Configuration Help -- internal network can't get out

Sirich (Programmer; joined Nov 17, 2005; 2 messages; location: US)

Greetings all,

I have been digging around for several hours and have not been able to come up with a solution to my problem. As it stands now I have a Cisco 1721 router that I am trying to configure with a NAT pool and some access rules. I have been able to set up the NAT and access-lists to allow connections from the internet to access internal resources; however, nothing I do will let me get out of the internal network. Additionally, I can't ping or otherwise access resources on the internet from the router itself.

I have included the config I am using minus some information that was either sensitive or I believed to be unimportant. If someone could help me that would be fantastic. I am about ready to scream over this.

Here is the config:

!
version 12.3
!
hostname router01
!
no aaa new-model
ip subnet-zero
!
ip cef
!
interface Ethernet0
description connected to Internet
ip address X.Y.Z.242 255.255.255.248
ip access-group 102 in
ip nat outside
half-duplex
!
interface FastEthernet0
description connected to Local Network
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
speed auto
!
router rip
version 2
passive-interface Ethernet0
network 192.168.0.0
no auto-summary
!
ip nat pool router01-natpool-1 X.Y.Z.243 X.Y.Z.245 netmask 255.255.255.248
ip nat inside source list 1 pool router01-natpool-1 overload
ip nat inside source static tcp 192.168.0.2 22 X.Y.Z.245 22 extendable
ip nat inside source static udp 192.168.0.2 53 X.Y.Z.245 53 extendable
ip nat inside source static 192.168.0.2 X.Y.Z.245
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 permit tcp any host X.Y.Z.245 established
access-list 102 permit tcp any host X.Y.Z.244 established
access-list 102 permit tcp any host X.Y.Z.243 established
access-list 102 permit tcp any host X.Y.Z.242 established
access-list 102 permit tcp any host X.Y.Z.245 eq 22
access-list 102 permit tcp any host X.Y.Z.245 eq domain
access-list 102 permit udp any host X.Y.Z.245 eq domain
access-list 102 permit icmp any host X.Y.Z.245 echo
access-list 102 permit icmp any host X.Y.Z.245 echo-reply
!
end
 
I think what's happening is you have quite a small NAT pool (3 usable IP addresses from x.x.x.243 through to x.x.x.245). You're also using NAT overload but, if your network is largeish, only the first two clients will use the first two available pool addresses and everyone else will try and use x.x.x.245. This is usually OK.

However...

You have defined a static NAT for 192.168.0.2 to the x.x.x.245 address. Static NAT translations always have precedence over dynamic NAT translations.

I'd be willing to bet the device 192.168.0.2 can access the internet just fine.

You can do 2 things to rectify this:

1. NAT overload on the E0 interface and stop using the pool called router01-natpool-1 as follows:

ip nat inside source list 1 interface E0 overload


2. Reduce the size of the router01-natpool-1 as follows:

ip nat pool router01-natpool-1 X.Y.Z.243 X.Y.Z.244 netmask 255.255.255.248

Hope this helps
 
Thanks for the reply.

I applied the suggested changes but that did not seem to make a difference. Additionally the 192.168.0.2 address was unable to access the internet as well. I think however I may have stumbled across the problem.

I spent quite a bit of time paring down the configuration to further simplify it, and I had some success when I removed the extended access-lists altogether. At that point I started getting better results. In addition I changed my static route to point to the next router explicitly. It was at this point that I started to get some expected results. I reloaded my config to get back my settings and added the static route as before. This had some results, but still I think my access lists were getting in the way. I started to modify them when I accidentally locked myself out; oops! I'll make the trip during lunch to fix that problem. Until then I'll take a break.

I think I've made progress and I really appreciate your suggestion as I think it helped me down the path.

Perhaps someone could provide me some approval or a slap on the wrist with what I'm ultimately trying to do. I have the addresses .242-.246 with the gateway .241 as provided by my ISP. At the moment I have an office wireless device set up on .246, so I'm avoiding that but want to use it in the end and move that device behind the router. I want the router to be the single device between our internal network and the external. I have currently about 10 devices on the internal network with most needing access outside. I also will be getting 3-4 devices moved in that are our servers that need to be accessible from the outside. Mostly each of those only needs a small number of services enabled.

I was hoping that I could have the router NAT/Firewall .242-.246 and have .242-.244 be the external IP's for the servers that need it and have .245 and .246 for general use and future expansion.

One question that I assumed but now start to wonder about is: can I use .242 for one of the external servers, or does this IP become consumed by the router for its sole use?

I am not sure if that is enough information to go on. If anyone has an opinion or some advice on this I am eager to hear it. Low level routing has always been something I have struggled with and I continue to try and understand a little more each time I have to deal with it.
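What the inbound list on Ethernet0 actually admits, as an added example that is not part of the original thread (not the poster's configuration and not Cisco code): the Python below parses ACL 102 exactly as posted, evaluates it against a few constructed inbound packets, then does the same for a replacement list. The posted list only lets TCP back in (the `established` entries, which merely test the ACK/RST flags) and accepts echo-replies for .245 alone, so the router's own ping sourced from .242 and the UDP DNS answers to a client translated onto .243 or .244 never get past the interface, which is consistent with things starting to work once the extended lists were removed. Assumptions: X.Y.Z is written as 203.0.113 and the Internet side as 198.51.100.0/24 (both documentation ranges), the sample packets are constructed, the parser covers only the ACL keywords used on this page (contiguous wildcard masks, `eq`/`gt`, `established`, ICMP type names), and the corrected list is a proposal for this thread, not something taken from it.

```python
"""ACL 102 from the thread, evaluated against return traffic. Added example, not the
poster's or Cisco's code; models only the Cisco extended-ACL syntax used here (any | host A |
A WILDCARD with contiguous wildcards, eq/gt, 'established' = TCP ACK/RST, ICMP type names)."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

SERVICES = {"domain": 53, "ssh": 22, "www": 80}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# ACL 102 exactly as posted; X.Y.Z written as 203.0.113 (assumption, TEST-NET-3).
ORIGINAL_ACL_102 = """
access-list 102 permit tcp any host 203.0.113.245 established
access-list 102 permit tcp any host 203.0.113.244 established
access-list 102 permit tcp any host 203.0.113.243 established
access-list 102 permit tcp any host 203.0.113.242 established
access-list 102 permit tcp any host 203.0.113.245 eq 22
access-list 102 permit tcp any host 203.0.113.245 eq domain
access-list 102 permit udp any host 203.0.113.245 eq domain
access-list 102 permit icmp any host 203.0.113.245 echo
access-list 102 permit icmp any host 203.0.113.245 echo-reply
"""

# Proposed replacement (assumption): admit TCP, DNS and ICMP replies to the whole /29,
# keep the server's inbound services on .245, and let the implicit deny drop the rest.
CORRECTED_ACL_102 = """
access-list 102 permit tcp any 203.0.113.240 0.0.0.7 established
access-list 102 permit udp any eq domain 203.0.113.240 0.0.0.7 gt 1023
access-list 102 permit icmp any 203.0.113.240 0.0.0.7 echo-reply
access-list 102 permit icmp any 203.0.113.240 0.0.0.7 unreachable
access-list 102 permit icmp any 203.0.113.240 0.0.0.7 time-exceeded
access-list 102 permit tcp any host 203.0.113.245 eq 22
access-list 102 permit tcp any host 203.0.113.245 eq domain
access-list 102 permit udp any host 203.0.113.245 eq domain
access-list 102 permit icmp any host 203.0.113.245 echo
"""

# ack = TCP ACK or RST set, which is all that 'established' inspects.
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type", defaults=(0, 0, False, None))
Rule = namedtuple("Rule", "action proto src sport dst dport established icmp_type")

def matches(r, p):
    """Does ACL entry r match packet p? Port fields are predicates or None (unrestricted)."""
    return (r.proto in ("ip", p.proto)
            and ip_address(p.src) in r.src and ip_address(p.dst) in r.dst
            and (r.sport is None or r.sport(p.sport))
            and (r.dport is None or r.dport(p.dport))
            and (not r.established or p.ack)
            and (r.icmp_type is None or p.icmp_type == r.icmp_type))

def _take_addr(toks, i):
    # 'any' | 'host A' | 'A WILDCARD' at toks[i]; returns (network, next index)
    if toks[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ip_network(toks[i + 1] + "/32"), i + 2
    prefix = 32 - int(ip_address(toks[i + 1])).bit_length()   # contiguous wildcard only
    return ip_network(f"{toks[i]}/{prefix}", strict=False), i + 2

def _take_port(toks, i):
    # optional 'eq N' | 'gt N' at toks[i]; returns (predicate or None, next index)
    if i < len(toks) and toks[i] in ("eq", "gt"):
        v, gt = SERVICES.get(toks[i + 1]) or int(toks[i + 1]), toks[i] == "gt"
        return (lambda p: p > v if gt else p == v), i + 2
    return None, i

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list":
            continue
        src, i = _take_addr(toks, 4)
        sport, i = _take_port(toks, i)
        dst, i = _take_addr(toks, i)
        dport, i = _take_port(toks, i)
        rest = toks[i:]                      # 'established' and/or an ICMP type name
        icmp = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), None)
        rules.append(Rule(toks[2], toks[3], src, sport, dst, dport, "established" in rest, icmp))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    return next((r.action for r in rules if matches(r, pkt)), "deny")

# Constructed inbound packets: replies to traffic the router and LAN sent out, plus two
# unsolicited connection attempts. 198.51.100.0/24 stands in for the Internet.
SAMPLE_PACKETS = {
    "router's own ping reply to .242": Packet("icmp", "198.51.100.1", "203.0.113.242", icmp_type=0),
    "dns reply to NAT client on .243": Packet("udp", "198.51.100.53", "203.0.113.243", 53, 40000),
    "http syn-ack to NAT client on .243": Packet("tcp", "198.51.100.80", "203.0.113.243", 80, 50000, True),
    "new ssh to server .245": Packet("tcp", "198.51.100.7", "203.0.113.245", 51000, 22),
    "new ssh to .243 (no server there)": Packet("tcp", "198.51.100.7", "203.0.113.243", 51000, 22),
}

def return_traffic_report(acl_text):
    """Map each sample packet name to the verdict ('permit' or 'deny') the list gives it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}
```

Calling `return_traffic_report` on the two lists gives deny, deny, permit, permit, deny for the posted ACL and permit, permit, permit, permit, deny for the replacement: the replies now come back, and an unsolicited SSH attempt at a NAT pool address is still dropped by the implicit deny. Two caveats. `established` and the `gt 1023` DNS entry are stateless flag and port checks, not session tracking; an IOS image that includes the firewall feature set is better served by `ip inspect` (CBAC), which records outbound sessions and opens the return path itself. And `ip route 0.0.0.0 0.0.0.0 Ethernet0` on a multi-access interface makes the router ARP for every Internet destination, which only works if the ISP gateway answers with proxy ARP; that is why pointing the route at the .241 next hop explicitly gave better results. On the .242 question from the last post: the interface address stays the router's own, but IOS accepts port-level static translations whose global address is the interface (`ip nat inside source static tcp <inside-ip> <port> interface Ethernet0 <port>`), so individual services can still be published on .242 while .243 and .244 are used for full one-to-one statics.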
 