NAT on Cisco Router!?!?!

o3rat (MIS, US), Feb 10, 2004
I have a Cisco 2610 with two Ethernet modules (one is on a module). And my topology is like this:

[CABLE MODEM]-------[e1/0 Cisco 2610 e0/0]------[LAN]
                      ^                ^
                      |                |
                   ethernet         ethernet
                69.47.17.34/20   192.168.1.1/24

I can ping both interfaces and telnet into the router from another network, but I can't access the internet from within the network. It seems that the DHCP is working fine. My theory is the NAT isn't configured right..?

this is my current config:

Current configuration : 1245 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname o3rat
!
enable secret 5 $1$OCnm$yubBhGOMHT7KKZlQxNyZL.
!
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.10
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
dns-server 64.233.217.2 64.233.207.
default-router 192.168.1.1
!
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
description Router to Switch Connection
ip address 192.168.1.1 255.255.255.0
ip nat inside
half-duplex
!
interface Ethernet1/0
description LAN to WAN connection
ip address 69.47.17.34 255.255.248.0
ip nat outside
half-duplex
!
ip nat inside source list 99 interface Ethernet1/0 overload
ip nat inside source list 102 interface Ethernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 69.47.16.1
half-duplex
!
ip nat inside source list 99 interface Ethernet1/0 overload
ip nat inside source list 102 interface Ethernet1/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 69.47.16.1
no ip http server
!
access-list 99 permit any
access-list 102 permit ip 0.0.0.0 192.168.1.254 any
!
line con 0
password 7 12010014071F0916
login
line aux 0
line vty 0 4
password 7 0831495A021617
login
!
end


Any suggestions???

 
Hi o3rat,

Well, I'm quite new to routers so I don't really know if I'm right. To me it seems that there is something missing, like the overload of your internal addresses.
Something similar to this:
ip nat inside source list 101 interface Dialer1 overload
I did something similar to this on an 831 ADSL router and it worked out fine for me. Dialer1 in this case is a virtual interface.
Maybe you can find further help under:
That's where I got help when I had to do my configs (besides this great place here).

Hope this gets you in the right direction.

busche
 
o3rat -

You have too many "ip nat inside source" statements.
All you need is one. The one you need is:

ip nat inside source list 99 interface Ethernet1/0 overload

Secondly, the access-list 99 looks good.

To see if your NATting is working, perform a show:

show ip nat translations

This should show you all the IPs being NAT'd.

Just to make sure you have internet connectivity, perform a PING from the router to an address on the internet.
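
The review described in the reply above, as an added example that is not part of the original thread: a small Python check that reads the NAT-related lines of an IOS config and reports more than one overload rule per outside interface. It goes beyond the reply by also flagging a NAT access list that permits any source and a wildcard mask that is not an inverted netmask; the function names are hypothetical and the sample input is constructed from the first post's config.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines of the first post's config.
SAMPLE = """\
ip nat inside source list 99 interface Ethernet1/0 overload
ip nat inside source list 102 interface Ethernet1/0 overload
access-list 99 permit any
access-list 102 permit ip 0.0.0.0 192.168.1.254 any
"""
NAT_RE = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload$")
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (.+)$")

def contiguous(wildcard):
    """True if the wildcard is an inverted netmask such as 0.0.0.255."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w & (w + 1) == 0

def acl_source(acl_id, rest):
    """Return (source, wildcard) for one numbered ACL entry."""
    tokens = rest.split()
    if 100 <= int(acl_id) <= 199:  # extended ACL: skip the protocol keyword
        tokens = tokens[1:]
    if not tokens or tokens[0] == "any":
        return "any", None
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"
    has_wc = len(tokens) > 1 and tokens[1][0].isdigit()
    return tokens[0], tokens[1] if has_wc else "0.0.0.0"

def audit_nat(config):
    """Return findings about NAT overload rules and the ACLs they reference."""
    lines = [line.strip() for line in config.splitlines()]
    nat = [m.groups() for m in map(NAT_RE.match, lines) if m]
    acls, findings = {}, []
    for m in filter(None, map(ACL_RE.match, lines)):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for iface in sorted({i for _, i in nat}):
        ids = {a for a, i in nat if i == iface}
        if len(ids) > 1:
            findings.append(f"{iface}: {len(ids)} overload rules; one is enough")
    for acl_id in sorted({a for a, _ in nat}):
        for action, rest in acls.get(acl_id, []):
            src, wc = acl_source(acl_id, rest)
            if action == "permit" and src == "any":
                findings.append(f"ACL {acl_id}: permits any source")
            elif wc and not contiguous(wc):
                findings.append(f"ACL {acl_id}: wildcard {wc} is not an inverted netmask")
    return findings
```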

 
Here is a config for nat that has been working like a champ.

aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip name-server 192.168.2.196
ip name-server 192.168.2.195
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.190 192.168.2.200
!
ip dhcp pool crwstest
origin ipcp
!
ip dhcp pool CLIENT
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.2.195 192.168.2.196
domain-name hq.mikehein.net
netbios-name-server 192.168.2.196
lease 0 5
!
ip ftp username mhein
ip ftp password 7 0529031B206E4B1D18544E
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group 806client
key mike123
dns 192.168.2.196 192.168.2.195
wins 192.168.2.196
domain hq.mikehein.net
pool ippool
acl 108
!
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set mypolicy
!
!
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.2.1-255.255.255.0
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1100
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address 24.123.104.18 255.255.255.248
ip nat outside
ip inspect myfw out
no cdp enable
crypto map clientmap
!
ip local pool ippool 192.168.100.1 192.168.100.100
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 192.168.2.196 80 24.123.104.20 80 extendable
ip nat inside source static tcp 192.168.2.196 25 24.123.104.19 25 extendable
ip nat inside source static tcp 192.168.2.196 443 24.123.104.20 443 extendable
ip nat inside source static tcp 192.168.2.196 21 24.123.104.20 21 extendable
ip nat inside source static tcp 192.168.2.196 20 24.123.104.20 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 24.123.104.17
ip http server
ip pim bidir-enable
!
!
access-list 12 permit 192.168.2.0 0.0.0.255
access-list 12 permit 192.168.100.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 permit esp any any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 443
access-list 111 permit icmp any any traceroute
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq ftp-data
access-list 111 permit tcp any 192.168.2.0 0.0.0.255 established
access-list 111 permit tcp any any eq 1723
access-list 111 permit icmp any any echo
no cdp run
radius-server authorization permit missing Service-Type
banner login ^C
inetrouter.hq.mikehein.net
^C
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 12 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
end

 