
    Client can't get out to internet. Cisco 861

    Securitron

      All,

       

      I'm baffled as to why my single client can't get out to the internet, yet the router can. I must have the "ip nat inside source static tcp 192.168.100.21 6001 172.18.116.106 9090 extendable" line for a specific function to work on my client. I can see the nat translations happening for this, but when I try to ping or resolve anything on the internet, I get either "Destination Host Unreachable" or "Request Timed Out", and do not see these translations happening.

       

      I don't need all clients in the 192.168.100.0/24 network to get access, just 192.168.100.21. My routing table on the client has the default route as 192.168.100.1. Any help is greatly appreciated.

       

      Thanks,

       

      Russ

       

      Here is my config, less the security info:

       


      !!
      version 15.0
      no service pad
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname XXXX-Router
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      !
      no aaa new-model
      memory-size iomem 10
      !
      !
      !
      ip source-route
      !
      !
      !
      !
      ip cef
      no ip domain lookup
      ip domain name yourdomain.com
      !
      !
      license udi pid CISCO861-K9 sn FTX151301VG
      !
      !
      username XXXX-Removed for security-XXXX
      !
      !
      !
      !
      !
      !
      !
      !
      !
      interface FastEthernet0
      !
      interface FastEthernet1
      !
      interface FastEthernet2
      !
      interface FastEthernet3
      !
      interface FastEthernet4
      description $ES_WAN$
      ip address 172.18.116.105 255.255.254.0
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      !
      interface Vlan1
      ip address 192.168.100.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      !
      ip forward-protocol nd
      ip http server
      ip http access-class 23
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      !
      ip nat inside source list 12 interface FastEthernet4 overload
      ip nat inside source static tcp 192.168.100.21 6001 172.18.116.106 9090 extendable
      ip route 0.0.0.0 0.0.0.0 FastEthernet4
      !
      access-list 12 permit 192.168.100.21 0.0.0.0 log
      access-list 23 permit 192.168.100.21
      access-list 23 permit 192.168.100.101
      no cdp run

      !
      control-plane
      !
      !
      line con 0
      login local
      no modem enable
      line aux 0
      line vty 0 4
      access-class 23 in
      privilege level 15
      login local
      transport input telnet ssh
      !
      scheduler max-task-time 5000
      end

        • 1. Re: Client can't get out to internet. Cisco 861
          borzol CCNP (CCIE R&S candidate)

          hi,

           

          Is your NAT working well, or do you just see the NAT translation in the show ip nat transl command output?

           

          can you send me the debug ip nat output? and sh ip nat translations? and sh ip arp?

           

          can you use internet when you just allow access for all of your clients?

           

          Try adding a default route like this if your ARP table is incomplete for your default route next hop (sh ip arp):

           

          ip route 0.0.0.0 0.0.0.0 172.18.x.y fa 4

           

          Your NAT config looks good, so I think the error is not in your NAT config.

           

          borzol

          • 2. Re: Client can't get out to internet. Cisco 861
            Cristian F. Stoica

            Is it possible that the client is missing the default GW? You should be getting a consistent reply, i.e. either "destination unreachable" or "request timeout" as far as I can tell.

            • 3. Re: Client can't get out to internet. Cisco 861
              vivan

              Hi Securitron ,

               

              The problem is in this command "ip route 0.0.0.0 0.0.0.0 FastEthernet4".

               

              Replace FastEthernet4 with the IP address of your next hop router.

               

              HTH,

              Vivan.

              My CCNA Video Collection

              http://ccna-labs.blogspot.com

              • 4. Re: Client can't get out to internet. Cisco 861
                Securitron

                Borzol: I can't get any debug statements at the moment, as the router is in another office that I can't remote into. I'll be back at that office tomorrow and I'll get all of that info and post here.

                vivan: I'll try adjusting the "ip route 0.0.0.0 0.0.0.0" line to the next hop, as you suggested.

                Christian: Gateway on client is set correctly to "192.168.100.1". As with the above config, I get "Request Timed Out" and when I remove the default route altogether from the config, I get "Reply 192.168.100.1: Destination net unreachable".

                 

                I'll post more tomorrow when I get another chance to test.

                • 5. Re: Client can't get out to internet. Cisco 861
                  eugen

                  Have you tried changing your standard access list to an extended one? I will also remove the more specific nat translation just to test the pings and then add it back and see if it works.

                   

                  Hope this helps

                  Eugen

                  • 6. Re: Client can't get out to internet. Cisco 861
                    Cristian F. Stoica

                    I did a quick test in PT, and NAT was working fine using your config. I'll try it when I get home with physical equipment but, as Borzol mentioned too, the config looks fine, so it might be that the issue lies somewhere else.

                    @Vivan: default route can use either IP or interface as long as they are correct.

                    • 7. Re: Client can't get out to internet. Cisco 861
                      Daniel

                      Hi,

                       

                      Just out of curiosity, I see Fa0/4 connected to the 172.18.116.0/23 network defined as "outside", and I see 192.168.100.0/24 "connected" to VLAN1 and defined as "inside".

                      What struck me is, where have you connected your host 192.168.100.21? The reason I ask is because the 861 can be tricky when using ip nat outside/inside to get it to work because of the way it's designed.

                      It supports 2 VLANs, port 0-3 are part of VLAN1 by default and port 4 is designated WAN port just like in your configuration.

                      What I suggest trying is what I normally do in these situations....

                      Add a 2nd VLAN, say VLAN2. Add another port from FA0/0-3 in that VLAN and then define the ip nat inside for this VLAN.

                      It shouldn't really matter, but I have had extensive trouble getting NAT to work correctly with the 8xx series because of the way it's designed...FA0/0-3 is member of VLAN1, FA0/4 is WAN port...that's why I move a designated port from 0-3 in another 2nd VLAN and use that like another "wan interface" so to speak. It has saved me some hair a few times....but like the rest, your configuration seems fine.

                      Edit: while I wrote this Alain had posted below, and I agree with him...but the above config will most likely work.

                       

                      HTH

                      -Daniel

                      • 8. Re: Client can't get out to internet. Cisco 861
                        cadetalain

                        Hi Christian,

                         

                        Cristian F. Stoica wrote:


                        @Vivan: default route can use either IP or interface as long as they are correct.

                        Yes, surely you can use either, but if the outgoing interface is a multipoint interface like Ethernet then it can only work if the next-hop router is implementing proxy-arp (which is a security breach) and even so it is highly recommended not to do so because of performance issues.

                         

                        Alain

                        • 9. Re: Client can't get out to internet. Cisco 861
                          Cristian F. Stoica

                          Valid point, Alain. If a broadcast interface is used as destination, the router will perform ARP for every destination as it assumes that it is directly connected to all of them.

                          Anyway, I was assuming that the Fast Ethernet interface is directly connected (i.e. Point-to-Point) to the external router. Nevertheless, this configuration shouldn't have any influence on NATting, but I do agree, in a production network it should be implemented according to best practices.

                          • 10. Re: Client can't get out to internet. Cisco 861
                            cadetalain

                            Hi Christian,

                             

                            Yes, it should have no direct influence on NAT, but NAT can't work if routing is not working.

                            Anyway, I was assuming that the Fast Ethernet interface is directly connected (i.e. Point-to-Point) to the external router.

                            But it is still considered a multiaccess interface even if it is only connected in a p2p manner, ain't it?

                             

                            Alain

                            • 11. Re: Client can't get out to internet. Cisco 861
                              Cristian F. Stoica

                              Alain, what do you mean by "routing is not working"? Routing will work disregarding if using interface or IP, it's just that it will be a performance penalty since the router has to ARP the destination address every single time.

                              Edit: just for completeness, proxy ARP should also be enabled otherwise the connectivity will break.

                              The best practice is to use both the IP and the interface. The reason for including the interface is that the static route will be removed when the interface gets deleted. This is especially useful in production networks when using subinterfaces and people forget to remove static routes that are no longer valid (i.e. customer is disconnected).
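The point raised in replies 8 to 11, as an added example that is not part of the original thread: a small Python check that reads `ip route` lines from a saved configuration and flags static routes that name only a multi-access interface, since those resolve every destination by ARP and depend on proxy ARP at the neighbour. The function names, the interface-prefix list and the sample lines other than the first are assumptions made for illustration; `192.0.2.1` is a placeholder next hop, not an address from the thread.

```python
import re

# Assumption of this example: interface names starting with these prefixes
# (FastEthernet, GigabitEthernet, TenGigabitEthernet, Ethernet, Vlan) are
# multi-access media; Serial, Dialer, Tunnel and Null are not.
MULTIACCESS_PREFIXES = ("fa", "gi", "te", "et", "vl")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
UNIT = re.compile(r"^\d+(?:/\d+)*$")  # separate unit number, as in "fa 4"


def parse_static_route(line):
    """Return (prefix, mask, interface, next_hop) for an IPv4 'ip route' line."""
    tokens = line.split()
    if len(tokens) < 5 or [t.lower() for t in tokens[:2]] != ["ip", "route"]:
        return None
    prefix, mask, rest = tokens[2], tokens[3], tokens[4:]
    if not (IPV4.match(prefix) and IPV4.match(mask)):
        return None  # e.g. 'ip route vrf ...' is out of scope here
    interface = next_hop = None
    if not IPV4.match(rest[0]):
        interface = rest.pop(0)
        if rest and not interface[-1].isdigit() and UNIT.match(rest[0]):
            interface += rest.pop(0)  # join "fa" + "4"
    if rest and IPV4.match(rest[0]):
        next_hop = rest[0]
    return prefix, mask, interface, next_hop


def audit_static_routes(config_text):
    """List (route line, reason) for routes that rely on proxy ARP."""
    findings = []
    for line in config_text.splitlines():
        route = parse_static_route(line)
        if route is None:
            continue
        _, _, interface, next_hop = route
        multiaccess = bool(interface) and interface.lower().startswith(MULTIACCESS_PREFIXES)
        if multiaccess and next_hop is None:
            findings.append((line.strip(), "interface-only route on a multi-access "
                             "link: relies on proxy ARP at the neighbour"))
    return findings


# First line is the route from the posted config; the rest are constructed.
SAMPLE = """ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 FastEthernet4 192.0.2.1
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 10.0.0.0 255.0.0.0 fa 4
ip route 10.1.0.0 255.255.0.0 Null0
"""

if __name__ == "__main__":
    for route, reason in audit_static_routes(SAMPLE):
        print(f"{route}  <-- {reason}")
```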

                              • 12. Re: Client can't get out to internet. Cisco 861
                                Daniel

                                Cristian,

                                 

                                I think what he meant is that if, for any reason I do not know, the FA0/4 interface was connected to a switch which would have multiple gateways instead of a PtP connection...and that the ARP-process can be messed up, meaning the routing would also be messed up in that case. (Say that more than 1 router responds to the ARP, and the unicast gets messed up? I'm just speculating though, as that would make sense of his reasoning.)

                                 

                                -Daniel

                                • 13. Re: Client can't get out to internet. Cisco 861
                                  Cristian F. Stoica

                                  Daniel, yes, definitely, the route command needs to be changed to include the next hop IP and, optional, the interface. I would start by pinging the other end of 172.18.116.105/23 interface from the PC to see if any replies and translations are generated.

                                  • 14. Re: Client can't get out to internet. Cisco 861
                                    black-cisco01

                                    ip nat inside source static tcp 192.168.100.21 6001 172.18.116.106 9090 extendable

                                     

                                    Shouldn't the 172.18.116.106 be a public address? Because now a private range is being NATed to a private range, and of course internet connectivity wouldn't be possible.

                                    Or maybe try these solutions:

                                     

                                    ip nat inside source static tcp 192.168.100.21 6001 172.18.116.106 6001 extendable

                                     

                                    or

                                     

                                    ip nat inside source static tcp 192.168.100.21 6001 interface fastethernet 4 9090
