Very Computer

Warning newbie question. I have a 1720 with static nat setup (i
think!) between the internet and a single host.

From the router I can ping single host 192.168.0.2 and any internet
address; from the single host i can only ping as far as the dhcp
assigned address 10.0.0.1 (eth0), but no further.

I figured I'd start with a simple configuration before setting up
dynamic nat and access lists thinking this would be straightforward
:). I'm guessing I'm nearly there but am totally stumped and would
really appreciate any advice.

Run conf:

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname newbie
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXX
enable password XXXXXXX
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
no ip routing
!
!
ip name-server 194.168.4.100
ip name-server 194.168.8.100
!
no ip cef
!
!
!
!
interface Ethernet0
 mac-address 0001.03d6.f16a
 ip address dhcp
 ip nat outside
 no ip route-cache
 full-duplex
!
interface Ethernet1
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
ip nat inside
 no ip route-cache
 speed auto
 full-duplex
!
ip nat log translations syslog
ip nat inside source static 192.168.0.2 interface Ethernet0
ip classless
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXX
 login
!
!
end

sh ip nat translation:

Pro Inside global      Inside local       Outside local      Outside
global
--- 10.0.0.1           192.168.0.2        ---                ---

Trying chaging your nat list to a destination IP not is use via the DHCP
server on E0 (for example 10.0.0.200)

ip nat inside source static 192.168.0.2 10.0.0.200

also can you attach  the screen output for debug ip nat once you ping (you
may have to turn on terminal monitor to see the output)

Quote:> Warning newbie question. I have a 1720 with static nat setup (i
> think!) between the internet and a single host.

> From the router I can ping single host 192.168.0.2 and any internet
> address; from the single host i can only ping as far as the dhcp
> assigned address 10.0.0.1 (eth0), but no further.

> I figured I'd start with a simple configuration before setting up
> dynamic nat and access lists thinking this would be straightforward
> :). I'm guessing I'm nearly there but am totally stumped and would
> really appreciate any advice.

> Run conf:

> !
> version 12.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> no service dhcp
> !
> hostname newbie
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret XXXXXXXX
> enable password XXXXXXX
> !
> memory-size iomem 25
> no aaa new-model
> ip subnet-zero
> no ip routing
> !
> !
> ip name-server 194.168.4.100
> ip name-server 194.168.8.100
> !
> no ip cef
> !
> !
> !
> !
> interface Ethernet0
>  mac-address 0001.03d6.f16a
>  ip address dhcp
>  ip nat outside
>  no ip route-cache
>  full-duplex
> !
> interface Ethernet1
>  no ip address
>  no ip route-cache
>  shutdown
>  half-duplex
> !
> interface FastEthernet0
>  ip address 192.168.0.1 255.255.255.0
> ip nat inside
>  no ip route-cache
>  speed auto
>  full-duplex
> !
> ip nat log translations syslog
> ip nat inside source static 192.168.0.2 interface Ethernet0
> ip classless
> no ip http server
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password XXXXX
>  login
> !
> !
> end

> sh ip nat translation:

> Pro Inside global      Inside local       Outside local      Outside
> global
> --- 10.0.0.1           192.168.0.2        ---                ---

Thanks for the response! I think I've understood you correctly - I've
subsituted another number in the last octet only of the dhcp assigned
address i.e. not the address I'm currently leasing but nonetheless one
that could potentially be leased by the server - I've plumped for .200

dummy(config)#ip nat inside source static 192.168.0.2 10.0.0.200
dummy(config)#
20:49:17: %IPNAT-6-NAT_CREATED: Created ? 192.168.0.2:0 10.0.0.200:0
0.0.0.0:0
0.0.0.0:0
20:49:17: ipnat_add_static_cfg: id 1, flag 6
20:49:17: id 1, flags 0, domain 0, lookup 0, from_addr C0A80004,
        from_mask FFFFFFFF, from_port 0, to_addr 50053DC8, to_port 0
to_mask FFF
FFFFF, proto 0
dummy#debug ip nat
IP NAT debugging is on
dummy#debug ip icmp
ICMP packet debugging is on
dummy#terminal monitor
% Console already monitors

dummy#ping 80.5.61.160

Type escape se
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [140]
ICMP: echo reply rcvd, src 192.168.0.4, dst 80.5.61.142quence to
abort.
Sending 5, 100-byte ICMP Echos to 80.5.61.160, timeout is 2 seconds:
.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [141]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [142]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [143]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [144]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
Success rate is 0 percent (0/5)

Pinging 10.0.0.200 at the command line on host 192.168.0.2 is
successful with the following ICMP debug messages only appearing on
console of router:

ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2

and if the host pings dhcp assigned address 10.0.0.1:

ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2

-----------------------------

Simon

Just spotted an error in my response - please see below. Thanks in advance.

dummy(config)#ip nat inside source static 192.168.0.2 10.0.0.200
dummy(config)#
20:49:17: %IPNAT-6-NAT_CREATED: Created ? 192.168.0.2:0 10.0.0.200:0
0.0.0.0:0
0.0.0.0:0
20:49:17: ipnat_add_static_cfg: id 1, flag 6
20:49:17: id 1, flags 0, domain 0, lookup 0, from_addr C0A80004,
        from_mask FFFFFFFF, from_port 0, to_addr 50053DC8, to_port 0
to_mask FFF
FFFFF, proto 0
dummy#debug ip nat
IP NAT debugging is on
dummy#debug ip icmp
ICMP packet debugging is on
dummy#terminal monitor
% Console already monitors

dummy#ping 10.0.0.200

Type escape se
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [140]
ICMP: echo reply rcvd, src 192.168.0.4, dst 80.5.61.142quence to
abort.
Sending 5, 100-byte ICMP Echos to 80.5.61.160, timeout is 2 seconds:
.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [141]
CMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [142]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [143]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [144]
ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
Success rate is 0 percent (0/5)

Pinging 10.0.0.200 at the command line on host 192.168.0.2 is
successful with the following ICMP debug messages only appearing on
console of router:

ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2

and if the host pings dhcp assigned address 10.0.0.1:

ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2

-----------------------------

Simon

Can you attach your config again. and also the routing table.

Do you have a route to 80.5.61.160?

Quote:> Just spotted an error in my response - please see below. Thanks in
advance.

> dummy(config)#ip nat inside source static 192.168.0.2 10.0.0.200
> dummy(config)#
> 20:49:17: %IPNAT-6-NAT_CREATED: Created ? 192.168.0.2:0 10.0.0.200:0
> 0.0.0.0:0
> 0.0.0.0:0
> 20:49:17: ipnat_add_static_cfg: id 1, flag 6
> 20:49:17: id 1, flags 0, domain 0, lookup 0, from_addr C0A80004,
>         from_mask FFFFFFFF, from_port 0, to_addr 50053DC8, to_port 0
> to_mask FFF
> FFFFF, proto 0
> dummy#debug ip nat
> IP NAT debugging is on
> dummy#debug ip icmp
> ICMP packet debugging is on
> dummy#terminal monitor
> % Console already monitors

> dummy#ping 10.0.0.200

> Type escape se
> NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [140]
> ICMP: echo reply rcvd, src 192.168.0.4, dst 80.5.61.142quence to
> abort.
> Sending 5, 100-byte ICMP Echos to 80.5.61.160, timeout is 2 seconds:
> .
> NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [141]
> CMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
> NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [142]
> ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
> NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [143]
> ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
> NAT: s=10.0.0.1, d=10.0.0.200->192.168.0.2 [144]
> ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.1.
> Success rate is 0 percent (0/5)

> Pinging 10.0.0.200 at the command line on host 192.168.0.2 is
> successful with the following ICMP debug messages only appearing on
> console of router:

> ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2

> and if the host pings dhcp assigned address 10.0.0.1:

> ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2
> ICMP: echo reply sent, src 10.0.0.1, dst 192.168.0.2

> -----------------------------

> Simon

Not sure I follow exactly what you're trying to accomplish, but one
thing stuck out in your config.  That is, in your 'ip nat inside
source static' statement, it looks like your internal and external
addresses are reversed.  I use such a static mapping on a 2610 router
of ours (basically same IOS as 1720, of which we also have 1), and my
syntax is as follows:
 ip nat inside source static tcp 172.20.51.10 65.x.x.x extendable
where the 172.20 is the inside address (interface ethernet0 in your
case, I guess), and 65.x.x.x is the internet address.

My first thought was where is the default route???

I have almost exactly the same setup at home plus:

ip route 0.0.0.0 0.0.0.0 ethernet 0

Ok! here's my latest config after I changed the ip nat. I've also
included the suggestion of inserting a default route to eth0:

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname dummy
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXX
enable password XXXXXX
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
no ip routing
!
!
ip name-server 194.168.4.100
ip name-server 194.168.8.100
!
no ip cef
!
!
!
!
interface Ethernet0
 mac-address 0001.03d6.f06a
 ip address dhcp
 ip nat outside
 no ip route-cache
 full-duplex
!
interface Ethernet1
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip route-cache
 speed auto
 full-duplex
!
ip nat log translations syslog
ip nat inside source static 192.168.0.2 10.0.0.200
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXXX
 login
!
!
end

And here's the output to the router terminal (ip and nat debug on) if
I ping 10.0.0.200 from host 192.168.0.2:

00:22:23: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
00:22:24: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
00:22:25: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
00:22:26: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2

I can also successfully ping both the outside router interface address
10.0.0.142 and the inside router interface 192.168.0.1 from this host,
both resulting in ICMP debug output on the router terminal. Pinging an
internet address from host results in failure reason "Request timed
out" with nothing appearing on the router terminal in the process.

Here's what happens if I ping 10.0.0.200 directly from the router
command line, remembering that my dhcp leased ip is 10.0.0.142 and nat
is set to translate 192.168.0.2<->10.0.0.200:

00:26:13: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [15]
00:26:13: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
00:26:15: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [16]
00:26:15: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
00:26:17: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [17]
00:26:17: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
00:26:19: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [18]
00:26:19: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
00:26:21: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [19]
00:26:21: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
Success rate is 0 percent (0/5)

I can ping the internet from the router command line and I can ping
both 192.168.0.1, 192.168.0.2 no problems, all resulting in ICMP debug
output to terminal.

And finally here's the output of "sh ip route":

Default gateway is 10.0.0.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty

Do this

Under your F0 add
ip add 192.168.0.2 255.255.255.0 sec

then

#ping
Protocol [ip]:
Target IP address: -----(Internet IP Address)
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:

What does you out put look like?

What exactly is plugged up on the other end of E0 10.0.0.142 ?

Quote:> Ok! here's my latest config after I changed the ip nat. I've also
> included the suggestion of inserting a default route to eth0:

> !
> version 12.3
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> no service dhcp
> !
> hostname dummy
> !
> boot-start-marker
> boot-end-marker
> !
> enable secret 5 XXXXXX
> enable password XXXXXX
> !
> memory-size iomem 25
> no aaa new-model
> ip subnet-zero
> no ip routing
> !
> !
> ip name-server 194.168.4.100
> ip name-server 194.168.8.100
> !
> no ip cef
> !
> !
> !
> !
> interface Ethernet0
>  mac-address 0001.03d6.f06a
>  ip address dhcp
>  ip nat outside
>  no ip route-cache
>  full-duplex
> !
> interface Ethernet1
>  no ip address
>  no ip route-cache
>  shutdown
>  half-duplex
> !
> interface FastEthernet0
>  ip address 192.168.0.1 255.255.255.0
>  ip nat inside
>  no ip route-cache
>  speed auto
>  full-duplex
> !
> ip nat log translations syslog
> ip nat inside source static 192.168.0.2 10.0.0.200
> ip classless
> ip route 0.0.0.0 0.0.0.0 Ethernet0
> no ip http server
> !
> !
> line con 0
> line aux 0
> line vty 0 4
>  password XXXXXX
>  login
> !
> !
> end

> And here's the output to the router terminal (ip and nat debug on) if
> I ping 10.0.0.200 from host 192.168.0.2:

> 00:22:23: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> 00:22:24: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> 00:22:25: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2
> 00:22:26: ICMP: echo reply sent, src 10.0.0.200, dst 192.168.0.2

> I can also successfully ping both the outside router interface address
> 10.0.0.142 and the inside router interface 192.168.0.1 from this host,
> both resulting in ICMP debug output on the router terminal. Pinging an
> internet address from host results in failure reason "Request timed
> out" with nothing appearing on the router terminal in the process.

> Here's what happens if I ping 10.0.0.200 directly from the router
> command line, remembering that my dhcp leased ip is 10.0.0.142 and nat
> is set to translate 192.168.0.2<->10.0.0.200:

> 00:26:13: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [15]
> 00:26:13: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
> 00:26:15: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [16]
> 00:26:15: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
> 00:26:17: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [17]
> 00:26:17: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
> 00:26:19: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [18]
> 00:26:19: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
> 00:26:21: NAT: s=10.0.0.142, d=10.0.0.200->192.168.0.2 [19]
> 00:26:21: ICMP: echo reply rcvd, src 192.168.0.2, dst 10.0.0.142.
> Success rate is 0 percent (0/5)

> I can ping the internet from the router command line and I can ping
> both 192.168.0.1, 192.168.0.2 no problems, all resulting in ICMP debug
> output to terminal.

> And finally here's the output of "sh ip route":

> Default gateway is 10.0.0.1

> Host               Gateway           Last Use    Total Uses  Interface
> ICMP redirect cache is empty

[snip]

Quote:> ip subnet-zero
> no ip routing
> !

[snip]

Quote:

> Default gateway is 10.0.0.1

> Host               Gateway           Last Use    Total Uses  Interface
> ICMP redirect cache is empty

  Not sure what you're trying to do here bur if this router is meant to be
routing, you should configure "ip routing".

--
Rgds,
Martin

Hi Ronnie: Added a sec IP to fasteth0 as instructions. ping output as
follows:

Sending 5, 100-byte ICMP Echos to 217.12.3.11, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.2

00:38:27: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [100].
00:38:29: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [101].
00:38:31: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [102].
00:38:33: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [103].
00:38:35: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [104].
Success rate is 0 percent (0/5)

however if I:

no ip nat inside source static 192.168.0.2 10.0.0.200
ip nat inside source static 192.168.0.2 10.0.0.142

to change the translation to my real dhcp leased address 10.0.0.142
then output:

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/52
ms
00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [110]
00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [111]
00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [112]
00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [113]
00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [114]

My run config now stands as follows:

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname dummy
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXXXXX
enable password XXXXXXX
!
memory-size iomem 25
no aaa new-model
ip subnet-zero
no ip routing
!
!
ip name-server 194.168.4.100
ip name-server 194.168.8.100
!
no ip cef
!
!
!
!
interface Ethernet0
 mac-address 0001.03d6.f16a
 ip address dhcp
 ip nat outside
 no ip route-cache
 full-duplex
!
interface Ethernet1
 no ip address
 no ip route-cache
 shutdown
 half-duplex
!
interface FastEthernet0
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no ip route-cache
 speed auto
 full-duplex
!
ip nat log translations syslog
ip nat inside source static 192.168.0.2 10.0.0.142
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXXX
 login
!
!
end

eth0 is linked to a cablemodem. I have the mac address of eth0 cloning
the mac of the nic in the host if this is significant. sh ip route is
unchanged.

dummy#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside
global
--- 80.5.61.142        192.168.0.2        ---                ---

I had someone else on the internet ping my dhcp leased address
10.0.0.142 - they received successful replies but no NAT debug output
appearing on my router console in the process.

-------------------------------------------------------------------------------------

Martin - inputting the command "ip routing" in global conf mode
results in my being able to ping fasteth0 192.168.0.1 and 192.168.0.2
only with the above run conf. Pinging 10.0.0.142 results in the
following NAT debugging info:

01:21:32: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [180]
01:21:32: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [180].
01:21:34: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [181]
01:21:34: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [181].
01:21:36: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [182]
01:21:36: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [182].
01:21:38: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [183]
01:21:38: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [183].
01:21:40: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [184]
01:21:40: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [184].
Success rate is 0 percent (0/5)

Host 192.168.0.2 cannot ping fasteth0 interface 192.168.0.1 and
beyond, even when the clashing sec ip is removed from fasteth0 and no
NAT debug info is output to router terminal in the process.

I had someone else on the internet ping my dhcp leased address
10.0.0.142 with the following result on my router terminal:

01:36:18: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [18959]
01:36:23: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19085]
01:36:28: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19190]
01:36:34: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19307]

------------------------------------------------------------------------------------

------------------------------------------------------------------------------------

Martin - please read the 80.5.61 as 10.0.0 - forgot to subsitute my
real ip address with the 10.0.0 in response but now I've gone and done
it....

Simon I am a little confused about your setup.

First off based on RFC 1918 which is the non routable ips for the internet

10.x.x.x
172.16.x.x - 172.31.x.x
192.168.x.x

These are not routed on the internet. How can your friend ping your DHCP
leased address of 10.0.0.142 successful?

Sounds like you cable modem is also Nating you externally to a routable ip
on the internet.

What is your subnet mask on the E0 interface the 10.0.0.42 ip?

If I may also ask why do you have the interface learning via DHCP why not a
static IP on the interface?

Quote:> > Hi Ronnie: Added a sec IP to fasteth0 as instructions. ping output as
> > follows:

> > Sending 5, 100-byte ICMP Echos to 217.12.3.11, timeout is 2 seconds:
> > Packet sent with a source address of 192.168.0.2

> > 00:38:27: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [100].
> > 00:38:29: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [101].
> > 00:38:31: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [102].
> > 00:38:33: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [103].
> > 00:38:35: NAT: s=192.168.0.2->10.0.0.200, d=217.12.3.11 [104].
> > Success rate is 0 percent (0/5)

> > however if I:

> > no ip nat inside source static 192.168.0.2 10.0.0.200
> > ip nat inside source static 192.168.0.2 10.0.0.142

> > to change the translation to my real dhcp leased address 10.0.0.142
> > then output:

> > Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/52
> > ms
> > 00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [110]
> > 00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [111]
> > 00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [112]
> > 00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [113]
> > 00:48:20: NAT: s=192.168.0.2->10.0.0.142, d=217.12.3.11 [114]

> > My run config now stands as follows:

> > version 12.3
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > no service dhcp
> > !
> > hostname dummy
> > !
> > boot-start-marker
> > boot-end-marker
> > !
> > enable secret 5 XXXXXXX
> > enable password XXXXXXX
> > !
> > memory-size iomem 25
> > no aaa new-model
> > ip subnet-zero
> > no ip routing
> > !
> > !
> > ip name-server 194.168.4.100
> > ip name-server 194.168.8.100
> > !
> > no ip cef
> > !
> > !
> > !
> > !
> > interface Ethernet0
> >  mac-address 0001.03d6.f16a
> >  ip address dhcp
> >  ip nat outside
> >  no ip route-cache
> >  full-duplex
> > !
> > interface Ethernet1
> >  no ip address
> >  no ip route-cache
> >  shutdown
> >  half-duplex
> > !
> > interface FastEthernet0
> >  ip address 192.168.0.2 255.255.255.0 secondary
> >  ip address 192.168.0.1 255.255.255.0
> >  ip nat inside
> >  no ip route-cache
> >  speed auto
> >  full-duplex
> > !
> > ip nat log translations syslog
> > ip nat inside source static 192.168.0.2 10.0.0.142
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Ethernet0
> > no ip http server
> > !
> > !
> > line con 0
> > line aux 0
> > line vty 0 4
> >  password XXXXXX
> >  login
> > !
> > !
> > end

> > eth0 is linked to a cablemodem. I have the mac address of eth0 cloning
> > the mac of the nic in the host if this is significant. sh ip route is
> > unchanged.

> > dummy#sh ip nat trans
> > Pro Inside global      Inside local       Outside local      Outside
> > global
> > --- 80.5.61.142        192.168.0.2        ---                ---

> > I had someone else on the internet ping my dhcp leased address
> > 10.0.0.142 - they received successful replies but no NAT debug output
> > appearing on my router console in the process.

> --------------------------------------------------------------------------
-----------

> > Martin - inputting the command "ip routing" in global conf mode
> > results in my being able to ping fasteth0 192.168.0.1 and 192.168.0.2
> > only with the above run conf. Pinging 10.0.0.142 results in the
> > following NAT debugging info:

> > 01:21:32: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [180]
> > 01:21:32: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [180].
> > 01:21:34: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [181]
> > 01:21:34: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [181].
> > 01:21:36: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [182]
> > 01:21:36: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [182].
> > 01:21:38: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [183]
> > 01:21:38: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [183].
> > 01:21:40: NAT: s=80.5.61.142, d=80.5.61.142->192.168.0.2 [184]
> > 01:21:40: NAT: s=192.168.0.2, d=80.5.61.142->192.168.0.2 [184].
> > Success rate is 0 percent (0/5)

> > Host 192.168.0.2 cannot ping fasteth0 interface 192.168.0.1 and
> > beyond, even when the clashing sec ip is removed from fasteth0 and no
> > NAT debug info is output to router terminal in the process.

> > I had someone else on the internet ping my dhcp leased address
> > 10.0.0.142 with the following result on my router terminal:

> > 01:36:18: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [18959]
> > 01:36:23: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19085]
> > 01:36:28: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19190]
> > 01:36:34: NAT*: s=10.0.177.9, d=10.0.0.142->192.168.0.2 [19307]

> --------------------------------------------------------------------------
----------

> --------------------------------------------------------------------------

----------