NAT problem on 2620

I have just configured the Fastethernet1/0 interface but can't get to the outside from a node on the internal net

Following is my config. Any suggestions? Tom

interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 206.xx.xxx.241 255.255.255.240
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 206.yy.yyy.110 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 no ip mroute-cache
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 shutdown
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.yy.yyy.109
no ip http server
!
access-list 1 permit any
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 206.xx.xxx.240 0.0.0.15 any
access-list 102 permit ip host 206.yy.yyy.110 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!

Reply to
Tom Linden

login
enable
config t
int fa 1/0
no shut
Ctrl-Z

Reply to
Cliff

conf t
int faste 1/0
no shut
exit
write mem

Reply to
Doug McIntyre

sho int reveals that FastEthernet1/0 is administratively down, line protocol is down

How do I

> I have just configured the Fastethernet1/0 interface but can't

Reply to
Tom Linden

Here's a few.

Despite the description, F0/0 appears not to be your outside interface, so:

!
interface FastEthernet0/0
 no ip nat outside
!

According to your default route, S0/0 is apparently your outside interface:

!
interface Serial0/0
 ip nat outside
!

This interface is shut down, as you noticed:

!
interface FastEthernet1/0
 no shutdown
!

Do not use 'any' in a NAT access list, since this tells NAT that it can muck with any packet it wants, rather than just the ones you want. NAT will take you at your word and this will probably return to bite you one day.

!
no access-list 1
access-list 1 permit 10.0.0.0 0.0.0.255
!

Reply to
Martin Gallagher
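The three checks in the reply above (which interface the default route really leaves through, whether the 'ip nat inside' interface is shut down, and whether the NAT access-list permits 'any') can be run mechanically over the text of 'show running-config'. The script below is an added example, not code from the thread. It embeds a constructed config in the shape of Tom's first post, with the masked 206.xx/206.yy octets replaced by RFC 5737 documentation ranges so the subnet arithmetic works; the function names (parse_interfaces, default_route_interface, lint, ...) are the example's own.

```python
"""Mechanical version of the checks in the reply above, run against the text of
'show running-config'. Added example, not code from the thread."""
import ipaddress
import re

# Constructed sample in the shape of Tom's first config. The masked 206.xx/206.yy
# octets are replaced by RFC 5737 documentation ranges so the arithmetic works.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 203.0.113.241 255.255.255.240
 ip nat outside
!
interface Serial0/0
 ip address 198.51.100.110 255.255.255.252
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 shutdown
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 198.51.100.109
!
access-list 1 permit any
"""


def parse_interfaces(config):
    """Map interface name -> {'network', 'nat', 'shutdown'} from the indented blocks."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"network": None, "nat": None, "shutdown": False}
            continue
        if current is None or not line.startswith(" "):
            current = None          # '!' or a global command ends the block
            continue
        words = line.split()
        if words[:2] == ["ip", "address"] and len(words) >= 4:
            interfaces[current]["network"] = ipaddress.IPv4Interface(
                f"{words[2]}/{words[3]}").network
        elif words[:2] == ["ip", "nat"] and len(words) == 3:
            interfaces[current]["nat"] = words[2]   # 'inside' or 'outside'
        elif words == ["shutdown"]:
            interfaces[current]["shutdown"] = True
    return interfaces


def default_route_interface(config, interfaces):
    """Interface the default route leaves through: a named interface, or the one
    whose connected subnet contains the next hop."""
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if not m:
        return None
    next_hop = m.group(1)
    if next_hop in interfaces:
        return next_hop
    hop = ipaddress.IPv4Address(next_hop)
    for name, data in interfaces.items():
        if data["network"] is not None and hop in data["network"]:
            return name
    return None


def nat_acl_permits_any(config):
    """True when the access-list named in 'ip nat inside source list N ...' permits any."""
    m = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    if not m:
        return False
    pattern = rf"^access-list {re.escape(m.group(1))} permit (ip )?any\b"
    return re.search(pattern, config, re.M) is not None


def lint(config):
    """Return a list of findings; an empty list means the three checks pass."""
    interfaces = parse_interfaces(config)
    egress = default_route_interface(config, interfaces)
    findings = []
    for name, data in interfaces.items():
        if data["nat"] == "inside" and data["shutdown"]:
            findings.append(f"{name}: 'ip nat inside' interface is shut down")
        if data["nat"] == "outside" and egress is not None and name != egress:
            findings.append(f"{name}: has 'ip nat outside' but the default route "
                            f"leaves via {egress}")
    if egress is not None and interfaces[egress]["nat"] != "outside":
        findings.append(f"{egress}: carries the default route but lacks 'ip nat outside'")
    if nat_acl_permits_any(config):
        findings.append("NAT access-list permits 'any'; restrict it to the inside subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports all four problems the reply points out; applying the reply's four changes (no shutdown, move 'ip nat outside' to Serial0/0, tighten access-list 1) brings the list to empty. The default-route test is the important one: the outside interface is wherever packets to the Internet actually leave, regardless of what the description says.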

Thanks everyone, almost there. The router has address 10.0.0.1 on FA 1/0 (INSIDE) and 206.xx.xxx.241 on FA 0/0 (OUTSIDE), and from a W2K laptop I can ping both, but the browser doesn't work. The settings for the laptop:

ip = 10.0.0.102 255.255.255.0
gateway 10.0.0.1 (Cisco 2620)
nameservers 206.xx.xxx.242 (VMS box)
nameservers 206.xx.xxx.245 (VMS box)

Now the VMS boxes also have 10-series addresses, and I tried entering one of them into the settings for the laptop, but that didn't work either.

Running tracert to kednos.com from the laptop, it takes two hops:

10.0.0.1
206.xx.xxx.242

if I use the 10.0.0.11 address for the nameserver. If I use the 206 address it doesn't make it.

Reply to
Tom Linden

I made the changes you suggested but still not getting out. I guess I am confused about what is INSIDE and what is OUTSIDE

csco#sho run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname csco
!
enable secret 5 $1$IQHh$0GBfTADUxGxspblAfubsen/
enable password
!
!
!
!
!
ip subnet-zero
ip name-server 206.xx.xxx.242
ip name-server 206.xx.xxx.245
!
!
!
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 206.xx.xxx.241 255.255.255.240
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 206.55.246.110 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.55.246.109
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 206.55.236.240 0.0.0.15 any
access-list 102 permit ip host 206.55.246.110 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!

Reply to
Tom Linden

Have a read of the linked page for an introduction to NAT.

To see what's happening:

  1. Add these commands to your config.

!
logging console info
logging buffered 65535
!

  2. Execute these commands.

# show ip nat stat
# debug ip nat

Ping 206.55.246.109 then 198.133.219.25 from your laptop on the 10 network.

# undebug all
# show log

Running debugs on your router *MIGHT* disrupt normal operations, depending on traffic and the like, so better do it at a quiet time.

Reply to
Martin Gallagher

On Sun, 19 Mar 2006 10:48:27 +1100, Martin Gallagher wrote:

OK, here is what I got, doesn't seem to be too helpful. Now from the 10 networks I can ping all the nodes on the 206 network and I can ping my end of the serial line (206.55.246.110)

csco(config)#logging console info
csco(config)#logging buffered 65535
csco(config)#exit
csco#
3d17h: %SYS-5-CONFIG_I: Configured from console by console
csco#sho ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 7602  Misses: 525
Expired translations: 526
Dynamic mappings:
-- Inside Source
access-list 1 interface FastEthernet0/0 refcount 0
csco#debug ip nat
IP NAT debugging is on

RAN THE TWO PINGS FROM LAPTOP

csco#undebug all
All possible debugging has been turned off
csco#sho log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level informational, 267 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 3 messages logged
    Trap logging: level informational, 270 message lines logged

Log Buffer (65535 bytes):

3d17h: %SYS-5-CONFIG_I: Configured from console by console
csco#

AND FOR REFERENCE HERE IS THE CONFIG

csco#sho config
Using 2728 out of 29688 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname csco
!
enable secret 5 $1$IQHh$0GBfTADUxpblAfubsen/
enable password
!
!
!
!
!
ip subnet-zero
ip name-server 206.55.236.242
ip name-server 206.55.236.245
!
!
!
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 206.55.236.241 255.255.255.240
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 206.55.246.110 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 no ip mroute-cache
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.55.246.109
ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 deny icmp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 206.55.236.240 0.0.0.15 any
access-list 102 permit ip host 206.55.246.110 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password cypress
 login
!
no scheduler allocate
end

csco#

Reply to
Tom Linden

Well, you still have the wrong interface configured as your outside interface. S0/0 is your outside interface so change your config then repeat the test.

!
csco#sho ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  FastEthernet0/0
Inside interfaces:
  FastEthernet1/0
Hits: 7602  Misses: 525
Expired translations: 526
Dynamic mappings:
-- Inside Source
access-list 1 interface FastEthernet0/0 refcount 0

The 526 expired translations tell us that at some point NAT has been doing its job, which is to modify addresses in IP headers as and when appropriate. If we can get that happening again, we will be that much further ahead.

NAT will modify a packet that crosses the router from an "inside" to an "outside" interface, and the packet matches the NAT access list.

In your case:

10/24 -- F0/1 [Router] S0/0 -- Internet
Reply to
Martin Gallagher
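The rule in the reply above (a packet is translated only when it enters on an 'ip nat inside' interface, is routed out an 'ip nat outside' interface, and matches the NAT access-list) is exactly why the mis-tagged Fa0/0 was fatal: the default route sent the laptop's packets out S0/0, which nobody had marked outside, so nothing was translated and 'show ip nat stat' kept reporting zero active translations. The model below is an added example, not code from the thread. It rebuilds the thread's topology with RFC 5737 documentation addresses (203.0.113.241/28 standing in for the Fa0/0 block, 198.51.100.108/30 for the serial link, 192.0.2.25 for the destination host) and keeps 'ip nat inside source list 1 interface FastEthernet0/0 overload' as in the posted config. The class and function names (Packet, Router, build_router, ...) are the example's own.

```python
"""Model of when IOS NAT overload (PAT) rewrites a packet, as described in the
reply above. Added example, not code from the thread; addresses are RFC 5737
documentation ranges standing in for the thread's real ones."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class Router:
    def __init__(self, nat_acl, overload_interface):
        self.interfaces = {}      # name -> (IPv4Interface, "inside" | "outside" | None)
        self.routes = []          # (IPv4Network, egress interface name)
        self.nat_acl = [ipaddress.IPv4Network(n) for n in nat_acl]   # 'access-list 1'
        self.overload_interface = overload_interface   # '... interface X overload'
        self.forward_table = {}   # (inside src, sport) -> global port
        self.reverse_table = {}   # global port -> (inside src, sport)
        self.next_port = 1024

    def add_interface(self, name, address, nat=None):
        self.interfaces[name] = (ipaddress.IPv4Interface(address), nat)

    def add_route(self, prefix, next_hop):
        # Resolve the next hop to a connected interface, as the routing table does.
        self.routes.append((ipaddress.IPv4Network(prefix), self.egress_for(next_hop)))

    def egress_for(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        dst = ipaddress.IPv4Address(dst)
        candidates = [(iface.network, name) for name, (iface, _) in self.interfaces.items()]
        candidates += self.routes
        matches = [(net.prefixlen, name) for net, name in candidates if dst in net]
        return max(matches)[1] if matches else None

    @property
    def global_ip(self):
        return str(self.interfaces[self.overload_interface][0].ip)

    def acl_permits(self, src):
        return any(ipaddress.IPv4Address(src) in net for net in self.nat_acl)

    def forward(self, ingress, pkt):
        """Return (egress interface, packet as it leaves). IOS order of operations:
        outside->inside packets are un-translated before routing; inside->outside
        packets are routed first and translated only if the chosen egress
        interface is 'ip nat outside' and the source matches the NAT ACL."""
        in_role = self.interfaces[ingress][1]
        if in_role == "outside" and pkt.dst == self.global_ip and pkt.dport in self.reverse_table:
            inside_src, inside_port = self.reverse_table[pkt.dport]
            pkt = replace(pkt, dst=inside_src, dport=inside_port)
        egress = self.egress_for(pkt.dst)
        if egress is None:
            return None, None
        out_role = self.interfaces[egress][1]
        if in_role == "inside" and out_role == "outside" and self.acl_permits(pkt.src):
            key = (pkt.src, pkt.sport)
            if key not in self.forward_table:
                self.forward_table[key] = self.next_port
                self.reverse_table[self.next_port] = key
                self.next_port += 1
            pkt = replace(pkt, src=self.global_ip, sport=self.forward_table[key])
        return egress, pkt


def build_router(outside_interface):
    """The thread's 2620: Fa0/0 on the public /28, S0/0 on the ISP's /30 carrying
    the default route, Fa1/0 on 10.0.0.0/24. outside_interface is the one that
    carries 'ip nat outside'."""
    r = Router(nat_acl=["10.0.0.0/24"], overload_interface="FastEthernet0/0")
    r.add_interface("FastEthernet0/0", "203.0.113.241/28",
                    "outside" if outside_interface == "FastEthernet0/0" else None)
    r.add_interface("Serial0/0", "198.51.100.110/30",
                    "outside" if outside_interface == "Serial0/0" else None)
    r.add_interface("FastEthernet1/0", "10.0.0.1/24", "inside")
    r.add_route("0.0.0.0/0", "198.51.100.109")   # ip route 0.0.0.0 0.0.0.0 <ISP end>
    return r


if __name__ == "__main__":
    probe = Packet("10.0.0.102", "192.0.2.25", 40000, 80)   # laptop -> a web server
    for outside in ("FastEthernet0/0", "Serial0/0"):
        router = build_router(outside)
        egress, out = router.forward("FastEthernet1/0", probe)
        print(f"ip nat outside on {outside}: leaves {egress} as {out.src}:{out.sport}")
```

With 'ip nat outside' on Fa0/0 the laptop's packet leaves S0/0 still sourced from 10.0.0.102 and no translation entry is created; in the posted config access-list 102 (out on S0/0) would then drop it as a non-206 source, and the upstream would have discarded it anyway. With S0/0 tagged outside the same packet leaves as 203.0.113.241:1024, and the reply addressed to that port is un-translated back to 10.0.0.102:40000 before routing, which is also why overloading on Fa0/0's address keeps working after the outside tag moves to S0/0: that address is reachable over the serial link, and NAT claims the reply before the router treats it as traffic for itself.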

Thank you, Martin. That took care of it. Also thanks to J.Cottingim for providing a good config template.

Tom

Reply to
Tom Linden

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.