WaxTrax
New Member
Posts: 7
Joined: Wed Oct 24, 2012 7:27 pm
Certs: CCNP, CCDP, JNCIA-Junos, MCSA 2012

Can't ping past gateway. NAT issues?

Wed Oct 24, 2012 7:57 pm

Hello there,

I've spent the last two days working on this problem and it is killing me! I know the answer has to be something simple, but despite hours of searching and trying different things, I just can't seem to fix it.

Essentially, I am going to be installing a Cisco 2691 and use it as the default gateway for a small business. It will be directly connected to a cable modem with a static IP. The other Ethernet interface is going to connect to a 2950 switch with a couple different VLANs.

The problem I'm having is that I can ping anything external from the router itself. From the clients connected to the 2950, I can ping IPs in other VLANs, and I can ping up to the IP of the external interface, but no pings go beyond that.

I've set up NAT overload on the router, and when I do a debug ip nat, I see the pings trying to get through with the proper translations, but I still don't receive ICMP replies back.

I set up GNS3 to simulate what I'm trying to accomplish (since it emulates a 2691). Attached is a jpg of the topology -- on the right is the "simulated ISP" with 3 loopback networks and one host on a different subnet. The 2691 has a static route to the "Internet" router, and can ping everything attached to the router, including the host. The host (5.5.5.5) can also ping the outside interface of the 2691 (50.50.50.2).

However, the hosts behind the 2691 can't ping past 50.50.50.2. The 192.168.0.x network can be ignored, because that network won't need to access the Internet. But the 10.10.20.x (VLAN 20) and 10.10.30.x (VLAN 30) networks will need to. In the simulation, the hosts are 10.10.20.5 and 30.5. They can ping each other, their default gateways, and the 2691 outside interface (50.50.50.2) but not the other side, the "Internet" router at 50.50.50.1 or beyond.

Here is my config for the 2691:

==================================
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2691router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface FastEthernet0/0
ip address 50.50.50.2 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.20
encapsulation dot1Q 20
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.30
encapsulation dot1Q 30
ip address 10.10.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.100
encapsulation dot1Q 100
ip address 192.168.0.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.50.50.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
================================

When I ping from one of the inside hosts with debug ip nat turned on, I get this:
*Mar 1 00:26:56.303: NAT*: s=10.10.30.5->50.50.50.2, d=5.5.5.5 [33204]

So it looks like it's working, but I never receive the reply back.

Here's a little more info:

2691router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 50.50.50.2 YES manual up up
FastEthernet0/1 unassigned YES unset up up
FastEthernet0/1.20 10.10.20.1 YES manual up up
FastEthernet0/1.30 10.10.30.1 YES manual up up
FastEthernet0/1.100 192.168.0.1 YES manual up up
NVI0 50.50.50.2 YES unset up up

and show ip route:

Gateway of last resort is 50.50.50.1 to network 0.0.0.0

50.0.0.0/30 is subnetted, 1 subnets
C 50.50.50.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.20.0 is directly connected, FastEthernet0/1.20
C 10.10.30.0 is directly connected, FastEthernet0/1.30
C 192.168.0.0/24 is directly connected, FastEthernet0/1.100
S* 0.0.0.0/0 [1/0] via 50.50.50.1

Just in case it matters, here's the config for the "Internet" router:

============================
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Internet
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
ip domain name lab.local
!
multilink bundle-name authenticated
!
archive
log config
hidekeys
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Loopback2
ip address 2.2.2.1 255.255.255.0
!
interface Loopback3
ip address 3.3.3.1 255.255.255.252
!
interface FastEthernet0/0
ip address 50.50.50.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 5.5.5.1 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
!
end
==========================
Internet#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 50.50.50.1 YES manual up up
FastEthernet0/1 5.5.5.1 YES manual up up
Loopback1 1.1.1.1 YES manual up up
Loopback2 2.2.2.1 YES manual up up
Loopback3 3.3.3.1 YES manual up up

show ip route:
Gateway of last resort is not set

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback1
50.0.0.0/30 is subnetted, 1 subnets
C 50.50.50.0 is directly connected, FastEthernet0/0
2.0.0.0/24 is subnetted, 1 subnets
C 2.2.2.0 is directly connected, Loopback2
3.0.0.0/30 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback3
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, FastEthernet0/1


Thank you so much to whoever looks at this. I know it must be something really easy and I feel stupid for not spotting it, but I've been trying for hours to make this work and I'm at my wit's end! LOL

[Attachment: gns3.jpg, GNS3 topology]
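As an added example (not from the post or anyone in this thread), here is a Python check for the NAT overload part of the 2691 config above: it reads the nat inside/outside roles per interface and the standard ACL, and reports any nat-inside subnet the overload ACL does not permit, or an overload interface that is not marked outside, two of the usual reasons a translation never shows up in debug ip nat. The config in the block is a constructed excerpt of the posted one, limited to the NAT-relevant lines.

```python
import ipaddress
import re

SAMPLE_CONFIG = """\
! constructed sample: only the NAT-relevant lines of the 2691 config posted above
interface FastEthernet0/0
 ip address 50.50.50.2 255.255.255.252
 ip nat outside
interface FastEthernet0/1.20
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1.30
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map interface name -> [network, nat_role] from IOS running-config text."""
    result, name = {}, None
    for raw in cfg.splitlines():
        words = raw.split()
        if raw.startswith("interface "):
            name = words[1]
            result[name] = [None, None]
        elif not raw.startswith(" "):
            name = None  # any unindented line ends the interface stanza
        elif name and words[:2] == ["ip", "address"]:
            result[name][0] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif name and words[:3] in (["ip", "nat", "inside"], ["ip", "nat", "outside"]):
            result[name][1] = words[2]
    return result

def audit_nat(cfg):
    """Findings: nat-inside subnets the overload ACL misses, or a wrong outside interface."""
    m = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload", cfg, re.M)
    if not m:
        return ["no 'ip nat inside source list ... overload' statement"]
    acl_id, outside = m.groups()
    # Standard ACL wildcard mask -> prefix length (assumes a contiguous wildcard).
    acl_nets = [ipaddress.ip_network(f"{a}/{32 - int(ipaddress.ip_address(w)).bit_length()}", strict=False)
                for a, w in re.findall(rf"^access-list {acl_id} permit (\S+) (\S+)", cfg, re.M)]
    ifaces, findings = parse_interfaces(cfg), []
    if ifaces.get(outside, [None, None])[1] != "outside":
        findings.append(f"{outside} is not marked 'ip nat outside'")
    for name, (net, role) in ifaces.items():
        if role == "inside" and net is not None and not any(net.subnet_of(a) for a in acl_nets):
            findings.append(f"{name} ({net}) is 'ip nat inside' but ACL {acl_id} does not permit it")
    return findings
```

Run against the posted config it returns no findings, which matches the thread's conclusion that the router side was correct.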

cadetalain
Member
Posts: 159
Joined: Tue Oct 11, 2011 2:05 pm
Certs: CCNP-CCNA Security-CCNA Voice-CCNA

Re: Can't ping past gateway. NAT issues?

Thu Oct 25, 2012 9:08 am

Hi,

The Internet user must have a route to 50.50.50.2 and I suppose this is not the case.
Configure 5.5.5.1 as its default gateway.

Regards.

WaxTrax
New Member
Posts: 7
Joined: Wed Oct 24, 2012 7:27 pm
Certs: CCNP, CCDP, JNCIA-Junos, MCSA 2012

Re: Can't ping past gateway. NAT issues?

Thu Oct 25, 2012 9:22 am

Thanks for taking the time to look at this, I appreciate your time.

When I was testing, I set the InternetUser's gateway to 5.5.5.1 and it can ping to the other end of the router link, 50.50.50.2 with no problems.

I was trying to go the other way -- reach the InternetUser IP (5.5.5.5) from, for example, ManagerPC (10.10.20.5).

For some reason, 10.10.20.5 (and 10.10.30.5) can ping 50.50.50.2, but not 50.50.50.1 or 5.5.5.5.

WaxTrax
New Member
Posts: 7
Joined: Wed Oct 24, 2012 7:27 pm
Certs: CCNP, CCDP, JNCIA-Junos, MCSA 2012

Re: Can't ping past gateway. NAT issues?

Thu Oct 25, 2012 9:32 am

I think I might have narrowed it down to a routing problem. On the virtual 2691, I added another Ethernet interface and connected a new host, 4.4.4.5, with the router's interface as 4.4.4.1. This interface (and host) are directly connected to the router and are not behind the NAT or VLAN configurations. With this, I get the same results as before, where I can ping 50.50.50.2, but not 50.50.50.1 or beyond.

I have a default route from 0.0.0.0 to 50.50.50.1 on the 2691 router, so I'm not understanding why this isn't working.

EDIT: I think I just confused myself further. On the "Internet" router, I put two static routes -- 4.4.4.0/24 to 50.50.50.2, and 10.10.20.0/24 to 50.50.50.2.

Now 4.4.4.5 and 5.5.5.5 can ping each other back and forth. 10.10.20.5 of course, still can't ping because there's no route to it because it is behind the NAT.

However, the confusing part to me is that a regular cable ISP isn't going to create routes back to your IP address, are they? Using this example, if they lease 50.50.50.2 to you, does their routing table simply show that IP as directly connected, or how does that work?

When I have a private IP behind a public NAT overload IP, the pings are sent from the private IP to the public IP, which then pings the destination on behalf of the private IP. When I do a "debug ip nat" I can see this. But the ping doesn't come back for some reason. I guess I don't understand what's happening on your ordinary SOHO NAT router that makes this work, but my manual configuration isn't working.

WaxTrax
New Member
Posts: 7
Joined: Wed Oct 24, 2012 7:27 pm
Certs: CCNP, CCDP, JNCIA-Junos, MCSA 2012

Re: Can't ping past gateway. NAT issues?

Fri Oct 26, 2012 10:30 am

SOLVED!

It turns out that I did do everything correctly -- the problem was with the GNS3 VPCS clients. For whatever reason, they don't support the full ICMP.

I tried replacing the "ManagerPC" with a router -- I disabled IP routing on it to make it act like a regular client PC, and everything started working properly.

So the problem was with VPCS, not my configuration, which means it will work like it's supposed to on a production network.

Thanks again to cadetalain and anyone else that read this -- I really do appreciate your time and look forward to being a participating member here :-)

