Need help with home lab setup

Phillies8607

Hey guys, so I'm wondering if someone can pinpoint the problem for me. I just recently started labbing as I study for the CCENT and I'm having trouble getting out to the internet via my Cisco 1841. I have the 1841 router and 2 switches (3550 and 3560).

Here is the setup: Comcast Modem (wireless gateway) > 1841 > 3560 > 3550 > PC. Since I couldnt get the serial port on the 1841 to work (I know its a T1 connection but I heard it can work with cable modems) I used the 2 FA ports on the 1841 to segment the networks. Since the Comcast modem has a 10.0.0.0/24, I put a static IP of 10.0.0.12 on Fa0/0 and made that the WAN port. Then I set up a static IP of 10.1.1.12 on the fa0/1 port with the 2 switches and my PC all on the 10.1.1.0/24 network. There is no DHCP or any other routing protocols set up, everything is statically assigned. I just wanted to see of I could get it to work.

Basically, from the 1841 I can ping everything on the local side and the WAN side including 10.0.0.1 and google. But, from the PC I can ping everything locally and even the fa0/0 port (10.0.0.12 WAN side port) of the 1841, but I cannot ping the Comcast modem (10.0.0.1) or anything else on the outside.

What am I missing? Let me know, much appreciated. Here is the running config below:



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1841
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$pu13$nI4sCbd9QTcTQGouVuN.K.
!
no aaa new-model
dot11 syslog
ip source-route
!
!
!
!
ip cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0/0
description WAN Port
ip address 10.0.0.12 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Port
ip address 10.1.1.12 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
ip address 10.2.2.2 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
no ip http server
no ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

clarson

do a show ip route command
anything in the routing table that points to the internet. it should know about 10.0.0.0 and 10.1.1.0, but it doesn't know where to send traffic for any other networks. So you need to add a default route that tells it to send all traffic to networks it doesn't know about to your internet connection.

do something like this:

ip route 0.0.0.0 0.0.0.0 (exit interface/next hop ip address)
ip default-network (network number)

TechGuru80

For starters, you don't have NAT setup.

clarson

he has a comcast modem that is probably doing NAT for him.

And, the T1 card can do a lot of things, but ethernet isn't one of them.

Phillies8607

Yes, the Comcast modem is doing NAT. And there is a default route set up of "ip route 0.0.0.0 0.0.0.0 10.0.0.1" 10.0.0.1 is the default gateway of the Comcast modem. Here's what I cant figure out though. When I'm consoled into the 1841 I can ping out to google and ping the Comcast modem as well as ping everything on the local side. On the PC I have a static IP of 10.1.1.20 and can ping everything on the local side (10.1.1.0/24) and even the exit interface of the 1841(fa0/0, 10.0.0.12).

GDaines

TechGuru80 wrote: »

For starters, you don't have NAT setup.

That is correct. While NAT on the Comcast will work for the directly connected 1841 router, it won't work for anything else on the internal network. For that he'll need NAT on the 1841 as well...

clarson wrote: »

ip route 0.0.0.0 0.0.0.0 (exit interface/next hop ip address)
ip default-network (network number)

Clarson is referring to the gateway of last resort. I personally don't have this set up on my 1841 as I use a layer3 3560 switch for my DHCP and inter-vlan routing so it's set on that. The router is purely for my internet connection.

Phillies8607 wrote: »

Here's what I cant figure out though. When I'm consoled into the 1841 I can ping out to google and ping the Comcast modem as well as ping everything on the local side. On the PC I have a static IP of 10.1.1.20 and can ping everything on the local side (10.1.1.0/24) and even the exit interface of the 1841(fa0/0, 10.0.0.12).

I have a very similar setup - a Cisco network connecting to an 1841 router and onwards to my cable modem for a route out to the Internet. As suggested by TechGuru, I had to set up NAT on the 1841 to allow the Cisco network to route outside. Your Comcast is doing NAT for the 1841, but you have nothing doing NAT for the internal clients.

Key entries from my running config:

interface FastEthernet0/0
ip address 10.10.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
ip nat pool mypool 192.168.2.7 192.168.2.7 netmask 255.255.0.0
ip nat inside source list 1 pool mypool overload

If you can see, Ethernet0 points to my internal network (to a layer3 switch which handles VLANs and DHCP and to which all other switches and devices ultimately connect back to) using IP 10.10.0.1 on the router and 10.10.0.2 on the switch. On this port I've configured 'ip nat inside' as it's my inside network. On the switch connection (a 3560 in my case) I used the 'no switchport' command.

Ethernet1 points to my cable modem and onwards to the Internet. My cable modem is running DHCP as it provides addresses to my home network so I've set up the port simply to receive a DHCP address. On this port I've configured 'ip nat outside' as it goes outside to the Internet.

Finally I configured NAT Overload which allows many internal clients to share a single internet-facing IP address (this is where a business would configure one or more public IP addresses provided by the ISP to be shared by the internal clients when accessing the Internet).

I created a pool of addresses called 'mypool' containing a single address (start address 192.168.2.7, end address 192.168.2.7) with a mask of 255.255.0.0 which is IP address given to my router interface by my cable modem using DHCP. I have set a static reservation on my cable modem so that it always gives my 1841 router this IP address, and then left the modem-to-router connection on DHCP to avoid misconfiguring any setting.

Hope this helps...

clarson

Yes GDaines is right. You will have to setup nat on the 1841. While the cable modem is doing nat, it probably doesn't have a routing table. Or, for that matter doesn't have a way to add static routes, or a default route, or running a routing protocol. So, the cable modem doesn't know how to deal with traffic for the 10.1.1.0 network. Just like the 1841 didn't know what to do with 10.1.1.0 traffic till it was given a static, or default route telling it to send the traffic to the cable modem.

Being the cable modem only knows about the 10.0.0.0 network. You use nat on the 1841 to translate all the 1841 inside traffic to the 10.0.0.12 address. So, internet traffic comes to the cable modem gets translated to the 10.0.0.0 addresses. And, for the 10.1.1.0 traffic, it is translated to 10.0.0.12 and goes to the 1841 router. The 1841 would translate the traffic into it's inside traffic. Which for what is configured so far, would be the 10.1.1.0 addresses. And, the 1841 router knows where to send that traffic.

TechGuru80

clarson wrote: »

he has a comcast modem that is probably doing NAT for him.

And, the T1 card can do a lot of things, but ethernet isn't one of them.

The ISP router doesn't share routes with a Cisco router which is why you have to setup NAT on the Cisco router. The NAT on the ISP router works since he can ping from the Cisco router but since he cannot ping from inside the Cisco router we know that the problem is at the router or on the client and not with the ISP. Trace route could help diagnose where the issue is at too.

Basically in the current situation, the ISP router doesn't know where to forward return traffic because it doesn't know anything about the subnet where the client sits.

Phillies8607

So I finally got it working. Whew took a lot of research to figure it out. You guys were right I did have to set up NAT, I must have set it up 1000 times today and it still didn't work! I knew it could be done and was doing everything I needed to do but I figured I was messing up with the config somewhere. I Enabled inside and outside NAT, created the NAT pool, created the ACL, and pointed it them to the right addressed. I kept doing it over and over and trying different ways. Turns out there's an exact order to to all these steps or it doesn't work. First assign IPs to the interface, then create the ACL, then create the pool, then enable inside NAT, then outside NAT. Maybe it was the order I was enabling NAT on the interfaces. Idk, I wrote it down. Anyways thanks guys!