dhcp question

thisisalex02 Posts: 136 Member
Well, right now this is my setup... I've got a static modem from my ISP going into my 3640 on fa1/0. I set up static on fa1/0 and did a static route of 0.0.0.0 0.0.0.0 71.40.52.185, so as of now I can ping and telnet to the usable. Then fa1/1 has a private IP of 10.0.0.1/8. That interface is going into my switch (1900) and of course I have the comps plugging into the switch. I set up a DHCP pool.. and the computers are getting private IPs.. I just can't get them on the net. I know I'm missing something.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3640
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool lan
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1 255.0.0.0
dns-server 24.93.40.36
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 71.40.52.186 255.255.255.252
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface FastEthernet1/1
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface Serial1/1
no ip address
shutdown
!
ip http server
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.40.52.185
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Anybody see what I'm missing or doing wrong? Somehow I can't pass traffic from fa1/1 to go out 1/0.
Switches are bridges on steroids!

Comments

  • mikej412 Posts: 10,090 Member
    Anybody see what I'm missing or doing wrong? Somehow I can't pass traffic from fa1/1 to go out 1/0.
    NAT or PAT (overloaded NAT) for one. Private addresses are not allowed on the internet -- and if you're not filtering them, your ISP is.

    Did you check that your router can ping something on the internet?

    What are you using for name resolution (DNS)?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • thisisalex02 Posts: 136 Member
    Yeah, I'm able to ping out from the 3640. I'm not trying to go on the internet with just a private IP (come on now). I have my static IP on interface 1/0, and fa1/1 is going into my switch, which in turn connects my computers. So through the 1/0 interface I can ping out through the internet; I'm just trying to get my 1/1 interface, which is connected to the switch, to route through the 1/0 interface so that my private IPs go through my public.. So yeah, NAT needs to be set up.
  • thisisalex02 Posts: 136 Member
    Tried this but still a no go..

    3640#sh run
    Building configuration...

    Current configuration : 1216 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 3640
    !
    boot-start-marker
    boot-end-marker
    !
    no logging console
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip cef
    !
    ip dhcp pool lan
    network 10.0.0.0 255.0.0.0
    default-router 10.0.0.1 255.0.0.0
    dns-server 24.93.40.36
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Serial0/0
    no ip address
    shutdown
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet1/0
    ip address 71.40.52.186 255.255.255.252
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Serial1/0
    no ip address
    shutdown
    !
    interface FastEthernet1/1
    ip address 10.0.0.1 255.0.0.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface Serial1/1
    no ip address
    shutdown
    !
    ip http server
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 71.40.52.185
    !
    ip nat pool private_access 10.0.0.2 10.0.0.5 netmask 255.0.0.0
    ip nat inside source list 1 pool private_access
    !
    access-list 1 permit 10.0.0.0 0.255.255.255
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    login
    !
    !
    end
  • forbesl Posts: 454 Member
    You're still trying to push private IP addresses across the internet, and as mikej412 stated, these will be filtered.

    Remove these two entries:

    ip nat pool private_access 10.0.0.2 10.0.0.5 netmask 255.0.0.0
    ip nat inside source list 1 pool private_access

    And replace them with this one:

    ip nat inside source list 1 interface FastEthernet1/0 overload

    This will translate all permitted traffic from access list 1 to the static IP address associated with f1/0.
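
An added example, not part of the reply above or of any Cisco tooling: a small audit of `ip nat` statements that flags the failure discussed in this thread, a NAT pool that is itself made of private addresses, and shows that the suggested interface overload statement passes. The function name `audit_nat` is hypothetical; the config lines are the ones quoted in the thread.

```python
import ipaddress
import re

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
RULE_RE = re.compile(
    r"^ip nat inside source list (\S+) (?:pool (\S+)|interface (\S+))( overload)?")

def audit_nat(config):
    """Return findings for NAT rules that cannot give inside hosts Internet access."""
    pools, findings = {}, []
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        m = POOL_RE.match(ln)
        if m:
            name, start, end, _mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
    for ln in lines:
        m = RULE_RE.match(ln)
        if not m:
            continue
        acl, pool, _iface, overload = m.groups()
        if not pool:
            continue  # translating to the outside interface address: nothing to flag
        if pool not in pools:
            findings.append(f"list {acl}: pool {pool} is not defined")
            continue
        start, end = pools[pool]
        if start.is_private or end.is_private:
            # Source is rewritten from one private address to another one.
            findings.append(f"list {acl}: pool {pool} translates to private "
                            f"addresses {start}-{end}")
        if not overload:
            size = int(end) - int(start) + 1
            findings.append(f"list {acl}: pool {pool} without overload serves "
                            f"only {size} inside hosts at a time")
    return findings

# The two NAT statements from the non-working config in the thread.
BROKEN = """
ip nat pool private_access 10.0.0.2 10.0.0.5 netmask 255.0.0.0
ip nat inside source list 1 pool private_access
"""
# The single replacement statement suggested in the reply above.
FIXED = "ip nat inside source list 1 interface FastEthernet1/0 overload"

if __name__ == "__main__":
    for finding in audit_nat(BROKEN):
        print("BROKEN:", finding)
    print("FIXED findings:", audit_nat(FIXED))
```
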
  • thisisalex02 Posts: 136 Member
    AHHHH! It all makes sense now... OK, I gotta read more.. hehe.. but thanks, everything's up and running.
  • HELLZxPHADER Posts: 74 Member
    clock timezone EST -3
    ip subnet-zero
    !
    !Use your favorite nameserver either ISP or other
    !
    ip name-server xx.xx.xx.xx
    ip name-server xx.xx.xx.xx
    !
    !Use the router as a DHCP server for your network
    !
    no ip dhcp conflict logging
    !
    ! exclude a range for your printers, router and any other static device
    !
    ip dhcp excluded-address 10.1.1.1 10.1.1.9
    !
    ip dhcp pool DHCP-POOL
    network 10.1.1.0 255.255.255.0
    domain-name cox.rr.com
    dns-server 24.28.192.64 24.28.192.65
    default-router 10.1.1.1
    !
    !
    interface Ethernet0/0
    description Outside interface to COX/RR
    !
    !This will force the assigned MAC(if needed) to the Ethernet interface
    !
    mac-address 0050.9999.c3be
    ip address dhcp
    ip nat outside
    ip access-group 107 in
    !
    interface Ethernet0/1
    description Inside interface to your network
    ip address 10.1.1.1 255.255.255.0
    ip nat inside
    !
    ip nat inside source list 1 interface Ethernet0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0
    no ip http server
    !
    access-list 1 permit 10.1.1.0 0.0.0.255
    !
    !Access list 107 will deny private IP ranges from outside your network to come in as a
    !security measure. It also denies ICMP PINGs to help *hide* the router from scanners. Lastly
    !it denies the FINGER protocol.
    !
    access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
    access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
    access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
    access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
    access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
    access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
    access-list 107 deny icmp any any echo log
    access-list 107 deny tcp any any eq finger
    access-list 107 permit ip any any
    ! no cdp run
    !
    end

    The access-list from this show run is the part that connected me; without it you'll be able to ping everything but won't be able to connect to the internet. I'm currently connected with only 3 of the 107 lines.
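
An added example, not part of the post above: it compares the source-address deny entries of access-list 107 with the three RFC 1918 private ranges and reports whether each range is matched exactly, by a wider entry, only in part, or not at all. The function names are hypothetical; the ACL lines are copied from the post.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DENY_RE = re.compile(r"^access-list (\d+) deny\s+ip (\S+) (\S+) any")

def denied_sources(config, acl="107"):
    """Networks matched by 'deny ip <addr> <wildcard> any' entries of one ACL."""
    nets = []
    for line in config.splitlines():
        m = DENY_RE.match(line.strip())
        if m and m.group(1) == acl:
            # ipaddress accepts a contiguous IOS wildcard as a host mask.
            nets.append(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}"))
    return nets

def rfc1918_coverage(config, acl="107"):
    """Map each RFC 1918 range to 'exact', 'overbroad', 'partial' or 'missing'."""
    nets = denied_sources(config, acl)
    report = {}
    for private in RFC1918:
        if private in nets:
            status = "exact"
        elif any(private.subnet_of(n) for n in nets):
            status = "overbroad"   # the entry also denies addresses outside the range
        elif any(n.subnet_of(private) for n in nets):
            status = "partial"     # only a slice of the range is denied
        else:
            status = "missing"
        report[str(private)] = status
    return report

# Source-address deny entries of access-list 107 as posted above.
ACL_107 = """
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
"""

if __name__ == "__main__":
    for rng, status in rfc1918_coverage(ACL_107).items():
        print(f"{rng:<16} {status}")
```

For the list as posted it reports 10.0.0.0/8 as exact, 172.16.0.0/12 as overbroad (the 172.0.0.0 entry also matches addresses outside the private range) and 192.168.0.0/16 as partial.
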
  • mikej412 Posts: 10,090 Member
    AHHHH! it all makes sense now...
    :D It just looked like you need a nudge in the right direction -- I almost just posted "NAT"

    Hum -- 3640..... beginning of a Cisco Home Lab? Or a work thing?
  • thisisalex02 Posts: 136 Member
    It's my home lab.. I got a 3640 and two 2503's with a crappy 1924.. need to get me a 2950.