dhcp question

Well right now this is my setup... i got static modem from my isp going into my 3640 on fa1/0. i set up static on fa1/0 and did static route of 0.0.0.0 0.0.0.0 71.40.52.185. so as of now i can ping and telnet to the useable. then on fa1/1 it has a private ip of 10.0.0.1 /8. that interface is going into my switch (1900

) and of course i have the comps plugging into the switch. i set up dhcp pool.. and the computers are getting private ips.. i just cant get them on the net. I know im missing something.

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3640
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
ip dhcp pool lan
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1 255.0.0.0
dns-server 24.93.40.36
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 71.40.52.186 255.255.255.252
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface FastEthernet1/1
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface Serial1/1
no ip address
shutdown
!
ip http server
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.40.52.185
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

Anybody see what im missing or doing wrong? somehow i cant pass traffic from fa1/1 to go out 1/0.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mikej412

thisisalex02 wrote:

Anybody see what im missing or doing wrong? somehow i cant pass traffic from fa1/1 to go out 1/0.

NAT or PAT (overloaded NAT) for one. Private addresses are not allowed on the internet -- and if you're not filtering them, your ISP is.

Did you check that your router can ping something on the the internet?

What are you using for name resolution (DNS)?

thisisalex02

yea im able to ping out from the 3640. im not trying to go on the internet with just a private ip (come on now). i have my static ip on interface 1/0 and fa1/1 is going into my switch which in turn connects my computers. so through the 1/0 interface i can ping out through the internet, im just trying to get my 1/1 inerface which is connected to the switch, to route through the 1/0 interface so that my private ips go through my public.. So yea nat needs to be setup.

thisisalex02

tryed this but still a no go..

3640#sh run
Building configuration...

Current configuration : 1216 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3640
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-mode
ip subnet-zero
!
!
ip cef
!
ip dhcp pool lan
network 10.0.0.0 255.0.0.0
default-router 10.0.0.1 255.0.0.0
dns-server 24.93.40.36
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1/0
ip address 71.40.52.186 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial1/0
no ip address
shutdown
!
interface FastEthernet1/1
ip address 10.0.0.1 255.0.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial1/1
no ip address
shutdown
!
ip http server
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.40.52.185
!
ip nat pool private_access 10.0.0.2 10.0.0.5 netmask 255.0.0.0
ip nat inside source list 1 pool private_access
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

forbesl

You're still trying to push private IP addresses across the internet, and as mikej412 stated, these will be filtered.

Remove these two entries:

ip nat pool private_access 10.0.0.2 10.0.0.5 netmask 255.0.0.0
ip nat inside source list 1 pool private_access

And replace them with this one:

ip nat inside source list 1 interface FastEthernet1/0 overload

This will translate all permitted traffic from access list 1 to the static IP address associated with f1/0.

thisisalex02

AHHHH! it all makes sense now... ok i gotta read more.. hehe.. but thanks everythings up and running.

HELLZxPHADER

clock timezone EST -3
ip subnet-zero
!
!Use your favorite nameserver either ISP or other
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
!Use the router as a DHCP server for your network
!
no ip dhcp conflict logging
!
! exclude a range for your printers, router and any other static device
!
ip dhcp excluded-address 10.1.1.1 10.1.1.9
!
ip dhcp pool DHCP-POOL
network 10.1.1.0 255.255.255.0
domain-name cox.rr.com
dns-server 24.28.192.64 24.28.192.65
default-router 10.1.1.1
!
!
interface Ethernet0/0
description Outside interface to COX/RR
!
!This will force the assigned MAC(if needed) to the Ethernet interface
!
mac-address 0050.9999.c3be
ip address dhcp
ip nat outside
ip access-group 107 in
!
interface Ethernet0/1
description Inside interface to your network
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0
no http server
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Access list 107 will deny private IP ranges from outside your network to come it as a
!security measure. It also denies ICMP PINGs to help *hide* the router from scanners. Lastly
!it denies the FINGER protocol.
!
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit ip any any
! no cdp run
!
end

The access-list from this show run is the part that connected me, without it ull be able to ping everything but wont be able to connect to the internet. Im currently connected with only 3 of the 107 lines.

mikej412

thisisalex02 wrote:

AHHHH! it all makes sense now...

It just looked like you need a nudge in the right direction -- I almost just posted "NAT"

Hum -- 3640..... beginning of a Cisco Home Lab? Or a work thing?

thisisalex02

its my home lab.. i got a 3640 and two 2503's with a crappy 1924.. need to get me a 2950.