AT&T Community Forums
ttx336

Mentor

 • 

36 Messages

Fri, Nov 11, 2011 2:28 PM

3800RG, Cisco Routers and Static IPs

I've got a block of 8 static IPs, one A.B.C.64 /29 - A.B.C.70 is my default gateway, my Cisco E2000 router runs my main home LAN and is doing just fine. I am using two of the RG's ports to run my U-verse set-top boxes via Ethernet, one for the WAN link on the E2000 and one goes to a 4-port DLink switch that then goes to a Cisco 2621XM. Everything works super except the 2621... I have fa0/1 setup to A.B.C.66 (the E2000 is .65, btw) and I have fa0/0 set to 172.16.1.1 /24 and one PC connected to it set to 172.16.1.10 /24 with a default gateway of 172.16.1.1. I can ping A.B.C.70 from the 2621 just fine and I can ping an outside address such as Google, Apple, etc just fine. What is puzzling me to no end is why I CAN ping A.B.C.66 from the PC, and I CANNOT ping A.B.C.70???? What the heck, it's a directly connected interface; I cannot for the life of me understand this. The only thing I can come up with is that somehow the RG is not setting up a return route.

Responses

Accepted Solution

Official Solution

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

Two issues:

1. The ip nat inside source statement is NATting to the wrong interface. Correct line:

ip nat inside source list 1 interface FastEthernet0/1 overload

2. The inside interface needs to be marked as such. Add this line in the FastEthernet0/0 interface config:

ip nat inside


The reason you need both the ip default-gateway statement as well as the static default route statement is that the Ciscos use those two statements in different ways. The static default route statement affects packets that are passing through the router (i.e. being routed). The ip default-gateway statement affects packets originating or terminating on the router (i.e. a ping command given at the Cisco IOS prompt).

Accepted Solution

Official Solution

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

You should be able to telnet into xxx.xxx.xxx.66.

Try to telnet into that address from a computer that's connected directly to the 2Wire router and on a private IP address (192.168.x.x). This will rule out any issue with the Cisco R1 router.

If that works, you should be able to telnet in from outside on the Internet as well.

Make sure the firewall is turned off for the Cisco (on the 2Wire router, go to Settings -> LAN -> IP Address Allocation, look for the Cisco R1 device, and set the firewall to disabled.)

Note that if you disable the firewall like this, you probably will want to enable some kind of firewall on the Cisco. Use the Context-Based Access Control (CBAC) style of firewall, it's the easiest to set up.
SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

I've seen this happen on some Ciscos I've configured, and it's usually because there is a small issue in the Cisco config. A lot of times it's because you don't have NAT set up right. When you ping .70 from the Cisco, the Cisco is using .66 as the source, which doesn't involve NAT. When you ping .66 from the PC, the Cisco responds without invoking NAT. When you try to ping .70 from the PC, NAT has to be working right to get responses.

Post the Cisco config (xxx out your public IPs and any passwords) and we'll take a look.
ttx336

Mentor

 • 

36 Messages

9 years ago

I tried this before using NAT and with NAT, same result, this current config has NAT turned on. I am a novice so it is quite likely I have something setup wrong. For instance, it seems redundant to have both a default gateway to xxx.xxx.xxx.70 and also a quad-zero route, but I tried it just to see if it fixed it and haven't turned the default gateway back off. Another odd thing is that if I set up a quad-zero pointing directly to the fa0/1 it won't ping to the WAN, Google, Apple, etc, I must use the 0.0.0.0 0.0.0.0 xxx.xxx.xxx.70, why is that?

Here's my current config:

Building configuration...

Current configuration : 823 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address xxx.xxx.xxx.66 255.255.255.248
ip nat outside
duplex auto
speed auto
!
interface Serial0/1
no ip address
!
ip default-gateway xxx.xxx.xxx.70
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.70
!
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
ttx336

Mentor

 • 

36 Messages

9 years ago

thanks for the reply, I have corrected these via http and will test it when I get home tonight.

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

Very cool, let us know if it works.

By the way, on your last question about why the static default route has to point to xxx.xxx.xxx.70 vice pointing to FastEthernet0/1 is because having a default route point to an interface is a valid configuration only for point-to-point interfaces, like T1, Frame-Relay, serial, etc. In the point-to-point interface case, there is only one other host that the interface can talk to.

FastEthernet is a multipoint interface, so pointing the default route to the interface itself is not valid. It must point to an IP address within the subnet of that interface so that a single host on that logical network is designated as the default gateway.
ttx336

Mentor

 • 

36 Messages

9 years ago

awww geez! now I feel stupid!!! since you explained it, that makes perfect sense, there's my inexperience showing, I have never used a static route except in lab and always pointing to a point-to-point connected interface...

 

btw, I had my son wake up the computer at home and I pinged it, it replied so I may be good now!! Once I get home and check it out and am sure I will post that this is solved....

 

Thanks, -Gary

ttx336

Mentor

 • 

36 Messages

9 years ago

my son tested pings to xxx.xxx.xxx.70 as well as out to the WAN and said it reported 100% success!!

 

it's so nice to have computer literate kids at home, lol!!

 

Thanks again so very much,

Gary

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

Glad everything's working!

ttx336

Mentor

 • 

36 Messages

9 years ago

I've hit another snag in trying to get my complete lab running... R1 is doing great thanks to you... I added on R2 and R3 via WIC2T cards and Smart Serial cables. I have S0/0 on R1 set to 10.0.0.1 /30 and S0/1 set to 10.0.0.10 /30, R2 has S0/0 set to 10.0.0.2 /30 and S0/1 set to 10.0.0.5 /30; R3 has S0/1 set to 10.0.0.6 /30 and S0/0 set to 10.0.0.9 /30. I have EIGRP set up, all of the serial routes seem fine, but once again, I cannot ping the xxx.xxx.xxx.70. I took some shots in the dark with various static routes and NAT but to no avail. I have an EIGRP advertised route on R1 = xxx.xxx.xxx.64 and used "redistribute static" so that 0.0.0.0 0.0.0.0 xxx.xxx.xxx.70 is shown as "gateway of last resort" on the other two routers.

 

I thought I had this working before, but maybe not, I had copied the running-config to the startup-config so they are as they were before I shut them (R2 and R3) off to concentrate on getting R1 working. It seems like with the PC connected to R1 being able to ping the .70 address the other two router surely should be able to, but that is not the case.

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

Post the configs of all 3 routers and I'll take a look.
ttx336

Mentor

 • 

36 Messages

9 years ago

!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
!
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.0.1 255.255.255.252
 clock rate 64000
!
interface FastEthernet0/1
 ip address xxx.xxx.xxx.66 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.0.0.10 255.255.255.252
!
router eigrp 10
 redistribute static
 network 10.0.0.0
 network xxx.xxx.xxx.64 0.0.0.7
 no auto-summary
!
ip default-gateway xxx.xxx.xxx.70
ip nat inside source list 1 interface FastEthernet0/1 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.70
!
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end



!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.0.2 255.255.255.252
 no fair-queue
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.0.0.5 255.255.255.252
 clock rate 64000
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip http server
ip classless
!
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end



!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
no ip domain lookup
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.3.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.0.0.9 255.255.255.252
 clock rate 64000
 no dce-terminal-timing-enable
 no fair-queue
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/1
 ip address 10.0.0.6 255.255.255.252
 no dce-terminal-timing-enable
!
router eigrp 10
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip http server
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end

 thanks so much for looking at this... Gary

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

OK, so I assume by looking at the serial IP addresses that your 3 Cisco routers are connected in a triangle formation:

 

R1 S0/0 -> R2 S0/0

R1 S0/1 -> R3 S0/0

R2 S0/1 -> R3 S0/1

 

and the goal is to make all serial interfaces and the FastEthernet interfaces on R2 and R3 able to access the internet through R1.

 

The key here is that you must tell R1 that all of those addresses and the interfaces that those packets arrive on are eligible for NAT, because all packets must be NATted to the xxx.xxx.xx.66 address.

 

So, on R1:

 

1. Add the following line to the Serial0/0 interface:

 

ip nat inside

 

2. Add the following line to the Serial 0/1 interface:

 

ip nat inside

 

3. Adjust the NAT source list to include the other subnets that will need NAT:

 

access-list 1 permit 172.16.0.0 0.0.31.255

access-list 1 permit 10.0.0.0 0.255.255.255

 

(I cheated here, I added all private IP addressing in the 10.x and 176.16.x blocks to the access list rather than adding your in-use subnets.)

 

 

After you do this, all your routers should be able to access the internet, assuming your EIGRP is working correctly.
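Added example, not part of the thread or written by either poster: a small Python check for the NAT mistakes corrected in both answers (overload pointed at an interface that is not `ip nat outside`, an internal interface missing `ip nat inside`, and a source access list that does not cover an inside subnet). The function name `lint_nat`, the sample config and the 203.0.113.64/29 block standing in for the masked public addresses are constructed; it assumes one exit interface and contiguous wildcard masks.

```python
import ipaddress
import re

def lint_nat(config):
    """Findings for a single-exit PAT router (assumes every addressed interface is inside or outside)."""
    ifaces, acls, rule, cur, out = {}, {}, None, None, []
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif line == "!":
            cur = None  # '!' ends the interface stanza
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and line in ("ip nat inside", "ip nat outside"):
            cur["nat"] = line.split()[-1]
        elif m := re.fullmatch(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            rule = (m[1], m[2])
        elif m := re.fullmatch(r"access-list (\d+) permit (\S+) (\S+)", line):
            # contiguous wildcards only; ipaddress parses them as host masks
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    if rule is None:
        return ["no 'ip nat inside source list ... overload' rule"]
    acl, egress = rule
    if ifaces.get(egress, {}).get("nat") != "outside":
        out.append(f"NAT overloads onto {egress}, which is not 'ip nat outside'")
    for name, i in ifaces.items():
        if i["net"] is None or i["nat"] == "outside":
            continue  # unaddressed/shutdown ports and the WAN side need no inside mark
        if i["nat"] != "inside":
            out.append(f"{name} has an address but is not 'ip nat inside'")
        if not any(i["net"].subnet_of(n) for n in acls.get(acl, [])):
            out.append(f"access-list {acl} does not permit {i['net']} ({name})")
    return out

# Constructed sample modelled on R1 as first posted; 203.0.113.64/29 stands in for the masked block.
BROKEN = """\
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
!
interface FastEthernet0/1
 ip address 203.0.113.66 255.255.255.248
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 172.16.1.0 0.0.0.255
"""
# The two corrections from the accepted answer applied to the same sample.
FIXED = BROKEN.replace("FastEthernet0/0 overload", "FastEthernet0/1 overload").replace(
    "255.255.255.0\n", "255.255.255.0\n ip nat inside\n")
print(lint_nat(BROKEN), lint_nat(FIXED))
```

The check only sees directly connected subnets, so LANs behind R2 and R3 that reach R1 over the serial links still have to be covered by the access list by hand.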

 

ttx336

Mentor

 • 

36 Messages

9 years ago

Once again, you were dead-on, it is working great!!

 

Thank you so much... now, I gotta get my homework done, I am working on CCNA, I'm taking the Routing Protocols class currently so I am about halfway through. I find this all to be most fascinating.

 

We have been so satisfied with AT&T's U-verse... coming from Comcast running on coax, this has been a refreshing change. Last night we were watching only the second movie that we have rented from OnDemand, it had a few glitches but other than that, our service over the entire two months has been outstanding. We have FTTH at our new home and have just outstanding Internet and I think it is so cool to run the set-top boxes from Ethernet. We also have AT&T wireless and iPhones... I am VERY quickly becoming a huge AT&T fan and am considering seeking employment with them.

 

-Gary

SomeJoe7777

Expert

 • 

9.4K Messages

9 years ago

Very cool, glad it's working!
