Static routing issue.
CoolDaddySquid
Enthusiast - Level 2

Model A90-9100EM15-10.

Two devices are connected to the Verizon router, inside IP of Verizon router is 192.168.1.1.

Device 1 is a DLink router/firewall/wireless.  Outside address is DHCP 192.168.1.4.  Inside IP is 172.17.7.1.  This router and all devices attached to it (wired and wireless) work perfectly on a default reset of the Verizon router.

Device 2 is a Cisco 2600 router.  Outside address is hard-coded as 192.168.1.5.  Inside IP is 172.18.8.1.  The outside interface of this router can ping all the way out to the Internet (4.2.2.2).  The inside interface can ping the outside interface (172.18.8.1 -> 192.168.1.5).  The inside interface can only ping the Verizon router if a static route is entered:

Dest 172.18.8.0 255.255.255.0 to 192.168.1.5 metric 1.

The Cisco router cannot get beyond the outside interface of the Verizon router.

Anytime a ping attempt is made, the following message appears in the Verizon router's log:  Null-NAPT Outgoing

Again, the DLink works perfectly using only connected routes.  I've tried an advanced firewall filter in the Verizon router allowing all packets between the two subnets.  I've tried enabling RIP.  Nada.  

Thoughts?  

Thanks!

Re: Static routing issue.
jumpin68ny
Master - Level 2

You want the Crisco Router to have a static route of: 0.0.0.0 0.0.0.0 192.168.1.5.

Are you doing NAT on both devices?  I'm sure the DLINK is but if the Crisco is not you will want to add a static route in the VZ router:  172.18.8.0 255.255.255.0 192.168.1.5

Re: Static routing issue.
CoolDaddySquid
Enthusiast - Level 2

My "Crisco" router has a static route pointing to the Verizon router.  There is also a static route on the Verizon router to the Cisco 2600.

I am still unable to pass traffic.


Thanks!

Re: Static routing issue.
jumpin68ny
Master - Level 2

Are you using the static routes as I have indicated? 

If you look in the route tables of both devices, are both networks showing up?  

Re: Static routing issue.
CoolDaddySquid
Enthusiast - Level 2

> You want the Crisco Router to have a static route of: 0.0.0.0 0.0.0.0 192.168.1.5

I assume you mean a static route on the Cisco router of 0.0.0.0 0.0.0.0 192.168.1.1.  In this case, yes.  I have that route listed.  I cannot put a static route of 192.168.1.5 on the Cisco router because that's not the next hop IP, and such a setting isn't allowed in the Cisco router.  It literally refuses to configure the setting.  

> Are you doing NAT on both devices?  I'm sure the DLINK is but if the Crisco is not you will want to add a static route in the VZ router:  172.18.8.0 255.255.255.0 192.168.1.5

I am also doing this.  (Both of these should be listed in my original post).  

My Cisco router shows up in the ARP table, and the static route appears in the device's configuration.  Is there another place I need to go to look at the Verizon's routing table?

Re: Static routing issue.
CoolDaddySquid
Enthusiast - Level 2

Ok.  Here's what I've found out.

It's not the Verizon router that's the problem.  It's the device after the Verizon router that's the problem.  With static routes in place, my ping requests can get all the way out to the outside interface of the Verizon router, and the Verizon router knows exactly where to go.  However, anything past the outside interface of the Verizon router, and the ping requests halt.  Is this perhaps a Metric setting?  I don't know.   I tried using metrics other than 1, but to no avail.  I tried adding filtering rules between the two subnets on the Verizon and Cisco routers, and that didn't work either.  


Finally, I went to my original question.  Why does the DLink device work without a static route and the Cisco doesn't?  It FINALLY came to me.  NAT.  Or in this case, PNAT.  I kept seeing PNAT null requests from my hosts behind the Cisco router, and the addresses were always transparent (the subnet of the internal Cisco hosts), whereas the DLink ping requests all showed its external interface's IP as the ping requestor.

Since the Verizon device is doing PNAT also with its internal IP, its next hop only saw requests from its outside interface.  So when something came through, the Verizon's next hop would see a public address.  Since there was no translation between my Cisco's internal subnet and the Verizon's external IP, the Verizon router's next hop address was presumably seeing requests from an internal range and dropping the traffic because there was no route for it.   Once I put PNAT on my Cisco router, the Verizon router saw requests from the Cisco's External IP.  Because the Cisco's External IP is in the same range as the Verizon's internal IP, all of those requests are NAT'd and the Verizon router's next hop sees all of those requests as routable.

To get this working without putting PNAT on my Cisco router, I'd have to somehow be able to put this new range in the Verizon router's PNAT configuration, something that even the advanced configuration doesn't seem to offer.  While you can configure static NAT on this device, it does not appear that you can configure PNAT on it.  If I am wrong, please correct me.  


The solution is to configure PNAT on the Cisco router.  For those interested, the commands are as follows:

int f0/0 <Enter>
ip nat outside <Enter>
int f0/1 <Enter>
ip nat inside <Enter>
access-list 1 permit 172.18.8.0 0.0.0.255 <Enter>
ip nat inside source list 1 interface f0/0 overload <Enter>

That's it!

If anyone knows how to configure PNAT on this Verizon router, let me know, and I'll try the scenario out.

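The explanation in the solution post above, modeled as an added example that is not part of the original thread: each router overloads only the source networks in its own NAPT scope, so a routed-but-untranslated 172.18.8.0/24 source passes the Verizon router unchanged and is dropped upstream. The WAN address, host addresses, and the /24 masks on 192.168.1.0 and 172.17.7.0 are assumptions; the rest of the topology is from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WAN_IP = "203.0.113.10"  # constructed placeholder; the thread never gives the real WAN address


@dataclass
class Router:
    name: str
    outside_ip: str
    napt_scope: tuple = ()  # source networks overloaded (PAT) onto outside_ip

    def forward(self, src):
        """Return (source address the next hop sees, log line)."""
        if any(ip_address(src) in ip_network(net) for net in self.napt_scope):
            return self.outside_ip, f"{self.name}: NAPT {src} -> {self.outside_ip}"
        return src, f"{self.name}: no NAPT match for {src}, forwarded untranslated"


def trace(src, path):
    """Walk a packet's source address through each router toward the ISP."""
    log = []
    for router in path:
        src, line = router.forward(src)
        log.append(line)
    # The ISP next hop has no return route for RFC 1918 sources, so they are dropped.
    delivered = not any(ip_address(src) in net for net in RFC1918)
    log.append(f"ISP next hop: {'forwards' if delivered else 'drops'} source {src}")
    return src, delivered, log


# Topology from the thread; the /24 masks on 192.168.1.0 and 172.17.7.0 are assumed.
verizon = Router("verizon", WAN_IP, ("192.168.1.0/24",))
dlink = Router("dlink", "192.168.1.4", ("172.17.7.0/24",))
cisco_routed = Router("cisco", "192.168.1.5")                   # static routes only
cisco_pat = Router("cisco", "192.168.1.5", ("172.18.8.0/24",))  # access-list 1 + overload

if __name__ == "__main__":
    # Constructed inside-host addresses, one per scenario described in the thread.
    cases = [("172.17.7.20", dlink), ("172.18.8.10", cisco_routed), ("172.18.8.10", cisco_pat)]
    for host, edge in cases:
        seen, ok, log = trace(host, [edge, verizon])
        print(f"{host} via {edge.name}: ISP sees {seen}, delivered={ok}")
        for line in log:
            print("   ", line)
```
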