Users Cannot Access Itnernet

Unanswered Question
Jul 1st, 2008

Hi All,

The scenario:

Office LAN connected to ADSL line through a 851 Router (static IP) . LAN clients should have internet access through FE4 (ADSL Static IP)

Also remote users should connect with cisco VPN Client.

i have tried the configuration on my home pc.

I gave my PC the addres of the GW X.X.X.129 (My routers FE4 interface is X.X.X.130

When at home and my network card was connected on the routers FE4 port i could connect with telnet to the router interface and log in. I could use cisco vpn client and connect and also when on router with consoel i could ping the local private IP my PC was obtaining from the router. when i connect my PC on the switch interface and enable automatic IP ti gets IP from routers dhcp. I could not do any more tests.

My friend took the router and istalled it and the problems are:

WE cannot ping Router FE4. WE cannot telnet anymore to the router. The inside users on private LAN ( cannot access the internet !!!

the adsl modem works and works with for internet access with a simple SDM configuration !!!

Pleae review my config if you can and let me know what could be wrong !!!

I suspect NAT (cause i used source-map nat) for LAN not going on internet, but then again why cant i telnet ???

Please help !!!



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
stephen.stack Wed, 07/02/2008 - 00:44


Couple of things here for you to try.

1. Change the default route to ip route x.x.x.129 where x.x.x.129 is the next hop

2. add the command 'login' to the line vty 04


conf t

line vty 0 4


This should allow telnet sessions inbound.

The Nat command looks good. Use the 'show ip nat trans' to show active nat translations. This will help you troubleshoot NAT.

Also, check with your ISP to see if any type of authentication is required. i.e. PPPOE etc..

HTH (Please rate if it does)


a.alekseev Wed, 07/02/2008 - 02:41

no access-list 100 permit ip any

access-list 100 deny ip

access-list 100 permit ip any

no ip route FastEthernet4

ip route X.X.X.129

purohit_810 Wed, 07/02/2008 - 05:22

Why you need route-map?

can you remove route-map and check once?

in that case you have to change your nat statement:

ip nat inside source static nat interface FastEthernet4 overload


Dharmesh Purohit

g-serghiou Wed, 07/02/2008 - 20:41

Hi All,

Thanks all for your replies.

My concerns were about my default route (using FastE instead of static IP) ...

I will try the above (or get my friend to try them) and let you know what happens.

Can someone also please take a look at the VPN connection (Remote user Access) and comment if they seem ok (they worked ok with cisco vpn client but not XP client when i was on same cable with the router)

Thanks all.


jdcrowder Tue, 07/08/2008 - 14:17

Don't use Route-Maps for NAT - its a pain in the butt - use ACL's... You should also have an ACL applied to your Outside interface.

If you don't tell the router that your VPN traffic should NOT go out through NAT - it will.

Here is what my NAT ACL looks like;

ip access-list extended NAT

deny ip any !vpn client traffic

permit ip any

permit ip any

Hope this helps...



g-serghiou Tue, 07/08/2008 - 20:48

Hi josh,

I will take that onboard...

meanwhile i havent been able to try the above suggestions but i will as soon as i find some time.

all the help here is appreciated !




This Discussion