
Users Cannot Access Internet

g-serghiou
Level 1

Hi All,

The scenario:

Office LAN connected to ADSL line through an 851 router (static IP). LAN clients should have internet access through FE4 (ADSL static IP).

Also, remote users should connect with Cisco VPN Client.

I have tried the configuration on my home PC.

I gave my PC the address of the GW X.X.X.129 255.255.255.252 (my router's FE4 interface is X.X.X.130 255.255.255.252).

When at home and my network card was connected to the router's FE4 port, I could connect with telnet to the router interface and log in. I could use Cisco VPN Client and connect, and also when on the router with console I could ping the local private IP my PC was obtaining from the router. When I connect my PC to the switch interface and enable automatic IP, it gets an IP from the router's DHCP. I could not do any more tests.

My friend took the router and installed it and the problems are:

We cannot ping router FE4. We cannot telnet to the router anymore. The inside users on the private LAN (192.168.40.0) cannot access the internet !!!

The ADSL modem works, and works for internet access with a simple SDM configuration !!!

Please review my config if you can and let me know what could be wrong !!!

I suspect NAT (because I used source-map NAT) for the LAN not going on the internet, but then again why can't I telnet ???

Please help !!!

Thanks,

George

6 Replies

stephen.stack
Level 4

Hi

Couple of things here for you to try.

1. Change the default route to ip route 0.0.0.0 0.0.0.0 x.x.x.129 where x.x.x.129 is the next hop

2. Add the command 'login' to the line vty 0 4

i.e.

conf t

line vty 0 4

login

This should allow telnet sessions inbound.

The NAT command looks good. Use 'show ip nat trans' to show active NAT translations. This will help you troubleshoot NAT.

Also, check with your ISP to see if any type of authentication is required, i.e. PPPoE, etc.

HTH (Please rate if it does)

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

a.alekseev
Level 7

no access-list 100 permit ip 192.168.40.0 0.0.0.255 any

access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255

access-list 100 permit ip 192.168.40.0 0.0.0.255 any

no ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip route 0.0.0.0 0.0.0.0 X.X.X.129

purohit_810
Level 5

Why do you need a route-map?

Can you remove the route-map and check once?

In that case you have to change your NAT statement:

ip nat inside source static nat interface FastEthernet4 overload

Thanks,

Dharmesh Purohit

Hi All,

Thanks all for your replies.

My concerns were about my default route (using FastE instead of static IP) ...

I will try the above (or get my friend to try them) and let you know what happens.

Can someone also please take a look at the VPN connection (remote user access) and comment if it seems OK? (It worked OK with Cisco VPN Client but not the XP client when I was on the same cable as the router.)

Thanks all.

George

Don't use route-maps for NAT - it's a pain in the butt - use ACLs... You should also have an ACL applied to your outside interface.

If you don't tell the router that your VPN traffic should NOT go out through NAT - it will.

Here is what my NAT ACL looks like:

ip access-list extended NAT

deny ip 192.168.12.0 0.0.0.255 any !vpn client traffic

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.11.0 0.0.0.255 any

Hope this helps...

Cheers,

Josh
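
The first-match logic behind a.alekseev's reordered access-list 100 and Josh's NAT ACL, as an added example that is not part of any post in this thread: a small Python evaluator for the ACL lines quoted above, assuming each list is used as the NAT match list (permit means translate; deny or no match means leave untranslated). The function names and the destination address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>'; each side is 'any' or 'addr wildcard'."""
    tok = line.split("!")[0].split()           # drop a trailing '!' remark
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError(f"unsupported ACE: {line!r}")
    fields, rest = [], tok[2:]
    while rest:
        if rest[0] == "any":
            fields.append((0, 0xFFFFFFFF))     # all-ones wildcard: every bit is "don't care"
            rest = rest[1:]
        elif len(rest) >= 2:
            fields.append((_ip(rest[0]), _ip(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError(f"address without wildcard: {line!r}")
    if len(fields) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return tok[0], fields[0], fields[1]

def _match(addr, field):
    base, wildcard = field
    care = ~wildcard & 0xFFFFFFFF              # wildcard masks are inverted netmasks
    return (_ip(addr) & care) == (base & care)

def is_translated(acl, src, dst):
    """First matching entry decides; no match hits the implicit deny (no NAT)."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

# ACL lines as quoted in the thread
ACL_100_BEFORE = ["permit ip 192.168.40.0 0.0.0.255 any"]
ACL_100_AFTER = ["deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255",
                 "permit ip 192.168.40.0 0.0.0.255 any"]
JOSH_NAT = ["deny ip 192.168.12.0 0.0.0.255 any !vpn client traffic",
            "permit ip 192.168.10.0 0.0.0.255 any",
            "permit ip 192.168.11.0 0.0.0.255 any"]

if __name__ == "__main__":
    for name, acl in [("before", ACL_100_BEFORE), ("after", ACL_100_AFTER)]:
        print(name, is_translated(acl, "192.168.40.10", "192.168.40.200"))
```

Because the first match wins, the deny entry only has an effect when it sits above the broader permit, which is why a.alekseev removes and re-adds the permit line.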

Hi Josh,

I will take that onboard...

Meanwhile I haven't been able to try the above suggestions, but I will as soon as I find some time.

All the help here is appreciated!

Thanks,

George
