11-12-2008 11:14 AM
Hi, I have the following situation:
_ VDSL 20'000/1'000 internet connection
_ VDSL bridge (zyxel P-870M)
_ router Cisco 871 (Advanced IP Services)
Assigned subnet from ISP
Subnet: xxx.yyy.zzz.248
Router IP: xxx.yyy.zzz.249
Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254
Broadcast: xxx.yyy.zzz.255
Netmask: 255.255.255.248
dns 1: 212.90.199.2
dns 2: 212.90.192.190
Subnet internal LAN
Subnet: 10.10.1.0
Gateway: 10.10.1.1
Netmask: 255.255.255.0
Target:
_ configure the WAN port (Dialer0 on FE4) of the Cisco 871 for PPPoE negotiation and configure IP unnumbered to the VLAN of the DMZ port (VLAN10, see the following config)
_ configure the DMZ (FE3) with the first public IP (xxx.yyy.zzz.249) assigned to VLAN10, so that some servers can be connected directly using the other public IPs assigned by the provider (xxx.yyy.zzz.250 .. xxx.yyy.zzz.254)
_ configure FE0/FE1/FE2 for the internal LAN (10.10.1.0/24), NATed to the Dialer port.
_ configure DHCP server for the LAN port (FE0/FE1/FE2) for the range 10.10.1.60-10.10.1.99
_ configure an ACL to enable full access from LAN to DMZ
_ configure an ACL to enable full access from LAN to WAN
This is my configuration, but I can't find out why it doesn't work. Can anyone help me?
Thank you
Luca
********************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <REMOVED>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 <REMOVED>
!
no aaa new-model
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.1.1 10.10.1.59
ip dhcp excluded-address 10.10.1.100 10.10.1.254
!
ip dhcp pool VLAN1
   import all
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   domain-name <REMOVED>
   dns-server 212.90.199.2 212.90.192.190
   lease 0 2
!
!
no ip domain lookup
no ip bootp server
ip domain name <REMOVED>
ip name-server 212.90.199.2
ip name-server 212.90.192.190
!
multilink bundle-name authenticated
!
!
username <REMOVED> privilege 15 secret 5 <REMOVED>
!
!
archive
 log config
  hidekeys
!
!
interface FastEthernet0
 no shutdown
!
interface FastEthernet1
 no shutdown
!
interface FastEthernet2
 no shutdown
!
interface FastEthernet3
 description DMZ port
 switchport access vlan 10
 no shutdown
!
interface FastEthernet4
 description WAN port
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 no shutdown
!
interface Vlan1
 description Local Area Network
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description DMZ Network
 ip address xxx.yyy.zzz.249 255.255.255.248
!
interface Dialer0
 description WAN Interface
 ip unnumbered Vlan10
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <REMOVED>
 ppp chap password 7 <REMOVED>
!
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface Dialer0 overload
!
access-list 101 remark *** NAT overload ***
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175101
ntp server 212.90.197.226
end
11-13-2008 01:57 PM
OK, I have changed the config.
Now I have some problems getting out of my LAN (VLAN1).
I can ping my LAN gateway (10.10.1.1), but no other external IP. The DMZ (VLAN10) works fine...
Can anyone help me? Thanks, Luca
My configuration:
version 12.4
no parser cache
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
logging userinfo
logging buffered 32000 informational
logging console informational
logging monitor informational
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login admin local
!
!
aaa session-id common
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.1.1 10.10.1.59
ip dhcp excluded-address 10.10.1.100 10.10.1.254
!
ip dhcp pool VLAN1
   import all
   network 10.10.1.0 255.255.255.0
   default-router 10.10.1.1
   domain-name
   dns-server 212.90.199.2 212.90.192.190
   lease 0 2
!
!
no ip bootp server
no ip domain lookup
ip domain name
ip name-server 212.90.199.2
ip name-server 212.90.192.190
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 tcp
login block-for 60 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
!
!
username
!
no crypto isakmp enable
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 1
ip ssh version 2
!
!
!
interface FastEthernet0
 no cdp enable
!
interface FastEthernet1
 no cdp enable
!
interface FastEthernet2
 no cdp enable
!
interface FastEthernet3
 description DMZ port
 switchport access vlan 10
 no cdp enable
!
interface FastEthernet4
 description WAN port
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description Local Area Network
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description DMZ Network
 ip address xxx.yyy.zzz.249 255.255.255.248
 no ip proxy-arp
 no ip mroute-cache
 ntp broadcast
 hold-queue 100 out
!
interface Dialer0
 ip unnumbered Vlan10
 ip access-group 101 in
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password 7
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner motd ^CC
This is machine name. Unauthorised access to this
machine is strictly prohibited. Please disconnect now unless
you have received prior authorisation for use. The systems
administrator is your name on Your phone number.
^C
!
line con 0
 login authentication admin
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 5 0
 login authentication admin
 transport input ssh
!
scheduler max-task-time 5000
ntp logging
ntp clock-period 17179869
ntp source Dialer0
ntp peer 212.90.197.226 prefer
end
06-02-2010 01:23 PM
I'm sure this issue is long resolved, but it looks like you don't have a NAT overload statement and corresponding NAT INSIDE commands.
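The two configs in this thread fail for complementary reasons: the first one has the `ip nat inside source list ... overload` statement but no `ip nat outside` on Dialer0, and the second one has `ip nat outside` but the overload statement is gone (ACL 101 was reused as an inbound interface filter). The script below is an added example, not code from the thread or from Cisco: a small `show run` parser with a check of the PAT wiring, run over constructed excerpts that keep only the NAT-relevant lines of the two posted configs, plus a third excerpt with the two missing lines added back. ACL number 110 in that third excerpt is an assumption chosen so the NAT match list does not collide with ACL 101, which the second config already uses as an interface filter. The check also flags an inbound `permit ip any any` on the outside interface, which does no filtering; with `ip inspect DEFAULT100 out` on Dialer0, return traffic is admitted by the inspection state, so that static list can be limited to the services the DMZ hosts actually publish.

```python
import re
from typing import Dict, List

# Constructed excerpts modelled on the two running-configs posted above.
# Only the NAT-relevant lines are kept; the public prefix stays masked as
# xxx.yyy.zzz exactly as in the original posts.
FIRST_POST = """\
interface Vlan1
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 ip address xxx.yyy.zzz.249 255.255.255.248
!
interface Dialer0
 ip unnumbered Vlan10
 encapsulation ppp
 dialer pool 1
!
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
"""

SECOND_POST = """\
interface Vlan1
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 ip address xxx.yyy.zzz.249 255.255.255.248
!
interface Dialer0
 ip unnumbered Vlan10
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 ip inspect DEFAULT100 out
!
access-list 101 permit ip any any
access-list 102 permit ip any any
"""

# Second config plus the lines the last reply says are missing. ACL 110 is a
# constructed number (assumption): any list not already bound to an interface
# would do; 101 is taken by the inbound filter on Dialer0.
FIXED = SECOND_POST + """\
ip nat inside source list 110 interface Dialer0 overload
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
"""

NAT_STMT = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload")


def parse_config(text: str) -> Dict[str, List[str]]:
    """Split 'show run' text into {'global': [...], 'Vlan1': [...], ...}.

    Interface sub-commands are recognised by their leading space; a bare '!'
    or any other non-indented line closes the current interface block.
    """
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            current = "global"
            continue
        if line.startswith(" "):
            sections.setdefault(current, []).append(line.strip())
        elif line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def check_pat(config: str) -> List[str]:
    """Return findings about the NAT overload (PAT) wiring of a config."""
    s = parse_config(config)
    glob = s["global"]
    findings: List[str] = []
    inside = [n for n, lines in s.items() if n != "global" and "ip nat inside" in lines]
    outside = [n for n, lines in s.items() if n != "global" and "ip nat outside" in lines]
    stmts = [m for m in (NAT_STMT.fullmatch(l) for l in glob) if m]

    if not inside:
        findings.append("no interface carries 'ip nat inside'")
    if not outside:
        findings.append("no interface carries 'ip nat outside'")
    if not stmts:
        findings.append("no 'ip nat inside source list ... overload' statement: inside hosts are never translated")

    for m in stmts:
        acl, ifname = m.group(1), m.group(2)
        if ifname not in outside:
            findings.append(f"NAT statement uses {ifname} but that interface lacks 'ip nat outside'")
        acl_lines = [l for l in glob if l.startswith(f"access-list {acl} permit")]
        if not acl_lines:
            findings.append(f"access-list {acl} referenced by NAT has no permit entries")
        elif any(l.endswith("permit ip any any") for l in acl_lines):
            findings.append(f"access-list {acl} matches everything: DMZ traffic would be translated as well")

    # An inbound 'permit ip any any' on the outside interface filters nothing.
    for ifname in outside:
        for line in s[ifname]:
            m = re.fullmatch(r"ip access-group (\S+) in", line)
            if m and f"access-list {m.group(1)} permit ip any any" in glob:
                findings.append(f"inbound access-list {m.group(1)} on {ifname} is 'permit ip any any' and filters nothing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("first post", FIRST_POST), ("second post", SECOND_POST), ("with NAT lines", FIXED)):
        print(f"== {label} ==")
        for f in check_pat(cfg) or ["no findings"]:
            print(" -", f)
```

Running it reports the missing `ip nat outside` for the first excerpt, the missing overload statement for the second, and only the unfiltered inbound list for the third, which matches the diagnosis in the reply above. The parser is deliberately minimal (it only understands the interface/global split that `show run` produces), so it is a starting point for a config lint rather than a general IOS parser.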