NAT, routing or ACL problem?

Unanswered Question
Nov 18th, 2008

Hi, I have configured a Cisco 871 router with the following configuration, but I have a problem, probably a NAT or routing problem.

VLAN10 (DMZ) works fine and I can connect to my servers with the public IPs assigned by my ISP. The servers can see the internet.

VLAN1 (private LAN) doesn't work very well: I can ping my internal LAN gateway (10.10.1.1) and my servers with public IPs (on VLAN10), but I can't see the internet.

Can someone help me resolve this problem?

Public IP subnet assigned by the provider (VLAN10)
Subnet: xxx.yyy.zzz.248
Router IP: xxx.yyy.zzz.249
Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254
Broadcast: xxx.yyy.zzz.255
Netmask: 255.255.255.248

LAN subnet (VLAN1)
Subnet: 10.10.1.0
Gateway: 10.10.1.1
Netmask: 255.255.255.0

My router config (see attachment)

John Blakley Tue, 11/25/2008 - 07:33

You can try to move NAT from dial0 to vlan 10.

int dial0
no ip nat out
int vlan10
ip nat out

You'll also need to change:

ip nat inside source list 101 interface Dialer0 overload

to

ip nat inside source list 101 interface Vlan10 overload

See if that works, but I'm not sure it will.

John

ideanet77 Wed, 12/03/2008 - 10:53

Hi John,

this configuration doesn't work.

This configuration breaks the DMZ (VLAN10) and the LAN doesn't work...

jpoplawski Wed, 12/03/2008 - 09:17

Everything looks good; however, the one thing I can see is that you are using the same ACL for your NAT and your access-group...

ip access-group 101 in
ip access-group 102 out

I would take the 102 line out altogether, and the 101 line would be locked down according to your needs, i.e. TCP 25, 80, etc. Right now it looks like your DMZ is wide open.

As for the NAT issue: write mem, reload and see if it's resolved. Also try show ip nat trans and show ip nat stat and post your results.

Hope this helps, rate if it does,

JB

ideanet77 Wed, 12/03/2008 - 10:51

Hi JB,

thank you for your reply.

I don't speak English very well and I haven't understood what you mean... can you give me an example please?

Thanks

Luca

ideanet77 Wed, 12/03/2008 - 11:27

Maybe I need to invert the in and out access-lists?

interface Dialer0
ip unnumbered Vlan10
ip access-group 101 in
ip access-group 102 out
...
ip nat inside source list 102 interface Dialer0 overload
...
access-list 101 permit ip any any
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

ideanet77 Wed, 12/03/2008 - 12:28

Hi JB,

I have changed the following settings

ip nat inside source list 103 interface Dialer0 overload
!
!
access-list 101 remark *** ACL INBOUND DAILER0***
access-list 101 permit ip any any
access-list 102 remark *** ACL OUTBOUND DAILER0***
access-list 102 permit ip any any
access-list 103 remark *** ACL FOR NAT***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

without any success!

From VLAN10 I can see the internet, but not from the natted VLAN1...

P.S.: I know that the inbound is wide open, but before closing all unused ports, I want to see that the router works fine...

ideanet77 Wed, 12/03/2008 - 12:31

Sorry, I forgot to post the results.

#show ip nat trans
-> no results!

#show ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Dialer0, Virtual-Access1
Inside interfaces:
Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 4
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 103 interface Dialer0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

jpoplawski Thu, 12/04/2008 - 07:30

Here are a couple of things you could try.

1) On Dialer 0 remove the access-groups

conf t
int dialer 0
no ip access-group 101 in
no ip access-group 102 out

2) Try adding ip nat outside to int vlan 10

conf t
int vlan 10
ip nat outside

I think what's going on has to do with the ip unnumbered command on the dialer interface. The dialer is being told to use the IP of VLAN10, and to NAT for it as well. See if that works; I'm assuming #2 fixes the problem and #1 is just unnecessary configuration.

Hope this helps, rate if it does.

JB

ideanet77 Thu, 12/04/2008 - 07:43

Hi JB, today I resolved the issue.

I have simply changed

ip nat inside source list 103 interface Dialer0 overload

to

ip nat inside source list 103 interface Vlan10 overload

Now my router works fine!

It's the moment to apply some ACLs :-)

Thank you for your help.
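A small configuration check, added here as an example (it is not the poster's attachment nor a Cisco tool), that flags the two points this thread turned on: the NAT overload interface being an ip unnumbered dialer, and a permit ip any any inbound ACL on an outside interface. The IOS fragments are constructed from the interface names, ACL numbers and 10.10.1.0/24 LAN quoted above; the host address xxx.yyy.zzz.250 in the narrowed ACL is an assumed example.

```python
import re

# Constructed IOS fragment modelled on the thread's posts; xxx.yyy.zzz = ISP public /29.
BROKEN = """\
interface Vlan1
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
interface Vlan10
 ip address xxx.yyy.zzz.249 255.255.255.248
interface Dialer0
 ip unnumbered Vlan10
 ip nat outside
 ip access-group 101 in
ip nat inside source list 103 interface Dialer0 overload
access-list 101 permit ip any any
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
"""
# Working state: overload on addressed Vlan10 (final post), Vlan10 marked outside, edge ACL narrowed.
FIXED = (BROKEN.replace("interface Dialer0 overload", "interface Vlan10 overload")
         .replace("interface Vlan10\n", "interface Vlan10\n ip nat outside\n")
         .replace("101 permit ip any any", "101 permit tcp any host xxx.yyy.zzz.250 eq 80"))

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented sub-commands.
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur:
            ifaces[cur].append(line.strip())
        else:
            cur = None
    return ifaces

def check_nat(config):
    """Return findings about the NAT overload interface and the inbound edge ACL."""
    ifaces = parse_interfaces(config)
    acl, oif = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload",
                         config, re.M).groups()
    out = []
    if "ip nat outside" not in ifaces.get(oif, []):
        out.append(f"overload interface {oif} is not marked 'ip nat outside'")
    if any(s.startswith("ip unnumbered") for s in ifaces.get(oif, [])):
        out.append(f"overload interface {oif} is ip unnumbered; overload on the addressed interface instead")
    for name, subs in ifaces.items():
        for m in (re.match(r"ip access-group (\S+) in", s) for s in subs):
            if m and "ip nat outside" in subs and f"access-list {m[1]} permit ip any any" in config.splitlines():
                out.append(f"inbound ACL {m[1]} on {name} permits ip any any (edge wide open)")
    return out
```

Running check_nat on BROKEN reports the unnumbered dialer and the wide-open ACL 101; on FIXED it reports nothing.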
