11-18-2008 11:14 AM
Hi, I have configured a Cisco 871 router with the following configuration,
but I have a problem, probably a NAT or routing problem.
VLAN10 (DMZ) works fine: I can connect to my servers with the public IPs assigned by my ISP, and the servers can see the Internet.
VLAN1 (private LAN) doesn't work very well: I can ping my internal LAN gateway (10.10.1.1) and my servers with public IPs (on VLAN10), but I can't see the Internet.
Can someone help me resolve this problem?
Public IP subnet assigned by provider (VLAN10)
Subnet: xxx.yyy.zzz.248
Router IP: xxx.yyy.zzz.249
Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254
Broadcast: xxx.yyy.zzz.255
Netmask: 255.255.255.248
LAN subnet (VLAN1)
Subnet: 10.10.1.0
Gateway: 10.10.1.1
Netmask: 255.255.255.0
My router config (see attachment)
11-25-2008 07:33 AM
You can try to move NAT from Dialer0 to Vlan10.
interface Dialer0
no ip nat outside
interface Vlan10
ip nat outside
You'll also need to change:
ip nat inside source list 101 interface Dialer0 overload
to
ip nat inside source list 101 interface Vlan10 overload
See if that works, but I'm not sure it will.
John
12-03-2008 10:53 AM
Hi John,
this configuration doesn't work.
This configuration breaks the DMZ (VLAN10), and the LAN doesn't work...
12-03-2008 09:17 AM
Everything looks good; however, the one thing I can see is that you are using the same ACL for your NAT and your access-group...
ip access-group 101 in
ip access-group 102 out
I would take the 102 line out altogether, and the 101 line would be locked down according to your needs, i.e. TCP 25, 80, etc. Right now it looks like your DMZ is wide open.
As for the NAT issue: write mem, reload, and see if it's resolved. Also try show ip nat trans and show ip nat stat and post your results.
Hope this helps, rate if it does,
JB
12-03-2008 10:51 AM
Hi JB,
thank you for your reply.
I don't speak English very well and I haven't understood what you mean... can you give me an example please?
Thanks
Luca
12-03-2008 11:27 AM
Maybe I need to invert the in and out access-lists?
interface Dialer0
ip unnumbered Vlan10
ip access-group 101 in
ip access-group 102 out
...
ip nat inside source list 102 interface Dialer0 overload
...
access-list 101 permit ip any any
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
12-03-2008 12:28 PM
Hi JB,
I have changed the following settings
ip nat inside source list 103 interface Dialer0 overload
!
!
access-list 101 remark *** ACL INBOUND DIALER0 ***
access-list 101 permit ip any any
access-list 102 remark *** ACL OUTBOUND DIALER0 ***
access-list 102 permit ip any any
access-list 103 remark *** ACL FOR NAT***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
without any success!
From VLAN10 I can see the Internet, but not from the NATted VLAN1...
P.S.: I know that inbound is wide open, but before closing all unused ports, I want to see that the router works fine...
12-03-2008 12:31 PM
Sorry, I forgot to post the results.
#show ip nat trans
-> no results!
#show ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
Dialer0, Virtual-Access1
Inside interfaces:
Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 4
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 103 interface Dialer0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
12-04-2008 07:30 AM
Here are a couple of things you could try.
1) On Dialer 0 remove the access-groups
conf t
int dialer 0
no ip access-group 101 in
no ip access-group 102 out
2) Try adding ip nat outside to int vlan 10
conf t
int vlan 10
ip nat outside
I think what's going on has to do with the ip unnumbered command on the dialer interface. The dialer is being told to use the IP of VLAN10, and to NAT for it as well. See if that works; I'm assuming #2 fixes the problem and #1 is just unnecessary configuration.
Hope this helps, rate if it does.
JB
12-04-2008 07:43 AM
Hi JB, today I resolved the issue.
I have simply changed from
ip nat inside source list 103 interface Dialer0 overload
to
ip nat inside source list 103 interface Vlan10 overload
Now my router works fine!
Now it's time to apply some ACLs :-)
Thank you for your help.
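A worked example of where the thread ended up, added here as an illustration and not posted by Luca, John or JB: the NAT statement that fixed the problem (overload on Vlan10, with ip nat outside left on Dialer0 as in the show ip nat stat output, since moving it to Vlan10 broke the DMZ), combined with the locked-down inbound ACL that JB recommended earlier in the thread. Public addresses keep the thread's xxx.yyy.zzz placeholders. The DMZ host-to-service mapping (.250 for SMTP, .251 for HTTP), the ACL name DIALER0-IN, and the CBAC inspection rule FW-OUT are assumptions for the example; the original router config was only posted as an attachment, so the remaining Dialer0/PPP settings are not reproduced.

```cisco
! Added example, not the original attachment. Placeholders and the
! host/service mapping are assumptions (see lead-in).
! ip inspect (CBAC) requires an IOS image with the firewall feature set.

! Stateful inspection: sessions started from VLAN1 or the DMZ toward
! the Internet open temporary return paths, so the inbound ACL on
! Dialer0 can stay tight without breaking NAT overload replies.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp

interface Vlan1
 description private LAN
 ip address 10.10.1.1 255.255.255.0
 ip nat inside

interface Vlan10
 description DMZ, ISP public /29 (no ip nat outside here: that broke the DMZ)
 ip address xxx.yyy.zzz.249 255.255.255.248

interface Dialer0
 ip unnumbered Vlan10
 ip nat outside
 ip access-group DIALER0-IN in
 ip inspect FW-OUT out
 ! no outbound access-group, as JB suggested; remaining PPP/dialer
 ! settings unchanged from the original attachment

! The change that fixed VLAN1: overload on Vlan10, which owns the
! address, instead of the unnumbered Dialer0
ip nat inside source list 103 interface Vlan10 overload
access-list 103 remark *** ACL FOR NAT ***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any

! Inbound on Dialer0: only the published DMZ services are reachable.
! Return traffic for NATted VLAN1 sessions is admitted by FW-OUT,
! not by these lines.
ip access-list extended DIALER0-IN
 remark *** ACL INBOUND DIALER0 (locked down) ***
 permit tcp any host xxx.yyy.zzz.250 eq smtp
 permit tcp any host xxx.yyy.zzz.251 eq www
 permit icmp any xxx.yyy.zzz.248 0.0.0.7 unreachable
 permit icmp any xxx.yyy.zzz.248 0.0.0.7 time-exceeded
 deny   ip any any log
```

Two points worth checking after applying something like this. First, an inbound ACL on Dialer0 is evaluated before outside-to-inside NAT translation, so replies to VLAN1 hosts arrive addressed to xxx.yyy.zzz.249; without the inspect rule (or at least a permit tcp ... established line), a tightened ACL silently breaks exactly the VLAN1 traffic this thread was about, and show ip nat translations would again show sessions with no returning packets. Second, keep the ICMP unreachable and time-exceeded entries: dropping them breaks path MTU discovery across the PPP link and traceroute into the DMZ, which is a common side effect of "deny ip any any" cleanups.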