natting, routing or acl problem ?

ideanet77
Level 1

Hi, I have configured a Cisco 871 router with the following configuration,

but I have a problem, probably a natting or routing problem.

VLAN10 (DMZ) works fine and I can connect to my servers using the public IPs assigned by my ISP. The servers can see the Internet.

VLAN1 (private LAN) doesn't work very well: I can ping my internal LAN gateway (10.10.1.1) and my servers with public IPs (on VLAN10), but I can't see the Internet.

Can someone help me resolve this problem?

Subnet public IP assigned by provider (VLAN10)

Subnet: xxx.yyy.zzz.248

Router IP: xxx.yyy.zzz.249

Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254

Broadcast: xxx.yyy.zzz.255

Netmask: 255.255.255.248

Subnet LAN (VLAN1)

Subnet: 10.10.1.0

Gateway: 10.10.1.1

Netmask: 255.255.255.0

My router config (see attachment)

9 Replies

John Blakley
VIP Alumni

You can try to move NAT to VLAN 10 from dial0.

int dial0
no ip nat out
int vlan10
ip nat out

You'll also need to change:

ip nat inside source list 101 interface Dialer0 overload

to

ip nat inside source list 101 interface Vlan10 overload

See if that works, but I'm not sure it will.

John

HTH, John *** Please rate all useful posts ***

Hi John,

This configuration doesn't work.

This configuration breaks the DMZ (VLAN10), and the LAN doesn't work...

jpoplawski
Level 1

Everything looks good; however, the one thing I can see is that you are using the same ACL for your NAT and your access-group...

ip access-group 101 in
ip access-group 102 out

I would take the 102 line out altogether, and the 101 line would be locked down according to your needs, i.e. TCP 25, 80, etc. Right now it looks like your DMZ is wide open.

As for the NAT issue: write mem, reload and see if it's resolved. Also try show ip nat trans and show ip nat stat and post your results.

Hope this helps, rate if it does,

JB

Hi JB,

thank you for your reply.

I don't speak English very well and I haven't understood what you mean... can you give me an example please?

Thanks

Luca

Maybe I need to invert the in and out access-lists?

interface Dialer0
ip unnumbered Vlan10
ip access-group 101 in
ip access-group 102 out
...
ip nat inside source list 102 interface Dialer0 overload
...
access-list 101 permit ip any any
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

Hi JB,

I have changed the following settings:

ip nat inside source list 103 interface Dialer0 overload
!
!
access-list 101 remark *** ACL INBOUND DAILER0***
access-list 101 permit ip any any
access-list 102 remark *** ACL OUTBOUND DAILER0***
access-list 102 permit ip any any
access-list 103 remark *** ACL FOR NAT***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

without any success!

From VLAN10 I can see the Internet, but not from the NATted VLAN1...

P.S.: I know that the inbound is wide open, but before closing all unused ports, I want to see that the router works fine...

Sorry, I forgot to post the results.

#show ip nat trans

-> no results!

#show ip nat stat

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Dialer0, Virtual-Access1
Inside interfaces:
  Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 4
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 103 interface Dialer0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Here are a couple of things you could try.

1) On Dialer 0 remove the access-groups

conf t
int dialer 0
no ip access-group 101 in
no ip access-group 102 out

2) Try adding ip nat outside to int vlan 10

conf t
int vlan 10
ip nat outside

I think what's going on has to do with the ip unnumbered command on the dialer interface. The dialer is being told to use the IP of VLAN10, and to NAT for it as well. See if that works; I'm assuming #2 fixes the problem and #1 is just unnecessary configuration.

Hope this helps, rate if it does.

JB

Hi JB, today I have resolved the issue.

I have simply changed from

ip nat inside source list 103 interface Dialer0 overload

to

ip nat inside source list 103 interface Vlan10 overload

Now my router works fine!

Now it's time to apply some ACLs :-)

Thank you for your help.
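Putting the thread's NAT fix together with JB's point about the wide-open inbound ACL, as an added example that is not the OP's posted configuration: the public /29 keeps the question's xxx.yyy.zzz.248 placeholder, and the published DMZ services (TCP 25 and 80), the DNS/ICMP return entries and the anti-spoofing line are assumptions to be adjusted to the real DMZ.

```cisco
! Added example, not the OP's config. Placeholders: xxx.yyy.zzz.248/29 as in the question.
interface Vlan1
 description Private LAN (NAT inside)
 ip address 10.10.1.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 description DMZ with public addresses
 ip address xxx.yyy.zzz.249 255.255.255.248
!
interface Dialer0
 ip unnumbered Vlan10
 ip nat outside
 ip access-group 101 in
 ! no outbound access-group, as JB suggested
!
! PAT for VLAN1 borrows the Vlan10 address: Dialer0 has no address of its
! own because of "ip unnumbered", which is why "interface Dialer0 overload"
! produced zero translations in the thread.
ip nat inside source list 103 interface Vlan10 overload
access-list 103 remark *** ACL FOR NAT ***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
!
! Inbound on Dialer0, replacing "permit ip any any". Inbound ACLs on the
! outside interface are checked before NAT, so destinations are the public /29
! (wildcard 0.0.0.7 = mask 255.255.255.248).
access-list 101 remark *** ACL INBOUND DIALER0 ***
! Drop packets from the Internet that claim the private LAN as source
access-list 101 deny   ip 10.10.1.0 0.0.0.255 any log
! Published DMZ services only (assumed: SMTP and HTTP)
access-list 101 permit tcp any xxx.yyy.zzz.248 0.0.0.7 eq 25
access-list 101 permit tcp any xxx.yyy.zzz.248 0.0.0.7 eq 80
! Replies to TCP sessions opened from the DMZ or from PATed VLAN1 hosts
access-list 101 permit tcp any xxx.yyy.zzz.248 0.0.0.7 established
! Replies for DNS lookups and pings originated from inside
access-list 101 permit udp any eq 53 xxx.yyy.zzz.248 0.0.0.7
access-list 101 permit icmp any xxx.yyy.zzz.248 0.0.0.7 echo-reply
! Everything else is dropped and logged (verify with "show access-lists 101")
access-list 101 deny   ip any any log
```

The `established` and UDP-53 entries are a stateless approximation; on an 871 the stateful way to admit return traffic is CBAC (`ip inspect name ... tcp/udp` applied outbound on Dialer0), which lets the inbound ACL shrink to the published services alone.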
