
Access to Internet.

Faizan Shaikh

There are two clients in our network who are connected to the ISP via a POP Router. There is something wrong in the config which is why only client1 is able to access the internet and not client 02.

Configs:

Client1 Router:

interface FastEthernet0/0

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface Serial0/0/0

ip address 10.20.0.2 255.255.255.252

ip nat outside

ip nat pool client01 10.30.0.6 10.30.0.14 netmask 255.255.255.240

ip nat inside source list natpool pool client01

ip classless

ip route 0.0.0.0 0.0.0.0 10.20.0.1

ip access-list extended natpool

permit ip any any

!

!

ip dhcp pool client01

network 192.168.0.0 255.255.255.0

default-router 192.168.0.1

dns-server 10.10.0.10

Client2 Router:

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface Serial0/0/0

ip address 10.20.0.6 255.255.255.252

ip nat outside

ip nat pool client02 10.30.0.20 10.30.0.30 netmask 255.255.255.240

ip nat inside source list natpool pool client02

ip classless

ip route 0.0.0.0 0.0.0.0 10.20.0.5

ip access-list extended natpool

permit ip any any

!

!

ip dhcp pool client02

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 10.10.0.10

ISP Router:

interface FastEthernet0/0

ip address 204.60.0.1 255.255.255.0

ip nat outside

interface Serial0/0/0

ip address 10.11.0.18 255.255.255.252

ip nat inside

router ospf 10

log-adjacency-changes

redistribute static subnets

network 10.11.0.16 0.0.0.3 area 0

default-information originate

ip nat pool natclient01 204.60.0.9 204.60.0.14 netmask 255.255.255.0

ip nat inside source list natclient01 pool natclient01 overload

ip classless

ip route 0.0.0.0 0.0.0.0 204.60.0.254

!

!

ip access-list extended natclient01

permit ip 10.30.0.0 0.0.0.15 any.

Please assist.

Regards,


Giuseppe Larosa

Hello Faizan,

on last router:

ip access-list extended natclient01

permit ip 10.30.0.0 0.0.0.15 any.

this doesn't match ip addresses of client2 that are in range 10.30.0.20 10.30.0.30

use

ip access-list extended natclient012

permit ip 10.30.0.0 0.0.0.31 any.

but what is the interface of client2 to isp router ?

it needs ip nat inside too

or there is another router in the middle collecting both access links ? I guess it is so.

Hope to help

Giuseppe
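The mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the thread: it applies IOS wildcard-mask matching to the pool ranges and ACL entries posted here; the function names are made up for illustration.

```python
import ipaddress

# Downstream NAT pools and the ISP router's ACL entries, as posted in the thread.
POOLS = {
    "client01": ("10.30.0.6", "10.30.0.14"),
    "client02": ("10.30.0.20", "10.30.0.30"),
}
ACL_AS_POSTED = [("10.30.0.0", "0.0.0.15")]
ACL_WIDENED = [("10.30.0.0", "0.0.0.31")]

def acl_matches(base, wildcard, addr):
    """IOS wildcard semantics: bits set in the wildcard are ignored when comparing."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def pool_range(first, last):
    """Every address in an 'ip nat pool' first..last range, inclusive."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

def unmatched(pools, acl):
    """Return {pool name: [addresses that no ACL entry matches]}; empty dict means full coverage."""
    missing = {}
    for name, (first, last) in pools.items():
        gaps = [a for a in pool_range(first, last)
                if not any(acl_matches(b, w, a) for b, w in acl)]
        if gaps:
            missing[name] = gaps
    return missing

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_AS_POSTED), ("widened", ACL_WIDENED)):
        print(label, unmatched(POOLS, acl))
```

Traffic sourced from an address listed as unmatched is not selected by the second NAT stage, so it leaves the ISP router untranslated.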

Giuseppe,

Thanks for your support :)

I've got it.

Client 01 also has an internal server that they would like internet users to be able to reach.

The public IP address to use for this is 204.60.0.3. What would be the command for it?

The server has been assigned the IP address 192.168.0.254

The public DNS has already been put in place for this on public DNS server 4.2.2.2 as www.client01.com

I've to make DNS entries so that internal users can reach it.

I've Use first available NAT in the reserved section of the NAT pool.

Kindly assist.

Regards.

A layer 3 switch connects the border router, DNS server (4.2.2.2) and a host.

The vlans on L3 switch are as follows:

interface Vlan1

ip address 204.10.0.254 255.255.255.0

!

interface Vlan2

ip address 4.2.2.254 255.255.255.0

!

interface Vlan60

ip address 204.60.0.254 255.255.255.0

!

interface Vlan70

ip address 204.70.0.1 255.255.255.0

Regards.

Hello ,

>>The public IP address to use for this is 204.60.0.3. What would be the command for it?

>>The server has been assigned the IP address 192.168.0.254

you are doing NAT at two different sections of the network.

So you need to do two static NATs

one for client1 to

one on the border router.

to work well you need to use a dedicated address that is not in the pools to avoid competition with dynamic NAT

the basic command is

ip nat inside source static local-addr global-addr

r1client1:

ip nat inside source static 192.168.0.254 10.30.0.5

isp router

ip nat inside source static 10.30.0.5 204.60.0.3

remember also to exclude ip address 192.68.0.254 from dhcp pool

use from global config:

r1client1:

ip dhcp excluded-address 192.198.0.1 192.168.0.254

Hope to help

Giuseppe
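The two-stage static NAT suggested above can be sanity-checked from the config text. This is an added example, not part of the thread: it parses the `ip nat pool` and `ip nat inside source static` lines quoted here, flags a static address that falls inside a dynamic pool, and follows the chain from the server to its public address. The function names are made up for illustration.

```python
import ipaddress
import re

# NAT lines taken from the thread: each router's pool plus the suggested static entry.
CLIENT1 = """\
ip nat pool client01 10.30.0.6 10.30.0.14 netmask 255.255.255.240
ip nat inside source static 192.168.0.254 10.30.0.5
"""
ISP = """\
ip nat pool natclient01 204.60.0.9 204.60.0.14 netmask 255.255.255.0
ip nat inside source static 10.30.0.5 204.60.0.3
"""

POOL_RE = re.compile(r"^\s*ip nat pool (\S+) (\S+) (\S+) netmask \S+", re.M)
STATIC_RE = re.compile(r"^\s*ip nat inside source static (\S+) (\S+)\s*$", re.M)

def parse_nat(config):
    """Return (pools, statics): pool name -> (first, last), inside local -> inside global."""
    ip = ipaddress.IPv4Address
    pools = {name: (ip(a), ip(b)) for name, a, b in POOL_RE.findall(config)}
    statics = {ip(local): ip(glob) for local, glob in STATIC_RE.findall(config)}
    return pools, statics

def static_pool_conflicts(config):
    """Static global addresses that also sit inside a dynamic pool on the same router."""
    pools, statics = parse_nat(config)
    return [(str(g), name) for g in statics.values()
            for name, (lo, hi) in pools.items() if lo <= g <= hi]

def public_address(inside_local, hops):
    """Follow the static entries router by router; None if any hop lacks an entry."""
    addr = ipaddress.IPv4Address(inside_local)
    for config in hops:
        _, statics = parse_nat(config)
        if addr not in statics:
            return None
        addr = statics[addr]
    return str(addr)

if __name__ == "__main__":
    print(static_pool_conflicts(CLIENT1), static_pool_conflicts(ISP))
    print(public_address("192.168.0.254", [CLIENT1, ISP]))
```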

Thanks for your support. I have made all the above changes.

I am still not able to ping the internal server from Internet user.

I am confused because the ISP router has a range of 204.60.0.0/24. I want to assign public IP 204.60.0.3 to the internal server connected to client01 router. How can I assign a public IP to the internal server from a pool of private IPs which have already been assigned to ISP router?

Please reply.

Regards.

Hello Faizan,

add the option reversible to both nat commands

because:

An initial session from inside-to-outside is required to trigger a NAT. New translation sessions can then be initiated from outside-to-inside to the inside host that triggered the initial translation.

see

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1074422

Hope to help

Giuseppe

Thank you for your assistance Giuseppe.

I have followed that link but still I'm not able to make out.

I have designed the network on CPT, and attached with this post for you to understand the scenario better.

Thanks.

Hello Faizan,

let's try to add two lines like

ip nat outside source static global-ip local-ip

to create the entries from the outside interface.

Use the same addresses used before but in reverse order in the two commands.

Hope to help

Giuseppe

None of the routers are accepting the ip nat outside source static global-ip local-ip command.

Hey Giuseppe,

Thank you very much for your help.

I have made all the changes successfully.

You have been really very helpful.

Best regards.

Hello Faizan,

nice news it is working, by the way, what is the combination of commands that is working ?

just to indicate the right solution.

Hope to help

Giuseppe

Hi Giuseppe,

The commands which you gave me were the ones which were required to make the change. It was simple yet tricky.

r1client1:

ip nat inside source static 192.168.0.254 10.30.0.5

isp router

ip nat inside source static 10.30.0.5 204.60.0.3

There was no need to put

ip dhcp excluded-address 192.198.0.1 192.168.0.254

Everything is working fine now and the user can now connect to server.

Thank you very much for your assistance!

The issue is completely resolved.

Regards.
