08-31-2015 06:36 PM - edited 03-08-2019 01:35 AM
Hi,
I have a problem with the configuration on my router. My ISP provider just gave me the public IP and I already configured it on my router, and I can ping both outside (websites) and internal IPs (local IP), but the problem is that if I deploy it on my network, my client PCs won't get through to the internet.
Network: 10.21.93.27.36/29
Netmask: 255.255.255.248 = 29
Wildcard: 0.0.0.7
Gateway: 10.21.93.27.37
IP range: 10.21.93.27.38 - 10.21.93.27.42
And below is my router config:
interface FastEthernet0/0
description INTERNET
ip address 10.21.93.38 255.255.255.248
ip access-group 100 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address 192.168.1.2 255.255.255.192
ip access-group 100 in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip default-gateway 10.21.93.37
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.2.0 255.255.255.0 FastEthernet0/1
!
!
no ip http server
no ip http secure-server
ip nat pool mypool 10.21.93.38 10.21.93.38 prefix-length 29
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.2.0 0.0.0.255 any eq www
access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq telnet
access-list 100 permit icmp 192.168.1.0 0.0.0.255 any echo
snmp-server community public RO
!
thanks
dudz
09-01-2015 01:16 AM
Hi Dudz,
Looks like your access-group on fa0/0 will be dropping all your traffic. The packet path on IOS is:
* The inbound ACL of the input interface is applied
* The NAT inbound is applied
* The NAT outbound is applied
* The outbound ACL of the output interface is applied
* Advanced firewall inspection processing occurs
* The IP packet goes through the output interface
If you want an ACL to be applied for outgoing NAT'd traffic then you'll need a new ACL which has a source address of the Inside-Global address (10.21.93.38).
To confirm this, add the following ACL entry:
!
ip access-list extended 100
deny ip any any log
!
...check your logging to confirm if your internal network traffic is being dropped on fa0/0.
cheers,
Seb.
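The packet path from the answer above, applied to the ACL 100 entries from the question, as an added Python sketch that is not part of the original thread. The client address 192.168.1.10 and the `ACL_POST_NAT` list are constructed for illustration, and routing and the ICMP type check are not modelled.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

# ACL 100 as posted in the question: (protocol, source, wildcard, destination port)
ACL_100 = [
    ("tcp", "192.168.1.0", "0.0.0.255", 80),     # eq www
    ("tcp", "192.168.2.0", "0.0.0.255", 80),     # eq www
    ("tcp", "192.168.1.0", "0.0.0.255", 23),     # eq telnet
    ("icmp", "192.168.1.0", "0.0.0.255", None),  # echo (type not modelled)
]
# Hypothetical outbound ACL keyed on the inside-global address, as the answer suggests
ACL_POST_NAT = [("tcp", "10.21.93.38", "0.0.0.0", 80)]
INSIDE_GLOBAL = "10.21.93.38"  # Fa0/0 address used by the overload NAT rule

def acl_permits(acl, proto, src, dport):
    """First match wins; falling off the end is the implicit deny."""
    for a_proto, base, wc, a_port in acl:
        if a_proto == proto and wildcard_match(src, base, wc) and a_port in (None, dport):
            return True
    return False

def forward(src, proto, dport, outbound_acl):
    """Walk an inside-to-outside packet through the stages in the order the answer lists."""
    if not acl_permits(ACL_100, proto, src, dport):       # inbound ACL on Fa0/1
        return "dropped by inbound ACL on Fa0/1"
    src = INSIDE_GLOBAL                                   # NAT overload rewrites the source
    if not acl_permits(outbound_acl, proto, src, dport):  # outbound ACL on Fa0/0
        return f"dropped by outbound ACL on Fa0/0 (source now {src})"
    return f"forwarded with source {src}"

if __name__ == "__main__":
    client = "192.168.1.10"  # constructed sample host on the LAN
    print(forward(client, "tcp", 80, ACL_100))       # same ACL on both interfaces
    print(forward(client, "tcp", 80, ACL_POST_NAT))  # outbound ACL matches translated source
```

With ACL 100 on both interfaces the translated source no longer matches any 192.168.x.x entry, so the packet falls through to the implicit deny on Fa0/0.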