Hello, I want to configure a routerfirewall with two FastEthernet interfaces between my LAN and a Prolan.
Lan-----Routerfirewall----RouterProlan------Partners' networks 192.168.x.0 / Roaming users
I have configured only the routing and NAT, without filtering, but it doesn't work.
I can ping only the 192.168.51.0 network, but no other networks (partners) via the Prolan. And roaming users cannot access the LAN.
It's a 1721 router with a Cisco 4-port 10/100BASE-T Fast Ethernet Switch WAN Interface Card (WIC-4ESW).
I think there is a problem with the NAT.
Please post clearer setup details.
ip nat inside source list 101 pool overlag overload
access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.51.0 0.0.0.255
As of now, I can see that you are doing NAT only when you try to access 192.168.51.0/24.
Hence, if you try to access any other network, your traffic will not get NATted and will go via the default gateway 10.166.50.1 with the original source IP.
The static NAT and the overload NAT addresses are in the network range 10.0.172.0/24.
Hence ensure that you have a proper route in "routerprolan" to route this subnet to your "routerfirewall".
In routerprolan, you should have a route like this:
ip route 10.0.172.0 255.255.255.0 10.166.50.2
For the other static NAT IPs, also ensure that you have proper return routes.
Also ensure that in your router you are able to see the routes (via OSPF) for the destination partner networks 192.168.11.0/24, 192.168.253.0/24 and 192.168.52.0/24.
Ensure that the return routes for your NATted IPs are present in the partner routers as well.
Hi, thanks for your response.
In fact, all the routes are in the Prolan router and the partner router. There is already a Linux router, and everything works fine; actually I am trying to replace this Linux router with the Cisco routerfirewall. So I think the routes are good.
Your access-list 101 statement only includes access to the network you can currently get to. It seems you are NATing this traffic for some reason. I assume you would have to do the same for all of the other networks. Add access-list entries for all of the other networks:
access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 10.166.0.0 0.0.255.255 192.168.52.0 0.0.0.255
Kindly check the Visio diagram. There is no problem with ACL 101; that ACL is serving one particular remote site, not the others. For the others, they are doing static NAT for reachability.
I made a mistake on the Visio: the IP address of the LAN-connected interface is 10.166.11.29 and not 10.166.11.22.
Also, the OSPF routes to the partner networks 192.168.x.x are present and good.
Habbas, could you please double-confirm that it worked when using the Linux server before, with the same IP address assignment?
VLAN 1 is 10.166.11.29/22, and that is not the same subnet as some users (10.166.52.x) behind the LAN. How do those users access the remote side?
Should the NAT be carried out at routerprolan instead of routerfirewall?
Please clarify. Thx.
Hi Jack, yes, I confirm that with the Linux router it works with no problem; this is the router in production. All we are trying to do is unplug and replug the network cables from the Linux to the Cisco router; we are using the same IP address.
The other subnets are agency networks linked by another router. The network 10.166.8.0/22 is the head office.
The Prolan router is an ISP's router; we cannot configure it. It's an IP/MPLS Prolan package that comes with the routers.
Thanks for the clarification. I believe the config in routerfirewall is fine.
Did you check the config in routerprolan to ensure there are routes for the return path of the other three sites?
Can you get the routing table of routerprolan and the three non-working sites? Thx.
I am sorry, we cannot see the routes in routerprolan because it belongs to the ISP and we do not have the password to connect to the router.
But we know the return routes in the Prolan router are good, because with the Linux router in place of routerfirewall it works fine; that is what we have been using for several months without any problem.
Thanks a lot.
It is fine. I found the traceroute is carried from the router prolan, but according to the original config there is no such static route.
Could you post the updated config and confirm there is a static route pointing to 10.166.50.2 as the gateway for the return path?
Moreover, since you have the default route pointing to 10.166.50.1 as next hop, there is no need to set a static route for 192.168.11.0/24 unless you learn it somewhere.
Could you provide the traceroute from the remote side (or a remote PC) instead of from the local router? Thx.