03-18-2006 09:46 AM - edited 03-03-2019 02:21 AM
There are 3 routers in the main office. The OX router (outside x.x.x.x and inside 192.168.0.250) connects to the Internet. A Cisco 1841 (192.168.0.81) and a USR 8200 (192.168.0.95) connect to a switch. Both the 192.168.0.x and 192.168.2.x subnets can access the Internet without any issues.
The Cisco 1841 (192.168.100.1) in the main office also connects to a Cisco 1841 (192.168.100.2) in a remote office. The remote office 192.168.1.x can access the main office without problems, but has no Internet. The computers in the remote office can't even ping the OX router 192.168.0.250. Tracert 4.2.2.1 stops at 192.168.100.1.
The main office 1841 has these routing commands:
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
The remote office 1841 has these routing commands:
ip route 0.0.0.0 0.0.0.0 192.168.100.1
ip route 192.168.0.0 255.255.255.0 192.168.100.1
Any ideas why the remote office can't access the Internet?
The drawing can be found here http://www.howtonetworking.com/ciscoissues.htm
Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
03-18-2006 10:55 AM
Hi Friend,
Let's take a scenario: when your remote office sends a ping request to 4.2.2.1, it will hit your remote office router, which has a default route to reach 192.168.100.1, which is your main office 1841 router. Good so far.
Your main office 1841 router has a default route to reach 192.168.0.250, and from there onwards it goes to the Internet, but think of the reply back.
Your routes to reach back the source 192.168.1.x subnet are not proper.
From the Internet, when the request comes back to your OX router, does your OX router know how to come back to the 192.168.1.x subnet?
If yes, it will reach your main office 1841 router, and from there onwards it will reach your remote office and you will be good to go.
But I think your OX router does not know how to reach the 192.168.1.x subnet, so if possible add a route on your OX router to send replies for the destination 192.168.1.x subnet to the main office 1841 router, and after that everything is OK.
HTH, if yes please rate the post.
Ankur
03-18-2006 11:49 AM
Thank you for the quick reply. You are right. The OX router may not route back to the Cisco router. I thought that, but wasn't sure. First of all, we can't manage the OX router; only the ISP manages the router. The ISP wants to limit Internet access to just one subnet, 192.168.0.x. So I can't tell that for sure. I have another question. Why does the USR router work without the OX router knowing how to come back to the 192.168.2.x subnet?
03-18-2006 09:31 PM
Hi Friend,
There could be 2 reasons why your OX router sends the reply back to the 192.168.2.x subnet.
One, your USR router might be doing some kind of NATting and changing the source IP of the 192.168.2.x subnet to the USR's 192.168.0.x source, which is on the outgoing interface of the USR.
Second, your OX router might have some route to reach back to the USR router for replies to the 192.168.2.x subnet.
Can you confirm from the config of the USR router whether it does some kind of NATting?
HTH, if yes please rate the post.
Ankur
03-19-2006 07:06 AM
Hi Ankur,
Yes, the USR router is doing NAT. What are the command lines for setting up the same NAT on the Cisco 1841? I am new to Cisco routers; can I use the SDM to set up NAT? If yes, how? Please give the details.
Thank you.
03-19-2006 09:07 AM
Hi Friend,
So now we know what the problem is and we are very close to the solution.
We just need to enable NAT on your 1841 main office router, so that anything coming from the remote office and moving out from there goes out to the Internet with a 192.168.0.x address, which your OX router knows how to reply to.
But sorry to say I have never configured an 1841 router using SDM, but still you can try this link.
I think one entry for static NAT is enough for your scenario. Check this link to configure a static NAT entry.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
http://www.cisco.com/warp/public/556/12.html
Don't forget to rate the helpful post.
Ankur
03-19-2006 09:27 AM
I will rate this post. I am reading the links and have one more question. When I do the NAT, should I do inside to outside and also outside to inside (because both LANs need to access each other)?
Thank you.
03-19-2006 09:43 AM
Hi Friend,
NAT is bi-directional (2-way), so if you just have one static NAT statement from inside to outside it will be enough.
HTH
Ankur
03-20-2006 12:27 PM
I tried to set up NAT, but I'm not sure I did it right. It doesn't work. Here is the code.
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.0.81 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 192.168.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static network 192.168.100.1 192.168.0.81 /32
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
no cdp run
03-20-2006 10:03 PM
Hi Friend,
Let's make some changes to NAT. First, you have configured a static NAT statement with an IP and not for a network.
Second, instead of static NAT let's have dynamic NAT.
Remove your previous NAT statement, configure this, and update if it worked:
ip nat inside source list 3 interface FastEthernet0/1 overload
access-list 3 permit 192.168.100.0 0.0.0.255
HTH, if yes please rate the post.
Ankur
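An added example (Python written for this page, not code from the thread or from Cisco) that models the return-path reasoning in the replies above: a longest-prefix-match table for the OX router and the main-office 1841, a standard-ACL matcher, and a check of whether an echo reply from 4.2.2.1 can get back to a remote-office host. It assumes the OX router has only its own LAN and a default route to the ISP, and the host 192.168.1.20 is a constructed sample.

```python
import ipaddress

# Constructed model of the thread's topology (an added example, not the poster's config).
# OX: knows its own LAN plus a default route to the ISP; nobody gave it a route for 192.168.1.0/24.
# MAIN 1841: fa0/1 192.168.0.81 (ip nat outside), s0/0/0 192.168.100.1 (ip nat inside).
ROUTES = {
    "OX":   [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "isp")],
    "MAIN": [("192.168.0.0/24", "connected"), ("192.168.100.0/24", "connected"),
             ("192.168.1.0/24", "192.168.100.2"), ("0.0.0.0/0", "192.168.0.250")],
}

# The NAT selectors that appear in the thread, as (network, wildcard) pairs of a standard ACL.
STATIC_100_1 = [("192.168.100.1", "0.0.0.0")]    # 'static network 192.168.100.1 ... /32': one host
ACL_3_FIRST  = [("192.168.100.0", "0.0.0.255")]  # first suggestion: the serial link, not the LAN
ACL_3_FIXED  = [("192.168.1.0", "0.0.0.255")]    # corrected suggestion: the remote-office LAN

def next_hop(router, dst):
    """Longest-prefix match over a router's table (the default route always matches)."""
    best = None
    for prefix, hop in ROUTES[router]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1]

def acl_permits(acl, src):
    """Standard IOS ACL match: address bits under a wildcard 1 are ignored."""
    s = int(ipaddress.ip_address(src))
    for net, wildcard in acl:
        n, w = int(ipaddress.ip_address(net)), int(ipaddress.ip_address(wildcard))
        if (s | w) == (n | w):
            return True
    return False

def internet_reply_returns(src, nat_acl, outside_ip="192.168.0.81"):
    """src pings 4.2.2.1 via MAIN -> OX -> Internet; True if the echo reply can reach src."""
    if next_hop("MAIN", "4.2.2.1") != "192.168.0.250":
        return False
    # 'ip nat inside source list <acl> interface fa0/1 overload': only ACL matches get rewritten.
    translated = acl_permits(nat_acl, src)
    seen_by_ox = outside_ip if translated else src
    if next_hop("OX", seen_by_ox) != "connected":
        return False   # OX hands the reply to the ISP; a private source never comes back
    # The reply lands on MAIN's fa0/1; MAIN undoes the translation and routes to the remote site.
    return next_hop("MAIN", src) == "192.168.100.2"

if __name__ == "__main__":
    for name, acl in (("static /32", STATIC_100_1), ("acl 3 first", ACL_3_FIRST), ("acl 3 fixed", ACL_3_FIXED)):
        print(f"{name:12s} reply returns: {internet_reply_returns('192.168.1.20', acl)}")
```

Only the selector that actually covers 192.168.1.0/24 makes the OX router see a 192.168.0.x source it can deliver on its own LAN.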
03-21-2006 06:11 AM
After setting up what you listed, I lost access to the Cisco router 192.168.0.81 (I was accessing it remotely). How can I set up NAT to let both sites access each other? Will access-list 3 permit any do that?
Thank you.
03-21-2006 07:12 AM
Hi Friend,
First of all I am really sorry, as I mistook the IP address, because of which you lost access to the router.
I hope you have got access back now.
I think you are accessing this router from your remote site, which is the 192.168.1.x subnet? Please confirm this.
You just need to change your access list:
access-list 3 permit 192.168.1.0 0.0.0.255
HTH
Ankur
03-21-2006 10:07 AM
I was accessing 192.168.0.81 from the Internet. That means from the Internet to 192.168.0.0, and from 192.168.0.0 accessing the router 192.168.0.81. The good news is I didn't save, so I had someone reset the router and I can access it now.
What they want is to be able to access each other, remote office and main office, plus the remote office accessing the Internet. Should I add
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.0.0 0.0.0.255
or
access-list 3 permit any
03-21-2006 09:42 PM
Hi Friend,
access-list 3 permit 192.168.1.0 0.0.0.255 is enough to get anyone from your remote office access to the Internet, and if anyone wants to access the remote site 1841 router from the Internet it should also work.
Make sure you are implementing this on your 1841 main office router.
HTH
Ankur
03-24-2006 06:53 PM
Still the same problem: 192.168.1.x and the Cisco router in the remote office (192.168.1.91/192.168.100.2) can't pass the OX router even though I tried the following commands. Can someone take a look at the configuration (see below)?
I tried these:
interface FastEthernet0/1
ip address 192.168.0.81 255.255.255.0
ip nat outside
interface Serial0/0/0
ip address 192.168.100.1 255.255.255.0
ip nat inside
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/1 overload
I also tried these:
conf t
int fat0/1
ip nat outside
int s0/0/0
ip nat inside
exit
access-list 99 permit any
ip nat inside source list 99 fa0/1 overload
end
Here is the code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$40lL$Jy2/yuIKx9wL3RrgzpzyH.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
!
username ccmd privilege 15 secret 5 $1$s9Yv$6buU8kcAE6XxF5lBnfzmk1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.0.81 255.255.255.0
ip access-group sdm_fastethernet0/1_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
ip address 192.168.100.1 255.255.255.0
ip access-group sdm_serial0/0/0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.250
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source static network 192.168.100.1 192.168.0.81 /32
!
ip access-list extended sdm_fastethernet0/1_in
remark SDM_ACL Category=1
permit ip any any
ip access-list extended sdm_serial0/0/0_in
remark SDM_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.100.0 0.0.0.255
access-list 99 remark SDM_ACL Category=16
access-list 99 permit any
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
password 7 08314D5D1A0E0A05164B5C
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 4000 1000
end