New Member

natting, routing or acl problem ?

Hi, I have configured a Cisco 871 router with the following configuration, but I have a problem, probably a natting or routing problem.

The VLAN10 (DMZ) works fine and I can connect my servers with the public ip assigned by my ISP. The servers can see internet.

The VLAN1, (private LAN), doesn't work very well: I can ping my internal LAN gateway (10.10.1.1) and my servers with public ip (on VLAN10), but I can't see internet.

Can someone help me resolve this problem?

Subnet public IP assigned by provider (VLAN10)
Subnet: xxx.yyy.zzz.248
Router IP: xxx.yyy.zzz.249
Available IPs: xxx.yyy.zzz.250 .. xxx.yyy.zzz.254
Broadcast: xxx.yyy.zzz.255
Netmask: 255.255.255.248

Subnet LAN (VLAN1)
Subnet: 10.10.1.0
Gateway: 10.10.1.1
Netmask: 255.255.255.0

My router config (see attachment)

9 REPLIES

Re: natting, routing or acl problem ?

You can try to move NAT to vlan 10 from dial0.

int dial0
 no ip nat out
int vlan10
 ip nat out

You'll also need to change:

ip nat inside source list 101 interface Dialer0 overload

to

ip nat inside source list 101 interface Vlan10 overload

See if that works, but I'm not sure it will.

John

HTH, John *** Please rate all useful posts ***
New Member

Re: natting, routing or acl problem ?

Hi John,

This configuration doesn't work.

This configuration breaks the DMZ (VLAN10) and the LAN doesn't work...

Bronze

Re: natting, routing or acl problem ?

Everything looks good, however the thing I can see is you are using the same ACL for your NAT and your Access-group...

ip access-group 101 in
ip access-group 102 out

I would take the 102 line out altogether, and the 101 line would be locked down according to your needs, i.e. TCP 25, 80, etc. Right now it looks like your DMZ is wide open.

As for the NAT issue: write mem, reload and see if it's resolved. Also try show ip nat trans and show ip nat stat and post your results.

Hope this helps, rate if it does,

JB

New Member

Re: natting, routing or acl problem ?

Hi JB,

thank you for your reply.

I don't speak English very well and I haven't understood what you mean... can you give me an example please?

Thanks

Luca

New Member

Re: natting, routing or acl problem ?

Maybe I need to invert the in and out access-lists?

interface Dialer0
 ip unnumbered Vlan10
 ip access-group 101 in
 ip access-group 102 out
...
ip nat inside source list 102 interface Dialer0 overload
...
access-list 101 permit ip any any
access-list 102 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

New Member

Re: natting, routing or acl problem ?

Hi JB,

I have changed the following settings

ip nat inside source list 103 interface Dialer0 overload
!
!
access-list 101 remark *** ACL INBOUND DIALER0 ***
access-list 101 permit ip any any
access-list 102 remark *** ACL OUTBOUND DIALER0 ***
access-list 102 permit ip any any
access-list 103 remark *** ACL FOR NAT ***
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

without any success!

From VLAN10 I can see the Internet, but not from the natted VLAN1...

P.S.: I know that the inbound is wide open, but before closing all unused ports, I want to see that the router works fine...

New Member

Re: natting, routing or acl problem ?

Sorry, I forgot to post the results.

#show ip nat trans
-> no results!

#show ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Dialer0, Virtual-Access1
Inside interfaces:
  Vlan1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 4
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 103 interface Dialer0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

Bronze

Re: natting, routing or acl problem ?

Here are a couple of things you could try.

1) On Dialer0 remove the access-groups:

conf t
 int dialer 0
  no ip access-group 101 in
  no ip access-group 102 out

2) Try adding ip nat outside to int vlan 10:

conf t
 int vlan 10
  ip nat outside

I think what's going on has to do with the IP Unnumbered command on the dialer interface. The dialer is being told to use the ip of VLAN10, and nat for it as well. See if that works, I'm assuming #2 fixes the problem and #1 is just unnecessary configuration.

Hope this helps, rate if it does.

JB

New Member

Re: natting, routing or acl problem ?

Hi JB, today I have resolved the issue.

I have simply changed from

ip nat inside source list 103 interface Dialer0 overload

to

ip nat inside source list 103 interface Vlan10 overload

Now my router works fine!

Now it's time to apply some ACLs :-)

Thank you for your help.
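As an added illustration (my own Python, not code from the thread or from Cisco), a small audit that parses IOS-style config text and flags the three issues raised in this thread: NAT overload bound to an ip unnumbered interface (the change that resolved it), a permit ip any any inbound ACL on the NAT outside interface (JB's "wide open" DMZ), and one ACL shared between NAT and an access-group. The sample config is constructed to resemble the poster's; the 203.0.113.249 address is a placeholder.

```python
import re

# Constructed sample modelled on the thread's config (placeholder address, not the poster's file)
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 203.0.113.249 255.255.255.248
interface Dialer0
 ip unnumbered Vlan10
 ip access-group 101 in
 ip nat outside
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip any any
access-list 103 permit ip 10.10.1.0 0.0.0.255 any
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # back at global configuration level
    return interfaces

def audit_nat_config(config):
    """Return a list of findings for the three problems discussed in the thread."""
    findings, ifaces = [], parse_interfaces(config)
    # Interfaces that borrow their address with 'ip unnumbered <other>'
    unnumbered = {n: m.group(1) for n, cmds in ifaces.items() for c in cmds
                  if (m := re.match(r"ip unnumbered (\S+)", c))}
    nat_acls = set()
    for acl, iface in re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload$", config, re.M):
        nat_acls.add(acl)
        if iface in unnumbered:  # the change that resolved the thread: bind NAT to the real interface
            findings.append(f"NAT overload on {iface} (ip unnumbered {unnumbered[iface]}); bind it to {unnumbered[iface]} instead")
    open_acls = set(re.findall(r"^access-list (\S+) permit ip any any$", config, re.M))
    for name, cmds in ifaces.items():
        if "ip nat outside" not in cmds:
            continue
        for acl, direction in re.findall(r"^ip access-group (\S+) (in|out)$", "\n".join(cmds), re.M):
            if direction == "in" and acl in open_acls:
                findings.append(f"{name}: inbound ACL {acl} is 'permit ip any any' on the NAT outside interface (DMZ wide open)")
            if acl in nat_acls:
                findings.append(f"{name}: ACL {acl} is shared between NAT and an access-group; use separate ACLs")
    return findings
```

Calling audit_nat_config(SAMPLE_CONFIG) returns three findings; after rebinding the overload to Vlan10 with a dedicated ACL 103, only the wide-open inbound ACL remains.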
