Cisco Support Community
New Member

Access to Internet.

There are two clients in our network who are connected to the ISP via a POP Router. There is something wrong in the config which is why only client1 is able to access the internet and not client 02.

Configs:

Client1 Router:

interface FastEthernet0/0

ip address 192.168.0.1 255.255.255.0

ip nat inside

interface Serial0/0/0

ip address 10.20.0.2 255.255.255.252

ip nat outside

ip nat pool client01 10.30.0.6 10.30.0.14 netmask 255.255.255.240

ip nat inside source list natpool pool client01

ip classless

ip route 0.0.0.0 0.0.0.0 10.20.0.1

ip access-list extended natpool

permit ip any any

!

!

ip dhcp pool client01

network 192.168.0.0 255.255.255.0

default-router 192.168.0.1

dns-server 10.10.0.10

Client2 Router:

interface FastEthernet0/0

ip address 192.168.1.1 255.255.255.0

ip nat inside

interface Serial0/0/0

ip address 10.20.0.6 255.255.255.252

ip nat outside

ip nat pool client02 10.30.0.20 10.30.0.30 netmask 255.255.255.240

ip nat inside source list natpool pool client02

ip classless

ip route 0.0.0.0 0.0.0.0 10.20.0.5

ip access-list extended natpool

permit ip any any

!

!

ip dhcp pool client02

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 10.10.0.10

ISP Router:

interface FastEthernet0/0

ip address 204.60.0.1 255.255.255.0

ip nat outside

interface Serial0/0/0

ip address 10.11.0.18 255.255.255.252

ip nat inside

router ospf 10

log-adjacency-changes

redistribute static subnets

network 10.11.0.16 0.0.0.3 area 0

default-information originate

ip nat pool natclient01 204.60.0.9 204.60.0.14 netmask 255.255.255.0

ip nat inside source list natclient01 pool natclient01 overload

ip classless

ip route 0.0.0.0 0.0.0.0 204.60.0.254

!

!

ip access-list extended natclient01

permit ip 10.30.0.0 0.0.0.15 any

Please assist.

Regards,

12 REPLIES
Hall of Fame Super Silver

Re: Access to Internet.

Hello Faizan,

on last router:

ip access-list extended natclient01

permit ip 10.30.0.0 0.0.0.15 any

this doesn't match ip addresses of client2 that are in range 10.30.0.20 10.30.0.30

use

ip access-list extended natclient012

permit ip 10.30.0.0 0.0.0.31 any

but what is the interface of client2 to the ISP router?

it needs ip nat inside too

or is there another router in the middle collecting both access links? I guess it is so.

Hope to help

Giuseppe

New Member

Re: Access to Internet.

Giuseppe,

Thanks for your support :)

I've got it.

Client 01 also has an internal server that they would like internet users to be able to reach.

The public IP address to use for this is 204.60.0.3. What would be the command for it?

The server has been assigned the IP address 192.168.0.254

The public DNS has already been put in place for this on public DNS server 4.2.2.2 as www.client01.com

I've to make DNS entries so that internal users can reach it.

I've used the first available NAT in the reserved section of the NAT pool.

Kindly assist.

Regards.

New Member

Re: Access to Internet.

A layer 3 switch connects the border router, DNS server (4.2.2.2) and a host.

The vlans on L3 switch are as follows:

interface Vlan1

ip address 204.10.0.254 255.255.255.0

!

interface Vlan2

ip address 4.2.2.254 255.255.255.0

!

interface Vlan60

ip address 204.60.0.254 255.255.255.0

!

interface Vlan70

ip address 204.70.0.1 255.255.255.0

Regards.

Hall of Fame Super Silver

Re: Access to Internet.

Hello,

>>The public IP address to use for this is 204.60.0.3. What would be the command for it?

>>The server has been assigned the IP address 192.168.0.254

you are doing NAT at two different sections of the network.

So you need to do two static NATs

one for client1 to

one on the border router.

to work well you need to use a dedicated address that is not in the pools to avoid competition with dynamic NAT

the basic command is

ip nat inside source static local-addr global-addr

r1client1:

ip nat inside source static 192.168.0.254 10.30.0.5

isp router

ip nat inside source static 10.30.0.5 204.60.0.3

remember also to exclude ip address 192.168.0.254 from dhcp pool

use from global config:

r1client1:

ip dhcp excluded-address 192.198.0.1 192.168.0.254

Hope to help

Giuseppe
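
Added example (not part of the original thread and not any poster's code): a small Python check of the two points made in the replies above, using only addresses that appear in the posted configs. It tests which client NAT pool addresses the ISP router's wildcard ACL matches, and confirms that the two static NAT addresses sit outside the dynamic pools; the function and constant names are made up for this illustration.

```python
import ipaddress

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, net, wildcard):
    """IOS ACL match: wildcard bits set to 1 are ignored, the rest must be equal."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(net) & care)

def pool_addrs(start, end):
    """Every address of an 'ip nat pool <start> <end>' range, inclusive."""
    return [str(ipaddress.IPv4Address(i))
            for i in range(ip_int(start), ip_int(end) + 1)]

def unmatched(pool, acl):
    """Pool addresses that no 'permit ip <net> <wildcard> any' entry matches."""
    return [a for a in pool_addrs(*pool)
            if not any(wildcard_match(a, net, wc) for net, wc in acl)]

def static_chain(addr, hops):
    """Apply one 'ip nat inside source static' map per router, in order."""
    for static_map in hops:
        addr = static_map.get(addr, addr)
    return addr

# Values copied from the configs and replies in this thread.
CLIENT01_POOL = ("10.30.0.6", "10.30.0.14")
CLIENT02_POOL = ("10.30.0.20", "10.30.0.30")
ISP_POOL = ("204.60.0.9", "204.60.0.14")
ACL_POSTED = [("10.30.0.0", "0.0.0.15")]
ACL_WIDENED = [("10.30.0.0", "0.0.0.31")]
STATIC_HOPS = [{"192.168.0.254": "10.30.0.5"},   # client1 router
               {"10.30.0.5": "204.60.0.3"}]      # ISP router

if __name__ == "__main__":
    for name, pool in (("client01", CLIENT01_POOL), ("client02", CLIENT02_POOL)):
        print(name, "missed by posted ACL:", unmatched(pool, ACL_POSTED))
        print(name, "missed by 0.0.0.31 ACL:", unmatched(pool, ACL_WIDENED))
    print("server is published as", static_chain("192.168.0.254", STATIC_HOPS))
    # Static addresses must not also be handed out by a dynamic pool.
    print("10.30.0.5 in client01 pool:", "10.30.0.5" in pool_addrs(*CLIENT01_POOL))
    print("204.60.0.3 in ISP pool:", "204.60.0.3" in pool_addrs(*ISP_POOL))
```
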

New Member

Re: Access to Internet.

Thanks for your support. I have made all the above changes.

I am still not able to ping the internal server from Internet user.

I am confused because the ISP router has a range of 204.60.0.0/24. I want to assign public IP 204.60.0.3 to the internal server connected to client01 router. How can I assign a public IP to the internal server from a pool of private IPs which have already been assigned to ISP router.

Please reply.

Regards.

Hall of Fame Super Silver

Re: Access to Internet.

Hello Faizan,

add the option reversible to both nat commands

because:

An initial session from inside-to-outside is required to trigger a NAT. New translation sessions can then be initiated from outside-to-inside to the inside host that triggered the initial translation.

see

http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iadnat_addr_consv_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1074422

Hope to help

Giuseppe

New Member

Re: Access to Internet.

Thank you for your assistance Giuseppe.

I have followed that link but still I'm not able to make out.

I have designed the network on CPT, and attached with this post for you to understand the scenario better.

Thanks.

Hall of Fame Super Silver

Re: Access to Internet.

Hello Faizan,

let's try to add two lines like

ip nat outside source static global-ip local-ip

to create the entries from the outside interface.

Use the same addresses used before but in reverse order in the two commands.

Hope to help

Giuseppe

New Member

Re: Access to Internet.

None of the routers are accepting the

ip nat outside source static global-ip local-ip command.

New Member

Re: Access to Internet.

Hey Giuseppe,

Thank you very much for your help.

I have made all the changes successfully.

You have been really very helpful.

Best regards.

Hall of Fame Super Silver

Re: Access to Internet.

Hello Faizan,

nice news that it is working. By the way, what is the combination of commands that is working?

just to indicate the right solution.

Hope to help

Giuseppe

New Member

Re: Access to Internet.

Hi Giuseppe,

The commands which you gave me were the ones which were required to make the change. It was simple yet tricky.

r1client1:

ip nat inside source static 192.168.0.254 10.30.0.5

isp router

ip nat inside source static 10.30.0.5 204.60.0.3

There was no need to put

ip dhcp excluded-address 192.198.0.1 192.168.0.254

Everything is working fine now and the user can now connect to server.

Thank you very much for your assistance!

The issue is completely resolved.

Regards.
