01-28-2014 03:05 PM - edited 03-04-2019 10:11 PM
Guys I need a hand!
This is my proof of concept lab set-up. (See basic diagram attached)
I have a 2821 router with an ADSL WIC1T installed. I have an internet connection successfully set up to my ISP.
I have configured NAT overload to use interface Dialer 1. I have a routed non-natted ASA 5510's outside interface directly connected to the routers G0/1 port.
The ASA's inside interface is plugged into a Layer 2 switch with a xp host connected.
The problem being I'm unable to browse or ping to the internet from the XP host through the firewall which in turn should NAT through the router.
Here is my config and connectivity tests.
Someone put me out of my misery please!!!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VOIP-GW
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
enable secret 5 $1$GNJD$RvsmCC1kB2bgE1COh1D.P.
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxxxx password xxxxxxxx
archive
log config
hidekeys
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex full
speed 1000
!
interface GigabitEthernet0/1
description ***To ASA Outside Interface***
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
interface ATM0/0/0
description ***ADSL WAN Link***
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0/1/0
no ip address
shutdown
duplex full
speed 100
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap chap ms-chap callin
ppp chap hostname bt@btinternet.com
ppp chap password 7 xxxxxxxxxx
ppp pap sent-username jobloggs@mail.com password 7 xxxxxxxxxx
ppp ipcp address accept
hold-queue 224 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.1.0 255.255.255.0 172.16.0.254
no ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 172.16.0.0 0.0.0.255 log
access-list 1 permit 10.10.1.0 0.0.0.255 log
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end
Routes on Voice router
VOIP-GW#sh ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
86.0.0.0/32 is subnetted, 1 subnets
C 86.150.132.89 is directly connected, Dialer1
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.0.0 is directly connected, GigabitEthernet0/1
213.120.155.0/32 is subnetted, 1 subnets
C 213.120.155.227 is directly connected, Dialer1
10.0.0.0/24 is subnetted, 1 subnets
S 10.10.1.0 [1/0] via 172.16.0.254
S* 0.0.0.0/0 is directly connected, Dialer1
Ping from Voice router to bbc.co.uk sourcing from 172.16.0.1 NAT Inside interface
VOIP-GW#ping
Protocol [ip]:
Target IP address: bbc.co.uk
Translating "bbc.co.uk"...domain server (8.8.8.8) [OK]
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.58.246.104, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/40/44 ms
Pings get through.
NAT Translations see
VOIP-GW#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 86.150.132.89:7 172.16.0.1:7 212.58.246.104:7 212.58.246.104:7
VOIP-GW#
Can Ping ASA Outside interface from Voice router
VOIP-GW#ping 172.16.0.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.10.1.43
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.1.251
Can ping Voice Router from host.
C:\Documents and Settings\reeveradmin>ping 172.16.0.1
Pinging 172.16.0.1 with 32 bytes of data:
Reply from 172.16.0.1: bytes=32 time=1ms TTL=255
Reply from 172.16.0.1: bytes=32 time=1ms TTL=255
Reply from 172.16.0.1: bytes=32 time=1ms TTL=255
Reply from 172.16.0.1: bytes=32 time=1ms TTL=255
Ping statistics for 172.16.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
C:\Documents and Settings\reeveradmin>
Ping from host on 10.10.1.43 to google dns..no reply
C:\Documents and Settings\reeveradmin>ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Real time logs on ASA 5510 testing icmp
6 Jan 28 2014 22:19:07 302021 8.8.8.8 0 10.10.1.43 512 Teardown ICMP connection for faddr 8.8.8.8/0 gaddr 10.10.1.43/512 laddr 10.10.1.43/512
No NAT Translations seen?
VOIP-GW#sh ip nat translations
VOIP-GW#
Browse from host on 10.10.1.43 to bbc.co.uk
Real time logs on ASA 5510 testing http
6 Jan 28 2014 22:20:56 302015 10.10.1.43 1423 213.120.234.22 53 Built outbound UDP connection 32813 for Outside:213.120.234.22/53 (213.120.234.22/53) to LAN-Inside:10.10.1.43/1423 (10.10.1.43/1423)
6 Jan 28 2014 22:20:02 302015 10.10.1.43 1388 213.120.234.22 53 Built outbound UDP connection 32812 for Outside:213.120.234.22/53 (213.120.234.22/53) to LAN-Inside:10.10.1.43/1388 (10.10.1.43/1388)
6 Jan 28 2014 22:20:02 302015 10.10.1.43 1388 213.120.234.22 53 Built outbound UDP connection 32812 for Outside:213.120.234.22/53 (213.120.234.22/53) to LAN-Inside:10.10.1.43/1388 (10.10.1.43/1388)
No NAT Translations seen again?
VOIP-GW#sh ip nat translations
VOIP-GW#
ASA is in routed mode, no NAT taking place!
01-28-2014 11:12 PM
Hi,
Can you try to edit ACL 1 and remove the log keyword from it and let us know.
Regards
Alain
Don't forget to rate helpful posts.
01-29-2014 01:53 AM
Alain I tip my hat to you sir
You have hit the nail on the head!
I have been pulling my hair out over this! The only reason I put the keyword "log" at the end of the ACL was to troubleshoot lol.
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml
Thanks again!
Matt
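The root cause in this thread (a dynamic NAT ACL whose entries carry `log`, which the IOS NAT path silently refuses to match) is easy to reintroduce when someone adds `log` to troubleshoot and forgets to remove it. The script below is an added example written for this page, not code from the thread or from Cisco: it walks an IOS running-config, finds every numbered ACL referenced by an `ip nat ... source list` rule, flags entries ending in `log` or `log-input`, and emits the lines that recreate the ACL without the keyword. The sample config embedded in it is constructed to mirror the thread (ACL 1 with `log` on both entries) plus two extra ACLs so the check can be seen distinguishing a NAT ACL from an unrelated one. Named ACLs (`ip access-list standard ...`) are assumed out of scope.

```python
"""Audit an IOS running-config for dynamic NAT ACLs whose entries carry 'log'.

Assumption: numbered ACLs, as in the thread. Named ACLs are not parsed.
"""

# Constructed sample modelled on the thread's config; not a real device dump.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 2 interface Dialer1 overload
!
access-list 1 permit 172.16.0.0 0.0.0.255 log
access-list 1 permit 10.10.1.0 0.0.0.255 log
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255 log
dialer-list 1 protocol ip permit
"""

LOG_KEYWORDS = ("log", "log-input")


def nat_acls(config):
    """ACL numbers referenced by 'ip nat inside|outside source list <n> ...'."""
    acls = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[:2] == ["ip", "nat"] and t[3:5] == ["source", "list"]:
            acls.add(t[5])
    return acls


def acl_entries(config):
    """{acl number: [entry lines in config order]} for numbered ACLs."""
    entries = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] == "access-list":
            entries.setdefault(t[1], []).append(line.strip())
    return entries


def find_nat_acls_with_log(config):
    """[(acl, entry)] for entries of NAT-referenced ACLs that end in a log keyword.

    ACLs not used by a NAT rule are left alone: 'log' is legitimate there.
    """
    used = nat_acls(config)
    findings = []
    for acl, lines in acl_entries(config).items():
        if acl in used:
            for entry in lines:
                if entry.split()[-1] in LOG_KEYWORDS:
                    findings.append((acl, entry))
    return findings


def strip_log(entry):
    """Return the ACL entry without its trailing log/log-input keyword."""
    t = entry.split()
    if t[-1] in LOG_KEYWORDS:
        t = t[:-1]
    return " ".join(t)


def remediation(config):
    """Config lines that recreate each offending ACL with 'log' removed.

    A numbered ACL is removed whole ('no access-list N') and re-entered in
    the original order, so entries that never had 'log' are preserved too.
    """
    bad = {acl for acl, _ in find_nat_acls_with_log(config)}
    entries = acl_entries(config)
    out = []
    for acl in sorted(bad):
        out.append(f"no access-list {acl}")
        out.extend(strip_log(e) for e in entries[acl])
    return out


if __name__ == "__main__":
    for acl, entry in find_nat_acls_with_log(SAMPLE_CONFIG):
        print(f"NAT ACL {acl} has a logging entry, NAT will not match it: {entry}")
    print("\n".join(remediation(SAMPLE_CONFIG)))
```

After applying the generated lines, run `clear ip nat translation *` from exec mode and re-test; the symptom to look for before the fix is exactly what the thread shows, an empty `show ip nat translations` while the ASA logs outbound connections being built.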