02-12-2014 08:03 AM - edited 03-04-2019 10:19 PM
Hi Guys,
I appreciate any help on this. I have a Cisco 1941 Router that I just factory defaulted. I configured the GB Inter 0/0 to be the LAN 192.168.4.250 255.255.255.0 and the GB Inter 0/1 (Public IP) 255.255.255.248. I can ping the internet and internal network PCs from the WAN interface (GB Inter 0/1). As for the GB Inter 0/0, I can ping the WAN interface but I cannot ping an external source by name or IP address. I do have DNS configured on the router and any PC being used on the internal network. DHCP is disabled because we have a DHCP server. My show running-config is below. Any help is appreciated very much. Let me know if any other info is needed to diagnose the issue. Also no access lists are applied either.
Current configuration : 5397 bytes
!
! Last configuration change at 15:44:02 UTC Wed Feb 12 2014 by michael
! NVRAM config last updated at 15:40:26 UTC Wed Feb 12 2014
! NVRAM config last updated at 15:40:26 UTC Wed Feb 12 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 107TestRouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name libertysport.com
ip name-server 75.75.75.75
ip name-server 75.75.76.76
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3136076189
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3136076189
revocation-check none
rsakeypair TP-self-signed-3136076189
!
!
crypto pki certificate chain TP-self-signed-3136076189
certificate self-signed 01
02-12-2014 08:08 AM
You haven't posted the full configuration but do you have NAT set up for the internal clients?
Jon
02-12-2014 08:59 AM
Hi Jon, thank you for your response. No, I haven't set up NATing yet. Shall I config it with 0/1 outside and 0/0 inside? I'll post full config ASAP.
02-12-2014 09:01 AM
Your NAT config would be -
int gi0/0
ip nat inside
int gi0/1
ip nat outside
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
ip nat inside source list 101 interface gi0/1 overload
Jon
02-12-2014 09:32 AM
Jon, you fixed it! I'm able to get out now. I can't believe it was that easy; most searches I've found led me to the overload statement but I wasn't sure enough to try it myself.
02-12-2014 09:35 AM
No problem, glad to have helped.
Jon
02-12-2014 09:36 AM
When I do a show ip interface gbint0/1, how come I don't see that the ip nat inside source list 101 interface gi0/1 overload is shown under outgoing or inbound access list?
02-12-2014 09:44 AM
If I understand your question correctly, the acl used in the NAT statement is only used to tell the router which IPs to NAT. It is not applied to any interface as you would with an acl that was controlling traffic through that interface.
There are a lot of different uses for acls and for a lot of things the acl is not directly applied to the router's interfaces.
Jon
02-12-2014 09:51 AM
Understood and thank you. Is there a command to verify or view that this statement is in effect? Kinda like viewing the ACLs tied to an interface?
02-12-2014 09:54 AM
You can do -
1) a simple "sh run" to see if it is configured
2) "sh access-list 101" to see if there are hits on the acl
3) "sh ip nat translations" to see exactly what NAT translations are happening on your router.
Jon
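Jon's point that ACL 101 only selects which sources get translated, together with his "sh run" check, as an added example that is not part of the original thread: a Python audit of a constructed running-config excerpt. The function name audit_nat, the expanded interface names and the WAN address 203.0.113.2 are assumptions; only the "permit ip <net> <wildcard> any" ACL form is handled.

```python
import ipaddress
import re

# Constructed sample in "show running-config" layout. The LAN address and the NAT
# lines are from the thread; the WAN address is a documentation placeholder.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.4.250 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
"""

def audit_nat(config):
    """Check how a PAT (overload) rule, its ACL and the interfaces fit together."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(words[1], {"nat": None, "net": None, "filters": []})
        elif cur is None or not line.startswith(" "):
            cur = None  # left the interface block
        elif words[:2] == ["ip", "nat"]:
            cur["nat"] = words[2]
        elif words[:2] == ["ip", "address"] and len(words) == 4:
            cur["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif words[:2] == ["ip", "access-group"]:
            cur["filters"].append(words[2])
    rule = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload", config, re.M)
    if not rule:
        return {"rule": False}
    acl, egress = rule.groups()
    # IOS ACLs use wildcard (inverse) masks; ipaddress accepts them as host masks.
    srcs = [ipaddress.ip_network(f"{a}/{w}") for a, w in
            re.findall(rf"^access-list {re.escape(acl)} permit ip (\S+) (\S+) any", config, re.M)]
    inside = [i for i in ifaces.values() if i["nat"] == "inside"]
    return {
        "rule": True,
        "egress_is_outside": ifaces.get(egress, {}).get("nat") == "outside",
        "inside_nets_matched": bool(inside) and all(
            i["net"] is not None and any(i["net"].subnet_of(s) for s in srcs) for i in inside),
        # The NAT ACL only selects traffic; it filters only if bound with ip access-group.
        "acl_filters_interface": any(acl in i["filters"] for i in ifaces.values()),
    }
```

For the sample, acl_filters_interface is False, which is why the ACL does not show up as an inbound or outgoing access list on the interface even though the translation is working.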