848 Views, 2 Helpful, 3 Replies

Router-on-a-Stick with PAT configured

Armando Freire
Spotlight

Hello, I have a problem in a network where PAT and Router-on-a-Stick are configured, but the hosts cannot access the internet. At the same time I have also configured a VPN tunnel connected to another network, which would be the remote office, but it does not work either. On R2 the router-on-a-stick and PAT are configured; from R2 itself it pings the INTERNET network, but the other devices do not.

R1 HEAD OFFICE

Current configuration : 3475 bytes
!
version 15.1
service timestamps log datetime msec
no service timestamps debug datetime msec
service password-encryption
!
hostname R1
!
login block-for 300 attempts 3 within 30
login on-failure log
login on-success log
!
enable secret xxx
!
no ip cef
no ipv6 cef
!
username spmunu secret xxx
!
license udi pid CISCO2911/K9 sn xxx
!
ip domain-name lasociados.com
ip name-server 70.0.0.38
!
spanning-tree mode pvst
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 mtu 1476
 tunnel source Serial0/0/0
 tunnel destination 90.0.0.1
!
interface GigabitEthernet0/0
 ip address 192.168.1.254 255.255.255.248
 ip access-group OUTSIDE in
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 80.0.0.1 255.255.255.0
 ip access-group INSIDE in
 ip nat outside
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 172.16.0.0 0.0.0.3 area 0
!
ip nat inside source list 1 interface Serial0/0/0 overload
ip nat inside source static tcp 192.168.1.130 80 80.0.0.1 80
ip nat inside source static tcp 192.168.1.130 443 80.0.0.1 443
ip classless
ip route 90.0.0.0 255.255.255.0 80.0.0.2
ip route 192.168.1.0 255.255.255.128 192.168.1.253
ip route 192.168.1.128 255.255.255.224 192.168.1.253
ip route 192.168.1.160 255.255.255.240 192.168.1.253
ip route 192.168.1.240 255.255.255.248 192.168.1.253
ip route 70.0.0.0 255.255.255.0 80.0.0.2
!
ip flow-export version 9
!
ip access-list extended sl_def_acl
 deny tcp any any eq telnet
 deny tcp any any eq www
 deny tcp any any eq 22
 permit tcp any any eq 22
access-list 1 permit 192.168.1.0 0.0.0.255
ip access-list standard VTY
 permit 192.168.1.160 0.0.0.15
 deny any
ip access-list extended INSIDE
 permit tcp 70.0.0.0 0.0.0.255 host 80.0.0.1 eq 443
 deny tcp 70.0.0.0 0.0.0.255 host 80.0.0.1 eq www
 permit tcp 70.0.0.0 0.0.0.255 any established
 permit icmp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
 permit icmp 70.0.0.0 0.0.0.255 any echo-reply
 deny ip any any
ip access-list extended OUTSIDE
 permit icmp 192.168.1.0 0.0.0.255 any
 permit tcp 192.168.1.0 0.0.0.255 any eq www
 permit tcp 192.168.1.0 0.0.0.255 any eq 443
 permit tcp 192.168.1.0 0.0.0.255 any established
 deny ip any any
!
banner motd ^C
**********************************************************
**********************************************************
************ RH LOPEZ AND ASSOCIATES *********************
**********************************************************
*** Unauthorized access to the device ********************
*** is punishable by international law. ******************
**********************************************************
** If you are not authorized, log out immediately ********
**********************************************************
^C
!
logging trap debugging
logging 192.168.1.132
line con 0
 password xxx
 login
!
line aux 0
!
line vty 0 4
 access-class VTY in
 exec-timeout 5 30
 login local
 transport input ssh
line vty 5 15
 access-class VTY in
 exec-timeout 5 30
 login local
 transport input ssh
!
ntp server 80.0.0.2
ntp update-calendar
!
end

R2 REMOTE OFFICE

version 15.1
service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R2
!
login block-for 300 attempts 3 within 30
login on-failure log
login on-success log
!
ip dhcp excluded-address 172.20.0.62
ip dhcp excluded-address 172.20.0.30
ip dhcp excluded-address 172.20.0.1 172.20.0.3
!
ip dhcp pool Factory
 network 172.20.0.0 255.255.255.224
 default-router 172.20.0.30
 dns-server 192.168.1.130
ip dhcp pool Distribution
 network 172.20.0.32 255.255.255.224
 default-router 172.20.0.62
 dns-server 192.168.1.130
!
no ip cef
no ipv6 cef
!
license udi pid CISCO2911/K9 sn xxx
!
spanning-tree mode pvst
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 mtu 1476
 tunnel source Serial0/0/0
 tunnel destination 80.0.0.1
!
interface GigabitEthernet0/0
 description Connection to S4 with TRUNK
 no ip address
 ip nat inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description VLAN of the Factory department
 encapsulation dot1Q 10
 ip address 172.20.0.30 255.255.255.224
!
interface GigabitEthernet0/0.20
 description VLAN of the Distribution department
 encapsulation dot1Q 20
 ip address 172.20.0.62 255.255.255.224
!
interface GigabitEthernet0/0.99
 description ADM Vlan
 encapsulation dot1Q 99 native
 ip address 172.20.0.254 255.255.255.248
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 90.0.0.1 255.255.255.0
 ip nat outside
!
interface Serial0/0/1
 no ip address
 clock rate 2000000
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.0.3 area 0
 network 172.20.0.0 0.0.0.255 area 0
!
router rip
!
ip nat inside source list 1 interface Serial0/0/0 overload
ip classless
ip route 70.0.0.0 255.255.255.0 90.0.0.2
ip route 80.0.0.0 255.255.255.0 90.0.0.2
!
ip flow-export version 9
!
ip access-list extended sl_def_acl
 deny tcp any any eq telnet
 deny tcp any any eq www
 deny tcp any any eq 22
 permit tcp any any eq 22
access-list 1 permit 172.20.0.0 0.0.0.255
!
no cdp run
!
banner motd ^C
**********************************************************
**********************************************************
************ RH LOPEZ AND ASSOCIATES *********************
**********************************************************
*** Unauthorized access to the device ********************
*** is punishable by international law. ******************
**********************************************************
** If you are not authorized, log out immediately ********
**********************************************************
^C
!
logging trap debugging
logging 192.168.1.132
line con 0
!
line aux 0
!
line vty 0 4
 exec-timeout 5 30
 login
line vty 5 15
 exec-timeout 5 30
 login
!
ntp server 90.0.0.2
!
end

2 ACCEPTED SOLUTIONS

Jose Suarez
Level 1

Hello,

The 'ip nat inside' command has to be placed on the subinterfaces, not on the main interface.

R2(config)#int gigabitEthernet 0/0
R2(config-if)#no ip nat in
R2(config-if)#no ip nat inside
R2(config-if)#exit

R2(config)#int gigabitEthernet 0/0.20
R2(config-subif)#ip nat inside

R2#sh ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 90.0.0.1:20        172.20.0.35:20     70.0.0.1:20        70.0.0.1:20
icmp 90.0.0.1:21        172.20.0.35:21     70.0.0.1:21        70.0.0.1:21
icmp 90.0.0.1:22        172.20.0.35:22     70.0.0.1:22        70.0.0.1:22

-----------------------------------------------

C:\>ipconfig

FastEthernet0 Connection:(default port)

   Connection-specific DNS Suffix..:
   Link-local IPv6 Address.........: FE80::203:E4FF:FEAC:378
   IPv6 Address....................: ::
   IPv4 Address....................: 172.20.0.35
   Subnet Mask.....................: 255.255.255.224
   Default Gateway.................: ::
                                     172.20.0.62

C:\>ping 70.0.0.1

Pinging 70.0.0.1 with 32 bytes of data:

Reply from 70.0.0.1: bytes=32 time=2ms TTL=253
Reply from 70.0.0.1: bytes=32 time=2ms TTL=253
Reply from 70.0.0.1: bytes=32 time=2ms TTL=253
Reply from 70.0.0.1: bytes=32 time=21ms TTL=253

Ping statistics for 70.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 21ms, Average = 6ms

Regards

Jose Suarez
CCIE No. 66421


Jose Suarez
Level 1

The problem with the tunnel was in the ACL on R1, which didn't allow GRE traffic.

ip access-list extended INSIDE
permit tcp 70.0.0.0 0.0.0.255 host 80.0.0.1 eq 443
deny tcp 70.0.0.0 0.0.0.255 host 80.0.0.1 eq www
permit tcp 70.0.0.0 0.0.0.255 any established
permit icmp 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
permit icmp 70.0.0.0 0.0.0.255 any echo-reply
permit icmp any any echo
permit gre any any
deny ip any any

--------------------

R1#sh ip route ospf
     172.20.0.0/16 is variably subnetted, 3 subnets, 2 masks
O       172.20.0.0 [110/1001] via 172.16.0.2, 00:03:43, Tunnel0
O       172.20.0.32 [110/1001] via 172.16.0.2, 00:03:43, Tunnel0
O       172.20.0.248 [110/1001] via 172.16.0.2, 00:03:43, Tunnel0

"I hope this is helpful to you. Remember to support with a like, and if this solves your question, please select it as the chosen answer."

Jose Suarez
CCIE No. 66421

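Both accepted answers come down to checks that can be made before a config is pushed: `ip nat inside` has to sit on the dot1Q subinterfaces that actually receive the LAN traffic, not on the untagged parent, and an inbound ACL on the interface a GRE tunnel is sourced from must permit GRE from the tunnel peer before its final `deny ip any any`. The linter below is an added example written for this page (it is not Cisco code and not the poster's); it runs over a constructed config excerpt modelled on R2 and R1's `INSIDE` ACL, and it simplifies ACL evaluation to protocol and source/destination address only (no ports, no `established`) and assumes `tunnel source` names an interface rather than an IP address.

```python
"""Lint an IOS running-config for the two faults in this thread: 'ip nat inside'
on the untagged parent of dot1Q subinterfaces, and an inbound ACL on the GRE
tunnel's source interface that drops GRE from the peer. Example code written for
this page (not Cisco's, not the poster's); the config is a CONSTRUCTED excerpt."""
import ipaddress

SAMPLE_AS_POSTED = """\
interface Tunnel0
 tunnel source Serial0/0/0
 tunnel destination 80.0.0.1
!
interface GigabitEthernet0/0
 ip nat inside
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.20.0.62 255.255.255.224
!
interface Serial0/0/0
 ip address 90.0.0.1 255.255.255.0
 ip access-group INSIDE in
!
ip access-list extended INSIDE
 permit tcp 70.0.0.0 0.0.0.255 host 90.0.0.1 eq 443
 deny ip any any
"""
# The same excerpt with both fixes from the accepted answers applied.
SAMPLE_FIXED = (SAMPLE_AS_POSTED
    .replace("interface GigabitEthernet0/0\n ip nat inside\n", "interface GigabitEthernet0/0\n")
    .replace(" encapsulation dot1Q 20\n", " encapsulation dot1Q 20\n ip nat inside\n")
    .replace(" deny ip any any\n", " permit gre any any\n deny ip any any\n"))

def parse_sections(config):
    """Map each top-level IOS line to the indented lines beneath it."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections

def interfaces(sections):
    return {h.split(" ", 1)[1]: l for h, l in sections.items() if h.startswith("interface ")}

def find_nat_inside_faults(sections):
    """Returns (parents carrying 'ip nat inside', subinterfaces lacking it)."""
    ifaces, parents, missing = interfaces(sections), [], []
    for name, lines in ifaces.items():
        subifs = [s for s in ifaces if s.startswith(name + ".")]
        if subifs and "ip nat inside" in lines:
            parents.append(name)   # NAT marked on the parent: tagged traffic never matches it
        missing += [s for s in subifs if "ip nat inside" not in ifaces[s]]
    return parents, missing

def _take_addr(tokens):
    """Consume one ACL address spec: any | host A | A wildcard -> (net, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(head)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _in_range(ip, net, wildcard):
    care = ~wildcard & 0xFFFFFFFF   # wildcard bits that are set are "don't care"
    return ip & care == net & care

def acl_verdict(entries, proto, src, dst):
    """First-match walk of an extended ACL; running off the end is the implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for entry in entries:
        action, entry_proto, *rest = entry.split()
        if entry_proto not in ("ip", proto):   # tcp/icmp entries never match GRE
            continue
        src_net, src_wc = _take_addr(rest)
        dst_net, dst_wc = _take_addr(rest)
        if _in_range(s, src_net, src_wc) and _in_range(d, dst_net, dst_wc):
            return action
    return "deny"

def check_tunnel_gre(sections):
    """Run the peer's GRE packet through the inbound ACL of each tunnel's source interface."""
    ifaces, verdicts = interfaces(sections), {}
    for name, lines in ((n, l) for n, l in ifaces.items() if n.startswith("Tunnel")):
        src_if = next(l.split()[-1] for l in lines if l.startswith("tunnel source"))
        peer = next(l.split()[-1] for l in lines if l.startswith("tunnel destination"))
        src_lines = ifaces.get(src_if, [])
        local_ip = next(l.split()[2] for l in src_lines if l.startswith("ip address"))
        acl = next((l.split()[2] for l in src_lines
                    if l.startswith("ip access-group") and l.endswith(" in")), None)
        # No inbound ACL means GRE is not filtered at all.
        verdicts[name] = "permit" if acl is None else acl_verdict(
            sections.get(f"ip access-list extended {acl}", []), "gre", peer, local_ip)
    return verdicts

def lint(config):
    sections = parse_sections(config)
    parents, missing = find_nat_inside_faults(sections)
    return {"nat_inside_on_parent": parents, "subifs_missing_nat_inside": missing,
            "gre_inbound": check_tunnel_gre(sections)}
```

`lint(SAMPLE_AS_POSTED)` reports the parent `GigabitEthernet0/0` carrying `ip nat inside`, the `.20` subinterface lacking it, and a `deny` verdict for the peer's GRE on `Tunnel0`; `lint(SAMPLE_FIXED)` reports nothing and `permit`. The ACL walk deliberately stops at the first matching entry, which is why the position of `permit gre any any` relative to `deny ip any any` matters.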

3 REPLIES


Thank you very much @Jose Suarez