10-28-2022 12:58 PM
10-28-2022 02:03 PM
Not sure what you are looking to do with ACL 101, and you applied it to the wrong interface,
so remove
no interface FastEthernet0/0.20
interface FastEthernet0/1.20
ip access-group 101 in
The URL provided has some examples for PAT if you are looking for external access to an internal web server.
ip access-group 101 in
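A small lint for the mistake pointed out in the answer above, as an added example that is not part of the original posts: it checks that each inbound `ip access-group` sits on the interface whose subnet the ACL's source addresses belong to. The sample is constructed from the relevant lines of the configuration posted in this thread; the function names are hypothetical, and only numbered extended ACLs with an explicit source network are parsed.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.20
 ip access-group 101 in
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
access-list 101 deny tcp 10.1.2.0 0.0.0.255 any eq 3128
access-list 101 permit ip any any
"""

def parse(config):
    """Return (interfaces, acl_sources) parsed from IOS-style configuration text."""
    interfaces, acl_sources, current = {}, {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            current = interfaces.setdefault(m[1], {"net": None, "acl_in": None})
        elif current and (m := re.match(r"ip address (\d\S+) (\d\S+)", line)):
            current["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif current and (m := re.match(r"ip access-group (\S+) in", line)):
            current["acl_in"] = m[1]
        elif m := re.match(r"access-list (\d+) (?:permit|deny) \S+ (\d+\.\S+) (\d+\.\S+)", line):
            # ipaddress accepts the wildcard (host mask) form, e.g. 10.1.2.0/0.0.0.255
            acl_sources.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    return interfaces, acl_sources

def audit(config):
    """Flag inbound ACL bindings on interfaces that never receive the ACL's source traffic."""
    interfaces, acl_sources = parse(config)
    findings = []
    for name, intf in interfaces.items():
        for src in acl_sources.get(intf["acl_in"], []):
            if intf["net"] is not None and src.overlaps(intf["net"]):
                continue  # the binding sees traffic from this source network
            owners = [n for n, i in interfaces.items()
                      if i["net"] is not None and src.overlaps(i["net"])]
            findings.append((intf["acl_in"], str(src), name, owners))
    return findings

if __name__ == "__main__":
    for acl, src, bound, owners in audit(SAMPLE_CONFIG):
        print(f"ACL {acl} (source {src}) is bound inbound on {bound}; that subnet is on {owners}")
```
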
10-28-2022 01:23 PM
Not sure what device you have. Check whether the example below can help you:
https://www.ciscozine.com/nat-and-pat-a-complete-explanation/
If you still have issues, post more information about your environment so we can suggest better examples.
10-28-2022 01:27 PM
Hi community!
I have questions for you about my school project.
Here is a plan of my network:
(I forgot to put the VLAN 30 computer in this image)
I have 3 VLANs on my internal router:
VLAN 10 = 10.1.1.0/24
VLAN 20 = 10.1.2.0/24
VLAN 30 = 10.1.3.0/24
I need my VLANs to access the internet, but I don't have access to the external router. I only have access to the internal router.
Here is the information I have about the external router:
IP Public: 62.1.15.9/30
IP inside: 192.168.100.1/24
I want to configure PAT, but I feel like I am missing some information for that.
I am confused because I can ping 8.8.8.8 from my PCs, but I don't know yet if I could go to a website because I don't have a public IP (later I need to configure a server with DNS, so for now I cannot test access to a website).
Here's my config:
(I put access-list 101 deny tcp 10.1.2.0 0.0.0.255 any eq 3128 because I need to block VLAN 20 from accessing the internet!)
----------------------------------
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.20
 ip access-group 101 in
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.1.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.8
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended SSH-ACCESS
 permit tcp 10.1.1.0 0.0.0.255 any eq 22
!
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.2.0 0.0.0.255
access-list 1 permit 10.1.3.0 0.0.0.255
access-list 101 deny tcp 10.1.2.0 0.0.0.255 any eq 3128
access-list 101 permit ip any any
!
!
!
!
-----------------------------------
Thank you in advance !