12-03-2003 06:34 PM - edited 03-02-2019 12:07 PM
I have a Cisco 1605 R series router and I have configured my router with DHCP. When I type sh ip interface brief I see my public IP.
When I ping known public IP addresses I get replies with no problem,
but with my PC I can't ping any IP address outside and can't go to the internet (my ISP's DNS servers are configured locally in my PC). Do I have a problem in my config?
Router#sh run
Building configuration...
Current configuration : 1292 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
username xxx password xxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool client
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server x.x.245.106
 lease infinite
!
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip access-group 100 in
 ip access-group 100 out
 ip nat outside
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 Ethernet0
ip http server
no ip http secure-server
!
!
access-list 10 permit any
access-list 100 permit ip any any
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 password xxxxx
 transport preferred all
 transport input all
 transport output all
!
12-03-2003 11:59 PM
hi momo51,
you can create an access-list for your internal network
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any
and then create nat:
ip nat pool yourpoolname isp.given.ip.add isp.given.ip.add netmask isp.given.netmask.add
ip nat inside source list 1 pool yourpoolname overload
and don't forget to check ip nat inside (on your internal interface) and ip nat outside (external)
good luck,
-b.go-
12-04-2003 11:28 AM
Hello,
as B.Go said, you need to create an access list to source the inside addresses. In your configuration you reference a route-map that does not exist, so your PC address never gets translated. The following config should work better:
Current configuration : 1292 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
username xxx password xxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool client
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server x.x.245.106
 lease infinite
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 Ethernet0
ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 password xxxx
 transport preferred all
 transport input all
 transport output all
!
Regards,
Georg
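The failure diagnosed in this reply, a NAT rule that names a route-map which is never defined, can be caught with a small audit of the running-config before it is deployed. The Python below is an added example, not code from the thread or from Cisco; `audit_nat`, `looks_like_netmask` and the sample configs are constructed for illustration, and the wildcard-mask check goes beyond the case the reply covers.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of the question's running-config.
BROKEN = """\
interface Ethernet0
 ip nat inside
interface Ethernet1
 ip nat outside
ip nat inside source route-map nonat interface Ethernet1 overload
access-list 10 permit any
access-list 100 permit ip any any
"""
# Constructed sample: the list-based NAT rule and ACL 1 from the reply.
FIXED = BROKEN.replace("route-map nonat", "list 1").replace(
    "access-list 10 permit any", "access-list 1 permit 192.168.0.0 0.0.0.255")
# Constructed variant: a subnet mask typed where IOS expects a wildcard mask.
MASKED = FIXED.replace("0.0.0.255", "255.255.255.0")

def looks_like_netmask(mask):
    """True for masks such as 255.255.255.0 (contiguous leading 1 bits)."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = bits ^ 0xFFFFFFFF
    return bits not in (0, 0xFFFFFFFF) and (inverted & (inverted + 1)) == 0

def audit_nat(config):
    """Return a list of findings (hypothetical helper, not a Cisco tool)."""
    lines = [l.strip() for l in config.splitlines()]
    defined = {"list": set(), "route-map": set()}
    findings = []
    for line in lines:
        # Collect every ACL and route-map the config actually defines.
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            defined["list"].add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            defined["route-map"].add(m.group(1))
        # Numbered standard ACL (1-99) entry of the form: address mask.
        if m := re.match(r"access-list (\d+) (?:permit|deny) \S+ (\d+\.\d+\.\d+\.\d+)$", line):
            if int(m.group(1)) < 100 and looks_like_netmask(m.group(2)):
                findings.append(f"ACL {m.group(1)}: {m.group(2)} is a subnet mask, not a wildcard")
    for line in lines:
        # A NAT rule whose list or route-map is undefined translates nothing.
        if m := re.match(r"ip nat inside source (list|route-map) (\S+)", line):
            kind, name = m.groups()
            if name not in defined[kind]:
                findings.append(f"NAT rule references undefined {kind} {name}")
    for side in ("inside", "outside"):
        if f"ip nat {side}" not in lines:
            findings.append(f"no interface marked ip nat {side}")
    return findings
```

Running `audit_nat(BROKEN)` reports the undefined route-map, while `audit_nat(FIXED)` returns no findings.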
12-04-2003 06:28 PM
THX!
It works!
But I don't understand how come we don't have to apply ip access-group on interface e0 and e1,
such as on e0
ip access-group 1 out??
12-06-2003 01:08 AM
Hello,
putting access-lists on the Ethernet interfaces is not necessary for NAT to work. Access list 1 just tells the router which internal IP addresses to consider for translation.
Let us know if that is not clear :)
Regards,
Georg
12-06-2003 08:26 AM
OK! But can you still use access-lists on interfaces to control the traffic in the LAN or WAN, with the NAT implemented?
I always thought that when you configure something you have to enable it on the interface after??
but thanks for your help
12-09-2003 03:26 PM
I would think that you would use the access list if you have certain PCs that you would not want to access the internet or some other destination that you can route to. Or vice versa, allow certain PCs to access the internet.
Am I wrong here?
Thanks,
BE
12-12-2003 12:09 AM
hi momo51,
the acl no. 1 is only for defining interesting traffic to be NATed. You can apply additional acls to incoming ethernet. So the denied hosts can't be NATed since they are not allowed to enter the incoming interface.
hope this will help. good luck.
regards,
-b.go-