problem with my cable config

momo51
Level 1

I have a Cisco router 1605 R series and I have configured my router with DHCP. When I type sh ip interface brief I see my public IP.

I ping known public IP addresses and I get replies with no problem,

but with my PC I can't ping any IP address outside and can't go to the internet (my ISP's DNS servers are configured locally on my PC). Do I have a problem in my config??

Router#sh run

Building configuration...

Current configuration : 1292 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
username xxx password xxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool client
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server x.x.245.106
 lease infinite
!
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip access-group 100 in
 ip access-group 100 out
 ip nat outside
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 Ethernet0
ip http server
no ip http secure-server
!
!
access-list 10 permit any
access-list 100 permit ip any any
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 password xxxxx
 transport preferred all
 transport input all
 transport output all
!


b.go
Level 1

hi momo51,

You can create an access-list for your internal network:

access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 deny any

and then create NAT:

ip nat inside source list 1 pool yourpoolname overload
ip nat pool yourpoolname isp.given.ip.add isp.given.ip.add netmask isp.given.netmask.add

And don't forget to check ip nat inside (on your internal interface) and ip nat outside (external).

good luck,

-b.go-

Hello,

as B.Go said, you need to create an access list to source the inside addresses. In your configuration you reference a route-map that does not exist, so your PC address never gets translated. The following config should work better:

Current configuration : 1292 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
!
username xxx password xxx
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool client
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 dns-server x.x.245.106
 lease infinite
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 Ethernet0
ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
line con 0
 transport preferred all
 transport output all
line vty 0 4
 password xxxx
 transport preferred all
 transport input all
 transport output all
!

Regards,

Georg
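Added example, not part of the thread or of either poster's configuration: a small Python check for the fault diagnosed above, an `ip nat inside source` rule that points at a route-map or access list the configuration never defines. The function name `check_nat`, the netmask-as-wildcard heuristic and the two trimmed sample configs are constructed for illustration.

```python
import re
# Constructed sample: NAT-related lines of the configuration in the question.
BROKEN = """\
interface Ethernet0
 ip nat inside
interface Ethernet1
 ip nat outside
ip nat inside source route-map nonat interface Ethernet1 overload
access-list 100 permit ip any any
"""
# Constructed sample: the same lines with the NAT rule pointed at a defined ACL.
FIXED = """\
interface Ethernet0
 ip nat inside
interface Ethernet1
 ip nat outside
ip nat inside source list 1 interface Ethernet1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""

def check_nat(config):
    """Return a list of problems with the NAT references in an IOS config."""
    acls, route_maps, roles, rules, problems = set(), set(), set(), [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\S+) (?:permit|deny) (.*)", line):
            acls.add(m.group(1))
            # ACLs take a wildcard mask; an address followed by 255.x.x.0 is a netmask.
            if re.search(r"\d 255\.\d+\.\d+\.0$", m.group(2)):
                problems.append(f"access-list {m.group(1)}: netmask used as wildcard")
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"route-map (\S+)", line):
            route_maps.add(m.group(1))
        elif m := re.match(r"ip nat (inside|outside)$", line):
            roles.add(m.group(1))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+)", line):
            rules.append((m.group(1), m.group(2)))
    for kind, name in rules:
        if name not in (acls if kind == "list" else route_maps):
            problems.append(f"NAT rule references undefined {kind} '{name}'")
    if not rules:
        problems.append("no 'ip nat inside source' rule found")
    for role in ("inside", "outside"):
        if role not in roles:
            problems.append(f"no interface marked 'ip nat {role}'")
    return problems

if __name__ == "__main__":
    print(check_nat(BROKEN), check_nat(FIXED))
```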

THX!

It works!

But I don't understand how come we don't have to apply ip access-group on interface e0 and e1

such as on e0

ip access-group 1 out??

Hello,

putting access-lists on the Ethernet interfaces is not necessary for NAT to work. Access list 1 just tells the router which internal IP addresses to consider for translation.

Let us know if that is not clear :)

Regards,

Georg

OK! But can you still use access-lists on interfaces to control the traffic in the LAN or WAN, with the NAT implemented?

I always thought that when you configure something you have to enable it on the interface after??

But thanks for your help

I would think that you would use the access list if you have certain PCs that you would not want to access the internet or some other destination that you can route to. Or vice versa, allow certain PCs to access the internet.

Am I wrong here?

Thanks,

BE

hi momo51,

The ACL no. 1 is only for defining interesting traffic to be NATed. You can apply additional ACLs to the incoming Ethernet. So the denied hosts can't be NATed since they are not allowed to enter the incoming interface.

Hope this will help. Good luck.

regards,

-b.go-