CBAC routing issue

johnroche_2
Level 1

Hi

I have a 2621 connected to an ISP. The ISP requires PPPoE authentication. The router authenticates fine, gets its public address, etc. The ISP connection is on Fa0/0, and the local LAN (192.168.11.0/24) is on Fa0/1.

I cannot get any traffic through the router from the local lan to the internet.

Can anyone see what I am doing wrong? Here is the config:

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
enable password xxx
!
no aaa new-model
ip subnet-zero
ip cef
!
ip inspect name FW_OUTSIDE udp
ip inspect name FW_OUTSIDE tcp
ip inspect name FW_OUTSIDE ftp
ip inspect name FW_OUTSIDE http
ip inspect name FW_OUTSIDE fragment maximum 256 timeout 1
ip inspect name FW_OUTSIDE realaudio
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.11.250 255.255.255.0
 speed 100
 full-duplex
!
interface Dialer0
 ip address negotiated
 ip access-group 105 in
 ip mtu 1454
 ip nat outside
 ip inspect FW_OUTSIDE out
 encapsulation ppp
 ip tcp adjust-mss 1414
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname natc
 ppp chap password 0 c76aswxu
 ppp chap refuse
!
interface Dialer1
 no ip address
!
ip nat inside source route-map nonat interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 105 deny ip 192.168.11.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 unreachable
access-list 105 deny ip any any
dialer-list 1 protocol ip permit
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
line con 0
line aux 0
line vty 0 4
 password xxx
 login
!
end

6 Replies

nkhawaja
Cisco Employee

Hi,

Add these commands:

interface FastEthernet0/1

ip nat inside

no ip nat inside source route-map nonat interface Dialer1 overload

ip nat inside source list 120 interface Dialer1 Overload

access-list 120 permit ip 192.168.11.0 0.0.0.255 any

Thanks

Nadeem

paddyxdoyle
Level 6

Hi,

It looks like you haven't finished your NAT configuration and need to add:

"ip nat inside" to your LAN interface (FastEthernet0/1)

Also, you have specified a route map in your NAT statement (ip nat inside source route-map nonat interface Dialer1 overload); however, you haven't created the route map.

If this is a mistake, and you only wanted to NAT your internal range, you could change it to:

#ip nat inside source list 101 interface Dialer1 overload

#access-list 101 permit ip 192.168.11.0 0.0.0.255 any

Once you have added the above, make a connection to the web from a client; you can then run "show ip nat translations" and you should see a translation from your client's IP to your global address.

Also, you really need to look at securing your router. Although it's running CBAC, you could and should still lock it down further by adding ACLs to your VTY lines, turning off or ACLing your HTTP server, etc. If you need any further help, let me know.

Thanks

Paddy

Hi Paddy

I modified the config as you suggested, but it still did not resolve the issue.

Here is the current config

Router#sho run
Building configuration...

Current configuration : 1978 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$37E4$574sJORNdrSN3RnXMHn0M/
enable password cisc0
!
no aaa new-model
ip subnet-zero
ip cef
!
ip inspect name FW_OUTSIDE udp
ip inspect name FW_OUTSIDE tcp
ip inspect name FW_OUTSIDE ftp
ip inspect name FW_OUTSIDE http
ip inspect name FW_OUTSIDE fragment maximum 256 timeout 1
ip inspect name FW_OUTSIDE realaudio
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface FastEthernet0/0
 no ip address
 speed auto
 full-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 192.168.11.250 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Dialer0
 ip address negotiated
 ip access-group 105 in
 ip mtu 1454
 ip nat outside
 ip inspect FW_OUTSIDE out
 encapsulation ppp
 ip tcp adjust-mss 1414
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication pap callin
 ppp chap hostname johnroche
 ppp chap password pppoeisgreat
 ppp chap refuse
!
ip nat inside source list 101 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 deny ip 192.168.11.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 unreachable
access-list 105 deny ip any any
dialer-list 1 protocol ip permit
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
line con 0
line aux 0
line vty 0 4
 password c1sc0
 login
!
end

Hi -

Don't forget to specify which interface is the NAT Outside:

interface FastEthernet0/0

ip nat outside

Hi,

As mentioned in other posts, try adding "ip nat outside" to interface FastEthernet0/0, which I am assuming is connected to your ISP?

Have you tried issuing a "debug dialer events" to see if you are triggering a connection when trying to access the internet?

Are you seeing any NAT entries on your router?

"debug ip nat"

Rgds

Paddy

Your outside PPPoE interface is di0

So, do

ip nat inside source list 120 interface Dialer0 Overload

and not ... Dialer1
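A small config lint, added here as an example and not part of any reply in this thread, that catches the three NAT defects the answers point at: no interface marked "ip nat inside", a NAT rule that names an access-list or route-map that is never defined (the "nonat" route map in the first config), and a NAT rule that overloads on an interface (Dialer1) that is not the "ip nat outside" interface (Dialer0). The parser is a minimal one assumed for the example, and the sample config is constructed from the NAT-relevant lines of the poster's second running-config.

```python
import re
# Constructed sample: the NAT-relevant lines of the poster's second config.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ip nat inside
!
interface Dialer0
 ip nat outside
!
ip nat inside source list 101 interface Dialer1 overload
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
"""

NAT_RULE = re.compile(r"^ip nat inside source (list|route-map) (\S+) interface (\S+) overload$", re.I)

def parse_config(text):
    """Split an IOS config into {interface: [sub-commands]} plus the global lines (minimal parser)."""
    interfaces, global_lines, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":          # section terminator
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                                # any other global command
            current = None
            global_lines.append(line)
    return interfaces, global_lines

def lint_nat(text):
    """Return the NAT defects discussed in this thread as human-readable findings."""
    interfaces, global_lines = parse_config(text)
    inside = {n for n, cmds in interfaces.items() if "ip nat inside" in cmds}
    outside = {n for n, cmds in interfaces.items() if "ip nat outside" in cmds}
    acls = {g.split()[1] for g in global_lines if g.startswith("access-list ")}
    route_maps = {g.split()[1] for g in global_lines if g.startswith("route-map ")}
    findings = []
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    for m in filter(None, map(NAT_RULE.match, global_lines)):
        kind, name, iface = m.group(1).lower(), m.group(2), m.group(3)
        if name not in (acls if kind == "list" else route_maps):
            findings.append(f"NAT rule references {kind} {name}, which is never defined")
        if iface not in outside:
            findings.append(f"NAT rule overloads on {iface}, which is not an 'ip nat outside' interface")
    return findings
```

Running lint_nat(SAMPLE_CONFIG) reports only the Dialer1/Dialer0 mismatch; fixing the rule to reference Dialer0 makes the finding disappear, and the poster's first config additionally trips the missing "ip nat inside" and undefined route-map checks.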
