08-22-2004 08:00 AM - edited 03-09-2019 08:32 AM
Hi
I have a 2621 connected to an ISP. The ISP requires PPPoE authentication. The router authenticates fine and gets its public address etc. The ISP connection is on Fa0/0, and the local LAN (192.168.11.0/24) is on Fa0/1.
I cannot get any traffic through the router from the local LAN to the internet.
Can anyone see what I am doing wrong? Here is the config:
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret xxxxx
enable password xxx
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip inspect name FW_OUTSIDE udp
ip inspect name FW_OUTSIDE tcp
ip inspect name FW_OUTSIDE ftp
ip inspect name FW_OUTSIDE http
ip inspect name FW_OUTSIDE fragment maximum 256 timeout 1
ip inspect name FW_OUTSIDE realaudio
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.11.250 255.255.255.0
speed 100
full-duplex
!
interface Dialer0
ip address negotiated
ip access-group 105 in
ip mtu 1454
ip nat outside
ip inspect FW_OUTSIDE out
encapsulation ppp
ip tcp adjust-mss 1414
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp chap hostname natc
ppp chap password 0 c76aswxu
ppp chap refuse
!
interface Dialer1
no ip address
!
ip nat inside source route-map nonat interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 105 deny ip 192.168.11.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 unreachable
access-list 105 deny ip any any
dialer-list 1 protocol ip permit
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxx
login
!
!
end
08-22-2004 10:40 AM
Hi,
Add these commands:
interface FastEthernet0/1
ip nat inside
no ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source list 120 interface Dialer1 Overload
access-list 120 permit ip 192.168.11.0 0.0.0.255 any
Thanks
Nadeem
08-22-2004 10:48 AM
Hi,
It looks like you haven't finished your NAT configuration and need to add:
"ip nat inside" to your LAN interface (FastEthernet0/1)
Also you have specified to use a route map in your nat statement (ip nat inside source route-map nonat interface Dialer1 overload) however you haven't created the route map.
If this is a mistake, and you only wanted to NAT your internal range you could change it:
#ip nat inside source list 101 interface Dialer1 overload
#access-list 101 permit ip 192.168.11.0 0.0.0.255 any
Once you have added the above, make a connection to the web from a client, you can then run "show ip nat translations" and you should see a translation from your clients IP to your global address.
Also you really need to look at securing your router. Although it's running CBAC, you could and should still lock it down further by adding ACLs to your VTY lines, turning off or restricting your HTTP server with an ACL, etc. If you need any further help let me know.
Thanks
Paddy
08-25-2004 04:01 PM
Hi Paddy
I modified the config as you suggested, but it still did not resolve the issue.
Here is the current config:
Router#sho run
Building configuration...
Current configuration : 1978 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$37E4$574sJORNdrSN3RnXMHn0M/
enable password cisc0
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip inspect name FW_OUTSIDE udp
ip inspect name FW_OUTSIDE tcp
ip inspect name FW_OUTSIDE ftp
ip inspect name FW_OUTSIDE http
ip inspect name FW_OUTSIDE fragment maximum 256 timeout 1
ip inspect name FW_OUTSIDE realaudio
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed auto
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 192.168.11.250 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Dialer0
ip address negotiated
ip access-group 105 in
ip mtu 1454
ip nat outside
ip inspect FW_OUTSIDE out
encapsulation ppp
ip tcp adjust-mss 1414
no ip mroute-cache
dialer pool 1
dialer idle-timeout 0
dialer-group 1
ppp authentication pap callin
ppp chap hostname johnroche
ppp chap password pppoeisgreat
ppp chap refuse
!
ip nat inside source list 101 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 deny ip 192.168.11.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 time-exceeded
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 packet-too-big
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 traceroute
access-list 105 permit icmp any 192.168.11.0 0.0.0.255 unreachable
access-list 105 deny ip any any
dialer-list 1 protocol ip permit
!
!
voice-port 1/0/0
!
voice-port 1/0/1
!
voice-port 1/1/0
!
voice-port 1/1/1
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password c1sc0
login
!
!
end
08-26-2004 09:35 AM
Hi -
Don't forget to specify which interface is the NAT Outside:
interface FastEthernet0/0
ip nat outside
08-26-2004 01:44 PM
Hi,
As mentioned in other posts, try adding "ip nat outside" to interface FastEthernet0/0, which I am assuming is connecting to your ISP?
Have you tried issuing a "debug dialer events" to see if you are triggering a connection when trying to access the internet?
Are you seeing any NAT entries on your router?
"debug ip nat"
Rgds
Paddy
09-27-2004 10:28 PM
Your outside PPPoE interface is Di0.
So, do:
ip nat inside source list 120 interface Dialer0 overload
and not ... Dialer1
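The three NAT mistakes worked through in this thread (missing "ip nat inside" on the LAN interface, a NAT rule pointing at a route-map that was never created, and finally the overload rule naming Dialer1 while "ip nat outside" sits on Dialer0), plus the hardening points Paddy raised (HTTP server, VTY access lists), are all things a config audit can catch before the box goes live. The script below is an added example written for this thread; it is not code from the thread, from Cisco, or from any IOS tool. It embeds a constructed config modelled on the second one posted above (secrets replaced with placeholders, unrelated lines dropped), parses it into global commands and "!"-delimited sections, and reports the NAT and hardening findings. The section-keyword list and the check messages are the example's own assumptions, not IOS output.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the second config posted in this thread
# (secrets replaced with placeholders, unrelated lines dropped). The leading
# space on sub-commands matches real "show run" output, but the parser relies
# on the "!" separators rather than on indentation, so an unindented paste
# like the one in the thread parses the same way.
SAMPLE_CONFIG = """\
version 12.3
no service password-encryption
hostname router
enable secret 5 <hash-placeholder>
enable password <placeholder>
ip inspect name FW_OUTSIDE tcp
!
interface FastEthernet0/0
 no ip address
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
 ip address 192.168.11.250 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip access-group 105 in
 ip nat outside
 ip inspect FW_OUTSIDE out
 encapsulation ppp
 dialer pool 1
!
ip nat inside source list 101 interface Dialer1 overload
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 192.168.11.0 0.0.0.255 any
access-list 105 deny ip 192.168.11.0 0.0.0.255 any
access-list 105 permit icmp any any echo-reply
access-list 105 deny ip any any
line con 0
line vty 0 4
 password <placeholder>
 login
!
end
"""

# Headers that open a sub-command block (assumption: enough for this config style).
SECTION_KEYWORDS = ("interface ", "line ", "vpdn-group ", "route-map ")
NAT_RULE = re.compile(
    r"^ip nat inside source (?:list (\S+)|route-map (\S+)) interface (\S+) overload$", re.I)


def parse(config_text):
    """Split an IOS config into global commands and '!'-delimited sections.
    Returns (globals, sections); sections maps a header such as
    'interface Dialer0' to its list of sub-commands."""
    globals_, sections, current = [], OrderedDict(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None                      # '!' closes the open section
            continue
        if line.startswith(SECTION_KEYWORDS):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
        else:
            globals_.append(line)
    return globals_, sections


def audit(config_text):
    """Return a list of findings: the NAT mistakes debugged in this thread
    plus the router-hardening points raised in Paddy's reply."""
    findings = []
    globals_, sections = parse(config_text)
    interfaces = {h.split(" ", 1)[1]: c for h, c in sections.items() if h.startswith("interface ")}
    inside = [n for n, c in interfaces.items() if "ip nat inside" in c]
    outside = [n for n, c in interfaces.items() if "ip nat outside" in c]
    if not inside:
        findings.append("NAT: no interface carries 'ip nat inside' (the LAN side)")
    if not outside:
        findings.append("NAT: no interface carries 'ip nat outside' (the ISP side)")

    acls = {m.group(1) for m in (re.match(r"access-list (\S+) ", g) for g in globals_) if m}
    route_maps = {h.split()[1] for h in sections if h.startswith("route-map ")}
    rules = [m for m in (NAT_RULE.match(g) for g in globals_) if m]
    if not rules:
        findings.append("NAT: no 'ip nat inside source ... overload' rule")
    for m in rules:
        acl, rmap, egress = m.groups()
        if acl and acl not in acls:
            findings.append(f"NAT: rule references access-list {acl}, which is not defined")
        if rmap and rmap not in route_maps:
            findings.append(f"NAT: rule references route-map {rmap}, which is not defined")
        # The overload interface must be the one marked 'ip nat outside' (Dialer0 here, not Dialer1).
        if egress.lower() not in {o.lower() for o in outside}:
            findings.append(f"NAT: rule translates to {egress}, but 'ip nat outside' is set on "
                            f"{', '.join(outside) or 'no interface'}; overload on the outside interface")

    if "ip http server" in globals_:
        findings.append("Hardening: 'ip http server' is enabled; disable it or restrict it with 'ip http access-class'")
    if "no service password-encryption" in globals_:
        findings.append("Hardening: 'service password-encryption' is off; line passwords are stored in clear text")
    if any(g.startswith("enable password") for g in globals_) and any(g.startswith("enable secret") for g in globals_):
        findings.append("Hardening: 'enable password' alongside 'enable secret' is redundant and weaker; remove it")
    for header, cmds in sections.items():
        if header.startswith("line vty") and not any(c.startswith("access-class") for c in cmds):
            findings.append(f"Hardening: '{header}' has no 'access-class' limiting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports exactly one NAT finding (the rule translates to Dialer1 while Dialer0 is the outside interface) and four hardening findings; pointing the rule at Dialer0 clears the NAT finding, and swapping the list for an undefined route-map reproduces the first config's problem. The parser deliberately keys on the "!" separators because forum pastes usually lose the indentation that "show run" produces.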