Happy new year to you all.
I have a problem that has me perplexed. I have a production 1841 that was working fine but stopped behaving after a reload, and I can't get it going properly again. He is a Picture of what is meant to happen. http://i48.tinypic.com/30nktgm.png
How it was setup, and working fine for months,
fa/0/0 - 203.xx.xx.28 all other IPs allotted by ISP were just routed by them to this IP.
Loopback5 - 203.xx.xx.96
Vlan 1 - 192.168.84.0/24 subnet overload NAT'd out fa0/0
VLan 86 - 192.168.86.0/24 subnet overload NAT'd out lo5 (so that .86 traffic appeared to originate from 203.xx.xx.96)
after the reload, this would work for a few minutes (about 5) then just stop allowing any NAT or Static PAT on the 86 subnet (others still worked fine).
I can see no errors in the logs, the sh int shows nothing untoward, the deb ip pack shows the packets being routed but then just disappearing.
So I gave up and sent the 86 outbound traffic to be overload NAT'd with the rest of the traffic and that worked fine. But it shows the traffic originating from the wrong IP to the internet. (this is an issue for the mail server in particular).
in this configuration I then assigned the 203.xx.xx.96 IP to the fa0/0 port so we could still use static PAT. If I assign that IP to a loopback again, it works fine for 5 minutes then stops passing traffic again.
The router had a smartnet and it ran out 3 weeks prior to it playing up. it is being renewed but being Christmas that is taking too long to get a tac case opened.
Any suggestions on how to diagnose the problem properly? Ask any questions you want.
My goal, as per the diagram, is for 84 subnet to appear to the net to come from 203.xx.xx.28 and the 86 subnet to appear to the net to come from 203.xx.xx.96.
Message was edited by: Ross Marston
Message was edited by: Ross Marston and current config attached.
In your current config if you add the below mentioned config it should work
ip nat pool 20 203.xx.xx.96 203.xx.xx.96 netmask 255.255.255.0
ip nat inside source list aclAllowXxxxVPN pool 20 overload
In the above config i have assumed that the ACL aclAllowXxxxVPN would be the traffic need to be natted to .96 ip address.
Actually the aclAllowXxxVPN ACL is the interesting traffic for the Crypto Map. Some traffic originating on the 192.168.86.0/24 subnet does not get NAT'd to the internet. It get nNAT'd over Lo1 and out the CryptoMap to a ThirdParty if it is destined for 172.27.1.0/24 or 10.125.0.0/16.
That idea of the NAT pool should work but I cant seem to get it to. If we used that method to Overload NAT the .86. traffic destined for the internet, and we also wanted traffic sourced from the internet to be PAT'd to servers on the .86. subnet, where should we assign (bind) the 203.xx.xx.96 IP?
OK, To supply the results of some additional testing...
I re tried the pool method outlined about and added the following to the config.
That worked great for about 5 minutes again. Then it just stops allowing any traffic sourced from the 192.168.86.0/24 subnet to return to it. for instance, after about 5 minutes I can no longer ping the DG from VL86 (I can when the config is first applied) After 5 minutes or so, I can no longer ping 18.104.22.168 from vl86, whereas I can when i first apply the config. I see no errors in deb ip pack det (appart from a lack of returning traffic)
So I have left that config in place and added ip address 203.xx.xx.96 255.255.255.0 secondary back on to the fa0/0 interface and it seems to be working for now.
If anyone can shed any light on this I would be greatly appreciative.
check wildcard mask.i think in your configuration so many access list is there. better to configure 2 access list for 2 diffrent interface 1st block all and then allow which you want via access list with proper wildcard mask
R1(config)# access-list 100 permit ip 192.168.0.0 0.0.0.255 any
R1(config)# ip nat inside source list 100 interface serial 0/0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 22.214.171.124 (Remote user) 255.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 126.96.36.199(Remote user) 255.255.255.255
access-list 101 deny ip X.X.X.X 0.0.1.255 Y.Y.Y.Y.0.0.0.0
access-list 101 deny ip X.X.X.X 0.0.1.255 Y.Y.Y.Y 0.0.0.0
access-list 101 permit ip X.X.X.X 0.0.1.255 any
modify you ip address and try