11-06-2020 12:10 AM
Hi Everyone,
I need your help with this configuration.
The same configuration is on my other router at a different branch, but these configs are not working on this branch.
I can reach the interface 10.10.1.1 and go to the internet without access-lists, yet I needed ACLs on my other router to do the same.
Now, what's the problem with that? I cannot reach the 10.10.1.0/24 LAN because of this line:
->access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
which, if I am not mistaken, should read: deny any IP address from the .3.0/24 network from being NATted.
The path from this router should be:
GW:192.168.124.9
GW:192.168.124.1
GW:192.168.124.2
Router Interface:10.10.1.1
Problem 2: I can ping all of those, but when I do a traceroute to 10.10.1.1 or 192.168.124.2 the trace dies on 192.168.124.1, which is super confusing.
==================================================================================
ip source-route
!
!
ip dhcp relay information option
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.3.253
ip dhcp excluded-address 10.10.3.252
ip dhcp excluded-address 10.10.3.1 10.10.3.50
!
ip dhcp pool KITWE-POOL
network 10.10.3.0 255.255.255.0
default-router 10.10.3.3
dns-server 10.10.1.4
!
!
ip cef
no ip domain lookup
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
!
interface FastEthernet0
switchport access vlan 10
!
!
interface FastEthernet1
switchport access vlan 10
!
!
interface FastEthernet2
switchport access vlan 10
!
!
interface FastEthernet3
switchport access vlan 10
!
!
interface FastEthernet4
switchport access vlan 10
!
!
interface FastEthernet5
switchport access vlan 10
!
!
interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0
no ip address
ip virtual-reassembly
shutdown
duplex auto
speed auto
!
!
interface Vlan1
no ip address
shutdown
!
!
interface Vlan10
ip address 10.10.3.3 255.255.255.0
ip helper-address 10.10.3.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip forward-protocol nd
ip forward-protocol udp talk
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 113 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 10.10.2.0 255.255.255.0 192.168.124.9
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9
!
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
no cdp run
========================================================================
Any Advice will be highly appreciated.
11-06-2020 07:15 AM
Hello @Jonathan Nali ,
In your configuration you are doing something different:
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
ip nat inside source list 113 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.1
ip route 10.10.2.0 255.255.255.0 192.168.124.9
ip route 192.168.124.0 255.255.255.252 192.168.124.9
ip route 192.168.124.8 255.255.255.252 192.168.124.9
where 192.168.124.9 is the next-hop for Fas8
interface FastEthernet8
ip dhcp relay information option-insert
ip address 192.168.124.10 255.255.255.252
ip nat outside
If you want to reach subnet 10.10.1.0/24 from 10.10.3.0/24 without being NATted, you should add a line for that in the ACL used for NAT:
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
Hope to help
Giuseppe
11-06-2020 08:23 AM - edited 11-06-2020 08:24 AM
Now, what's the problem with that? I cannot reach the 10.10.1.0/24 LAN because of this line:
->access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
which, if I am not mistaken, should read: deny any IP address from the .3.0/24 network from being NATted.
Not exactly Jonathan,
If you want the source network 10.10.3.0/24 not to be NATted to the IP 192.168.124.10 when it is trying to reach the destination network 10.10.1.0/24, then what you should do is deny that source and destination pair in your NAT ACL, which I believe is ACL 113.
Like this:
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
As you're currently denying an incorrect destination network, I believe 10.10.2.0/24.
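Both replies above turn on the same point: the ACL named in `ip nat inside source list 113 ...` is not a filter, it is a classifier, and `deny` in it means "do not translate", not "drop". The following is an added example, not code from the thread or from Cisco: a small Python model of IOS first-match ACL evaluation with inverted wildcard masks, run over the posted ACL 113 and over the corrected one with the extra deny line. The ACL text, the sample flows and all function names are constructed for the demonstration.

```python
"""Added example (not from the thread): a model of how IOS evaluates the ACL
referenced by `ip nat inside source list 113 ...`.

Entries are checked top-down and the first match wins. In a NAT ACL, `permit`
means "translate this flow" and `deny` means "leave it untranslated"; a flow
that matches nothing hits the implicit deny and is also left alone. Nothing is
dropped by this ACL. Wildcard masks are inverted: a 0 bit must match, a 1 bit
is ignored. ACL text, flows and helper names below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str     # "permit" or "deny"
    src: int        # source network as a 32-bit int
    src_wild: int   # source wildcard mask (1 bits = don't care)
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _consume_addr(tokens, i):
    """Parse one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
    Returns (network, wildcard, index_of_next_token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> dict:
    """Return {acl_number: [Ace, ...]} from 'access-list N permit|deny ip SRC DST'
    lines, keeping the order in which they were written (order is the whole point)."""
    acls = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # blank lines and non-IP entries are ignored in this model
        number, action = tokens[1], tokens[2]
        src, src_wild, i = _consume_addr(tokens, 4)
        dst, dst_wild, _ = _consume_addr(tokens, i)
        acls.setdefault(number, []).append(Ace(action, src, src_wild, dst, dst_wild))
    return acls


def _matches(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard are ignored; the remaining bits must equal the network bits.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def nat_decision(aces, src: str, dst: str) -> str:
    """First-match evaluation: 'translate' (permit), 'exempt' (explicit deny)
    or 'implicit-deny' (no entry matched; also left untranslated)."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if _matches(s, ace.src, ace.src_wild) and _matches(d, ace.dst, ace.dst_wild):
            return "translate" if ace.action == "permit" else "exempt"
    return "implicit-deny"


# ACL 113 as posted in the thread, and with the extra deny line the replies suggest.
ORIGINAL_ACL = """
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
"""

FIXED_ACL = """
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 113 deny ip 10.10.3.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 113 permit ip 10.10.3.0 0.0.0.255 any
"""


def compare(src: str, dst: str) -> tuple:
    """(decision under the posted ACL, decision under the corrected ACL) for one flow."""
    original = parse_acl(ORIGINAL_ACL)["113"]
    fixed = parse_acl(FIXED_ACL)["113"]
    return nat_decision(original, src, dst), nat_decision(fixed, src, dst)


if __name__ == "__main__":
    # Constructed flows: LAN host to the remote LAN, to 10.10.2.0/24, to the
    # internet, and a source address the ACL never mentions.
    for flow in [("10.10.3.20", "10.10.1.4"), ("10.10.3.20", "10.10.2.7"),
                 ("10.10.3.20", "8.8.8.8"), ("10.10.2.5", "10.10.1.4")]:
        print(flow, compare(*flow))
```

With the posted ACL a packet from 10.10.3.20 to 10.10.1.4 falls through the first deny (wrong destination) and hits the permit, so it is translated to 192.168.124.10 and the far LAN sees the NAT address; with the added line it is exempted and keeps its real source. The caveat for anyone reading this as a security control: an exempted or implicitly denied flow is still forwarded. If the intent were to block 10.10.3.0/24 from 10.10.1.0/24, that belongs in an interface ACL (`ip access-group`), not in the NAT list.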
11-09-2020 10:44 PM
Hi @paul driver @RicardoSN @Giuseppe Larosa ,
Thank you for your responses.
We discovered that the problem was with the ISP. They had not advertised the routes to my LAN.
11-06-2020 09:33 AM - edited 11-06-2020 09:33 AM
Hello
Just like to add: I would suggest removing IP source routing; you do not want source addressing to specify the route path. Also, regarding your static routing, specify the physical interface of the next hop as well, so that recursive routing isn't invoked by the other static routes for the next hop.
no ip source-route
no ip route 0.0.0.0 0.0.0.0 192.168.124.1
no ip route 10.10.2.0 255.255.255.0 192.168.124.9
no ip route 192.168.124.0 255.255.255.252 192.168.124.9
no ip route 192.168.124.8 255.255.255.252 192.168.124.9
ip route 0.0.0.0 0.0.0.0 <interface> 192.168.124.1
ip route 10.10.2.0 255.255.255.0 <interface> 192.168.124.9
ip route 192.168.124.0 255.255.255.252 <interface> 192.168.124.9
ip route 192.168.124.8 255.255.255.252 <interface> 192.168.124.9
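The recursion Paul refers to is worth seeing step by step. A static route given only a next hop cannot be used until the router looks that next hop up in its own table, and it keeps looking until it reaches a route that names an interface. The following is an added example, not from the thread or from Cisco: a Python model of longest-prefix lookup with recursive next-hop resolution, run over the posted statics in both forms. The tables, the assumption that FastEthernet8 is the exit interface for all three statics, and the deliberately self-referencing table at the end are constructed for the demonstration; the model ignores administrative distance, so the posted static for 192.168.124.8/30, which the connected route would shadow, is left out.

```python
"""Added example (not from the thread): a model of recursive next-hop resolution
for static routes, showing why naming the exit interface matters.

A static route with only a next hop is resolved by looking the next hop up in
the routing table, repeating until a route that names an interface is reached
(a connected route, or a static with an exit interface). Every extra lookup is
a dependency on another route; if that route changes or disappears, the
dependent static changes with it. Tables, addresses and function names are
constructed for the demo; the real IOS RIB also weighs administrative distance,
which this model leaves out.
"""
import ipaddress

# (prefix, next_hop or None, exit_interface or None)
CONNECTED = [
    ("192.168.124.8/30", None, "FastEthernet8"),   # Fa8 is 192.168.124.10/30
    ("10.10.3.0/24", None, "Vlan10"),              # the branch LAN
]

# The posted statics, next hop only (the one for 192.168.124.8/30 is shadowed
# by the connected route and is omitted from this model).
NEXT_HOP_ONLY = CONNECTED + [
    ("0.0.0.0/0", "192.168.124.1", None),
    ("10.10.2.0/24", "192.168.124.9", None),
    ("192.168.124.0/30", "192.168.124.9", None),
]

# The same statics with an exit interface. Fa8 is the only routed uplink in the
# posted config, so it is assumed to be the <interface> in the reply above.
WITH_INTERFACE = CONNECTED + [
    ("0.0.0.0/0", "192.168.124.1", "FastEthernet8"),
    ("10.10.2.0/24", "192.168.124.9", "FastEthernet8"),
    ("192.168.124.0/30", "192.168.124.9", "FastEthernet8"),
]

# Constructed misconfiguration: the /30 toward the ISP points at a next hop that
# lies inside that same /30 and is reachable only through this very route.
SELF_REFERENCING = CONNECTED + [
    ("0.0.0.0/0", "192.168.124.1", None),
    ("192.168.124.0/30", "192.168.124.1", None),
]


def lookup(table, dst):
    """Longest-prefix match over the table; returns the entry or None."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.IPv4Network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def resolve(table, dst, max_depth=8):
    """Walk the table as the router would for a packet to `dst`.
    Returns (exit_interface or None, [prefixes consulted, in order])."""
    path, seen, target = [], set(), dst
    for _ in range(max_depth):
        entry = lookup(table, target)
        if entry is None:
            return None, path            # no route at all
        prefix, next_hop, iface = entry
        path.append(prefix)
        if iface is not None:
            return iface, path           # resolved: a route that names an interface
        if next_hop in seen:
            return None, path            # recursion loops back on itself
        seen.add(next_hop)
        target = next_hop                # recurse: look up the next hop itself
    return None, path                    # depth limit hit without resolving


if __name__ == "__main__":
    for name, table in [("next-hop only", NEXT_HOP_ONLY),
                        ("with exit interface", WITH_INTERFACE),
                        ("self-referencing", SELF_REFERENCING)]:
        print(name, "->", resolve(table, "8.8.8.8"))
```

For an internet destination the next-hop-only table needs three lookups (default route, then 192.168.124.0/30 to find 192.168.124.1, then the connected 192.168.124.8/30 to find 192.168.124.9) before it knows the packet leaves via Fa8; the interface form answers in one. The self-referencing table never resolves, which is the failure mode the recursion check guards against. One practitioner caveat on the interface form: on a multi-access link such as Ethernet, give both the interface and the next hop, as the reply above does, rather than the interface alone, otherwise the router has to ARP for every destination and depends on the neighbour answering with proxy ARP.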