10-22-2011 10:44 PM - edited 03-04-2019 02:01 PM
I am fairly new to Cisco IOS, yet I've managed to get it up and running on a Cisco 1841 to act as a router and firewall between WAN and LAN. Everything works *except* I am unable to ping or make any other connection from the router itself to the WAN. It will ping or telnet to the LAN, all LAN to WAN traffic is functioning properly, NAT is set up and functioning, WAN to LAN and the inbound firewall are working, yet I still cannot ping or telnet from the IOS interface to anything on the WAN side (I've tried using different source addresses).
I am hoping there is something obvious that I overlooked, perhaps IPS is blocking the traffic? Do I need a specific route entry for the local device? I can post entire config if necessary, but would rather not if there is an obvious solution.
10-22-2011 10:58 PM
Hi Andrew
The WAN Side which we are talking about is managed by You or ISP.
If it's under ISP control, there is a fair probability of the ISP blocking ICMP and restricting telnet access to their devices from the customer side, which happens mostly.
Hope this helps you on this query.
Regards
Varma
10-23-2011 09:17 AM
The Cisco I am on is not managed by the ISP. I can ping the gateway (managed by the ISP) and other things (google, yahoo, etc.) from the LAN machines, just not from the router directly. I am able to make any connection from inside the LAN to the router, or from the LAN out through the WAN interface to the world. If I am logged into the router, I cannot connect from the router to the outside world, but it will connect to machines inside the LAN.
(LAN) 192.168.5.x -> 1841 -> WAN works.
WAN -> 1841 -> LAN works.
1841 -> LAN works
1841 -> WAN does not work.
In most cases I would not mind this; however, I need to set up a VPN to a remote site and the Cisco cannot connect outbound to the remote VPN router (or anything else).
10-23-2011 09:36 AM
Hi Andrew
I am still a bit unclear on the actual network setup in question here.
Can you please clarify that the WAN we are referring to here is another Cisco router after the 1841, managed by you. For the LAN the gateway is the 1841, and then we are using routing between the 1841 and the WAN further on. Where is the NAT happening in this case? Is it on the WAN router managed by you? Is the link between the 1841 and the WAN a private subnet? Is that allowed in the NAT policy on the WAN router?
Regards
Varma
10-23-2011 10:05 AM
Yes, the WAN connection is to another Cisco managed by the ISP (which is then connected to a fiber network, all managed by the ISP). Their Cisco passes all the real IP traffic to my 1841, which acts as the router/firewall between the WAN and LAN. They control the .1 gateway for the class C; my 1841 is set up as .2.
LAN (192.168.5.x) --> Cisco 1841 (firewall/nat/etc) -> WAN (4.3.2.x) Cisco 2800 (ISP controlled) --> Fiber/MetroE
Gateway: 4.3.2.1
Cisco 1841 WAN: 4.3.2.2
Cisco 1841 LAN: 192.168.5.1
Inside LAN: 192.168.5.x
I am stumped because all traffic from LAN to WAN and WAN to LAN (including all NAT, ACL, etc.) works as intended, except for the 1841 being unable to make a connection from itself out through the WAN. It will connect from itself to the LAN, i.e. 'ping 192.168.5.10' works, 'ping 4.3.2.1' does not (nor does any other outgoing connection that originates from the local 1841).
10-23-2011 10:29 AM
Hi,
So you say you can ping the ISP address from the LAN but not from router WAN address?
Can you post your sanitized running-config.
Regards.
Alain.
10-23-2011 10:31 AM
Exactly. I can ping from LAN to WAN, router to LAN, but not router to WAN.
10-23-2011 10:35 AM
Hi,
post your config.
Alain.
10-23-2011 11:18 AM
Some settings are X'd out; the relevant config should all be there.
!
! Last configuration change at 12:24:32 EST Sun Oct 23 2011 by admin
! NVRAM config last updated at 12:42:39 EST Sun Oct 23 2011
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone EST -5
ip cef
!
!
!
!
ip domain name XXXXXXXXXXXXXXXXXX.com
ip name-server XXXXXXXXXXX
ip name-server XXXXXXXXXXX
ip name-server XXXXXXXXXXX
ip name-server XXXXXXXXXXX
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW pop3s
ip inspect name SDM_LOW imaps
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
crypto pki trustpoint TP-self-signed-720109512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-720109512
revocation-check none
rsakeypair TP-self-signed-720109512
!
!
crypto pki certificate chain TP-self-signed-720109512
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit
username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
controller T1 0/0/0
framing esf
linecode b8zs
!
controller T1 0/1/0
framing esf
linecode b8zs
!
!
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 192.168.5.1 255.255.255.0
ip access-group sdm_fastethernet0/0_in in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 66.83.7.2 255.255.255.0
ip access-group sdm_fastethernet0/1_in in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
duplex auto
speed auto
!
no ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.83.7.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool WAN-MAIN 66.83.7.241 66.83.7.254 prefix-length 24
ip nat inside source list 1 pool WAN-MAIN
ip nat inside source static 192.168.5.11 66.83.7.11
ip nat inside source static 192.168.5.12 66.83.7.12
ip nat inside source static 192.168.5.13 66.83.7.13
ip nat inside source static 192.168.5.15 66.83.7.15
ip nat inside source static 192.168.5.32 66.83.7.32
ip nat inside source static 192.168.5.221 66.83.7.221
ip nat inside source static 192.168.5.222 66.83.7.222
!
ip access-list extended sdm_fastethernet0/0_in
remark SDM_ACL Category=1
remark Permit all outbound traffic
permit ip any any
ip access-list extended sdm_fastethernet0/1_in
remark SDM_ACL Category=1
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
permit tcp any host XXXXXXXXXX eq XXXX
deny ip any any
!
access-list 1 permit 192.168.5.0 0.0.0.255
disable-eadi
!
!
!
control-plane
!
!
!
line con 0
password XXXXXXXXX
login
line aux 0
line vty 0 4
privilege level 15
password XXXXXXXXX
login
transport input telnet ssh
line vty 5 15
privilege level 15
password XXXXXXXXX
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
10-23-2011 12:13 PM
Hi,
This is due to CBAC not inspecting traffic generated by the router. If your IOS is 12.3(14)T or higher, then you can do this:
ip inspect name SDM_LOW icmp router-traffic
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
Regards.
Alain.
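As an added illustration (not part of Alain's answer or the original thread), here is the mechanism behind the fix, shown against the posted configuration: the inbound ACL on FastEthernet0/1 ends in `deny ip any any`, so replies to anything the router itself originates are only admitted if CBAC has opened a dynamic entry for that session, and by default CBAC tracks only transit traffic. Interface names, the rule name and the WAN addresses are taken from the posted config; the `show` and `ping` commands are standard IOS exec commands, and no command output is reproduced here.

```cisco
! --- As posted: SDM_LOW inspects transit traffic leaving Fa0/1 only.
! A ping, telnet or IKE exchange the router starts creates no session
! entry, so the return packets meet sdm_fastethernet0/1_in and are dropped.
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
!
! --- Fixed: router-traffic (12.3(14)T and later; accepted only for
! icmp, tcp and udp) makes CBAC also track sessions originated by the
! router, so their replies get a temporary opening in the inbound ACL.
ip inspect name SDM_LOW icmp router-traffic
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
!
! Unchanged from the posted config: inspection outbound, ACL inbound.
interface FastEthernet0/1
 ip inspect SDM_LOW out
 ip access-group sdm_fastethernet0/1_in in
!
! --- Verification from exec mode (hostname "router" as in the config).
! 1. Confirm each of the three protocols now shows router-traffic; if an
!    old entry without it is still listed, remove it with the "no" form.
router# show ip inspect config
! 2. Test from the WAN address, the path a remote VPN peer would see.
router# ping 66.83.7.1 source FastEthernet0/1
! 3. While a longer test runs (e.g. telnet 66.83.7.1 80), the session
!    should appear here; with the old config it does not.
router# show ip inspect sessions
! 4. The hit counter on the final deny should stop climbing for the
!    router's own tests.
router# show ip access-lists sdm_fastethernet0/1_in
```

Note that `router-traffic` only opens return paths for sessions the router initiates; unsolicited inbound traffic is still governed by `sdm_fastethernet0/1_in`, so adding the keyword does not widen what the outside can reach on the router itself.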
10-23-2011 07:32 PM
Thanks Alain, that did it. I suspected it may have been related to SDM but never would have found that in a million years.
thanks again.