01-14-2025 01:01 PM
Hello!
I am trying to get a router set up (Cisco 2821). I will include the config below. What is happening is that I want to be able to ping our internal equipment from the PC connected on the network. I can get out to the internet from said PC, but cannot ping any of our internal equipment. I am certain I am missing something simple, but I've been stuck on this for a bit now.
(Also just to be sure, I set up a basic Netgear router with the same WAN IP and was able to get out to the internet and access all internet equipment)
clock timezone EDT -5 0
clock summer-time EDT recurring
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
domain-name headnet
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.1.1
lease 2
!
!
!
ip domain name network.com
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn FTX0913C1SR
!
redundancy
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.2
description MGMT
encapsulation dot1Q 2
ip address 10.1.1.87 255.255.255.0
!
interface GigabitEthernet0/0.11
description WAN
encapsulation dot1Q 11
ip address xxx.xxx.xxx.xxx 255.255.255.240
no ip redirects
ip nat outside
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.600
description LAN
encapsulation dot1Q 600
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nat inside
ip nat enable
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat pool LAN xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.240
ip nat inside source list 1 interface GigabitEthernet0/0.11 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 10.1.200.0 255.255.255.0 10.1.1.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
banner motd ^CC
******************** W A R N I N G *************************
AUTHORIZED ACCESS ONLY
UNAUTHORIZED ACCESS, MISUSE OR SOLICITATION OF THIS SYSTEM,
AND/OR MODIFICATION TO ITS DATA IS STRICTLY PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device are
logged and violations of this policy will result in
disciplinary or criminal action.
******************** W A R N I N G *************************
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input all
line vty 5 15
exec-timeout 0 0
logging synchronous
transport input all
01-14-2025 01:09 PM
To which interface is your internal equipment connected?
If you run a traceroute from the PC, where does the traceroute stop?
01-15-2025 09:22 AM
Traceroute stops right after 192.168.1.1
01-15-2025 09:59 AM - edited 01-15-2025 09:59 AM
Sounds to me that a route is missing on the destination. If your "internal equipment" is connected to a Layer 3 device, you need to tell that Layer 3 device how to reply to 192.168.1.0 255.255.255.0 (considering your hosts are connected in this network).
01-14-2025 01:18 PM
Hello @DavidGIP,
What do you mean by "internal equipment"? Are they hosts on network 192.168.1.0/24 (VLAN 600) or are they hosts on network 10.1.200.0 accessible through interface GigabitEthernet 0/0.2 (VLAN 2)?
01-15-2025 06:32 AM
They are on network 10.1.1.1 and 10.1.200.1 through GigabitEthernet 0/0.2. By internal equipment, I mean our core equipment.
01-14-2025 02:36 PM
Hello
If you want to access an internal host from the internet via a NAT, then it would be applicable to set a static 121 NAT/PAT statement, as at present you are just overloading.
Also suggest you remove the NVI NAT from your interfaces, as it is not being utilized, and provide a more definitive non-recursive default route.
Example:
ip nat inside source static <inside host> <outside host>
or
ip nat source static tcp <inside host> <port> <outside host> <port>
no ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0.11 xxx.xxx.xxx.xxx
int x/x
no ip nat enable
01-14-2025 10:06 PM
Your config is correct except you need to remove "ip nat enable" from both interfaces.
MHM
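Added example (not part of any post in this thread, and not Cisco tooling): a Python check that parses the interface section of a config like the one posted, lists interfaces that combine `ip nat inside`/`ip nat outside` with `ip nat enable`, and lists where inside traffic leaves through an interface without `ip nat outside`, which is where the far-side devices need a return route. The sample config is constructed by trimming the posted one, and the function names are hypothetical.

```python
import ipaddress
import re
# Constructed sample: the interface section of the posted config, trimmed.
SAMPLE = """\
interface GigabitEthernet0/0.2
 ip address 10.1.1.87 255.255.255.0
!
interface GigabitEthernet0/0.11
 ip address xxx.xxx.xxx.xxx 255.255.255.240
 ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1.600
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip nat enable
!
"""
ADDR = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")

def parse_interfaces(config):
    """Map interface name -> {"net": IPv4Network or None, "nat": set of modes}."""
    ifaces, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"net": None, "nat": set()})
        elif line == "!":
            cur = None                      # "!" closes the interface block
        elif cur is not None:
            m = ADDR.match(line)
            if m:                           # redacted addresses do not match
                cur["net"] = ipaddress.ip_interface("/".join(m.groups())).network
            elif line in ("ip nat inside", "ip nat outside"):
                cur["nat"].add(line.split()[-1])
            elif line == "ip nat enable":   # NVI
                cur["nat"].add("nvi")
    return ifaces

def mixed_nat(ifaces):
    """Interfaces with both classic NAT (inside/outside) and NVI enabled."""
    return sorted(n for n, i in ifaces.items()
                  if "nvi" in i["nat"] and i["nat"] & {"inside", "outside"})

def untranslated_paths(ifaces):
    """(inside net, egress interface, egress net) where traffic leaves un-NATed."""
    inside = [i["net"] for i in ifaces.values() if "inside" in i["nat"] and i["net"]]
    return [(str(src), name, str(i["net"])) for src in inside
            for name, i in sorted(ifaces.items())
            if i["net"] and "outside" not in i["nat"] and i["net"] != src]
```

On the sample, the second function reports 192.168.1.0/24 leaving untranslated through GigabitEthernet0/0.2, so devices reached that way see 192.168.1.x source addresses and need a route back to that network.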