06-14-2011 06:39 AM - edited 03-04-2019 12:42 PM
Hi.
I have configured my Cisco 2911 router and there seems to be something wrong with my configuration regarding subinterface 0/0.102.
The hosts on this subnetwork can't access the Internet and I can't spot the error.
Hoping someone could shine some light on this matter.
Regards Tommy Svensson
Here is my running config on this matter.
class-map type inspect match-any LAN_TO_WAN
 match access-group name LAN_TO_WAN
class-map type inspect match-any WAN_TO_LAN
 match access-group name WAN_TO_LAN
class-map type inspect match-any GRE_TO_WAN
 match access-group name GRE_TO_WAN
class-map type inspect match-any WAN_TO_GRE
 match access-group name WAN_TO_GRE
class-map match-any WEB_MAIL_CLASS
 match protocol http
 match protocol secure-http
 match protocol secure-imap
 match protocol secure-pop3
 match protocol ssh
 match protocol smtp
 match protocol imap
 match protocol pop3
policy-map type inspect LAN_TO_WAN
 class type inspect GRE_TO_WAN
  pass
 class type inspect LAN_TO_WAN
  inspect
 class class-default
  drop
policy-map type inspect WAN_TO_LAN
 class type inspect WAN_TO_GRE
  pass
 class type inspect WAN_TO_LAN
  inspect
 class class-default
  drop
policy-map QOS_POLICY
 class VOIP_CLASS
  priority percent 30
  set dscp ef
 class WEB_MAIL_CLASS
  bandwidth remaining percent 75
zone security VLAN10_ZONE
zone security WAN_ZONE
zone security VLAN1_ZONE
zone security VLAN11_ZONE
zone security VLAN12_ZONE
zone security VLAN13_ZONE
zone security VLAN14_ZONE
zone security VLAN15_ZONE
zone security VLAN50_ZONE
zone security VLAN100_ZONE
zone security VLAN101_ZONE
zone-pair security VLAN_10_TO_WAN source VLAN10_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_1_TO_WAN source VLAN1_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_VLAN1 source WAN_ZONE destination VLAN1_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN10 source WAN_ZONE destination VLAN10_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN11 source WAN_ZONE destination VLAN11_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN12 source WAN_ZONE destination VLAN12_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN13 source WAN_ZONE destination VLAN13_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN14 source WAN_ZONE destination VLAN14_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN15 source WAN_ZONE destination VLAN15_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security VLAN_11_TO_WAN source VLAN11_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_12_TO_WAN source VLAN12_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_WAN source VLAN13_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_14_TO_WAN source VLAN14_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_15_TO_WAN source VLAN15_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_50_TO_WAN source VLAN50_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_50_TO_VLAN1 source VLAN50_ZONE destination VLAN1_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_1_TO_VLAN50 source VLAN1_ZONE destination VLAN50_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_VLAN50 source WAN_ZONE destination VLAN50_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security WAN_TO_VLAN100 source WAN_ZONE destination VLAN100_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security VLAN_100_TO_WAN source VLAN100_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_VLAN101 source WAN_ZONE destination VLAN101_ZONE
 service-policy type inspect WAN_TO_LAN
zone-pair security VLAN_101_TO_WAN source VLAN101_ZONE destination WAN_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_1 source VLAN13_ZONE destination VLAN1_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_1_TO_VLAN_13 source VLAN1_ZONE destination VLAN13_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_50 source VLAN13_ZONE destination VLAN50_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_10 source VLAN13_ZONE destination VLAN10_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_11 source VLAN13_ZONE destination VLAN11_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_12 source VLAN13_ZONE destination VLAN12_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_14 source VLAN13_ZONE destination VLAN14_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN_15 source VLAN13_ZONE destination VLAN15_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_50_TO_VLAN101 source VLAN50_ZONE destination VLAN101_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_101_TO_VLAN50 source VLAN101_ZONE destination VLAN50_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_101_TO_VLAN13 source VLAN101_ZONE destination VLAN13_ZONE
 service-policy type inspect LAN_TO_WAN
zone-pair security VLAN_13_TO_VLAN101 source VLAN13_ZONE destination VLAN101_ZONE
 service-policy type inspect LAN_TO_WAN
interface GigabitEthernet0/0
 description MANAGEMENT
 ip address 10.10.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN1_ZONE
 duplex auto
 speed auto
 no mop enabled
!
!
interface GigabitEthernet0/0.10
 description Company10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN10_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.11
 description Company11
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 3144000 5000 5000 conform-action continue exceed-action drop
 rate-limit output 3144000 5000 5000 conform-action continue exceed-action drop
 zone-member security VLAN11_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.12
 description Company12
 encapsulation dot1Q 12
 ip address 10.10.12.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN12_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.13
 description Company13
 encapsulation dot1Q 13
 ip address 10.10.13.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN13_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.14
 description Company14
 encapsulation dot1Q 14
 ip address 10.10.14.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN14_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.15
 description Company15
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 3144000 5000 5000 conform-action continue exceed-action drop
 rate-limit output 3144000 5000 5000 conform-action continue exceed-action drop
 zone-member security VLAN15_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.50
 description WLAN
 encapsulation dot1Q 50
 ip address 10.10.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN50_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.100
 description WLAN_Guest
 encapsulation dot1Q 100
 ip address 10.10.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 rate-limit input 3496000 5000 5000 conform-action continue exceed-action drop
 rate-limit output 3496000 5000 5000 conform-action continue exceed-action drop
 zone-member security VLAN100_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.101
 description WLAN_Tedacthuset
 encapsulation dot1Q 101
 ip address 10.10.101.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 zone-member security WAN_ZONE
 no cdp enable
!
interface GigabitEthernet0/0.102
 encapsulation dot1Q 102
 ip address 10.10.102.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN101_ZONE
 no cdp enable
!
interface GigabitEthernet0/1
 description NOT_USED
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
interface GigabitEthernet0/2
 description WAN
 bandwidth 10240
 ip address 212.181.40.67 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security WAN_ZONE
 duplex auto
 speed auto
 no mop enabled
 crypto map VPNMAP
!
 service-policy output QOS_POLICY
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/2
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN13_ZONE
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
!
!
interface Virtual-Template2
 ip unnumbered GigabitEthernet0/0.101
 ip nat inside
 ip virtual-reassembly
 zone-member security VLAN13_ZONE
 peer default ip address pool test
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap-v2
ip nat pool with_overload2 212.181.40.xx 212.181.40.xx prefix-length 28
ip nat inside source list 105 pool with_overload2 overload
ip nat inside source static 10.10.11.20 212.181.40.xx extendable
ip nat inside source static 10.10.11.30 212.181.40.xx extendable
ip nat inside source static tcp 10.10.11.40 20 212.181.40.xx 20 extendable no-payload
ip nat inside source static tcp 10.10.11.40 21 212.181.40.xx 21 extendable no-payload
ip nat inside source static tcp 10.10.11.40 22 212.181.40.xx 22 extendable no-payload
ip nat inside source static tcp 10.10.11.40 80 212.181.40.xx 80 extendable no-payload
ip nat inside source static tcp 10.10.11.40 443 212.181.40.xx 443 extendable no-payload
ip nat inside source static tcp 10.10.11.40 873 212.181.40.xx 873 extendable no-payload
ip nat inside source static tcp 10.10.11.40 2049 212.181.40.xx 2049 extendable no-payload
ip nat inside source static udp 10.10.11.40 2049 212.181.40.xx 2049 extendable no-payload
ip route 0.0.0.0 0.0.0.0 212.181.40.xx
ip access-list extended GRE_TO_WAN
 permit gre any any
ip access-list extended LAN_TO_WAN
 permit ip any any
ip access-list extended WAN_TO_GRE
 permit gre any any
ip access-list extended WAN_TO_LAN
 permit tcp any any eq 22
 permit tcp any any eq 2087
 permit tcp any any eq 443
 permit tcp any any eq www
 permit tcp any any eq smtp
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit ip 192.168.3.0 0.0.0.255 10.10.15.0 0.0.0.255
 permit udp any any eq isakmp
 permit icmp any any
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
 permit tcp any eq ftp-data any
 permit tcp any eq ftp any
 permit tcp any eq 22 any
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 10.10.14.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.13.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.12.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.11.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
access-list 105 deny ip 10.10.15.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.15.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.13.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 192.168.0.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 deny ip 10.10.50.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 105 deny ip 10.10.15.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 deny ip 10.10.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 permit ip 10.10.1.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 any
access-list 105 permit ip 10.10.11.0 0.0.0.255 any
access-list 105 permit ip 10.10.12.0 0.0.0.255 any
access-list 105 permit ip 10.10.13.0 0.0.0.255 any
access-list 105 permit ip 10.10.14.0 0.0.0.255 any
access-list 105 permit ip 10.10.15.0 0.0.0.255 any
access-list 105 permit ip 10.10.50.0 0.0.0.255 any
access-list 105 permit ip 10.10.100.0 0.0.0.255 any
access-list 105 permit ip 10.10.101.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 any log
access-list 105 permit ip 10.10.102.0 0.0.0.255 any log
06-14-2011 06:46 AM
I should add that I don't get any hits on the following line:
access-list 105 permit ip 10.10.102.0 0.0.0.255 any log
06-14-2011 06:59 AM
Hi,
The 10.10.102.0/24 network is used for VLAN102 on your network. Right? Without any ZBF configuration, can you connect to the internet from VLAN102?
Toshi
06-14-2011 09:40 AM
No I can't, that did not work. Thank you for your time.
Regards Tommy Svensson
06-14-2011 10:17 AM
Let's begin from the basics.
Can you ping
ip address 10.10.102.1 255.255.255.0 from your PC?
06-14-2011 10:40 AM
Yes I can.
06-14-2011 11:29 AM
Hi,
Do all the following tests without the interfaces in security zones.
Do PCs in VLAN102 have the correct default gateway? Is there a NAT translation? Which type of traffic is not working?
Did you try a traceroute from the PC?
Regards.
Alain
06-15-2011 08:45 AM
Ok, the PC can ping its default gateway. This verifies local network access.
Can the PC ping the router's other IP interfaces? This will verify the traffic doesn't stop on interface 0/0.102.
Try pinging:
10.10.1.1
10.10.14.1
212.181.40.67
etc.
Can the PC ping hosts on the other networks connected to the router? This will verify the traffic doesn't stop at the router's other interfaces.
-Try pinging a host in the 10.10.1.0 /24 network
-Try pinging a host in the 10.10.14.0 /24 network
-Try pinging the default gateway of the actual router, as in where the router sends all its default traffic, which is the ISP router
If you can ping hosts on the other networks connected to the router, but not get out to the internet, then it's not your router blocking the traffic. I have a feeling the traffic isn't getting that far though, so running those tests will help see where the traffic is being dropped.
Hope this helps.
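The ping sequence in this reply is a bisection: each stage proves one more hop, and the first stage that fails names the segment to look at. The script below runs that sequence in order from the PC and stops at the first unanswered target. It is an added example, not part of the reply: the stage targets are the addresses the thread names, the hosts marked PLACEHOLDER and the ISP gateway (redacted as 212.181.40.xx above) must be substituted, and `locate_fault()` and `ping()` are the script's own names. The interpretation attached to each stage is the one the reply gives.

```python
"""Run the staged ping sequence from the reply above and report the first
stage where traffic stops. Added example; addresses marked PLACEHOLDER are
not from the thread and must be replaced."""
import platform
import subprocess

# (stage label, targets to ping, what a failure at this stage means per the reply)
STAGES = [
    ("default gateway on Gi0/0.102", ["10.10.102.1"],
     "local link or the PC's gateway setting"),
    ("router's other IP interfaces", ["10.10.1.1", "10.10.14.1", "212.181.40.67"],
     "traffic stops on interface 0/0.102"),
    ("hosts behind the router's other interfaces",
     ["10.10.1.50", "10.10.14.50"],  # PLACEHOLDER hosts; use real ones on those LANs
     "traffic stops at the router's other interfaces"),
    ("ISP router (the router's own default gateway)", ["ISP_GATEWAY_PLACEHOLDER"],
     "not the router blocking the traffic; look upstream"),
]


def ping(host, count=2):
    """True if host answers an ICMP echo; shells out to the OS ping binary."""
    flag = "-n" if platform.system() == "Windows" else "-c"
    result = subprocess.run(["ping", flag, str(count), host],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def locate_fault(stages=STAGES, probe=ping):
    """Walk the stages in order; return (label, unreachable_targets, meaning)
    for the first stage with an unanswered target, or None if all answer."""
    for label, targets, meaning in stages:
        unreachable = [t for t in targets if not probe(t)]
        if unreachable:
            return label, unreachable, meaning
    return None


if __name__ == "__main__":
    result = locate_fault()
    if result is None:
        print("every stage answered; the path through the router works")
    else:
        print(f"stopped at: {result[0]} (no reply from {result[1]}) -> {result[2]}")
```

`probe` is injectable so the walk can be exercised without a network, and so a traceroute-based check (as Alain suggests) can be substituted for ICMP echo where that is more informative.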