03-12-2013 03:16 AM - edited 03-04-2019 07:15 PM
I configured my 888 and all seems to be working ok. I can reach the internet, I can reach the PC, and "sh ip nat trans" is showing me entries. But for some reason the PC is not able to connect to the internet. I tried all different settings, but I cannot figure out why this is not working. Not really sure anymore if this is a NAT problem or something else...
rtrsdsl#sh run
Building configuration...
Current configuration : 6898 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtrsdsl
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-623211236
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-623211236
revocation-check none
rsakeypair TP-self-signed-623211236
!
!
crypto pki certificate chain TP-self-signed-623211236
certificate self-signed 01
xxx
quit
no ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.31.20.254
!
ip dhcp pool ccp-pool
import all
network 10.31.20.0 255.255.255.0
default-router 10.31.20.253
dns-server 8.8.8.8
lease 0 2
!
ip dhcp pool IAS
import all
origin ipcp
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name paramelt.com
no ipv6 cef
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
!
archive
log config
hidekeys
!
!
controller DSL 0
mode atm
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
!
ip tcp synwait-time 10
ip ssh source-interface Vlan1
ip ssh version 2
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
ip flow ingress
pvc 2/32
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.31.20.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan2
ip address pool IAS
shutdown
!
interface Dialer0
ip address negotiated
ip verify unicast reverse-path
no ip redirects
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname KPN
ppp chap password 7 xxx
ppp pap sent-username kpn password 7 xxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.31.0.0 255.255.255.0 10.31.20.254
ip route 10.31.0.150 255.255.255.255 10.31.20.254
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface Dialer0 overload
!
logging trap debugging
access-list 10 permit 10.31.20.0 0.0.0.255
access-list 23 permit 10.31.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxx.xxx.94.192 0.0.0.7 any
access-list 100 permit ip 10.31.20.0 0.0.0.255 any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
rtrsdsl#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp xxx.xxx.94.193:11894 10.31.20.36:11894 8.8.8.8:11894 8.8.8.8:11894
udp xxx.xxx.94.193:41263 10.31.20.36:41263 8.8.8.8:53 8.8.8.8:53
udp xxx.xxx.94.193:44634 10.31.20.36:44634 8.8.8.8:53 8.8.8.8:53
rtrdsl#debug ip nat
rtrdsl#sh log
015049: *Mar 12 11:43:28.785 PCTime: NAT*: s=8.8.8.8, d=xxx.xxx.94.193->10.31.20.36 [0]
015050: *Mar 12 11:43:29.773 PCTime: NAT*: s=10.31.20.36->xxx.xxx.94.193, d=8.8.8.8 [0]
03-12-2013 03:41 AM
Issue these commands on your Dialer interface.
interface Dialer1
mtu 1492
ip tcp adjust-mss 1452
** Do Rate Helpful Posts**
03-12-2013 04:23 AM
It's not working.
But the internet connection is working, so I don't understand what your suggestion might do to help. And I assume you meant Dialer0?
03-12-2013 05:24 AM
Hi,
You have an inside zone but no outside zone, so by default all traffic from a zone to a non-zone member is dropped.
Try this:
int dialer1
zone security out-zone
Regards.
Alain
Don't forget to rate helpful posts.
03-12-2013 05:25 AM
Hello Ivan,
If I understand correctly, the internet connection is working if you try from the router, but your PC has no connection to the internet.
Try removing this command:
interface Vlan1
no zone-member security in-zone
I noticed that your outside interface Dialer0 is not member of any security zone.
Best Regards
Please rate all helpful posts and close solved questions
03-12-2013 05:40 AM
I get the feeling this is the right direction, but it's not really working yet. I do like to keep a security zone.
I added the security zone:
interface Dialer0
mtu 1492
ip address negotiated
ip verify unicast reverse-path
no ip redirects
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname KPN
ppp chap password 7 xxx
ppp pap sent-username kpn password 7 xxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp address accept
rtrdsl#debug zone security events
rtrdsl#sh log
017570: *Mar 12 14:05:53.132 PCTime: %FW-6-DROP_PKT: Dropping icmp session 10.31.20.36:0 8.8.8.8:0 on zone-pair ccp-zp-in-out class ccp-invalid-src due to DROP action found in policy-map with ip ident 0
017642: *Mar 12 14:09:01.632 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 10.31.20.36:34640 => 8.8.8.8:53 (target:class)-(ccp-zp-in-out:ccp-invalid-src)
03-12-2013 05:43 AM
I removed the security zone and indeed I have internet! So I think the problem is solved, but I need to get the security zones working...
03-12-2013 06:01 AM
Hi,
no access-list 100 permit ip 10.31.20.0 0.0.0.255 any
Regards.
Alain
Don't forget to rate helpful posts.
03-12-2013 06:20 AM
This command removed the whole access-list, so I recreated it with this line left out. But this did the trick! Thanks a lot.
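As an added example (not from the thread, not Cisco code), a small Python audit that reproduces the two findings of this thread over a constructed excerpt of the posted config: a NAT-outside interface left out of any zone while the inside interface is zoned, and an anti-spoofing ACL bound to a drop class that also covers the inside LAN. The function names and the config excerpt are mine.

```python
import re
from ipaddress import IPv4Network

# Constructed excerpt of the thread's config: Vlan1 zoned, Dialer0 not, LAN in anti-spoof ACL.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 10.31.20.253 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface Dialer0
 ip nat outside
class-map type inspect match-all ccp-invalid-src
 match access-group 100
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.31.20.0 0.0.0.255 any
"""

def parse_interfaces(config):
    """Map interface name -> {ip, nat, zone} from IOS running-config text."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"ip": None, "nat": None, "zone": None})
        elif cur is None or not line.startswith(" "):
            cur = None                       # '!' or a global command ends the block
        elif m := re.match(r" ip address (\S+) (\S+)$", line):
            cur["ip"] = IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r" ip nat (inside|outside)", line):
            cur["nat"] = m.group(1)
        elif m := re.match(r" zone-member security (\S+)", line):
            cur["zone"] = m.group(1)
    return ifaces

def unzoned_outside(ifaces):
    """NAT-outside interfaces in no zone while another interface is zoned (ZBF drops zone->no-zone)."""
    zoned = any(i["zone"] for i in ifaces.values())
    return [n for n, i in ifaces.items() if zoned and i["nat"] == "outside" and not i["zone"]]

def acl_entries_covering_inside(config, ifaces):
    """Entries of any 'match access-group' ACL that also cover a connected NAT-inside subnet."""
    inside = [i["ip"] for i in ifaces.values() if i["nat"] == "inside" and i["ip"]]
    hits = []
    for acl in set(re.findall(r"match access-group (\d+)", config)):
        # address/wildcard entries only; 'host x.x.x.x' entries are not checked here
        for m in re.finditer(rf"access-list {acl} permit ip (\d[\d.]+) (\d[\d.]+) any", config):
            mask = ".".join(str(255 - int(o)) for o in m.group(2).split("."))  # wildcard -> netmask
            net = IPv4Network(f"{m.group(1)}/{mask}", strict=False)
            if any(net.overlaps(sub) for sub in inside):
                hits.append(m.group(0))
    return hits
```

Run against the excerpt, `unzoned_outside` names Dialer0 and `acl_entries_covering_inside` returns only the 10.31.20.0 entry; the 127.0.0.0/8 bogon line is correctly left alone.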