Cisco 888 NAT problems

Ivan Tesselaar (Level 1)

I configured my 888 and all seems to be working ok. I can reach the internet, I can reach the PC, and "sh ip nat trans" is showing me entries. But for some reason the PC is not able to connect to the internet. I tried all different settings, but I cannot figure out why this is not working. Not really sure anymore if this is a NAT problem or something else...

rtrsdsl#sh run
Building configuration...

Current configuration : 6898 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtrsdsl
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxx
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-623211236
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-623211236
revocation-check none
rsakeypair TP-self-signed-623211236
!
!
crypto pki certificate chain TP-self-signed-623211236
certificate self-signed 01
  xxx
quit
no ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.31.20.254
!
ip dhcp pool ccp-pool
   import all
   network 10.31.20.0 255.255.255.0
   default-router 10.31.20.253
   dns-server 8.8.8.8
   lease 0 2
!
ip dhcp pool IAS
   import all
   origin ipcp
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name paramelt.com
no ipv6 cef
!
!
!
!
username xxx privilege 15 secret 5 xxx
!
!
!
archive
log config
  hidekeys
!
!
controller DSL 0
mode atm
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
!
ip tcp synwait-time 10
ip ssh source-interface Vlan1
ip ssh version 2
!
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
ip flow ingress
pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.31.20.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan2
ip address pool IAS
shutdown
!
interface Dialer0
ip address negotiated
ip verify unicast reverse-path
no ip redirects
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname KPN
ppp chap password 7 xxx
ppp pap sent-username kpn password 7 xxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp address accept
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.31.0.0 255.255.255.0 10.31.20.254
ip route 10.31.0.150 255.255.255.255 10.31.20.254
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface Dialer0 overload
!
logging trap debugging
access-list 10 permit 10.31.20.0 0.0.0.255
access-list 23 permit 10.31.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxx.xxx.94.192 0.0.0.7 any
access-list 100 permit ip 10.31.20.0 0.0.0.255 any
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

rtrsdsl#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
icmp xxx.xxx.94.193:11894  10.31.20.36:11894     8.8.8.8:11894         8.8.8.8:11894
udp xxx.xxx.94.193:41263   10.31.20.36:41263     8.8.8.8:53            8.8.8.8:53
udp xxx.xxx.94.193:44634   10.31.20.36:44634     8.8.8.8:53            8.8.8.8:53

rtrdsl#debug ip nat
rtrdsl#sh log
015049: *Mar 12 11:43:28.785 PCTime: NAT*: s=8.8.8.8, d=xxx.xxx.94.193->10.31.20.36 [0]
015050: *Mar 12 11:43:29.773 PCTime: NAT*: s=10.31.20.36->xxx.xxx.94.193, d=8.8.8.8 [0]

2 Accepted Solutions

Hi,

you have an inside zone but no outside zone so by default all traffic from a zone to a non zone member is dropped.

try this:

int dialer1
zone security out-zone

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

no access-list 100 permit ip 10.31.20.0 0.0.0.255 any

Regards.

Alain

Don't forget to rate helpful posts.

8 Replies

jawad-mukhtar (Level 4)

Issue these commands on your Dialer interface.

interface Dialer1
mtu 1492
ip tcp adjust-mss 1452

** Do Rate Helpful Posts**

Jawad

It's not working.

But the internet connection is working, so I don't understand what your suggestion might do to help? And I assume you meant Dialer0?

Hi,

you have an inside zone but no outside zone so by default all traffic from a zone to a non zone member is dropped.

try this:

int dialer1
zone security out-zone

Regards.

Alain

Don't forget to rate helpful posts.

Hello Ivan,

If I understand correctly, the internet connection is working if you try from the router, but your PC has no connection to the internet.

Try removing this command:

interface Vlan1
no zone-member security in-zone

I noticed that your outside interface Dialer0 is not a member of any security zone.

Best Regards
Please rate all helpful posts and close solved questions

I get the feeling this is the right direction, but not really working yet. I do like to keep a security zone.

I added the security zone:

interface Dialer0
mtu 1492
ip address negotiated
ip verify unicast reverse-path
no ip redirects
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname KPN
ppp chap password 7 xxx
ppp pap sent-username kpn password 7 xxx
ppp ipcp dns request
ppp ipcp mask request
ppp ipcp address accept

rtrdsl#debug zone security events
rtrdsl#sh log
017570: *Mar 12 14:05:53.132 PCTime: %FW-6-DROP_PKT: Dropping icmp session 10.31.20.36:0 8.8.8.8:0 on zone-pair ccp-zp-in-out class ccp-invalid-src due to  DROP action found in policy-map with ip ident 0
017642: *Mar 12 14:09:01.632 PCTime: %FW-6-LOG_SUMMARY: 2 packets were dropped from 10.31.20.36:34640 => 8.8.8.8:53 (target:class)-(ccp-zp-in-out:ccp-invalid-src)

I removed the security zone and indeed I have internet! So I think the problem is solved, but need to get the security zones working...

Hi,

no access-list 100 permit ip 10.31.20.0 0.0.0.255 any

Regards.

Alain

Don't forget to rate helpful posts.

This command removed the whole access-list, so I recreated it with this line left out. But this did the trick! Thanks a lot.
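The two accepted fixes in this thread (putting Dialer0 into out-zone, then removing the inside-subnet line from ACL 100) both come down to how the zone-based firewall classifies a packet leaving Vlan1 for Dialer0. The script below is an added example, not the router's configuration or any Cisco tool: it models the zone-membership rules and the class order of policy-map ccp-inspect, parses ACL 100 with Cisco wildcard-mask semantics, and shows why DNS from 10.31.20.36 was dropped in class ccp-invalid-src until that line was gone. The ACL text is constructed from the thread; 203.0.113.192/29 is a documentation prefix standing in for the masked xxx.xxx.94.192/29, and the protocol label on each packet is assumed to be what the inspect class-maps would assign.

```python
"""Model of the zone-based firewall decisions behind the thread's two fixes (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed from the thread's ACL 100; 203.0.113.192/29 stands in for the masked WAN block.
ACL_100_ORIGINAL = """\
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 203.0.113.192 0.0.0.7 any
access-list 100 permit ip 10.31.20.0 0.0.0.255 any
"""
# Alain's fix: the same list recreated without the inside-subnet line.
ACL_100_FIXED = "\n".join(ACL_100_ORIGINAL.strip().splitlines()[:-1])

# Protocols under class-map ccp-cls-insp-traffic (tcp/udp at the end catch everything else).
INSPECT_PROTOCOLS = {
    "cuseeme", "dns", "ftp", "h323", "https", "icmp", "imap", "pop3", "netshow",
    "shell", "realmedia", "rtsp", "smtp", "sql-net", "streamworks", "tftp",
    "vdolive", "tcp", "udp",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # assumed label the inspect class-maps would assign (port/NBAR based)


def parse_acl(text):
    """Turn 'access-list N permit ip <src> any' lines into (action, base, wildcard) tuples.
    Handles only the source forms the thread uses: host X, X WILDCARD, any; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        action, src = tok[2], tok[4:]
        if src[0] == "host":
            base, wild = src[1], "0.0.0.0"
        elif src[0] == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        else:
            base, wild = src[0], src[1]
        entries.append((action, int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))))
    return entries


def acl_permits(entries, src_ip):
    """First matching entry wins; a 1 bit in the wildcard means 'ignore this bit'; implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, base, wild in entries:
        care = 0xFFFFFFFF ^ wild
        if ip & care == base & care:
            return action == "permit"
    return False


def policy_ccp_inspect(pkt, acl100):
    """policy-map ccp-inspect: classes are tried in configured order, first match wins."""
    if acl_permits(acl100, pkt.src):            # class ccp-invalid-src   -> drop log
        return ("ccp-invalid-src", "drop log")
    if pkt.proto == "http":                     # class ccp-protocol-http -> inspect
        return ("ccp-protocol-http", "inspect")
    if pkt.proto in INSPECT_PROTOCOLS:          # class ccp-insp-traffic  -> inspect
        return ("ccp-insp-traffic", "inspect")
    return ("class-default", "drop")


def zbf_decision(ingress, egress, pkt, zone_of, acl100):
    """Zone-membership rules that apply before any policy-map is consulted."""
    zin, zout = zone_of.get(ingress), zone_of.get(egress)
    if zin is None and zout is None:
        return ("no-zones", "pass")              # ZBF not involved at all
    if zin is None or zout is None:
        return ("zone-to-nonzone", "drop")       # first problem: Dialer0 was in no zone
    if zin == zout:
        return ("intra-zone", "pass")
    if (zin, zout) == ("in-zone", "out-zone"):   # zone-pair ccp-zp-in-out
        return policy_ccp_inspect(pkt, acl100)
    return ("no-zone-pair", "drop")


def lan_to_internet(dialer_in_zone, acl_text, pkt):
    """Vlan1 -> Dialer0, with or without Dialer0 in out-zone, under the given ACL 100 text."""
    zone_of = {"Vlan1": "in-zone"}
    if dialer_in_zone:
        zone_of["Dialer0"] = "out-zone"
    return zbf_decision("Vlan1", "Dialer0", pkt, zone_of, parse_acl(acl_text))


if __name__ == "__main__":
    dns = Packet("10.31.20.36", "8.8.8.8", "dns")
    for label, in_zone, acl in [("no out-zone", False, ACL_100_ORIGINAL),
                                ("out-zone, original ACL", True, ACL_100_ORIGINAL),
                                ("out-zone, fixed ACL", True, ACL_100_FIXED)]:
        print(f"{label:24s} -> {lan_to_internet(in_zone, acl, dns)}")
```

The three printed rows reproduce the thread in order: traffic from a zoned interface to an unzoned Dialer0 is dropped before any policy runs; once Dialer0 is in out-zone, the inside-subnet entry in ACL 100 makes 10.31.20.36 match ccp-invalid-src and produces exactly the %FW-6-DROP_PKT line seen in the log; with that entry gone, DNS falls through to ccp-insp-traffic and is inspected while spoofed 127.0.0.0/8 or WAN-prefix sources are still dropped. Two practical notes from the thread itself: the command that actually worked on this router is `zone-member security out-zone` under `interface Dialer0` (Alain's `int dialer1` / `zone security out-zone` is shorthand), and `no access-list 100 ...` on a classic numbered ACL removes the entire list, so it has to be re-entered in full; a named extended ACL (`ip access-list extended NAME`) lets you remove a single entry instead.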
