12-28-2006 06:22 PM - edited 03-03-2019 03:12 PM
I know I've got a whacked out config, but there has to be a way to make everything work! My problem is computers on the 172.16.0.0 subnet cannot reach the internet. My requests either time out or I get destination host unreachable back from the router. I have a VPN tunnel setup between my lab router and my PIX at home going through the cable internet. 172.16.0.0 is my router subnet and 172.16.1.0 is my PIX home subnet. Here's my config:
interface FastEthernet0/0.1
description Voice Network
encapsulation dot1Q 210
ip address 172.16.0.2 255.255.255.0
ip nat inside
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/0.2
description Data Network
encapsulation dot1Q 2
ip address 192.168.1.1 255.255.255.0
ip nat inside
no snmp trap link-status
no cdp enable
!
interface FastEthernet0/1
description Cable Internet
ip address dhcp
ip nat outside
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
crypto map nolan
!
ip nat pool branch rrr.rrr.rrr.rrr rrr.rrr.rrr.rrr netmask 255.255.255.240
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool branch overload
ip nat inside source static tcp 172.16.0.16 5900 rrr.rrr.rrr.rrr 5900 route-map VNCCCM extendable
ip nat inside source static tcp 172.16.0.17 5959 rrr.rrr.rrr.rrr 5959 route-map VNCUNITY extendable
no ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 172.16.1.0 255.255.255.0 ppp.ppp.ppp.ppp
!
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www
access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 130 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 130 permit ip 172.16.0.0 0.0.0.255 any
access-list 140 deny ip host 172.16.0.16 172.16.1.0 0.0.0.255
access-list 140 permit ip host 172.16.0.16 any
access-list 141 deny ip host 172.16.0.17 172.16.1.0 0.0.0.255
access-list 141 permit ip host 172.16.0.17 any
access-list 2223 permit tcp 192.168.0.0 0.0.255.255 any eq 22
access-list 2223 permit tcp 172.16.0.0 0.0.255.255 any eq 22
access-list 2223 permit tcp 192.168.0.0 0.0.255.255 any eq telnet
access-list 2223 permit tcp 172.16.0.0 0.0.255.255 any eq telnet
access-list 2223 permit tcp any eq 22 any eq 22
no cdp run
!
route-map VNCUNITY permit 10
match ip address 141
!
route-map VNCCCM permit 10
match ip address 140
!
route-map nonat permit 10
match ip address 130
Thanks!
12-28-2006 07:07 PM
Just a very simple question. Did you configure the correct default gateway at your PC? Can you provide the trace route result? Did you have the proper route at your PIX for the return traffic?
Hope this helps.
12-28-2006 08:05 PM
I tried 172.16.0.2 and 192.168.1.1 for default gateways and neither works. I have computers on the 192 network and they work fine. So it has to be some kind of access-list problem.
The traces just show 172.16.0.2 for the first hop, then the rest either time out or I get Destination Host Unreachable for the 2nd hop and it stops there.
12-29-2006 12:16 AM
I did not find the access-list applied to any interface, so there should be no effect on the router.
According to the config, if there is access to the Internet, the traffic should pass to Fa0/1. Therefore, the next hop after 172.16.0.2 should be the DHCP address.
Can you try to ping each hop one by one to verify where the packet stops? I suspect the ISP may not have your subnet.
Moreover, where is the PIX located? On the same segment as Fa0/0.1? If yes, they are in different subnets; I believe the packet cannot reach the PIX either.
Hope this helps.
12-29-2006 12:52 AM
Sorry for my typo. I believe the PIX should be located on the same user LAN segment.
Try to simplify the NAT rule and set it for Internet only then test again.
Moreover, the NAT pool is set for the PIX connection and not the Internet connection. The traffic to the Internet may not be NATed.
Hope this helps.
12-28-2006 09:21 PM
Mike
There are several things in your config that I do not understand. Perhaps if we can clarify some of them we might get closer to answering your problem.
I note that the static route for the remote subnet is: ip route 172.16.1.0 255.255.255.0 ppp.ppp.ppp.ppp. What and where is ppp.ppp.ppp.ppp?
I am trying to understand the various flavors of address translation that you are doing. The first one seems to be the one that includes 192.168.0.0
ip nat inside source list 101 interface FastEthernet0/1 overload
And access list 101 is:
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www
so clearly it gets any traffic from 192.168.1.0, but the second line is pretty odd. It is very unlikely that the source port will be 80 and the destination port also be 80, so I doubt that this line gets any matches.
Then the next one is this:
ip nat inside source route-map nonat pool branch overload
The route map excludes 172.16.0.0 going to 172.16.1.0 and then permits 172.16.0.0 to anywhere else. But it does not permit 192.168.1.0 so I am not sure how this relates to your processing.
Also I note that there is a crypto map on your public interface. This may have some impact on what is happening. Can you post details of the crypto configuration?
HTH
Rick
12-28-2006 09:28 PM
Thanks for the quick reply and sorry for any confusion. I forgot to state that ppp.ppp.ppp.ppp stands for my PIX's IP address from my ISP and rrr.rrr.rrr.rrr stands for the router's IP from my ISP. Obviously I removed the actual IPs for security reasons.
As of right now, I'm not worried about the 192.168.1.0 subnet using the VPN (172.16.1.0 subnet). That's why that IP range isn't currently permitted.
The access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www was my shot at fixing no internet on the 172.16.0.0 subnet. Obviously it's wrong! I was trying to allow the 172.16.0.0 subnet limited access to the internet.
I hope I answered your questions and you can help! Thanks!!
172.16.0.0 subnet = Lab Voice Server Network
172.16.0.0 subnet = Home PIX subnet
192.168.1.0 subnet = Lab Data Network
12-29-2006 09:13 AM
Mike
If there are aspects of this that I misunderstand please help me to understand it correctly. I think I understand that the main problem that you are trying to solve is that some of your PCs do not have access to Internet. If you use private addressing inside and have problems accessing Internet I have found that the most common problem is a problem with address translation. Especially when you say that the 192.168.1.0 PCs do successfully access the Internet but 172.16.0.0 PCs do not I believe that it is very likely that the problem is misconfigured NAT. I would suggest that you re-write the line in access list 101 to permit ip 172.16.0.0 0.0.0.255 any and see if the PCs do have Internet access. If they do then you can experiment with re-writing the rule to restrict their access in whatever way is appropriate, but you will know that Internet access does work.
HTH
Rick
12-29-2006 09:26 AM
Try and replace this:
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www
with this:
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any
However, if you are really set on not allowing anything but web-surfing for the 172.16.0.0/24 network, you might want to try this one:
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 101 permit udp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq 53
access-list 101 permit tcp 172.16.0.0 0.0.0.255 any eq www
You won't be able to trace though.
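To make the NAT access-list behaviour in this thread concrete (Rick's point that the original "eq www any eq www" line never matches a real browser flow, and the "web-surfing only" replacement above, including its traceroute caveat), here is a small model of IOS numbered-ACL matching. This is an added example, not code from the thread or from Cisco: the ACL evaluator, the Flow/Ace types and the sample flows are constructed; 198.51.100.0/24 addresses stand in for arbitrary Internet hosts, and 207.255.0.130 is the DNS server named later in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of IOS numbered-ACL matching. On a NAT statement such as
# "ip nat inside source list 101 ...", a permit means "translate this flow";
# anything not permitted leaves the router with its private source address.

@dataclass(frozen=True)
class Flow:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports (icmp)
    dport: int = 0

@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port

def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        base, wild = parts[1], "0.0.0.0"
    else:
        base, wild = parts[0], parts[1]
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if not (wildcard_match(flow.src, ace.src) and wildcard_match(flow.dst, ace.dst)):
        return False
    if ace.sport is not None and flow.sport != ace.sport:
        return False
    if ace.dport is not None and flow.dport != ace.dport:
        return False
    return True

def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, flow):
            return ace.action
    return "deny"

def nat_decision(acl: List[Ace], flow: Flow) -> str:
    """What the NAT statement does with a flow that is checked against the ACL."""
    return "translated" if evaluate(acl, flow) == "permit" else "not translated"

# The thread's original access-list 101: the second entry requires SOURCE
# port 80 as well as destination port 80, which a browser never uses.
ORIGINAL_101 = [
    Ace("permit", "ip", "192.168.0.0 0.0.255.255", "any"),
    Ace("permit", "tcp", "172.16.0.0 0.0.0.255", "any", sport=80, dport=80),
]

# The "web surfing only" replacement suggested in the thread: DNS plus HTTP.
SUGGESTED_101 = [
    Ace("permit", "ip", "192.168.0.0 0.0.255.255", "any"),
    Ace("permit", "udp", "172.16.0.0 0.0.0.255", "any", dport=53),
    Ace("permit", "tcp", "172.16.0.0 0.0.0.255", "any", dport=53),
    Ace("permit", "tcp", "172.16.0.0 0.0.0.255", "any", dport=80),
]

# Constructed sample flows (ephemeral source ports, documentation-range hosts).
WEB  = Flow("tcp",  "172.16.0.20",  "198.51.100.10", sport=49152, dport=80)
DNS  = Flow("udp",  "172.16.0.20",  "207.255.0.130", sport=53001, dport=53)
SSH  = Flow("tcp",  "172.16.0.20",  "198.51.100.10", sport=49153, dport=22)
PING = Flow("icmp", "172.16.0.20",  "198.51.100.10")
DATA = Flow("tcp",  "192.168.1.50", "198.51.100.10", sport=49154, dport=443)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_101), ("suggested", SUGGESTED_101)):
        for label, flow in (("web", WEB), ("dns", DNS), ("ssh", SSH), ("ping", PING), ("data-vlan", DATA)):
            print(f"{name:9} {label:9} {nat_decision(acl, flow)}")
```

Running it shows the voice-VLAN web flow is "not translated" under the original list (so the packet goes out with a 172.16.0.x source and the reply never comes back) and "translated" under the replacement, while SSH and ICMP from 172.16.0.0/24 stay untranslated, which is why traceroute stops working with the restrictive list.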
12-29-2006 11:11 AM
Making progress!
access-list 101 permit tcp 172.16.0.0 0.0.0.255 eq www any eq www made other things stop working like telnet from the other end of the VPN. The 2nd suggestion worked great! I guess I was on the right track before, but I didn't add port 53 to the access list.
I still have one more issue yet, but it's not that important...at least not that I found yet.
If I use DNS servers 207.255.0.130 and 207.255.0.130, I get DNS errors and can't surf the net, but they work for me at home. My home and work WAN IPs are also on the 207 subnet. Any ideas? You think my web traffic is going over the VPN instead of straight out to the internet? What ports would I have to open up to allow trace routes? Thanks!
12-30-2006 05:51 AM
Last thing first:
access-list 101 permit icmp 172.16.0.0 0.0.0.255 any traceroute
I hope it works, but try it out. You may need to experiment a bit, or just settle with permitting all ICMP from 172.16.0.0/24.
And concerning the DNS, try 4.2.2.2 as your DNS server instead. I don't know if you use the same ISP at home as you do on the "whacked out" router.
But if 4.2.2.2 works we know what the problem is.
12-30-2006 04:21 PM
Found my problem with not being able to reach the 207.x.x.x DNS servers. no ip classless was in my config. Removed that line now EVERYTHING is working! Thanks!
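The final fix in this thread (removing "no ip classless") is worth seeing as a lookup rule rather than a magic line. Under classful forwarding, a destination that falls inside a major (class A/B/C) network for which the router already has a subnet route, but matches none of those subnets, is dropped instead of following the default route. Here is an added example of that decision, not code from the thread or from Cisco: the routing table is reconstructed from the posted config, the WAN subnet 207.255.0.16/28 is an assumption (the page masks the router's public address as rrr.rrr.rrr.rrr, says the WAN addresses are in 207.x.x.x, and uses a 255.255.255.240 mask), and ppp.ppp.ppp.ppp is kept as the thread's own placeholder for the PIX address.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of the IOS "ip classless" / "no ip classless" forwarding
# decision, built to show why the 207.255.0.130 DNS server was unreachable
# while the rest of the Internet worked.

Route = Tuple[str, str]   # (prefix in CIDR form, next hop or outgoing interface)

# Routing table reconstructed from the thread's config. 207.255.0.16/28 is an
# ASSUMED WAN subnet (the real one is masked on the page); ppp.ppp.ppp.ppp is
# the thread's placeholder for the PIX's public address.
TABLE: List[Route] = [
    ("172.16.0.0/24",   "FastEthernet0/0.1"),
    ("192.168.1.0/24",  "FastEthernet0/0.2"),
    ("172.16.1.0/24",   "ppp.ppp.ppp.ppp"),
    ("207.255.0.16/28", "FastEthernet0/1"),
    ("0.0.0.0/0",       "FastEthernet0/1"),
]

def classful_network(addr: str) -> ipaddress.IPv4Network:
    """Major (class A/B/C) network an address belongs to, decided by its first octet."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def knows_subnet_of(table: List[Route], major: ipaddress.IPv4Network) -> bool:
    """True if the table holds the major network itself or any subnet of it."""
    return any(
        ipaddress.ip_network(prefix).subnet_of(major)
        for prefix, _ in table
        if ipaddress.ip_network(prefix).prefixlen > 0
    )

def lookup(table: List[Route], dst: str, classless: bool) -> Optional[str]:
    """Longest-prefix match. With classless=False (no ip classless), a destination
    that only matched the default route is dropped (None) when the router already
    knows subnets of that destination's major network."""
    dst_ip = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    best_len = -1
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and net.prefixlen > best_len:
            best, best_len = (prefix, nexthop), net.prefixlen
    if best is None:
        return None
    if not classless and best_len == 0 and knows_subnet_of(table, classful_network(dst)):
        return None
    return best[1]

if __name__ == "__main__":
    for dst in ("207.255.0.130", "172.16.5.9", "198.51.100.10", "172.16.1.5"):
        print(f"{dst:15} no ip classless -> {str(lookup(TABLE, dst, False)):18}"
              f" ip classless -> {lookup(TABLE, dst, True)}")
```

With the assumed /28 on the WAN interface, 207.255.0.130 sits in the same class C major network (207.255.0.0/24) as the router's own public address, so under "no ip classless" it is dropped rather than sent to the default route, exactly the symptom described; a host in an unrelated class C such as 198.51.100.10 still uses the default route either way, which is why general web browsing worked while only those DNS servers failed.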