03-11-2019 09:51 PM
I cannot understand how NAT is working.
1. Cisco 881
2. PPTP tunnel to the internet provider.
3. NAT on the tunnel.
4. DNS queries pass through NAT successfully.
Mar 11 17:26:05.767: NAT: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [1331]
Mar 11 17:26:05.811: NAT: s=8.8.8.8, d=90.157.26.245->192.168.0.12 [2313]
5. All other requests (ping, RDP, HTTP) do not pass through NAT. More precisely, the NAT translation of the request is present, but the reply is not present at all, as if there were no server response.
Mar 11 17:26:06.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29678]
Mar 11 17:26:07.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29679]
Mar 11 17:26:09.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29680]
cisco.k259#ping 213.189.197.94 df-bit size 1436
Sending 5, 1436-byte ICMP Echos to 213.189.197.94, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/29/32 ms
Help me understand the essence of the error.
cisco.k259#show run
Building configuration...
Current configuration : 7255 bytes
!
! Last configuration change at 22:08:00 GMT Mon Mar 11 2019 by atest
! NVRAM config last updated at 14:43:41 GMT Sun Mar 10 2019 by atest
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco.k259
!
boot-start-marker
boot-end-marker
!
!
logging discriminator FAN-FAIL severity drops 3 facility drops FAN mnemonics drops FAN_FAILED
logging buffered discriminator FAN-FAIL
no logging console
logging monitor discriminator FAN-FAIL
enable secret 5 $1$WSti$mDMsh6sXY2iguEI/Mchiy1
enable password xxxxxxxx_
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 5 0
!
crypto pki trustpoint TP-self-signed-3690135629
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3690135629
revocation-check none
rsakeypair TP-self-signed-3690135629
!
!
crypto pki certificate chain TP-self-signed-3690135629
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.7
!
ip dhcp pool k259
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.3
domain-name k259
dns-server 192.168.0.12 8.8.8.8
lease 0 2
!
!
!
ip domain name k259
ip name-server 192.168.0.12
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group PPTP_CLIENT
description Rostelecom ISP
request-dialin
protocol pptp
pool-member 1
initiate-to ip 10.0.0.1
!
cts logging verbose
license udi pid CISCO881W-GN-E-K9 sn FCZ164190LZ
!
!
username atest privilege 15 secret 4 6in4Lru2ZZ8N8cUij4q7JvPlkL..hsURCkjm.d4NOR2
!
!
!
!
no cdp run
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 10.0.47.132 255.255.255.0
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 10.10.11.1 255.255.255.0
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.0.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
!
interface Dialer0
description $ETH-WAN$
mtu 1436
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1360
dialer pool 1
dialer idle-timeout 0
dialer string 123
dialer persistent
dialer vpdn
ppp authentication ms-chap-v2 callin
ppp chap hostname 90.157.26.245
ppp chap password 0 XXXXXXXXXX
no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
no ip ftp passive
ip dns server
ip nat translation max-entries all-host 400
ip nat inside source static tcp 192.168.0.12 3389 interface Dialer0 3389
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 3
ip route 10.0.0.1 255.255.255.255 10.0.47.1
ip route 10.10.11.0 255.255.255.0 wlan-ap0
!
dialer-list 1 protocol ip permit
!
snmp-server community k259 RO
access-list 1 remark internet
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.0.0 0.0.0.15
access-list 101 remark internet2
access-list 101 remark CCP_ACL Category=2
access-list 101 remark test 2
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 remark WAN rule
access-list 150 remark CCP_ACL Category=1
access-list 150 remark WAN rule entry
access-list 150 permit ip any any
!
vstack
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
^C
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class 23 in
privilege level 15
password xxxxxxxx
login local
transport input telnet ssh
!
ntp master
ntp update-calendar
ntp server ntp2.stratum2.ru
!
end
03-12-2019 10:30 AM
Hello
Have you made the changes suggested and what is the present status?
03-13-2019 10:12 AM
From the router:
cisco.k259#ping 8.8.8.8 source 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms
cisco.k259#
Mar 13 16:57:56.436: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1657]
Mar 13 16:57:56.480: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.480: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1658]
Mar 13 16:57:56.524: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.524: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1659]
Mar 13 16:57:56.568: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.568: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1660]
Mar 13 16:57:56.612: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.612: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1661]
Mar 13 16:57:56.656: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
From the client:
C:\>ping 8.8.8.8
cisco.k259#
Mar 13 16:58:44.073: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8632]
Mar 13 16:58:48.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8633]
Mar 13 16:58:53.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8634]
Mar 13 16:58:58.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8635]
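The asymmetry in these debug lines (requests translated out, nothing translated back) can be checked mechanically rather than by eye. The following is an added Python example, not code from the thread or from Cisco: it parses the `debug ip nat` line format quoted above and reports every (inside host, remote peer) flow that was translated outbound but never had a reply translated back. The sample lines are copied from the thread's own output.

```python
import re
from collections import defaultdict

# Matches the IOS 'debug ip nat' lines quoted in the thread. The arrow marks the
# rewritten address; NAT* (vs NAT) marks a translation done in the fast-switching path.
NAT_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+): NAT(?P<fast>\*?): "
    r"s=(?P<s>[\d.]+)(?:->(?P<s_x>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_x>[\d.]+))? \[(?P<id>\d+)\]$"
)

def parse_nat_line(line):
    """Return a dict describing one translation, or None for non-NAT lines."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    fast = g["fast"] == "*"
    if g["s_x"]:                      # source rewritten: inside -> outside
        return {"dir": "out", "inside": g["s"], "peer": g["d"], "fast": fast}
    if g["d_x"]:                      # destination rewritten: outside -> inside
        return {"dir": "in", "inside": g["d_x"], "peer": g["s"], "fast": fast}
    return None

def flow_counts(lines):
    """Count (outbound, inbound) translations per (inside host, remote peer)."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        p = parse_nat_line(line)
        if p:
            counts[(p["inside"], p["peer"])][0 if p["dir"] == "out" else 1] += 1
    return {k: tuple(v) for k, v in counts.items()}

def one_way_flows(lines):
    """Flows translated outbound that never saw a reply translated back."""
    return {k: v for k, v in flow_counts(lines).items() if v[1] == 0}

# Sample lines copied from the thread's debug output: two healthy flows, one stalled one.
SAMPLE = """
Mar 13 16:57:56.436: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1657]
Mar 13 16:57:56.480: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 11 17:26:05.767: NAT: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [1331]
Mar 11 17:26:05.811: NAT: s=8.8.8.8, d=90.157.26.245->192.168.0.12 [2313]
Mar 11 17:26:06.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29678]
Mar 11 17:26:07.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29679]
Mar 11 17:26:09.527: NAT*: s=192.168.0.12->90.157.26.245, d=213.189.197.94 [29680]
""".strip().splitlines()

if __name__ == "__main__":
    print(one_way_flows(SAMPLE))
```

Running it on the sample prints only the 192.168.0.12 to 213.189.197.94 flow, which is exactly the one the thread describes as getting no response.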
03-13-2019 10:25 AM
Hello
So, to summarise, what is failing?
03-13-2019 10:57 AM
03-15-2019 08:16 AM
So, gentlemen, the problem was with CEF.
no ip cef
brings NAT back to a working state.