Thanks for your reply dear..

Actually i am new for this setup. I have purchased new 2901 router and purchased one internet line from ISP.

can you tell me how can i connect my internal users to internet with use of this ISP line and router 2901?

I have ISP line details and my internal lan ip details.

Thanks and Regard's

Amit Sharma

This  looks ok...

ip dhcp pool LAN_POOL

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server ???

   lease 0 8

spanning-tree vlan 10 priority 4096

interface FastEthernet0

description LAN

switchport access vlan 10

interface FastEthernet1

description LAN

switchport access vlan 10

interface FastEthernet2

description LAN

switchport access vlan 10

interface FastEthernet3

description LAN

switchport access vlan 10

interface FastEthernet4

description INTERNET

ip address 197.255.52.91 255.255.255.252

ip nat outside

interface Vlan10

description LAN

ip address 192.168.1.1 255.255.255.0

ip verify unicast reverse-path

ip nat inside

! default route

ip route 0.0.0.0 0.0.0.0 197.255.52.87

! deny RFC1918

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

! NAT

ip nat inside source list LAN_NAT_POLICY interface FastEthernet4 overload

ip access-list extended LAN_NAT_POLICY

deny   ip 192.168.1.0 0.255.255.255 192.168.1.0 0.255.255.255

permit ip 192.168.1.0 0.255.255.255 any

!
!
!
!
!
what is use of these commands:?

ip route 10.0.0.0 255.0.0.0 Null0

ip route 172.16.0.0 255.240.0.0 Null0

ip route 192.168.0.0 255.255.0.0 Null0

why use in nat these 2 commands:?

p access-list extended LAN_NAT_POLICY

deny   ip 192.168.1.0 0.255.255.255 192.168.1.0 0.255.255.255

why putting first deny command?

permit ip 192.168.1.0 0.255.255.255 any

this is ok for permit this range to net....!

Thanks and Regard's

Amit Sharma

Hi Amit

what is use of these commands:?
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0

These commands are used to disable to route packets with private IPs in dst field of IPv4 header to internet. Also you should add ACL on WAN interface to deny packets with private IPs in src field of IPv4 header.

ip access-list extended BLOCK_PRIVATE_IPv4

deny   ip any 10.0.0.0 0.255.255.255

deny   ip any 172.16.0.0 0.15.255.255

deny   ip any 192.168.0.0 0.0.255.255

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.168.0.0 0.0.255.255 any

permit ip any any

intterface G0/0

ip access-group BLOCK_PRIVATE_IPv4 out

You probably use default route toward the ISP so everything will be routed to internet. You should make sure that any packet with private IP in src or dst field will be routed to internet.

why use in nat these 2 commands:?
p access-list extended LAN_NAT_POLICY
deny   ip 192.168.1.0 0.255.255.255 192.168.1.0 0.255.255.255
why putting first deny command?
permit ip 192.168.1.0 0.255.255.255 any
 this is ok for permit this range to net....!

You need to NAT your LAN when you want to access some internet servers. This access list ensure that only interesting traffic will be NATed. Actually ACL should look like this:

ip access-list extended LAN_NAT_POLICY 
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255

deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255

permit ip 192.168.1.0 0.0.0.255 any

This ACL ensure that any traffic destinated to private IPs will not be NATed, than LAN will be NATed and everything else will not.

Also I noticed that wild card masks were not correct at link I provided for you, probably some copy&paste error.

thanks dear..>!

i got your point...i was in confusion with same ip in deny command...!

Thanks and Regard's

Amit Sharma

is deny command correct with same ip ?

Thanks and Regard's

Amit Sharma

Dear.

one thing that if i transfer my whole internal range ip to internet what nat configuration need for this 2901 router?

Thanks and Regard's

Amit Sharma

ip access-list extended LAN_NAT_POLICY 
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source list LAN_NAT_POLICY interface WAN_IFC/IP_ADDR overload

interface LAN

  ip nat inside

interface WAN

  ip nat outside

yes dear..!

i have done it..!

thanks for your help!

i will check these all pints and come back with results.

Thanks and Regard's

Amit Sharma

Hi Patrick,

sorry for bother you about this, but I need some information about 2901 router.

I requested a new internet link over fiber to my ISP provider, and the technician installed a cisco switch ME 3400 where the fiber is connected, then an ethernet cable connects this switch to the port GE 0/1 of the router 2901 and he told me the new internet link was ip and running.

my question is:

now i have to connect the GE 0/0 port of the router 2901 to another dedicated switch? in this case I have to configure this port with my LAN details?

thanks a lot

alberto tosato