03-08-2019 10:00 AM
I'm trying to allow access to the internet through my Cisco 881, once I add IP permit any any I get disconnected:
ip dhcp excluded-address 10.70.82.1 10.70.82.200
ip dhcp excluded-address 10.70.82.251 10.70.82.255
!
ip dhcp pool 10.70.82.0/24
network 10.70.82.0 255.255.255.0
default-router 10.70.82.10
dns-server 8.8.8.8 8.8.4.4
interface Loopback1
description For Monitoring
ip address 10.255.66.30 255.255.255.248
!
interface Loopback2
ip address 10.255.65.30 255.255.255.248
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
shutdown
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface FastEthernet4
description WAN Interface
ip address 10.82.20.10 255.255.0.0
ip access-group 110 in
ip access-group 124 out
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache
ip policy route-map Nat
duplex auto
speed auto
no cdp enable
crypto map topac
!
interface Vlan1
description LAN Interface Mapped to Fa0
ip address 10.70.82.10 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
ip policy route-map Nat
!
ip local policy route-map Nat
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat pool custnat 10.255.66.25 10.255.66.25 prefix-length 30
ip nat inside source list 101 pool custnat overload
ip nat inside source list 124 interface FastEthernet4 overload
ip nat inside source static 10.70.82.16 10.255.66.26
ip nat outside source static 172.31.16.59 10.70.82.11 no-alias
ip route 0.0.0.0 0.0.0.0 10.82.20.1
access-list 99 permit 172.31.100.250
access-list 101 deny tcp any host 10.70.82.11 eq telnet
access-list 101 deny tcp any host 10.70.82.11 eq 992
access-list 101 deny tcp any 172.31.16.0 0.0.1.255 eq telnet
access-list 101 deny tcp any 172.31.16.0 0.0.1.255 eq 992
access-list 101 permit ip any 172.31.16.0 0.0.1.255
access-list 101 permit ip any host 10.70.82.11
access-list 110 permit ip 65.197.232.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip 209.67.131.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip host 8.8.8.8 host 10.82.20.10
access-list 110 permit ip host 4.2.2.1 host 10.82.20.1
access-list 110 permit ip 10.70.82.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip any host 209.67.131.160
access-list 123 permit ip 10.255.66.24 0.0.0.7 172.31.16.0 0.0.1.255
access-list 123 permit ip 10.255.66.24 0.0.0.7 172.31.100.0 0.0.0.255
access-list 123 permit ip 10.255.65.24 0.0.0.7 172.31.16.0 0.0.1.255
access-list 123 permit ip 10.255.65.24 0.0.0.7 172.31.100.0 0.0.0.255
access-list 124 permit tcp any any eq 443
access-list 124 permit ip any host 209.67.131.242
access-list 124 permit udp any any eq domain
access-list 124 permit icmp any any
access-list 124 permit ip any any
route-map Nat permit 10
match ip address 101
set ip next-hop 10.82.20.1
03-08-2019 10:24 AM
Hello,
make the changes marked in bold (after you are finished post the configuration again so we can check):
ip dhcp excluded-address 10.70.82.1 10.70.82.200
ip dhcp excluded-address 10.70.82.251 10.70.82.255
!
ip dhcp pool 10.70.82.0/24
network 10.70.82.0 255.255.255.0
default-router 10.70.82.10
dns-server 8.8.8.8 8.8.4.4
!
interface Loopback1
description For Monitoring
ip address 10.255.66.30 255.255.255.248
!
interface Loopback2
ip address 10.255.65.30 255.255.255.248
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
shutdown
no cdp enable
!
interface FastEthernet2
shutdown
no cdp enable
!
interface FastEthernet3
shutdown
no cdp enable
!
interface FastEthernet4
description WAN Interface
ip address 10.82.20.10 255.255.0.0
--> no ip access-group 110 in
--> no ip access-group 124 out
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache
--> no ip policy route-map Nat
duplex auto
speed auto
no cdp enable
--> no crypto map topac
!
interface Vlan1
description LAN Interface Mapped to Fa0
ip address 10.70.82.10 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
--> no ip policy route-map Nat
!
--> no ip local policy route-map Nat
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat pool custnat 10.255.66.25 10.255.66.25 prefix-length 30
--> no ip nat inside source list 101 pool custnat overload
--> no ip nat inside source list 124 interface FastEthernet4 overload
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 10.70.82.16 10.255.66.26
ip nat outside source static 172.31.16.59 10.70.82.11 no-alias
!
ip route 0.0.0.0 0.0.0.0 10.82.20.1
!
access-list 1 permit 10.70.82.0 0.0.0.255
!
--> no access-list 99
access-list 99 permit 172.31.100.250
access-list 101 deny tcp any host 10.70.82.11 eq telnet
access-list 101 deny tcp any host 10.70.82.11 eq 992
access-list 101 deny tcp any 172.31.16.0 0.0.1.255 eq telnet
access-list 101 deny tcp any 172.31.16.0 0.0.1.255 eq 992
access-list 101 permit ip any 172.31.16.0 0.0.1.255
access-list 101 permit ip any host 10.70.82.11
--> no access-list 110
access-list 110 permit ip 65.197.232.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip 209.67.131.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip host 8.8.8.8 host 10.82.20.10
access-list 110 permit ip host 4.2.2.1 host 10.82.20.1
access-list 110 permit ip 10.70.82.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip any host 209.67.131.160
--> no access-list 123
access-list 123 permit ip 10.255.66.24 0.0.0.7 172.31.16.0 0.0.1.255
access-list 123 permit ip 10.255.66.24 0.0.0.7 172.31.100.0 0.0.0.255
access-list 123 permit ip 10.255.65.24 0.0.0.7 172.31.16.0 0.0.1.255
access-list 123 permit ip 10.255.65.24 0.0.0.7 172.31.100.0 0.0.0.255
!
--> no access-list 124
access-list 124 permit tcp any any eq 443
access-list 124 permit ip any host 209.67.131.242
access-list 124 permit udp any any eq domain
access-list 124 permit icmp any any
access-list 124 permit ip any any
!
--> no route-map Nat permit 10
match ip address 101
set ip next-hop 10.82.20.1
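Added example, not part of either post: a small first-match evaluator for ACL 110 as posted in the question, where it is bound to FastEthernet4 with `ip access-group 110 in`, to check which sources can reach the WAN address before that ACL is removed or re-applied. The function names are hypothetical and the probe address 198.51.100.7 is a constructed sample.

```python
import ipaddress

# ACL 110 exactly as posted in the question (applied inbound on FastEthernet4).
ACL_110 = """\
access-list 110 permit ip 65.197.232.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip 209.67.131.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip host 8.8.8.8 host 10.82.20.10
access-list 110 permit ip host 4.2.2.1 host 10.82.20.1
access-list 110 permit ip 10.70.82.0 0.0.0.255 host 10.82.20.10
access-list 110 permit ip any host 209.67.131.160
"""

def _take_addr(tokens):
    """Consume one IOS address spec; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines (ip protocol only)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        action, rest = tokens[2], tokens[4:]
        entries.append((action, _take_addr(rest), _take_addr(rest), line))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; all other bits must be equal.
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (base | wildcard)

def evaluate(entries, src, dst):
    """First match wins; no match means the implicit deny at the end."""
    for action, src_spec, dst_spec, line in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed probes: packets arriving on the WAN side for 10.82.20.10.
    for src in ("8.8.8.8", "4.2.2.1", "198.51.100.7"):
        print(src, "->", evaluate(parse_acl(ACL_110), src, "10.82.20.10"))
```

Note that the 4.2.2.1 entry names destination 10.82.20.1 rather than 10.82.20.10, so packets from 4.2.2.1 to the WAN address fall through to the implicit deny like any unlisted source.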
03-08-2019 12:37 PM
That worked, thanks for the help and quick response.
03-09-2019 01:53 AM
Hello
@sshultes if @Georg Pauwen's suggested changes worked, could you please rate his post and mark it as solved, to assist others who may have the same issue in the future.
03-09-2019 01:46 AM
Hi,
I am checking your WAN interface configuration and NATing; both seem to be wrong.
As
interface FastEthernet4
description WAN Interface
ip address 10.82.20.10 255.255.0.0
no ip access-group 110 in
no ip access-group 124 out
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache
ip policy route-map Nat
duplex auto
speed auto
no cdp enable
no crypto map topac
NATing Issue:
ip nat pool custnat 10.255.66.25 10.255.66.25 prefix-length 30
no ip nat inside source list 101 pool custnat overload
no ip nat inside source list 124 interface FastEthernet4 overload
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 10.70.82.16 10.255.66.26
ip nat outside source static 172.31.16.59 10.70.82.11 no-alias
ACL Configuration Changes:
No ip access-list extended 101
No ip access-list extended 110
No ip access-list extended 124
Ip access-list standard 1
permit IP 10.70.82.0
Route Map Configuration Changes:
no route-map Nat permit 10
Regards,
Deepak Kumar