Internet on LAN

amh4y0001
Level 3

Hi All,

I have a Cisco 871 series router and purchased a dedicated line from the ISP.

I have a LAN setup connected with a Cisco switch, getting IPs from DHCP (192.168.10.10) and gateway (192.168.10.1 -> vlan 1).

Question is how to enable internet on this LAN that has private IPs?

Currently I have configured the router's vlan 1 to have the IP 192.168.10.1.

Accepted Solutions

Can you be more specific ie. how are you testing internet ?

From your client if you ping 8.8.8.8 then what does the router show with "sh ip nat translations" ?

I need more information to help.

Jon

23 Replies

Jon Marshall
Hall of Fame

Presumably you have a public IP on the interface connecting to the ISP ?

If so you need to use NAT eg. -

int vlan 1
ip nat inside

int <x/y>  <-- this connects to ISP
ip nat outside

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 101 interface <x/y> overload

The above assumes you have included the ISP DNS servers in your DHCP configuration.

Jon

Hi and thanks for the reply.

Yes, I have a public IP address, let's call it xx.xy.xz.123

"The above assumes you have included the ISP DNS servers in your DHCP configuration."

1. The ISP didn't provide the DNS but I am using 8.8.8.8

2. Should I configure my DHCP role to use this DNS as well?

That's fine to use as a DNS server.

Whichever way works best for you but your clients will need to have a DNS server to be able to connect to web sites etc.

Jon

Bundle of thanks!

Which logs / commands to use / test / verify if internet connectivity is limited?

Will it affect the VPN setup?

To test just try and connect to a web site.

If it works, fine; if it doesn't, look at "sh ip nat translations".

Yes it may well affect a VPN setup ie. the NAT configuration I gave you will NAT all traffic and you may not want it to be for the VPN.

You may have to exempt the VPN traffic from NAT.

Difficult to say without more details.

Jon

Jon, it's a VPN setup mainly.

You have replied on the thread regarding VPN issues; here are the details of the VPN.

https://supportforums.cisco.com/discussion/12585741/crypto-session-status-can-not-ping-remote-site

Okay, still not sure what is happening with VPN but if you did not want the VPN traffic to be translated which you probably don't you would need to modify the acl above to -

access-list 101 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any

note also I have used the same acl number as you have for your crypto map so you need to use a different number for the NAT acl.

Jon

Thanks for the reply.

Let's make it simple by assuming we have a VPN setup which is up and running.

Now for internet, I do the following on vlan 1 or WAN link?

access-list 102 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

You don't do it on either interface, you use that acl with your NAT statement.

Jon

Hi and thanks for the reply.

I have configured the access list for the VPN on Site A as:

access-list 101 permit ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255

and writing the following won't block the traffic?

access-list 102 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any

It won't block anything if you don't apply it to an interface.

As I said it is used in your NAT statement, the one I gave earlier as an example.

All it does is tell the router which IPs to translate so you don't translate VPN traffic but you do translate everything else ie. internet.

Jon
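
The NAT ACL discussed above, evaluated the way the router uses it (first match wins, wildcard bits are "don't care", and a deny means "do not translate", not "drop"). This is an added example, not part of the original thread; the function names are hypothetical and the remote VPN subnet 172.16.10.0/24 is taken from the crypto ACL quoted in the thread.

```python
import ipaddress

# NAT ACL from the thread, held as a constructed string; the remote VPN
# subnet (172.16.10.0/24) is the one in the crypto ACL quoted in the thread.
NAT_ACL = """\
access-list 102 deny ip 192.168.10.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
"""

def _wild_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def _take_spec(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _take_spec(tok[4:])
        dst, rest = _take_spec(rest)
        if rest:
            raise ValueError(f"trailing tokens: {line}")
        for value in (*src, *dst):
            ipaddress.IPv4Address(value)  # raises ValueError on a malformed address
        rules.append((tok[2], src, dst))
    return rules

def nat_decision(rules, src_ip, dst_ip):
    """First match wins: 'permit' selects the flow for translation, 'deny' exempts it."""
    for action, src, dst in rules:
        if _wild_match(src_ip, *src) and _wild_match(dst_ip, *dst):
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"  # implicit deny: not selected for NAT; this ACL filters nothing
```

Reversing the two lines makes the permit match first, so LAN-to-VPN traffic would be translated and would no longer match the crypto ACL.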

Creating the VPN setup, will check out the ACL shortly.

Hello again,

Now the VPN setup is complete and I have tried to NAT the traffic in order to have internet connectivity, but there is no internet connectivity.

"sh ip nat translations" returned nothing.

Might be a good idea to post your configuration.

Jon