
ip nat problem

hi all,

I use a Cisco router, and my computer server can't connect to the internet. The router gets an IP address from the firewall via DHCP. From the router, I can also ping the DNS IP, but I can't ping the domain name server.

 

Below is my Cisco "show run":

Router
========================

Building configuration...
Current configuration : 3025 bytes

cwmp
!
vlan 1
!
vlan 10
 name VLAN-MGMT
!
vlan 16
 name VLAN_DMZ
!
vlan 20
 name VLAN-WIFI
!
!
no service password-encryption
service dhcp
!
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.20.1 192.168.20.9
ip dhcp excluded-address 172.16.10.1 172.16.10.9
!
!
ip dhcp pool User_Pool
 network 192.168.10.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.10.1
!
ip dhcp pool User_Pool_20
 network 192.168.20.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.20.1
!
ip dhcp pool DMZ_Pool
 network 172.16.10.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 172.16.10.1
!
control-plane
!
control-plane protocol
 acpp bw-rate 1250 bw-burst-rate 2500
!
control-plane manage
 port-filter
 arp-car 5
 acpp bw-rate 1250 bw-burst-rate 2500
!
control-plane data
 glean-car 5
 acpp bw-rate 1250 bw-burst-rate 2500
!
enable secret 5 $1$mniP$pC9F4FzyuA3Dxyvx
enable service web-server http
enable service web-server https
!
interface GigabitEthernet 0/0
 ip nat outside
 ip address dhcp
 duplex auto
 speed auto
!
interface GigabitEthernet 0/1
 duplex auto
 speed auto
!
interface GigabitEthernet 0/2
 duplex auto
 speed auto
!
interface GigabitEthernet 0/3
 duplex auto
 speed auto
!
interface GigabitEthernet 1/0
!
interface GigabitEthernet 1/1
 switchport mode trunk
!
interface GigabitEthernet 1/2
!
interface GigabitEthernet 1/3
!
interface GigabitEthernet 1/4
!
interface GigabitEthernet 1/5
!
interface GigabitEthernet 1/6
!
interface GigabitEthernet 1/7
!
interface GigabitEthernet 1/8
!
interface GigabitEthernet 1/9
!
interface GigabitEthernet 1/10
!
interface GigabitEthernet 1/11
!
interface GigabitEthernet 1/12
!
interface GigabitEthernet 1/13
!
interface GigabitEthernet 1/14
!
interface GigabitEthernet 1/15
!
interface GigabitEthernet 1/16
!
interface GigabitEthernet 1/17
!
interface GigabitEthernet 1/18
!
interface GigabitEthernet 1/19
!
interface GigabitEthernet 1/20
!
interface GigabitEthernet 1/21
!
interface GigabitEthernet 1/22
!
interface GigabitEthernet 1/23
!
interface VLAN 1
 ip address 192.168.1.1 255.255.255.0
!
interface VLAN 10
 ip nat inside
 ip address 192.168.10.1 255.255.255.0
!
interface VLAN 16
 ip nat inside
 ip address 172.16.10.1 255.255.255.0
!
interface VLAN 20
 ip nat inside
 ip address 192.168.20.1 255.255.255.0
!
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
end


switch-1
===========================

Building configuration...
Current configuration: 2524 bytes

!
no spanning-tree
!
cwmp
!
sysmac 0074.9c14.605f
!
nfpp
!
no service password-encryption
!
redundancy
!
no zam
!
vlan 10
 name VLAN_MGMT
!
vlan 16
 name VLAN_DMZ
!
vlan 20
 name VLAN-WIFI
!
vlan 1
!
interface GigabitEthernet 0/1
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/2
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/3
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/4
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/5
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/6
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/7
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/8
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/9
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/10
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/11
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/12
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/13
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/14
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/15
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/16
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/17
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/18
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/19
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/20
 switchport access vlan 10
 poe enable
!
interface GigabitEthernet 0/21
 switchport access vlan 20
 poe enable
!
interface GigabitEthernet 0/22
 switchport access vlan 20
 poe enable
!
interface GigabitEthernet 0/23
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/24
 switchport mode trunk
 poe enable
!
interface TenGigabitEthernet 0/25
!
interface TenGigabitEthernet 0/26
!
interface TenGigabitEthernet 0/27
!
interface TenGigabitEthernet 0/28
!
interface VLAN 10
 ip address 192.168.10.2 255.255.255.0
!
interface VLAN 16
 ip address 172.16.10.3 255.255.255.0
!
interface VLAN 20
 ip address 192.168.20.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.20.1
!
line console 0
line vty 0 4
 login
!
end



SWITCH-2
================================

Building configuration...
Current configuration: 2340 bytes
!
no spanning-tree
!
cwmp
!
sysmac 0074.9c71.70cf
!
nfpp
!
no service password-encryption
!
redundancy
!
no zam
!
vlan 16
 name DMZ
!
vlan 1
!
interface GigabitEthernet 0/1
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/2
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/3
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/4
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/5
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/6
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/7
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/8
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/9
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/10
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/11
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/12
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/13
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/14
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/15
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/16
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/17
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/18
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/19
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/20
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/21
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/22
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/23
 switchport access vlan 16
 poe enable
!
interface GigabitEthernet 0/24
 switchport access vlan 16
 poe enable
!
interface TenGigabitEthernet 0/25
!
interface TenGigabitEthernet 0/26
!
interface TenGigabitEthernet 0/27
!
interface TenGigabitEthernet 0/28
!
interface VLAN 16
 ip address 172.16.10.4 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
line console 0
line vty 0 4
 login
!
end

 

thanks for your reply.

 


Seb Rupik
VIP Alumni

Hi there,

firstly try adding the following config to the router:

!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.10.0 0.0.0.255
 permit 172.16.10.0 0.0.0.255
 permit 192.168.20.0 0.0.0.255
!

What device is 10.1.1.1 ?

 

cheers,

Seb.

 

Thank you, your solution works for me. Now my computer server can access the internet.
But what interface is used on the firewall to allow traffic from WAN to LAN?
As an example:

xxx.xxx.xxx.xx:443 is directed to the computer server's ip address 172.16.10.12:443

thanks.

Try:

!
ip nat inside source static tcp 172.16.10.12 443 interface gi0/0 443 ext
!

cheers,

Seb.

 

hi, i'm trying

ip nat inside source static tcp 172.16.10.12 443 interface gi0/0 443 ext

I got this:

ip nat inside source static tcp 172.16.10.12 443 interface gi0/0 443 ext
                                                                                                       ^
% Invalid input detected at '^' marker.

Hello,

 

The 'extendable' keyword is not supported when you use the syntax you have posted. What are you trying to accomplish?

I want to access the computer server from the WAN, as an example:

 

xxxx.xxx.xxx.xx:8080 directed to the private ip address 172.16.10.10 on port 443

 

detailed in this forum:

 

https://community.spiceworks.com/topic/2254023-failed-to-access-lan-on-port-80-of-wan

 

thank you.

 

Hello
You don't require L3 interfaces on all 3 devices; having them just on the router would be fine.
So remove the L3 addressing/ip routing from the switches apart from the mgt vlan interface and just have them run as host switches with a default gateway pointing to the rtr's L3 address of the mgt vlan.

The trunks between the two switches need to allow all applicable vlans to traverse their interconnect, and so does the trunk from the switch towards the router.

On the router make the following changes:
conf t
no ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 172.16.10.0 0.0.0.255
ip nat inside source list 1 interface gig0/0


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
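
A config check for the gap both answers in this thread close: interfaces tagged `ip nat inside` / `ip nat outside` with no translation rule, or an inside subnet missing from the NAT ACL (named or numbered). This is an added example, not code from the thread; `audit_nat`, `wildcard_net`, `BROKEN` and `FIXED` are hypothetical names, and the sample is a constructed excerpt of the router config posted above.

```python
import ipaddress
import re

def wildcard_net(addr, wild):  # Cisco wildcard mask -> network; assumes a contiguous mask
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def audit_nat(config):
    role, net, acls, rules = {}, {}, {}, []
    iface = acl = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # a top-level line ends any sub-mode
            iface = acl = None
        if m := re.match(r"interface (.+)", line):
            iface = m[1]
        elif m := re.match(r"ip access-list standard (\S+)", line):
            acl = acls.setdefault(m[1], [])    # acl is this ACL's list of permitted networks
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append(wildcard_net(m[2], m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) interface", line):
            rules.append(m[1])
        elif acl is not None and (m := re.match(r"permit (\S+) (\S+)", line)):
            acl.append(wildcard_net(m[1], m[2]))
        elif iface and line in ("ip nat inside", "ip nat outside"):
            role[iface] = line.split()[-1]
        elif iface and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            net[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    findings = []
    if "inside" in role.values() and not rules:
        findings.append("interfaces are marked for NAT but no 'ip nat inside source' rule exists")
    findings += [f"NAT rule references undefined ACL {r}" for r in rules if r not in acls]
    permitted = [n for r in rules for n in acls.get(r, [])]
    for name, r in role.items():
        if rules and r == "inside" and name in net and not any(net[name].subnet_of(p) for p in permitted):
            findings.append(f"{name} ({net[name]}) is not permitted by any NAT ACL")
    return findings

# Constructed excerpt of the router config from the thread (one inside VLAN kept)
BROKEN = """interface GigabitEthernet 0/0
 ip nat outside
 ip address dhcp
interface VLAN 16
 ip nat inside
 ip address 172.16.10.1 255.255.255.0
"""
FIXED = BROKEN + """ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip access-list standard NAT
 permit 172.16.10.0 0.0.0.255
"""
```

`audit_nat(BROKEN)` reports the missing translation rule, and `audit_nat(FIXED)` returns an empty list.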