NAT help needed

Michael Durham
Level 4

Up to today I used Verizon 4G to a Windows Vista box running Internet Connection Sharing to get my home lab connected to the Internet. All was working well.

Today I had Hughesnet come and install their service and I can no longer get access to the Internet from my PC network. Funny thing though, my VPN to my office for my IP phone comes up and works just fine. At the router I do have Internet access, which then leads me to believe that my problem is NAT related.

My router is a 2851. 

When I enter PING 4.2.2.2 I get !!!!! but when I enter PING 4.2.2.2 SOURCE 192.168.69.3 I get .....

Here is my config info:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key vpnpassword address 40.197.68.9
crypto isakmp keepalive 30 5 periodic
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile WA-FLA
 set transform-set TS
!
interface Tunnel0
 bandwidth 20000
 ip address 172.30.1.2 255.255.255.252
 ip mtu 1400
 ip nhrp map multicast 40.197.68.9
 ip nhrp map 172.30.1.1 40.197.68.9
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp nhs 172.30.1.1
 ip nhrp registration timeout 20
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 40.197.68.9
 tunnel key 1
 tunnel protection ipsec profile WA-FLA
!
interface GigabitEthernet0/0
 description Router -
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Router - C3524 Port Fa0/20 Trunk
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.69
 encapsulation dot1Q 69
 ip address 192.168.69.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.110
 encapsulation dot1Q 110
 ip address 10.110.0.1 255.255.255.0
 ip helper-address 172.16.2.2
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.115
 encapsulation dot1Q 115
 ip address 10.115.0.1 255.255.255.0
 ip helper-address 172.16.2.2
 ip nat inside
 ip virtual-reassembly in
!
router eigrp 1577
 distribute-list 1577 out Tunnel0
 network 172.30.1.0 0.0.0.3
 network 192.168.3.0
 network 192.168.69.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list NAT_ACL interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 100.75.37.121 254
ip route 10.110.0.0 255.255.255.0 GigabitEthernet0/1
ip route 10.115.0.0 255.255.255.0 GigabitEthernet0/1
ip route 172.16.2.0 255.255.255.252 192.168.69.2
ip route 192.168.50.0 255.255.255.0 192.168.69.2
ip route 192.168.69.0 255.255.255.0 192.168.69.2
ip route 192.168.100.0 255.255.255.0 192.168.69.2
ip route 192.168.125.0 255.255.255.0 192.168.69.2
ip route 192.168.200.0 255.255.255.0 192.168.69.2
!
ip access-list extended NAT_ACL
 deny   ip host 172.30.1.1 any
 permit ip 0.0.0.0 255.255.255.0 any
!
logging 192.168.69.150
access-list 1577 remark Networks advertized to NCL via EIGRP
access-list 1577 permit 192.168.3.0 0.0.0.255
!

Accepted Solutions

Bilal Nawaz
VIP Alumni

Hello, please edit your NAT_ACL to this:
ip access-list extended NAT_ACL
 deny ip 172.30.1.0 0.0.0.3 any
 permit ip any any

Your current ACL says this:

permit ip 0.0.0.0 255.255.255.0 any

which says anything in the first 3 octets, but the last octet must match '0'.
Remember that ACLs deal with wildcard masks too, not normal subnetting.

This is why it may not be working.
Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
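
The wildcard-mask behaviour described in the answer above, as an added example that is not part of the original thread: a small Python evaluator runs both versions of NAT_ACL against source addresses from the posted config. The helper names are hypothetical, and only the source field is parsed because every entry on the page has destination `any`.

```python
import ipaddress

# NAT_ACL entries copied from the thread. Only the source field is parsed;
# every entry on the page has destination "any" (assumption of this example).
ORIGINAL = ["deny   ip host 172.30.1.1 any",
            "permit ip 0.0.0.0 255.255.255.0 any"]
CORRECTED = ["deny ip 172.30.1.0 0.0.0.3 any",
             "permit ip any any"]

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(line):
    """Return (action, base, wildcard) for 'action ip <source> any'."""
    tok = line.split()
    action, src = tok[0], tok[2:]
    if src[0] == "host":            # host A.B.C.D == A.B.C.D 0.0.0.0
        return action, to_int(src[1]), 0
    if src[0] == "any":             # any == 0.0.0.0 255.255.255.255
        return action, 0, 0xFFFFFFFF
    return action, to_int(src[0]), to_int(src[1])

def wildcard_match(addr, base, wildcard):
    """A 1 bit in the wildcard means 'ignore'; a 0 bit must match base."""
    care = ~wildcard & 0xFFFFFFFF
    return (to_int(addr) & care) == (base & care)

def evaluate(acl, src):
    """First matching entry wins; no match falls to the implicit deny."""
    for line in acl:
        action, base, wildcard = parse_entry(line)
        if wildcard_match(src, base, wildcard):
            return action
    return "implicit deny"

if __name__ == "__main__":
    # Addresses from the posted config, plus 192.168.69.0 (constructed) to
    # show the kind of source the original permit entry does match.
    for src in ["192.168.69.3", "192.168.3.1", "10.110.0.1",
                "192.168.69.0", "172.30.1.1", "172.30.1.2"]:
        print(f"{src:<14} original={evaluate(ORIGINAL, src):<14}"
              f" corrected={evaluate(CORRECTED, src)}")
```

With the original entry only sources whose last octet is 0 match, so 192.168.69.3 is never selected for translation.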
