
NAT issues? Can't access internet from inside network?

Shawnw4401

I've been puzzled with this issue for a couple of days now. I am stuck on what the issue might be. The issue is that I can ping from my router, G0/0 and G0/1, to the internet. However, from my PC and switch, I cannot ping the Internet. I am pretty sure everything is configured properly, but here's my configuration for the switch and router:

Router 1:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAN_Router_1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ***********************
!
no aaa new-model
!
no network-clock-participate slot 3
!
dot11 syslog
no ip source-route
!
ip cef
!
!
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
username ********** privilege 15 secret 5 ***********************
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.254.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 115
glbp 100 preempt
duplex auto
speed auto
media-type rj45
!
router ospf 5
router-id 192.168.254.1
network 192.168.0.1 0.0.0.0 area 1
network 192.168.254.1 0.0.0.0 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
!
!
!
!
!
!
control-plane
!
!
!
!

mgcp profile default
!
!
!
!
!
banner login ^C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.


This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
logging synchronous
login local
line aux 0
line vty 0
login local
transport input ssh
transport output ssh
line vty 1 4
login
transport input all
!
scheduler allocate 20000 1000
ntp server 198.60.73.8
ntp server 13.85.70.43
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Router 2:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAN_Router_2
!
boot-start-marker
boot-end-marker
!
!
!card type command needed for slot 1
logging monitor warnings
enable secret 5 ******************
!
no aaa new-model
!
clock timezone CST -5 0
!
dot11 syslog
ip source-route
!
ip cef
!
!
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type inspect global
log dropped-packets enable
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1411592J
username ********************** secret 5 ***********************

!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.254.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.0.2 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 110
duplex auto
speed auto
media-type rj45
!
router ospf 5
router-id 192.168.254.2
network 192.168.0.2 0.0.0.0 area 1
network 192.168.254.2 0.0.0.0 area 0
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SSH
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log
!
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner login ^C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
session-timeout 360
exec-timeout 360 0
password 7 *********************
logging synchronous
login local
line aux 0
login
line vty 0 4
access-class SSH in
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp server 198.60.73.8
ntp server 13.85.70.43
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Switch: 

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
!
username ******privilege 15 secret 5 ***************************
!
!
!
no aaa new-model
clock timezone CST -6
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip routing
ip domain-name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 192.168.254.5 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 17
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/4
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/7
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/8
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/9
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/10
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/11
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/12
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/13
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/14
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/15
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/16
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/17
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/18
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/19
description ## PC ##
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/20
description ## X_BOX ##
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/21
switchport access vlan 94
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/1
switchport access vlan 666
shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 666
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 192.168.0.5 255.255.255.248
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan17
ip address 192.168.17.17 255.255.255.248
!
interface Vlan52
ip address 192.168.52.1 255.255.255.248
!
interface Vlan94
ip address 192.168.94.33 255.255.255.240
!
router ospf 5
router-id 192.168.254.5
log-adjacency-changes
network 192.168.0.5 0.0.0.0 area 1
network 192.168.10.2 0.0.0.0 area 2
network 192.168.17.17 0.0.0.0 area 2
network 192.168.52.1 0.0.0.0 area 2
network 192.168.94.33 0.0.0.0 area 2
network 192.168.254.5 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip http server
no ip http secure-server
!
!
ip access-list extended SSH_IN
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log
!
!
banner login ^C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.
All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.
Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.
All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
session-timeout 60
exec-timeout 60 0
logging synchronous
login local
line vty 0
access-class SSH_IN in
login local
line vty 1 4
access-class SSH_IN in
login
line vty 5 15
access-class SSH_IN in
login
!
ntp server 198.60.73.8
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager environment suspend_ports_days 7
event manager directory user policy "flash:/policies/"
event manager session cli username "stw"
event manager policy sl_suspend_ports.tcl
event manager policy tm_suspend_ports.tcl
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Hello,

I think the problem is with your GLBP configuration. Try to configure host dependent load balancing (do that on the other GLBP router as well):

interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 115
glbp 100 preempt

glbp 100 load-balancing host-dependent 
duplex auto
speed auto
media-type rj45

Gpauwen,

Thanks for pointing out the host-dependent for me. I did forget to add it when I was setting up glbp, but unfortunately, that wasn't the issue to this problem. Here were the results:

LAN_Router_2#show run int g0/1
Building configuration...

Current configuration : 280 bytes
!
interface GigabitEthernet0/1
ip address 192.168.0.2 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 110
glbp 100 load-balancing host-dependent
duplex auto
speed auto
media-type rj45
end

LAN_Router_2#ping google.com source 192.168.0.2
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.151, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/17/20 ms
LAN_Router_2#exit

[Connection to 192.168.0.4 closed by foreign host]
LAN_Switch#ping google.com source vl 5

Translating "google.com"...domain server (8.8.8.8) (8.8.4.4)
^
% Invalid input detected at '^' marker.

LAN_Switch#show int vl 5
Vlan5 is up, line protocol is up
Hardware is EtherSVI, address is 001a.2f87.b641 (bia 001a.2f87.b641)
Internet address is 192.168.0.5/29
MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:07, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
131670 packets input, 12246694 bytes, 0 no buffer
Received 0 broadcasts (9930 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
52020 packets output, 5077358 bytes, 0 underruns
0 output errors, 2 interface resets
0 output buffer failures, 0 output buffers swapped out
LAN_Switch#


Hello,

I am not sure if the syntax is right:

LAN_Switch#ping google.com source vl 5

try

LAN_Switch#ping google.com source 192.168.0.5

gpauwen,

I get the same error when typing the IP address into the syntax. 

LAN_Switch#ping google.com source 192.168.0.5

Translating "google.com"...domain server (8.8.8.8) (8.8.4.4)
^
% Invalid input detected at '^' marker.

Hello,

Can you do an extended traceroute with 192.168.0.5 as the source? I am curious to know where the address is being routed...

gpauwen,

Sure, when I did an extended traceroute, here was my result:

LAN_Switch#traceroute
Protocol [ip]:
Target IP address: 8.8.8.8
Source address: 192.168.0.5
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 8.8.8.8

1 192.168.0.3 0 msec 0 msec 0 msec
2 * !H *

LAN_Switch#

What device is 192.168.0.3 configured on? It is not one of the routers or the switch...

gpauwen,

Not really sure why it went to 192.168.0.3, but I'll post its configuration. It's part of the glbp as well. The router was down when I was posting.

version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAN_Router_3
!
boot-start-marker
boot-end-marker
!
!
enable secret ***************
!
no aaa new-model
!
no network-clock-participate slot 3
!
dot11 syslog
no ip source-route
!
!
!
ip cef
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1050590C
username ****** privilege 15 secret *****************
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.254.3 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
no ip virtual-reassembly in
duplex full
speed 100
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.0.3 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 105
glbp 100 load-balancing host-dependent
duplex auto
speed auto
media-type rj45
!
router ospf 5
router-id 192.168.254.3
network 192.168.0.3 0.0.0.0 area 1
network 192.168.254.3 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SSH_IN
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log
!
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
!
!
!
!
!
control-plane
!
!
banner login ^C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
session-timeout 180
logging synchronous
login local
line aux 0
line vty 0
session-timeout 180
access-class SSH_IN in
logging synchronous
login local
transport input ssh
transport output ssh
line vty 1 4
session-timeout 180
access-class SSH_IN in
login
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp server 198.60.73.8
ntp server 13.85.70.43
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"
!


Some more useful information, maybe? I did a show ip nat translation of the three routers. Here was the finding:

Router 1:

LAN_Router_1#ping google.com source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.153, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
LAN_Router_1#show ip nat trans
LAN_Router_1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 24.***.***.***:22 192.168.0.1:22 192.168.0.3:59415 192.168.0.3:59415

Router 2:

LAN_Router_2#ping google.com source 192.168.0.2
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.155, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/18/20 ms
LAN_Router_2#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 24.***.***.***:0 192.168.0.2:0 24.220.112.155:0 24.220.112.155:0

Router 3:

LAN_Router_3#ping google.com source 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.24, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
LAN_Router_3#show ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 96.***.***.***:3 192.168.0.3:3 24.220.112.24:3 24.220.112.24:3
LAN_Router_3#

Hello,

How is the switch connected to the router, that is, what interfaces on both devices are being used?

Gpauwen,

The interfaces of how the devices are connected:

Internet <- GigabitEthernet0/0 Router 1: GigabitEthernet0/1 -> Switch FastEthernet1/0/22

Internet <- GigabitEthernet0/0 Router 2: GigabitEthernet0/1 -> Switch FastEthernet1/0/23

Internet <- GigabitEthernet0/0 Router 3: GigabitEthernet0/1 -> Switch FastEthernet1/0/24

Not sure what was really wrong with my access-list, but that seemed to be the problem. 

Here's what my access-list looked like:
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log

Here's what I changed it to:
access-list 10 permit 192.168.0.0 0.0.255.255

Can someone elaborate on what the issue is with my previous access-list? Also, if I use the same access-list 10 permit 192.168.0.0 0.0.255.255 with a log and access-list 10 deny any log, I will get the same result of no internet access. 

Well, I totally forgot about the 'log' keyword and NAT:

Does Cisco IOS NAT support ACLs with a "log" keyword?

A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html

So your problem is not the wildcard mask, but the 'log' command...
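
The point of the answer above, as an added example (not code from the thread or from Cisco): a Python check that finds the ACLs a config uses for dynamic NAT and reports entries carrying `log`, which the quoted FAQ says NAT does not support. It goes slightly further and evaluates which source addresses a standard ACL selects, since the thread weighed the wildcard masks as a cause; the sample config is constructed from the posted lines, and all function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the NAT rule and ACL lines as posted in the router configs.
SAMPLE_CONFIG = """\
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip access-list extended SSH
 permit tcp host 192.168.52.2 any eq 22 log
 deny ip any any log
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
"""

LOG_KEYWORDS = {"log", "log-input"}
NAT_RE = re.compile(r"^ip nat inside source list (\S+)")
NUMBERED_RE = re.compile(r"^access-list (\d+) (.+)$")
NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
ENTRY_RE = re.compile(r"^(?:\d+ )?(?:permit|deny)\b")


def parse_acls(config):
    """Return {acl_name: [entry, ...]} for numbered and named ACLs."""
    acls, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := NUMBERED_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif m := NAMED_RE.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif current and ENTRY_RE.match(line):
            acls[current].append(line)   # entry of the named ACL being read
        else:
            current = None               # any other line ends the named ACL
    return acls


def nat_acl_names(config):
    """ACLs referenced by 'ip nat inside source list <acl> ...'."""
    return {m.group(1) for line in config.splitlines()
            if (m := NAT_RE.match(line.strip()))}


def logged_nat_entries(config):
    """(acl, entry) pairs that NAT depends on and that carry a log keyword."""
    acls = parse_acls(config)
    return [(name, entry)
            for name in sorted(nat_acl_names(config))
            for entry in acls.get(name, [])
            if LOG_KEYWORDS & set(entry.split())]


def strip_log(entry):
    """The same ACL entry without its log keyword."""
    return " ".join(t for t in entry.split() if t not in LOG_KEYWORDS)


def _matches(tokens, ip):
    """Standard-ACL source match; wildcard-mask 1 bits mean 'don't care'."""
    if tokens[0] == "any":
        return True
    if tokens[0] == "host":
        tokens = tokens[1:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def standard_acl_action(entries, ip):
    """First-match action of a standard ACL for one source address."""
    for entry in entries:
        tokens = strip_log(entry).split()
        if tokens[0].isdigit():          # drop a leading sequence number
            tokens = tokens[1:]
        if _matches(tokens[1:], ip):
            return tokens[0]
    return "deny"                        # implicit deny that ends every ACL
```

The SSH ACL also uses `log`, but it is applied with access-class rather than referenced by a NAT rule, so only the five ACL 10 entries are reported.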

Gpauwen,

I appreciate that little inside note. I never knew that. I could have sworn my ACL always had a deny any log and worked. (Apparently not.) Thanks for all your help with this issue; it is greatly appreciated, and I even learned something new. The wonders of troubleshooting.
