
NAT issues? Can't access internet from inside network?

Shawnw4401
Level 1

I've been puzzled with this issue for a couple of days now. I am stuck on what the issue might be. The issue is that I can ping from my router, G0/0 and G0/1, to the internet. However, from my PC and switch, I cannot ping the Internet. I am pretty sure everything is configured properly, but here's my configuration for the switch and router:

Router 1:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAN_Router_1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ***********************
!
no aaa new-model
!
no network-clock-participate slot 3
!
dot11 syslog
no ip source-route
!
ip cef
!
!
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC105013BA
username ********** privilege 15 secret 5 ***********************
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.254.1 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 115
glbp 100 preempt
duplex auto
speed auto
media-type rj45
!
router ospf 5
router-id 192.168.254.1
network 192.168.0.1 0.0.0.0 area 1
network 192.168.254.1 0.0.0.0 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
!
!
!
!
!
!
control-plane
!
!
!
!

mgcp profile default
!
!
!
!
!
banner login ^C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.


This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
logging synchronous
login local
line aux 0
line vty 0
login local
transport input ssh
transport output ssh
line vty 1 4
login
transport input all
!
scheduler allocate 20000 1000
ntp server 198.60.73.8
ntp server 13.85.70.43
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Router 2:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname LAN_Router_2
!
boot-start-marker
boot-end-marker
!
!
!card type command needed for slot 1
logging monitor warnings
enable secret 5 ******************
!
no aaa new-model
!
clock timezone CST -5 0
!
dot11 syslog
ip source-route
!
ip cef
!
!
!
!
ip domain name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
parameter-map type inspect global
log dropped-packets enable
!
voice-card 0
!
!
!
!
!
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO3845-MB sn FOC1411592J
username ********************** secret 5 ***********************

!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.254.2 255.255.255.255
!
interface GigabitEthernet0/0
ip address dhcp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.0.2 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 110
duplex auto
speed auto
media-type rj45
!
router ospf 5
router-id 192.168.254.2
network 192.168.0.2 0.0.0.0 area 1
network 192.168.254.2 0.0.0.0 area 0
!
ip default-gateway 192.168.0.1
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended SSH
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log
!
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
banner login ^C
W A R N I N G

THIS IS A PRIVATE COMPUTER SYSTEM.

This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.

All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.

Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.

All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.

Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
session-timeout 360
exec-timeout 360 0
password 7 *********************
logging synchronous
login local
line aux 0
login
line vty 0 4
access-class SSH in
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
ntp server 198.60.73.8
ntp server 13.85.70.43
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Switch: 

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
!
username ****** privilege 15 secret 5 ***************************
!
!
!
no aaa new-model
clock timezone CST -6
switch 1 provision ws-c3750-24ts
system mtu routing 1500
ip routing
ip domain-name MyTestLab.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
!
!
!
spanning-tree mode rapid-pvst
spanning-tree logging
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
interface Loopback0
ip address 192.168.254.5 255.255.255.255
!
interface FastEthernet1/0/1
switchport access vlan 17
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/4
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/5
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/6
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/7
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/8
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/9
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/10
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/11
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/12
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/13
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/14
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/15
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/16
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/17
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/18
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/19
description ## PC ##
switchport access vlan 10
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/20
description ## X_BOX ##
switchport access vlan 666
switchport mode access
shutdown
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/21
switchport access vlan 94
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet1/0/22
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/23
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/24
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/1
switchport access vlan 666
shutdown
!
interface GigabitEthernet1/0/2
switchport access vlan 666
shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan5
ip address 192.168.0.5 255.255.255.248
!
interface Vlan10
ip address 192.168.10.2 255.255.255.0
!
interface Vlan17
ip address 192.168.17.17 255.255.255.248
!
interface Vlan52
ip address 192.168.52.1 255.255.255.248
!
interface Vlan94
ip address 192.168.94.33 255.255.255.240
!
router ospf 5
router-id 192.168.254.5
log-adjacency-changes
network 192.168.0.5 0.0.0.0 area 1
network 192.168.10.2 0.0.0.0 area 2
network 192.168.17.17 0.0.0.0 area 2
network 192.168.52.1 0.0.0.0 area 2
network 192.168.94.33 0.0.0.0 area 2
network 192.168.254.5 0.0.0.0 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip http server
no ip http secure-server
!
!
ip access-list extended SSH_IN
permit tcp host 192.168.52.2 any eq 22 log
permit tcp 192.168.10.0 0.0.0.255 any eq 22 log
permit tcp host 192.168.17.18 any eq 22 log
permit tcp host 192.168.0.1 any eq 22 log
permit tcp host 192.168.0.2 any eq 22 log
permit tcp host 192.168.0.3 any eq 22 log
permit tcp host 192.168.0.5 any eq 22 log
deny ip any any log
!
!
banner login ^C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for
authorized used.
All computer systems may be monitored for all lawful purposes, including
to ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security.
Monitoring includes active attacks by authorized personnel and their
entities to test or verify the security of the system. During monitoring,
information may be examined, recorded, copied and used for authorized
purposes.
All information including personal information, placed on or sent over
this system may be monitored. Uses of this system, authorized or
unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of
any such unauthorized use collected during monitoring may be used for
administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
^C
!
line con 0
session-timeout 60
exec-timeout 60 0
logging synchronous
login local
line vty 0
access-class SSH_IN in
login local
line vty 1 4
access-class SSH_IN in
login
line vty 5 15
access-class SSH_IN in
login
!
ntp server 198.60.73.8
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager environment suspend_ports_days 7
event manager directory user policy "flash:/policies/"
event manager session cli username "stw"
event manager policy sl_suspend_ports.tcl
event manager policy tm_suspend_ports.tcl
event manager applet SaveRunConfig
event timer cron cron-entry "0 0 * * *"
action 1.0 cli command "enable"
action 2.0 cli command "write memory"

Glad that it got resolved. The issue has been around forever, that is probably why I had forgotten about it...:)

Hello,

To be honest, I am not sure if your setup is going to work. Your switch has effectively been turned into a router by turning on 'ip routing'. I am taking a wild guess now, but try to configure interface Vlan 5 on the switch with 'ip nat inside' or 'ip nat enable'.

Gpauwen,

I appreciate your help through this whole process. The issue was in the access-list. However, I did not see anything wrong with my access-list. Did you?
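
The following is an added example, not part of any poster's reply and not a statement of what the fix in this thread was. It evaluates the posted `access-list 10` against the switch's SVI addresses using first-match, wildcard-mask semantics, to show which inside sources the `ip nat inside source list 10 ... overload` rule would translate. The function names are assumptions of this example; the ACL lines and addresses are copied from the configurations above.

```python
from ipaddress import IPv4Address

# ACL 10 and the switch SVI addresses, copied from the configurations posted above.
ACL_10 = """\
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
"""
SVI_ADDRESSES = {"Vlan5": "192.168.0.5", "Vlan10": "192.168.10.2",
                 "Vlan17": "192.168.17.17", "Vlan52": "192.168.52.1",
                 "Vlan94": "192.168.94.33"}


def parse_standard_acl(text):
    """Return [(action, base, wildcard)] with addresses as integers."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        args = [t for t in tokens[3:] if t != "log"]
        if args[0] == "any":
            base, wildcard = 0, 0xFFFFFFFF
        elif args[0] == "host":
            base, wildcard = int(IPv4Address(args[1])), 0
        else:
            # No wildcard on a standard ACL entry means a single host.
            base = int(IPv4Address(args[0]))
            wildcard = int(IPv4Address(args[1])) if len(args) > 1 else 0
        entries.append((tokens[2], base, wildcard))
    return entries


def evaluate(entries, source):
    """First matching entry wins; bits set in the wildcard are ignored."""
    addr = int(IPv4Address(source))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF
        if (addr & care) == (base & care):
            return action
    return "deny"  # implicit deny at the end of every ACL


def nat_eligibility(acl_text=ACL_10, sources=SVI_ADDRESSES):
    """Map each source name to the action ACL 10 returns for its address."""
    entries = parse_standard_acl(acl_text)
    return {name: evaluate(entries, ip) for name, ip in sources.items()}
```

With the posted configuration, Vlan10 (192.168.10.2) and Vlan17 (192.168.17.17) fall through to `deny any`, so traffic sourced from those addresses is not selected for translation by the overload rule.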