03-01-2014 04:39 PM - edited 03-04-2019 10:28 PM
Hi all,
I'm stuck with an issue with my home lab.
Here is the scenario:
I have a router (Cisco 1841) connected to a modem (ISP). The modem from the provider doesn't allow me to create a static route, so I'm using NAT. The router is acting as the DHCP server for my LAN.
My router has two interfaces configured:
Fa0/0 - LAN
ip address 192.168.0.1 255.255.255.0
speed 100
duplex full
ip nat inside
no shutdown
Fa0/0/0 - INTERNET (TRANSIT SEGMENT)
ip address 10.0.0.2 255.255.255.0
speed 100
duplex full
ip nat outside
no shutdown
On the modem i have the ip 10.0.0.1
So here is the strange thing:
From the router I can ping google.com (DNS and IP) using both interfaces as source. I can also ping 10.0.0.1 fine. NAT translations for this communication (FROM THE ROUTER) work fine.
I have a computer connected directly to Fa0/0. From this computer I can ping 192.168.0.1 and 10.0.0.2. But I can't ping www.google.com (DNS and IP) or 10.0.0.1.
No NAT translations are created.
BUTTTTTTTTTTTT
Sometimes this communication works, but most of the time it doesn't work properly. I upgraded the IOS but the issue remains.
Need help with that.
Sh run is below:
Building configuration...
Current configuration : 3596 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M2.bin
boot-end-marker
!
!
logging buffered 4096
enable secret 5 $1$oyXY$nTSZ0e3otqtYxkaBahO4x/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool LAN
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
lease 8
!
!
!
ip cef
ip domain name muniz
ip name-server 189.40.226.80
ip name-server 189.40.224.80
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3207839765
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3207839765
revocation-check none
rsakeypair TP-self-signed-3207839765
!
!
crypto pki certificate chain TP-self-signed-3207839765
certificate self-signed 01
quit
!
!
archive
log config
hidekeys
username murillo privilege 15 secret 5 deleted
username cisco privilege 15 secret 5 deleted
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description ## CONEXAO LAN ##
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
speed 100
full-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
description ## CONEXAO WAN - LIVETIM - 50MB ##
ip address 10.0.0.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
speed 100
full-duplex
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255 log
deny any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous
login local
transport input telnet ssh
line vty 5 15
logging synchronous
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
03-02-2014 10:06 AM
Murillo
Try removing the log keyword from your NAT acl and retry.
Jon
03-02-2014 11:01 AM
Tried. But the issue remains.
03-02-2014 11:15 AM
Okay, that usually is the issue.
Can you do a "clear ip nat translations" just in case there are any, and then try using an extended ACL as below. Note it may not work, but I always use an extended ACL for these sorts of things, e.g.
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
No need for any deny statements in your NAT ACL. Then modify the NAT statement.
Alternatively you can, if you want, use a named extended ACL. Although I haven't used these with NAT, there is no reason why it wouldn't work.
Jon
03-02-2014 11:40 AM
Jon,
I applied the following script into my router:
no ip access-list standard NAT
!
no ip nat inside source list NAT interface FastEthernet0/0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet0/0/0 overload
!
Now it's working. But sometimes it worked like it was before. I'll update this topic to see if the problem was solved.
Can you explain to me why to use an extended ACL instead of a standard one?
Regards.
03-02-2014 02:45 PM
Murillo
All I can say is that I have always used extended ACLs and NAT has worked for me.
Where I have seen issues is with:
1) using the log keyword in the NAT ACL
2) using "any" instead of specifying the networks in a standard ACL
Another regular poster on these forums has reported issues using "any" as the destination in an extended ACL, but I have never come across that.
Like I say, using an extended ACL where you specify the source IP networks has always worked for me.
Jon
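As an added example (not from the thread or any poster), a small Python checker that flags the NAT ACL problems Jon lists: the log keyword, explicit deny entries, and a standard rather than extended ACL. The two config excerpts are constructed from the thread's before and after configurations; the parser is a minimal heuristic for these line shapes, not a full IOS parser.

```python
import re

# Constructed excerpts of the thread's IOS config: the original standard ACL
# with "log", and the extended ACL that replaced it.
BEFORE = """\
ip nat inside source list NAT interface FastEthernet0/0/0 overload
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255 log
 deny any
"""
AFTER = """\
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet0/0/0 overload
"""

def parse_acls(config):
    """Return {acl_name: [entry lines]} for numbered and named ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"access-list (\S+) (.+)", stripped)
        if m:  # numbered ACL: one entry per line, name in the line itself
            acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
            continue
        m = re.match(r"ip access-list (standard|extended) (\S+)", stripped)
        if m:  # named ACL: the permit/deny entries follow on later lines
            current = m.group(2)
            acls.setdefault(current, [])
            continue
        if current and stripped.split(" ")[0] in ("permit", "deny"):
            acls[current].append(stripped)  # works whether or not the paste kept indentation
        elif not line.startswith(" "):
            current = None  # "!" or any other top-level command ends the named ACL
    return acls

def check_nat_acls(config):
    """Return findings for every ACL referenced by 'ip nat inside source list'."""
    findings, acls = [], parse_acls(config)
    for m in re.finditer(r"^ip nat inside source list (\S+)", config, re.M):
        name, entries = m.group(1), acls.get(m.group(1))
        if entries is None:
            findings.append(f"{name}: NAT references an ACL that is not defined")
            continue
        if any(re.search(r"\blog\b", e) for e in entries):
            findings.append(f"{name}: 'log' keyword in NAT ACL (breaks translation)")
        if any(e.startswith("deny") for e in entries):
            findings.append(f"{name}: deny entries are unnecessary in a NAT ACL")
        # Heuristic: extended entries name a protocol right after permit/deny.
        if not any(re.match(r"(permit|deny) (ip|tcp|udp|icmp|gre|esp) ", e) for e in entries):
            findings.append(f"{name}: standard ACL; prefer an extended ACL with explicit sources")
    return findings
```

Running check_nat_acls(BEFORE) reports all three issues for ACL NAT; check_nat_acls(AFTER) reports none.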
03-03-2014 03:13 AM
Murillo,
There is no issue with your configuration; actually the issue is with the connected system, because when you ping google.com via 192.168.0.1 as the source address, it's reachable. So please check your system's DNS IP in the system LAN settings, and also remove this part of your configuration from the router:
dns-server 192.168.0.1