Problem with NAT on Cisco 1841 LAB

Murillo Muniz
Level 1

Hi all,

I'm stuck with an issue in my home lab.

Here is the scenario:

I have a router (Cisco 1841) connected to a modem (ISP). The modem from the provider doesn't allow me to create a static route, so I'm using NAT. The router is acting as the DHCP server for my LAN.

My router has two interfaces configured:

Fa0/0 - LAN

 ip address 192.168.0.1 255.255.255.0
 speed 100
 duplex full
 ip nat inside
 no shutdown

Fa0/0/0 - INTERNET (TRANSIT SEGMENT)

 ip address 10.0.0.2 255.255.255.0
 speed 100
 duplex full
 ip nat outside
 no shutdown

On the modem I have the IP 10.0.0.1.

So here is the strange thing:

From the router I can ping google.com (by DNS name and by IP) using both interfaces as source. I can also ping 10.0.0.1 fine. NAT translations for this communication (from the router) work fine.

I have a computer connected directly to Fa0/0. From this computer I can ping 192.168.0.1 and 10.0.0.2, but I can't ping www.google.com (by DNS name or by IP) or 10.0.0.1.

No NAT translations are created.

BUT

Sometimes this communication works, but most of the time it does not work properly. I upgraded the IOS but the issue remains.

I need help with that.

show run is below:

Building configuration...

Current configuration : 3596 bytes
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c1841-advsecurityk9-mz.151-4.M2.bin
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$oyXY$nTSZ0e3otqtYxkaBahO4x/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool LAN
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
 lease 8
!
ip cef
ip domain name muniz
ip name-server 189.40.226.80
ip name-server 189.40.224.80
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3207839765
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3207839765
 revocation-check none
 rsakeypair TP-self-signed-3207839765
!
crypto pki certificate chain TP-self-signed-3207839765
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323037 38333937 3635301E 170D3134 30333031 32303236
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32303738
  33393736 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BD90 7C1EC77C 9B4B6D46 7FABA72B 3AA0CEA7 8BED542C 84D4421F B11E9BA1
  516D971F 6581F72B 4DDE65B6 F206F41B 391A4FBB 159A446E 9AAEA231 D0719E48
  8BB8138C 1C1EE51C 7CDFDBBF 7B70C2FA 1707ED7D 337ACD8C B185C1B3 161FC8A1
  F352E2B4 9977DAF1 D1FDDC13 C05BDD73 2C1D762F 13EA8865 137EC582 50EB7B11
  82AF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 143545F6 909B61E1 641D1922 F11D6218 045ED985 06301D06
  03551D0E 04160414 3545F690 9B61E164 1D1922F1 1D621804 5ED98506 300D0609
  2A864886 F70D0101 05050003 81810028 827EB2AD AFAE6971 B8D355F0 EAEFB265
  3E13C318 E9117DD1 37BC292C 96D819E6 521A7E75 414EBB5D F43AAF13 7FE6840A
  ACA9EBD2 5534C915 FD9C5138 9C0DD6B3 4F18EA19 3D016294 B0C90D2A D51C6528
  264E8FEA 6EC3E5E2 224C4111 DF09EBD7 435E0D93 61ACDF96 54E66AF0 F8E0F0BA
  BC8DBC3C C9EDAF0C E250DB5A 99AF6D
        quit
!
archive
 log config
  hidekeys
username murillo privilege 15 secret 5 deleted
username cisco privilege 15 secret 5 deleted
!
redundancy
!
interface FastEthernet0/0
 description ## CONEXAO LAN ##
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description ## CONEXAO WAN - LIVETIM - 50MB ##
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 speed 100
 full-duplex
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list NAT interface FastEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255 log
 deny   any
!
control-plane
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


6 Replies

Jon Marshall
Hall of Fame

Murillo

Try removing the log keyword from your NAT ACL and retry.

Jon

Tried. But the issue remains.

Accepted Solution

Okay, that usually is the issue.

Can you do a "clear ip nat translations", just in case there are any, and then try using an extended ACL as below. Note it may not work, but I always use an extended ACL for this sort of thing, e.g.

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

No need for any deny statements in your NAT ACL. Then modify the NAT statement.

Alternatively you can, if you want, use a named extended ACL; although I haven't used these with NAT, there is no reason why it wouldn't work.

Jon

Jon,

I applied the following script into my router:

no ip access-list standard NAT
!
no ip nat inside source list NAT interface FastEthernet0/0/0 overload
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat inside source list 101 interface FastEthernet0/0/0 overload
!

Now it's working. But sometimes it behaves like it did before. I'll update this topic to see if the problem was solved.

Can you explain to me why to use an extended ACL instead of a standard one?

Regards.

Murillo

All I can say is that I have always used extended ACLs and NAT has worked for me.

Where I have seen issues is with:

1) using the log keyword in the NAT ACL

2) using "any" instead of specifying the networks in a standard ACL

Another regular poster on these forums has reported issues using "any" as the destination in an extended ACL, but I have never come across that.

Like I say, using an extended ACL where you specify the source IP networks has always worked for me.

Jon

Sajid Ali
Level 1

Murillo,

There is no issue with your configuration; actually the issue is with the connected system, because when you ping google.com with 192.168.0.1 as the source address, it is reachable. So please check your system's DNS IP in the system LAN settings, and also remove this part of your configuration from the router:

dns-server 192.168.0.1
