04-11-2019 04:43 PM
Hi guys, I need some help. Still new to Cisco and learning. I have configured a local area network with an ISP. Everything is working. All hosts in my LAN can contact the "google" web server behind the ISP with its public IP address. I created an ACL to block, or to not translate, the 192.168.1.0/27 network when going out to the "internet" or when contacting the web server, but the hosts can still contact the server. I don't know what I am doing wrong in creating the ACL, or whether I have to apply it to the subinterface or to the main router which is connected to the ISP.
04-11-2019 05:29 PM - edited 04-11-2019 07:49 PM
Hi @Tuff ,
Try these configurations in your border router:
In the configured networks I kept the Sales network to perform ACL operation tests.
In ACL deny-Sales, deny the Sales network and allow all others.
Then, you should only apply this ACL to the two internal interfaces.
Regards
PS:
I think you are missing some configurations:
-You must apply NAT to the interfaces of your border router:
Interface to ISP: ip nat outside
Internal interfaces: ip nat inside
-The default route must be propagated by the RIP protocol (the one you are using) using the command: default-information originate.
If you still have doubts, you could compress your exercise (using WinZip, for example) and attach it.
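The following border-router configuration is an added example, not the original poster's file or the answering member's attachment. It puts the pieces from this thread together: an ACL that decides which traffic is translated, the deny-Sales ACL that actually blocks the Sales network, ip nat inside/outside on the right interfaces, and the RIP default route. Interface names, VLAN ids, the 203.0.113.0/30 ISP link and the second internal subnet 192.168.1.32/27 are assumptions; only the Sales network 192.168.1.0/27 comes from the thread.

```cisco
! Added example (assumed topology): Gi0/0.10 = Sales 192.168.1.0/27 (from the thread),
! Gi0/0.20 = second internal subnet 192.168.1.32/27 (assumed), Serial0/0/0 faces the ISP.
!
! 1. NAT scope. Excluding Sales from this list is NOT a block: its packets still
!    leave Serial0/0/0 untranslated, and they reach the web server whenever the
!    ISP accepts and routes private sources (the behaviour the question describes).
ip access-list standard NAT-INSIDE
 deny   192.168.1.0 0.0.0.31
 permit 192.168.1.32 0.0.0.31
!
ip nat inside source list NAT-INSIDE interface Serial0/0/0 overload
!
! 2. The real block: deny Sales, permit everyone else.
!    Applied inbound on the internal interfaces the router drops the packets
!    before routing them. The extra permit keeps Sales able to reach the other
!    internal subnets (assumed requirement); remove it if Sales should be
!    isolated completely.
ip access-list extended deny-Sales
 permit ip 192.168.1.0 0.0.0.31 192.168.0.0 0.0.255.255
 deny   ip 192.168.1.0 0.0.0.31 any
 permit ip any any
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.224
 ip nat inside
 ip access-group deny-Sales in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.1.33 255.255.255.224
 ip nat inside
 ip access-group deny-Sales in
!
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 ! Alternative placement, as used by the poster: "ip access-group deny-Sales out".
 ! Caveat: on the outside interface the outbound ACL is evaluated AFTER
 ! inside-to-outside translation, so it only matches 192.168.1.0/27 because
 ! Sales is excluded from NAT-INSIDE above; for a translated subnet the ACL
 ! would see the public address and never match.
!
! 3. Default route toward the ISP, advertised to the internal routers by RIP.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
router rip
 version 2
 network 192.168.1.0
 default-information originate
!
! 4. After changing NAT rules, flush cached translations so stale entries stop
!    matching, then verify which list is doing the work:
!    clear ip nat translation *
!    show ip nat translations
!    show access-lists deny-Sales
```

The point to take away is the split between the two lists: NAT-INSIDE only chooses what gets a public address, while deny-Sales is what stops the traffic, and the counters shown by `show access-lists deny-Sales` confirm that the drops are happening where you expect.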
04-12-2019 06:07 PM
Thanks guys. I put the ACL on the serial interface and it worked.
04-11-2019 05:33 PM
As far as NAT goes - that is correct. I suspect you have some existing cached NAT translations which should timeout on their own. Perhaps you could clear them out manually and try again:
clear ip nat trans *
However, I don't think this is a great solution. You should create an access list and apply it to the Serial interface and block the traffic at that point.
04-11-2019 06:03 PM - edited 04-11-2019 06:06 PM
@Tuff Hello,
Your NAT configuration is OK.
Apply nat inside under the sub-interfaces too.
I think that it is a routing issue. On the ISP, you don't have a route for the internal LAN in your main routing table, do you? If you have, remove it and test again.