08-07-2013 06:16 AM - edited 03-04-2019 08:41 PM
Hi guys,
I'm trying to configure a router for my client.
It's a 2911 with 3 Gig interfaces and 1x EHWIC 1GE (RJ45/SFP).
I have an integrated firewall through the security K9 bundle.
I've got a set of static network IPs.
The old network looks like this:
WAN -> HP MSR900 -> FIREWALL -> LOCAL LAN.
That said, here's how it goes:
203.125.3.AA/30 (WAN) -> 220.255.13.BB/29 (Public IP) -> LAN 192.168.203.0/24.
But the new network goes like this:
WAN -> Cisco 2911 -> LOCAL LAN, 2 subnets 192.168.203.0/24 and 192.168.204.0/24.
The router will become the DHCP server for the 192.168.204.0/24 network only. The 203 network is being routed by the DHCP server from the current network.
The old firewall used to provide VPN services through a simple PPTP without authentication.
With my configuration as per below, I'm able to reach the next hop and Google through the router, but unable to reach the internet from the inside LAN.
OK, here's the question.
How can I configure the router to be able to route packets properly?
And is my configuration for the PPTP correct?
That said,
Building configuration...
Current configuration : 6165 bytes
!
! Last configuration change at 16:19:22 UTC Tue Aug 6 2013 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname POWERRANGERS
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.204.1 192.168.204.30
ip dhcp excluded-address 192.168.204.251 192.168.204.254
!
ip dhcp pool Internal204NWPool
import all
network 192.168.204.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.204.1
lease 5
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group HLFVPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-2440568946
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2440568946
revocation-check none
rsakeypair TP-self-signed-2440568946
!
!
crypto pki certificate chain TP-self-signed-2440568946
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL171711LA
license accept end user agreement
!
!
username admin privilege 15 secret 4 yEpCjsAh.TR7Tes/KptX76P3WCk6hm100cT7/GVtxKI
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
!
!
!
bridge irb
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description SingNetWANLink
ip address 203.125.3.AA 255.255.255.252
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0/1
description LAN192.168.203.0LINK
ip address 192.168.203.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN192.168.204.0LINK
ip address 192.168.204.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
ip address 10.10.10.10 255.255.255.0
duplex auto
speed auto
media-type rj45
!
ip local pool WANPOOL 220.255.13.BB
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 101 pool WANPOOL overload
!
!
ip route 0.0.0.0 0.0.0.0 203.125.3.89
!
!
!
access-list 101 permit ip any any
access-list 101 permit ip 192.168.203.0 0.0.0.255 any
access-list 102 permit ip 192.168.204.0 0.0.0.255 any
!
control-plane
!
!
banner login ^CUnauthorized Login Will Be Prosecuted.^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
08-07-2013 06:37 AM
Hello,
You need "ip nat outside" on your WAN interface.
08-07-2013 06:43 AM
Hi, after I put in the ip nat outside, I can't ping the outside interface anymore.
08-07-2013 06:51 AM
Did you remove the line in the ACL as per Alain's advice too?
Can you ping 8.8.8.8 from the router?
08-07-2013 06:40 AM
Hi,
Also remove this:
access-list 101 permit ip any any
Regards
Alain
Don't forget to rate helpful posts.
08-07-2013 06:52 AM
Also, where do I add in the line for the leased static IPs?
08-07-2013 06:57 AM
Hi,
You may use one or more in your WAN pool and one or more for static NAT statements for port forwarding.
Regards
Alain
Don't forget to rate helpful posts.
08-07-2013 07:14 AM
Alright, I'll let you guys know again :>
08-07-2013 08:03 AM
Hi, can you remove the below line:
ip local pool WANPOOL 220.255.13.BB
Then replace it with:
ip nat pool WANPOOL 220.255.13.xx 220.255.13.yy netmask 255.255.255.248
Regards,
08-07-2013 03:28 PM
Hi guys,
I can't seem to get the link up anymore.
When I have the NAT overload on the WANPOOL, it doesn't work.
I'm only able to get it up through the use of ip nat inside source.........G0/0 overload
Which also means that when I type show ip nat translations,
all the addresses are actually originating from this: 203.125.3.AA/30,
which is the WAN link IP instead of the leased static IPs.
Help me, I'm dying lol.
08-07-2013 05:25 PM
Can you post the existing config as it sits now?
The following config should work:
int g0/0
ip nat outside
interface GigabitEthernet0/1
description LAN192.168.203.0LINK
ip address 192.168.203.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN192.168.204.0LINK
ip address 192.168.204.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat pool WANPOOL 220.255.13.x 220.255.13.x prefix-length 24
!
ip nat inside source list 101 pool WANPOOL overload
!
!
!
access-list 101 permit ip 192.168.203.0 0.0.0.255 any
access-list 101 permit ip 192.168.204.0 0.0.0.255 any
!
Your 192.168.204.0/24 subnet was not listed in your NAT ACL, and if you'll notice, in the original post it was part of ACL 102. I added that line to 101. You needed to fix your NAT pool, as local pools are generally used for VPN connections but not in the case of NAT.
HTH,
John
*** Please rate all useful posts ***
08-09-2013 10:53 PM
Hi John,
Good day. Is the line
ip nat pool WANPOOL 220.255.13.x 220.255.13.x prefix-length 24
!
used for the public IP pool?
Because right now, my NATting is only done on the WAN link IP, which is the IP between my current router and the next hop.
I need to NAT it out on the IP that my ISP gave to me. Any help?
08-09-2013 11:04 PM
Here's my configuration as of now.
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.153-2.T.bin
boot-end-marker
!
!
logging userinfo
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.204.1 192.168.204.30
ip dhcp excluded-address 192.168.204.250 192.168.204.254
!
ip dhcp pool Internal204NWPool
import all
network 192.168.204.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.204.1
lease 5
!
!
!
no ipv6 cef
!
!
vpdn enable
!
vpdn-group HLFVPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-2440568946
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2440568946
revocation-check none
rsakeypair TP-self-signed-2440568946
!
!
crypto pki certificate chain TP-self-signed-2440568946
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL171711LA
license accept end user agreement
!
!
redundancy
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 220.255.13.YY 255.255.255.248 secondary
ip address 203.125.3.XX 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface GigabitEthernet0/1
ip address 192.168.203.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 192.168.204.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
ip address 10.10.10.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
peer default ip address pool VPNPOOL
no keepalive
!
ip local pool VPNPOOL 192.168.204.10 192.168.204.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 203.125.3.XX
!
logging trap debugging
logging host 10.10.10.5
!
route-map 1 permit 10
!
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.203.0 0.0.0.255 any
access-list 101 permit ip 192.168.204.0 0.0.0.255 any
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input all
line vty 5 15
login local
transport input all
!
scheduler allocate 20000 1000
!
end