Users cant ping internet but Router can ping internet

H7577-IT
Level 1

Hello all,

I have a bit of a challenge here and I would like to get help from any one here.

I am configuring a Cisco 2900 router and after I have finished, I can ping the internet, the gateway and the DNS server given to me by my ISP from the router. However, from the host, I can't ping the DNS server or the internet, but I can ping the router.

I would appreciate any suggestion from anyone as I am in dire need of help right now.

Below is a copy of my running config on the Cisco 2900 router:

HDV_RTR#sh run
Building configuration...

Current configuration : 4313 bytes
!
! Last configuration change at 16:56:17 UTC Wed Nov 23 2016 by samuel
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HDV_RTR
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 172.16.50.1 172.16.50.10
ip dhcp excluded-address 172.16.50.71 172.16.50.90
ip dhcp excluded-address 172.16.100.1 172.16.100.10
!
ip dhcp pool AP_MGMT
   network 172.16.50.0 255.255.255.0
   default-router 172.16.50.1
   dns-server 41.75.80.80 41.75.80.85
!
ip dhcp pool USERS
   network 172.16.100.0 255.255.254.0
   default-router 172.16.100.1
   dns-server 41.75.80.84 41.75.80.85
!
!
ip name-server 41.75.80.85
ip name-server 4.2.2.2
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3859548040
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3859548040
 revocation-check none
 rsakeypair TP-self-signed-3859548040
!
!
crypto pki certificate chain TP-self-signed-3859548040
 certificate self-signed 01
        quit
license udi pid CISCO2911/K9 sn FTX1420AJJR
!

!
!
interface Tunnel1
 ip address 10.10.10.10 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 154.113.84.17
!
interface GigabitEthernet0/0
 description CONNECTION TO ISP
 ip address 154.113.84.21 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.50
 encapsulation dot1Q 50
 ip address 172.16.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 172.16.100.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.150
 encapsulation dot1Q 150
 ip address 192.168.1.253 255.255.255.0
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 172.16.200.1 255.255.255.0
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool INTERNET 154.113.84.20 154.113.84.30 prefix-length 28
ip nat source list GUEST_USERS pool INTERNET overload
ip default-network 154.113.84.0
ip route 0.0.0.0 0.0.0.0 154.113.84.17 name DEFAULT
ip route 129.100.100.0 255.255.255.0 Tunnel1
!
ip access-list standard GUEST_USERS
 permit 172.16.100.0 0.0.1.255
 permit 172.16.50.0 0.0.0.255
 permit any
!
access-list 23 permit any
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


12 Replies

Collin Clark
VIP Alumni

You need inspection (CBAC or Zone-Based FW).

http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/13814-32.html

Hello Collin,

Thanks for your response, but I know that without CBAC I should still be able to route traffic from my internal network to the internet, which is not happening now.

However, I just tried the CBAC and still my hosts can't connect to the internet.

You can access the internet without CBAC, but you will need to create an ACL that will allow return traffic. If it's still failing with CBAC configured, can you post the results of a "sh ip nat trans * "

Hi Collin,

I just did the sh ip nat translations and I got nothing. What does that mean? See the result below:

HDV_RTR#
HDV_RTR#
HDV_RTR#sh ip nat ?
  nvi           NVI information
  statistics    Translation statistics
  translations  Translation entries

HDV_RTR#sh ip nat tr
HDV_RTR#sh ip nat translations

HDV_RTR#

HDV_RTR#

HDV_RTR#

That means none of your internal users are NAT'ing to a public address. What is the client IP you're testing from?

OK... do you mean the IP of the host? It's 172.16.100.87

Yes, that's what I meant. From 172.16.100.87 are you able to ping 172.16.100.1?

Yes, I can ping 172.16.100.1 and I can also ping 154.113.84.21,

but I can't ping 154.113.84.17, which is the gateway that was given to me by my ISP.

Hello,

you have configured:

ip nat source list GUEST_USERS pool INTERNET overload

That is to enable NAT on a virtual interface without inside or outside specification.

Change that to:

ip nat inside source list GUEST_USERS pool INTERNET overload

Here's a known working NAT example.

ip nat inside source route-map NAT_RULES interface GigabitEthernet0/0 overload

!
route-map NAT_RULES permit 10
 match ip address 150
!
!

access-list 150 remark Networks to NAT
access-list 150 permit ip 172.16.100.0 0.0.1.255 any
access-list 150 permit ip 172.16.50.0 0.0.0.255 any

Hi Collin,

Tried it and it worked. All users can now access the internet. You are the bomb!

I really appreciate your effort and assistance.

Thanks a bunch.

Paul Chapman
Level 4

Hi -

I see a slight oddity in your config. I suggest removing the "ip default-network" statement as it is redundant with your static route. The rest of your NAT config looks fine. I do tend to agree with Collin that you're going to need to add some protection mechanisms for the router (and users).

PSC
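As an added example (not from the thread, Cisco, or either answerer), a small Python linter that applies the points raised in the answers to a running-config excerpt: Collin's fix (the NVI form `ip nat source` used together with interfaces that carry `ip nat inside`/`ip nat outside`, which leaves `show ip nat translations` empty) and Paul's note that `ip default-network` is redundant with the static default route. It also flags a NAT ACL that ends in `permit any`, since the working example limits NAT to the two inside networks. The config text is a constructed excerpt modelled on the one posted above.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the running-config posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 154.113.84.21 255.255.255.240
 ip nat outside
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 172.16.100.1 255.255.254.0
 ip nat inside
!
ip nat pool INTERNET 154.113.84.20 154.113.84.30 prefix-length 28
ip nat source list GUEST_USERS pool INTERNET overload
ip default-network 154.113.84.0
ip route 0.0.0.0 0.0.0.0 154.113.84.17 name DEFAULT
!
ip access-list standard GUEST_USERS
 permit 172.16.100.0 0.0.1.255
 permit 172.16.50.0 0.0.0.255
 permit any
"""

def parse_acls(lines: List[str]) -> Dict[str, List[str]]:
    """Collect entries of named standard ACLs: {acl_name: [entry, ...]}."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in lines:
        m = re.match(r"ip access-list standard (\S+)$", line)
        if m:
            current = m.group(1)
            acls[current] = []
        elif current and line.startswith(" "):   # indented entry of the open ACL
            acls[current].append(line.strip())
        else:
            current = None                          # any other top-level line closes it
    return acls

def lint_nat(config: str) -> List[str]:
    """Return a list of findings; an empty list means no issue detected."""
    lines = config.splitlines()
    findings: List[str] = []
    iface_nat = [l for l in lines if l.strip() in ("ip nat inside", "ip nat outside")]
    nvi_rules = [l for l in lines if l.startswith("ip nat source ")]        # NVI form
    inside_rules = [l for l in lines if l.startswith("ip nat inside source ")]  # classic form
    if nvi_rules and iface_nat:
        findings.append("MIX: 'ip nat source' (NVI) used with 'ip nat inside/outside' interfaces; use 'ip nat inside source'")
    if iface_nat and not inside_rules:
        findings.append("NO-RULE: inside/outside interfaces but no 'ip nat inside source' rule; nothing will translate")
    acls = parse_acls(lines)
    for rule in nvi_rules + inside_rules:
        m = re.search(r"list (\S+)", rule)
        if m and "permit any" in acls.get(m.group(1), []):
            findings.append(f"BROAD-ACL: NAT ACL {m.group(1)} ends in 'permit any'; list only the inside networks")
    if any(l.startswith("ip default-network") for l in lines) and \
       any(l.startswith("ip route 0.0.0.0 0.0.0.0") for l in lines):
        findings.append("REDUNDANT: 'ip default-network' duplicates the static default route")
    return findings
```

Running `lint_nat(SAMPLE_CONFIG)` reports all four findings; applying Collin's and Paul's changes and dropping `permit any` clears them.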