Allowing inbound connection

yanacapps
Level 1

Hello Cisco.

I have a challenging task to accomplish that was assigned to me by my boss, and I am pretty new to the networking world.

So, I have a Cisco 4221 router with int G0/0/0 (which we use as the WAN connection) and G0/0/1 for LAN.

I have a pool of public IPs provided by the ISP and IPs that were assigned to the interfaces.

I have a laptop connected to the LAN port, and the WAN port is connected to the ISP's device (in our case it is AT&T).

I am able to browse the internet just fine, but I am not able to ping my device from our corporate network, even though there is no firewall involved.

So, I created an ACL for inbound traffic with a "permit all" statement and applied it on all interfaces, and still no luck. Any suggestions?

My boss said that allowing the outbound rule is the easy part, but I need to figure out how to make it work for inbound.

 

interface GigabitEthernet0/0/0
description WAN_GW
ip address X.X.X.X 255.255.255.252
ip nat outside
ip access-group 2 in
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN_GW
ip address X.X.X.X 255.255.255.240
ip nat inside
ip access-group 2 in
negotiation auto
!
ip nat pool ATT-POOL X.X.X.X X.X.X.X netmask 255.255.255.240
ip nat inside source list 1 pool ATT-POOL
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route X.X.X.X 255.255.255.252 X.X.X.X
!
!
access-list 2 permit any

 

  


11 Replies

Richard Burts
Hall of Fame

You describe a PC connected to the LAN and describe a corporate network. Where is that corporate network? How does it connect to this router?

 

HTH

Rick

Hi Rick.
We have 2 circuits in place.

Corporate LAN is connected to Comcast, and AT&T is the new one that was just implemented; the Cisco router is connected to this AT&T circuit.
I was assuming that if I created an ACL with a permit any statement for inbound, it would instantly work for inbound connections.

When I run tracert to the laptop that is connected to the Cisco device I get the following output:

Tracing route to 12.69.154.178 over a maximum of 30 hops

1 1 ms 1 ms 1 ms 10.254.1.1
2 13 ms 14 ms 17 ms 96.120.3.9
3 12 ms 7 ms 11 ms te-0-0-0-2-ur03.charleston.sc.chrlstn.comcast.net [68.85.123.193]
4 22 ms 13 ms 18 ms be-60-ar03.charleston.sc.chrlstn.comcast.net [96.108.171.181]
5 17 ms 44 ms 80 ms 96.108.117.9
6 153 ms 140 ms 145 ms be-33489-cr02.miami.fl.ibone.comcast.net [68.86.95.45]
7 134 ms 150 ms 139 ms be-12274-pe01.nota.fl.ibone.comcast.net [68.86.82.154]
8 132 ms 146 ms 138 ms 192.205.36.169
9 60 ms 65 ms 58 ms igs1.fldfl.ip.att.net [12.122.155.170]
10 65 ms 61 ms 64 ms cr2.ormfl.ip.att.net [12.123.6.50]
11 64 ms 63 ms 110 ms 12.122.28.49
12 58 ms 63 ms 63 ms cr1.nwrla.ip.att.net [12.122.30.73]
13 58 ms 63 ms 63 ms 12.122.28.29
14 53 ms 56 ms 55 ms gar1.atmga.ip.att.net [12.122.85.145]
15 64 ms 60 ms 64 ms 12.69.154.180
16 * * * Request timed out.
17 * * * Request timed out.
18 * * * Request timed out.
19 * * * Request timed out.
20 * * * Request timed out.
21 * * * Request timed out.
22 * * * Request timed out.
23 * * * Request timed out.
24 * * * Request timed out.
25 * * * Request timed out.
26 * * * Request timed out.
27 * * * Request timed out.
28 * * * Request timed out.
29 * * * Request timed out.
30 * * * Request timed out.

It is difficult to know what is going on here, especially since you have given so many IP addresses as x.x.x.x. But I do see one thing and that might point at the issue. I see in the partial config that you posted that you have configured ip nat to perform address translation for traffic originating on the LAN and going out the WAN. Doing address translation that way allows devices inside to initiate traffic to outside (and outside is successful in responding because when the response gets to your router it has an entry in the translation table for your address). But there is a problem when something outside attempts to initiate traffic to your PC inside. If the packet from outside arrives at your router it looks into its translation table and does not find an entry for your address. To enable devices outside to initiate traffic to your device you would need a static nat translation for your address.

 

I would also note that the access lists you are using on the interfaces (access-list 2 permit any) are not doing any good. You might as well remove them from the configuration.

 

HTH

Rick

Thank you! I will try that!
Also, here is the output with IP addresses in case it is of any help.

interface GigabitEthernet0/0/0
description WAN_GW
ip address 12.249.90.94 255.255.255.252
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description LAN_GW
ip address 12.69.154.177 255.255.255.240
ip nat inside
negotiation auto
!
ip nat pool ATT-POOL 12.69.154.179 12.69.154.190 netmask 255.255.255.240
ip nat inside source list 1 pool ATT-POOL
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 12.249.90.93
ip route 12.249.90.92 255.255.255.252 12.249.90.93
!
!

Thank you for the additional information. Seeing the IP addresses is helpful. It shows that on your LAN/inside interface you are using Public IP addresses. This makes me wonder why you are using address translation. Address translation is usually used when the inside addresses are private addresses (192.168.x.x, etc) but that is not the case with your config. I know that address translation is very frequently part of the configuration of a router with an interface which connects to the Internet. So is there a reason why you use address translation other than the assumption that it is part of a normal config for an Internet facing router?

 

HTH

Rick

After writing that response I read through the complete discussion and noticed a few details. In your trace route you are using a destination address of 12.69.154.178. This is an address in the subnet assigned to that interface and is not in your pool of addresses for translation. And the last response in your trace route is from 12.69.154.180, which is an address in your pool of addresses for translation. So I believe that this demonstrates that address translation is causing your problem. It looks like the trace route gets to your PC and your PC sends a response. But the response goes through address translation and the source address is changed. So the trace route is failing because the response packets come back with a different address.

 

If there is some reason to have address translation then we need to find a way to configure it so that it does not interfere with communication to your PC. If there is not particularly a reason to have address translation then remove the translation.

 

HTH

Rick
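The translation-table behaviour described in the two replies above (a dynamic NAT entry is created only by outbound traffic, so the laptop's reply to the traceroute probe leaves with a pool address instead of 12.69.154.178, while a static entry lets outside hosts reach an inside device) can be modelled in a few lines. This is an added Python illustration, not code from the thread or from Cisco IOS; it assumes that list 1 matches every LAN source, and the static case uses a constructed private host 192.168.1.10 mapped to 12.69.154.190 to show the situation anticipated further down the road.

```python
from dataclasses import dataclass, field
import ipaddress

# ATT-POOL from the posted config: 12.69.154.179 - 12.69.154.190
POOL = [str(ipaddress.ip_address("12.69.154.179") + i) for i in range(12)]

@dataclass
class Router:
    """Toy model of 'ip nat inside source list 1 pool ATT-POOL' plus optional
    static entries; assumes list 1 matches every LAN source. Packets are (src, dst)."""
    dynamic: bool = True
    pool: list = field(default_factory=lambda: list(POOL))
    table: dict = field(default_factory=dict)  # inside-local -> inside-global

    def add_static(self, local, glob):
        self.table[local] = glob               # 'ip nat inside source static local glob'

    def inside_to_outside(self, src, dst):
        # LAN packet leaving through the 'ip nat outside' interface
        if src in self.table:                  # static or existing dynamic entry
            return self.table[src], dst
        if self.dynamic and self.pool:         # first outbound packet grabs a pool address
            self.table[src] = self.pool.pop(0)
            return self.table[src], dst
        return src, dst                        # no translation configured

    def outside_to_inside(self, src, dst):
        # WAN packet addressed to something on the LAN side
        for local, glob in self.table.items():
            if glob == dst:                    # known inside-global: rewrite destination
                return src, local
        return src, dst                        # no entry: routed untranslated

def probe(router, prober, target, host_local):
    """One tracert-style probe from prober to target; the LAN host really has
    address host_local. Returns the reply source the prober sees (None if unreached)."""
    _, dst = router.outside_to_inside(prober, target)
    if dst != host_local:
        return None
    reply_src, _ = router.inside_to_outside(host_local, prober)
    return reply_src

def scenarios():
    prober, host = "10.254.1.1", "12.69.154.178"   # first hop and laptop from the thread
    out = {"dynamic_nat": probe(Router(dynamic=True), prober, host, host),
           "no_nat": probe(Router(dynamic=False), prober, host, host)}
    r = Router(pool=POOL[:-1])                     # keep .190 out of the pool for a static map
    r.add_static("192.168.1.10", "12.69.154.190")  # constructed private host, future scenario
    out["static_nat"] = probe(r, prober, "12.69.154.190", "192.168.1.10")
    return out
```

With dynamic NAT the probe reaches the laptop but the reply is seen from a pool address, so tracert does not recognise it as the destination; with NAT removed, or with a static mapping, the reply source matches the probed address.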

Thank you so much for the detailed explanation, as this is a really important task for me and my first experience working in a production environment.

Just to back up a little bit:
We have a new unmanaged AT&T circuit in place that is connected to the WAN interface of the Cisco router.

They provided us with the following information:
WAN interface IP for Cisco: 12.249.90.94/30
WAN GW: 12.249.90.93

LAN IP: 12.69.154.178/28
(12.69.154.178-12.69.154.190 usable)
LAN GW: 12.69.154.177

After I applied the config, my boss suggested I apply static network settings on the laptop, connect it to the LAN and make sure I can connect to the internet, and I was able to.

The settings were:
12.69.154.178
255.255.255.240
12.69.154.177

But he also wants me to make sure we are able to get inbound traffic working as well.
I agree that there is some reconfiguration needed with NAT.

Thanks for the additional explanation. It seems to me that we probably need to consider both the current situation and what the situation may be a little further down the road. In terms of your current situation you have a router with two subnets: an outside subnet and an inside subnet. And you have used Public IP addressing on both subnets. In your current situation there is no need to have address translation - and we see that address translation does interfere with getting traffic from outside into your inside network. So for the current situation you should remove address translation.

 

But what will the situation be a little further down the road? You indicate that this is a new connection to Internet which will replace the current connection. Almost certainly that will change the situation and will probably have several (perhaps many) subnets connected to this router. And it is likely that these subnets will not all be using Public IP addressing. In that situation you will need address translation. 

 

There are several questions that you need to address:

- is the goal of your activities just to configure the router to test the new connection and prove that it does work? Or is the goal to produce a configuration that would provide the starting point for migration from the old connection to the new connection?

- if all you need is a configuration to test the new connection then remove address translation and you should be fine.

- if you need a more comprehensive configuration then you need to consider what you need in terms of address translation. Certainly you will need dynamic address translation similar to what you have and it will allow devices inside the network to initiate traffic to the Internet and to receive responses.

- but do you need devices on the Internet to initiate traffic to devices in your network? To enable Internet devices to initiate traffic to devices inside your network you will need static address translation for those devices (in addition to dynamic translation for the rest of the network).

- you can probably look at the existing Internet router and see what kind of address translation it is using and that can guide your decision about what you need on this router.

- another important question is about access lists. I suggested that you remove the access list that you had configured. That was because in the current situation there is no need for it. But as you start to use this new connection for your real network, you will almost certainly need access lists configured. Again looking at the existing Internet connection router should give you guidance about what kind of access lists you need.

 

HTH

Rick

Thank you!
Indeed, removing the NAT did the trick and I have an inbound connection!
I think I was confused by the provided information (the scope of provided IP addresses does not need to participate in NAT, and they will be statically assigned to other devices that we will connect on the LAN side (firewall interfaces, in general)).

Again, thank you so much for the detailed explanation.

Lesson learned :)

You are quite welcome. I am glad that my explanations have been helpful.

 

HTH

Rick

This has been an interesting discussion and I am glad that it has been helpful to you. Perhaps the most significant thing to take away from it might be the need to distinguish between what is needed to accomplish the short term goal of testing the new connection and the longer term goal of preparing to move the network from one provider to the new provider. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

 

I hope to see you continue to be active in the community.

 

HTH

Rick