Re: Cisco 1721 w/ 4 Port switch (Can't hit gateway)

CIBT Inc · ‎06-14-2012

Hey guys,

I've been racking my head about this a few days now, thought I'd see if anybody could tell me what is wrong. I have a c1721 with a 4 Port WIC. I can't seem to get anything out to the internet. I can hit the router itself, but it just wont pass any traffic.

The router can hit the internet, just anything behind the 192.168.33.0/29 network cannot. Below is my config.

Running C1700-ADVENTERPRISEK9-M), Version 12.4(8)

CIBT Inc · ‎06-14-2012

Building configuration...

Current configuration : 4976 bytes

!

! No configuration change since last restart

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname HOCC-remote10

!

boot-start-marker

boot system flash c1700-adventerprisek9-mz.124-8.bin

boot-end-marker

!

no aaa new-model

!

resource policy

!

memory-size iomem 15

clock timezone CEST 2

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.33.1

!

ip dhcp pool CIBT-HOCC-remote1_pool

import all

network 192.168.33.0 255.255.255.248

default-router 192.168.33.1

!

no ip domain lookup

!

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key * address X.X.X.X

!

crypto ipsec transform-set Myset esp-3des esp-sha-hmac

!

crypto map mymap 10 ipsec-isakmp

set peer X.X.X.X

set transform-set Myset

match address 102

!

interface Ethernet5

shutdown

!

interface FastEthernet0

description WAN

ip address dhcp

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

no cdp enable

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4 <----------------PC-------------->

!

interface Vlan1

ip address 192.168.33.1 255.255.255.248

ip nat inside

ip virtual-reassembly

!

ip route 0.0.0.0 0.0.0.0 192.168.0.1 <----------------Upstream-------------->

!

ip http server

no ip http secure-server

!

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.2.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.3.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.4.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.5.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.6.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.7.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.8.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.9.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.12.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.14.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 10.15.0.0 0.0.255.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.90.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.91.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.88.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.89.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.168.0 0.0.0.255

access-list 101 deny ip 192.168.33.0 0.0.0.255 192.168.169.0 0.0.0.255

access-list 101 permit ip 192.168.33.0 0.0.0.255 any

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.1.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.2.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.3.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.4.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.5.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.6.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.7.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.8.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.9.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.10.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.11.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.12.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.14.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 10.15.0.0 0.0.255.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.88.0 0.0.0.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.89.0 0.0.0.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.90.0 0.0.0.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.91.0 0.0.0.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.48.0 0.0.0.255

access-list 102 permit ip 192.168.33.0 0.0.0.255 192.168.168.0 0.0.0.255

!

control-plane

!

line con 0

exec-timeout 0 0

login local

line aux 0

line vty 0 4

password 7 *

login local

!

ntp clock-period 17180039

ntp server Y.Y.Y.Y

end

ryates_presido · ‎06-14-2012

I do not see any nat translation information you matching on. I see nat inside and outside but do not see where you tell it what to nat.

Sent from Cisco Technical Support iPad App

ryates_presido · ‎06-14-2012

Here is am link sorry

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

Sent from Cisco Technical Support iPad App

n_schloemer · ‎06-14-2012

you could create something like this:

ip access-list standard NAT

10 permit 192.168.33.0 0.0.0.255

ip nat inside source list NAT interface outside overload

That should get you out. I also noticed you have crypto configured and dont see any NAT exempt configuration for tunnel routing. Do you need to configure that as well?