Solved: Re: cisco 878 config problem

ahmed-aftab · ‎03-15-2011

we have a small bracnch and have cisco 878

i configured svi but host are still unable to access internet

given below is the config for your kind review

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$uiYN$LFoF7dtH2wm8haGjFIXRO/

!

no aaa new-model

!

resource policy

!

ip cef

!

username scg privilege 15 secret 5 $1$n1xQ$Rlf9XVA67WZ5lxPKPyUo90

!

controller DSL 0

line-term cpe

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key xxxxxxxxx!

!

crypto ipsec transform-set TSET esp-3des esp-md5-hmac

!

crypto dynamic-map DMAP 1000

set transforSET

set pfs group2

match address 100

!

crypto dynamic-map vpn 20

set pfs group5

match address 100

!

crypto map SMAP 10 ipsec-isakmp dynamic DMAP

!

interface BRI0

no ip address

encapsulation hdlc

shutdown

!

interface FastEthernet0

switchport access vlan 10

!

interface FastEthernet1

switchport access vlan 20

!

interface FastEthernet2

switchport access vlan 30

!

interface FastEthernet3

!

interface Vlan1

no ip address

!

interface Vlan10

ip address 94.x.x.x 255.255.255.248 (public ip)

crypto map SMAP

!

interface Vlan20

ip address 192.168.0.1 255.255.255.0

!

interface Vlan30

ip address 10.1.1.1 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 94.200.103.73

!

no ip http server

no ip http secure-server

!

no ip http server

no ip http secure-server

!

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255

!

control-plane

!

line con 0

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

!

scheduler max-task-time 5000

regards

Aftab Ahmed

cadet alain · ‎03-15-2011

interface vlan 30

ip nat outside

Get rid of the ip nat outside here it has no meaning here.

Can you ping and at the same time post output of sh ip nat translation and also do a debug ip packet 101 where 101 is following acl: access-list 101 permit icmp any any.

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

cadet alain · ‎03-15-2011

Hi,

Could you also post what you tried to communicate: from which IP to which IP and which protocol and post the result output.

Regards.

Alain.

Don't forget to rate helpful posts.

ahmed-aftab · ‎03-15-2011

hello 1

just want to access to internet but nops

the user form

192.168.0.0/24

and user

10.1.1.0/24 are not able to access internet

thanks and regards

Aftab Ahmed

cadet alain · ‎03-15-2011

Hi,

you have to configure NAT overload:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic3

Regards.

alain.

Don't forget to rate helpful posts.

ahmed-aftab · ‎03-15-2011

applied the following config but results are same

access-list 100 permit ip any any

ip nat inside source list 100 interface vlan 10 overload

interface vlan 10

ip nat outside

interface vlan 20

ip nat inside

interface vlan 30

ip nat outside

thank & regards

Aftab Ahmed

cadet alain · ‎03-15-2011

interface vlan 30

ip nat outside

Get rid of the ip nat outside here it has no meaning here.

Can you ping and at the same time post output of sh ip nat translation and also do a debug ip packet 101 where 101 is following acl: access-list 101 permit icmp any any.

Regards.

Alain.

Don't forget to rate helpful posts.

ahmed-aftab · ‎03-16-2011

thank you alain its done