
Cisco 881 can ping internet but computers behind the router can't

jsandau
Level 1
Level 1

I have a Cisco 881 that can ping the internet, but any computer behind it can't. The computers are given static IPs, which is why there is no DHCP assigned to any LAN interface. Here is the running config:


Building configuration...

Current configuration : 6435 bytes
!
! Last configuration change at 22:15:30 UTC Fri Mar 11 2016
!
! Global services, logging and authentication model for the router.
version 15.5
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off: any `password` (as opposed to `secret`) in this
! configuration, such as the vty line password, is kept as plain text.
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
! AAA is disabled, so logins are governed by the per-line `login`/`password`
! settings in the line stanzas rather than by a method list.
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
memory-size iomem 10
!
! Self-signed trustpoint; the webvpn gateway in this listing presents it.
! Clients have no CA chain to validate against, and `revocation-check none`
! means no CRL/OCSP lookup is performed for this trustpoint.
crypto pki trustpoint TP-self-signed-76299383
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-76299383
revocation-check none
rsakeypair TP-self-signed-76299383
!
!
crypto pki certificate chain TP-self-signed-76299383
certificate self-signed 01
30820227 30820190 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37363239 39333833 301E170D 31333031 33313231 30333034
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D373632 39393338
3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B39C
1F1F1B5A 620D3DB7 E4B82486 D8A6E928 E880F817 20D8D5D8 744A6985 B48A0AEF
072919C9 6ABF6428 272B2F4E 28382554 1D1CC5CD 701F9646 38EEE5CE 67F475C4
DD5B464B ECBD78AF A5B6B36B D2791CFE E6CB886F B030E179 7A209BC4 1CDC6BA1
711616C4 4FD6BE16 489DCC5F A5EE9729 365858FD 1654EA5F 3B7F90B2 19470203
010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304
18301680 1465D9D2 8C6F18DF 98EF832A 03DE7ADD D45A6C59 97301D06 03551D0E
04160414 65D9D28C 6F18DF98 EF832A03 DE7ADDD4 5A6C5997 300D0609 2A864886
F70D0101 05050003 818100A6 928BFD76 AEE144B3 7DC2339D 540415EE B6142CF6
60E3A6DF 06DA321C 80755902 B711183C 2D1D9407 857F05ED B987C08D 25002B5F
F3C0F996 8CDA1830 3F85456B 6C6F2A4B 774B93DC 256AB90E 5A46126C C2D044DB
3B76F1A2 0E98D2F0 A0D656CF 5031C7D7 1D9D2F88 E97C7B83 4D188927 EEAA3915
ECF7239B 5B7F0FDD E4C9CA
quit
!
!
!
!
!
!
!
!


!
! DHCP and DNS settings.
! The first excluded range (192.168.136.x) is outside the only pool's network,
! so it has no effect on the pool defined here.
ip dhcp excluded-address 192.168.136.22 192.168.136.30
! Excluding .22-.254 leaves only 192.168.131.1-.21 available for leases.
ip dhcp excluded-address 192.168.131.22 192.168.131.254
!
ip dhcp pool Internet
network 192.168.131.0 255.255.255.0
dns-server 70.28.245.227 184.151.118.254
! Matches the Vlan1 interface address configured further down.
default-router 192.168.131.157
!
!
!
ip name-server 70.28.245.227
ip name-server 184.151.118.254
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL1927224B
!
!
! Configuration-change logging; `hidekeys` keeps passwords out of that log.
archive
log config
hidekeys
! Privilege-15 local account. The name is masked, but the type 5 (MD5-based)
! hash is posted in full; a published hash should be treated as exposed and the
! password changed, ideally to a stronger secret type if the image supports one.
username **** privilege 15 secret 5 $1$TOHi$xwZvR0n8p6r00xE5nnBE11
!
!
!
!
!
!
!
! Site-to-site IPsec definition: IKE policy, pre-shared key, transform sets and
! the crypto map later attached to the WAN interface.
! IKE phase 1 uses 3DES with DH group 2 (1024-bit) and a pre-shared key; both
! are legacy choices. No `hash` line is shown, so the platform default applies
! (presumably SHA-1; confirm with `show crypto isakmp policy`).
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Key and part of the peer address were masked by the poster.
crypto isakmp key****address 96.45.14.xx 
!
!
! Four transform sets with identical contents (ESP 3DES + SHA-1 HMAC, tunnel
! mode); only ESP-3DES-SHA2 is referenced by the crypto map below.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
mode tunnel
!
!
!
! Traffic matching access-list 102 is protected towards the single peer.
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to96.45.14.xx
set peer 96.45.14.xx
set transform-set ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
! Switch ports, the WAN port and the LAN SVI.
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
! Placed in VLAN 2, but no `interface Vlan2` appears in this listing.
interface FastEthernet3
switchport access vlan 2
no ip address
!
! WAN side: address by DHCP, NAT outside, IPsec crypto map attached.
! No `ip access-group` is applied here, so no interface ACL filters traffic
! arriving from the Internet. `ip mask-reply` also makes the router answer ICMP
! address-mask requests on this port; it is not needed for normal operation.
interface FastEthernet4
description WAN port
ip address dhcp
ip mask-reply
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
! LAN side: NAT inside, inbound traffic filtered by the VLAN1_In ACL.
interface Vlan1
description Control Network
ip address 192.168.131.157 255.255.255.0
ip access-group VLAN1_In in
ip nat inside
ip virtual-reassembly in
!
! VPN client pool, management web server settings and the default route.
! The pool sits inside the Vlan1 subnet (192.168.131.0/24).
ip local pool VPN 192.168.131.152 192.168.131.155
! Only consulted when IP routing is disabled; the static route below is what a
! routing router uses.
ip default-gateway 174.0.0.1
ip forward-protocol nd
! Plain-HTTP management is enabled alongside HTTPS, so local credentials can
! cross the network unencrypted. `no ip http server` would leave HTTPS only.
ip http server
! NOTE(review): access-list 23 is not defined anywhere in this listing, so
! confirm what restriction, if any, is actually in effect.
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
top 10
sort-by bytes
!
! Fixed next hop although the WAN address is learned by DHCP; `permanent` keeps
! the route installed even when the interface goes down.
ip route 0.0.0.0 0.0.0.0 174.0.0.1 permanent
!
! Access lists. None of them is referenced by an `ip nat inside source`
! statement, because the listing contains no such statement; that is the
! missing translation rule the accepted answer points out.
!
! Applied inbound on Vlan1: blocks traffic between 192.168.135.0/24 or
! 192.168.136.0/24 and 192.168.130.0/23 in both directions, then permits the rest.
ip access-list extended VLAN1_In
remark Inbound Traffic
remark CCP_ACL Category=1
remark Cross Talk
deny ip 192.168.135.0 0.0.0.255 192.168.130.0 0.0.1.255
deny ip 192.168.136.0 0.0.0.255 192.168.130.0 0.0.1.255
remark Cross Talk
deny ip 192.168.130.0 0.0.1.255 192.168.135.0 0.0.0.255
deny ip 192.168.130.0 0.0.1.255 192.168.136.0 0.0.0.255
permit ip any any
! Not applied to any interface in this listing.
ip access-list extended VLAN1_Out
remark For diagnositcs
remark CCP_ACL Category=1
remark Diag
permit ip any any log
! Used as the vty access-class; it permits every source and only logs.
ip access-list extended allow_all
remark CCP_ACL Category=1
permit ip any any log
!
!
! Lists 1, 2, 100, 101 and 103 are not referenced elsewhere in this listing;
! list 102 is the crypto map's match address (192.168.131.128/27 to
! 192.168.125.0/24).
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.130.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.131.0 0.0.0.255 192.168.120.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.131.128 0.0.0.31 192.168.125.0 0.0.0.255
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
! Console, aux and remote-access (vty) lines.
line con 0
no modem enable
line aux 0
! Remote management is Telnet only, so the line password and the whole session
! travel in clear text. The access-class is the permit-any `allow_all` list, and
! the WAN interface carries no inbound ACL in this listing, so any source that
! can reach the router can attempt a login. A successful login lands directly
! at privilege level 15.
! Hardening: `transport input ssh`, an access-class limited to management
! hosts, and per-user authentication instead of a shared line password.
line vty 0 4
access-class allow_all in
access-class allow_all out
privilege level 15
password ****
login
transport input telnet
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
!
! SSL VPN (webvpn) gateway, context and group policy.
! The gateway address 192.168.126.9 is not configured on any interface shown in
! this listing. The gateway presents the self-signed trustpoint certificate.
webvpn gateway WAN
ip address 192.168.126.9 port 44443
http-redirect port 80
ssl trustpoint TP-self-signed-76299383
inservice
!
! NOTE(review): no authentication list is named in this context; confirm which
! user database the VPN logins are checked against.
webvpn context PLC
gateway WAN
!
ssl authenticate verify all
inservice
!
! Full-tunnel client (svc) enabled; clients draw addresses from the "VPN" pool
! and only 192.168.131.0/27 is sent through the tunnel (split include).
policy group default
functions svc-enabled
svc address-pool "VPN" netmask 255.255.255.224
svc keep-client-installed
svc rekey method new-tunnel
svc split include 192.168.131.0 255.255.255.224
mask-urls
default-group-policy default
!
end

Any ideas?

Thanks.

1 Accepted Solution

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

I see `ip nat inside` and `ip nat outside` configured on the interfaces, but I do not see any address translation rule configured. Without one, the private addresses of the inside devices are never translated, which would prevent any inside device from being able to access the Internet.

HTH

Rick

HTH

Rick


6 Replies 6

Richard Burts
Hall of Fame
Hall of Fame

I see `ip nat inside` and `ip nat outside` configured on the interfaces, but I do not see any address translation rule configured. Without one, the private addresses of the inside devices are never translated, which would prevent any inside device from being able to access the Internet.

HTH

Rick

HTH

Rick

How would I add that? Sorry, I'm pretty new to cisco routers.

It might look something like this

ip nat inside source list 50 interface FastEthernet4 overload

access-list 50 permit 192.168.131.0 0.0.0.255

If you want the Remote Access VPN users to be able to access the Internet then you would want to add a line in access list 50 to permit the IP address range used for Remote Access VPN.

HTH

Rick

HTH

Rick

That solved the problem. Thanks.

I am glad that my suggestions were helpful and allowed you to solve your problem. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions which have helpful information.

HTH

Rick

HTH

Rick

Hello,

 

I am having a similar issue. Can you please help?

I have a cisco 881, and on it there is a PC and a Web Server!

My web server gets translated to my public IP, but when I open a web browser on the PC the web page does not appear, and I also cannot ping my server from the router. Weird.

My web page opens in the browser only by its local IP, not by name.

 

ToiMoi_Iliopoulos#ping ultima.gr
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 84.254.38.185, timeout is 2 seconds:
!!!!!

 

ToiMoi_Iliopoulos#ping 10.79.55.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.79.55.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
ToiMoi_Iliopoulos#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.79.55.1              -   442b.03c5.468e  ARPA   Vlan1
Internet  10.79.55.10            40   70ca.9b2e.a9f2  ARPA   Vlan1  <--------My PC
Internet  10.79.55.100            0   b8ae.ed71.54ee  ARPA   Vlan1
ToiMoi_Iliopoulos#ping 10.79.55.100  <----------------Server
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.79.55.100, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

I am breaking my head! I need to see the web server from behind the router... Below is the running conf.

 

Building configuration...

Current configuration : 6253 bytes
!
! Last configuration change at 09:46:38 UTC Wed Dec 27 2017 by mnemonic
! Global services, enable password and AAA model.
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off, so `password` values are stored as plain text.
no service password-encryption
!
hostname ToiMoi_Iliopoulos
!
boot-start-marker
boot-end-marker
!
!
! No local log buffer is kept, so login attempts and configuration events are
! not retained on the box unless they are sent elsewhere.
no logging buffered
! Plain-text enable password, posted unmasked. It should be considered exposed
! and replaced, preferably with a hashed `enable secret`.
enable password mnemonic
!
aaa new-model
!
!
! Logins and exec authorization use the local user database by default.
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
! Self-signed trustpoint with revocation checking disabled. Both HTTP servers
! are turned off later in this listing, so nothing shown here presents it.
crypto pki trustpoint TP-self-signed-3702956536
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3702956536
 revocation-check none
 rsakeypair TP-self-signed-3702956536
!
!
crypto pki certificate chain TP-self-signed-3702956536
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373032 39353635 3336301E 170D3137 30333234 31373230
  33355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37303239
  35363533 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AC64 EF7E0892 C3483C90 40B9E4BC 946B47B8 6E71F4EC 865594E0 3C0AB70A
  27353B8E 24411D03 7304A25D 69BF6222 382657BC A9E7924A B92F2E30 6585A341
  71A2B627 387B5AF2 1BBB7EBD 84252139 E43AB7B9 B9A7D6EE 03A112A8 555E8307
  C60A7B2D 3E1CB393 31055CF7 6B0B2F06 967199CD 4B9071CD 1013EBC1 22E2A878
  FCC50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 146FB873 2B842A8A B9A834DD 9DC4B4D0 A8E56448 8F301D06
  03551D0E 04160414 6FB8732B 842A8AB9 A834DD9D C4B4D0A8 E564488F 300D0609
  2A864886 F70D0101 05050003 81810036 99F78926 E0926BE2 703A2200 9DF31401
  B3A7AE69 B0686193 74356678 519AB829 7B0845CE 49059F43 07773BB6 98327729
  C3DA7AEB E4DE1C6E 1C5395A3 E4EC4D6F 7396D7FB 4E0D286E AE458A07 77D98D56
  A5F35467 DDBB25AA E5357D2B 2C687993 B40BDAD7 A9C6AE8E FBB8FC40 C598E1D3
  A40F5816 961AC6BA 40541828 660F3F
        quit
! Source-routing off, DHCP/DNS settings, licence lines and the local user.
no ip source-route
!
!
!
! With .1-.9 and .101-.254 excluded, leases are handed out from 10.79.55.10-.100.
! The static NAT targets later in this listing (10.79.55.100 and 10.79.55.17)
! fall inside that dynamic range; unless those hosts are statically addressed,
! a port forward could end up pointing at a different machine.
ip dhcp excluded-address 10.79.55.1 10.79.55.9
ip dhcp excluded-address 10.79.55.101 10.79.55.254
!
ip dhcp pool ccp-pool1
 network 10.79.55.0 255.255.255.0
 dns-server 62.169.194.47 8.8.8.8
 default-router 10.79.55.1
!
!
ip cef
! NOTE(review): this sets the router's domain name to the literal string
! "8.8.8.8", which looks unintended; confirm.
ip domain name 8.8.8.8
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881GW-GN-A-K9 sn FTX161880ZN
license boot module c880-data level advipservices
!
!
! Privilege-15 account stored with `password 0` (plain text; masked by the
! poster). `secret` would store a hash instead.
username xxxxx privilege 15 password 0 xxxxx
!
!
!
!
controller Cellular 0
!
!
!
! Site-to-site IPsec definition.
! IKE phase 1 uses 3DES, DH group 2 (1024-bit) and a pre-shared key; these are
! legacy choices.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
! The pre-shared key and the peer address are posted unmasked here, although
! the peer is masked in the crypto map below. The key should be treated as
! exposed and changed on both ends of the tunnel.
crypto isakmp key toimoi address 62.169.199.170
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Traffic matching access-list 100 is protected towards the peer.
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toxxxxxxxx
 set peer xxxxxxxxxxxx
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
! Switch ports, PPPoE WAN port, embedded AP and cellular interfaces, LAN SVI
! and the dialer that carries the Internet connection.
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
! Physical WAN port; the PPPoE session is bound to dialer pool 1 (Dialer0).
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Cellular0
 no ip address
 encapsulation ppp
!
! LAN gateway, NAT inside.
interface Vlan1
 ip address 10.79.55.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
! Internet-facing interface: NAT outside with the crypto map attached.
! No `ip access-group` is applied, so no interface ACL filters inbound traffic;
! the static port forwards later in this listing are therefore reachable from
! any source. PPP credentials are stored as type 0 (plain text; masked here).
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxxx password 0 xxxxx
 crypto map SDM_CMAP_1
!
! HTTP management (disabled), NAT rules and the default route.
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
! Seventeen TCP ports on Dialer0's address are forwarded to 10.79.55.100,
! including clear-text services by well-known port number (21 FTP, 25 SMTP,
! 110 POP3, 143 IMAP, 389 LDAP). With no inbound ACL on Dialer0, each is open
! to any source, so it is worth checking which of them must be public.
! NOTE(review): these inside-to-outside rules do not cover an inside client
! connecting to the public address, which is presumably why the site opens only
! by local IP from the LAN; confirm.
ip nat inside source static tcp 10.79.55.100 25 interface Dialer0 25
ip nat inside source static tcp 10.79.55.100 110 interface Dialer0 110
ip nat inside source static tcp 10.79.55.100 443 interface Dialer0 443
ip nat inside source static tcp 10.79.55.100 80 interface Dialer0 80
ip nat inside source static tcp 10.79.55.100 53 interface Dialer0 53
ip nat inside source static tcp 10.79.55.100 389 interface Dialer0 389
ip nat inside source static tcp 10.79.55.100 26 interface Dialer0 26
ip nat inside source static tcp 10.79.55.100 44 interface Dialer0 44
ip nat inside source static tcp 10.79.55.100 1000 interface Dialer0 1000
ip nat inside source static tcp 10.79.55.100 143 interface Dialer0 143
ip nat inside source static tcp 10.79.55.100 995 interface Dialer0 995
ip nat inside source static tcp 10.79.55.100 993 interface Dialer0 993
ip nat inside source static tcp 10.79.55.100 8100 interface Dialer0 8100
ip nat inside source static tcp 10.79.55.100 3000 interface Dialer0 3000
ip nat inside source static tcp 10.79.55.100 1300 interface Dialer0 1300
ip nat inside source static tcp 10.79.55.100 21 interface Dialer0 21
ip nat inside source static tcp 10.79.55.100 5938 interface Dialer0 5938
ip nat inside source static udp 10.79.55.17 11155 interface Dialer0 11155
! Outbound PAT for the LAN, selected by access-list 1.
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Access lists used by NAT, IPsec and the dialer.
! List 1 selects the LAN for PAT (referenced by the NAT overload rule).
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.79.55.0 0.0.0.255
! List 100 is the crypto map's match address (LAN to 192.168.100.0/24).
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.79.55.0 0.0.0.255 192.168.100.0 0.0.0.255
! List 101 denies the tunnel traffic before permitting the rest, the usual
! shape of a NAT exemption, but nothing in this listing references it; the
! overload rule uses list 1. NOTE(review): confirm tunnel traffic is not being
! translated before it reaches the crypto map.
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.79.55.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 10.79.55.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
!
control-plane
!
!
! Console, aux, service-module and remote-access (vty) lines.
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 no exec
! `transport input all` accepts Telnet as well as SSH, and no access-class
! limits the source addresses; with no inbound ACL on Dialer0, the login prompt
! is exposed to any source that can reach the router.
! The line password is plain text and reuses the enable password shown earlier
! in this listing; both should be treated as exposed.
! NOTE(review): with `aaa authentication login default local`, the login is
! presumably checked against the local user database rather than this line
! password; confirm.
! Hardening: `transport input ssh` and an access-class limited to management
! hosts.
line vty 0 4
 password mnemonic
 transport input all
!
end

 
