cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
882
Views
0
Helpful
1
Replies
Highlighted
Beginner

NAT: host can ping outside global interface, but no further.

Cisco 2911, IOS 15.0(1)M4

Can anyone see an error in my configuration? From the router NAT translation works fine. I'm able to ping from the internal interface (ge0/1) to the outside world without issue. However, hosts on the internal network are not able to reach the outside, they are able to ping as far as the outside global address. I've reconfigured the entire router, this time using CCP (just to make I wasn't screwing something up). Still no luck, any thoughts?

version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname techno
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
no ip source-route
no ip routing
no ip cef
!
!
!
!
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
password encryption aes
!
redundancy
!
!
! 
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 6 asdf address a.b.c.d
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set DC_VPN_SET esp-3des esp-md5-hmac 
!
crypto map DC_VPN_MAP 10 ipsec-isakmp 
 set peer a.b.c.d
 set transform-set DC_VPN_SET 
 match address 150
!
!
!
!
!
interface GigabitEthernet0/0
 description EXTERNAL
 ip address 68.x.x.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 no mop enabled
 crypto map DC_VPN_MAP
 !
!
interface GigabitEthernet0/1
 description INTERNAL
 ip address 10.10.10.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 !
!
interface GigabitEthernet0/2
 no ip address
 no ip route-cache
 shutdown
 duplex auto
 speed auto
 !
!
ip default-gateway 68.x.x.9
ip forward-protocol nd
!
ip http server
ip http access-class 50
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 68.x.x.9
!
access-list 100 remark CCP_ACL Category=2
access-list 100 deny   ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255
access-list 100 permit ip 10.10.10.0 0.0.0.63 any
access-list 150 permit ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255
!
!
!
route-map SDM_RMAP_2 permit 1
 match ip address 100
!
!
snmp-server community public RO
snmp-server community private RW
!
control-plane
 !
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 50 in
 privilege level 15
 logging synchronous
 login local
 transport input telnet ssh
line vty 5 15
 access-class 50 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 91.189.94.4 prefer source GigabitEthernet0/0
end
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Rising star

you have "ip routing" disabled for some reason. Reenable "ip routing", and also enable cef "ip cef".

Otherwise your configuration looks correct.

View solution in original post

1 REPLY 1
Highlighted
Rising star

you have "ip routing" disabled for some reason. Reenable "ip routing", and also enable cef "ip cef".

Otherwise your configuration looks correct.

View solution in original post

Content for Community-Ad