09-18-2009 10:47 PM - edited 03-06-2019 07:47 AM
Hello! I'm new to Cisco devices and am now having trouble with routing from the LAN to the internet. My ISP offers a PPTP connection via ethernet cable, and I'm trying to set up a Cisco 871w (c870-advsecurityk9-mz.124-15.T7.bin). I managed to connect to the ISP, so I'm now getting a real IP and can ping/trace any remote host from the router console. I can also ping the router from desktop computers, but I can't ping the default gateway or any other host on the internet.
Network configuration is pretty simple. Desktops should go into 10.254.254.0 via ethernet or wifi (haven't tried it yet). Dialer17 connects to PPP server : ppp.inetvl.ru (172.16.4.1). Then it receives local ip address: 172.16.67.18, default gateway: 172.16.67.1.
ISP also gave me several static routes, I add them using `ip route`. So here goes `sh ru`:
--
Router#sh ru
Building configuration...
Current configuration : 2377 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
no ip gratuitous-arps
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool HOME
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
lease infinite
!
!
ip multicast-routing
!
vpdn enable
!
vpdn-group 22
request-dialin
protocol pptp
rotary-group 17
initiate-to ip 172.16.4.1
!
!
!
username admin privilege 15 secret 5 $1$nHUH$PqLKF4ejczfixqn0/3N5p.
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
mac-address 0023.5a6e.ebb7
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer17
mtu 1450
bandwidth 100000
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 22
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname ***
ppp chap password 0 ***
ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer17
ip route 95.154.112.64 255.255.255.192 172.16.67.1
ip route 95.154.113.0 255.255.255.128 172.16.67.1
ip route 172.16.0.0 255.240.0.0 172.16.67.1
ip route 192.168.0.0 255.255.0.0 172.16.67.1
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 24 interface Dialer17 overload
!
access-list 23 permit 0.0.0.0 255.255.255.0
access-list 24 permit 0.0.0.0 255.255.255.0
dialer-list 22 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport preferred telnet
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end
--
...So the problem is that I can only ping 172.16.67.18 from desktop, but I can't reach 172.16.67.1 or any other remote address. How do I share internet from router to other computers in LAN?
Thanks in advance.
10-01-2009 08:48 AM
Hello Nikolai,
If those ISP subnets have to be accessed without NATting, you need to exclude those communications from translation.
Example:
ip access-list extended NAT_TRAFFIC
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
in this way traffic for the internet is defined as all traffic not directed to ISP private subnets.
Hope to help
Giuseppe
09-19-2009 12:00 PM
Your acl for the NAT doesn't look right. Assuming it is meant to be "permit any" then change to -
access-list 24 permit 0.0.0.0 255.255.255.255
Jon
09-30-2009 06:12 PM
Thanks for the reply, Jon, I almost got it. Now I have internet both on the router and on the desktop PCs. But there's still a problem: I can't access my ISP's local resources.
Here's the scheme once again:
1. My Home LAN (fa0/3+wifi via BVI1): 192.168.1.0
2. FastEthernet4: 172.16.67.18 (gateway 172.16.67.1)
3. ISP LAN: 95.154.112.0, 95.154.113.0, 172.16.0.0, 192.168.0.0 (static routes)
4. Internet (PPTP via Dialer)
I made access-list with local IPs and created rule for overloaded NAT:
ip nat inside source list NAT_TRAFFIC interface Dialer17 overload
ip access-list extended NAT_TRAFFIC
permit ip 192.168.1.0 0.0.0.255 any
But in this case I can't access the ISP LAN. If I change the overloaded interface from Dialer to Fa4 I get into the LAN, but the Internet disappears. I made a picture just in case: http://yfrog.com/0uciscop
And config once again:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service internal
!
dot11 ssid ***
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ***
!
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool HOME
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
lease 0 2
!
!
ip cef
ip multicast-routing
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 22
request-dialin
protocol pptp
rotary-group 17
initiate-to ip 172.16.4.1
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
mac-address 0023.****.****
ip address 172.16.67.18 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ntp broadcast client
no cdp enable
!
interface Virtual-Template1
mtu 1476
no ip address
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key change 3600
!
!
ssid ***
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
load-interval 30
fair-queue
bridge-group 1
!
interface Dialer17
mtu 1476
bandwidth 100000
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 22
no peer neighbor-route
no cdp enable
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp chap hostname ***
ppp chap password 0 ***
ppp ipcp dns request
!
interface BVI1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip default-gateway 172.16.67.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer17
ip route 95.154.112.64 255.255.255.192 172.16.67.1
ip route 95.154.113.0 255.255.255.128 172.16.67.1
ip route 172.16.0.0 255.240.0.0 172.16.67.1
ip route 192.168.0.0 255.255.0.0 172.16.67.1
!
ip dns server
ip dns spoofing
ip nat inside source list NAT_TRAFFIC interface Dialer17 overload
!
ip access-list extended NAT_TRAFFIC
permit ip 192.168.1.0 0.0.0.255 any
!
dialer-list 22 protocol ip permit
no cdp run
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
10-07-2009 06:52 PM
Thanks, giuslar. It works this way:
ip nat inside source list NAT_INTERNET interface Dialer17 overload
ip nat inside source list NAT_ISP interface FastEthernet4 overload
!
ip access-list extended NAT_INTERNET
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255
deny ip 192.168.1.0 0.0.0.255 95.154.112.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 95.154.113.0 0.0.0.255
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT_ISP
remark From home LAN to ISP LAN
permit ip 192.168.1.0 0.0.0.255 any
!
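To see why the original `access-list 24` never matched the LAN hosts and how the final NAT_INTERNET/NAT_ISP lists split the traffic, here is an added Python model of IOS wildcard-mask ACL matching (not code from the thread or from Cisco). It models ACL matching only, not the router's route/NAT processing order; the LAN host 192.168.1.10 and the public destination 198.51.100.7 are constructed sample addresses.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any": base 0.0.0.0, wildcard all ones

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return "deny"

# Standard ACL 24 from the first post, with wildcard 255.255.255.0 on the source:
# only the last octet is significant, so it matches sources ending in .0, not LAN hosts.
ACL24_ORIGINAL = [("permit", "0.0.0.0", "255.255.255.0", *ANY)]
ACL24_FIXED = [("permit", *ANY, *ANY)]  # Jon's fix: permit any source

# Extended ACLs from the final working config, as (action, src, src-wc, dst, dst-wc).
NAT_INTERNET = [
    ("deny", "192.168.1.0", "0.0.0.255", "172.16.0.0", "0.0.255.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "95.154.112.0", "0.0.0.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "95.154.113.0", "0.0.0.255"),
    ("deny", "192.168.1.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
]
NAT_ISP = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]
NAT_LISTS = {"NAT_INTERNET (Dialer17)": NAT_INTERNET, "NAT_ISP (FastEthernet4)": NAT_ISP}

def permitting_lists(src, dst):
    """Names of the NAT ACLs that permit (i.e. would translate) a src->dst flow."""
    return [name for name, acl in NAT_LISTS.items() if acl_action(acl, src, dst) == "permit"]

if __name__ == "__main__":
    host = "192.168.1.10"  # constructed LAN host
    print("ACL 24 original, LAN host:", acl_action(ACL24_ORIGINAL, host, "198.51.100.7"))  # deny
    print("ACL 24 fixed, LAN host:   ", acl_action(ACL24_FIXED, host, "198.51.100.7"))     # permit
    for dst in ("172.16.67.1", "95.154.113.5", "198.51.100.7", "172.17.0.5"):
        print(f"{host} -> {dst}: {permitting_lists(host, dst)}")
    # 172.17.0.5 is still permitted by NAT_INTERNET: the deny covers 172.16.0.0/16 (wildcard
    # 0.0.255.255), which is narrower than the static route for 172.16.0.0/12 given by the ISP.
```

The last case is the check worth running against the ISP's real ranges: any ISP destination the deny entries do not cover falls through to the Dialer17 translation.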