07-01-2008 08:35 AM - edited 03-05-2019 11:55 PM
Hi All,
The scenario:
Office LAN connected to an ADSL line through an 851 router (static IP). LAN clients should have internet access through FE4 (ADSL static IP).
Also, remote users should connect with the Cisco VPN Client.
I have tried the configuration on my home PC.
I gave my PC the address of the GW, X.X.X.129 255.255.255.252 (my router's FE4 interface is X.X.X.130 255.255.255.252).
When at home, with my network card connected to the router's FE4 port, I could telnet to the router interface and log in. I could use the Cisco VPN Client and connect, and from the router console I could ping the local private IP my PC was obtaining from the router. When I connect my PC to the switch interface and enable automatic IP, it gets an IP from the router's DHCP. I could not do any more tests.
My friend took the router and installed it, and the problems are:
We cannot ping router FE4. We cannot telnet to the router anymore. The inside users on the private LAN (192.168.40.0) cannot access the internet !!!
The ADSL modem works, and it works for internet access with a simple SDM configuration !!!
Please review my config if you can and let me know what could be wrong !!!
I suspect NAT (because I used source-map NAT) for the LAN not getting to the internet, but then again, why can't I telnet ???
Please help !!!
Thanks,
George
07-02-2008 12:44 AM
Hi
Couple of things here for you to try.
1. Change the default route to ip route 0.0.0.0 0.0.0.0 x.x.x.129 where x.x.x.129 is the next hop
2. Add the command 'login' to line vty 0 4
i.e.
conf t
line vty 0 4
login
This should allow telnet sessions inbound.
The NAT command looks good. Use 'show ip nat trans' to show active NAT translations. This will help you troubleshoot NAT.
Also, check with your ISP to see if any type of authentication is required, e.g. PPPoE etc.
HTH (Please rate if it does)
Stephen
07-02-2008 02:41 AM
no access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 100 deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
no ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 X.X.X.129
07-02-2008 05:22 AM
Why do you need the route-map?
Can you remove the route-map and check once?
In that case you have to change your NAT statement:
ip nat inside source static nat interface FastEthernet4 overload
Thanks,
Dharmesh Purohit
07-02-2008 08:41 PM
Hi All,
Thanks all for your replies.
My concerns were about my default route (using FastE instead of static IP) ...
I will try the above (or get my friend to try them) and let you know what happens.
Can someone also please take a look at the VPN connection (remote user access) and comment on whether it seems OK (it worked OK with the Cisco VPN Client but not the XP client when I was on the same cable as the router)?
Thanks all.
George
07-08-2008 02:17 PM
Don't use route-maps for NAT - it's a pain in the butt - use ACLs... You should also have an ACL applied to your outside interface.
If you don't tell the router that your VPN traffic should NOT go out through NAT - it will.
Here is what my NAT ACL looks like:
ip access-list extended NAT
 ! vpn client traffic
 deny ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
Hope this helps...
Cheers,
Josh
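An added illustration, not code from any poster in this thread: the Python below evaluates the NAT ACL from the post above and the access-list 100 entries posted earlier the way IOS does (first match wins, implicit deny at the end), to show which flows are translated and why the deny has to sit ahead of the broad permit. The function names, host addresses and the destination 203.0.113.10 are constructed sample values.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # "any": every bit is "don't care"

def parse_ace(line):
    """Parse '<permit|deny> ip <src> <wildcard> <dst> <wildcard>'; either pair may be 'any'."""
    tok = line.split()
    action, rest = tok[0], tok[2:]  # tok[1] is the protocol keyword ("ip")
    pairs = []
    while rest:
        if rest[0] == "any":
            pairs.append(ANY)
            rest = rest[1:]
        else:
            pairs.append(tuple(int(ipaddress.IPv4Address(x)) for x in rest[:2]))
            rest = rest[2:]
    return action, pairs[0], pairs[1]

def matches(addr, pair):
    base, wildcard = pair
    care = ~wildcard & 0xFFFFFFFF  # wildcard bit 1 = ignore, 0 = must match
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def nat_decision(acl, src, dst):
    """Action of the first matching entry: 'permit' = translated, 'deny' = not translated."""
    for line in acl:
        action, src_pair, dst_pair = parse_ace(line)
        if matches(src, src_pair) and matches(dst, dst_pair):
            return action
    return "deny"  # implicit deny when nothing matches

# Entries copied from the thread (comment text dropped).
JOSH_NAT_ACL = [
    "deny ip 192.168.12.0 0.0.0.255 any",
    "permit ip 192.168.10.0 0.0.0.255 any",
    "permit ip 192.168.11.0 0.0.0.255 any",
]
ACL100_AS_POSTED = [
    "deny ip 192.168.40.0 0.0.0.255 192.168.40.0 0.0.0.255",
    "permit ip 192.168.40.0 0.0.0.255 any",
]
# Same entries with the broad permit first: the deny can never be reached.
ACL100_PERMIT_FIRST = list(reversed(ACL100_AS_POSTED))

if __name__ == "__main__":
    for name, acl in [("as posted", ACL100_AS_POSTED), ("permit first", ACL100_PERMIT_FIRST)]:
        print(name, nat_decision(acl, "192.168.40.10", "192.168.40.200"))
```
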
07-08-2008 08:48 PM
Hi Josh,
I will take that onboard...
Meanwhile I haven't been able to try the above suggestions, but I will as soon as I find some time.
All the help here is appreciated!
Thanks,
George