rossmar asked:

No internet access with Cisco Router

I have a Cisco 1811 Integrated Services Router which has been in operation for over a year.  It also provides VPN access for the Cisco dialer VPN and three small remote offices with PIX 501s connected back to the main office.  All worked well, except I discovered the outbound e-mail came from an incorrect IP address.  I did not want to change the public DNS records. To correct this address problem I applied a number of changes to make sure the SMTP traffic came from the correct address.  Everything works for inbound services, web mail, VPN access.  The e-mail messages do show the correct IP address. The problem is no one on the inside network can reach the internet.  The exception is the server at 192.168.10.111 (the mail server), which can access the internet over port 80 and also send e-mail from port 25.  Attached is the configuration as it is now applied.  I have another office with an ISR and a similar configuration (it doesn't have the spoke VPNs from remote offices) and it works OK.  What do I need to add to this configuration to allow outbound internet traffic?
MainChngesNoOutbound.TXT
JFrederick29

Add this:

conf t
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Les Moore

>ip nat inside source list 100 interface FastEthernet0 overload
But, you do not even have acl 100 defined.

access-list 100 deny ip host 192.168.10.111 any
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

interface FastEthernet0
 ip address 24.227.206.180 255.255.255.248 secondary  <== you don't need this. I would remove it.
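Why the deny lines in a NAT source list matter: in IOS a deny in the access list named by `ip nat inside source list` means "do not translate this flow", not "drop it". The following is an added example, not code from either poster, that parses Les Moore's access-list 100 above and evaluates constructed sample flows (the 192.168.11.20 remote-office host and the 192.168.20.5 host are assumed values) to show which traffic is exempted from overload PAT.

```python
import ipaddress

# Les Moore's proposed access-list 100, copied from the post above.
ACL_100 = """\
access-list 100 deny ip host 192.168.10.111 any
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'.
    Wildcard masks are Cisco style (1 bits = don't care); assumed contiguous."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard_bits = int(ipaddress.ip_address(tokens[1])).bit_length()
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard_bits}", strict=False)
    return net, tokens[2:]

def parse_acl(text):
    """Parse 'access-list N <permit|deny> ip <src> <dst>' lines into (action, src, dst)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, rest = tokens[2], tokens[4:]
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def nat_decision(acl, src_ip, dst_ip):
    """First match wins, as on IOS. In a NAT source list, permit means
    'translate' (overload PAT to the interface address) and deny means
    'leave untranslated'; the implicit deny at the end also means no translation."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return "translate" if action == "permit" else "no-nat"
    return "no-nat"

ACL = parse_acl(ACL_100)

if __name__ == "__main__":
    for flow in [("192.168.10.50", "74.125.95.147"),    # LAN host to the Internet
                 ("192.168.10.50", "192.168.11.20"),    # LAN host to a remote office over the VPN
                 ("192.168.10.111", "74.125.95.147")]:  # mail server: left to its own static entry
        print(flow, nat_decision(ACL, *flow))
```

The mail server is excluded from the dynamic list so that its separate static translation to 24.227.206.180 (the `--- 24.227.206.180 192.168.10.111` entry seen later in the thread) is the one that applies.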

rossmar (ASKER)

Thanks for the fast response.  I had made changes to ACL 100 and ended up without one.  However, entering the lines per JFrederick did not correct it.  When I tried the JMoore lines I got an error when I tried to add the ip nat inside source list line; it gave me the message that dynamic mapping active, cannot change.  In any case I will need to work from the console of the router because I may want to start the config over from scratch.  However, it may be best to show you the configuration from which I started working.  Everything worked in this configuration except my e-mails show as coming from the router's address of 24.227.206.178 instead of the IP address 24.227.206.180, which is what I need.  Perhaps there is a better approach to this problem than the one I attempted.  I am attaching that original configuration.

Again thanks for the responses.
Main1-21-09.TXT
SOLUTION (Les Moore)
rossmar (ASKER)

I will be trying that this PM.
Thanks.
rossmar (ASKER)

Your configuration addition has worked in every way I could test it and the e-mail shows the correct IP address.  The only thing I could not test were the VPN connections from the remote offices connecting with the PIX 501s.  I will know that in the morning.

Thanks for your help.
rossmar (ASKER)

Well everything did work, but the remote offices connected by PIX did not. They could not access resources on the internal network.  Here is the config I had after applying your changes.  Do I need to add lines to the ACL split?


Main01-26-09.TXT
ASKER CERTIFIED SOLUTION (JFrederick29)

rossmar (ASKER)

Pardon my lack of understanding.  The dialer VPN connections with the Cisco VPN client did work, but the connections from the remote PIXs didn't.  Is there a reason why the NATing is different for these two similar types of connections?

Thanks again.
JFrederick29

No, not really.  What isn't working?  Were they working before?
rossmar (ASKER)

With the configuration I posted this morning (Main01-26-09) the following worked: E-mail correctly showed as coming from 24.227.206.180, remote admin of the server from outside worked, FTP and Web access to the server from outside worked, access to the internet from the internal network worked, and the Cisco VPN dialer client worked.  What did not work was the VPN access from the remote offices via the PIX to main office router.

With the config I posted first (MainChngesNoOutbound) all the above worked except there was no outbound traffic allowed to the internet from the internal network.  The exception was the server at 192.168.10.111 (the e-mail/DNS/WINS server), which could browse the internet with port 80, but could not ping the internet. I had a report that the remote offices could connect, but I did not completely verify that with the other sites.

With my original configuration (Main1-21-09) everything worked, except e-mail showed as coming from 24.227.206.178 instead of 24.227.206.180, which was my original problem.

So with each configuration I've had a different problem.
rossmar (ASKER)

OK.  I started with my Main1-21-09 config, added the lrmoore lines of 1-25 and then the JFrederick lines of 1-27.  I ended up with the attached config.  All seems to be working.  My only question concerns what limits the types of traffic to 192.168.10.111 to SMTP, Remote Admin, SMTP, and HTTP?

Thanks for all the help with this question.

Ross
JFrederick29

Access-list 198 applied inbound on the FastEthernet0 interface is restricting the access.
rossmar (ASKER)

Starting with config Main1-21-09 and adding the changes I noted above, I did not have an access list 198.  I am assuming I should add back in ACL 196, ACL 198, ACL 199 and basically add to the config MainChngesNoOutbound, then make the additions you recommended.
rossmar (ASKER)

I started with the config I had originally posted (MainChngesNoOutbound), added LRMoore changes, added JFrederick29 changes and came up with the attached config.  With this config I have no internet from the internal network.

I probably have misinterpreted your suggestions. If you make suggestions, please cite which config to use as the starting point.
MainStillNoInternet.txt
JFrederick29

Looks good except for access-list 198 blocking all traffic to the outside interface.

Do this:

conf t
ip access-list ext 198
no deny ip any host 24.227.206.180
no permit ip any any
permit udp any eq 53 any
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded

This allows DNS replies and the ability to ping from inside but denies everything else.  The other statements in 198 allow traffic to the server and the tcp established rule allows return TCP traffic.
JFrederick29

Oops, never mind.  Disregard my last post.  Thought the .180 address was the F0 interface IP.
rossmar (ASKER)

I'm kinda back where I started - one choice being e-mail coming from the wrong IP or the problem corrected, but no internet access from the inside.  What is odd is that PIXs or ASAs with static (inside, outside) statements do direct SMTP traffic out the correct IP.  It seems to be much more difficult with the routers.

Thanks again.
JFrederick29

I don't see anything wrong with your last config "MainStillNoInternet.txt" posted 1/28.  The email server should appear to the Internet as 24.227.206.180 and the 192.168.10.0/24 subnet should have Internet access (translated to 24.227.206.178).  Can you post an "ipconfig /all" from the 192.168.10.x PC you are testing from and also the following output from a command prompt on the PC:

ping www.google.com
ping 74.125.95.147
telnet www.google.com 80
telnet 74.125.95.147 80

When using those commands on the PC, do the following on the router:

show ip nat t | i 192.168.10.x

Where 192.168.10.x is the IP of the PC you are testing with.
rossmar (ASKER)

OK.  I did the following:  I returned to the config I had most recently posted, however, I eliminated ACL 1.

Here are the results:
Inbound and outbound e-mail works as long as it is to a DNS cached destination on the outbound.
Access to the 192.168.10.111 server works over port 80, 3389, and 21. This is the WINS/DNS server for the network.
Dialer VPN works.  Access from the remote sites work.
From the 192.168.10.111 server I cannot ping the internet nor get DNS from the external DNS hosts.
New things:
I can access the internet via port 80 if I know the IP address, but cannot get IP addresses from 192.168.10.111.
I can ping the internet from another host (192.168.10.50).  I can connect to the internet via port 80 if I know the IP address.
So it looks like I have internet access on hosts except for 192.168.10.111, but I do have access using at least port 80 and port 3389 (same ports on the inbound access list). Since I don't have access over port 53, I'm not getting DNS.

Here are screens from Show IP T: (from 192.168.10.111)

udp 24.227.206.180:1038 192.168.10.111:1038 4.2.2.2:53       4.2.2.2:53
udp 24.227.206.180:1038 192.168.10.111:1038 24.28.131.62:53  24.28.131.62:53
udp 24.227.206.180:1038 192.168.10.111:1038 24.28.131.63:53  24.28.131.63:53
tcp 24.227.206.180:3389 192.168.10.111:3389 66.162.88.196:61405 66.162.88.196:61405
tcp 24.227.206.180:34931 192.168.10.111:34931 74.125.95.147:80 74.125.95.147:80
--- 24.227.206.180     192.168.10.111     ---                ---

AND from 192.168.10.50
icmp 24.227.206.178:512 192.168.10.50:512 74.125.95.147:512  74.125.95.147:512
tcp 24.227.206.178:4834 192.168.10.50:4834 8.14.192.48:80    8.14.192.48:80
tcp 24.227.206.178:4864 192.168.10.50:4864 74.125.95.147:80  74.125.95.147:80

Attached is the config that gave the described results.
So it now appears we only have the internet access problem from 192.168.10.111.  This is different from my first post where I had no internet access.

Thanks.
Main1-31-09.txt
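A small parser for the `show ip nat translations` output pasted above, added here as an example and not part of either poster's material: it reports which public address each inside host is actually being translated to and flags rows that break the intended policy (mail server out via 24.227.206.180, everyone else via 24.227.206.178). The sample table is constructed from the asker's rows plus one assumed SMTP row to 203.0.113.25 that shows what the original symptom would look like.

```python
from collections import defaultdict

# Constructed sample in the column order of "show ip nat translations":
# Pro  Inside global  Inside local  Outside local  Outside global.
# The first five rows mirror the asker's paste; the last row is an assumed SMTP
# flow illustrating the original symptom (mail leaving from .178 instead of .180).
NAT_TABLE = """\
udp 24.227.206.180:1038 192.168.10.111:1038 4.2.2.2:53       4.2.2.2:53
tcp 24.227.206.180:34931 192.168.10.111:34931 74.125.95.147:80 74.125.95.147:80
--- 24.227.206.180     192.168.10.111     ---                ---
icmp 24.227.206.178:512 192.168.10.50:512 74.125.95.147:512  74.125.95.147:512
tcp 24.227.206.178:4834 192.168.10.50:4834 8.14.192.48:80    8.14.192.48:80
tcp 24.227.206.178:1050 192.168.10.111:1050 203.0.113.25:25  203.0.113.25:25
"""

def split_endpoint(field):
    """'1.2.3.4:53' -> ('1.2.3.4', 53); a bare address or '---' -> (field, None)."""
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None

def parse_nat_table(text):
    """Return one dict per translation row; header and wrapped lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, ig, il, _ol, og = parts
        rows.append({
            "proto": "static" if proto == "---" else proto,
            "inside_global": split_endpoint(ig)[0],
            "inside_local": split_endpoint(il)[0],
            "outside_global": split_endpoint(og)[0],
            "outside_port": split_endpoint(og)[1],
        })
    return rows

def egress_report(rows):
    """Which public address(es) each inside host has actually been translated to."""
    report = defaultdict(set)
    for r in rows:
        report[r["inside_local"]].add(r["inside_global"])
    return {host: sorted(addrs) for host, addrs in report.items()}

def policy_violations(rows, expected, default):
    """Rows whose inside-global address differs from the intended one.
    expected maps inside hosts to their required public address; other hosts must use default.
    A row only proves the outbound packet was translated, not that replies are let back in."""
    bad = []
    for r in rows:
        want = expected.get(r["inside_local"], default)
        if r["inside_global"] != want:
            bad.append((r["inside_local"], r["inside_global"], r["proto"], r["outside_port"]))
    return bad
```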
SOLUTION (JFrederick29)
rossmar (ASKER)

It appears all is working now.  Thanks for the help.
rossmar (ASKER)

I ultimately needed the input from both of you.  I appreciate your sticking with this complex issue.