Solved

Cisco 3925E can't access Internet from Gigabit internal interface

Posted on 2014-03-12
Last Modified: 2014-03-26
Verizon is setting up a new Dedicated Ethernet line. I have an HWIC two-port card that I purchased to connect to the WAN point-to-point. They provided me with testing IPs and also with a sample configuration that I have worked with.
The issue is that I am unable to access anything from the secure interface GB0/0 to the public FE0/0/0.
The router itself has no issues; I can ping and resolve any remote address. This is done from the console.

Here is the config.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sentinel
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
crypto pki trustpoint TP-self-signed-1597241955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1597241955
 revocation-check none
 rsakeypair TP-self-signed-1597241955
!
!
crypto pki certificate chain TP-self-signed-1597241955
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip cef
!
!
!
ip dhcp excluded-address 192.100.100.254
!
ip dhcp pool ccp-pool
 import all
 network 192.100.100.0 255.255.255.0
 default-router 192.100.100.254
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 198.6.100.125
ip name-server 198.6.1.60
ip inspect name KAY_INSPECT dns
ip inspect name KAY_INSPECT ftp
ip inspect name KAY_INSPECT h323
ip inspect name KAY_INSPECT https
ip inspect name KAY_INSPECT icmp
ip inspect name KAY_INSPECT imap
ip inspect name KAY_INSPECT pop3
ip inspect name KAY_INSPECT netshow
ip inspect name KAY_INSPECT rcmd
ip inspect name KAY_INSPECT realaudio
ip inspect name KAY_INSPECT rtsp
ip inspect name KAY_INSPECT sqlnet
ip inspect name KAY_INSPECT streamworks
ip inspect name KAY_INSPECT tftp
ip inspect name KAY_INSPECT tcp
ip inspect name KAY_INSPECT udp timeout 240
ip inspect name KAY_INSPECT vdolive
ip inspect name FTP ftp
ip ips deny-action ips-interface
ip ips notify SDEE
no ipv6 cef
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn FOC17380S37
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 65.222.147.85 255.255.255.252
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INT_LAN
 ip address 192.100.100.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description WAN
 no ip address
 ip access-group 101 in
 no ip redirects
 ip nat outside
 ip inspect FTP in
 ip inspect KAY_INSPECT out
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 29
 ip address 152.179.172.194 255.255.255.252
!
interface FastEthernet0/0/1
 no ip address
 duplex auto
 speed auto
!
router rip
 version 2
 redistribute static
 redistribute odr
 network 192.100.100.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool POOL_NAT 65.222.147.85 65.222.147.85 netmask 255.255.255.252
ip nat inside source list 102 pool POOL_NAT overload
ip route 0.0.0.0 0.0.0.0 152.179.172.193
!
access-list 100 remark Inside-Out
access-list 100 deny   ip 152.179.172.192 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark Outside-In
access-list 101 permit tcp any host 152.179.172.194 eq telnet
access-list 101 permit udp any host 152.179.172.194 eq non500-isakmp
access-list 101 permit udp any host 152.179.172.194 eq isakmp
access-list 101 permit esp any host 152.179.172.194
access-list 101 permit ahp any host 152.179.172.194
access-list 101 deny   ip 192.100.100.0 0.0.0.255 any
access-list 101 permit icmp any host 152.179.172.194 echo-reply
access-list 101 permit icmp any host 152.179.172.194 time-exceeded
access-list 101 permit icmp any host 152.179.172.194 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 102 deny   ip 192.100.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.100.100.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Question by:dtech39
Accepted Solution

by: TimotiSt earned 500 total points
ID: 39924559
For starters, I'd say put the
ip nat outside
statement under interface FastEthernet0/0/0.1, not the physical interface.

Do you own the 192.100.100.0/24 network? If not, you'll want to consider moving to a subnet under 192.168.0.0/16. (Based on a simple lookup, 192.100.100 belongs to the US DoD, but I might be wrong.)

Tamas
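
The misplacement described in this answer can be checked for mechanically. The following is an added example, not part of the original thread: it flags `ip nat inside|outside` on an interface that has no IP address while one of its subinterfaces holds the address. The sample is a constructed excerpt of the posted configuration, and the function names are hypothetical.

```python
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.100.100.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0/0
 no ip address
 ip nat outside
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 29
 ip address 152.179.172.194 255.255.255.252
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} from IOS-style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def misplaced_nat(config):
    """Return (parent, nat_cmd, addressed_subifs) for NAT set on an unaddressed parent."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, cmds in interfaces.items():
        nat = [c for c in cmds if re.fullmatch(r"ip nat (inside|outside)", c)]
        has_ip = any(c.startswith("ip address ") for c in cmds)
        if not nat or has_ip or "." in name:
            continue
        subifs = [s for s, sc in interfaces.items()
                  if s.startswith(name + ".")
                  and any(c.startswith("ip address ") for c in sc)
                  and not any(c.startswith("ip nat ") for c in sc)]
        if subifs:
            findings.append((name, nat[0], subifs))
    return findings

if __name__ == "__main__":
    print(misplaced_nat(SAMPLE_CONFIG))
```
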
Author Comment

by:dtech39
ID: 39924777
OMG you are a master!!! I've been working on this for two days and thought the physical interface is what you set this on. Thank you very much.

Well, I do not own that subnet; it is used within the company as internal, so that's why.