Solved

Cisco 3925E can't access Internet from Gigabit internal interface

Posted on 2014-03-12
Last Modified: 2014-03-26
Verizon is setting up a new Dedicated Ethernet line. I have a two-port HWIC card that I purchased to connect to the WAN point-to-point. They provided me with test IPs and also with a sample configuration that I have worked from.
The issue is that I am unable to access anything from the secure interface GB0/0 to the public FE0/0/0.
The router itself has no issues; I can ping and resolve any remote address. This is done from the console.

Here is the config.

version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sentinel
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
crypto pki trustpoint TP-self-signed-1597241955
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1597241955
 revocation-check none
 rsakeypair TP-self-signed-1597241955
!
!
crypto pki certificate chain TP-self-signed-1597241955
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
ip cef
!
!
!
ip dhcp excluded-address 192.100.100.254
!
ip dhcp pool ccp-pool
 import all
 network 192.100.100.0 255.255.255.0
 default-router 192.100.100.254
 lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 198.6.100.125
ip name-server 198.6.1.60
ip inspect name KAY_INSPECT dns
ip inspect name KAY_INSPECT ftp
ip inspect name KAY_INSPECT h323
ip inspect name KAY_INSPECT https
ip inspect name KAY_INSPECT icmp
ip inspect name KAY_INSPECT imap
ip inspect name KAY_INSPECT pop3
ip inspect name KAY_INSPECT netshow
ip inspect name KAY_INSPECT rcmd
ip inspect name KAY_INSPECT realaudio
ip inspect name KAY_INSPECT rtsp
ip inspect name KAY_INSPECT sqlnet
ip inspect name KAY_INSPECT streamworks
ip inspect name KAY_INSPECT tftp
ip inspect name KAY_INSPECT tcp
ip inspect name KAY_INSPECT udp timeout 240
ip inspect name KAY_INSPECT vdolive
ip inspect name FTP ftp
ip ips deny-action ips-interface
ip ips notify SDEE
no ipv6 cef
!
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn FOC17380S37
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 65.222.147.85 255.255.255.252
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INT_LAN
 ip address 192.100.100.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description WAN
 no ip address
 ip access-group 101 in
 no ip redirects
 ip nat outside
 ip inspect FTP in
 ip inspect KAY_INSPECT out
 ip virtual-reassembly in
 duplex full
 speed 100
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 29
 ip address 152.179.172.194 255.255.255.252
!
interface FastEthernet0/0/1
 no ip address
 duplex auto
 speed auto
!
router rip
 version 2
 redistribute static
 redistribute odr
 network 192.100.100.0
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool POOL_NAT 65.222.147.85 65.222.147.85 netmask 255.255.255.252
ip nat inside source list 102 pool POOL_NAT overload
ip route 0.0.0.0 0.0.0.0 152.179.172.193
!
access-list 100 remark Inside-Out
access-list 100 deny   ip 152.179.172.192 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark Outside-In
access-list 101 permit tcp any host 152.179.172.194 eq telnet
access-list 101 permit udp any host 152.179.172.194 eq non500-isakmp
access-list 101 permit udp any host 152.179.172.194 eq isakmp
access-list 101 permit esp any host 152.179.172.194
access-list 101 permit ahp any host 152.179.172.194
access-list 101 deny   ip 192.100.100.0 0.0.0.255 any
access-list 101 permit icmp any host 152.179.172.194 echo-reply
access-list 101 permit icmp any host 152.179.172.194 time-exceeded
access-list 101 permit icmp any host 152.179.172.194 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 102 deny   ip 192.100.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.100.100.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
!
!
!
control-plane
!
!
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Question by:dtech39
2 Comments
 
LVL 17

Accepted Solution

by:
TimotiSt earned 500 total points
ID: 39924559
For starters, I'd say put the

ip nat outside

statement under interface FastEthernet0/0/0.1, not the physical interface.

Do you own the 192.100.100.0/24 network? If not, you'll want to consider moving to a subnet under 192.168.0.0/16. (Based on a simple lookup, 192.100.100 belongs to the US DoD, but I might be wrong.)

Tamas
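As an added example, not part of the original thread, here is a small Python lint that applies the two points in the accepted answer to interface stanzas copied from the posted config. It flags a NAT role (ip nat inside/outside) on an unnumbered physical interface whose address actually lives on a dot1Q subinterface, and an inside network that is not RFC 1918 space. The BEFORE and AFTER configs embedded in it are constructed from the post's stanzas; AFTER shows the corrected placement plus a renumbering into 192.168.100.0/24, which is an assumption of the example, as are the parsing rules and function names.

```python
"""
Lint Cisco IOS interface stanzas for the two NAT problems raised in the
accepted answer. Added example; not from the original post.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Private ranges from RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed from the interface stanzas in the posted config (trimmed to the
# lines that matter). 'ip nat outside' sits on the physical Fa0/0/0, which
# carries no address; the WAN address is on Fa0/0/0.1.
BEFORE = """\
interface GigabitEthernet0/0
 description INT_LAN
 ip address 192.100.100.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0/0
 description WAN
 no ip address
 ip nat outside
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 29
 ip address 152.179.172.194 255.255.255.252
!
"""

# The same stanzas with both suggestions from the answer applied: NAT outside
# moved to the subinterface, LAN renumbered into 192.168.0.0/16 (assumed).
AFTER = """\
interface GigabitEthernet0/0
 description INT_LAN
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0/0
 description WAN
 no ip address
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 29
 ip address 152.179.172.194 255.255.255.252
 ip nat outside
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface NAME' stanza to its list of indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return stanzas


def address_of(cmds: List[str]) -> Optional[ipaddress.IPv4Interface]:
    """Primary IPv4 address of a stanza, or None ('no ip address' does not match)."""
    for c in cmds:
        m = re.match(r"ip address (\d[\d.]*) (\d[\d.]*)", c)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return None


def nat_roles(cmds: List[str]) -> List[str]:
    """NAT roles ('inside'/'outside') configured on a stanza."""
    return [c.split()[2] for c in cmds if c in ("ip nat inside", "ip nat outside")]


def lint(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    stanzas = parse_interfaces(config)
    findings = []
    for name, cmds in stanzas.items():
        roles = nat_roles(cmds)
        if not roles:
            continue
        addr = address_of(cmds)
        if addr is None:
            # NAT is evaluated on the (sub)interface the packet is routed
            # through, so a role on the unnumbered parent is not applied to
            # traffic using the addressed subinterface.
            subs = [s for s in stanzas
                    if s.startswith(name + ".") and address_of(stanzas[s]) is not None]
            if subs:
                findings.append(f"{name}: 'ip nat {roles[0]}' is on the unnumbered physical "
                                f"interface; move it under {subs[0]}")
        elif "inside" in roles and not any(addr.ip in net for net in RFC1918):
            findings.append(f"{name}: inside network {addr.network} is not RFC 1918 space; "
                            "confirm the organisation owns it or renumber")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {lint(cfg) or ['ok']}")
```

On the router itself, `show ip nat statistics` lists the inside and outside interfaces NAT is actually bound to, which is the quickest way to confirm the role landed on the subinterface, and `show ip nat translations` should start filling once LAN hosts send traffic.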
 

Author Comment

by:dtech39
ID: 39924777
OMG, you are a master!!! I've been working on this for two days and thought the physical interface is where you set this. Thank you very much.

Well, I do not own that subnet; it is used within the company as internal, so that's why.