Solved

Cisco 2901K9 will not NAT internet traffic; not passing traffic in or out

Posted on 2014-03-20
617 Views
Last Modified: 2014-03-24
I have a 2901K9 router with the attached config.

My issue is that it now does not connect the VPN or indeed allow internet/web traffic into the local network.

stumped.

Thanks

Matthew
r1config.txt
Question by:Maphew
17 Comments

Expert Comment

by:Don Johnston
ID: 39943683
You don't have NAT configured.

ip nat inside source list 1 int g0/1 overload
access-list 1 permit 192.168.10.0 0.0.1.255
access-list 1 permit 192.168.250.0 0.0.0.255

Author Comment

by:Maphew
ID: 39943860
Thanks for your response. I just amended the config with your suggestion; still not working.

Expert Comment

by:TCP_179
ID: 39944001
Delete your last NAT and ACL commands but keep your existing interface NAT config

Copy and paste the following into a global configuration prompt:

access-list 101 deny ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
access-list 101 permit ip 192.168.10.0 0.0.1.255 any
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
ip nat inside source list 101 int gi0/1 overload

Expert Comment

by:Don Johnston
ID: 39944068
TCP_179: How is your config functionally any different from the one I posted?

Author Comment

by:Maphew
ID: 39946427
Sorry, which config is the preferred way?

Accepted Solution

by:Don Johnston (earned 300 total points)
ID: 39946524
Use the standard ACL.  There's absolutely no benefit to using an extended ACL.

Also, trim your config down to the minimum. Remove any VPN configurations, etc.

Finally, you have what could be conflicting default routes. Remove the one that references the outside interface.  Keep ONLY the one that has a next hop address.

Author Comment

by:Maphew
ID: 39946540
Thank you donjohnston, but I need the VPN there as it is used for hosted desktops.

The only config I need is for all users behind network 192.168.10.0/23 to NAT out to the internet.
These users should be able to connect to hosted desktops.

The NAT inbound is only for 3 ports: RDP 3389, TCP port 6200 and TCP port 554.

Which is the default route you suggest to delete? The one ending gigabitethernet0/1?

Thank you for your time

Expert Comment

by:Don Johnston
ID: 39946571
Yes, delete the route that uses the interface.

When troubleshooting, sometimes it helps to remove extraneous info from the config.

Author Comment

by:Maphew
ID: 39946580
that worked!!!!!  Thank you

Expert Comment

by:TCP_179
ID: 39948083
My solution would have worked, and the extended ACL was meant to exempt NAT when the destination was that of another subnet over the VPN, donjohnston.

There was absolutely no reason to remove the VPN configuration.

Expert Comment

by:TCP_179
ID: 39948085
Now when Maphew adds his VPN configuration back it will again not work...

Expert Comment

by:TCP_179
ID: 39948222
Matthew,

I'm going to supply proof that my solution would have indeed solved your problem without the unnecessary deletion of your VPN configuration.

First, here is a diagram of the lab.

VPN LAB

Expert Comment

by:TCP_179
ID: 39948230
Here is R2's configuration; only the important output is posted here. Below you will notice that pings to the internet and fa0/0 of R3 are successful; however, due to the lack of a NAT exemption, a ping to the subnet over the tunnel is not successful.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 10.0.0.6
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.0.6
 set transform-set aesset
 match address ACL_VPN

interface Loopback2
 ip address 10.20.0.2 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map aesmap

ip access-list standard NAT_ACL
 permit 10.20.0.2 0.0.0.0

!
ip access-list extended ACL_VPN
 permit ip host 10.20.0.2 host 10.30.0.3


R2#ping
Protocol [ip]:
Target IP address: 10.0.0.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/64 ms
R2#
R2#
R2#
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.254, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/32/44 ms
R2#
R2#
R2#
R2#ping
Protocol [ip]:
Target IP address: 10.30.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.3, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
.....
Success rate is 0 percent (0/5)

Expert Comment

by:TCP_179
ID: 39948232
Now, here's where we use an Extended ACL and add a NAT exemption to prevent the IPsec tunnel traffic from being translated to the outside ip address:

R2(config)#do show ip access-list
Standard IP access list NAT_ACL
    10 permit 10.20.0.2 (4 matches)
Extended IP access list ACL_VPN
    10 permit ip host 10.20.0.2 host 10.30.0.3 (28 matches)
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#no ip access-list standard NAT_ACL
R2(config)#
R2(config)#
R2(config)#ip access-list extended NAT_ACL
R2(config-ext-nacl)#deny ip 10.20.0.2 0.0.0.0 10.30.0.3 0.0.0.0
R2(config-ext-nacl)#permit ip 10.20.0.2 0.0.0.0 any
R2(config-ext-nacl)#end
R2#
R2#
R2#pi
*Mar  1 00:32:39.383: %SYS-5-CONFIG_I: Configured from console by console
R2#ping
Protocol [ip]:
Target IP address: 10.30.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.3, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/63/88 ms
R2#

Expert Comment

by:TCP_179
ID: 39948240
Matthew, I hope you follow my advice, Sir. I will also upload my lab files for you to examine at your convenience. Have a good weekend, and please feel free to contact me any time you have any issues. SEE ATTACHED FOR LAB AND CONFIGS

NOTE: Due to not being able to upload .cfg and .net files, I changed any of these file types to .txt. If you wish to run the lab in GNS3, please change topology.txt to topology.net, and change all files in the configs folder to .cfg, thank you.
VPN-NAT.zip

Author Comment

by:Maphew
ID: 39951269
Thank you TCP_179 for the detailed support; you were correct on the re-adding of the VPN.
Can you explain again why this issue reappeared?
I am using CCP to create the VPN but it detects my previous NAT rules.

Thank you again
CCP-vpn.png

Expert Comment

by:TCP_179
ID: 39952488
Sure, the NAT rules that you were told to use translated your private LANs whether they went over the VPN or not, no matter the destination. That is why when I presented the solution to you I used an extended ACL to deny the "interesting" traffic, or simply your VPN subnet, from being translated when going over the VPN tunnel, and then permitted the same subnet, including your other LAN subnet, to be translated when going to any destination.
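The NAT-exemption behaviour that TCP_179 demonstrates in the R2 lab above and explains in this last reply, as an added Python model that is not part of the thread and not Cisco IOS code: it evaluates the thread's standard NAT ACL and the extended NAT ACL (deny VPN-bound flows first, then permit the LANs to any) with Cisco wildcard-mask, first-match semantics against a few constructed flows, and adds the check a practitioner wants, namely that no flow the crypto ACL classes as interesting is also permitted by the NAT ACL. The 192.168.10.0/23, 192.168.250.0/24 and 10.98.136.0/23 networks are the ones posted in the thread; the outside address 203.0.113.10, the sample hosts and the function names are constructed for this example.

```python
"""Model of how an IOS 'ip nat inside source list <acl> ... overload' decision
depends on the referenced ACL: a standard ACL (source-only match) translates
every flow, while an extended ACL can carry a NAT exemption for VPN traffic."""
import ipaddress
from dataclasses import dataclass


def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(network) & care)


@dataclass(frozen=True)
class AclEntry:
    action: str                       # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"              # destination defaults to 'any'
    dst_wc: str = "255.255.255.255"


def acl_permits(entries, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit 'deny any' IOS appends.
    A standard ACL is simply a list whose destinations are all 'any'."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def nat_source(nat_acl, src: str, dst: str, outside_ip: str) -> str:
    """Source address the packet leaves with: the outside interface address
    when the NAT ACL permits the flow, otherwise the original inside address."""
    return outside_ip if acl_permits(nat_acl, src, dst) else src


# ACLs reconstructed from the thread (inside networks 192.168.10.0/23 and
# 192.168.250.0/24, remote VPN subnet 10.98.136.0/23 are from the posts).
STANDARD_NAT_ACL = [
    AclEntry("permit", "192.168.10.0", "0.0.1.255"),
    AclEntry("permit", "192.168.250.0", "0.0.0.255"),
]
EXTENDED_NAT_ACL = [
    AclEntry("deny", "192.168.10.0", "0.0.1.255", "10.98.136.0", "0.0.1.255"),  # NAT exemption
    AclEntry("permit", "192.168.10.0", "0.0.1.255"),
    AclEntry("permit", "192.168.250.0", "0.0.0.255"),
]
# Crypto ACL ('match address' on the crypto map): the tunnel's interesting traffic.
CRYPTO_ACL = [
    AclEntry("permit", "192.168.10.0", "0.0.1.255", "10.98.136.0", "0.0.1.255"),
]
OUTSIDE_IP = "203.0.113.10"   # constructed placeholder for the g0/1 WAN address


def exemption_gaps(nat_acl, crypto_acl, sample_flows):
    """Consistency check: any flow the crypto ACL classes as interesting must
    NOT be permitted by the NAT ACL, or it is translated before encryption and
    no longer matches the tunnel. Returns the offending (src, dst) flows."""
    return [(s, d) for s, d in sample_flows
            if acl_permits(crypto_acl, s, d) and acl_permits(nat_acl, s, d)]


SAMPLE_FLOWS = [  # constructed: (inside host, destination)
    ("192.168.10.25", "10.98.137.40"),   # LAN host to a hosted desktop over the VPN
    ("192.168.11.7", "198.51.100.7"),    # upper half of the /23 to the internet
    ("192.168.250.9", "10.98.136.5"),    # second LAN, not in the crypto ACL, to the VPN subnet
    ("192.168.12.1", "198.51.100.7"),    # outside the /23: never translated
]


if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>15} -> {dst:<15} standard: "
              f"{nat_source(STANDARD_NAT_ACL, src, dst, OUTSIDE_IP):<15} "
              f"extended: {nat_source(EXTENDED_NAT_ACL, src, dst, OUTSIDE_IP)}")
    print("VPN-interesting flows translated by the standard ACL:",
          exemption_gaps(STANDARD_NAT_ACL, CRYPTO_ACL, SAMPLE_FLOWS))
    print("VPN-interesting flows translated by the extended ACL:",
          exemption_gaps(EXTENDED_NAT_ACL, CRYPTO_ACL, SAMPLE_FLOWS))
```

Running it shows the VPN-bound flow from 192.168.10.25 leaving with the outside address under the standard ACL (so it never matches the crypto ACL) and untouched under the extended one, while internet-bound flows are translated either way; the `exemption_gaps` check is the quick way to confirm that a NAT ACL's deny lines mirror the crypto ACL's permit lines before the change is pushed to a router.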