Solved

Cisco 2901 K9 will not NAT internet traffic; not passing traffic in or out

Posted on 2014-03-20
Last Modified: 2014-03-24
I have a 2901 K9 router that has the attached config.

My issue is that it now does not connect the VPN, or indeed allow internet/web traffic into the local network.

stumped.

Thanks

Matthew
r1config.txt
Question by:Maphew
17 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39943683
You don't have NAT configured.

ip nat inside source list 1 int g0/1 overload
access-list 1 permit 192.168.10.0 0.0.1.255
access-list 1 permit 192.168.250.0 0.0.0.255
 

Author Comment

by:Maphew
ID: 39943860
Thanks for your response. I just amended the config with your suggestion; it is still not working.
 
LVL 1

Expert Comment

by:TCP_179
ID: 39944001
Delete your last NAT and ACL commands but keep your existing interface NAT config

Copy and paste the following into a global configuration prompt:

access-list 101 deny ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
access-list 101 permit ip 192.168.10.0 0.0.1.255 any
access-list 101 permit ip 192.168.250.0 0.0.0.255 any
ip nat inside source list 101 int gi0/1 overload

 
LVL 50

Expert Comment

by:Don Johnston
ID: 39944068
TCP_179: How is your config functionally any different from the one I posted?
 

Author Comment

by:Maphew
ID: 39946427
Sorry, which config is the preferred way?
 
LVL 50

Accepted Solution

by:
Don Johnston earned 1200 total points
ID: 39946524
Use the standard ACL.  There's absolutely no benefit to using an extended ACL.

Also, trim your config down to the minimum. Remove any VPN configurations, etc.

Finally, you have what could be conflicting default routes. Remove the one that references the outside interface.  Keep ONLY the one that has a next hop address.
 

Author Comment

by:Maphew
ID: 39946540
Thank you donjohnston, but I need the VPN there as it is used for hosted desktops.

The only config I need is for all users behind network 192.168.10.0/23 to NAT out to the internet.
These users should be able to connect to hosted desktops.

The NAT inbound is only for 3 ports: RDP 3389, TCP port 6200 and TCP port 554.

Which is the default route you suggest to delete? The one ending GigabitEthernet0/1?

Thank you for your time
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39946571
Yes, delete the route that uses the interface.

When troubleshooting, sometimes it helps to remove extraneous info from the config.
 

Author Comment

by:Maphew
ID: 39946580
That worked!!!!! Thank you
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948083
My solution would have worked, and the extended ACL was meant to exempt NAT when the destination was that of another subnet over the VPN, donjohnston.

There was absolutely no reason to remove the VPN configuration.
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948085
Now when Maphew adds his VPN configuration back it will again not work...
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948222
Matthew,

I'm going to supply proof that my solution would have indeed solved your problem without the unnecessary deletion of your VPN configuration.

First, here is a diagram of the lab.

VPN LAB
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948230
Here is R2's configuration; only the important output is posted here. Below you will notice that pings to the internet and to fa0/0 of R3 are successful; however, due to the lack of a NAT exemption, a ping to the subnet over the tunnel is not successful.

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key cisco123 address 10.0.0.6
!
!
crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer 10.0.0.6
 set transform-set aesset
 match address ACL_VPN

interface Loopback2
 ip address 10.20.0.2 255.255.255.255
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map aesmap

ip access-list standard NAT_ACL
 permit 10.20.0.2 0.0.0.0

!
ip access-list extended ACL_VPN
 permit ip host 10.20.0.2 host 10.30.0.3


R2#ping
Protocol [ip]:
Target IP address: 10.0.0.6
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.6, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/46/64 ms
R2#
R2#
R2#
R2#ping
Protocol [ip]:
Target IP address: 172.16.0.254
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.254, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/32/44 ms
R2#
R2#
R2#
R2#ping
Protocol [ip]:
Target IP address: 10.30.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.3, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
.....
Success rate is 0 percent (0/5)
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948232
Now, here's where we use an Extended ACL and add a NAT exemption to prevent the IPsec tunnel traffic from being translated to the outside ip address:

R2(config)#do show ip access-list
Standard IP access list NAT_ACL
    10 permit 10.20.0.2 (4 matches)
Extended IP access list ACL_VPN
    10 permit ip host 10.20.0.2 host 10.30.0.3 (28 matches)
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#
R2(config)#no ip access-list standard NAT_ACL
R2(config)#
R2(config)#
R2(config)#ip access-list extended NAT_ACL
R2(config-ext-nacl)#deny ip 10.20.0.2 0.0.0.0 10.30.0.3 0.0.0.0
R2(config-ext-nacl)#permit ip 10.20.0.2 0.0.0.0 any
R2(config-ext-nacl)#end
R2#
R2#
R2#pi
*Mar  1 00:32:39.383: %SYS-5-CONFIG_I: Configured from console by console
R2#ping
Protocol [ip]:
Target IP address: 10.30.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.20.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.30.0.3, timeout is 2 seconds:
Packet sent with a source address of 10.20.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/63/88 ms
R2#
 
LVL 1

Expert Comment

by:TCP_179
ID: 39948240
Matthew, I hope you follow my advice, Sir. I will also upload my lab files for you to examine at your convenience. Have a good weekend, and please feel free to contact me any time you have any issues. SEE ATTACHED FOR LAB AND CONFIGS

NOTE: Due to not being able to upload .cfg and .net files, I changed any of these file types to .txt. If you wish to run the lab in GNS3, please change topology.txt to topology.net, and change all files in the configs folder to .cfg. Thank you.
VPN-NAT.zip
 

Author Comment

by:Maphew
ID: 39951269
Thank you TCP_179 for the detailed support; you were correct about re-adding the VPN.
Can you explain again why this issue reappeared?
I am using CCP to create the VPN, but it detects my previous NAT rules.

Thank you again
CCP-vpn.png
 
LVL 1

Expert Comment

by:TCP_179
ID: 39952488
Sure, the NAT rules that you were told to use translated your private LANs whether they went over the VPN or not; no matter the destination.  That is why when I presented the solution to you I used an extended ACL to deny the "Interesting" traffic, or simply your VPN subnet from being translated when going over the VPN tunnel, and then permitted the same subnet, including your other LAN subnet to be translated when going to any destination.
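To make the difference between the two NAT ACLs in this thread concrete, here is an added example (not code from the thread or from either expert): a small Python model of how IOS evaluates an access list (first match wins, implicit deny at the end, wildcard masks where a 1 bit means "don't care") applied to the standard ACL 1 and the extended ACL 101 posted above. It also goes a step beyond the thread with a `shadowed_entries` check that flags a NAT ACL whose VPN deny sits after the permit, which is the order mistake that would silently re-break the tunnel. The addresses 192.168.10.0/23, 192.168.250.0/24 and 10.98.136.0/23 are from the thread; 203.0.113.10 is a constructed Internet destination, and all function names are the example's own.

```python
"""
Added example, not from the thread: a model of IOS NAT-ACL evaluation showing
why the extended ACL exempts VPN traffic while the standard ACL translates it.
Thread addresses: 192.168.10.0/23, 192.168.250.0/24, 10.98.136.0/23.
Constructed: 203.0.113.10 as an 'Internet' destination (RFC 5737 TEST-NET-3).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any' == 0.0.0.0 255.255.255.255


@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    src: str                           # base address
    src_wild: str                      # IOS wildcard mask (1 bits = don't care)
    dst: str = ANY[0]                  # a standard ACL has no destination: 'any'
    dst_wild: str = ANY[1]


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """True when addr matches base under an IOS wildcard mask."""
    care = ~_ip(wild) & 0xFFFFFFFF     # the bits the router actually compares
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_lookup(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    """First matching entry wins; None stands for the implicit deny at the end."""
    for entry in acl:
        if wildcard_match(src, entry.src, entry.src_wild) and \
           wildcard_match(dst, entry.dst, entry.dst_wild):
            return entry
    return None


def nat_translates(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list <acl>' translates only what the ACL permits."""
    hit = acl_lookup(nat_acl, src, dst)
    return hit is not None and hit.action == "permit"


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry covers
    them, e.g. a VPN deny placed after 'permit <lan> any'."""
    def covers_field(base_a, wild_a, base_b, wild_b) -> bool:
        care_a = ~_ip(wild_a) & 0xFFFFFFFF
        return (_ip(wild_b) & care_a) == 0 and \
               (_ip(base_b) & care_a) == (_ip(base_a) & care_a)

    def covers(a: AclEntry, b: AclEntry) -> bool:
        return covers_field(a.src, a.src_wild, b.src, b.src_wild) and \
               covers_field(a.dst, a.dst_wild, b.dst, b.dst_wild)

    return [i for i, e in enumerate(acl)
            if any(covers(acl[j], e) for j in range(i))]


# Don Johnston's standard ACL 1 (destination is implicitly 'any').
ACL_1_STANDARD = [
    AclEntry("permit", "192.168.10.0", "0.0.1.255"),
    AclEntry("permit", "192.168.250.0", "0.0.0.255"),
]

# TCP_179's extended ACL 101: deny the VPN ('interesting') traffic first.
ACL_101_EXTENDED = [
    AclEntry("deny",   "192.168.10.0",  "0.0.1.255", "10.98.136.0", "0.0.1.255"),
    AclEntry("permit", "192.168.10.0",  "0.0.1.255"),
    AclEntry("permit", "192.168.250.0", "0.0.0.255"),
]

# Same entries in the wrong order: the deny is unreachable (constructed mistake).
ACL_101_MISORDERED = [ACL_101_EXTENDED[1], ACL_101_EXTENDED[0], ACL_101_EXTENDED[2]]

LAN_HOST  = "192.168.11.20"   # inside 192.168.10.0/23
VPN_HOST  = "10.98.137.9"     # remote subnet reached over the tunnel
INET_HOST = "203.0.113.10"    # constructed Internet destination

if __name__ == "__main__":
    for name, acl in (("standard ACL 1", ACL_1_STANDARD),
                      ("extended ACL 101", ACL_101_EXTENDED)):
        print(f"{name}: LAN->VPN translated? {nat_translates(acl, LAN_HOST, VPN_HOST)}, "
              f"LAN->Internet translated? {nat_translates(acl, LAN_HOST, INET_HOST)}")
    print("misordered ACL shadows entries:", shadowed_entries(ACL_101_MISORDERED))
```

With the standard ACL, a packet from the LAN to the 10.98.136.0/23 subnet is permitted by the NAT ACL and therefore translated to the outside address, so it never matches the crypto ACL and the tunnel does not carry it; with the extended ACL the deny entry returns first and the packet leaves the router untranslated. The shadow check is the thing to run after re-adding the VPN with CCP: if the tool inserts its own permit ahead of the deny, the deny is reported as index 1 and the exemption is gone again.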