TrustGroup-UAE asked:

Cisco Internet with PAT and NAT Not Working

Hi Experts!

Hope everyone is well?

I'm trying to configure our router for Internet access in one of our new offices. Our supplier has given us an Ethernet point for Internet access and we have a fixed IP address.

I have set up a home router on the link and it's working fine, so I know it's not the link that's the issue.

What I'm after is Internet connectivity and also allowing port 80 to one of our servers on the internal network from the static IP.

I can't seem to get any external connectivity at the moment. I can't ping anything external.

Can anybody see anything wrong with my attached config?

Cheers
TME
Config.txt

Last comment: TrustGroup-UAE, 8/22/2022 - Mon
Don Johnston

interface FastEthernet0/0
 description ** Outsaide Connection **
 ip address 98.152.22.154 255.255.255.252
 ip access-group 111 in
!
access-list 111 permit tcp any host 98.152.22.154 eq www


I can't seem to get any external connectivity at the moment. I can't ping anything external.

The only traffic allowed in is TCP port 80 traffic going to 98.152.22.154.  Period.  Nothing else.
You need to add some permits for other traffic.  Like ICMP echo-replies, and anything coming back from outgoing requests.

For example:
access-list 111 permit tcp any any gt 1023 established
access-list 111 permit icmp any any echo-reply
TrustGroup-UAE

ASKER
Hi Don,

Many thanks for your reply.

Sorry, I may have worded it badly. Currently I can't get connectivity from the inside to the outside, i.e. no Internet access.

Or do I need to modify the ACL to allow it?

Cheers
TME
Don Johnston

Connectivity is a two-way street.

If you are trying to communicate from the inside to a host on the outside, the returning traffic has to be able to get in.

So you need to allow the returning traffic.
TrustGroup-UAE

ASKER
Ah.

Excellent. I didn't realise that. I thought if it was sent it would return.

I'll give that a go. Is there a standard list of what needs to come back? Anywhere?

Cheers
TME
ASKER CERTIFIED SOLUTION
Don Johnston

TrustGroup-UAE

ASKER
Hi Don,

Thanks for your help again.

For testing I have added:

access-list 111 permit tcp any any
access-list 111 permit udp any any

Still nothing from the inside to the outside though :(

Any ideas?

Cheers
SI
TrustGroup-UAE

ASKER
Hi Again Don,

Just noticed ... Don't know if this is of any consequence or not ... but from a client, for example 10.2.1.99, I can ping 98.152.22.154, but from the router CLI I cannot.

Also, I can't ping the default external gateway of 98.152.22.153 from either the router or the client?

Cheers Again
TME
Don Johnston

Please post the current config.
TrustGroup-UAE

ASKER
Hi Don,

It's the same as posted earlier, but access-list 111 is now:

access-list 111 permit tcp any any
access-list 111 permit udp any any

No other changes made.

Cheers again
TME
Nico Eisma

Hi TME,

For one thing, 98.152.22.153 is not pingable from the Internet; I have tried from my end. Most likely they are blocking ICMP to this IP. You'll have to coordinate with your ISP on this.

Secondly, having your outside ACL as such:
interface FastEthernet0/0
 ip access-group 111 in
!
access-list 111 permit tcp any any
access-list 111 permit udp any any


This is very insecure, as this basically means you are allowing all kinds of incoming TCP/UDP traffic. Consider reducing it as Don has suggested.
access-list 111 permit tcp any host 98.x.x.x eq 80
access-list 111 permit icmp any host 98.x.x.x echo-reply
!
ip nat inside source static tcp 10.2.1.101 80 92.x.x.x 80 extendable


Line 1 allows only TCP 80 access to 98.x.x.x, which is then NATed to 10.2.1.101.
Line 2 allows ICMP echo-reply; do note that TCP and UDP are different from ICMP, hence the second line is needed for the ping reply to be received.
Next, test by pinging a known reachable IP like Google DNS (8.8.8.8) to check whether you are able to ping an external IP. As mentioned above, 98.152.22.153 is not pingable from the Internet.
All credit goes to Don, as he already mentioned all of this above.
TrustGroup-UAE

ASKER
Hi,

I only did the any any on the ACL for testing purposes.

Unfortunately I still can't get anything from inside to outside, so I don't think it's the ACL causing the problem.

Cheers
Si
TrustGroup-UAE

ASKER
Hi all,

Actually this is now working using:

ip access-list extended IPFW-ACL
 permit tcp any host 10.2.1.101 eq www
 permit tcp any any gt 1023 established
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log
ip access-list extended NAT-ACL
 permit ip 10.2.1.0 0.0.0.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.2.4.0 0.0.0.255 any
 permit ip 10.2.110.0 0.0.0.255 any
 permit ip 10.2.190.0 0.0.0.255 any
 permit ip 10.2.200.0 0.0.0.255 any

Many thanks to Don and Ffleisma

Cheers
TME
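As an added illustration (not code from the thread or from Cisco), here is a small Python model of how an inbound IOS extended ACL evaluates the entries of the final IPFW-ACL above against constructed return packets: HTTP and ping replies pass through the `established` and `echo-reply` entries, an unsolicited inbound connection falls to the deny, and a DNS answer (source port 53) is not matched by `eq domain`, which tests the destination port, so a source-port entry is shown alongside. It assumes the ACL is applied inbound on the outside interface, where IOS checks the ACL before NAT, so the example's web-server entry uses the public address 98.152.22.154 rather than 10.2.1.101; all packets are constructed samples.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False   # TCP ACK/RST bit set: what the IOS "established" keyword tests
    icmp: str = ""      # ICMP type keyword, e.g. "echo-reply"

PUBLIC = "98.152.22.154"   # router's outside address, taken from the thread

# Entry = (protocol, destination host or "any", extra predicate, action). "ip" matches
# any protocol; IOS walks top-down, first match wins, unmatched hits the implicit deny.
IPFW_ACL = [
    ("tcp", PUBLIC, lambda p: p.dport == 80, "permit"),            # web server (static NAT)
    ("tcp", "any", lambda p: p.dport > 1023 and p.ack, "permit"),  # gt 1023 established
    ("tcp", "any", lambda p: p.dport == 53, "permit"),             # eq domain = DEST port 53
    ("udp", "any", lambda p: p.dport == 53, "permit"),             # eq domain = DEST port 53
    ("icmp", "any", lambda p: p.icmp in ("echo-reply", "time-exceeded",
             "packet-too-big", "administratively-prohibited"), "permit"),
    ("ip", "any", lambda p: True, "deny"),                         # deny ip any any log
]
# Matches DNS *replies* (source port 53); equivalent to "permit udp any eq domain any".
DNS_REPLY_ACE = ("udp", "any", lambda p: p.sport == 53, "permit")

def evaluate(acl, pkt):
    """Decide 'permit'/'deny' for an inbound packet the way an IOS extended ACL does."""
    for proto, dst, pred, action in acl:
        if proto in ("ip", pkt.proto) and dst in ("any", pkt.dst) and pred(pkt):
            return action
    return "deny"  # implicit deny

def with_dns_reply_rule(acl=IPFW_ACL):
    """Insert the source-port entry ahead of the final deny so DNS answers get back in."""
    return acl[:-1] + [DNS_REPLY_ACE, acl[-1]]

def return_traffic_results(acl=IPFW_ACL):
    """Constructed packets arriving inbound on the outside interface. Because the
    inbound ACL is checked before NAT, their destination is the public address."""
    samples = {
        "http reply to PAT client": Packet("tcp", "203.0.113.10", PUBLIC, 80, 51000, ack=True),
        "ping reply from 8.8.8.8":  Packet("icmp", "8.8.8.8", PUBLIC, icmp="echo-reply"),
        "inbound http to server":   Packet("tcp", "203.0.113.7", PUBLIC, 40000, 80),
        "unsolicited inbound rdp":  Packet("tcp", "203.0.113.7", PUBLIC, 40000, 3389),
        "dns reply from 8.8.8.8":   Packet("udp", "8.8.8.8", PUBLIC, 53, 51001),
    }
    return {label: evaluate(acl, p) for label, p in samples.items()}
```

Calling `return_traffic_results()` shows the first three samples permitted and the last two denied; `return_traffic_results(with_dns_reply_rule())` lets the DNS answer through while the unsolicited connection stays blocked.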