Cisco Internet with PAT and NAT Not Working

Hi Experts!

Hope everyone is well?

I'm trying to configure our router for Internet access in one of our new offices. Our supplier has given us an Ethernet point for Internet access and we have a fixed IP address.

I have set up a home router on the link and it's working fine, so I know it's not the link that's the issue.

What I'm after is Internet connectivity and also allowing port 80 to one of our servers on the internal network from the static IP.

I can't seem to get any external connectivity at the moment. I can't ping anything external.

Can anybody see anything wrong with my attached config?

Cheers
TME
Config.txt
Asked by TrustGroup-UAE
Don Johnston (Instructor) commented:
interface FastEthernet0/0
 description ** Outsaide Connection **
 ip address 98.152.22.154 255.255.255.252
 ip access-group 111 in
!
access-list 111 permit tcp any host 98.152.22.154 eq www


> I cant seem to get any external connectivity at the moment. I cant ping anything external.

The only traffic allowed in is TCP port 80 traffic going to 98.152.22.154.  Period.  Nothing else.
You need to add some permits for other traffic.  Like ICMP echo-replies, and anything coming back from outgoing requests.

For example (access-list entries, applied by the existing "ip access-group 111 in" on FastEthernet0/0):
access-list 111 permit tcp any any gt 1023 established
access-list 111 permit icmp any any echo-reply
TrustGroup-UAE (Author) commented:
Hi Don,

Many thanks for your reply.

Sorry, I may have worded it badly. Currently I can't get connectivity from the inside to the outside, i.e. no Internet access.

Or do I need to modify the ACL to allow it?

Cheers
TME
Don Johnston (Instructor) commented:
Connectivity is a two-way street.

If you are trying to communicate from the inside to a host on the outside, the returning traffic has to be able to get in.

So you need to allow the returning traffic.
TrustGroup-UAE (Author) commented:
Ah.

Excellent. I didn't realise that. I thought if it was sent it would return.

I'll give that a go. Is there a standard list of what needs to come back? Anywhere?

Cheers
TME
Don Johnston (Instructor) commented:
Using the "established" keyword will allow traffic in that is a response to outgoing TCP requests.  But that won't help with ICMP or UDP traffic.

Here is an article about configuring common ACLs.
TrustGroup-UAE (Author) commented:
Hi Don,

Thanks for your help again.

For testing I have added:

access-list 111 permit tcp any any
access-list 111 permit udp any any

Still nothing from the inside to the outside though :(

Any ideas?

Cheers
SI
TrustGroup-UAE (Author) commented:
Hi Again Don,

Just noticed... Don't know if this is of any consequence or not... but from a client, for example 10.2.1.99, I can ping 98.152.22.154, but from the router CLI I cannot.

Also, I can't ping the default external gateway of 98.152.22.153 from either the router or the client?

Cheers Again
TME
Don Johnston (Instructor) commented:
Please post the current config.
TrustGroup-UAE (Author) commented:
Hi Don,

It's the same as posted earlier, but the access-list 111 is now:

access-list 111 permit tcp any any
access-list 111 permit udp any any

No other changes made.

Cheers again
TME
ffleisma (Senior Network Engineer) commented:
Hi TME,

For one thing, 98.152.22.153 is not pingable from the internet, I have tried from my end. Most likely they are blocking ICMP to this IP. You'll have to coordinate with your ISP on this.

Secondly, having your outside ACL as such:
interface FastEthernet0/0
 ip access-group 111 in
!
access-list 111 permit tcp any any
access-list 111 permit udp any any

This is very insecure, as this basically means you are allowing all kinds of TCP/UDP traffic incoming. Consider reducing it as Don has suggested:
access-list 111 permit tcp any host 98.x.x.x eq 80
access-list 111 permit icmp any host 98.x.x.x echo-reply
!
ip nat inside source static tcp 10.2.1.101 80 92.x.x.x 80 extendable

Line 1 allows only TCP 80 access to 98.x.x.x, which is then NATed to 10.2.1.101.
Line 2 allows ICMP echo-reply; do note that TCP and UDP are different from ICMP, hence the second line is needed for the ping reply to be received back.
Next, test a ping to a known reachable IP like Google DNS (8.8.8.8) to check whether you are able to ping an external IP. As mentioned above, 98.152.22.153 is not pingable from the Internet.
All credit goes to Don, as he already mentioned all of this above.
TrustGroup-UAE (Author) commented:
Hi,

I only did the any any on the ACL for testing purposes.

Unfortunately I can't get anything from inside to outside still, so I don't think it's the ACL causing the problem.

Cheers
Si
TrustGroup-UAE (Author) commented:
Hi all,

Actually this is now working using:

ip access-list extended IPFW-ACL
 permit tcp any host 10.2.1.101 eq www
 permit tcp any any gt 1023 established
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log
ip access-list extended NAT-ACL
 permit ip 10.2.1.0 0.0.0.255 any
 permit ip 10.2.2.0 0.0.0.255 any
 permit ip 10.2.4.0 0.0.0.255 any
 permit ip 10.2.110.0 0.0.0.255 any
 permit ip 10.2.190.0 0.0.0.255 any
 permit ip 10.2.200.0 0.0.0.255 any

Many Thanks to Don and Ffleisma

Cheers
TME
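Added illustration, not code from the thread or from Cisco: a small Python evaluator for the extended-ACL syntax used in this discussion, run over constructed inbound packets against three ACLs taken from the posts above: the one-line access-list 111 from the question, access-list 111 with the two "established" and "echo-reply" entries Don suggested, and the final IPFW-ACL from the last post. It shows the point of Don's answers (an inbound ACL is stateless, so the return half of every outbound session needs its own permit, and "established" only tests TCP flags). The sample packet addresses and ports are constructed; 98.152.22.154 is the router's outside address from the thread.

```python
"""Stateless evaluation of IOS-style extended ACL lines against constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, FrozenSet, List

NAMED_PORTS = {"www": 80, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str                            # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: str = ""                   # e.g. "echo-reply"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]
    established: bool
    icmp_types: FrozenSet[str]            # empty = any ICMP type


def _parse_addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' -> (matcher, next token index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        want = ip_address(tok[i + 1])
        return (lambda ip, w=want: ip_address(ip) == w), i + 2
    mask = 0xFFFFFFFF ^ int(ip_address(tok[i + 1]))   # wildcard bits are "don't care"
    base = int(ip_address(tok[i])) & mask
    return (lambda ip, b=base, m=mask: int(ip_address(ip)) & m == b), i + 2


def _parse_port(tok, i):
    """Optional 'eq X' | 'gt N' | 'lt N' | 'range A B'; absent operator matches any port."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "range"):
        op, a = tok[i], NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
        if op == "eq":
            return (lambda p, a=a: p == a), i + 2
        if op == "gt":
            return (lambda p, a=a: p > a), i + 2
        if op == "lt":
            return (lambda p, a=a: p < a), i + 2
        b = int(tok[i + 2])
        return (lambda p, a=a, b=b: a <= p <= b), i + 3
    return (lambda p: True), i


def parse_acl(text: str) -> List[Rule]:
    """Accepts 'access-list 111 permit ...' lines and named-ACL 'permit ...' lines."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!") or tok[0] == "ip":
            continue                      # blank, comment, or 'ip access-list extended NAME'
        if tok[0] == "access-list":
            tok = tok[2:]
        action, proto, i = tok[0], tok[1], 2
        src, i = _parse_addr(tok, i)
        sport, i = _parse_port(tok, i) if proto in ("tcp", "udp") else ((lambda p: True), i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i) if proto in ("tcp", "udp") else ((lambda p: True), i)
        rest = set(tok[i:]) - {"log"}
        rules.append(Rule(action, proto, src, sport, dst, dport,
                          "established" in rest, frozenset(rest - {"established"})))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (rule.src(pkt.src) and rule.dst(pkt.dst)):
        return False
    if pkt.proto in ("tcp", "udp") and not (rule.sport(pkt.sport) and rule.dport(pkt.dport)):
        return False
    # 'established' is not connection tracking: it only checks that ACK or RST is set
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if pkt.proto == "icmp" and rule.icmp_types and pkt.icmp_type not in rule.icmp_types:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


OUTSIDE = "98.152.22.154"                 # router outside address from the thread
ACL_111 = "access-list 111 permit tcp any host 98.152.22.154 eq www"
ACL_111_PLUS_DON = ACL_111 + """
access-list 111 permit tcp any any gt 1023 established
access-list 111 permit icmp any any echo-reply"""
IPFW_ACL = """ip access-list extended IPFW-ACL
 permit tcp any host 10.2.1.101 eq www
 permit tcp any any gt 1023 established
 permit tcp any any eq domain
 permit udp any any eq domain
 permit icmp any any administratively-prohibited
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 permit gre any any
 deny   ip any any log"""

# Constructed inbound packets: the return half of outbound sessions plus one unsolicited SYN.
SAMPLES = {
    "SYN-ACK reply to our browser": Packet("tcp", "203.0.113.7", OUTSIDE, 443, 51000, frozenset({"SYN", "ACK"})),
    "ICMP echo-reply from 8.8.8.8": Packet("icmp", "8.8.8.8", OUTSIDE, icmp_type="echo-reply"),
    "DNS answer from 8.8.8.8": Packet("udp", "8.8.8.8", OUTSIDE, 53, 40000),
    "unsolicited SYN to high port": Packet("tcp", "203.0.113.9", OUTSIDE, 40002, 3389, frozenset({"SYN"})),
}


def verdicts(acl_text: str) -> Dict[str, str]:
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("ACL 111", ACL_111), ("ACL 111 + Don", ACL_111_PLUS_DON), ("IPFW-ACL", IPFW_ACL)):
        print(label, verdicts(acl))
```

Two things the run makes visible. The original ACL 111 denies every return packet, which is exactly the symptom in the question; Don's two entries let the TCP SYN-ACK and the echo-reply through, while a bare SYN to a high port is still denied because "established" requires ACK or RST. Under this purely stateless evaluation the DNS answer is also denied by the final IPFW-ACL, because "permit udp any any eq domain" matches on the destination port (queries going to 53), not the source port of a reply; a stateless return-traffic entry would put the operator on the source side ("permit udp any eq domain any"), and a stateful inspection feature would avoid the question altogether.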