10 Replies Latest reply: Nov 7, 2018 2:16 PM by Juergen Ilse CCNA R&S

    Having trouble implementing NAT and ACLs

    Damori

      First off, I am still new to all this, so my question is easy to some of you guys....

       

      I'm trying to implement NAT to route my PCs to the internet. I'm using the ROAS method right now instead of L3 switching.

      I created a few ACEs and applied them to the interface going to the outside internet.... but my PCs can't reach outside the network.

      I'm certain I forgot a step somewhere but I'm lost on which step... I went back through my CBT Nuggets videos but I don't see what I missed.

       

      I have IPs, Vlans, and IP Routes all set up on my switches and routers and I can ping everything inside the network from my router, switch and PCs.

       

      But here are the issues:

       

      - when I ping from my router, 192.168.0.100 fa0/0 (inside network), to anything it works fine... even to an outside DNS server I chose (8.8.8.8 and 4.2.2.2)

      - when I ping from PC1 to the switch port it works, PC1 to router (PC1 to R1 fa0/0.2) it works, PC1 to outside interface (PC1 to e1/0) it works, PC1 to home modem (PC1 to 192.168.0.1) it dies.

       

      I have two other PCs in this lab that are doing the same thing... Also I didn't include unneeded interfaces

       

      what am I missing?

       

      ***** DO NOT PAY ATTENTION TO THE IPs.... I CHANGED THEM FOR MY ENVIRONMENT ******

      [Attached screenshot of the lab topology: Screen Shot 2018-11-07 at 11.52.02 AM.png]

       

       

      PC config:

      IP: 192.168.2.52

      SM: /24

      DG:192.168.0.1

      DNS: 4.2.2.2

      ADNS: 8.8.8.8

      access Vlan2

       

       

      Router Config:

       

      Building configuration...

       

       

      Current configuration : 1929 bytes

      !

      version 12.4

      service timestamps debug datetime msec

      service timestamps log datetime msec

      service password-encryption

      !

      hostname TopRouter

      !

      boot-start-marker

      boot-end-marker

      !

      enable secret 5

      !

      no aaa new-model

      no network-clock-participate slot 1

      no network-clock-participate wic 0

      ip cef

      !

      !

      !

      !

      no ip domain lookup

      ip domain name pierce.com

      ip auth-proxy max-nodata-conns 3

      ip admission max-nodata-conns

      username pierce password 7

      !

      interface FastEthernet0/0

      no ip address

      ip access-group vlan2 in

      ip nat inside

      ip virtual-reassembly

      duplex auto

      speed auto

      !

      interface FastEthernet0/0.2

      encapsulation dot1Q 2

      ip address 192.168.1.1 255.255.255.0

      ip access-group NAT_ADRESSES out

      !

      interface FastEthernet0/0.3

      encapsulation dot1Q 3

      ip address 192.168.2.1 255.255.255.0

      ip access-group NAT_ADRESSES out

      !

      interface FastEthernet0/0.4

      encapsulation dot1Q 4

      ip address 192.168.3.1 255.255.255.0

      ip access-group NAT_ADRESSES out

      !

      interface Ethernet1/0

      ip address 192.168.0.50 255.255.255.0

      ip access-group NAT_ADDRESSES in

      ip access-group NAT_ADDRESSES out

      ip nat outside

      ip virtual-reassembly

      full-duplex

      !

      !

      ip forward-protocol nd

      ip route 0.0.0.0 0.0.0.0 192.168.0.1

      ip route 0.0.0.0 0.0.0.0 Ethernet1/0

      !

      !

      ip http server

      no ip http secure-server

      ip nat inside source list NAT_ADDRESSES interface Ethernet1/0 overload

      !

      ip access-list standard NAT_ADDRESSES

      permit 192.168.2.0 0.0.0.255

      permit 192.168.3.0 0.0.0.255

      permit 192.168.4.0 0.0.0.255

      permit any

      permit 192.168.0.0 0.0.255.255

      !

      control-plane

      !

      mgcp behavior g729-variants static-pt

      !

       

      line con 0

      exec-timeout 0 0

      password 7

      logging synchronous

      login local

      line aux 0

      line vty 0 4

      password 7

      logging synchronous

      login local

      transport input all

      !

      !

      end

       

       

       

      Switch config:


      Building configuration...

       

      Current configuration : 5149 bytes

      !

      version 12.2

      no service pad

      service timestamps debug datetime msec

      service timestamps log datetime msec

      service password-encryption

      !

      hostname TopSwitch

      !

      boot-start-marker

      boot-end-marker

      !

      !

      username pierce password 7

      !

      !

      no aaa new-model

      switch 1 provision ws-c3750v2-48ps

      system mtu routing 1500

      ip domain-name pierce.com

      !

      !

      spanning-tree mode pvst

      spanning-tree extend system-id

      !

      vlan internal allocation policy ascending

      !

      !

      !

      interface FastEthernet1/0/1

      switchport access vlan 2

      switchport mode access

      spanning-tree portfast

      !

      interface FastEthernet1/0/2

      switchport access vlan 2

      spanning-tree portfast

      !

      interface FastEthernet1/0/3

      switchport access vlan 2

      spanning-tree portfast

      !

      interface GigabitEthernet1/0/1

      switchport trunk encapsulation dot1q

      switchport trunk allowed vlan 1-4

      switchport mode trunk

      !

      interface Vlan1

      no ip address  <------ DO I NEED AN IP ADDRESS HERE?

      no ip route-cache

      shutdown

      !

      interface Vlan2

      ip address 192.168.1.2 255.255.255.0

      no ip route-cache

      !

      interface Vlan3

      ip address 192.168.2.2 255.255.255.0

      no ip route-cache

      !

      interface Vlan4

      ip address 192.168.3.2 255.255.255.0

      no ip route-cache

      !

      ip classless

      ip http server

      ip http secure-server

      !

      !

      !

      line con 0

      exec-timeout 0 0

      password 7 123D120517135D5D727E

      logging synchronous

      login local

      line vty 0 4

      login

      line vty 5 15

      login

      !

      end

        • 1. Re: Having trouble implementing NAT and ACLs
          Ing_Percy

          Hi!

           

          Details, with the configuration changes in bold:

           

          interface FastEthernet0/0

          no ip address

          ip access-group vlan2 in

          ip nat inside

          ip virtual-reassembly

          duplex auto

          speed auto

          !

          interface FastEthernet0/0.2

          encapsulation dot1Q 2

          ip address 192.168.1.1 255.255.255.0

          ip access-group NAT_ADRESSES out

          ip nat inside

          !

          interface FastEthernet0/0.3

          encapsulation dot1Q 3

          ip address 192.168.2.1 255.255.255.0

          ip access-group NAT_ADRESSES out

          ip nat inside

          !

          interface FastEthernet0/0.4

          encapsulation dot1Q 4

          ip address 192.168.3.1 255.255.255.0

          ip access-group NAT_ADRESSES out

          ip nat inside

          !

          interface Ethernet1/0

          ip address 192.168.0.50 255.255.255.0

          ip access-group NAT_ADDRESSES in

          ip access-group NAT_ADDRESSES out

          ip nat outside

          ip virtual-reassembly

          full-duplex

           

          ip nat inside source list NAT_ADDRESSES interface Ethernet1/0 overload

          !

          ip access-list standard NAT_ADDRESSES

          permit 192.168.2.0 0.0.0.255

          permit 192.168.3.0 0.0.0.255

          permit 192.168.4.0 0.0.0.255

          permit any

          permit 192.168.0.0 0.0.255.255

           

          Best regards!

          • 2. Re: Having trouble implementing NAT and ACLs
            Mustafa

            Be aware of this in your config

            "ip route 0.0.0.0 0.0.0.0 192.168.0.1

            ip route 0.0.0.0 0.0.0.0 Ethernet1/0"

             

            you don't need the first row.

             

            you only need def. route to outside world

            ip route 0.0.0.0 0.0.0.0 Ethernet1/0

             

            but in the real world, put the IP address of your upstream router instead of your router interface

            • 3. Re: Having trouble implementing NAT and ACLs
              Damori

              AWESOME! Thank you so much..... so basically I had the commands backwards, D'oh! lol

              • 4. Re: Having trouble implementing NAT and ACLs
                Ing_Percy

                Hi!

                 

                If your connection outside is Ethernet, I recommend you put the next-hop ip-address, not the interface

                "ip route 0.0.0.0 0.0.0.0 192.168.0.1"

                or

                "ip route 0.0.0.0 0.0.0.0 Ethernet1/0 192.168.0.1"

                 

                I suppose this ip address 192.168.0.1 is the next-hop ip address

                 

                Best regards!

                • 5. Re: Having trouble implementing NAT and ACLs
                  Mustafa

                  def. route can be, per given figure

                   

                  ip route 0.0.0.0 0.0.0.0 200.1.1.X   where "X" is the IP address of the Internet router interface

                   

                  or per given config

                   

                  ip route 0.0.0.0 0.0.0.0 192.168.0.X  where "X" is the IP address of the next-hop router

                  • 6. Re: Having trouble implementing NAT and ACLs
                    Damori

                    I appreciate you providing me with the right answer, but the question is, "Why is what I entered wrong?".... I like to know why my answer is wrong so I can get the concept of what I'm learning

                    • 7. Re: Having trouble implementing NAT and ACLs
                      Damori

                      will try that next time... for right now I'm following along with the video tuts ...

                      • 8. Re: Having trouble implementing NAT and ACLs
                        Damori

                        Also I have a new question:

                         

                        when I take this ACE out of the ACL I can't reach the internet.... Why?

                         

                        TopRouter(config)#do sh access-lists

                        Standard IP access list NAT_ADDRESSES

                            10 permit 192.168.2.0, wildcard bits 0.0.0.255 (19694 matches)

                            20 permit 192.168.3.0, wildcard bits 0.0.0.255 (32266 matches)

                            30 permit 192.168.4.0, wildcard bits 0.0.0.255

                            40 permit any (55599 matches)

                        TopRouter(config)#ip access-list standard NAT_ADDRESSES

                        TopRouter(config-std-nacl)#no  permit 192.168.2.0 0.0.0.255

                        TopRouter(config-std-nacl)#no permit 192.168.3.0 0.0.0.255

                        TopRouter(config-std-nacl)#no permit 192.168.4.0 0.0.0.255

                        TopRouter(config-std-nacl)#do sh access-lists

                        Standard IP access list NAT_ADDRESSES

                            40 permit any (56541 matches)

                        TopRouter(config-std-nacl)#do ping 4.2.2.2

                        Type escape sequence to abort.

                        Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

                        !!!!!

                        Success rate is 100 percent (5/5)

                        ^^^^ Still have internet connection ^^^^

                         

                        TopRouter(config-std-nacl)#permit 192.168.4.0 0.0.0.255

                        TopRouter(config-std-nacl)#permit 192.168.3.0 0.0.0.255

                        TopRouter(config-std-nacl)#permit 192.168.2.0 0.0.0.255

                        TopRouter(config-std-nacl)#permit 192.168.1.0 0.0.0.255

                        TopRouter(config-std-nacl)#do sh access-lists

                        Standard IP access list NAT_ADDRESSES

                            40 permit any (56684 matches)

                            50 permit 192.168.4.0, wildcard bits 0.0.0.255

                            60 permit 192.168.3.0, wildcard bits 0.0.0.255

                            70 permit 192.168.2.0, wildcard bits 0.0.0.255

                            80 permit 192.168.1.0, wildcard bits 0.0.0.255

                        TopRouter(config-std-nacl)#no  permit any

                        TopRouter(config-std-nacl)#do sh access-lists

                        Standard IP access list NAT_ADDRESSES

                            50 permit 192.168.4.0, wildcard bits 0.0.0.255

                            60 permit 192.168.3.0, wildcard bits 0.0.0.255

                            70 permit 192.168.2.0, wildcard bits 0.0.0.255

                            80 permit 192.168.1.0, wildcard bits 0.0.0.255

                         

                        TopRouter(config-std-nacl)#do ping 4.2.2.2

                        Type escape sequence to abort.

                        Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

                        .....

                        Success rate is 0 percent (0/5)

                        TopRouter(config-std-nacl)#

                         

                        ^^^^^NO INTERNET CONNECTION^^^^

                        • 9. Re: Having trouble implementing NAT and ACLs
                          Juergen Ilse CCNA R&S

                          Correct. fa0/0 is not a Layer 3 interface. You have to apply the "ip nat" command to the Layer 3 interfaces (and those are, in your case, the subinterfaces of fa0/0, not the interface fa0/0 itself).

                          • 10. Re: Having trouble implementing NAT and ACLs
                            Juergen Ilse CCNA R&S

                            Mustafa wrote:

                             

                            Be aware of this in your config

                            "ip route 0.0.0.0 0.0.0.0 192.168.0.1

                            ip route 0.0.0.0 0.0.0.0 Ethernet1/0"

                             

                            you don't need the first row.

                             

                            you only need def. route to outside world

                            ip route 0.0.0.0 0.0.0.0 Ethernet1/0

                             

                            but in the real world, put the IP address of your upstream router instead of your router interface

                            Don't do that. Never set a default route directly to the interface without specifying the default gateway address. Otherwise, your device will try to send out ARP requests for every outside IP address (which will unnecessarily fill the ARP table), and if the router on the other end of the link is configured *not* to do proxy-ARP, you may have connectivity issues with all outside hosts except the ISP router.
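The thread surfaces four independent mistakes in the posted TopRouter config: the ACL names referenced on the interfaces (vlan2, NAT_ADRESSES) are never defined, "ip nat inside" sits on the Layer 2 parent fa0/0 instead of its subinterfaces (reply 9), the default route points at Ethernet1/0 with no next-hop (reply 10), and the NAT source list NAT_ADDRESSES is also applied as an inbound packet filter on Ethernet1/0, which is why removing "permit any" in post 8 killed the router's own pings: a standard ACL matches on source address, so inbound on the outside interface it drops the replies from 4.2.2.2. The following script is an added example, not code from the forum posts or from Cisco, that parses an IOS running-config and flags all four conditions. The two embedded configs are constructed: VULN_CONFIG condenses the posted router config, FIXED_CONFIG is the same design with the problems corrected; the check names and the tolerant block parser are this example's own choices.

```python
"""Lint an IOS running-config for the NAT/ACL mistakes turned up in this thread.

Added example, not code from the forum posts. Both config strings are constructed:
VULN_CONFIG condenses the posted TopRouter config, FIXED_CONFIG is the corrected design.
"""
import re
from dataclasses import dataclass

VULN_CONFIG = """\
interface FastEthernet0/0
 no ip address
 ip access-group vlan2 in
 ip nat inside
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip access-group NAT_ADRESSES out
!
interface Ethernet1/0
 ip address 192.168.0.50 255.255.255.0
 ip access-group NAT_ADDRESSES in
 ip access-group NAT_ADDRESSES out
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
ip nat inside source list NAT_ADDRESSES interface Ethernet1/0 overload
ip access-list standard NAT_ADDRESSES
 permit 192.168.1.0 0.0.0.255
 permit any
!
end
"""
FIXED_CONFIG = """\
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1/0
 ip address 192.168.0.50 255.255.255.0
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip nat inside source list NAT_ADDRESSES interface Ethernet1/0 overload
ip access-list standard NAT_ADDRESSES
 permit 192.168.1.0 0.0.0.255
!
end
"""


@dataclass(frozen=True)
class Finding:
    check: str
    target: str
    message: str


# Global commands that open a block. Sub-commands run until the next '!' or global
# command, so a config whose indentation was lost when pasted still parses.
TOP_LEVEL = re.compile(r"^(interface |ip access-list |access-list |ip route |"
                       r"ip nat (inside|outside) source |ip nat pool |line |end$)")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_blocks(text):
    blocks, header, body = [], None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "!" or TOP_LEVEL.match(line):
            if header:
                blocks.append((header, body))
            header, body = (None if line == "!" else line), []
        elif header:
            body.append(line)
    return blocks + ([(header, body)] if header else [])


def lint(text):
    blocks = parse_blocks(text)
    ifaces = {h.split(" ", 1)[1]: b for h, b in blocks if h.startswith("interface ")}
    acls = {m.group(1): b for h, b in blocks
            if (m := re.match(r"(?:ip access-list \w+|access-list) (\S+)", h))}
    out = []
    for name, body in ifaces.items():
        for acl in (l.split()[2] for l in body if l.startswith("ip access-group ")):
            if acl not in acls:  # IOS applies no filtering for an ACL that does not exist
                out.append(Finding("undefined_acl", name, f"filter '{acl}' is not defined (typo?)"))
        kids = [c for c in ifaces if c.startswith(name + ".")]
        if "no ip address" in body and kids and any(l.startswith("ip nat ") for l in body):
            out.append(Finding("nat_on_l2_parent", name,
                               "ip nat inside/outside belongs on the L3 subinterfaces " + ", ".join(kids)))
    for h, _ in blocks:
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\S+))?", h)
        if m and not IPV4.match(m.group(1)) and not m.group(2):
            out.append(Finding("default_route_to_interface", m.group(1),
                               "no next-hop: every destination is ARPed for and relies on upstream proxy-ARP"))
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)", h)
        if m:
            acl, outside = m.groups()
            dirs = [l.split()[-1] for l in ifaces.get(outside, []) if l.startswith(f"ip access-group {acl} ")]
            if dirs:  # a standard ACL filters on source; inbound on the outside interface it drops replies
                out.append(Finding("nat_acl_reused_as_filter", acl,
                                   f"NAT source list doubles as packet filter on {outside} ({', '.join(dirs)}); "
                                   "Internet replies pass only while 'permit any' stays in it"))
            if "permit any" in acls.get(acl, []):
                out.append(Finding("nat_acl_permit_any", acl, "NAT source list should name the inside subnets only"))
    return out


if __name__ == "__main__":
    for f in lint(VULN_CONFIG):
        print(f"[{f.check}] {f.target}: {f.message}")
```

Run it as-is to see the six findings against VULN_CONFIG; `lint(FIXED_CONFIG)` returns an empty list. The linter only understands the handful of global commands in TOP_LEVEL, which is enough for a lab config like this one; for production configs you would feed the output of `show running-config` and extend the block starters as needed.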