 Post subject: Access Lists & Static Routes - Guru Needed
PostPosted: Tue Mar 18, 2014 1:56 am 
Hi everybody! I am having a very strange issue that I have not been able to solve for the last couple of days, and have decided it's about time I got some help.

I am trying to allow an L2TP user to access an internal LAN, and I have accomplished this, but not quite. If I remove all the access lists and NAT rules in the Cisco router, the L2TP user can reach any subnet beyond the Cisco router successfully. However, doing so cuts off internet access for any host that is affected by the removal of the access lists.

Below is a detailed description of my setup and what I have tried so far.

[Image attachment: network diagram]

What I want to achieve:
Allow my L2TP users to access the 192.168.3.0 subnet without this subnet losing access beyond the Cisco router.

I would greatly appreciate any kind of advice/pointer that could help me diagnose the problem here.

Please let me know if there is anything more I can provide that can better explain the problem I am having.

Thanks in advance!
 Post subject: Re: Access Lists & Static Routes - Guru Needed
PostPosted: Wed Mar 26, 2014 9:03 pm 
Your pings are stopping because of NAT...
1. case: you have a NAT ACL for all of 192.168.3.0/30; that's why the IPs are translated and no ping to this network succeeds.
2. case: you have changed the NAT ACL to just the host of your FTP; that's why your PC can reach 192.168.3.1 but not 3.2, because it is under NAT now.
3. case: NAT removed; of course your FTP can reach only the network it reaches directly, no way to any other...

Please, I need more configuration: what is on the switch?
What is on the router?
Interesting are all routes, default routes...


If you want to use NAT, I recommend using static NAT here,
but you have to expect some more IPs from the range 192.168.2.0/30... you need more IPs here; let's say change the CIDR to /29 (6 IPs for hosts),
and one IP should be reserved for the FTP server. Don't forget to reconfigure static routes and interfaces!

As your 50.50.50.1 can reach 192.168.2.0, cool; here we will use NAT to translate FTP 192.168.3.2 to 192.168.2.5.

on router:
ip nat inside source static 192.168.3.2 192.168.2.5

That's it, your FTP is reachable from outside using IP 192.168.2.5 (ping from 50.50.50.1 succeeds), and the ping back from 192.168.3.2 to 8.8.8.8 etc. succeeds.
Your L2TP customers will use the NAT IP to access the FTP server: 192.168.2.5!

R5, user from 50.50.50.0/x:
R5#ping 192.168.2.100 source 50.50.50.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
Packet sent with a source address of 50.50.50.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/128/152 ms

sh ip nat translations on R2 (router):

R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.2.100:61 192.168.3.2:61 50.50.50.2:61 50.50.50.2:61
--- 192.168.2.100 192.168.3.2 --- ---

Now you will see that the router translates the IP to 192.168.3.2 and responds back.

This is classic static NAT usage!!!

UD
CCIE R&S
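The three cases in the reply above, plus the recommended static NAT, can be made concrete with a small model of `ip nat inside` source translation. This is an added example, not code from the thread or from Cisco; it assumes the overload (PAT) address is the router's 192.168.2.1 (not stated in the thread) and models the mechanism as follows: an inbound ping to a real inside address is routed untranslated, but the echo reply is source-translated on the way out whenever the NAT ACL covers the replying host, so the reply comes back from the wrong address and the ping fails. A static entry instead rewrites the destination on the way in and the source on the way out, so both directions match. The `ping`, `InsideNat` and case functions are names chosen for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int          # ICMP identifier (an L4 port would play the same role)


class InsideNat:
    """Toy model of 'ip nat inside' source translation on a router.
    Constructed for illustration; it is not Cisco's implementation."""

    def __init__(self, overload_acl: Optional[str] = None,
                 overload_ip: Optional[str] = None) -> None:
        self.static: Dict[str, str] = {}                  # inside local -> inside global
        self.acl = ip_network(overload_acl) if overload_acl else None
        self.overload_ip = overload_ip                    # interface IP used for PAT
        self.sessions: List[Tuple[str, str, str, str]] = []

    def add_static(self, inside_local: str, inside_global: str) -> None:
        """Same effect as: ip nat inside source static <inside_local> <inside_global>"""
        self.static[inside_local] = inside_global

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside. The source is rewritten when a static entry or the
        overload ACL matches it; every reply an inside host sends passes through here."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst, pkt.ident)
        if self.acl is not None and ip_address(pkt.src) in self.acl:
            row = ("icmp", f"{self.overload_ip}:{pkt.ident}",
                   f"{pkt.src}:{pkt.ident}", f"{pkt.dst}:{pkt.ident}")
            if row not in self.sessions:
                self.sessions.append(row)
            return Packet(self.overload_ip, pkt.dst, pkt.ident)
        return pkt                                        # not subject to NAT

    def inbound(self, pkt: Packet) -> Packet:
        """Outside -> inside. The destination is rewritten for a static entry or for
        the reverse of a PAT session; anything else is routed untranslated."""
        for local, glob in self.static.items():
            if pkt.dst == glob:
                return Packet(pkt.src, local, pkt.ident)
        for _, iglob, ilocal, oglob in self.sessions:
            if iglob == f"{pkt.dst}:{pkt.ident}" and oglob == f"{pkt.src}:{pkt.ident}":
                return Packet(pkt.src, ilocal.split(":")[0], pkt.ident)
        return pkt

    def show_translations(self) -> List[str]:
        """Rows laid out like 'show ip nat translations'."""
        rows = ["Pro Inside global Inside local Outside local Outside global"]
        rows += [" ".join(s) for s in self.sessions]
        rows += [f"--- {g} {l} --- ---" for l, g in self.static.items()]
        return rows


def ping(nat: InsideNat, src: str, dst: str, ident: int = 61) -> bool:
    """An outside host pings an address behind the router. The echo succeeds only
    if the reply comes back from the address that was pinged."""
    request = nat.inbound(Packet(src, dst, ident))
    reply = nat.outbound(Packet(request.dst, request.src, ident))
    return reply.src == dst and reply.dst == src


L2TP_USER = "50.50.50.2"      # addresses as used in the thread
FTP_SERVER = "192.168.3.2"
OTHER_HOST = "192.168.3.1"
FTP_NAT_IP = "192.168.2.5"
ROUTER_IP = "192.168.2.1"     # assumed overload address; not stated in the thread


def case1_acl_whole_subnet() -> Tuple[bool, bool]:
    """NAT ACL covers all of 192.168.3.0/30: replies leave with the overload source."""
    nat = InsideNat(overload_acl="192.168.3.0/30", overload_ip=ROUTER_IP)
    return ping(nat, L2TP_USER, OTHER_HOST), ping(nat, L2TP_USER, FTP_SERVER)


def case2_acl_ftp_host_only() -> Tuple[bool, bool]:
    """NAT ACL narrowed to the FTP host: 3.1 answers from its own address, 3.2 does not."""
    nat = InsideNat(overload_acl="192.168.3.2/32", overload_ip=ROUTER_IP)
    return ping(nat, L2TP_USER, OTHER_HOST), ping(nat, L2TP_USER, FTP_SERVER)


def case_static_nat() -> Tuple[bool, Packet, List[str]]:
    """ip nat inside source static 192.168.3.2 192.168.2.5: the L2TP user pings the
    NAT IP, and the server's own traffic to the internet is still translated."""
    nat = InsideNat()
    nat.add_static(FTP_SERVER, FTP_NAT_IP)
    ok = ping(nat, L2TP_USER, FTP_NAT_IP)
    to_internet = nat.outbound(Packet(FTP_SERVER, "8.8.8.8", 7))
    return ok, to_internet, nat.show_translations()


if __name__ == "__main__":
    print("case 1 (ACL /30, ping 3.1 / 3.2):", case1_acl_whole_subnet())
    print("case 2 (ACL /32, ping 3.1 / 3.2):", case2_acl_ftp_host_only())
    ok, pkt, table = case_static_nat()
    print("static NAT ping of 192.168.2.5 ok:", ok, "| server->8.8.8.8 seen as", pkt.src)
    print("\n".join(table))
```

Running it prints `(False, False)` for case 1, `(True, False)` for case 2, and `True` for the static entry, with the server's outbound traffic carrying 192.168.2.5 as its source; the last row of the table is the static entry in the same shape as the `--- 192.168.2.100 192.168.3.2 --- ---` line in the reply. The model deliberately leaves routing out: case 3 in the reply (NAT removed) is a missing-route problem, which this code does not represent.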