GNS3
http://forum.gns3.net/

Access Lists & Static Routes - Guru Needed
http://forum.gns3.net/topic8764.html
Page 1 of 1

Author:  depechemode [ Tue Mar 18, 2014 1:56 am ]
Post subject:  Access Lists & Static Routes - Guru Needed

Hi everybody! I am having a very strange issue that I have not been able to solve for the last couple of days and have decided it's about time I got some help.

I am trying to allow an L2TP user to access an internal LAN and I have accomplished this, but not quite. If I remove all the access-lists and NAT rules in the Cisco router, the L2TP user can reach any subnet beyond the Cisco router successfully. However, doing so will cut out the internet access for any host that has been affected by the removal of the access lists.

Below is a detailed description of my setup and what I have tried so far.

[Image not reproduced]

What I want to achieve:
Allow my L2TP users to access the 192.168.3.0 subnet without this subnet losing access beyond the Cisco router.

I would greatly appreciate any kind of advice/pointer that could help me diagnose the problem here.

Please let me know if there is anything more I can provide that can better explain the problem I am having.

Thanks in advance!

Author:  UldisD [ Wed Mar 26, 2014 9:03 pm ]
Post subject:  Re: Access Lists & Static Routes - Guru Needed

Your pings are stopping because of NAT...
Case 1: you have a NAT ACL for all of 192.168.3.0/30, that's why the IPs are translated and no ping to this network succeeds.
Case 2: you have changed the NAT ACL to just the host of your FTP, that's why your PC can reach 192.168.3.1 but not .3.2, because it is under NAT now..
Case 3: NAT removed, of course your FTP can reach only the network it reaches directly, no way any other...

Please, I need more configuration: what is on the switch?
What is on the router?
Interesting: all routes, default routes...


If you want to use NAT, I recommend using static NAT here,
but you have to expect some more IPs from the range 192.168.2.0/30... you need more IPs here, let's say change the CIDR to /29 (6 IPs for hosts)
and one IP should be reserved for the FTP server. Don't forget to reconfigure static routes and interfaces!

As your 50.50.50.1 can reach 192.168.2.0, cool, here we will use NAT to translate FTP 192.168.3.2 to 192.168.2.5.

on router:
ip nat inside source static 192.168.3.2 192.168.2.5

That's it, your FTP is reachable from outside using IP 192.168.2.5 (ping from 50.50.50.1 succeeds), and back, ping from 192.168.3.2 to 8.8.8.8 etc. succeeds..
Your L2TP customers will use the NAT IP for access to the FTP server: 192.168.2.5!

R5 user from 50.50.50.0/x
R5#ping 192.168.2.100 source 50.50.50.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
Packet sent with a source address of 50.50.50.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/128/152 ms

sh ip nat translations on R2 (router):

R2#sh ip nat translations
Pro  Inside global        Inside local        Outside local     Outside global
icmp 192.168.2.100:61     192.168.3.2:61      50.50.50.2:61     50.50.50.2:61
---  192.168.2.100        192.168.3.2         ---               ---

Now you will see that the router translates the IP to 192.168.3.2 and responds back.

This is classical static NAT usage!!!

UD
CCIE R&S
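The static NAT recommended above, written out as a complete router-side configuration. This is an added example, not UldisD's or the OP's actual config: the interface names, the 192.168.3.0/24 inside mask, the 192.168.2.1 router address and the 192.168.2.2 next hop are assumptions; the /29 range and the 192.168.2.5 address for the FTP server follow the advice in the post.

```cisco
! Added example (not the thread's own config). Interface names, the inside
! mask and next-hop addresses are assumed.
!
! Outside side: 192.168.2.0/29 as recommended, six usable hosts.
! 192.168.2.5 is kept free of any interface so it can be the FTP server's
! public-side address; IOS answers ARP for it once the static entry exists.
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.248
 ip nat outside
!
! Inside side: the LAN holding the FTP server 192.168.3.2.
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
! One-to-one static mapping: traffic from the L2TP side to 192.168.2.5
! is translated to 192.168.3.2, and replies are translated back.
ip nat inside source static 192.168.3.2 192.168.2.5
!
! The rest of the LAN keeps internet access through PAT on the outside
! interface. The FTP host is excluded from the dynamic pool so only the
! static entry ever applies to it (static entries take precedence anyway;
! the deny just makes the intent visible in the ACL).
access-list 1 deny   host 192.168.3.2
access-list 1 permit 192.168.3.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
! Default route toward the outside next hop (address assumed).
ip route 0.0.0.0 0.0.0.0 192.168.2.2
```

Only the host with a static entry is reachable from the L2TP side this way; every other 192.168.3.0 host still hits the dynamic translation described in case 1 above, so each host that must be reachable needs its own static entry and its own free address in the /29.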
