Author:  depechemode [ Tue Mar 18, 2014 1:56 am ]
Post subject:  Access Lists & Static Routes - Guru Needed

Hi everybody! I am having a very strange issue that I have not been able to solve for the last couple of days and have decided it's about time I got some help.

I am trying to allow an L2TP user to access an internal LAN and I have accomplished this, but not quite. If I remove all the access-lists and NAT rules in the Cisco router, the L2TP user can reach any subnet beyond the Cisco router successfully. However, doing so will cut off the internet access for any host that has been affected by the removal of the access-lists.

Below is a detailed description of my setup and what I have tried so far.


What I want to achieve:
Allow my L2TP users to access the subnet without this subnet losing access beyond the Cisco router.

I would greatly appreciate any kind of advice/pointer that could help me diagnose the problem here.

Please let me know if there is anything more I can provide that can better explain the problem I am having.

Thanks in advance!

Author:  UldisD [ Wed Mar 26, 2014 9:03 pm ]
Post subject:  Re: Access Lists & Static Routes - Guru Needed

Your pings are stopping because of NAT...
1. case: you have a NAT ACL for everything, that's why the IPs are translated and no ping to this network succeeds.
2. case: you have changed the NAT ACL to just the host of your FTP, that's why your PC can reach it but not 3.2, because it is under NAT now..
3. case: NAT removed, of course your FTP can reach only the network it reaches directly, no way to reach any other...

Please, I need more of the configuration: what is on the switch?
What is on the router?
Of interest are all routes, default routes...

If you want to use NAT, I recommend using static NAT here:
but you have to expect that some more IPs from the range are needed, so let's say change the CIDR to /29 (6 IPs for hosts)
and one IP should be reserved for the FTP server. Don't forget to reconfigure the static routes and interfaces!

As you can reach, cool, here we will use NAT to translate FTP to

on router:
ip nat inside source static

That's it, your FTP is reachable from outside using IP (ping from is successful) or a ping back from to or etc. is successful..
Your L2TP customers will use the NAT IP to access the FTP server: !

R5 user from
R5#ping source

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/128/152 ms

sh ip nat translations on R2 (router):

R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- ---

now you will see that the router translates IP to and responds back.

This is classic static NAT usage!!!

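Worked IOS configuration for the situation described in this thread. This is an added example, not the poster's or UldisD's configuration; every address and interface name in it is a hypothetical stand-in for the values that were stripped from the posts (inside LAN 192.168.3.0/24 on GigabitEthernet0/1, FTP server 192.168.3.10, L2TP client pool 10.10.10.0/24, public /29 on GigabitEthernet0/0, static NAT address 203.0.113.10). It shows the "case 1" configuration that breaks the L2TP users, the static NAT the reply recommends, and, going one step beyond the reply, the NAT-exemption `deny` entry that lets the LAN keep its internet access while L2TP traffic passes untranslated:

```cisco
! Added example, not the configuration from the thread. All addresses are
! hypothetical stand-ins:
!   inside LAN        192.168.3.0/24   GigabitEthernet0/1 (ip nat inside)
!   FTP server        192.168.3.10
!   L2TP client pool  10.10.10.0/24    reached via next hop 203.0.113.2
!   public /29        203.0.113.0/29   GigabitEthernet0/0 (ip nat outside)
!   static NAT addr   203.0.113.10     a free address from that /29
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
! --- Problem configuration ("case 1" in the reply) -----------------------
! The NAT ACL matches everything leaving the LAN, including replies to the
! L2TP clients, so those replies are translated to the outside address and
! the VPN users never see an answer.
ip access-list extended NAT-INSIDE
 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! --- Fix, part 1: NAT exemption for LAN -> L2TP pool ---------------------
! ACL entries are evaluated top down, and in a NAT ACL "deny" means
! "do not translate", not "drop". The deny line must sit above the permit.
no ip access-list extended NAT-INSIDE
ip access-list extended NAT-INSIDE
 deny   ip 192.168.3.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! --- Fix, part 2: static NAT for the FTP server (what the reply does) ----
! One-to-one mapping; 203.0.113.10 must not be used by any interface or by
! the overload pool. The L2TP users then connect to 203.0.113.10.
ip nat inside source static 192.168.3.10 203.0.113.10
!
! --- Routing -------------------------------------------------------------
! The router must have a route back to the L2TP pool; without it the
! untranslated replies from the LAN have nowhere to go.
ip route 10.10.10.0 255.255.255.0 203.0.113.2
!
! --- Verification (run from enable mode) ---------------------------------
! Ping from the LAN address towards an L2TP client; then confirm that no
! translation was created for that flow and that the static entry exists:
!   ping 10.10.10.5 source 192.168.3.1
!   show ip nat translations
!   show access-lists NAT-INSIDE
! A successful ping with no dynamic entry for 10.10.10.x in the
! translation table means the deny line is doing its job; the static line
! should show 203.0.113.10 as "Inside global" and 192.168.3.10 as
! "Inside local".
```

One caveat worth adding to the reply: a static NAT entry exposes the FTP server to everything on the outside, not only to the L2TP users, so pair it with an inbound ACL on the outside interface that only permits the L2TP pool to reach the server's ports. That ACL must match the global address (203.0.113.10 in this example), because on an outside interface the inbound ACL is evaluated before translation back to the inside address.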

