|Access Lists & Static Routes - Guru Needed
Author: depechemode [ Tue Mar 18, 2014 1:56 am ]
Post subject: Access Lists & Static Routes - Guru Needed
Hi everybody! I am having a very strange issue that I have not been able to solve for the last couple of days and have decided it's about time I got some help.
I am trying to allow an L2TP user to access an internal LAN and I have accomplished this but not quite. If I remove all the access-lists and nat rules in the cisco router, the L2TP user can reach any subnet beyond the cisco router successfully. However, doing so will cut out the internet access for any host that has been affected by the removal of the access lists.
Below is a detailed description of my setup and what I have tried so far.
What I want to achieve: Allow my L2TP users to access the 192.168.3.0 subnet without this subnet losing access beyond the cisco router.
I would greatly appreciate any kind of advice/pointer that could help me diagnose the problem here.
Please let me know if there is anything more I can provide that can better explain the problem I am having.
Thanks in advance!
Author: UldisD [ Wed Mar 26, 2014 9:03 pm ]
Post subject: Re: Access Lists & Static Routes - Guru Needed
Your pings are stopping because of NAT...
Case 1: you have a NAT ACL for all of 192.168.3.0/30; that's why the IPs are translated and no ping to this network succeeds.
Case 2: you have changed the NAT ACL to just the host of your FTP; that's why your PC can reach 192.168.3.1 but not 3.2, because it is under NAT now..
Case 3: NAT removed; of course your FTP can reach only the network it reaches directly, no way to any other...
Please, I need more configuration: what is on the switch?
What is on the router?
Interesting are all routes, default routes...
If you want to use NAT, I recommend using static NAT here:
but you have to expect some more IPs from range 192.168.2.0/30... you need more IPs here, let's say change the CIDR to /29 (6 IPs for hosts)
and one IP should be reserved for the FTP server. Don't forget to reconfigure static routes and interfaces!
As your 126.96.36.199 can reach 192.168.2.0, cool; here we will use NAT to translate FTP 192.168.3.2 to 192.168.2.5.
ip nat inside source static 192.168.3.2 192.168.2.5
That's it, your FTP is reachable from outside using IP 192.168.2.5 (a ping from 188.8.131.52 is successful), or back, a ping from 192.168.3.2 to 184.108.40.206 etc. succeeds..
Your L2TP customers will use the NAT IP to access the FTP server: 192.168.2.5!
R5 user from 220.127.116.11/x
R5#ping 192.168.2.100 source 18.104.22.168
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.100, timeout is 2 seconds:
Packet sent with a source address of 22.214.171.124
Success rate is 100 percent (5/5), round-trip min/avg/max = 112/128/152 ms
sh ip nat translations on R2 (router):
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 192.168.2.100:61 192.168.3.2:61 126.96.36.199:61 188.8.131.52:61
--- 192.168.2.100 192.168.3.2 --- ---
Now you will see that the router translates the IP to 192.168.3.2 and responds back.
This is classical static NAT usage!!!
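To make the three cases and the static-NAT fix concrete, here is an added Python model (not UldisD's or the poster's configuration) of how an inside-source NAT decides whether an echo reply comes back from the address the L2TP client pinged; the router outside address 192.168.2.1 and the client address 10.10.10.2 are constructed values, and the model ignores routing and ACL filtering.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

class NatRouter:
    """Toy model of IOS-style 'ip nat inside source' behaviour.
    nat_acl: subnet whose inside hosts are dynamically translated (PAT) to outside_ip
    static:  {inside_local: inside_global} mappings, applied in both directions
    """
    def __init__(self, outside_ip, nat_acl=None, static=None):
        self.outside_ip = outside_ip
        self.nat_acl = ipaddress.ip_network(nat_acl) if nat_acl else None
        self.static = dict(static or {})
        self.reverse = {g: l for l, g in self.static.items()}

    def inside_to_outside(self, pkt):
        # Static entries win, then the dynamic NAT ACL, otherwise untouched.
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.dst)
        if self.nat_acl and ipaddress.ip_address(pkt.src) in self.nat_acl:
            return Packet(self.outside_ip, pkt.dst)
        return pkt

    def outside_to_inside(self, pkt):
        # Only a static inside-global address is rewritten on the way in;
        # a packet addressed to a real inside IP is simply routed.
        if pkt.dst in self.reverse:
            return Packet(pkt.src, self.reverse[pkt.dst])
        return pkt

def ping(router, client_ip, target_ip):
    """True if the echo reply returns from the address the client pinged."""
    request = router.outside_to_inside(Packet(client_ip, target_ip))
    reply = router.inside_to_outside(Packet(request.dst, request.src))
    return reply.src == target_ip and reply.dst == client_ip

# Constructed addresses: L2TP client 10.10.10.2, router outside 192.168.2.1.
CLIENT, OUTSIDE = "10.10.10.2", "192.168.2.1"
case1 = NatRouter(OUTSIDE, nat_acl="192.168.3.0/30")   # whole /30 under dynamic NAT
case2 = NatRouter(OUTSIDE, nat_acl="192.168.3.2/32")   # only the FTP host under NAT
fixed = NatRouter(OUTSIDE, static={"192.168.3.2": "192.168.2.5"})
if __name__ == "__main__":
    print(ping(case1, CLIENT, "192.168.3.1"))  # False: reply comes back from 192.168.2.1
    print(ping(case2, CLIENT, "192.168.3.1"), ping(case2, CLIENT, "192.168.3.2"))  # True False
    print(ping(fixed, CLIENT, "192.168.2.5"))  # True: clients must use the NAT IP
```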