Hello,
I have a problem with NAT in my subinterfaces.
The problem is that the clients can ping their gateway (invalid IP), but they can't ping any valid IPs or open any
web pages.
Current configuration : 7392 bytes
!
version 12.1
service nagle
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname AS5300
!
logging buffered 1000000 debugging
logging history errors
aaa new-model
aaa authentication login default local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting update newinfo
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
!
!
resource-pool disable
!
!
!
!
!
clock timezone IRT 3 30
clock summer-time IRT recurring
ip subnet-zero
no ip source-route
no ip icmp rate-limit unreachable
ip rcmd rsh-enable
ip wccp web-cache
ip cef
ip tcp selective-ack
ip tcp synwait-time 10
ip name-server 217.218.127.104
ip name-server 217.218.127.105
ip name-server 217.218.127.106
!
isdn switch-type primary-net5
mta receive maximum-recipients 0
!
!
controller E1 0
clock source line primary
pri-group timeslots 1-31
!
controller E1 1
shutdown
framing NO-CRC4
clock source line secondary 1
ds0-group 1 timeslots 1-15,17-31 type r2-digital
cas-custom 1
!
controller E1 2
shutdown
pri-group timeslots 1-31
!
controller E1 3
shutdown
ds0-group 1 timeslots 1-15,17-31 type r2-digital
cas-custom 1
!
!
!
!
interface Ethernet0
ip address 172.16.10.1 255.255.255.0
ip nat inside
!
interface Serial0:15
no ip address
encapsulation ppp
isdn switch-type primary-net5
isdn incoming-voice modem
ppp authentication pap chap
!
interface Serial2:15
no ip address
isdn switch-type primary-net5
no cdp enable
!
interface FastEthernet0
description connected to The Internet
no ip address
ip access-group 111 in
ip access-group 111 out
no ip unreachables
ip nat outside
duplex full
speed 100
!
interface FastEthernet0.100
encapsulation dot1Q 100
ip address valid ip
ip nat outside
no ip mroute-cache
!
interface FastEthernet0.200
encapsulation dot1Q 200
ip address 10.186.100.248 255.255.255.0
ip access-group 115 in
ip access-group 115 out
!
interface FastEthernet0.520
encapsulation dot1Q 520
ip address 192.168.0.1 255.255.255.0
ip nat inside
traffic-shape group 20 128000 128000 128000 1000
!
interface FastEthernet0.522
encapsulation dot1Q 522
ip address 192.168.2.1 255.255.255.0
ip nat inside
traffic-shape group 22 128000 128000 128000 1000
!
interface FastEthernet0.524
encapsulation dot1Q 524
ip address 192.168.6.1 255.255.255.0
ip nat inside
!
interface FastEthernet0.526
encapsulation dot1Q 526
ip address 192.168.8.1 255.255.255.0
ip nat inside
!
interface FastEthernet0.528
encapsulation dot1Q 528
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Group-Async1
ip unnumbered FastEthernet0.100
ip access-group 120 in
ip access-group 120 out
no ip unreachables
ip nat inside
encapsulation ppp
ip route-cache policy
ip tcp header-compression
no ip mroute-cache
ip policy route-map ptt
keepalive 10
async mode dedicated
peer default ip address pool nat40
no cdp enable
ppp authentication chap pap
group-range 1 120
!
ip local pool nat40 192.168.40.10 192.168.40.200
ip nat inside source list 20 interface FastEthernet0 overload
ip nat inside source list 22 interface FastEthernet0 overload
ip nat inside source list 24 interface FastEthernet0 overload
ip nat inside source list 30 interface Ethernet0 overload
ip nat inside source list 40 interface FastEthernet0.100 overload
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 80.191.231.33
no ip http server
!
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 22 permit 192.168.2.0 0.0.0.255
access-list 24 permit 192.168.4.0 0.0.0.255
access-list 26 permit 192.168.6.0 0.0.0.255
access-list 28 permit 192.168.8.0 0.0.0.255
access-list 30 permit 172.16.10.0 0.0.0.255
access-list 40 permit 192.168.40.0 0.0.0.255
access-list 111 deny udp any any eq 4257
access-list 111 deny udp any any eq 1434
access-list 111 deny tcp any any eq 6667
access-list 111 deny tcp any any eq 5554
access-list 111 deny tcp any any eq 9996
access-list 111 deny tcp any any eq 135
access-list 111 deny tcp any any eq 139
access-list 111 deny tcp any any eq 445
access-list 111 deny tcp any any eq 4444
access-list 111 deny tcp any any eq 707
access-list 111 deny udp any any eq 135
access-list 111 deny udp any any eq netbios-ss
access-list 111 deny udp any any eq 445
access-list 111 deny udp any any eq netbios-ns
access-list 111 deny udp any any eq netbios-dgm
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 224.0.0.0 31.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 permit ip any any
access-list 115 deny udp any any eq 4257
access-list 115 deny udp any any eq 1434
access-list 115 deny tcp any any eq 6667
access-list 115 deny tcp any any eq 5554
access-list 115 deny tcp any any eq 9996
access-list 115 deny tcp any any eq 135
access-list 115 deny tcp any any eq 139
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 4444
access-list 115 deny tcp any any eq 707
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny udp any any eq 445
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny ip host 0.0.0.0 any
access-list 115 permit ip 10.186.100.192 0.0.0.63 any
access-list 115 deny ip any any
access-list 120 deny tcp any any range 135 139
access-list 120 deny tcp any any eq 4444
access-list 120 deny tcp any any eq 1434
access-list 120 deny tcp any any eq 1433
access-list 120 deny tcp any any eq 445
access-list 120 deny tcp any any eq 593
access-list 120 deny tcp any any eq 9898
access-list 120 deny tcp any any eq 5554
access-list 120 deny tcp any any eq 5556
access-list 120 deny tcp any any eq 9996
access-list 120 deny udp any any eq 1434
access-list 120 deny udp any any eq 1433
access-list 120 deny udp any any eq 995
access-list 120 deny udp any any eq 996
access-list 120 deny udp any any eq 997
access-list 120 deny udp any any eq 998
access-list 120 deny udp any any eq 999
access-list 120 deny udp any any eq netbios-ns
access-list 120 deny udp any any eq netbios-dgm
access-list 120 deny udp any any eq netbios-ss
access-list 120 deny ip 10.0.0.0 0.255.255.255 any
access-list 120 permit ip any any
!!
....
end
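Added example, not part of the original post: a Python check that cross-references the `ip nat inside source list ... interface ... overload` statements of a configuration like the one above against its interfaces and standard ACLs. It reports overload rules whose interface has no IP address to translate to (or is not `ip nat outside`) and `ip nat inside` subnets that no NAT source list permits. `audit_nat` is a hypothetical helper name, and the input is a constructed excerpt of the posted configuration.

```python
import ipaddress

# Constructed excerpt of the posted configuration (separators omitted).
CONFIG = """\
interface FastEthernet0
no ip address
ip nat outside
interface FastEthernet0.520
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface FastEthernet0.524
ip address 192.168.6.1 255.255.255.0
ip nat inside
ip nat inside source list 20 interface FastEthernet0 overload
ip nat inside source list 24 interface FastEthernet0 overload
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 24 permit 192.168.4.0 0.0.0.255
"""

def audit_nat(config):
    """List PAT rules with an unusable overload interface and unmatched inside subnets."""
    ifaces, rules, acls, cur = {}, [], {}, None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            cur = None
        elif w[0] == "interface":
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and len(w) > 7 and w[6] == "interface":
            rules.append((w[5], w[7]))  # (standard ACL number, overload interface)
        elif w[0] == "access-list" and w[2:3] == ["permit"] and len(w) == 5:
            # Standard ACL entry: network plus wildcard (host) mask.
            acls.setdefault(w[1], []).append(ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False))
        elif cur is not None and w[:2] == ["ip", "address"] and len(w) == 4 and w[2][0].isdigit():
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif cur is not None and w[:2] == ["ip", "nat"]:
            cur["nat"] = w[2]
    findings = []
    for acl, egress in rules:
        out = ifaces.get(egress, {"net": None, "nat": None})
        if out["net"] is None:
            findings.append(f"list {acl}: overload interface {egress} has no IP address")
        elif out["nat"] != "outside":
            findings.append(f"list {acl}: {egress} is not 'ip nat outside'")
    covered = [n for acl, _ in rules for n in acls.get(acl, [])]
    for name, i in ifaces.items():
        if i["nat"] == "inside" and i["net"] is not None and not any(i["net"].subnet_of(c) for c in covered):
            findings.append(f"{name}: {i['net']} matches no NAT source list")
    return findings
```

Redacted or non-numeric addresses (such as `ip address valid ip`) are skipped by the parser, so such an interface is reported as having no IP address until a real one is filled in.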