07-26-2007 06:09 PM - edited 03-05-2019 05:31 PM
I have an ISP connection from an ADSL modem to the 1811 router on the FastEthernet0 port. Workstations are connected to switchports 2-9 and they have no internet :(
Please help, I'm a newbie in Cisco networking and configuration. What is wrong in the config?
Router Config.
!This is the show startup-config output of the router: show startup-config
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret xxx
enable password xxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 7
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1
!
ip dhcp pool sdm-pool1
import all
network 172.16.0.0 255.255.255.0
dns-server 172.16.0.1
default-router 172.16.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name renome-pb.ru
ip name-server 172.16.0.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2201697271
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2201697271
revocation-check none
rsakeypair TP-self-signed-2201697271
!
!
crypto pki certificate chain TP-self-signed-2201697271
certificate self-signed 01 nvram:IOS-Self-Sig#3103.cer
username nowal privilege 15 secret xxx
!
!
!
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address xxx.yyy.134.158 255.255.255.252
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
no ip address
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.16.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 xxx.yyy.134.158
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.0.2 80 interface FastEthernet0 80
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
07-26-2007 07:56 PM
Hi
Can you try this and check ?
no ip route 0.0.0.0 0.0.0.0 xxx.yyy.134.158
ip route 0.0.0.0 0.0.0.0 FastEthernet0 xxx.yyy.134.157
regds
07-26-2007 09:11 PM
So,
ping from the router to a public IP is successful, but from a workstation ping doesn't go. And there is no access to the Internet from the workstation.
I edited my default config,
changing the NAT and route configuration.
Now it looks like this:
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1
!
ip dhcp pool sdm-pool1
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
!
!
no ip bootp server
no ip domain lookup
ip domain name renome-pb.ru
!
!
interface FastEthernet0
description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address xxx.yyy.134.158 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0 xxx.yyy.134.157
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 xxx.yyy.134.150 xxx.yyy.134.156 netmask 255.255.255.240
ip nat inside source list 1 pool pool1
!
access-list 1 permit 172.16.1.0 0.0.0.255
no cdp run
!
!
07-26-2007 09:18 PM
Hi
In your first post you have mentioned NAT overload and in the second post you are using a NAT pool.
Can you try removing the usage of the pool and try with simple overload?
There may be chances that your SP doesn't have a reverse route for the NAT pool being used in your router.
regds
07-26-2007 09:41 PM
Back to the first config: no effect. Pings are saved, but ping from the workstation to the Internet doesn't go.
Now the NAT and route config is:
ip route 0.0.0.0 0.0.0.0 FastEthernet0 xxx.yyy.134.157
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 172.16.1.2 80 interface FastEthernet0 80
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 172.16.1.0 0.0.0.255
no cdp run
07-26-2007 09:45 PM
Hi
Can you try a ping from your local PC and paste the output of show ip nat translations here?
Also, can you do a tracert to an external site and find the path it's taking?
To verify the reverse route for your NAT pool from the external world you can make use of any route-servers, from where you can do a trace to your NAT pool and find out the path/results on whether it's reaching your router properly.
regds
07-26-2007 10:32 PM
Pro  Inside global           Inside local      Outside local     Outside global
tcp  xxx.yyy.134.158:80      172.16.1.2:80     ---               ---
Trace from my router 1811 to external host
Type escape sequence to abort.
Tracing the route to 213.59.42.120
1 * * *
2 xx.yy.128.253 44 msec 44 msec 48 msec
3 xx.yy.128.254 48 msec 108 msec 44 msec
4 xx.yy.128.162 44 msec 48 msec 88 msec
5 xx.yy.128.106 80 msec 56 msec 56 msec
6 143.24.217.249 56 msec 48 msec 48 msec
7 185.161.70.53 48 msec 124 msec 452 msec
8 227.106.5.162 56 msec 48 msec 48 msec
9 213.59.42.120 48 msec 44 msec 44 msec
Trace from External host to xxx.yyy.134.158 (myhost)
1 <1 мс 1 ms 1 ms 10.2.0.1
2 3 ms 4 ms 4 ms gateway 34.231.42.22
3 4 ms 5 ms 5 ms host1 [227.106.5.138]
4 4 ms 5 ms 6 ms host2 [185.161.70.54]
5 307 ms 362 ms 363 ms host3 [143.24.217.250]
6 143 ms 142 ms 142 ms host4 [xx.yy.128.105]
7 185 ms 148 ms 149 ms host5 [yy.xx.128.165]
8 147 ms 151 ms 147 ms host6 [xx.yy.128.253]
9 * * * host7
10 192 ms 188 ms 188 ms www.myhost.ru [xxx.yyy.134.158]
Now ping is going from the workstation to the public net but not by IP address, trying ping google.com has no effect: "server not found". In IE I can visit a site by IP address but not by domain name. How can I debug it?
07-26-2007 10:55 PM
hi
Under your DHCP config, change the DNS server IP address from 172.16.0.1 to the DNS IP received from your SP.
You can get the DNS details which can be used in your LAN from your SP.
regds
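An added example, not part of any post in this thread: a small Python check for the two faults the replies corrected, a default route whose next hop is the router's own interface address and a DHCP pool handing out the router itself as DNS server while no `ip dns server` is configured. The sample config is constructed from the first post, with the masked public addresses replaced by documentation addresses (203.0.113.0/24); the function name and finding labels are hypothetical.

```python
import ipaddress
import re

# Constructed sample modelled on the first config in the thread; the masked
# public addresses are replaced with documentation addresses (assumption).
SAMPLE_CONFIG = """\
ip dhcp pool sdm-pool1
 network 172.16.0.0 255.255.255.0
 dns-server 172.16.0.1
 default-router 172.16.0.1
!
interface FastEthernet0
 ip address 203.0.113.158 255.255.255.252
 ip nat outside
!
interface Vlan1
 ip address 172.16.0.1 255.255.0.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.158
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def lint_config(text):
    """Return findings for the two faults corrected in the thread."""
    findings = []
    # Every address configured on one of the router's own interfaces.
    own = {ipaddress.ip_address(a)
           for a in re.findall(rf"^\s*ip address {IP} \d", text, re.M)}
    # Default routes, with or without an exit interface before the next hop.
    route_re = rf"^ip route 0\.0\.0\.0 0\.0\.0\.0 (?:[A-Za-z]\S* )?{IP}\s*$"
    for hop in re.findall(route_re, text, re.M):
        if ipaddress.ip_address(hop) in own:
            findings.append(f"default-route-self:{hop}")
    # Clients are pointed at the router for DNS, but it does not serve DNS.
    serves_dns = re.search(r"^ip dns server\s*$", text, re.M) is not None
    for line in re.findall(r"^\s*dns-server (.+)$", text, re.M):
        for addr in line.split():
            if ipaddress.ip_address(addr) in own and not serves_dns:
                findings.append(f"dhcp-dns-self:{addr}")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```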
07-27-2007 01:04 AM
All works. Respect to you.
One more question. The ISP gave me 8 public IP addresses under 1 ADSL connection. How can I give 2-3 IPs to my dedicated servers for public services? I have 3 Cisco devices connected by this scheme:
ISP -> Router 1811 -> ASA5505 -> Switch Catalyst 2960. On the 2960 I plan to make 3 VLANs; each will have a web service accessible from the public net. All workstations are connected to the Catalyst 2960 and sorted into the 3 VLANs.
What services (route, NAT, PAT, trunk... etc.) should I bring up on the Cisco devices?
07-27-2007 01:12 AM
Hi
I would suggest having the public IPs mapped onto your ASA so that your servers won't be exposed to the outside world.
For that you need to have the Ethernet interface of the router configured in that public subnet, and the outside interface of the ASA also needs to be part of the same subnet.
On the ASA you define the required access to the inside server IPs with one-to-one NAT configured.
regds