Cisco 2921 Router - Troubleshooting

Answered Question
Apr 8th, 2010

Please ignore my ignorance.  I'm new to this and am trying to work my way through.  I have a router with 1 LAN and 3 WAN ports. On the WAN side I have a DSL connected with DHCP from the ISP on the WAN port.  I have gateway of last resort set to that interface.  When I change my PC to use the LAN IP of the router as my gateway address I cannot get a web page.

How can I troubleshoot this? And/or can you point me in the right direction?  I don't have much set up.  Just a LAN IP, security license installed and the DSL connected to the WAN port.

Thanks in advance.

coto.fusionet Thu, 04/08/2010 - 19:17

Hi,

If the 2921 has the public IP address, you should configure NAT on the router.

If the 2921 does not have the public IP, then all you need is the default gateway configured for Internet access.

Do the following test:

From the router itself, send a PING to 4.2.2.2

router# ping 4.2.2.2

And check if you get a reply. If you do, it means you have connectivity with the Internet.

Federico.

bhicks@wfsltd.com Thu, 04/08/2010 - 20:05

Thanks for the reply.

The WAN interface on the router is getting its IP from the DSL modem.  The DSL modem has the IP from the ISP.  On the router I can ping both the WAN interface and the LAN interface.  So am I right in assuming I don't need NAT enabled on that interface?

Is there a way to see how or what is happening to the traffic between the LAN and the WAN interface?

Thanks.

Here is my config.

!

! Last configuration change at 01:20:07 UTC Fri Apr 9 2010 by admin

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname xxxrtr1

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 $1$chdV$R7/1YzNlBPodrtvBMCOVU.

!

no aaa new-model

!

!

!

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

!

no ip bootp server

no ip domain lookup

ip domain name w3k.xxxltd.com

!

multilink bundle-name authenticated

!

!

!

crypto pki trustpoint TP-self-signed-1058945512

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1058945512

revocation-check none

rsakeypair TP-self-signed-1058945512

!

!

crypto pki certificate chain TP-self-signed-1058945512

certificate self-signed 01

quit

license udi pid CISCO2921/K9 sn FTX1350AHE7

!

!

username admin privilege 15 secret 5 $1$9fd4$O1UOvROcMhgSGkd7GJmih/

!

redundancy

!

!

ip tcp synwait-time 10

!

!

!

!

!

!

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$

ip address 172.24.201.190 255.255.0.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

!

interface GigabitEthernet0/1

description $ES_WAN$

ip address 172.25.0.100 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

no mop enabled

!

!

interface GigabitEthernet0/2

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

no mop enabled

!

!

interface FastEthernet0/0/0

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

duplex auto

speed auto

no mop enabled

!

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0

!

logging trap debugging

!

no cdp run

!

!

!

!

!

control-plane

!

!

banner exec 

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

banner login 

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device.

This feature requires the one-time use of the username "cisco" with the

password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN

CREDENTIALS

Here are the Cisco IOS commands.

username privilege 15 secret 0

no username cisco

Replace and with the username and password you want

to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE

TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the

QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp

-----------------------------------------------------------------------

!

line con 0

login local

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

Leo Laohoo Thu, 04/08/2010 - 20:24

1.  Where's your NAT statement???
2.  Correct me if I'm wrong but isn't the Fast0/0/0 of a 2900 ISR G2 used for OoBM (similar to the F0 of a 3560E/3750E)?

bhicks@wfsltd.com Thu, 04/08/2010 - 20:33

Do I put nat on the outside interface?

The fastethernet0/0/0 was a new card that we got.

When all is said and done, we will have.

gb0/0 ==> lan.

gb0/1 ==> asa5505==>internet

gb0/2 == wan dsl

fe/0/0/0 ==> wan dsl

coto.fusionet Thu, 04/08/2010 - 20:27

Your fastethernet 0/0/0 interface is your outside interface (where the default gateway is).

Let's check which IP address you are receiving from your ISP on that interface.

Please check with the command: ''sh ip interface brief''

Federico.

bhicks@wfsltd.com Thu, 04/08/2010 - 20:31

The sh ip interface shows:

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.24.201.190  YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
FastEthernet0/0/0          192.168.254.3   YES DHCP   up                    up

The GigabitEthernet0/1 and 0/2 will not be used until I get this working. Then I will be adding a second DSL like the first, and then an ASA 5505 with NAT.  That's why we have 4 interfaces.  The 3 that came with the router, and a new FastEthernet card for the other DSL.

coto.fusionet Thu, 04/08/2010 - 20:38

You have no public IPs on the router and the IP you are getting via DHCP is a private one also.

This means your DSL modem should be doing NAT.

Can you verify this by doing a ping from the 2921 to the Internet (I always use 4.2.2.2) to see if you get the replies?

Federico.

coto.fusionet Thu, 04/08/2010 - 20:44

You don't need to enable NAT on the router since there are no public IPs on the router. The public IP is in your DSL modem.

If you cannot PING from the router to the Internet, I would say that the problem is either with your DSL modem or the Internet connection with your provider.

Can you do a test?

Can you connect a computer directly to the dsl modem and see if it gets an IP and if it can browse the Internet?

If it does not work, you need to check your dsl link with your provider.

Federico.

bhicks@wfsltd.com Thu, 04/08/2010 - 20:47

Thanks Federico.  I'm at home so I will give it a try in the morning.

Thank you so much for your patience and all the help you have been providing me.

--Bobby.

bhicks@wfsltd.com Fri, 04/09/2010 - 03:59

Hi Federico,

I connected a laptop directly to the modem as you suggested, and it connects to the Internet within seconds.

ismailmohammed Thu, 04/08/2010 - 23:07

Hi Fred,

Why would you want to enable NAT for a public IP address on the WAN interface? Shouldn't it run without NAT as well, right?

Ismail

Paolo Bevilacqua Fri, 04/09/2010 - 02:13

Would really recommend you engage a reputable consultant or certified partner for the setup.

As you have seen, things quickly become confusing and frustrating when trying to do it by yourself.

shailesh.h Fri, 04/09/2010 - 08:20

Appreciate your efforts, and it appears that there is no problem from the ISP end. To progress further you may follow a few simple steps.

1. Please share the output of ipconfig /all when your laptop is connected to the DSL modem

2. Develop the topology of what you want to achieve (share the IP addresses of the LAN)

3. Share the IP address / DNS settings of the laptop when you are trying to reach a web site

4. Share the traceroute output as well (trace yahoo.com etc.)

Based on this I can suggest something...

bhicks@wfsltd.com Fri, 04/09/2010 - 08:38

Thanks for the reply.

1. My ipconfig/all shows:

Windows IP Configuration

        Host Name . . . . . . . . . . . . : lenovo-3aecc5bb
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : domain.invalid

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : domain.invalid
        Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
        Physical Address. . . . . . . . . : 00-26-22-CC-58-66
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.254.4
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.254.254
        DHCP Server . . . . . . . . . . . : 192.168.254.254
        DNS Servers . . . . . . . . . . . : 192.168.254.254
                                            192.168.254.254
        Lease Obtained. . . . . . . . . . : Friday, April 09, 2010 11:27:39 PM
        Lease Expires . . . . . . . . . . : Monday, January 18, 2038 8:14:07 PM

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
        Physical Address. . . . . . . . . : 00-1E-65-B5-2C-CC

2.  I want to have several DSLs and ultimately have PBR enabled.  But until I can get an Internet connection through this router, those plans are on hold.  Our main purpose in getting this router is to direct media traffic from our subnets out through a DSL gateway.

3. The laptop is set to DHCP.  No dns values or ip addresses are specified.

4. Tracert command output.

Tracing route to any-fp.wa1.b.yahoo.com [67.195.16
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.254.254
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

I'm updating this ticket from the laptop that is plugged directly into the dsl modem.

Thanks.

shailesh.h Fri, 04/09/2010 - 08:42

1. What is the laptop IP address when connected to the LAN?

2. Kindly share the tracert of yahoo.com from your laptop / desktop connected to LAN

bhicks@wfsltd.com Fri, 04/09/2010 - 08:57

IPCONFIG from laptop on our lan.

Windows IP Configuration

        Host Name . . . . . . . . . . . . : lenovo-3aecc5bb
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : private.wfsltd.com

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : private.wfsltd.com
        Description . . . . . . . . . . . : Broadcom NetLink (TM) Fast Ethernet
        Physical Address. . . . . . . . . : 00-26-22-CC-58-66
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 172.24.100.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 172.24.201.251
        DHCP Server . . . . . . . . . . . : 172.24.201.2
        DNS Servers . . . . . . . . . . . : 172.24.201.2
                                            209.226.175.236
                                            209.226.175.237
        Lease Obtained. . . . . . . . . . : Friday, April 09, 2010 8:49:43 AM
        Lease Expires . . . . . . . . . . : Friday, April 16, 2010 8:49:43 AM

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) WiFi Link 5100 AGN
        Physical Address. . . . . . . . . : 00-1E-65-B5-2C-CC

Trace is as follows:

Tracing route to any-fp.wa1.b.yahoo.com [69.147.125.65]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  172.24.201.254
  2    <1 ms    <1 ms    <1 ms  192.168.254.254
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5

Thanks.

The DSL modem is connected to a 50.00 dlink router, that has no settings on it other than an IP on the LAN side of our network.  This is to facilitate users being able to use a different gateway.

bhicks@wfsltd.com Fri, 04/09/2010 - 11:55

Problem solved.  Turned out to be NAT.  I do have another question.

The changes are marked with (************ CHANGED  ***************).

My questions are these.

- What effect does the ip nat inside have?  I will be hooking up an ASA that does NAT later, and I'm not sure if this will affect that.

- What does overload do?

Thanks guys for your help and your patience.  A Cisco engineer had it fixed in minutes.

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$

ip address 172.24.201.190 255.255.0.0

ip nat inside (************ CHANGED  ***************)

ip virtual-reassembly (************ CHANGED  ***************)

duplex auto

speed auto

!

!

interface GigabitEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

!

interface GigabitEthernet0/2

ip address dhcp

ip nat outside      (************ CHANGED  ***************)

ip virtual-reassembly (************ CHANGED  ***************)

duplex auto

speed auto

!

!

interface FastEthernet0/0/0

no ip address

shutdown

duplex auto

speed auto

!

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 100 interface GigabitEthernet0/2 overload            (************ CHANGED  ***************)

!

access-list 23 permit 172.24.0.0 0.0.255.255

access-list 100 permit ip 172.24.0.0 0.0.255.255 any  (************ CHANGED  ***************)

Correct Answer
shailesh.h Mon, 04/12/2010 - 05:00

Excellent!

1. ip nat inside will allow the inside IP address range to NAT to outside whenever you are communicating. This will be defined by the access list of source interfaces, as clarified in the example link provided

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

2. IP overload is also termed PAT, i.e. using one IP address (may be the interface IP) for multiple communications using different ports. One of the examples will clarify this for you in detail

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00809bd825.shtml

Please remember to rate if this post is useful to you.

Cheers!

Shailesh

bhicks@wfsltd.com Mon, 04/12/2010 - 05:10

Thanks.

Am I right in assuming that in my case so far NAT will only take place when going from g0/0 to g0/2, because of the following statement:

ip nat inside source list 100 interface GigabitEthernet0/2 overload

Does the IP NAT INSIDE on G0/0 only specify that NAT can take place and the above statement actually causes the NAT to trigger?

Thanks for your help.

shailesh.h Mon, 04/12/2010 - 05:35

Following is TRUE

Am I right in assuming that in my case so far that nat will only take place when going from g0/0 to g0/2, because of the following statement:

ip nat inside source list 100 interface GigabitEthernet0/2 overload 

Following statement - NAT will happen based on the access-list 100 i.e. for IP address mentioned in the access-list...

Does the IP NAT INSIDE on G0/0 only specifiy that nat can take place and the above statement actually causes the nat to trigger?

With regards,

Shailesh
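The rule confirmed in the last two posts, as an added example (not part of the thread and not Cisco's implementation): a small Python model of when `ip nat inside source list 100 interface GigabitEthernet0/2 overload` creates a translation. Interface roles and ACL 100 come from the posted config; the outside address 192.168.254.3 (the DHCP lease seen earlier in the thread, assumed here for Gi0/2) and the port-selection policy are assumptions.

```python
import ipaddress

# Interface roles and ACL 100 as posted in the thread's working config.
NAT_INSIDE = {"GigabitEthernet0/0"}    # ip nat inside
NAT_OUTSIDE = {"GigabitEthernet0/2"}   # ip nat outside
ACL_100 = [("permit", "172.24.0.0", "0.0.255.255")]

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 in the mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src):
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False  # implicit "deny any" at the end of every ACL

class Pat:
    """Simplified model of
    'ip nat inside source list 100 interface GigabitEthernet0/2 overload'."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip  # assumed address of Gi0/2
        self.first_port = first_port  # assumed start of the fallback range
        self.table = {}               # (proto, src, sport) -> outside port
        self.used = set()             # (proto, outside port) already taken

    def translate(self, in_if, out_if, proto, src, sport):
        # 1. The packet must enter an inside and leave an outside interface.
        if in_if not in NAT_INSIDE or out_if not in NAT_OUTSIDE:
            return src, sport
        # 2. Its source address must be permitted by ACL 100.
        if not acl_permits(ACL_100, src):
            return src, sport
        # 3. Overload: share one outside IP, tell flows apart by port.
        key = (proto, src, sport)
        if key not in self.table:
            port = sport                      # keep the source port if free
            if (proto, port) in self.used:
                port = self.first_port        # otherwise take the next free one
                while (proto, port) in self.used:
                    port += 1
            self.used.add((proto, port))
            self.table[key] = port
        return self.outside_ip, self.table[key]

if __name__ == "__main__":
    pat = Pat("192.168.254.3")
    for host in ("172.24.100.42", "172.24.100.43"):  # constructed sample flows
        print(host, "->", pat.translate("GigabitEthernet0/0",
                                        "GigabitEthernet0/2", "tcp", host, 50000))
```

Traffic routed out GigabitEthernet0/1, the interface planned for the ASA 5505, keeps its original source address under this rule because that interface is not marked `ip nat outside`.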

Posted April 8, 2010 at 6:39 PM