Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1187
Views
0
Helpful
3
Replies

1941 router and comcast

tjd2112pcca
Level 1
Level 1

‎07-09-2010 08:18 AM - edited ‎03-04-2019 09:01 AM

Hello all,

I am adding a 1941 router to our network to test a new comcast cable circuit with a /29 static block that they sold us. The only config I have done to the router is the interfaces and the default route. When I change my pc's default gateway to the new router, I can't access anything beyond the router. From the router I can ping any internet host succesfully. Traceroutes don't always complete successfully from the router though. If I hook a pc directly into the cable modem, I can browse the internet. Config of 1941 posted below. Any ideas?

Thank you.

----------------------------

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname name

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

!

!

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

no ip domain lookup

ip domain name yourdomain.com

ip name-server 68.87.64.150

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-3735527223

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3735527223

revocation-check none

rsakeypair TP-self-signed-3735527223

!

!

crypto pki certificate chain TP-self-signed-3735527223

certificate self-signed 01

        quit

license udi pid CISCO1941/K9 sn number

!

!

username user privilege 15 secret 5 password

!

redundancy

!

!

!

!

!

!

!

!

!

interface GigabitEthernet0/0

description Internal LAN

ip address 10.1.9.251 255.255.255.0

ip mask-reply

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

no mop enabled

!

!

interface GigabitEthernet0/1

ip address 75.151.154.178 255.255.255.248

ip mask-reply

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

no mop enabled

!

!

ip forward-protocol nd

!

ip http server

ip http authentication local

no ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 75.151.154.182

!

!

no cdp run

!

!

!

!

!

control-plane

!

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input ssh

line vty 5 15

privilege level 15

transport input ssh

!

scheduler allocate 20000 1000

end

Labels:
0 Helpful
3 Replies 3

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎07-09-2010 08:28 AM

Hello,

I guess you are missing the NAT rules on the router. Please try the

following:

interface overload

For example, if FastEthernet 0/0 is internet interface and FastEthernet 0/1

is inside interface with 64.1.1.1 and 192.168.1.1 as IP addresses, the

sample configuration would be:

interface fastethernet 0/0

ip nat outside

exit

interface fastethernet 0/1

ip nat inside

exit

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat source list 1 fastethernet 0/0 overload

Hope this helps,

Regards,

NT

0 Helpful

mloraditch
Level 7
Level 7

‎07-09-2010 08:34 AM

At a minimum you need to add ip nat statements to each interface,  an overall ip nat statement setting up overload or 1to1 nats, an ACL for the overload nat if you use it and either a CBAC or ZBF firewall setup.

The following is bare bones and uses CBAC, ZBF is the new thing and recommended but for a basic setup this should work Notes are in { }:

ip inspect CBAC tcp  {setups CBAC firewall named CBAC that inspects all TCP traffic and allows inbound responses to outbound request, same for next two lines udp and imcp}

ip inspect CBAC udp

ip inspect CBAC icmp

int gi0/0

     ip nat inside {says this is NAT inside interface, when traffic goes to an interface with ip nat outside, translate it}

    

int gi0/1

     ip nat outside {says this is NAT outside interface, when traffic goes to an interface with ip nat inside, translate it}

     ip inspect CBAC out {says use the CBAC firewall named CBAC when going out

ip nat inside source list 105 interface GigabitEthernet0/1 overload {says when translating from in to out, use the ip of gi0/1 and overload, aka PAT and only nat things in ACL 105}

access-list 105 permit ip 10.0.0.0 0.255.255.255 any {allows 10.0.0.0/8 anywhere in this cases allows said subnet to be nat'd}

Lastly you should apply some sort of ACL to your internet interface in the inbound direction. Usually you might just allow inbound ssh or other management sessions and maybe certain icmp packets. If you end up nat'ing to servers that need external access you would do that here also.

0 Helpful

tjd2112pcca
Level 1
Level 1
In response to mloraditch

‎07-09-2010 08:46 AM

That did it, thanks! One note though. It did not take the "ip inspect CBAC out" command.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card