cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2686
Views
4
Helpful
12
Replies

C1700 setup, no internet access...

cmedley67
Level 1
Level 1

Hello!

   New to 1710 setup, I have been fighting this for awhile and am getting back to it. One Vlan, everything passes fine with the connections but no internet access from PCs on the Vlan1 side to FA0, to the DSL router <non-Cisco, providers box>. Below is my config, would love some help or a better config to use that will get the access I need. I'm sure it's something simple I am missing.Oddly enough I can connect to the providers DSL modem fine in a browser, just not past that. <Some areas censored...>

Thanks!


Carl

!This is the running config of the router: 192.168.1.64
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1700
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1xxF/Z$.gai39xxxxxxxxxxxxxx/
enable password cisco
!
no aaa new-model
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.9
ip dhcp excluded-address 192.168.2.20 192.168.2.254
!
ip dhcp pool DHCP1
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
!
!
ip cef
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
crypto pki trustpoint TP-self-signed-cccccccc
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-ccccccccccc
revocation-check none
rsakeypair TP-self-signed-ccccccccc
!
!
crypto pki certificate chain TP-self-signed-ccccccccccc
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  quit
username xxxxx privilege 15 password 0 xxxxx
!
!
!
!
!
!
interface FastEthernet0
description $ETH-WAN$
ip address dhcp client-id FastEthernet0
ip access-group sdm_fastethernet0_in in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip access-group sdm_vlan1_in in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
ip http server
ip http authentication local
ip http secure-server
!
ip nat pool Pool1 192.168.2.3 192.168.2.9 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet0 overload
!
!
!
ip access-list extended sdm_fastethernet0_in
remark SDM_ACL Category=1
remark Auto generated by SDM for NTP (123) 129.6.15.28
permit udp host 129.6.15.28 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 129.6.15.29
permit udp host 129.6.15.29 eq ntp any eq ntp
remark Permit_All
permit ip any any
ip access-list extended sdm_vlan1_in
remark SDM_ACL Category=1
remark Auto generated by SDM for NTP (123) 129.6.15.28
permit udp host 129.6.15.28 eq ntp host 192.168.2.1 eq ntp
remark Auto generated by SDM for NTP (123) 129.6.15.29
permit udp host 129.6.15.29 eq ntp host 192.168.2.1 eq ntp
remark Permit_All
permit ip any any
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
password xxxxx
login local
transport input telnet ssh
!
ntp clock-period 17180018
ntp server 129.6.15.29 source FastEthernet0 prefer
ntp server 129.6.15.28 source FastEthernet0 prefer
end

1 Accepted Solution

Accepted Solutions

Hello,

Can you ping internet from the router itself? Can you try to ping 4.2.2.2

from the router?

Also, check the output of "show ip route" on the router to see if the

default gateway is set properly. You might want to remove "ip route 0.0.0.0

0.0.0.0 FastEthernet0 permanent" and let the dhcp server (ISP dhcp server)

provide the default gateway information to the router.

Hope this helps.

Regards,

NT

View solution in original post

12 Replies 12

Nagaraja Thanthry
Cisco Employee
Cisco Employee

Hello,

Your configuration looks good. One thing I see missing in your DHCP

configuration is the DNS server information. Have you tried to access the

internet using IP address instead of URL? If not, can you please try to

access google.com using 74.125.19.147 IP address? If that works, could you

please try the following:

ip dhcp pool DHCP1

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server

exit

Hope this helps.

Regards,

NT

I will try adding the DNS, thoughtI had. :-)

For a basic router setup where you want it to be wide open, do I have to have an access list? Seems like everytime I try to set a list, I get locked out.

Thanks again!

Carl

Hello,

You are correct, you do not need to worry about the Access-list if you are opening up the router for all access.

Regards,

NT

Hello,

   I added the DNS entry and when I ping Google, I do get the initial DNS resolution which shows the conversion to an IP address. However, the pings themselves still give "Request timed out" and I still have no internet access.

   I did end up resetting my config to strip it down a little more in hopes of simplifying, but I'm still at the same problem with the exception that now I get the IP resolution.

   One add'l note that I wanted to mention, I AM able to ping and access my DSL gateway, open it's web config page, etc. I'm just not getting any internet access beyond that. I have even thrown the 1700 into the DMZ so that the DSL box passes the external IP to the 1700 but no luck, which leads me back to thinking it's a 1700 config issue. Am I wrong? I'm sure I'm just overlooking something.

Appreciate the help!

Carl

Hello,

Can you ping internet from the router itself? Can you try to ping 4.2.2.2

from the router?

Also, check the output of "show ip route" on the router to see if the

default gateway is set properly. You might want to remove "ip route 0.0.0.0

0.0.0.0 FastEthernet0 permanent" and let the dhcp server (ISP dhcp server)

provide the default gateway information to the router.

Hope this helps.

Regards,

NT

Hello!

   Removing the default 0.0.0.0. route made the difference! I was thinking you had to have either a static route or a dynamic route protocol running in order for routing to occur.

   One add'l question, I have completed the security audit and let it fix everything , with the version of IOS I have <12.4 (23)>, is it safe enough for exposure to the internet? I'm not blessed enough to have access to newer IOS downloads, SDM updates etc, don't want to risk being unsecured enough but want to be able to use it behind the DSL modem in the DMZ so I can use VPN, etc. Thoughts?

Appreciate all the help!

Carl

Hello,

12.4(23) does not seem to be affected by any Security vulnerabilities. You could use it on the router. If you find a document that suggests that the IOS is vulnerable, you could request for a fixed IOS version through TAC (keep the document that states the image is vulnerable handy).

Hope this helps.

Regards,

NT

>>provide the default gateway information to the router.

I am curious, when the def gateway information is provided to the router, will it show up in sh ip route?

Just curious.....

Hello,

It will show up as gateway of last resort. Also, when you configure static

route, it will show up at the very end.

Regards,

NT

I am curious......

>>You might want to remove "ip route 0.0.0.0

0.0.0.0 FastEthernet0 permanent" and let the dhcp server (ISP dhcp server)

provide the default gateway information to the router.

Why didnt that statement work?   If we forward everything out the interface to the ISP to take over, what additional information is provided by the DHCP server to make this work (or do we have enough information to answer that)?

Thank you

Hello,

When you have the static route "ip route 0.0.0.0 0.0.0.0 FastEthernet0"

command, the router ARPs for every internet destination on the FastEthernet0

interface. At this point, the ISP router need to respond to those ARP

requests, then only the communication will be possible. If the ISP router

does not reply to ARP requests (which is the general case), the router

(1700) has to drop the packets.

On the other hand, if you let the DHCP assign the IP address and set the

default route (DHCP generally sends the default router information along

with IP address), the router will ARP for the default gateway (which

off-course the ISP router will respond to) and then forward all traffic to

the ISP router.

So, to summarize, in the first case, the 1700 will not know whom to forward

the traffic to and in the second case, through dhcp, the 1700 knows who the

default gateway is and will forward all traffic to that default gateway.

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2

.shtml

Hope this helps.

Regards,

NT

Hope this helps????

You rock....thank you for your informative explanation, it helped me alot.

Thank you,

Jimmy

btw, if it matters, I ranked you 5, but moved my mouse right before I clicked, it rated 4, but you should of recv'd a 5!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: