Incomplete Cisco 1941W router configuration

Jul 29th, 2010

Good Day All;


I have been managing a small ecommerce business for the last 5 years on a Linksys home wireless router. Now that I have over 14 office workstations and 6 networked printers, it was time to move a step up.


I purchased a CISCO 1941W ISR to take us at Gigabit speed into the next decade along with a managed CISCO switch. I presumed the 1941W, although robust with scalability, would provide the same, simple setup process as in the Linksys (Cisco) product or at least a simple 1-2-3 procedure to get the basic connections made. I was incorrect and now I find that I am having some difficulty negotiating to the internet over the new router.


Included below is my NVRAM config. I am hoping that someone might point out where I may have some gaps in my config.


Please Note: this config is derived from an example on the net that seemed quite straightforward, so if you find yourself asking, "why did he do that???", hopefully this provides perspective.




Router setup in TEST
7/28/2010


Goal: Complete basic configuration to connect (and ping) to internet
Problem: Unable to connect to internet; Configuration suspected incomplete; perhaps poor NAT config or DNS issue
Observations: In Process.


TEXT FROM HYPERTERMINAL CONNECTION TO CONSOLE:



User Access Verification


Username: admin
Password:


TESTROUTER>enable
Password:
TESTROUTER#ping 8.8.8.8


Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


TESTROUTER#show config
Using 2615 out of 262136 bytes
!
! Last configuration change at 01:33:34 CST Thu Jul 29 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
service password-encryption
!
hostname TESTROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CST -6
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
no ip source-route
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 209.18.47.61
ip name-server 209.18.47.62
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
hw-module ism 0
!
!
!
username admin password 7 XXXXXXXXXXXX
!
!
!
!
!
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
shutdown
!
interface GigabitEthernet0/0
description Connection to internet at TWC (ISP) Fiber/Ethernet Handoff
ip address AA.BB.CC.149 255.255.255.0
ip access-group 115 in
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description Connection to internal LAN
ip address 10.10.10.1 255.255.255.0
ip access-group 116 in
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Vlan1
no ip address
shutdown
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 AA.BB.CC.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 115 deny   ip 127.0.0.0 0.255.255.255 any
!
no cdp run


!
!
control-plane
!
!
line con 0
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
password 7 XXXXXXXXXXXXXX
!
scheduler allocate 20000 1000
end


TESTROUTER#



END OF HYPERTERMINAL TO CONSOLE TEXT



Thanks in advance to those who consider a reply.


Daniel

Correct Answer
Jon Marshall Thu, 07/29/2010 - 02:29

Daniel


You have an acl 115 on the outside interface and there is just one line in that acl which is a deny. Be aware that an acl has an implicit deny all at the end anyway so basically that acl is blocking all incoming traffic including the return icmp (ping) responses. Because you are pinging from the router using an IP not a DNS name then neither NAT nor DNS is an issue at present.


I suggest you rewrite acl 115 to -


access-list 115 permit icmp host 8.8.8.8 any echo-reply


and test again with your ping. If that works then it is the acl that is the problem and you need to write your acl so that what you want to allow is before what you want to deny.


Jon

greatlakesskipper Thu, 07/29/2010 - 20:29

Jon;


Thank you for that successful answer! I have marked this thread as "answered" for your fine direction here.


I removed the deny and inserted the permit statement and perfecto -- 5 packets in 20ms.


I appreciate your attention. Next I will have to learn more about those permissions and acls.


Thanks again.


Daniel

raulzulueta Sun, 08/15/2010 - 10:45

I am new to the cisco 1941w isr router platform and I am having difficulty configuring the router.


I have g0/0


interface GigabitEthernet0/0
description Connection to internet at

ip address aaa.bbb.ccc.214 255.255.255.248
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable


and g0/1


interface GigabitEthernet0/1
description Connection to LAN

ip address 192.168.61.254 255.255.255.0
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable


I can ping 8.8.8.8 from my g0/0 interface but cannot ping 8.8.8.8 from my 192.168.61.254 interface. Am I missing an entry?


I have

ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.214


Also, does this router do trunking? I need to trunk internal vlans on that g0/1 interface to carry several vlans out to the internet. It will be connected to an HP Procurve switch (I inherited this project after the other networker was asked to drop the project due to non-delivery of timelines).

Jon Marshall Sun, 08/15/2010 - 13:18



You are missing NAT configuration ie. 192.168.61.x is a private subnet and will not route on the internet so add this to your config -


int gi0/0

ip nat outside


int gi0/1

ip nat inside


access-list 101 permit ip 192.168.61.0 0.0.0.255 any


ip nat inside source list 101 interface gi0/0 overload


note if you have any other internal subnets and it sounds like you might if you have several vlans you will need to add lines in acl 101 for those subnets as well.


As for trunking, yes it should do although you may not have the right feature set. Easiest way to tell is try to configure it i.e. let's assume 192.168.61.0/24 is vlan 10 and 192.168.62.0/24 is vlan 11


int gi0/1

no ip address


int gi0/0.10

encapsulation dot1q 10

ip address 192.168.61.254 255.255.255.0

ip nat inside


int gi0/0.11

encapsulation dot1q 11

ip address 192.168.62.254 255.255.255.0

ip nat inside


Jon
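The following is an added illustration, not code from this thread or from Cisco, of two points Jon makes above: an ACL is evaluated top-down, first match wins, and anything not explicitly permitted falls through to the implicit deny (which is why Daniel's one-line acl 115 blocked the echo-reply from 8.8.8.8); and the NAT inside list decides which source addresses are translated at all (acl 101 in the answer to Raul). It also runs the wildcard-mask check over the `access-list 1 permit 0.0.0.0 255.255.255.0` line from Daniel's original config. All packets below are constructed samples; 203.0.113.149 is a documentation address standing in for the masked AA.BB.CC.149, and the `Ace`/`Packet` types and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # IOS keyword 'any'


def host(addr: str) -> Tuple[str, str]:
    """IOS keyword 'host X' is X with an all-zero wildcard (every bit must match)."""
    return (addr, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Ace:
    action: str                    # 'permit' or 'deny'
    proto: str                     # 'ip' matches every protocol, otherwise e.g. 'icmp'
    src: Tuple[str, str]           # (address, wildcard)
    dst: Tuple[str, str]
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


def evaluate_acl(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching entry wins; nothing matched means the implicit 'deny any'."""
    for n, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace.src):
            continue
        if not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action, f"line {n}"
    return "deny", "implicit deny"


# access-list 115 as posted in Daniel's config: a single deny line, nothing permitted
ACL_115_ORIGINAL = [Ace("deny", "ip", ("127.0.0.0", "0.255.255.255"), ANY)]
# access-list 115 as Jon rewrote it
ACL_115_FIXED = [Ace("permit", "icmp", host("8.8.8.8"), ANY, "echo-reply")]

# access-list 1 (the NAT inside list) from Daniel's config; a standard ACL tests the source only
ACL_1_ORIGINAL = [Ace("permit", "ip", ("0.0.0.0", "255.255.255.0"), ANY)]
# access-list 101 from Jon's NAT answer to Raul
ACL_101_NAT = [Ace("permit", "ip", ("192.168.61.0", "0.0.0.255"), ANY)]

# Constructed sample: the echo-reply from 8.8.8.8 arriving inbound on Gi0/0.
ECHO_REPLY = Packet("icmp", "8.8.8.8", "203.0.113.149", "echo-reply")


def ping_reply_allowed(acl: List[Ace]) -> bool:
    """Would the inbound ACL on the outside interface let the ping reply through?"""
    return evaluate_acl(acl, ECHO_REPLY)[0] == "permit"


def nat_translates(acl: List[Ace], inside_src: str) -> bool:
    """A packet from inside_src is translated only if the NAT inside list permits it."""
    return evaluate_acl(acl, Packet("ip", inside_src, "8.8.8.8"))[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("original acl 115", ACL_115_ORIGINAL), ("rewritten acl 115", ACL_115_FIXED)):
        print(f"{name}: echo-reply from 8.8.8.8 ->", evaluate_acl(acl, ECHO_REPLY))
    for name, acl, src in (("acl 1 (original config)", ACL_1_ORIGINAL, "10.10.10.5"),
                           ("acl 101 (Jon's NAT list)", ACL_101_NAT, "192.168.61.10"),
                           ("acl 101 (Jon's NAT list)", ACL_101_NAT, "192.168.62.10")):
        print(f"{name}: translate {src}? {nat_translates(acl, src)}")
```

Running it shows the original acl 115 never matching the reply and falling to the implicit deny, while the rewritten list permits it on line 1. The NAT checks also show why Jon says extra subnets need their own lines in acl 101 (192.168.62.10 is not translated), and that `0.0.0.0 255.255.255.0` only matches sources whose last octet is zero, so that list would not translate a host such as 10.10.10.5 from Daniel's LAN.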

raulzulueta Sun, 08/15/2010 - 15:18

That should work. I will try it and let you know. You guys are awesome. I am missing a few commands I am looking for but it seems that the person who ordered this equipment did not order the right feature sets. If I order the Security/Firewall feature set can I assume that I will get a completely functional router?


Thanks.

raulzulueta Mon, 08/16/2010 - 11:05

as for trunking, you meant for the sub-interfaces to be created in g0/1 and not g0/0.10 and g0/0.11, right?

Jon Marshall Mon, 08/16/2010 - 13:49

raulzulueta wrote:


as for trunking, you meant for the sub-interfaces to be created in g0/1 and not g0/0.10 and g0/0.11, right?


Raul


Yes, I did mean gi0/1.10 and gi0/1.11.


Apologies for the confusion.


Jon

greatlakesskipper Mon, 08/16/2010 - 08:12

Raul;


I also had to "flip-flop" my interfaces on the router to get it to work wirelessly.


gig0/0 should be your INTERNAL LAN and gig0/1 should be configured for your OUTSIDE WAN. This does not matter when only using the LAN, but once I tried to configure the WLAN using gig0/1 as the internal, the wireless would not work. Somehow the WLAN is "hardwired" to gig0/0 as best I can tell.


Great Lakes Skipper
