No Internet access via LAN clients

Apr 28th, 2012

Hi All,

I have a Cisco 1841 router that is connected to a switch. I have WAN/LAN configured on the router and the switch is handing out internal IP's.

The issue is that none of the client machines can access the Internet. From within the router console, I am able to ping external domain names and my ISP DNS servers.

Once the client machines pick up an IP they are unable to ping any external domain names or IP's and not even the ISP DNS servers, but they can ping the Cisco router IP. As a note I have tried my ISP DNS servers and as a test Google's DNS servers, but neither will allow access to the Internet.

I have checked google looking for an answer on why, but I am missing something I just don't know why. Any help would be helpful.

Thanks,

Ron

Below is the current running config:

Building configuration...

Current configuration : 1440 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname cisco

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$qY4A$6u.zFbIIHacEB51di1Sda.

enable password astec72

!

no aaa new-model

no ip routing

no ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.14

ip dhcp excluded-address 10.10.10.51 10.10.10.254

!

ip dhcp pool SpyTraer

   import all

   network 10.10.10.0 255.255.255.0

   default-router 10.10.10.1

   dns-server 8.8.8.8 8.8.4.4

!

!

ip name-server 8.8.8.8

ip name-server 8.8.4.4

!

!

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip nat inside

no ip route-cache

speed auto

half-duplex

no cdp enable

no mop enabled

!

interface FastEthernet0/1

description $ETH-WAN$

ip address dhcp client-id FastEthernet0/1

ip nat outside

no ip route-cache

duplex auto

speed auto

no cdp enable

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/1 overload

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit any

snmp-server community public RO

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password astec

login

!

scheduler allocate 20000 1000

no process cpu extended

no process cpu autoprofile hog

end

dancicioiu Sat, 04/28/2012 - 08:44

Hi Ron,

no ip routing

You might want to enable ip routing, and ip cef.

enable

conf t

ip routing

ip cef

Dan

dancicioiu Sat, 04/28/2012 - 08:45

Also,

interface FastEthernet0/0

description $ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip nat inside

no ip route-cache

speed auto

half-duplex

no cdp enable

no mop enabled

Check the duplex configuration of the equipment connected to the router's Fa0/0.

Dan

blkandstrong1966 Sat, 04/28/2012 - 14:36

Hi Dan,

Thanks for the reply. I ran the command you suggested to enable ip routing. After executing the command, I am still unable to get to the Internet and now I am unable to ping any external domains or external IP's from the router. I checked as you asked for the duplex mode on the switch which is set to Auto.

One other piece of information, I am running Cisco Configuration professional and when doing a test check connection, I get an error when testing the connection which fails on pinging the destination host.

Below is the latest running config after enabling routing as you requested.

Thanks for taking the time to help me.

Ron

Building configuration...

Current configuration : 1483 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname cisco

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$qY4A$6u.zFbIIHacEB51di1Sda.

enable password astec72

!

no aaa new-model

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1 10.10.10.14

ip dhcp excluded-address 10.10.10.51 10.10.10.254

!

ip dhcp pool SpyTraer

   import all

   network 10.10.10.0 255.255.255.0

   default-router 10.10.10.1

   dns-server 66.18.32.2 66.18.32.3

!

!

ip name-server 66.18.32.2

ip name-server 66.18.32.3

!

!

!

!

!

!

interface FastEthernet0/0

description $ETH-LAN$

ip address 10.10.10.1 255.255.255.0

ip flow ingress

ip flow egress

ip nat inside

speed auto

half-duplex

no cdp enable

no mop enabled

!

interface FastEthernet0/1

description $ETH-WAN$

ip address dhcp client-id FastEthernet0/1

ip flow ingress

ip flow egress

ip nat outside

duplex auto

speed auto

no cdp enable

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/1 overload

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit any

snmp-server community public RO

!

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

line aux 0

line vty 0 4

password astec

login

!

scheduler allocate 20000 1000

no process cpu extended

no process cpu autoprofile hog

end

jpvh12345 Sat, 04/28/2012 - 09:44

You said the switch is handing out ips but the router has dhcp configured. What is the configuration on the switch?

Sent from Cisco Technical Support iPad App

blkandstrong1966 Sat, 04/28/2012 - 14:38

Hi Jeff,

You are correct. I sent the incorrect information.

The Cisco is setup as DHCP and assigning private IP's through the switch to client workstations.

Correction, the switch is not handing out IP's. Sorry for the misleading information before.

Thanks,

Ron

John Blakley Sat, 04/28/2012 - 14:40

You'll probably want to tighten your access list for natting and not do everything. Change it to:

Access-list 1 permit 10.10.10.0 0.0.0.255 and see if that helps.

Edit: leave ip routing on like Dan suggested. It's needed.

Sent from Cisco Technical Support iPhone App

blkandstrong1966 Sat, 04/28/2012 - 15:44

Hi Jblakley,

Did as you suggested - output from command:

access-list 1 remark CCP_ACL Category=2

access-list 1 permit any

access-list 1 permit 10.10.10.0 0.0.0.255

still no Internet access or pinging any outside domain via IP including ISP dns servers.

Thanks,

Ron

John Blakley Sat, 04/28/2012 - 16:21

Ron,

You'll need to get rid of the permit any statement. Try this:

no access-list 1

access-list 1 permit 10.10.10.0 0.0.0.255

blkandstrong1966 Sat, 04/28/2012 - 16:54

Sorry I misunderstood your previous request change.

New output shows: access-list 1 permit 10.10.10.0 0.0.0.255

Still same issues as before.

The only thing that has changed was that I added to the command for enabling routing, but since then no outside pinging.

Dan is on the right track and you are right on with ACL.

Since I am unable to ping the ISP DNS servers this is not good.

Thanks,

Ron

blkandstrong1966 Sat, 04/28/2012 - 17:00

Show IP Route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

66.0.0.0/32 is subnetted, 1 subnets

S     66.18.63.164 [254/0] via 108.174.105.1, FastEthernet0/1

     10.0.0.0/24 is subnetted 1 subnets

C     10.10.10.0 is directly connected FastEthernet0/0

     108.0.0.0/24 is subnetted, 1 subnets

C     108.174.105.0 is directly connected, FastEthernet0/1

S*     0.0.0.0/0 is directly connected, FastEthernet0/1

John Blakley Sat, 04/28/2012 - 17:21

Ron,

Let's try this:

change the default route to:

ip route 0.0.0.0 0.0.0.0 fa0/1 dhcp

Shut your fa0/1 interface and bring it back up.

Once you get this, try to ping:

4.2.2.1

Then try to ping that while sourcing from the inside interface. If that works, you're natting fine. If it doesn't work and the above doesn't work, something else between you and the router isn't working.

ping 4.2.2.1 source fa0/0

If that doesn't work, we'll need to get into debugging because the above looks fine. Your routing table should show a next hop though which is why we're adding the dhcp tag at the end of the default route. If your original default route doesn't go away after adding this one, go ahead and delete it and put the one above. We'll only want the one.

blkandstrong1966 Sat, 04/28/2012 - 17:56

OK I am now able to ping 4.2.2.1 from the router and from a connected client.

I am also able to ping my ISP DNS servers as well.

Issue now is that I am dropping about 40% of packets to all ping locations.

Browsing is also really, really slow.

Any idea why?

Thanks -Ron

John Blakley Sat, 04/28/2012 - 18:02

Ron,

That problem probably goes back to the half-duplex setting that you have on your internal interface. Try hard setting that to 100/full:

int fa0/0

speed 100

duplex full

John

Please remember to rate all helpful posts...

dancicioiu Sat, 04/28/2012 - 18:50

I can bet that the switch has 100, half-duplex auto-negotiated.

After you check, set on the router's interface.

default speed

default duplex

Dan

blkandstrong1966 Sat, 04/28/2012 - 21:28

Hi Dan,

After running the commands you suggested I am still experiencing 40% packet loss on pings and very slow Internet browsing speed.

Thanks,

Ron

charliediebel Sun, 04/29/2012 - 14:10

On the link between the two interfaces where the packet loss is occurring, one of two things is going on

you must have half duplex being set for some reason...which is incorrect....make absolutely sure both of the links are hard set to the same parameters...if that is not the problem, there must be something physically wrong with the fiber or copper between the two interfaces..if a fiber link...have the light levels tested at both ends to verify no more than 4db light difference between the two ends...or you will start getting errors and dropped packets.

Sent from Cisco Technical Support iPad App

blkandstrong1966 Sun, 04/29/2012 - 14:52

Hi Charlie,

I just ran show int and both links are showing

Full-duplex, 100Mb/s 100BaseTX/FX

MTU 1500 bytes, BW 100000 Kbit

I have also changed out the switch that I had in place with another switch and the same speed issues remain.

Thanks,

Ron

John Blakley Sun, 04/29/2012 - 15:59

Ron,

Do you lose packets if you ping 4.2.2.1 from the router? Try this:

ping 4.2.2.1 rep 5000

Let me know how this goes...

John

blkandstrong1966 Sat, 04/28/2012 - 18:57

Sorry for the delay

cisco#sh int fa0/1

FastEthernet0/1 is up, line protocol is down

  Hardware is Gt96k FE, address is 0023.ebd6.7e71 (bia 0023.ebd6.7e71)

  Description: $ETH-WAN$

  Internet address is 108.174.105.127/24

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Auto-duplex, Auto Speed, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:03:58, output 00:03:00, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     3095 packets input, 1753793 bytes

     Received 212 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     3540 packets output, 321416 bytes, 0 underruns

     0 output errors, 0 collisions, 5 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

cisco#

cisco#sh int fa0/0

FastEthernet0/0 is up, line protocol is up

  Hardware is Gt96k FE, address is 0023.ebd6.7e70 (bia 0023.ebd6.7e70)

  Description: $ETH-LAN$

  Internet address is 10.10.10.1/24

  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation ARPA, loopback not set

  Keepalive set (10 sec)

  Full-duplex, 100Mb/s, 100BaseTX/FX

  ARP type: ARPA, ARP Timeout 04:00:00

  Last input 00:01:41, output 00:00:03, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

  Queueing strategy: fifo

  Output queue: 0/40 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     9866 packets input, 1208741 bytes

     Received 1395 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

     0 watchdog

     0 input packets with dribble condition detected

     6692 packets output, 2740942 bytes, 0 underruns

     0 output errors, 41 collisions, 8 interface resets

     0 unknown protocol drops

     0 babbles, 0 late collision, 0 deferred

     0 lost carrier, 0 no carrier

     0 output buffer failures, 0 output buffers swapped out

cisco#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.10.0 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 is directly connected, FastEthernet0/1

cisco#

cisco#sh ip nat trans

Pro Inside global      Inside local       Outside local      Outside global

tcp 108.174.105.127:50105 10.10.10.18:50105 208.48.254.107:80 208.48.254.107:80

tcp 108.174.105.127:50109 10.10.10.18:50109 208.28.224.10:80 208.28.224.10:80

tcp 108.174.105.127:50317 10.10.10.18:50317 208.28.224.18:80 208.28.224.18:80

tcp 108.174.105.127:50345 10.10.10.18:50345 65.55.121.241:80 65.55.121.241:80

tcp 108.174.105.127:50347 10.10.10.18:50347 65.55.239.146:80 65.55.239.146:80

tcp 108.174.105.127:50348 10.10.10.18:50348 208.28.224.49:80 208.28.224.49:80

tcp 108.174.105.127:50427 10.10.10.18:50427 173.194.37.32:443 173.194.37.32:443

tcp 108.174.105.127:50429 10.10.10.18:50429 184.28.190.176:443 184.28.190.176:443

tcp 108.174.105.127:50434 10.10.10.18:50434 184.28.190.176:443 184.28.190.176:443

tcp 108.174.105.127:50445 10.10.10.18:50445 184.28.98.176:443 184.28.98.176:443

tcp 108.174.105.127:50447 10.10.10.18:50447 184.28.98.176:443 184.28.98.176:443

tcp 108.174.105.127:50450 10.10.10.18:50450 184.28.98.176:443 184.28.98.176:443

tcp 108.174.105.127:50501 10.10.10.18:50501 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50505 10.10.10.18:50505 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50509 10.10.10.18:50509 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50511 10.10.10.18:50511 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50513 10.10.10.18:50513 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50524 10.10.10.18:50524 184.28.212.176:443 184.28.212.176:443

tcp 108.174.105.127:50533 10.10.10.18:50533 65.54.93.17:80   65.54.93.17:80

dancicioiu Sun, 04/29/2012 - 04:03

I would delete the static default route:

no ip route 0.0.0.0 0.0.0.0 fa0/1 dhcp

And any default route configured. The default route is automatically configured from the information received via the DHCP.

Fa0/1 is an Ethernet segment and you do not have any next hop set, just the interface.

Dan

blkandstrong1966 Sun, 04/29/2012 - 18:01

Hi John and Dan,

I finally got it working. Per Dan's request to delete the static routes, I did not delete the static route, but instead I entered the forwarding next hop as the ISP gateway address (IP Address) and that fixed it.

Thank you both for your time and effort on this matter.

Regards,

Ron
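
The four configuration problems raised in this thread (routing disabled, a NAT ACL of "permit any", a half-duplex LAN port, and a default route that names only an Ethernet interface) can be checked for mechanically. The Python below is an added example, not part of the original thread; the finding names and the trimmed sample config are constructed for illustration.

```python
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def audit(config):
    """Return sorted finding codes for an IOS running config given as text."""
    findings, nat_acls, open_acls, iface = set(), set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if line == "!":
            iface = None                      # "!" closes an interface block
        elif tok[0] == "interface" and len(tok) > 1:
            iface = tok[1]
        elif line == "no ip routing":
            findings.add("routing-disabled")  # router will not forward LAN traffic
        elif iface and line in ("half-duplex", "duplex half"):
            findings.add("half-duplex:" + iface)
        elif tok[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(tok) > 4:
            rest = tok[4:]
            # The next hop is known if an IP is given or the "dhcp" keyword is used.
            has_hop = any(IPV4.match(t) or t == "dhcp" for t in rest)
            if re.match(r"(?i)(fa|gi|eth)", rest[0]) and not has_hop:
                findings.add("default-route-without-next-hop")
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"] and len(tok) > 5:
            nat_acls.add(tok[5])              # ACL number that selects NAT traffic
        elif tok[0] == "access-list" and tok[2:4] == ["permit", "any"]:
            open_acls.add(tok[1])
    if nat_acls & open_acls:
        findings.add("nat-acl-permit-any")    # NAT ACL matches every source
    return sorted(findings)

# Constructed sample: the relevant lines of the first running config in the thread.
BEFORE = """
no ip routing
!
interface FastEthernet0/0
 half-duplex
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 1 permit any
"""

if __name__ == "__main__":
    print(audit(BEFORE))
```

A default route given with a next-hop IP address, or with the `dhcp` keyword as suggested earlier in the thread, does not trigger the default-route finding.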

Posted April 28, 2012 at 7:51 AM