cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
2187
Views
0
Helpful
1
Replies

Cisco 1921 Setup question

gileschatham
Level 1
Level 1

Hey

I am setting up a new 1921 for a public library and I am running  into a problem and I bet I am missing something simple. All the internal stuff works and I can ping the outside IP on the 1921 but can't go any further to the internet. The 1921 has the 2 gig ethernet ports, 0/0 is connected to a DSL getting DHCP settings fine from the DSL modem. The other gig ethernet port 0/1 is running the inside network and its function fine, I have a server on it and other clients and they can ping and get dhcp settings etc.I've pasted the config output below and IP addresses of the main actors, any ideas would be greatly appreciated.Thanks

10.0.0.2 - DSL Router

10.0.0.3 - Gig 0/0

10.10.10.5 - Gig 0/1

10.10.10.10 - Server IP on Gig 0/1 that works fine

chatpublib#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 10.0.0.2 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 10.0.0.2
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
L        10.0.0.3/32 is directly connected, GigabitEthernet0/0
C        10.10.10.0/24 is directly connected, GigabitEthernet0/1
L        10.10.10.10/32 is directly connected, GigabitEthernet0/1
chatpublib#show running-config
Building configuration...

Current configuration : 3146 bytes
!
! Last configuration change at 19:23:13 UTC Tue May 1 2012 by helpdesk
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname chatpublib
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$0J8f$FHBN7Nu8diGWJogFrZ.fY.
enable password 7 021605551F0E0A33
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
no ip bootp server
ip domain name lib.ny.us
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
login block-for 360 attempts 3 within 30
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FTX152302BR
!
!
username helpdesk privilege 15 password 7 0103070A4F03031D
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group autosec_firewall_acl in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast source reachable-via rx allow-default 100
ip nat outside
ip inspect autosec_inspect out
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
ip address 10.10.10.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny   ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
!
no cdp run

!
!
!
!
!
control-plane
!
!
banner motd ^CAuthorized Access Only
THis system is the proptery of CCSD.
Unauthorized Access to this Device is Prohibited.
You must have explicit permission to access this device. All activities performed on this device
are logged. Any violations of access policy will result in disciplinary action.^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
login authentication local_auth
transport input telnet ssh
!
scheduler allocate 20000 1000
end

chatpublib#

1 Reply 1

Andrew Cink
Level 1
Level 1

Hey Giles,

Some notes for you.

You need to lock down the security on your device. Password 7 is easily cracked by any number of tools on the web. You don't have to be a panther to figure this one out.

Make sure you remove any reference to password 7 and use secret instead. Usename blahblah priv 15 secret blah, enable secret blah, no enable password, clean all that up.

Make sure to disable the ip http server completely, especially if the https server is already disabled. It's unencrypted access.

As for the problem you actually ASKED for help for: Try adding this, it looks like your NAT configuration is the problem you are not getting out.

access-list 50 permit ip 10.10.10.0 0.0.0.255

ip nat inside source list 50 interface g0/1 overload

I think this will get you going.

See this example:

http://www.blindhog.net/cisco-how-to-configure-nat-overload-pat/

Good luck!

Andy

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: