Can ping Internet but can't browse it

Unanswered Question
Jul 2nd, 2012

Hello

I'm experiencing problems with a Cisco 887M router. I have configured it the same way I've done dozens of times, but the users can't browse the Internet. Everybody can ping public IP addresses, every user resolves URLs, but no one can browse any website. The only time I found an issue like that, I disabled the DNS forwarding under IP dns view default and it worked fine (it was on a UC500). Now I've done the same but the users can't browse the Internet. Any idea?

Thank you in advance for your help

DANi

soroushm Mon, 07/02/2012 - 03:48

Hi Daniel,

Connection- and DNS-wise, there must be no problem; it should be something blocking your TCP/UDP ports, so double-check that. See if you can telnet over the Internet.

HTH,


Soroush.

abdulsalaamk Mon, 07/02/2012 - 03:52

Hi Dan,

I think you are not able to browse because your IPs are not able to resolve DNS. Please follow the steps below:

1) Connect the ISP link directly to a single PC and configure the IP details provided by the ISP.

2) Check if you are able to ping the gateway of the ISP and browse.

3) Change the DNS IP address (use public DNS for testing):

  • 8.8.8.8
  • 8.8.4.4

  • 4.2.2.1
  • 4.2.2.2

4) If not resolved, check that the default route is pointed to the proper IP.

5) If not, then coordinate with the ISP, as it might be an issue on their end.

d.vinyals Mon, 07/02/2012 - 04:03

Hi,

The tests I've done from a PC on the customer network:

- ping 8.8.8.8, OK

- ping www.google.es and other URLs. It always resolves the URL into a public IP and the pings respond

- repeat the tests with a LAN fixed IP address or DHCP. Same results

- change DNS: 8.8.8.8 or ISP provided or even others. Same results

- obviously I can ping the default-gateway.

- I can start PPTP sessions to hosts on the outside with no problem and access remote servers via VPN

and the best one:

- I'm not on customer's site right now but I have remote Telnet to the router and TeamViewer access to a PC that can't browse the Internet!!

What am I missing?

DAni

d.vinyals Mon, 07/02/2012 - 04:06

The current config:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rtr1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
clock timezone CET 1 0
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
ip dhcp excluded-address 192.168.5.0 192.168.5.99
!
ip dhcp pool DATOS
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
license udi pid CISCO887M-K9 sn xxxxx
!
!
archive
 log config
  hidekeys
username xxxxx privilege 15 secret 5 x
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 2
 spanning-tree portfast
!
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
 pppoe-client dial-pool-number 1
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 fair-queue
 ppp authentication chap pap callin
 ppp chap hostname adslppp@telefonicanetpa
 ppp chap password 7 13041301071C143A
 ppp pap sent-username adslppp@telefonicanetpa password 7 1416161800143A3B
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT
 permit ip 192.168.5.0 0.0.0.255 any
!
logging esm config
!
!
!
!
route-map NAT permit 10
 match ip address NAT
!

vishal.rane Mon, 07/02/2012 - 04:27

Hi Daniel

Can you change DNS to 4.4.2.2 and test?

What is the default gateway for the user, and what IP address do they get?

Paste the output of the following:

show ip int brief

show ip nat translation

abdulsalaamk Mon, 07/02/2012 - 04:46

It's really strange that you have TeamViewer access but no browsing.

What is the public WAN IP, as I don't see any in the config, and to which interface is it connected?

John Blakley Mon, 07/02/2012 - 04:53

Daniel,

If you can ping by name, DNS works fine. If you can ping a public address from your private hosts, natting is working fine. Is there any other equipment between a host and the router like a firewall or in front of the router that could be blocking it?

John

d.vinyals Mon, 07/02/2012 - 04:58

I have tried with DNS 4.4.2.2 but we are unable to resolve URLs.

The IP address the customer gets is one from the pool 192.168.5.100 to 192.168.5.254 but now we are trying with 192.168.5.50, as you can see on the ip nat translations:

sukanyachavan Mon, 07/02/2012 - 05:06

Daniel,

A couple of suggestions...

1. Try removing the virtual reassembly command on both the LAN and WAN interfaces and check.

2. Remove the manually set MTU size from the Dialer, as it will default to 1492 for PPP anyway. Alternatively, you can try setting it to 1500 and check if it works.

3. Can you do an extended traceroute to google.com with a source port of 80 (keep debug ip packets on) and share the results?

4. Repeat the above step, but this time with debug ip icmp on.

5. show ip nat translation

Regards,

Sukanya

ericsonmisagal Mon, 07/02/2012 - 09:15

I have the same problem. I can ping from inside the router any site, i.e. www.yahoo.com. I can ping from the client side by domain name or by IP but I cannot browse. There isn't any device in between like a firewall, and all PCs are connected directly to the switch, including the 887 Router.

Router#sh run
Building configuration...

Current configuration : 1577 bytes
!
! Last configuration change at 15:35:29 UTC Mon Jul 2 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 HrS.bFmfxShOxxsSI7lS/jQKCkRk1Fbc45HNxy8A1KE
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
ip cef
no ipv6 cef
!
license udi pid CISCO887VA-K9 sn FCZ162090XZ
!
controller VDSL 0
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.115.3 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in <-----originally enabled
!
interface Dialer0
 ip address negotiated
 ip nat outside
 no ip virtual-reassembly in <-----originally enabled
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname user
 ppp chap password pass
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT-ACL
 permit ip 192.168.115.0 0.0.0.255 any
!
access-list 1 permit 192.168.115.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 password ..........
 login
 transport input all
!
end

Router#

I even tried a different access-list like access-list 1 permit any but it's still not working. I have spent too much time pulling my hair and banging my head but I can't solve it. I hope somebody out there can solve my problem.

johnlloyd_13 Mon, 07/02/2012 - 21:42

Hi,

Kindly insert these lines under your LAN and WAN interfaces and try again:

int vl1
 ip tcp adjust-mss 1452
int d0
 ip mtu 1492

thomas.torggler Mon, 07/02/2012 - 21:28

Hi Daniel, did you check the client's proxy settings? Can you telnet to a server on the Internet on port 80?

ericsonmisagal Mon, 07/02/2012 - 22:27

My problem was solved. I inserted this line, ip tcp adjust-mss 1452, under interface vlan 1:

interface Vlan1
 ip address 192.168.115.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452

Many thanks.
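
Added example, not written by any poster in this thread: small pings passing while web pages stall is typical of a path MTU below 1500, so this Python helper binary-searches the path MTU with Don't-Fragment pings and derives the matching `ip tcp adjust-mss` value. The `ping -M do` flags assume Linux iputils, and `simulated_pppoe_probe` and `example.invalid` are constructed stand-ins for a path whose smallest hop is a 1492-byte PPPoE link, so the search can run offline.

```python
import subprocess

IP_TCP_HEADERS = 40   # 20-byte IPv4 header + 20-byte TCP header (no options)
ICMP_OVERHEAD = 28    # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host, payload):
    """Send one echo request with Don't Fragment set (Linux iputils flags)."""
    cmd = ["ping", "-c", "1", "-W", "1", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def path_mtu(host, probe=ping_df, low=576, high=1500):
    """Binary-search the largest IP packet that crosses the path unfragmented.

    Returns None when even `low` bytes fail (host down or ICMP echo filtered).
    """
    if not probe(host, low - ICMP_OVERHEAD):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid - ICMP_OVERHEAD):
            low = mid          # a mid-byte packet fits, search upward
        else:
            high = mid - 1     # too big for some hop, search downward
    return low


def mss_clamp(mtu):
    """Largest TCP payload per segment that fits in an `mtu`-byte IP packet."""
    return mtu - IP_TCP_HEADERS


def simulated_pppoe_probe(host, payload):
    """Constructed stand-in: the smallest hop on the path is 1492 bytes."""
    return payload + ICMP_OVERHEAD <= 1492


if __name__ == "__main__":
    # Swap in probe=ping_df and a real host to measure a live path.
    mtu = path_mtu("example.invalid", probe=simulated_pppoe_probe)
    print("path MTU:", mtu, "-> ip tcp adjust-mss", mss_clamp(mtu))
```

A default ping carries only 56 bytes of payload, so it succeeds on such a path even when full-size TCP segments do not.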

johnlloyd_13 Mon, 07/02/2012 - 23:03

Glad it's now working for you. Please rate useful posts and mark as resolved. Thanks!

vishal.rane Mon, 07/02/2012 - 23:37

Remove the lines

no ip virtual-reassembly in

from interface vlan 1

&

Interface Dialer0

Post the output of

show ip nat translation

show ip interface brief

show interface dialer 0

I would also call the ISP and inquire for the DNS IP and enter the same instead of 8.8.8.8 or 4.4.2.2

Hope this helps

Vishal

d.vinyals Tue, 07/03/2012 - 00:03

Hello everybody

I tried to remove the virtual reassembly commands from both vlan 1, vlan 2 and di0 but no results.

In my initial config there was ip tcp adjust-mss 1452 on vlan 1 and mtu 1492 on di0 but it didn't work. I tried to remove them and, as it didn't work, I configured them again but no results again.

I can't paste the output of shows int and ip nat trans because the customer has cancelled the project. Today it's going to be one of these days. Thank you all for the interest shown

DAni

This Discussion

Posted July 2, 2012 at 2:22 AM