
Trouble with Cisco 881 connecting to internet

Answered Question
Jul 27th, 2012

I have a newly added Cisco 881 connected to a firewall, which is connected to DSL. We added it for wireless and when wireless clients connect to the network (using standalone APs) they are able to ping everything on the 192.168.88.0 network. They can also ping the firewall 10.0.88.1, but only because it's on the same network as port fa4. It sounds to me like there is a problem with my default routes, but they seem right, and I've tried different methods for this. Here is the running-config on my 881, please help!


Wireless_881#show run
Building configuration...

Current configuration : 3679 bytes
!
! Last configuration change at 15:45:48 UTC Fri Jul 27 2012
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Wireless_881
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 Ng0lbQgI3BKsMMXv78pz6UP80gaDVrhUBQB3XKZMl3M
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1620898290
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1620898290
revocation-check none
rsakeypair TP-self-signed-1620898290
!
!
crypto pki certificate chain TP-self-signed-1620898290
certificate self-signed 01
        quit
!
!
!
ip dhcp excluded-address 192.168.88.1 192.168.88.10
!
ip dhcp pool PCFCU
network 192.168.88.0 255.255.255.0
default-router 192.168.88.1
dns-server 208.67.222.222
!
!
!
no ip domain lookup
ip domain name ****************
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX161080BP
!
!
username mgaskin privilege 15 secret 5 $1$y8..$cCDIZqgRtHqBbsh36XW9d.
username jlivingston privilege 15 secret 5 $1$Qs6L$mhAtoKguqLmzmlfGbMYqW/
!
!
!
!
!
ip ssh authentication-retries 5
!
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport access vlan 880
no ip address
!
interface FastEthernet1
switchport access vlan 880
no ip address
!
interface FastEthernet2
switchport access vlan 880
no ip address
!
interface FastEthernet3
switchport access vlan 880
no ip address
!
interface FastEthernet4
ip address 10.0.88.2 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan880
ip address 192.168.88.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 10.0.88.2
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface FastEthernet4 overload
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 10.0.88.1
!
access-list 10 permit 192.168.88.0 0.0.0.255
no cdp run
!
!
!
line con 0
line aux 0
line vty 0 4
password 7 144F425C5D14292D273D6B657A46
login
transport input telnet
!
scheduler max-task-time 5000
!
end

CSCO12052693 Fri, 07/27/2012 - 09:07

I added "ip default-network 0.0.0.0" and "ip default-gateway 10.0.88.2" in hopes that was the problem, still no connection with just "ip route 0.0.0.0 0.0.0.0 10.0.88.1"

CSCO12052693 Fri, 07/27/2012 - 09:23

It's there,


Wireless_881#show vlan-switch brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
880  wireless                         active    Fa0, Fa1, Fa2, Fa3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Wireless_881#

Vincenzo Errante Fri, 07/27/2012 - 09:27

But what is the IP address of your firewall?


You need to point to the IP address of the firewall:


ip route 0.0.0.0 0.0.0.0 


and then delete


ip default-network 0.0.0.0

and

ip default-gateway 10.0.88.2

CSCO12052693 Fri, 07/27/2012 - 09:35

Deleted those two lines, and kept "ip route 0.0.0.0 0.0.0.0 10.0.88.1", which is the IP of the firewall. Still no luck.

Vincenzo Errante Fri, 07/27/2012 - 09:39

Yes, because 10.0.88.1 is an interface of your router; instead you need to insert the next hop (the IP address of your firewall's interface).

But because

ip route 0.0.0.0 0.0.0.0 10.0.88.1 has precedence over ip default-gateway and ip default-network, the router uses 10.0.88.1 for 0.0.0.0/0, and this is incorrect.

CSCO12052693 Fri, 07/27/2012 - 09:43

Correct, 10.0.88.2 is the interface of the router, the firewall's IP is 10.0.88.1

CSCO12052693 Fri, 07/27/2012 - 10:01

On the router, it does ping its own interface 10.0.88.2 and it also pings the firewall 10.0.88.1, only because it is directly connected, but it doesn't ping any internet address like OpenDNS's address 208.67.222.222 or Google's address 74.125.137.100.

Correct Answer
Vincenzo Errante Fri, 07/27/2012 - 10:06

And if you disconnect the router and connect a PC directly to the firewall with IP 10.0.88.2, does it work?

CSCO12052693 Fri, 07/27/2012 - 10:18

Not a full Ping,


Reply from 192.168.88.13: Destination host unreachable.

CSCO12052693 Fri, 07/27/2012 - 10:39

Ah, sorry, the wireless NIC was on. After plugging it up directly to the firewall, I could ping 10.0.88.1 but couldn't ping any outside addresses. Received: PING: transmit failed. General Failure.

Vincenzo Errante Fri, 07/27/2012 - 10:47

Try these steps:


1) Verify the gateway on your NIC and check that you have 10.0.88.1

2) Verify the DNS on your NIC

3) Check name resolution with ping www.google.com; if it doesn't resolve, try the next step

4) Try your NIC in DHCP mode

5) If DHCP mode assigned an IP, verify the DNS assigned to the NIC

6) Try with a static IP and assign the DNS returned in DHCP mode

CSCO12052693 Fri, 07/27/2012 - 14:07

The firewall did end up being the cause of the problem. We had to add an ACL static NATing the address coming from the router. Thanks for all the help!

Edison Ortiz Fri, 07/27/2012 - 09:01

The router configuration looks fine.


Can you post the 'show ip nat trans' output as well as 'show ip route'?
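
Added example (not part of the original thread or any poster's code): a small Python check of the routing and NAT lines from the running-config in the original post. It verifies that the static default route points at a next hop on the "nat outside" subnet rather than at the router itself, and that the NAT ACL covers the inside subnet. The function names and the trimmed CONFIG excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: routing/NAT lines from the running-config posted above.
CONFIG = """\
interface FastEthernet4
 ip address 10.0.88.2 255.255.255.248
 ip nat outside
!
interface Vlan880
 ip address 192.168.88.1 255.255.255.0
 ip nat inside
!
ip default-gateway 10.0.88.2
ip nat inside source list 10 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.0.88.1
access-list 10 permit 192.168.88.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map NAT role ('inside'/'outside') to the list of interface addresses."""
    roles, addr = {"inside": [], "outside": []}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface ") or line == "!":
            addr = None  # new block: forget the previous interface's address
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif addr and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[m[1]].append(addr)
    return roles

def audit(cfg):
    """Return findings; an empty list means routing and NAT are consistent."""
    roles, out = parse_interfaces(cfg), []
    own = {a.ip for addrs in roles.values() for a in addrs}  # NAT-facing IPs
    for cmd in ("ip route 0.0.0.0 0.0.0.0", "ip default-gateway"):
        m = re.search(rf"^{re.escape(cmd)} (\S+)", cfg, re.M)
        if m and ipaddress.ip_address(m[1]) in own:
            out.append(f"{cmd} {m[1]} points at the router's own address")
        elif m and cmd.startswith("ip route") and not any(
                ipaddress.ip_address(m[1]) in a.network for a in roles["outside"]):
            out.append(f"next hop {m[1]} is not on a 'nat outside' subnet")
    m = re.search(r"^ip nat inside source list (\S+) interface", cfg, re.M)
    acl = re.findall(rf"^access-list {m[1]} permit (\S+) (\S+)", cfg, re.M) if m else []
    nets = [ipaddress.ip_network(f"{n}/{w}") for n, w in acl]  # wildcard mask accepted
    for a in roles["inside"]:
        if not any(a.network.subnet_of(n) for n in nets):
            out.append(f"inside subnet {a.network} is not matched by the NAT ACL")
    return out
```

On the posted configuration the only finding is the "ip default-gateway" line, a command IOS uses only when IP routing is disabled.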

CSCO12052693 Fri, 07/27/2012 - 09:05

Nothing shows up after "show ip nat trans"


This is what I get for "show ip route"


Gateway of last resort is 10.0.88.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.0.88.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.88.0/29 is directly connected, FastEthernet4
L        10.0.88.2/32 is directly connected, FastEthernet4
      192.168.88.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.88.0/24 is directly connected, Vlan880
L        192.168.88.1/32 is directly connected, Vlan880
Wireless_881#

Edison Ortiz Fri, 07/27/2012 - 09:57

You should have an output from 'show ip nat translations'.


Do you have any active clients sitting behind the router trying to connect to the internet?

CSCO12052693 Fri, 07/27/2012 - 10:05

I do, I sit on a laptop and successfully connect (on the wireless with no other connection), pinging everything on the 192.168.88.0 network and able to ping the interface connecting to the firewall and including the firewall.

Edison Ortiz Fri, 07/27/2012 - 10:32

Everything looks fine but NAT isn't taking place which is needed for your connection.

Not sure what could be causing the issue, perhaps try rebooting the router?

Edwin Summers Fri, 07/27/2012 - 10:58

I agree with Edison - sounds like a NAT issue.


What is the IP address of the firewall's OUTSIDE interface (the one connected to the DSL modem), and what is providing it? (i.e. Did you statically assign it, or is it assigned by the modem via DHCP?)


Note that some inexpensive/consumer devices like home "routers" do not NAT for networks they are not serving. For example, the device will NAT for the 192.168.1.0/24 network if it is "serving" it (its inside interface is in this network, or it is serving the network via DHCP), but it will not NAT for other networks.


I didn't see if this equipment had ever worked... were you ever able to access public IPs from the firewall, or anything connected directly to the DSL modem? It may be a good time to start at the demarc and work backwards. Ping from your firewall (using its OUTSIDE interface). If that works, ping from the inside interface address. Proceed from there. You may need to move your NAT point to your firewall or take an alternate route with the design. Best of luck!

CSCO12052693 Fri, 07/27/2012 - 11:42

After rebooting the router I do have output for nat translations


Wireless_881#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 10.0.88.2:137      192.168.88.13:137  208.67.222.222:137 208.67.222.222:137
tcp 10.0.88.2:38438    192.168.88.13:38438 192.168.60.64:2869 192.168.60.64:2869
udp 10.0.88.2:50394    192.168.88.13:50394 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:50707    192.168.88.13:50707 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:52809    192.168.88.13:52809 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:56392    192.168.88.13:56392 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:57330    192.168.88.13:57330 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:57351    192.168.88.13:57351 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:58410    192.168.88.13:58410 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:61212    192.168.88.13:61212 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:61217    192.168.88.13:61217 192.168.60.64:1900 192.168.60.64:1900
udp 10.0.88.2:61810    192.168.88.13:61810 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:62428    192.168.88.13:62428 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:64523    192.168.88.13:64523 208.67.222.222:53 208.67.222.222:53
Wireless_881#
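
Added example (not part of the original thread): a Python reading of the 'show ip nat translations' output above. It shows that the 881 is translating the wireless client to 10.0.88.2, which is itself a private address, so the device upstream has to translate it again before traffic can reach the internet; this is consistent with the fix reported on the firewall. The function names are hypothetical and NAT_TABLE is a constructed subset of the rows posted above.

```python
import ipaddress
from collections import Counter

# Constructed sample: rows copied from the translation table posted above.
NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 10.0.88.2:137      192.168.88.13:137  208.67.222.222:137 208.67.222.222:137
tcp 10.0.88.2:38438    192.168.88.13:38438 192.168.60.64:2869 192.168.60.64:2869
udp 10.0.88.2:50394    192.168.88.13:50394 208.67.222.222:53 208.67.222.222:53
udp 10.0.88.2:61217    192.168.88.13:61217 192.168.60.64:1900 192.168.60.64:1900
"""

def parse_nat(table):
    """Yield (proto, inside_global, inside_local, outside_global) per row."""
    for row in table.splitlines():
        f = row.split()
        # Skip the header and static entries that carry no protocol/port.
        if len(f) == 5 and f[0] in ("tcp", "udp", "icmp"):
            yield (f[0], *(ipaddress.ip_address(x.rsplit(":", 1)[0])
                           for x in (f[1], f[2], f[4])))

def summarize(table):
    """Summarise who is being translated and whether the result is routable."""
    rows = list(parse_nat(table))
    inside_global = {r[1] for r in rows}
    return {
        "inside_hosts": sorted({str(r[2]) for r in rows}),
        # A private inside-global address is not Internet-routable yet:
        # the next device upstream must NAT it again.
        "needs_upstream_nat": sorted(str(a) for a in inside_global if a.is_private),
        # Flows whose destination is a public address, counted per destination.
        "internet_flows": Counter(str(r[3]) for r in rows if r[3].is_global),
    }

if __name__ == "__main__":
    for key, value in summarize(NAT_TABLE).items():
        print(key, value)
```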
