
891W: Basic WAN setup? (IP and DNS)

cluovpemb
Level 1

Hi all.  I'm not much of a Cisco tech as yet but I am trying to configure the FE8 (WAN port) to connect to the Internet.  We're switching ISPs soon so this router was set up at my office and has since been deployed at the client site.  So far it is just plugged in and powered, with a console cable attached but no LAN cabling since this router will replace an existing one using the same addressing (except the WAN settings of course).  So for now I am just focused on working on the WAN side since I have the ISP's cable modem attached.  I had initially used CP Express to config the WAN port with an IP and mask and the various port forwarding options I intend to use.

Now, connected via console cable, I tried pinging the IP of the WAN port, which works.  Beyond that, can't ping anything (8.8.8.8 - a Google IP), also can't resolve any DNS names which makes sense with no apparent connectivity.

Likely my config is just incomplete.  Nowhere in sh run do I see a Default Gateway, yet this ISP did specify one so I assume I need to enter it.  Not sure what's the right way - I get confusing results on searches telling me either to use ip default-gateway or ip default-network.  I want to think that it's as simple as entering in the IP but so far I've learned with the IOS that you never do anything without knowing all the possible implications, which I don't.  Can anybody advise?

Also while I am at it, I don't know what I should have for DNS entries.  This router will not be a DNS server for any internal systems; that function will be managed by the two Windows 2008 R2 DNS machines.  The ISP has also provided two IPs for their DNS servers.  I thought it would be a simple matter of just adding two entries via the ip name-server command, which I did.  So now I have four entries, first the two internal servers (inaccessible currently due to no LAN cabling to this router), and the two ISP servers.  Can't ping those either, but again there's no default gateway.

Just about everything is an out of the box config, CP Express being the only method I used to get most things done.  Please help!

39 Replies

lonjaco91
Level 1

You won't have to worry about the ip default command because you have a default route. You can use your show run and move your NAT commands over anywhere you see your fa8 configured with something (like ip nat outside), but make sure you change your default route. Enter

no ip route 0.0.0.0 0.0.0.0 fa8 then enter

ip route 0.0.0.0 0.0.0.0 giga0 and move your IPs to giga 0

And it should work. Let us know how it goes.

Sent from Cisco Technical Support iPhone App

Hi,

you should always put the IP next hop on a static route with a multipoint outgoing interface, which is the case here, so don't configure it with the interface BUT with either the next-hop or both, because when you configure a static route with a multipoint outgoing interface the router is gonna do the L3-L2 mapping for the destination IP, which is not on the local subnet (but the router thinks it is as it is a multipoint interface), and so if the next hop is not implementing proxy ARP (in the Ethernet case) the router won't be able to encapsulate the packet. And for performance reasons, even if proxy ARP is enabled, it is not a good idea to do this because for each destination IP you'll have an ARP request and the ARP cache is gonna get very large.

Now if you are routing you won't use the ip default-gateway( only used when not routing) but the static default route or any other default route.

As I said before  ip default-network is for advertising a default route into RIP and EIGRP but it is not the preferred way of doing this.

Regards.

Alain

Don't forget to rate helpful posts.

Parvesh Paliwal
Level 3

What I have seen as a real nuisance in the config is "Gateway of last resort is 0.0.0.0 to network 0.0.0.0".

Second, I don't think that a router can limit you to send WAN traffic to a particular interface only.

Change the default route properly and it should work.

Your default route should point to the next hop ip and not towards your own interface, it may lead to several other issues.

Waiting for further findings.!!

----

Parvesh    

Alright, I do believe I am confused now. Sorry guys.  It seems like there are differing suggestions on what to use for this default route (or ip route, or gateway, or whatever it is referred to as).  Also Alain, sorry for my mistake, you were indeed saying not to use default-network but when I re-read your original post I realized I thought you were saying default-gateway, my mistake. Your most recent post sounds like you know your stuff but it confused the hell out of me to be honest (due mainly to my lack of knowledge).  I understand ARP basics though so did sort of understand what you were getting at.  Also the references to a multipoint interface confuse me - isn't my WAN port just a single point, single IP?

I have completed the changes to the ip nat lines and to the "ip route 0.0.0.0 0.0.0.0..." that London mentioned. 

Now, if I do a sh run | i FastEthernet8 I get only the actual interface config section for that interface so all other references are now set to GigabitEthernet0. 

No change to the problem with pinging though.  I can ping the ISP's device (my WAN IP on gig0 is 66.28.150.126/30, the ISP's next hop IP is 66.28.150.125/30), but nothing outside that (8.8.8.8 for example) replies. 

I've attached a sh run here but will edit for privacy and exclude what I can to reduce the output size. 

Thanks again everyone. 

Hi Colin,

1) change the static default route to point to the next-hop like I explained above; even if you only have one device connected directly to an Ethernet interface, for the router it is still a multipoint interface because it could very well be linked to a switch with other devices in the same LAN.

2) looking at your previous post I remembered you had ZBF enabled and I had asked you in the beginning to include these global config commands: ip inspect log drop-pkt and logging console 7. Can you do it please?

But I can tell you that from the router your pings won't succeed:

policy-map type inspect ccp-permit
 class class-default
  drop
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

So first do :

zone-pair security ccp-zp-out-self source out-zone destination self
 no service-policy type inspect ccp-permit

then you'll tell me which traffic you want to filter for your router and we'll modify this policy.

after doing these 2 changes then ping 8.8.8.8 from the router and if successful then ping 8.8.8.8 source 192.168.0.2

if still unsuccessful then do this debug and post results:

debug  ip packet detail 199

with access-list 199 permit icmp any any

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Responses to the items you mentioned:

1.  I get the error "%inconsistent ip address and mask" when I enter Router(config)#ip route 66.28.150.125 255.255.255.252 GigabitEthernet 0.  Am I doing this incorrectly?

2.  Done (ip inspect and logging console 7 commands)

Also, I did the two ZPF commands you mentioned. 

Unfortunately the result is I still cannot ping 8.8.8.8 - however since I could not properly enter a default route this may be why.  Since 66.28.150.125/30 is the next hop IP itself, should I instead enter 66.28.150.124/30 which is the subnet identifier instead? 

In terms of your final command for the debugging, I assume we should wait to pursue that until I have the default route part completed.  Also just to refresh in case it's useful, here is the result for sh ip route:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.28.150.124/30 is directly connected, GigabitEthernet0
L        66.28.150.126/32 is directly connected, GigabitEthernet0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.1/32 is directly connected, Vlan1

Thank you, again! 

Can you please provide your current sh run?

Mandlenkosi Nkiwane wrote:

Can you please provide your current sh run?


I have a sh run attached in a couple of posts back - nothing has changed except the commands that I've run at Alain's suggestion. 

Hi,

have you read my previous post? how is it behaving now ?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Colin,

1.  I get the error "%inconsistent ip address and mask" when I enter Router(config)#ip route 66.28.150.125 255.255.255.252 GigabitEthernet 0.  Am I doing this incorrectly?

the IP is a host IP and you configure a subnet mask for a subnet not a host

So either use netmask 255.255.255.255 or use IP 66.28.150.124 with the mask you used

BUT this is not a default route and you need a default route not use a static route to a directly connected network.

So it should be ip route 0.0.0.0 0.0.0.0 66.28.150.125

Remember: never configure a static route with an outgoing interface if this interface is multipoint which is the case for ethernet or Frame-relay.

Regards.

Alain

Don't forget to rate helpful posts.
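The two configuration points raised in the replies above (a default route that names only an Ethernet interface, and the out-zone to self zone-pair left without its service-policy) can be checked mechanically. The following is an added example, not code from any poster or from Cisco; the function name `audit` and both sample configs are constructed for illustration from the lines quoted in this thread.

```python
import re

# Ethernet-family interface names: multipoint, as the thread points out.
ETHERNET_IF = re.compile(r"^(Fa|Gi|Te|Eth|Vlan)", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def audit(config):
    """Return findings for a running-config given as text (hypothetical helper)."""
    findings, zone_pairs, current = [], {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            current = None               # an unindented line ends any sub-block
        words = raw.split()
        if words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(words) > 4:
            target = words[4:]
            # Interface given, but no next-hop address anywhere after it.
            if ETHERNET_IF.match(target[0]) and not any(IPV4.match(w) for w in target):
                findings.append("default route via %s has no next-hop IP" % target[0])
        elif words[:2] == ["zone-pair", "security"] and len(words) >= 7:
            current = words[2]
            zone_pairs[current] = {"dest": words[6], "policy": None}
        elif current and words[:1] == ["service-policy"]:
            zone_pairs[current]["policy"] = words[-1]
    for name, zp in zone_pairs.items():
        # The drop policy quoted in the thread no longer applies to this pair.
        if zp["dest"] == "self" and zp["policy"] is None:
            findings.append("zone-pair %s to self has no service-policy" % name)
    return findings

# Constructed sample: state after the thread's changes so far.
AS_IN_THREAD = """\
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
zone-pair security ccp-zp-out-self source out-zone destination self
!
"""

# Constructed sample: next-hop default route, policy attached again.
CORRECTED = """\
ip route 0.0.0.0 0.0.0.0 66.28.150.125
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
"""

if __name__ == "__main__":
    for label, cfg in (("as in thread", AS_IN_THREAD), ("corrected", CORRECTED)):
        print(label, audit(cfg) or "no findings")
```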

Hi Alain,

I hadn't heard back from you - did I scare you off with too many posts?

Hi Colin,

no you didn't scare me but I was busy and as your posts were not on the first page anymore and you had some other help, I thought your problem was solved, but apparently it isn't, is it?

Let me know and I'll review all the thread to see where we're at and we'll try to get it going.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

I really do appreciate you taking the time with this.  The issue is not resolved yet.  It's not entirely consistent though either.  For example, my bottom 4 posts in this thread show the current status of things.  Yet that was last week - this week, right now if I ping 8.8.8.8 I get 0% success.  I am still suspecting the ISP's line being down so I will call them again now.  But the issue is still outstanding just the same.

Also I am wondering, that firewall policy item we turned off - what was it for?  It may just be coincidence but sometime after doing that, I was getting random TCP connection attempts from IPs and random port #s from all over the world - sometimes 3 or 4 per minute, sometimes less.

Hope to hear from you soon, and thanks again!

Hi Colin,

I'll try to review the thread this evening or tomorrow if I've got time and I'll let you know.

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain, haven't heard from you. When you do get a chance, I was also wondering if I can or should re-enable that firewall policy change we made - and wondering what the change did as well.  The thread is very wordy with all my posts but the situation itself is pretty basic overall I think, so hopefully we can get it sorted out easily. Also I'm not sure whether it's best to reply to your post, which seems embedded halfway into this thread, or reply to the most recent post at the bottom of the thread so it's all linear.  Anyway, as long as you get the email notice I suppose.
