Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

891W: Basic WAN setup? (IP and DNS)

Hi all.  I"m not much of a Cisco tech as yet but I am trying to configure the FE8 (WAN port) to connect to the Internet.  We're swtiching ISP'ssoon so this router was set up at my office and has since been deployed at the client site.  So far it is just plugged in and powered, with a console cable attached but no LAN cabling since this router will replace an existing one using the same addressing (except the WAN settings of course).  So for now I am just focused on working on the WAN side since I have the ISP's cable modem attached .  I had intiially used CP Express to config the wan port with an IP and mask and the various port forwarding options I intend to use. 

Now, connected via console cable, I tried pinging the IP of the wan port, which works.  Beyond that, can't ping anyting (8.8.8.8 - a Google IP), also can't resovle any DNS names which makes sense with no apparent connectivity. 

Likely my config is just imcomplete.  Nowhere in sh run do I see a Default Gateway, yet this ISP did specify one so I assume I need to enter it.  Not sure what's the right way - I get confusing results on searches telling me either to use ip default-gateway or ip default-network.  I want to think that it's as simple as entering in the IP but so far I've learned with the IOS that you never do anythign without knowing all the possible implications, which I don't.  Can anybody advise? 

Also while I am at it, I don't know what I should have for DNS entries.  This router will not be a DNS server for any internal systems that function will be managed by the two Windows 2008 R2 DNS machines.  The ISP has also provided two IP's for their DNS servers.  I thought it would be a simple matter of just adding two entrires via ip name-server command, which I did.  So now I have four entries, first the two internal servers (inaccessible currently due to no LAN cabing to this router), and the two ISP servers.  Can't ping those either, but again there's no default gateway. 

Just abouteverything is an out of the box config, CP Express being the only method I used to get most things done.  Please help!

39 REPLIES
New Member

891W: Basic WAN setup? (IP and DNS)

Do you have nat setup?

If so do you have a default route 0.0.0.0 0.0.0.0 pointing to your wan interface?

Your ISP, you said you were conneted to a modem so i assume that you are getting a dhcp from that modem or is it static?

"Nowhere in sh run do I see a Default Gateway" You would see that in your routing table if it is dhcp. if it static you would have to do the manual default route listed above. Try show ip route and look for a *(this shows a default route)

Could you post a copy of your running config, and routing table

New Member

891W: Basic WAN setup? (IP and DNS)

Hi London,

I think I have NAT set up.  Using CP Express when I first got this router going, I had set the numerous port forwards etc which I hope is what constittues a NAT config.  Not sure if there is anything other than that to do though. 

The IP addressing from the ISP is static. 

Here are the results of show ip route:

[external IP's were changed for this post]

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, FastEthernet8
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.28.150.124/30 is directly connected, FastEthernet8
L        66.28.150.126/32 is directly connected, FastEthernet8
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.1/32 is directly connected, Vlan1

My sh run  produces about 15 or more pages due to all that class-map junk that I guess CP Express put together for the firewall zones and rules and what not.  Is there something spcific to look for? 

Thank you very much so far. 

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

you got a default route but it is pointing towards an multipoint outgoing interface so first you should change this default route and make it point towards the next-hop given by your ISP.

Secondly,can you tell us from where you're trying your ping tests, is it from the router or from  host on the LAN?

also if you've got ZBF it may be a problem with the firewall config.

Can you add this in global config: ip inspect log drop-pkt and enable logging with this command: logging console 7

Then try first to ping the address of the default gateway( next-hop given by ISP) and if it works try pinging 8.8.8.8, all these from the router then do the same but sourcing your ping from a LAN IP address.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: 891W: Basic WAN setup? (IP and DNS)

show run | include nat

this should show you your main nat command

ip nat inside source list (ip access list) interface fastethernet 8 overload

if you see this then do

show ip access (ip access list number or name)

make sure that your access list includes your private network your 192.168.......

also "try pinging 8.8.8.8" and if it works like Cadet said and then if it works do

Show ip nat translations and see if anything is there.

make sure your ip information is correct

if the above does not work try below.

I was looking at my 891W and I have my nat set up on the giga0 port right underneath my fa8 port. I had a issue setting it up on the fa8. The config was right and i never did figure out what the problem was but the same config worked on the giga0.

let me know what you see with the commands and if you try and or if the giga0 port works.

Uploading a txt file that shows my interface config and dhcp config

as well as my nat config

New Member

891W: Basic WAN setup? (IP and DNS)

Hi again.

I'll reply to both posts in here.  First, with this default gateway setup, not sure how to properly change it.  According to this Cisco article ( http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml ) if you have ip routing disabled you use ip default-gateway, but if you have ip routing enabled you use ip default-network.  The latter points to a subnet and not a specific IP which makes sense in routing, yet the ISP provided a specific next-hop IP.  Though I don't expect that this router on the WAN side will ever connect to anything but the ISP's given IP address, can I set ip default-gateway yet just leave routing enabled? 

I'm doing my ping testing from the router console itself. 

To test, I did set ip default-gateway to the ISP's provided IP address.  Now I can ping to it which tells me I'm getting outside of the router now.  However I can't get past that next hop (tried pinging either the ISP's DNS servers by ip address or the Google IP of 8.8.8.8).  It's possible that there's an issue at the ISP end though.  The setup is that they installed their own Cisco 860 router as the device that our router would connect with.  So the chain of devices is Internet > Cable Modem > Their Cisco Router > Our cisco router > switch > internal LAN devices.  The ISP's router is fully transparent I'm told, so it only provides the connection to their cable modem.  I suppose the next hop IP is really just their router' s LAN interface.  I'll have tocontact them to confirm that things are running on their end. 

Perhaps I should do that before going further with the NAT and firewall commands you guys mentioned.  FWIW, I did do sh run | i nat and the result was about 3 screens of info, lots of class-map and such.  If the default gateway stuff checks out, I'll review these nat commands you mentioned again. 

Next update, soon

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

ip default-gateway is only used when not routing so if you've got ip routing enabled it will use the static default route.

The default-gateway should be on same subnet as outside interface of router so directly connected so a ping to it only proves you've got L2/L3 functioning between your router and this device.

The ISP's router is fully transparent I'm told   Can you ask more precision about this, what do they mean ?

Regards.

Alain.

Don't forget to rate helpful posts.
New Member

891W: Basic WAN setup? (IP and DNS)

Hi Alain,

By fully transparent I think they mean that it has no interference or impact on our network at all - it's got no security or anything.  In other words, as long as I set the static IP address they gave me (and DNS servers) for my perimeter device (router in this case, though it could just be a single PC even), then connectivity works. 

If I'm able to ping from my router WAN interface which does only have a direct cable to the LAN interface on the ISP's on-premises router, my assumption would normally be that my router is ok, at least the basic connection for L2/L3 like you said.  Both are on the same /30 subnet. 

But regarding this ip default-gateway.  I am assuming ip routing is enabled by default on a router but perhaps I'm wrong? 

Or perhaps another way to ask this is, if I have my router that will only connect (via WAN port) directly to the LAN port on the ISP's router and I"m using NAT, should I disable ip routing?  Will anyting else on the router stop working properly by doing that?  This is the only router (for now) in the office so it will be the perimeter gateway device to the Internet basically.  No route discovery needs to be done that I know of. 

Thanks. 

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

yes  routing is enabled by default and so it will not use your ip default-gateway command.

if you disable routing then the hosts on your LAN won't be able to access the internet.

Regards.

Alain

Don't forget to rate helpful posts.

891W: Basic WAN setup? (IP and DNS)

I have used an 800 series router before and it is notorious of having only one wan interface. all the other interfaces will not work as WAN interfaces. So I would suggest that you use that 1 interface labelled WAN.

Secondly I would suggest you post the "sh run" withouth the class map stuff maybe just for the interfaces and the routing.

can you give the following

sh ip int br

sh run | i gig x

New Member

891W: Basic WAN setup? (IP and DNS)

Thanks Alain and others so far for the help. 

It was only after putting in the ip default-gateway command that I was able to ping the ISP's device.  There doesn't seem to be any logic in disabling ip routing if the LAN devices won't be able to connect after that, so I guess I'll leave that enabled.  But then, what do I need to input to make this all work?  ip default-network?  If so, I don't see a place within that command t input a specific IP, just a subnet. 

Output from sh ip int br:

nterface                  IP-Address      OK? Method Status                Prot
ocol
Async1                     unassigned      YES NVRAM  down                  down

FastEthernet0              unassigned      YES unset  down                  down

FastEthernet1              unassigned      YES unset  down                  down

FastEthernet2              unassigned      YES unset  down                  down

FastEthernet3              unassigned      YES unset  down                  down

FastEthernet4              unassigned      YES unset  down                  down

FastEthernet5              unassigned      YES unset  down                  down

FastEthernet6              unassigned      YES unset  down                  down

FastEthernet7              unassigned      YES unset  down                  down

FastEthernet8              66.28.150.126   YES NVRAM  up                    up

GigabitEthernet0           unassigned      YES NVRAM  administratively down down

NVI0                       66.28.150.126   YES unset  up                    up

Vlan1                      192.168.0.1     YES NVRAM  up                    up

Wlan-GigabitEthernet0      unassigned      YES unset  up                    up

wlan-ap0                   192.168.0.1     YES TFTP   up                    up

(the IP of the AP I thought was going to be 192.168.0.2, not sure why it says 0.1 but anyway)

Output from sh run | i gig x:

Nothing.  Also nothing if I put a zero instead of the x, also nothing if I just put the | i gig . 

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

ip default-network is for putting a default route into RIP or EIGRP so it will be of no use for your problem.

the show commands with the output modifiers like include are case sensitive and need an exact match so it should have been

sh run | i Gig0 but the easier is sh run interface Gig0

maybe you should try this WAN interface instead of fa8 as of now like someone proposed.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: 891W: Basic WAN setup? (IP and DNS)

Just as I was saying before the giga0 port is the main wan port for this device. So I would try using cp express and config your giga0 as your Internet facing interface and see if that works. That is how I solved the issue with my 891w

Sent from Cisco Technical Support iPhone App

891W: Basic WAN setup? (IP and DNS)

This device will only be configued on GigabitEthernet0 for the WAN.

So configure all your WAN stuff on this interface. The FE ports will not work, that I am 100% sure.

FastEthernet8              66.28.150.126   YES NVRAM  up                    up  <<-- The config on this port should be moved to the GigabitEthernet0

Hope this helps.

New Member

Re: 891W: Basic WAN setup? (IP and DNS)

Hi all.  I will set the gig0 port for the WAN as suggested.  I don't really have the option to use CP Express unless I go onsite, hook up a machine of some sort to the router and use the LAN connection, so I am hoping ti can remotely do this via console cable and the CLI.  I looked through the full sh run - it seems to me I should be able to simply replicate the exact config that fa8 has to the gig0 port.  Here's what fa8 and gig0 have right now:

interface FastEthernet8

description $ES_WAN$$FW_OUTSIDE$

ip address 66.28.150.126 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

!

interface GigabitEthernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

I figure if I can put those settings in, as long as the ip nat and zone member stuff match then the gig0 port will tie into the security setup properly.  I"ll re-check the whole sh run for other unique references to gig0/fa8 but otherwise it seems I'll manage simply by duplicating what fa8 has.  What do you guys think?

I'll deal with the ip default-gateway situation after completing the above.  Though I do not believe anybody has confirmed yet - if I should not use ip default-gateway, shoudl I instead use ip default-network?  And if so, does that mean I do not need to specify the specific static IP address of the next hop that the ISP provided me, but instead specify just that subnet?

Alain:  thanks for the tip on the show command syntax as well.   

Update:  a thorough review of running-config showed a bunch of entries,  ip nat inside source static [tcp or udp] [ip address] [port] FastEthernet8 [port].  My assumption is I'll need to add equivalent lines for the GigabitEthernet0 port.  I'll do the "no ip nat inside...." thing to remove the fa8 entries.  So far for the fa8 port itself, i left it intact but just did a shutdown on it. 

So to summarize the questions asked in this post: 

- Is the process i'm using within the CLI enough to transfer things from fa8 to gig0?

- Do I use ip default-network instead of ip default-gateway, considering the ISP gave me a specific static IP as the next hop?

Thank you again. 

New Member

Re: 891W: Basic WAN setup? (IP and DNS)

You won't have to worry about the ip default command because you have a default route. You can use your show run and move your nat commands over any where you see your fa8 configured with something( like ip nat outside). but make sure you Change your default route. Enter

No ip route 0.0.0.0 0.0.0.0 fa8 the enter

Ip route 0.0.0.0 0.0.0.0 giga0 and move your ips to giga 0

And it should work. Let us know how it goes.

Sent from Cisco Technical Support iPhone App

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

you should always put the IP next hop on a static route with a multipoint outgoing interface which is the case here so don't

configure it with the interface BUT with either the next-hop or both because when you configure a static route with a multipoint  outgoing interface the router is gonna do the L3-L2 mapping for the destination IP which is not on the local subnet( but the router thinks it is as it is a multipoint interface) and so if the next hop is not implementing proxy ARP (in ethernet case) the router won't be able to encapsulate the packet and for performance reasons even if proxy ARP is enabled it is not a good idea to do this because for each destination IP you'll have an ARP request and the arp cache is gonna get very large.

Now if you are routing you won't use the ip default-gateway( only used when not routing) but the static default route or any other default route.

As I said before  ip default-network is for advertising a default route into RIP and EIGRP but it is not the preferred way of doing this.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

891W: Basic WAN setup? (IP and DNS)

What I have seen very nuisance in the config is "Gateway of last resort is 0.0.0.0 to network 0.0.0.0".

Second, I dont think that a router can limit you to send wan traffic to a particular interface only.

Change the default route properly and it should work.

Your default route should point to the next hop ip and not towards your own interface, it may lead to several other issues.

Waiting for further findings.!!

----

Parvesh    

New Member

Re: 891W: Basic WAN setup? (IP and DNS)

Alright I do believe I am confused now Sorry guys.  It seems like there are differing suggestions on what to use for this default route (or ip route, or gateway, or whatever it is referred to as).  Also Alain sorry for my mistake, you were indeed saying not to use default-network but when I re-read your original post I realized I thought you were saying default-gateway, my mistake Your most recent post sounds like you know your stuff but it confusd the hell out of me to be honest (due mainly to my lack of knowledge).  I understand ARP basics though so did sort of understand what you were getting at.  Also the references to a multipoint interface confuse me - isn't my wan port just a single point, single IP? 

I have completed the changes to the ip nat lines and to the "ip route 0.0.0.0 0.0.0.0..." that London mentioned. 

Now, if I do a sh run | i FastEthernet8 I get only the actual interface config section for that interface so all other references are now set to GigabitEthernet0. 

No change to the problem with pinging though.  I can ping the ISP's device (my WAN IP on gig0 is 66.28.150.126/30, the ISP's next hop IP is 66.28.150.125/30), but nothing outside that (8.8.8.8 for example) replies. 

I've attached a sh run here but will edit for privacy and exclude what I can to reduce the output size. 

Thanks again everyone. 

Purple

891W: Basic WAN setup? (IP and DNS)

Hi Colin,

1) change the static defaul route to point to netx-hop like I explained above, even if you only have one device connected directly to an ethernet interface for the router it is still a multipoint interface because it could very well be linked to a switch with other devices in the same LAN.

2) looking at your previous post I remembered you had ZBF enabled and I had asked you in the beginning to include this global config command: ip inspect log drop-pkt and logging console 7 Can you do it please.

But I can tell you that from the router your pings won't succeed:

policy-map type inspect ccp-permit

class class-default

  drop

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

So first do :

zone-pair security ccp-zp-out-self source out-zone destination self

no service-policy type inspect ccp-permit

then you'll tell me which traffic you want to filter for your router and we'll modify this policy.

after doing these 2 changes then ping 8.8.8.8 from the router and if successful then ping 8.8.8.8 source 192.168.0.2

if still unsuccessful then do this debug and post results:

debug  ip packet detail 199

with access-list 199 permit icmp any any

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: 891W: Basic WAN setup? (IP and DNS)

Hi Alain,

Responses to the items you mentioned:

1.  I get the error:  %inconsistent ip address and mask" when I enter Router(config)#ip route 66.28.150.125 255.255.255.252 GigabigEtherhet 0 .  Am I doing this incorrectly? 

2.  Done (ip inspect and logging console 7 commands)

Also, I did the two ZPF commands you mentioned. 

Unfortunately the result is I still cannot ping 8.8.8.8 - however since I could not properly enter a default route this may be why.  Since 66.28.150.125/30 is the next hop IP itself, should I instead enter 66.28.150.124/30 which is the subnet identifier instead? 

In terms of your final command for the debugging, I assume we should wait to pursue that until I have the default route part completed.  Also just to refresh in case it's useful, here is the result for sh ip route:

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.28.150.124/30 is directly connected, GigabitEthernet0
L        66.28.150.126/32 is directly connected, GigabitEthernet0
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.1/32 is directly connected, Vlan1

Thank you, again! 

891W: Basic WAN setup? (IP and DNS)

Can you please provide your current sh run?

New Member

891W: Basic WAN setup? (IP and DNS)

Mandlenkosi Nkiwane wrote:

Can you please provide your current sh run?


I have a sh run attached in a couple of posts back - nothing has changed except the commands that I've run at Alain's suggestion. 

Purple

891W: Basic WAN setup? (IP and DNS)

Hi,

have you read my previous post? how is it behaving now ?

Regards.

Alain

Don't forget to rate helpful posts.
Purple

891W: Basic WAN setup? (IP and DNS)

Hi Colin,

1.  I get the error:  %inconsistent ip address and mask" when I enter

Router(config)#ip route 66.28.150.125 255.255.255.252 GigabigEtherhet 0

.  Am I doing this incorrectly?

the IP is a host IP and you configure a subnet mask for a subnet not a host

So either use netmask 255.255.255.255 or use IP 66.28.150.124 with the mask you used

BUT this is not a default route and you need a default route not use a static route to a directly connected network.

So it should be ip route 0.0.0.0 0.0.0.0 66.28.150.125

Remember: never configure a static route with an outgoing interface if this interface is multipoint which is the case for ethernet or Frame-relay.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

891W: Basic WAN setup? (IP and DNS)

Hi Alain,

I hadn't heard back from you - did I scare you off with too many posts?

Purple

891W: Basic WAN setup? (IP and DNS)

Hi Colin,

no you didn't scare me but I was busy and as your post were not in the first page anymore and you had some others help, I thought your  problem was solved but apprently it isn't , is it?

Let me know and I'll review all thre thread to where we're at and we'll try to get it going.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Re: 891W: Basic WAN setup? (IP and DNS)

Hi Alain,

I really do appreciate you taking the time with this.  The issue is not resolved yet.  I'ts not entirely consistent though either.  For example, my bottom 4 posts in this thread show the current status of things.  Yet that was last week - this week, right now if I ping 8.8.8.8 I get 0% success.  I am still suspecting the ISP's line being down so I will call them again now.  But the issue is still outstanding just the same.

Also I am wondering, that firewall policy item we turned off - what was it for?  It may just be coincidence but sometime after doing that, I was getting random TCP connction attempts from IP's and random port #'s from all over the world - sometimes 3 or 4 per minute sometimes less. 

Hope to hear from you soon, and thanks again!

Purple

891W: Basic WAN setup? (IP and DNS)

Hi Colin,

I'll try to review the thread this evening or tommorrow if I've got time and I'll let you know.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

891W: Basic WAN setup? (IP and DNS)

Hi Alain, havne't heard from you When you do get a chance, I was also wondering if I can or should re-enable that firewall policy change we made - and wondering what the change did as well.  The thread is very wordy with all my posts but the situation itself is pretty basic overall I think, so hopefully we can get it sorted out easily Also I"m not sure whether it's best to reply to your post, which seems embedded halfway into this thread, or reply to the most recent post at the bottom of thread os it's all linear.  Anyway as long as you get the email notice I suppose. 

13234
Views
0
Helpful
39
Replies
CreatePlease to create content