Hi London,

I think I have NAT set up.  Using CP Express when I first got this router going, I had set the numerous port forwards etc which I hope is what constittues a NAT config.  Not sure if there is anything other than that to do though. 

The IP addressing from the ISP is static. 

Here are the results of show ip route:

[external IP's were changed for this post]

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, FastEthernet8
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.28.150.124/30 is directly connected, FastEthernet8
L        66.28.150.126/32 is directly connected, FastEthernet8
      192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.0.0/24 is directly connected, Vlan1
L        192.168.0.1/32 is directly connected, Vlan1

My sh run  produces about 15 or more pages due to all that class-map junk that I guess CP Express put together for the firewall zones and rules and what not.  Is there something spcific to look for? 

Thank you very much so far. 

Hi,

you got a default route but it is pointing towards an multipoint outgoing interface so first you should change this default route and make it point towards the next-hop given by your ISP.

Secondly,can you tell us from where you're trying your ping tests, is it from the router or from  host on the LAN?

also if you've got ZBF it may be a problem with the firewall config.

Can you add this in global config: ip inspect log drop-pkt and enable logging with this command: logging console 7

Then try first to ping the address of the default gateway( next-hop given by ISP) and if it works try pinging 8.8.8.8, all these from the router then do the same but sourcing your ping from a LAN IP address.

Regards.

Alain

Hi again.

I'll reply to both posts in here.  First, with this default gateway setup, not sure how to properly change it.  According to this Cisco article ( http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094374.shtml ) if you have ip routing disabled you use ip default-gateway, but if you have ip routing enabled you use ip default-network.  The latter points to a subnet and not a specific IP which makes sense in routing, yet the ISP provided a specific next-hop IP.  Though I don't expect that this router on the WAN side will ever connect to anything but the ISP's given IP address, can I set ip default-gateway yet just leave routing enabled? 

I'm doing my ping testing from the router console itself. 

To test, I did set ip default-gateway to the ISP's provided IP address.  Now I can ping to it which tells me I'm getting outside of the router now.  However I can't get past that next hop (tried pinging either the ISP's DNS servers by ip address or the Google IP of 8.8.8.8).  It's possible that there's an issue at the ISP end though.  The setup is that they installed their own Cisco 860 router as the device that our router would connect with.  So the chain of devices is Internet > Cable Modem > Their Cisco Router > Our cisco router > switch > internal LAN devices.  The ISP's router is fully transparent I'm told, so it only provides the connection to their cable modem.  I suppose the next hop IP is really just their router' s LAN interface.  I'll have tocontact them to confirm that things are running on their end. 

Perhaps I should do that before going further with the NAT and firewall commands you guys mentioned.  FWIW, I did do sh run | i nat and the result was about 3 screens of info, lots of class-map and such.  If the default gateway stuff checks out, I'll review these nat commands you mentioned again. 

Next update, soon

Hi,

ip default-gateway is only used when not routing so if you've got ip routing enabled it will use the static default route.

The default-gateway should be on same subnet as outside interface of router so directly connected so a ping to it only proves you've got L2/L3 functioning between your router and this device.

The ISP's router is fully transparent I'm told   Can you ask more precision about this, what do they mean ?

Regards.

Alain.

Hi Alain,

By fully transparent I think they mean that it has no interference or impact on our network at all - it's got no security or anything.  In other words, as long as I set the static IP address they gave me (and DNS servers) for my perimeter device (router in this case, though it could just be a single PC even), then connectivity works. 

If I'm able to ping from my router WAN interface which does only have a direct cable to the LAN interface on the ISP's on-premises router, my assumption would normally be that my router is ok, at least the basic connection for L2/L3 like you said.  Both are on the same /30 subnet. 

But regarding this ip default-gateway.  I am assuming ip routing is enabled by default on a router but perhaps I'm wrong? 

Or perhaps another way to ask this is, if I have my router that will only connect (via WAN port) directly to the LAN port on the ISP's router and I"m using NAT, should I disable ip routing?  Will anyting else on the router stop working properly by doing that?  This is the only router (for now) in the office so it will be the perimeter gateway device to the Internet basically.  No route discovery needs to be done that I know of. 

Thanks. 

Hi,

yes  routing is enabled by default and so it will not use your ip default-gateway command.

if you disable routing then the hosts on your LAN won't be able to access the internet.

Regards.

Alain

I have used an 800 series router before and it is notorious of having only one wan interface. all the other interfaces will not work as WAN interfaces. So I would suggest that you use that 1 interface labelled WAN.

Secondly I would suggest you post the "sh run" withouth the class map stuff maybe just for the interfaces and the routing.

can you give the following

sh ip int br

sh run | i gig x

Thanks Alain and others so far for the help. 

It was only after putting in the ip default-gateway command that I was able to ping the ISP's device.  There doesn't seem to be any logic in disabling ip routing if the LAN devices won't be able to connect after that, so I guess I'll leave that enabled.  But then, what do I need to input to make this all work?  ip default-network?  If so, I don't see a place within that command t input a specific IP, just a subnet. 

Output from sh ip int br:

nterface                  IP-Address      OK? Method Status                Prot
ocol
Async1                     unassigned      YES NVRAM  down                  down

FastEthernet0              unassigned      YES unset  down                  down

FastEthernet1              unassigned      YES unset  down                  down

FastEthernet2              unassigned      YES unset  down                  down

FastEthernet3              unassigned      YES unset  down                  down

FastEthernet4              unassigned      YES unset  down                  down

FastEthernet5              unassigned      YES unset  down                  down

FastEthernet6              unassigned      YES unset  down                  down

FastEthernet7              unassigned      YES unset  down                  down

FastEthernet8              66.28.150.126   YES NVRAM  up                    up

GigabitEthernet0           unassigned      YES NVRAM  administratively down down

NVI0                       66.28.150.126   YES unset  up                    up

Vlan1                      192.168.0.1     YES NVRAM  up                    up

Wlan-GigabitEthernet0      unassigned      YES unset  up                    up

wlan-ap0                   192.168.0.1     YES TFTP   up                    up

(the IP of the AP I thought was going to be 192.168.0.2, not sure why it says 0.1 but anyway)

Output from sh run | i gig x:

Nothing.  Also nothing if I put a zero instead of the x, also nothing if I just put the | i gig . 

Hi,

ip default-network is for putting a default route into RIP or EIGRP so it will be of no use for your problem.

the show commands with the output modifiers like include are case sensitive and need an exact match so it should have been

sh run | i Gig0 but the easier is sh run interface Gig0

maybe you should try this WAN interface instead of fa8 as of now like someone proposed.

Regards.

Alain

This device will only be configued on GigabitEthernet0 for the WAN.

So configure all your WAN stuff on this interface. The FE ports will not work, that I am 100% sure.

FastEthernet8              66.28.150.126   YES NVRAM  up                    up  <<-- The config on this port should be moved to the GigabitEthernet0

Hope this helps.

Hi all.  I will set the gig0 port for the WAN as suggested.  I don't really have the option to use CP Express unless I go onsite, hook up a machine of some sort to the router and use the LAN connection, so I am hoping ti can remotely do this via console cable and the CLI.  I looked through the full sh run - it seems to me I should be able to simply replicate the exact config that fa8 has to the gig0 port.  Here's what fa8 and gig0 have right now:

interface FastEthernet8

description $ES_WAN$$FW_OUTSIDE$

ip address 66.28.150.126 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

!

interface GigabitEthernet0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

I figure if I can put those settings in, as long as the ip nat and zone member stuff match then the gig0 port will tie into the security setup properly.  I"ll re-check the whole sh run for other unique references to gig0/fa8 but otherwise it seems I'll manage simply by duplicating what fa8 has.  What do you guys think?

I'll deal with the ip default-gateway situation after completing the above.  Though I do not believe anybody has confirmed yet - if I should not use ip default-gateway, shoudl I instead use ip default-network?  And if so, does that mean I do not need to specify the specific static IP address of the next hop that the ISP provided me, but instead specify just that subnet?

Alain:  thanks for the tip on the show command syntax as well.   

Update:  a thorough review of running-config showed a bunch of entries,  ip nat inside source static [tcp or udp] [ip address] [port] FastEthernet8 [port].  My assumption is I'll need to add equivalent lines for the GigabitEthernet0 port.  I'll do the "no ip nat inside...." thing to remove the fa8 entries.  So far for the fa8 port itself, i left it intact but just did a shutdown on it. 

So to summarize the questions asked in this post: 

- Is the process i'm using within the CLI enough to transfer things from fa8 to gig0?

- Do I use ip default-network instead of ip default-gateway, considering the ISP gave me a specific static IP as the next hop?

Thank you again.