06-06-2017 02:14 AM - edited 03-08-2019 10:52 AM
Hi,
I was setting up a new router, but it looks impossible to ping outside. Here is my running config.
Current configuration : 6548 bytes
!
! Last configuration change at 10:05:20 brussel Tue Jun 6 2017 by benny
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ....
enable password 7 ...
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone brussel 1 0
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.230 192.168.1.240
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VZWLEEF
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.251 192.168.1.100
!
!
!
ip domain name leef.local
ip name-server 195.130.130.4
ip name-server 195.130.131.4
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3250918178
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3250918178
revocation-check none
rsakeypair TP-self-signed-3250918178
!
!
crypto pki certificate chain TP-self-signed-3250918178
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FCZ2112B0RG
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
!
object-group network vpn_remote_subnets
any
!
username benny privilege 15 password 7
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
zone-member security LAN
!
interface GigabitEthernet0/1
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip ssh version 2
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended teamviewer
permit tcp any any eq 5938
permit udp any any eq 5938
permit tcp any any eq 443
!
!
!
access-list 1 permit any
!
!
!
control-plane
!
!
!
line con 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
privilege level 15
password 7 142717041C082F38047A606572
logging synchronous
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
!
end
Does anyone have an idea where I'm wrong?
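A consistency check over the running-config posted above, as an added example that is not part of the original thread: it flags ACL references with no definition, a NAT source list that is 'permit any', and addressed interfaces that carry no 'ip nat' role. The function name audit and the trimmed SAMPLE excerpt are assumptions made for illustration.

```python
import re

# Constructed excerpt: lines copied from the running-config in the post above.
SAMPLE = """\
interface GigabitEthernet0/0.20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0.30
 ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit any
line vty 0 4
 access-class 23 in
"""

def audit(config):
    """Flag undefined ACL references, a permit-any NAT list, and addressed
    interfaces with no NAT role. Works on indented or flattened show-run text."""
    lines = [ln.strip() for ln in config.splitlines()]
    defined = {m.group(1) for ln in lines
               if (m := re.match(r"(?:ip access-list \w+|access-list) (\S+)", ln))}
    findings = []
    for ln in lines:
        ref = re.match(r"(?:access-class|ip nat inside source list"
                       r"|match access-group name) (\S+)", ln)
        if ref and ref.group(1) not in defined:
            findings.append(f"ACL {ref.group(1)} referenced but not defined: {ln}")
        nat = re.match(r"ip nat inside source list (\S+)", ln)
        if nat and f"access-list {nat.group(1)} permit any" in lines:
            findings.append(f"NAT list {nat.group(1)} is 'permit any'")
    iface, body = None, []
    for ln in lines + ["!"]:                  # '!' closes each interface block
        if ln.startswith("interface "):
            iface, body = ln.split()[1], []
        elif ln == "!" and iface:
            if (any(b.startswith("ip address ") for b in body)
                    and not any(b.startswith("ip nat ") for b in body)):
                findings.append(f"{iface} has an address but no 'ip nat' role")
            iface = None
        elif iface:
            body.append(ln)
    return findings
```

Calling audit(SAMPLE) returns three findings: the permit-any NAT list 1, the vty access-class pointing at ACL 23, which appears nowhere in the posted config, and GigabitEthernet0/0.30, which has an address but no NAT role.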
06-08-2017 12:31 AM
Hi,
I tested for 3 days with a laptop getting its IP through DHCP from the ISP. This device keeps having access and can ping Google, etc. I can trace, as you can see in the message below.
So there must be something I misconfigured, I think. I hope that someone finds the misconfiguration.
Any suggestions?
06-08-2017 03:02 AM
-
06-08-2017 03:18 AM
I know, but for resolving the issue I had permit any. I already changed it back. Thank you for the reply!
Benny
06-06-2017 02:25 AM
Hi
Have you got your public IP address on G0/1 off the ISP? Can you ping that IP?
I would remove the zone security until you have your internet connection up and running off the g0/1 interface.
06-08-2017 01:07 AM
I have disabled the zone security for G0/1 and G0/0.1.
I have set a static route to the gateway of the ISP. I can ping outside now but have a success rate of 40% or sometimes 60%. Any idea?