Cisco router config issue

Hello,

Can anyone help me with this configuration? I can reach the internet directly from the router (ping Google or else) but I can't reach the internet from the local network (PC).

tnx

3 REPLIES
Cisco router config issue

Hi,

First remove your ACLs from the WAN and LAN interfaces and add this global config command: ip inspect log drop-pkt

Do your ping test by IP again and post the output of the log, if any.

Regards.

Alain

Don't forget to rate helpful posts.

Cisco router config issue

Hi,

Do you need the access lists under the WAN and LAN interfaces for any reason? If yes, observe the required changes below and replace the same on your router.
You denied the whole network to any, so how can you reach the internet? (access-list 101 deny   ip any any log)


interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 192.168.1.2 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.254.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 192.168.1.1 permanent
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.31 any
OR
access-list 1 permit ip any any

access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.207.42.0 0.0.1.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 permit ip host 92.xx.xxx.x5 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any


access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 permit udp host 81.xx.xx.x eq domain any
access-list 101 permit ip host 92.xx.xxx.xx any
access-list 101 permit ip 92.xx.xxx.104 0.0.0.7 any
access-list 101 permit udp host 81.xx.xx.x eq domain any
access-list 101 permit ip any any


Please rate the helpful posts.
Regards,
Naidu.

Cisco router config issue

Your internal IP space doesn't match your access-list 1.

access-list 1 permit 10.10.10.0 0.0.0.31 any (/27 mask)

interface Vlan1

ip address 10.10.10.1 255.255.254.0 (/23 mask)

This should need an ACL entry of 10.10.10.0 0.0.1.255 to allow all hosts. If all your hosts are between .1 and .30, it would work. If they are above .30, it won't work.

Your DHCP scope is excluding .1-.99 and .151-.254, so the client addresses don't match the statement.

Or you can use the permit any any like Naidu said above.
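
The mismatch described in the reply above can be checked mechanically before a config is deployed. The following is an added example, not code from the thread: the config excerpt is constructed from lines quoted in the thread, all function names are hypothetical, and it assumes interface blocks are separated by `!` lines and handles only `permit <address> <wildcard>` entries.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines as quoted in this thread.
CONFIG = """\
interface Vlan1
 ip address 10.10.10.1 255.255.254.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 10.10.10.0 0.0.0.31 any
"""

def acl_matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def nat_acl_entries(config):
    """(base, wildcard) permit entries of the ACL named by 'ip nat inside source list'."""
    acl = re.search(r"^ip nat inside source list (\d+) ", config, re.M).group(1)
    pattern = rf"^access-list {acl} permit (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)"
    return re.findall(pattern, config, re.M)

def inside_networks(config):
    """Connected network of every interface marked 'ip nat inside'."""
    nets = []
    for block in re.split(r"^!\s*$", config, flags=re.M):
        if re.search(r"^\s*ip nat inside\s*$", block, re.M):
            m = re.search(r"^\s*ip address (\S+) (\S+)", block, re.M)
            if m:
                nets.append(ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network)
    return nets

def untranslated_hosts(config):
    """Hosts on NAT-inside networks that no permit entry of the NAT ACL matches."""
    entries = nat_acl_entries(config)
    return [str(h) for net in inside_networks(config) for h in net.hosts()
            if not any(acl_matches(str(h), b, w) for b, w in entries)]

def suggested_entry(net):
    """ACL address and wildcard that cover the whole inside network."""
    return f"{net.network_address} {net.hostmask}"

if __name__ == "__main__":
    print(len(untranslated_hosts(CONFIG)), "inside hosts miss the NAT ACL")
    print("covering entry:", suggested_entry(inside_networks(CONFIG)[0]))
```
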
