01-22-2018 01:22 PM - edited 03-05-2019 09:48 AM
I hope someone here can help me. I have set up a Cisco router 2911 to study for CCNA, and I am unable in any form or fashion to get anything to communicate out.
Can someone please give me some advice?
Current configuration : 4174 bytes
!
! Last configuration change at 21:47:24 UTC Mon Jan 22 2018 by semi
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cishome
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.154-2.T1.bin
boot-end-marker
!
!
enable secret 5 __________.
enable password_________
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
no ip routing
!
!
!
!
!
ip dhcp excluded-address 10.0.100.1 10.0.100.30
!
ip dhcp pool MAIN
network 10.0.100.0 255.255.255.0
default-router 10.0.100.1
dns-server 84.200.------ 84.200.--------
domain-name ----------------
lease 7
!
!
!
no ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-
!
!
crypto pki certificate chain TP-A800CC D450AB15 593D495E
quit
license udi pid CISCO2911/K9 sn FTX1503AL35
!
!
username semi privilege 15 secret 5 $1$IKdz$c1GdjEOAUV6ZupnSyjulG/
!
redundancy
!
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip route-cache
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.0.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.1.1
!
ip access-list extended allowedservices
permit tcp any any eq www
permit tcp any any eq 443
permit tcp any any eq 445
permit tcp any any eq 143
permit tcp any any eq pop3
permit tcp any any eq 997
permit tcp any any eq 995
permit tcp any any eq smtp
permit tcp any any eq telnet
permit tcp any any eq 22
permit tcp any any eq domain
permit udp any any eq domain
permit icmp any any echo-reply
permit tcp any any eq 3389
permit tcp any any eq 69
!
!
!
snmp-server community public RO
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0
exec-timeout 40 0
password Blackbox47$
transport input ssh
line vty 1 4
exec-timeout 5 0
password Blackbox47$
transport input ssh
!
scheduler allocate 20000 1000
!
end
cishome#
01-22-2018 01:43 PM - edited 01-22-2018 01:44 PM
Hi, You've got the following defined "ip nat inside source list 10 interface GigabitEthernet0/0 overload", where "10" would be the standard ACL listing all of the internal subnets, but I don't see the output of this in the config you supplied. Do you have that ACL defined? If not, that could be the issue.
I assume this router is behind another ISP router, which is why the default route next hop is 10.0.1.1 and not a public IP address?
HTH
01-22-2018 01:59 PM
Thanks for the help. The only other issue I'm having now is that I can view every webpage, just some. I assume it's because of my extended access-list.
01-22-2018 02:04 PM
You haven't got that ACL applied anywhere (not that I can see), so it won't be doing anything yet. You'd want to apply it to the Gi0/1 interface.
interface GigabitEthernet0/1
ip access-group allowedservices in
! To confirm the ACL is working, make sure there are hits
show ip access-list
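The two findings in the replies above (NAT pointing at list 10, which is never defined, and `allowedservices` being defined but never applied) can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit whose function names are hypothetical and whose sample input is a constructed excerpt of the posted configuration.

```python
import re

# Constructed sample: an excerpt of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.0.100.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
ip access-list extended allowedservices
 permit tcp any any eq www
 permit tcp any any eq 443
"""

# Lines that define an ACL (numbered or named).
DEFINED = [
    re.compile(r"^access-list (\S+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
]
# Lines that reference an ACL: NAT source match, interface filter, vty filter.
REFERENCED = [
    re.compile(r"^ip nat inside source list (\S+) "),
    re.compile(r"^ip access-group (\S+) (?:in|out)"),
    re.compile(r"^access-class (\S+) (?:in|out)"),
]

def _names(patterns, lines):
    """Collect the ACL names/numbers captured by any pattern on any line."""
    return {m.group(1) for ln in lines for p in patterns if (m := p.match(ln))}

def audit_acls(config_text):
    """Return (referenced but undefined, defined but unreferenced) ACLs."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    defined = _names(DEFINED, lines)
    referenced = _names(REFERENCED, lines)
    return sorted(referenced - defined), sorted(defined - referenced)

if __name__ == "__main__":
    missing, unused = audit_acls(SAMPLE_CONFIG)
    print("referenced but not defined:", missing)
    print("defined but not applied:   ", unused)
```

An ACL in the first list means the feature that references it has nothing to match against; one in the second list is filtering nothing.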
01-22-2018 02:08 PM
Thanks, I appreciate the help, and yes, I wasn't going to move away from the router until I knew it worked. Thanks a bunch, that was dumb on my part.