1700 Router with 2950 Switch and Comcast Home ISP

rwmission · ‎02-09-2014

Hello All,

So I have been working on this for weeks and it seems no matter what I do it will not work. Ultimately I am trying to get my 1700 Router to act as a firewall and accept the incoming Comcast Home connection, No Static IP. I have the Cisco WIC4-ESW in the 1700 and that is going into the 2950 Switch. I am trying to get this to work so that all the connections from the switch as you can see will all get internet access. I have a cheap Netgear wireless router that I recently purchased a Cisco 1141 to get rid of the access point part of that Netgear and it is working fine. The issue is when I disconnect it and plug it into the Ethernet0 interface of the router, nothing gets internet anymore. If I connect back to that cheap Netgear it all works again. I have even put a route in my laptop to use the default gateway of the router, but it will still not work. I can ping the public DNS Servers that I used from the switich and the router when the connection is moved to the router, but I cannot access the internet on any of the connected devices. Can those of you more understanding of these configs please tell me where I went wrong on both the switch config and router config please? Any help is apppreciated and if you need any clarification please feel free to ask me. Thank you very much!

Rob

Configs attached as it would not let me paste them in this message...sorry

cadet alain · ‎02-10-2014

Hi,

1° on the router

no ip default-gateway 192.168.101.101

no ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent

2° on the switch

interface FastEthernet0/2

no switchport mode trunk <<<< not needed as you only have one vlan(as far as i can see)

switchport mode access

interface FastEthernet0/7

switchport mode access

Regards

Alain

Don't forget to rate helpful posts.

rwmission · ‎02-11-2014

Thank you so much Alain for your suggestions. I did make those changes but unfortunately they did not help me getting access to the internet I am still unable to. Any other suggestions? Updated Configs:

Router:

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname WRX-STI

!

boot-start-marker

boot system flash:c1700-advsecurityk9-mz.124-25d.bin

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$f3Xd$xLmMcvIj2F1OQBmdoMueg/

enable password 7 0215105E0E020E7440

!

no aaa new-model

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

ip cef

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.101.1 192.168.101.109

ip dhcp excluded-address 192.168.101.151 192.168.101.254

!

ip dhcp pool Home

import all

network 192.168.101.0 255.255.255.0

domain-name missioncriticalco.biz

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.101.101

lease 3

!

ip domain name missioncriticalco.biz

ip name-server 8.8.8.8

ip name-server 8.8.4.4

!

crypto pki trustpoint TP-self-signed-1035340128

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1035340128

revocation-check none

rsakeypair TP-self-signed-1035340128

!

crypto pki certificate chain TP-self-signed-1035340128

certificate self-signed 01

30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 31303335 33343031 3238301E 170D3032 30333034 30383134

35375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333533

34303132 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100BBED FD08B77C 6805013F 987243B0 026FDE6E 43A9572A DF1879EE 665D0C3D

A4DAE804 97FBB908 BA313F54 B6344469 0A430454 77DF47FD B5FA2922 9AEC4E5C

7A6546A1 A2EDEE83 04E655C4 6FB1D409 B3DAE99F 9AEFC199 43757837 5906C581

9104504B BEE612E5 E7613D3A A5C014F7 635F82D6 C4B86BBB 83997868 330D2F65

32A90203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603

551D1104 21301F82 1D575258 2D535449 2E6D6973 73696F6E 63726974 6963616C

636F2E62 697A301F 0603551D 23041830 1680143B FA29BBBA DF1F441F 646EB026

C4891F30 8541E930 1D060355 1D0E0416 04143BFA 29BBBADF 1F441F64 6EB026C4

891F3085 41E9300D 06092A86 4886F70D 01010405 00038181 005F5C80 55C7C6E6

26DAA97C 3D255E90 DB6B6235 A3F22FF1 07D08C93 144964BF 3C86BA7F 071EACA4

4A917180 B3D54B69 CE55FE33 D592ECB5 2F4E01E0 26E54A76 7A597110 3F7524B7

5B2CEA71 EAE8EE2A C2C17130 8F562189 29566774 4B2FC88A EC6D874B 44ABFD8A

EF7D514D EEA6CCCB 3E6D2707 259928AF D5740FE8 FAA77AB9 63

quit

username rwmission

username Rob privilege 15 secret 5 $1$cXmF$1vy22vLT2vG6Z5v7.ufyq/

!

interface FastEthernet0

description Comcast$ES_WAN$$ETH-WAN$

ip address dhcp client-id FastEthernet0

ip nat outside

no ip virtual-reassembly

ip route-cache flow

speed auto

full-duplex

!

interface FastEthernet1

description To 2950 Swtich

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface Serial0

no ip address

shutdown

!

interface Vlan1

description $ES_LAN$

ip address 192.168.101.101 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1412

!

interface Vlan2

no ip address

!

interface Dialer0

no ip address

ip mtu 1452

encapsulation ppp

shutdown

dialer pool 1

dialer-group 1

!

ip forward-protocol nd

!

no ip http server

ip http access-class 2

ip http authentication local

ip http secure-server

ip nat inside source list 1 interface FastEthernet0 overload

!

logging trap errors

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.101.0 0.0.0.255

access-list 2 remark Auto generated by SDM Management Access feature

access-list 2 remark SDM_ACL Category=1

access-list 2 permit 192.168.101.4

access-list 3 remark SDM_ACL Category=1

access-list 3 permit 192.168.101.4

access-list 100 remark Auto generated by SDM Management Access feature

access-list 100 remark SDM_ACL Category=1

access-list 100 permit tcp host 192.168.101.4 host 192.168.101.101 eq telnet

access-list 100 permit tcp host 192.168.101.4 host 192.168.101.101 eq 22

access-list 100 permit tcp host 192.168.101.4 host 192.168.101.101 eq www

access-list 100 permit tcp host 192.168.101.4 host 192.168.101.101 eq 443

access-list 100 permit tcp host 192.168.101.4 host 192.168.101.101 eq cmd

access-list 100 deny tcp any host 192.168.101.101 eq telnet

access-list 100 deny tcp any host 192.168.101.101 eq 22

access-list 100 deny tcp any host 192.168.101.101 eq www

access-list 100 deny tcp any host 192.168.101.101 eq 443

access-list 100 deny tcp any host 192.168.101.101 eq cmd

access-list 100 deny udp any host 192.168.101.101 eq snmp

access-list 100 permit ip any any

access-list 101 remark Auto generated by SDM Management Access feature

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host 192.168.101.4 any

access-list 102 remark Auto generated by SDM Management Access feature

access-list 102 remark SDM_ACL Category=1

access-list 102 permit ip host 192.168.101.4 any

dialer-list 1 protocol ip permit

!

control-plane

!

banner motd ^C

Rob's Cisco 1700 Router

^C

!

line con 0

exec-timeout 0 0

password 7 0215105E0E020E7440

logging synchronous

line aux 0

line vty 0 4

access-class 101 in

privilege level 15

password 7 107D1D1C0013135E00

login local

line vty 5 15

access-class 102 in

privilege level 15

password 7 121A0A15000A

login local

!

end

Switch:

version 12.1

no service pad

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname GT500

!

enable secret 5 $1$PZOf$P1Z0ysQY3/0j7O4ioT7vY/

enable password Steeda

!

username Rob

ip subnet-zero

!

ip domain-name missioncriticalco.biz

ip ssh time-out 120

ip ssh authentication-retries 3

!

spanning-tree mode rapid-pvst

spanning-tree portfast default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

interface FastEthernet0/1

description Netgear

spanning-tree portfast disable

!

interface FastEthernet0/2

description Cisco 1700

switchport mode access

spanning-tree portfast disable

!

interface FastEthernet0/3

description Desktop

!

interface FastEthernet0/4

description Laptop

!

interface FastEthernet0/5

description Printer

!

interface FastEthernet0/6

description Playstation 3

!

interface FastEthernet0/7

description Aironet Access Point

switchport mode access

!

interface FastEthernet0/8

!

interface FastEthernet0/9

!

interface FastEthernet0/10

!

interface FastEthernet0/11

!

interface FastEthernet0/12

!

interface FastEthernet0/13

!

interface FastEthernet0/14

!

interface FastEthernet0/15

!

interface FastEthernet0/16

!

interface FastEthernet0/17

!

interface FastEthernet0/18

!

interface FastEthernet0/19

!

interface FastEthernet0/20

!

interface FastEthernet0/21

!

interface FastEthernet0/22

!

interface FastEthernet0/23

!

interface FastEthernet0/24

!

interface Vlan1

ip address 192.168.101.6 255.255.255.0

no ip route-cache

!

ip default-gateway 192.168.101.101

ip http server

banner motd ^C

Rob's Cisco 2950 Switch ^C

!

line con 0

exec-timeout 0 0

line vty 0 4

login local

transport input telnet ssh

line vty 5 15

login local

!

end

cadet alain · ‎02-11-2014

Hi,

post output of following on the 1700:

-show ip interface brief

-show ip route

and following on the switch:

-show interface status | ex notconnect

-show spanning-tree

Also can you ping 8.8.8.8 from the router and from the switch ?

if so can you do this on router:

access-list 199 permit icmp any any

do debug ip nat 199

do debug ip packet 199

then ping 8.8.8.8 from a host and post show log command output

Regards

Alain

Don't forget to rate helpful posts.

rwmission · ‎02-12-2014

Good Morning Alain,

I ran all of those commands. I can ping from the router but it was unsuccessful from the switch and the host. Also never run debug commands and cannot figure out where to run them. tried in configure terminal and just enable prompt and they error out. I also did enter the line "access-list 199 permit icmp any any" you just cant see it in this but it was successful.

Router output:

WRX-STI#sh ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Dialer0                    unassigned      YES NVRAM administratively down down
FastEthernet0              76.119.167.87   YES DHCP   up                    up
FastEthernet1              unassigned      YES unset up                    up
FastEthernet2              unassigned      YES unset up                    down
FastEthernet3              unassigned      YES unset up                    down
FastEthernet4              unassigned      YES unset up                    down
NVI0                       unassigned      NO unset up                    up
Serial0                    unassigned      YES NVRAM administratively down down
Vlan1                      192.168.101.101 YES NVRAM up                    up
Vlan2                      unassigned      YES NVRAM up                    down
WRX-STI#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 76.119.160.1 to network 0.0.0.0

     69.0.0.0/32 is subnetted, 1 subnets
S       69.252.65.132 [254/0] via 76.119.160.1, FastEthernet0
     76.0.0.0/21 is subnetted, 1 subnets
C       76.119.160.0 is directly connected, FastEthernet0
C    192.168.101.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [254/0] via 76.119.160.1
WRX-STI#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/52/56 ms

Switch Output:

GT500#show interface status | ex notconnect

Port      Name               Status       Vlan       Duplex Speed Type
Fa0/1     Netgear            connected    1          a-full a-100 10/100BaseTX
Fa0/2     Cisco 1700         connected    1          a-full a-100 10/100BaseTX
Fa0/3     Desktop            connected    1          a-full a-100 10/100BaseTX
Fa0/4     Laptop             connected    1          a-full a-100 10/100BaseTX
Fa0/5     Printer            connected    1          a-full a-100 10/100BaseTX
Fa0/7     Aironet Access Poi connected    1          a-full a-100 10/100BaseTX
GT500#show spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID    Priority    32768
             Address     000b.5f71.0f82
             Cost        19
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority    32769 (priority 32768 sys-id-ext 1)
             Address     000c.ce6d.43c0
             Hello Time   2 sec Max Age 20 sec Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Root FWD 19        128.2    P2p Peer(STP)
Fa0/3            Desg FWD 19        128.3    Edge P2p
Fa0/4            Desg FWD 19        128.4    Edge P2p
Fa0/5            Desg FWD 19        128.5    Edge P2p
Fa0/7            Desg FWD 19        128.7    Edge P2p

GT500#ping 8.8.8.8

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

Thank you in advance for your continued help.

Rob

cadet alain · ‎02-12-2014

Hi,

conf t

logging buffered 7

logging buffered 100000

logging console 6

logging monitor 6

service timestamp debug uptime

do clear log <<<<< accept

access-list 199 permit icmp any any

do debug ip nat 199

do debug ip packet 199

<>>

then issue following in conf t: do sh log <<

then post output here

Regards

Alain

Don't forget to rate helpful posts.

rwmission · ‎02-13-2014

Good Morning Alain,

Output as you requested:

WRX-STI#config t
Enter configuration commands, one per line. End with CNTL/Z.
WRX-STI(config)#logging buffered 7
WRX-STI(config)#logging buffered 100000
WRX-STI(config)#logging console 6
WRX-STI(config)#logging monitor 6
WRX-STI(config)#service timestamp debug uptime
WRX-STI(config)#do clear log
Clear logging buffer [confirm]
WRX-STI(config)#access-list 199 permit icmp any any
WRX-STI(config)#do debug ip nat 199
debug ip nat 199
^
% Invalid input detected at '^' marker.

WRX-STI(config)#do debug ip packet 199
IP packet debugging is on for access list 199
WRX-STI(config)#do sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level informational, 35 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 0 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level errors, 7 message lines logged

Log Buffer (100000 bytes):
WRX-STI(config)#

cadet alain · ‎02-13-2014

ok so did you do the ping test to see any output ?

Because here the router doesn't see any icmp packet.

Can you post ipconfig of the device that is pinging and the debug output after pinging 8.8.8.8 from the device

Regards

Alain

Don't forget to rate helpful posts.

rwmission · ‎02-14-2014

Alain,

From Computer:

C:\Users\Rob Mission>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : RobMission-PC
   Primary Dns Suffix . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : ASIX AX88772A USB2.0 to Fast Ethernet Ada
pter
   Physical Address. . . . . . . . . : 00-50-B6-58-9E-F0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::f4cf:87b7:4d79:1702%17(Preferred)
   Autoconfiguration IPv4 Address. . : 169.254.23.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 520114358
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-14-DD-09-60-EB-69-4E-21-23

   DNS Servers . . . . . . . . . . . : 216.146.35.35
                                       216.146.36.36
                                       192.168.101.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Intel(R) WiFi Link 1000 BGN
   Physical Address. . . . . . . . . : 00-26-C7-70-58-C6
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 60-EB-69-4E-21-23
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6FF4B651-9CC8-43DC-AE99-720EF4F7CDB3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{A8F849FB-11D4-4240-BED8-5E694C4772F4}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{677BB46D-89E1-4727-B12B-0CE94ECFE83E}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Rob Mission>

From Router after ping:

WRX-STI#conf t
Enter configuration commands, one per line. End with CNTL/Z.
WRX-STI(config)#logging buffered 7
WRX-STI(config)#logging buffered 100000
WRX-STI(config)#logging console 6
WRX-STI(config)#logging monitor 6
WRX-STI(config)#service timestamp debug uptime
WRX-STI(config)#do clear log
Clear logging buffer [confirm]
WRX-STI(config)#access-list 199 permit icmp any any
WRX-STI(config)#do debug ip nat 199
debug ip nat 199
^
% Invalid input detected at '^' marker.

WRX-STI(config)#do debug ip packet 199
IP packet debugging is on for access list 199
WRX-STI(config)#do sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level informational, 31 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level informational, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 0 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled

No active filter modules.

Trap logging: level errors, 7 message lines logged

Log Buffer (100000 bytes):
WRX-STI(config)#
*Apr 1 19:30:11.353: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
WRX-STI(config)#

cadet alain · ‎02-14-2014

Hi,

Your PC ha got an APIPA address because of DHCP operation not working correctly so it is normal it isn't working.

edit ACL 100 like this to not filter DHCP requests:

ip access-list extended 100

10 permit udp any eq bootpc any eq bootps

Regards

Alain

Don't forget to rate helpful posts.

rwmission · ‎02-14-2014

Alain,

Multiple issues here. Now my computer will not get the address from the netgear on the NIC so I have to use the wifi for it. I still cannot ping when connected to the router and I feel like I hosed everything. Here all all the outputs and thank you for your continued help.

Router Config:

version 12.4

service timestamps debug uptime

service timestamps log datetime msec

no service password-encryption

!

hostname WRX-STI

!

boot-start-marker

boot system flash:c1700-advsecurityk9-mz.124-25d.bin

boot-end-marker

!

logging buffered 100000 debugging

logging console informational

logging monitor informational