11-13-2013 12:00 PM - edited 03-04-2019 09:34 PM
Hi Everyone,
I'm having trouble configuring a Cisco 1921 router to provide internet access through our Comcast Business modem. From the console I can ping www.google.com, I can ping the Google DNS 8.8.8.8, and I can ping other devices that are plugged into the Comcast modem (which is connected via the GigabitEthernet 0/1), but I can't ping the Comcast DNS servers 75.75.75.75 or 75.75.76.76.
When trying to configure it through the CPP application, I tried running a "test connection" on the 'outside' interface, which is successful, but running a ping test on the 'inside' interface fails on the "Checking exit interface" and suggests: "Selecte 'User-specified' option or add a 'host specific/network specific/default' route through this interface and retest connection".
Any help is Greatly appreciated and I'll be sure and rate any/all helpful posts!
Here's my running config:
Building configuration...
Current configuration : 8664 bytes
!
! Last configuration change at 19:09:44 UTC Wed Nov 13 2013 by admin
! NVRAM config last updated at 19:00:30 UTC Wed Nov 13 2013 by admin
! NVRAM config last updated at 19:00:30 UTC Wed Nov 13 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco1921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name yourdomain.com
ip name-server 50.*.*.126
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3493286146
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3493286146
 revocation-check none
 rsakeypair TP-self-signed-3493286146
!
!
crypto pki certificate chain TP-self-signed-3493286146
 certificate self-signed 01
        quit
license udi pid CISCO1921/K9 sn FTX1637810Q
!
!
username admin privilege 15 secret 4 O93TqN1DZfLJEmVUW78Kx961yfx/6d6NqkHjYA8I4iA
username jost privilege 15 secret 4 S3GgPN01m4oSTi7Usr/wj4mf58eOZAUeIOCuyy7rc7c
!
redundancy
!
!
!
!
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.129 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 50.*.*.124 255.255.255.240
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.193.37.126
!
ip access-list standard FOR_NAT
 permit 10.10.10.0 0.0.0.255
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 50.*.*.112 0.0.0.15 any
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
11-13-2013 08:07 PM
Hi,
You should add a NAT rule to translate the internal subnet 10.10.10.0/24 to the public IP address.
Just add this:
ip nat inside source list FOR_NAT interface g0/1 overload
Hope it will help.
Best regards,
Abzal
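The gap this answer closes can be checked mechanically. The following is an added example, not part of the original thread: a small Python audit that flags a running config whose interfaces are marked `ip nat inside`/`ip nat outside` while no `ip nat inside source list` rule uses an ACL. The function name `audit_nat` and the sample addresses (192.0.2.x documentation range) are assumptions made for illustration.

```python
import re

# Constructed excerpt modelled on the config posted above; addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.10.10.129 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.0.2.124 255.255.255.240
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 192.0.2.126
!
ip access-list standard FOR_NAT
 permit 10.10.10.0 0.0.0.255
!
"""

# The line suggested in the answer above.
FIX = "ip nat inside source list FOR_NAT interface g0/1 overload\n"

def audit_nat(config):
    """Return findings about NAT wiring in an IOS running config (hypothetical helper)."""
    roles = {"inside": [], "outside": []}
    acls, rule_acls = set(), set()
    iface = None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate pastes that lost their indentation
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.fullmatch(r"ip nat (inside|outside)", line):
            roles[m.group(1)].append(iface)
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            rule_acls.add(m.group(1))
    findings = []
    if roles["inside"] and roles["outside"] and not rule_acls:
        findings.append("interfaces are marked ip nat inside/outside but no "
                        "'ip nat inside source list' rule exists")
    for name in sorted(rule_acls - acls):
        findings.append(f"NAT rule references undefined ACL {name}")
    return findings

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG), audit_nat(SAMPLE_CONFIG + FIX))
```
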
11-14-2013 09:51 AM
Abzal, YOU ARE MY CISCO HERO!!!
That was exactly what I needed!
I'm still having a strange issue of not being able to ping the Comcast DNS servers though (75.75.75.75 and 75.75.76.76). But I have internet now, which is WAY more than I had yesterday! Now I need to sort out port forwarding... Don't suppose you have the easy answer for that too? I think I just need to do this:
ip nat inside source static tcp
Does that look about right?
Thanks!
11-14-2013 10:14 AM
Hi,
Yes, this is the correct syntax for static PAT, aka port forwarding.
Regards
Alain
Don't forget to rate helpful posts.
11-14-2013 02:12 PM
Thanks for confirming that Alain, worked like a charm