Cisco 1921 Router Cannot Ping From LAN to Internet

kyle.jones1
Level 1

Hello,

I am having some trouble with a new router. I can ping everywhere from the console, but clients on the inside cannot ping the internet! I have attached the configuration. Any help would be greatly appreciated.

Right now the WAN port is GigabitEthernet0/1 and is physically connected to 192.168.10.1 (Cisco switch routed to the internet) for testing purposes.

(pinging core switch)

Router#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

(pinging current router)

Router#ping 192.168.10.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

(pinging net)

Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/28 ms

Here's the configuration.

Router#show run
Building configuration...

Current configuration : 3487 bytes
!
! Last configuration change at 22:43:32 UTC Tue Nov 24 2015 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$cRHD$o4VuoYeBJD2/X/U/uADQD.
enable password end
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 172.16.10.254
!
ip dhcp pool Pool
 network 172.16.10.0 255.255.255.0
 dns-server 192.168.10.2 68.105.28.16
 default-router 172.16.10.254
!
!
!
ip name-server 192.168.10.2
ip name-server 68.105.28.16
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3386730847
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3386730847
 revocation-check none
 rsakeypair TP-self-signed-3386730847
!
!
crypto pki certificate chain TP-self-signed-3386730847
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333836 37333038 3437301E 170D3135 31313234 31383539
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33383637
  33303834 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A171 AC4C3272 C099FAC1 E2BFAE87 6AE98FC6 501F8762 6854A568 E5468FC4
  6C0C9CE2 92803015 E1CD271E E8BBA718 D5854377 AD8A42FC A5254A78 7EB08C41
  FA2F85BE 22FB5F86 6B3737E4 69ADAC05 86DAC773 68C43FAA E02277D3 36692AB1
  F3241936 5F117F48 7BC2AEDF 718064C6 1137CAF9 4E4E472F 93478198 74AD89D9
  F6AB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14949237 F6105BA9 0C1EC0D4 77875AEF 24470162 8E301D06
  03551D0E 04160414 949237F6 105BA90C 1EC0D477 875AEF24 4701628E 300D0609
  2A864886 F70D0101 05050003 81810020 51D914B3 C3312154 310905F7 8717287A
  9BAA8E24 3335AF40 4CB58722 586EEBE8 B8BDC6AA A9D0DE2D C13B439D F98208AA
  04A7FC55 84C7D5C5 808DA403 4BBA976A 0946091F 42694150 B5253088 068D563A
  A36696E6 34F1EDBC F9E7888B 58C4B0C0 7A328F1E E30C1A8F 74633CC2 6DA76599
  1FBC7767 B39CEF8D 1B079D1E A0507C
        quit
license udi pid CISCO1921/K9 sn FJC1942E0Y7
!
!
username cisco privilege 15 password 0 **********
!
redundancy
!
no cdp run
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
 no cdp enable
!
interface GigabitEthernet0/0
 description LAN
 ip address 172.16.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_WAN
 ip address 192.168.10.8 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list nat-list interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
!
no service-routing capabilities-manager
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 password *********
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

9 Replies

Hello

You're missing an access control list (ACL) to identify your LAN traffic

no ip nat inside source list nat-list interface GigabitEthernet0/1 overload

access-list 10 permit 172.16.10.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/1 overload

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
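The fix above comes down to one rule: an `ip nat inside source list` statement only translates traffic that the referenced ACL permits, so a list name with no matching `access-list` means nothing is ever translated and the LAN's private source addresses leak upstream untranslated. The following config check is an added example (not from this thread or from Cisco) that reads a running-config text and flags NAT statements whose ACL is undefined or is `permit ip any any`, plus two hygiene items visible in the thread's configs (`no service password-encryption` and telnet on the vty lines). The sample configs are constructed, trimmed versions of the ones posted above; `203.0.113.10` stands in for the redacted WAN address.

```python
"""Lint an IOS running-config for NAT source-ACL problems (added example)."""
import re

# Constructed sample: trimmed copy of the original (broken) config.
BROKEN_CONFIG = """\
hostname Router
no service password-encryption
interface GigabitEthernet0/0
 ip address 172.16.10.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.10.8 255.255.255.0
 ip nat outside
!
ip nat inside source list nat-list interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 192.168.10.1
line vty 0 4
 transport input telnet ssh
"""

# Constructed sample: the same config after Paul's fix, with telnet removed.
FIXED_CONFIG = """\
hostname Router
service password-encryption
interface GigabitEthernet0/0
 ip address 172.16.10.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 192.168.10.8 255.255.255.0
 ip nat outside
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
access-list 10 permit 172.16.10.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 192.168.10.1
line vty 0 4
 transport input ssh
"""

# Constructed sample: an extended ACL ending in "permit ip any any" used as
# a NAT source list (placeholder WAN address 203.0.113.10).
BROAD_CONFIG = """\
ip nat inside source list 110 interface GigabitEthernet0/1 overload
access-list 110 permit tcp any host 203.0.113.10 eq www
access-list 110 permit ip any any
"""

NAT_LIST_RE = re.compile(r"^ip nat inside source list (\S+) ")
ACL_NUM_RE = re.compile(r"^access-list (\S+) (permit|deny) (.*)$")
ACL_NAMED_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")


def lint_nat_acls(config: str) -> list:
    """Return findings for NAT statements whose ACL is missing or over-broad."""
    referenced = {}  # acl name -> the NAT line that references it
    defined = {}     # acl name -> list of "permit ..."/"deny ..." entries
    for line in (l.rstrip() for l in config.splitlines()):
        m = NAT_LIST_RE.match(line)
        if m:
            referenced[m.group(1)] = line
            continue
        m = ACL_NUM_RE.match(line)
        if m:
            defined.setdefault(m.group(1), []).append(f"{m.group(2)} {m.group(3)}")
            continue
        m = ACL_NAMED_RE.match(line)
        if m:
            defined.setdefault(m.group(1), [])
    findings = []
    for acl, nat_line in referenced.items():
        entries = defined.get(acl)
        if entries is None:
            findings.append(f"NAT references undefined ACL '{acl}': {nat_line}")
        elif any(e in ("permit any", "permit ip any any") for e in entries):
            findings.append(f"NAT ACL '{acl}' permits any source; it translates all traffic")
    return findings


def lint_hygiene(config: str) -> list:
    """Flag cleartext password storage and telnet on the vty lines."""
    findings = []
    in_vty = False
    for line in config.splitlines():
        if line.startswith("no service password-encryption"):
            findings.append("passwords stored in cleartext (no service password-encryption)")
        if line.startswith("line vty"):
            in_vty = True
        elif line and not line.startswith(" "):
            in_vty = False
        if in_vty and line.strip().startswith("transport input") and "telnet" in line.split():
            findings.append(f"vty accepts telnet: {line.strip()}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG), ("broad", BROAD_CONFIG)):
        print(name, lint_nat_acls(cfg) + lint_hygiene(cfg))
```

Run against the broken sample it reports the undefined `nat-list`; against the fixed sample it reports nothing. The check only understands numbered `access-list` lines and the header of named ACLs, which is enough for configs of the shape posted here.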

Thank you!

I am also having an issue with port forwarding if you could take a look. I believe it is also an ACL issue.

Here is the config:


Router#show run
Building configuration...

Current configuration : 6886 bytes
!
! Last configuration change at 14:38:49 PCTime Wed Dec 2 2015 by cisco
! NVRAM config last updated at 14:38:50 PCTime Wed Dec 2 2015 by cisco
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name ******.com
ip name-server ***.***.***.***
ip name-server ***.***.***.***
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3583770892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3583770892
 revocation-check none
 rsakeypair TP-self-signed-3583770892
!
!
crypto pki certificate chain TP-self-signed-3583770892
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353833 37373038 3932301E 170D3135 31303330 31373539
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35383337
  37303839 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C946 A6CADF74 6C741A1C 34359B1A FCDF1ABB 603C687D 2932FFD8 E8F734AD
  AD39CD93 9D3ECAAF 6655AC48 78610B0D 54D65806 1059671A F65A968F 45D2CC1A
  A4DA7FFE 70EA36AD 025402AA 68C1A223 579F440F 25A1B5C3 47E5594A 531C717F
  98D82D31 89AEA45D C713E636 C25016C1 0FAAA7B8 64AFCB1D CA3809C9 F09B17DB
  C3690203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1424A539 06C4E3E7 00EA8E14 320BD278 2B383B04 38301D06
  03551D0E 04160414 24A53906 C4E3E700 EA8E1432 0BD2782B 383B0438 300D0609
  2A864886 F70D0101 05050003 81810021 DE30CBDE 312E40C3 D8593040 7CE8CF57
  E0099256 5F13D7A5 A4072A5F 2AC75448 D25E8CC4 F904CC9A CCC5E19E EE35A6A3
  06D17838 ED96EDB9 9991451D 2734B7B5 D5029C1C DA1CE601 F0B90FA2 23BC92F8
  7CB674EF D4588840 8F3864BB 04C247B9 B97724B2 2DF7170E 2C82C272 B28D5D0D
  541E338A B7B739A7 05C52AB0 7553B0
        quit
license udi pid CISCO1921/K9 sn FJC1944E4QY
!
!
username cisco privilege 15 secret 5 $1$qrmr$bu2q8oj3CMV6EKtVwwzB50
username ***** secret 5 $1$KMoY$P332dtVBLLO9k3a/PPkNo/
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ******
 key *******
 dns ***.***.***.***
 domain ******.com
 pool SDM_POOL_1
 acl 100
 max-users 50
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ******
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description WAN$ETH-WAN$
 ip address ***.***.***.*** 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.16.100.101 172.16.100.150
ip forward-protocol nd
!
no ip http server
ip http access-class 10
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list 20 interface GigabitEthernet0/1 overload
ip nat inside source list 30 interface GigabitEthernet0/1 overload
ip nat inside source list 110 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.10.5 80 (WAN IP) 80 extendable
ip nat inside source static tcp 192.168.10.5 443 (WAN IP) 443 extendable
ip nat inside source static tcp 192.168.10.5 8080 (WAN IP) 8080 extendable
ip nat inside source static tcp 192.168.10.7 9675 (WAN IP) 9675 extendable
ip route 0.0.0.0 0.0.0.0 (WAN GATEWAY IP)
ip route 192.168.20.0 255.255.255.0 (WAN GATEWAY IP)
ip route 192.168.30.0 255.255.255.0 (WAN GATEWAY IP)
!
!
!
access-list 10 remark CCP_ACL Category=18
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 20 permit 192.168.20.0 0.0.0.255
access-list 30 permit 192.168.30.0 0.0.0.255
access-list 110 permit tcp any host (WAN IP) eq www
access-list 110 permit tcp any host (WAN IP) eq 8080
access-list 110 permit tcp any host (WAN IP) eq 443
access-list 110 permit ip any any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Router#

Hello,

You do not need the keyword "extendable" in the NAT statement. The problem is not the ACL. Can you ping 192.168.10.5 from your router?

"ip http server": do you access your router by HTTP? If not, remove it.

no ip http server.

Try it and give me feedback.

Masoud

For some reason every time I add the command, it adds extendable automatically. I have also removed ip http server with no luck. I can ping 192.168.10.5 from the router.

Are you trying to connect to the HTTP server from the internet or from a VPN client?

Does the HTTP server with the IP of 192.168.10.5 have a default gateway?

Try both of these commands on the router,

1- telnet 192.168.10.5 80

2-telnet 192.168.10.5 80 /source-interface GigabitEthernet0/1

What is the output?

Masoud

Here is the output:

Router#telnet 192.168.10.5 80
Trying 192.168.10.5, 80 ... Open

^[
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 03 Dec 2015 03:51:44 GMT
Connection: close

0

[Connection to 192.168.10.5 closed by foreign host]
Router#telnet 192.168.10.5 80 /source-interface GigabitEthernet0/1
Trying 192.168.10.5, 80 ... Open

[Connection to 192.168.10.5 closed by foreign host]

I will let you know, the forwarding is currently working with a Cisco Small Business RV 325 router.

I do not see any problem in static nat configuration in your router.

Check the client which you are testing from. make sure it is not a VPN client.

Masoud

Masoud, thank you for the help. You were right, the configuration was correct. The error was trying to access it from the inside. The configuration is working from the outside. I am working on a domainless NAT now to access the internal server from inside by using the external IP.

Thanks for all your help.
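The behaviour the two posts above settle on, as an added example (not from this thread or from Cisco): a simplified Python model of the router's translations. It covers PAT overload for inside-to-outside traffic that matches the source ACL, static port forwards for traffic arriving on the outside interface, and the case that tripped the original poster, a LAN client connecting to the router's own WAN address. The model assumes the classic IOS order of operations (inside-to-outside traffic is routed before it is translated, outside-to-inside traffic is translated before routing), so a packet addressed to the router's own WAN IP is delivered to the router itself rather than forwarded through the outside interface, and no static translation applies. The WAN address `203.0.113.10`, the outside client `198.51.100.7` and the port-allocation scheme are constructed for the example; a real router keys reply lookups on the full 5-tuple and expires entries, which this model omits.

```python
"""Simplified model of IOS inside/outside NAT (added example, not IOS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """PAT overload plus static TCP forwards on a single outside interface."""

    def __init__(self, wan_ip, inside_nets, static_tcp):
        self.wan_ip = ipaddress.ip_address(wan_ip)
        # Subnets the NAT source ACL permits (e.g. access-list 10 permit 192.168.10.0 0.0.0.255)
        self.inside_nets = [ipaddress.ip_network(n) for n in inside_nets]
        # outside port -> (inside ip, inside port), from "ip nat inside source static tcp ..."
        self.static_tcp = dict(static_tcp)
        self.pat = {}        # (inside ip, inside port) -> allocated outside port
        self.reverse = {}    # allocated outside port -> (inside ip, inside port)
        self.next_port = 1024  # constructed allocation scheme, not IOS's

    def _in_acl(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.inside_nets)

    def from_inside(self, pkt: Packet):
        """Packet entering an 'ip nat inside' interface: route first, then translate."""
        dst = ipaddress.ip_address(pkt.dst)
        if dst == self.wan_ip:
            # Router owns this address: it is processed locally, never forwarded
            # out the outside interface, so the static forward is not consulted.
            return None, "destined to router's own WAN IP: handled locally, no NAT"
        if any(dst in net for net in self.inside_nets):
            return pkt, "local destination: routed without NAT"
        if not self._in_acl(pkt.src):
            # The original poster's symptom: missing/unmatched ACL means no
            # translation, so the private source address leaks upstream.
            return pkt, "source not in NAT ACL: forwarded untranslated"
        key = (pkt.src, pkt.sport)
        if key not in self.pat:
            port = self.next_port
            self.next_port += 1
            self.pat[key] = port
            self.reverse[port] = key
        return Packet(str(self.wan_ip), self.pat[key], pkt.dst, pkt.dport), "PAT overload"

    def from_outside(self, pkt: Packet):
        """Packet entering the 'ip nat outside' interface: translate first, then route."""
        if ipaddress.ip_address(pkt.dst) != self.wan_ip:
            return pkt, "not addressed to WAN IP: routed without NAT"
        if pkt.dport in self.static_tcp:
            ip, port = self.static_tcp[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port), "static NAT"
        if pkt.dport in self.reverse:
            ip, port = self.reverse[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port), "PAT reply"
        return None, "no translation for destination port: dropped"


def build_thread_router() -> NatRouter:
    """Router shaped like the second config in the thread (WAN IP is a placeholder)."""
    return NatRouter(
        "203.0.113.10",
        ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
        {80: ("192.168.10.5", 80), 443: ("192.168.10.5", 443),
         8080: ("192.168.10.5", 8080), 9675: ("192.168.10.7", 9675)},
    )


if __name__ == "__main__":
    r = build_thread_router()
    print(r.from_outside(Packet("198.51.100.7", 51000, "203.0.113.10", 80)))
    print(r.from_inside(Packet("192.168.10.50", 40001, "203.0.113.10", 80)))
```

The last line of the demo reproduces the thread's finding: the same port-80 request that is forwarded to 192.168.10.5 when it arrives from outside gets no translation at all when a LAN client sends it to the WAN address.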

Glad it works. You just need to do a little clean up on your router configuration. There are a bunch of extra commands you can remove or combine. I suggest you make a new post about cleaning up your configuration later.

As an example, these two commands are unnecessary.

ip route 192.168.20.0 255.255.255.0 (WAN GATEWAY IP)
ip route 192.168.30.0 255.255.255.0 (WAN GATEWAY IP)

Masoud.
