cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
839
Views
5
Helpful
10
Replies

Cisco 837 Ethernet Int cannot see internet

justin6051
Level 1
Level 1

I have recently setup a pair of 837 routers and created a vpn between our main site a and site b.

The tunnel works perfectly and both company lans can ping each other. The problem that I am having is that site b can only ping site a's lan and cannot ping the internet.

From the router I can resolve and ping internet addresses ok. (eg ping http://www.google.com)

If I try pinging the internet from the router and telling the router to send it from its ethernet interface I get 0 replys. Originally I throught that the problem would be acl related so I tried using loose acl restrictions with no luck and am currently not tieing my interfaces to the acls. Any idea what I can try next.

Thanks Justin

Here is my current config

no aaa new-model

ip subnet-zero

ip name-server 139.x.x.4

ip dhcp excluded-address 172.16.3.142

!

!

ip audit notify log

ip audit po max-events 100

no ftp-server write-enable

!

!

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key 0 iwm04vpnkey1 address 165.x.x.201 no-xauth

!

!

crypto ipsec transform-set motorsvpna esp-3des esp-sha-hmac

!

crypto map iwmmap client authentication list default

crypto map iwmmap 10 ipsec-isakmp

set peer 165.228.233.201

set transform-set motorsvpna

match address 110

!

!

!

!

interface Ethernet0

ip address 172.16.3.142 255.255.255.0

ip nat inside

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface ATM0

no ip address

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 8/35

pppoe-client dial-pool-number 1

!

dsl operating-mode auto

!

interface FastEthernet1

no ip address

speed auto

half-duplex

!

interface FastEthernet2

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet3

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet4

no ip address

shutdown

duplex auto

speed auto

!

interface Dialer1

ip address 165.228.x.x.255.0.0

ip nat outside

encapsulation ppp

ip tcp adjust-mss 1452

no ip mroute-cache

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname keppel20@xx.telstra.net

ppp chap password xxx

ppp pap sent-username kep@xxx.telstra.net password xxx

crypto map iwmmap

!

router rip

redistribute connected

network 172.16.0.0

!

ip nat inside source list 150 interface Dialer1 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 172.16.1.0 255.255.255.0 165.228.233.201

ip http server

no ip http secure-server

!

access-list 101 permit ahp host 165.228.98.236 any

access-list 101 permit esp host 165.228.98.236 any

access-list 101 permit udp host 165.228.98.236 any

access-list 101 permit icmp host 165.228.98.236 any

access-list 101 permit ip host 165.228.98.236 any

access-list 101 permit ip host 165.228.233.201 any

access-list 101 permit ip 172.16.0.0 0.0.255.255 any

access-list 101 permit udp host 165.228.233.201 any eq isakmp

access-list 101 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 102 permit ip 172.16.1.0 0.0.0.255 any

access-list 102 permit ip 172.16.2.0 0.0.0.255 any

access-list 102 permit ip 172.16.3.0 0.0.0.255 any

access-list 110 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 110 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 150 deny ip 172.16.1.0 0.0.0.255 any

access-list 150 deny ip 172.16.2.0 0.0.0.255 any

access-list 150 deny ip 172.16.3.0 0.0.0.255 any

access-list 150 permit ip any any

dialer-list 1 protocol ip permit

!

line con 0

exec-timeout 120 0

no modem enable

stopbits 1

line aux 0

transport input all

line vty 0 4

exec-timeout 120 0

password xxx

login local

length 0

!

scheduler max-task-time 5000

!

end

10 Replies 10

Richard Burts
Hall of Fame
Hall of Fame

Justin

The problem is that you are not translating the addresses of the subnet of Ethernet 0. You do have it set up for address translation:

interface Ethernet0

ip address 172.16.3.142 255.255.255.0

ip nat inside

but the access list that controls address translation denies that subnet:

access-list 150 deny ip 172.16.3.0 0.0.0.255 any

access-list 150 permit ip any any

Since the interface is using private address space but the addresses are not translated the packets get sent out but outside devices do not have a route to the addresses to send the response.

HTH

Rick

HTH

Rick

Rick,

Thankyou for your advise I now understand exactly why it is not working, However

If I remove the access-list 150 deny ip 172.16.3.0 0.0.0.255 any

The routers eth interface (and pc's) can now ping and access the internet but I can no longer ping my private vpn subnets. eg ping 172.16.1.1 will stop working

I look forward to hearing your ideas

Thanks

Justin

Justin

I am not clear where 172.16.1.1 is but if translating addresses where that is the destination causes a problem then the solution is to put a line into the access list that denies traffic with that as the destination (or destination subnet).

In this case it is less useful to have the access list deny based on source address (as your original access list did) and more useful to have the access list deny for certain destinations (especially destinations within your own network).

HTH

Rick

HTH

Rick

All fixed thanks rick.

The 172.16.1.0 is a subnet at our main site.

instead of haveing access-list 150 deny ip 172.16.3.0 0.0.0.255 any I needed to have 150 deny ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255

Once again thanks for your help

Justin

Justin

I am glad that I was able to help you get your problem resolved. And thanks for posting back to the forum to indicate what resolved your problem. It makes the forum more useful when people can read about a problem and read what resolved the problem. It would make this thread even more useful if you would use the check mark to indicate that the problem was resolved so people would clearly see the indication that there was a solution.

HTH

Rick

HTH

Rick

I have a similar problem. Below the bare config with just the ADSL stuff in it. I can ping IP addresses from the workstation and router but cannot resolve DNS or browse internet from the workstation.

Here config:

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip subnet-zero

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 172.18.46.1 172.18.46.128

!

ip dhcp pool nha-brad-test

import all

network 172.18.46.0 255.255.255.0

domain-name something.com

default-router 172.18.46.1

netbios-name-server 172.18.18.65 172.18.16.65

dns-server 196.x.x.206

!

!

ip cef

ip name-server 196.x.x.13

ip name-server 196.x.x.206

!

!

!

!

!

!

!

!

!

!

interface Ethernet0

ip address 172.18.46.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip mroute-cache

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

pvc 8/35

pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

speed auto

half-duplex

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

ip tcp adjust-mss 1452

no ip mroute-cache

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname

ppp chap password 7

ppp pap sent-username password 7

!

interface Dialer0

no ip address

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip http server

no ip http secure-server

!

ip nat inside source list 1 interface Dialer1 overload

!

access-list 1 permit 172.18.46.0 0.0.0.255

dialer-list 1 protocol ip permit

!

!

control-plane

!

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

password 7

login

transport input telnet ssh

!

scheduler max-task-time 5000

ntp clock-period 17179767

ntp source Dialer1

ntp peer 196.x.x.17 prefer

end

Brad

I am not sure that I really understand your problem. I believe that you are saying that from both the router and from workstations connected on its Ethernet you can ping destinations in the Internet if you specify their IP address but if you ping them by name it fails. If you use your web browser and put in the IP address does it work?

The original post was clearly a problem with address translation. I do not believe that your problem is the same. I have looked at your configuration and do not see significant problems with address translation in it. And if it were a problem with address translation you would not be able to ping anything in the Internet. The symptoms that you describe sound like a problem with DNS. Are the workstations configured with the same name server information that is in the router config? Are the addresses configured in the router for name servers correct? Is there any access list anywhere that could be interfering with DNS?

HTH

Rick

HTH

Rick

Hi Rick,

After looking at the problem again, it appears to be DNS. I do a nslookup for www.cisco.com, it does not resolve BUT if I do:

nslookup www.cisco com 196.7.0.138(DNS SERVER)

....this resolves. From the config I have DNS server entries added, should the router not be able to do the DNS lookups and reverse lookups on behalf of the workstations?

Should I have an access list to permit this out?

eg. access list 101 permit ip any any eq 53

If the access list does need amendment do we need to NAT this out as well?

How do I get DNS resolution to work?

Do I configure DNS manually on every workstation to use that of the ISP?

Lots of FAQ's I know ...but I am really stuck and the bosses are getting bit annoyed. Once this fixed, I need to get this router to VPN to our CO as at a remote location via internet.

OK .... making progress. I got DNS to work via the router. enabled dns nsap. Not really sure what it does but it works. Will look it up in a minute. Able to get to the internet now.

Now the tricky part ....VPN to my office network from the router.

Enabled VPN stuff on the router. when i do a "show crypto isakmp sa" i see nothing on the router.

what could be wrong now?

Hi Brad,

Can you post the cfg with the crypto lines in it?

Thanks

Nick

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: