
Cisco 887 I can ping to 4.2.2.2 but can't connect to Internet

sivaalthi85
Level 1

Hi, below is the configuration on my new Cisco 887 router.

I can ping from my internal host to public DNS 4.2.2.2 but can't access the Internet.

Guys, please help me.

Current configuration : 5040 bytes

!

! Last configuration change at 13:19:50 UTC Wed Apr 4 2012 by admin

! NVRAM config last updated at 13:25:17 UTC Wed Apr 4 2012 by admin

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 5 $1$MvfE$dweq2!23Lrh9l1g.EoQCsni3xd8/

enable password express1

!

no aaa new-model

memory-size iomem 10

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-216041018

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-216041018

revocation-check none

rsakeypair TP-self-signed-216041018

!

!

crypto pki certificate chain TP-self-signed-216041018

certificate self-signed 01

        quit

no ip source-route

!

!

!

ip dhcp excluded-address 10.121.128.1 10.121.128.100

!

ip dhcp pool CSIntLan

network 10.121.128.0 255.255.255.0

default-router 10.121.128.4

dns-server 10.121.140.25 10.121.140.28

!

!

ip cef

no ip domain lookup

ip domain name vin.gin

no ipv6 cef

!

!

license udi pid CISCO887VA-M-K9 sn FCZ160493E5

!

!

archive

log config

  hidekeys

username admin privilege 15 password 7 045E131674541D245F5D58

!

!

!

!

controller VDSL 0

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key vizag address 193.32.111.X

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description tunnel to Siva

set peer 193.32.111.X

set transform-set ESP-AES-128-SHA

match address 100

!

!

!

!

!

interface Ethernet0

no ip address

shutdown

no fair-queue

!

interface ATM0

no ip address

no atm ilmi-keepalive

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.121.128.4 255.255.255.0

ip nat inside

no ip virtual-reassembly in

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly in

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname lsdfjosafodsafosfn

ppp chap password 7 01312B030sdfsdf54F234234423412

ppp ipcp route default

no cdp enable

crypto map SDM_CMAP_1

!

ip forward-protocol nd

no ip http server

ip http access-class 23

ip http authentication local

no ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 193.32.111.250 255.255.255.255 Dialer0

!

access-list 1 permit 10.121.128.0 0.0.0.255

access-list 23 permit 62.232.X.133

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 permit ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.0.255

access-list 100 permit ip 10.121.128.0 0.0.0.255 192.168.18.0 0.0.0.255

access-list 101 permit ip 10.121.128.0 0.0.0.255 any

access-list 101 deny   ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

line con 0

login local

line aux 0

line vty 0 4

access-class 23 in

privilege level 15

password 7 00010Bsdfsdfsad16165E18155E

login

transport input ssh

!

scheduler max-task-time 5000

end

------------------------------------------------------------------

13 Replies

John Blakley
VIP Alumni

It looks like your DNS server is located at:

10.121.140.25 10.121.140.28

Your NAT ACL 101 is:

    10 permit ip 10.121.128.0 0.0.0.255 any (1973 matches)

    20 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255

Change lines 10 and 20 around and you should be able to get on the internet.

HTH,

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***

Hi Blakley,

Thanks for your response. Could you please give me the exact commands to remove and to issue on the router?

Sure:

ip access-list ext 101

no 10

no 20

10 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255

20 permit ip 10.121.128.0 0.0.0.255 any

end

Try that...

John


This is what I have given on the router. Could you please tell me which access-lists are to be removed and what commands I need to issue on it, please?

access-list 1 permit 10.121.128.0 0.0.0.255

access-list 23 permit 62.232.78.133

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 permit ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.0.255

access-list 100 permit ip 10.121.128.0 0.0.0.255 192.168.18.0 0.0.0.255

access-list 101 permit ip 10.121.128.0 0.0.0.255 any

access-list 101 deny   ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255

I showed you in my previous post...copy what I posted and paste in the router...it will do the work for you.

Copy between the ! lines:

!

!

!

ip access-list ext 101

no 10

no 20

10 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255

20 permit ip 10.121.128.0 0.0.0.255 any

end

!

!

!


Hi John,

Thank you so much for responding and for your help.

I'll issue these commands tomorrow when I go back to the office, and I will get back to you soon.

Regards

Siva

Sure...let us know if it helped..

John

Please rate all useful posts...


John

How about my natting, is it OK?

Your natting looks fine. The reason that I suggested the change is because ACLs are read top down. Your very first line says to NAT to everywhere, but your DNS server is going over the VPN. You don't want to NAT that traffic, so you have to move your deny statement above your permit. If you're not going to anything over the VPN, then your normal traffic will NAT out. If you're able to ping 4.2.2.1 from a host, then natting is working.

HTH,

John

HTH, John *** Please rate all useful posts ***
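
The first-match behaviour described in the reply above, as an added example that is not part of the original posts: a small Python model of IOS ACL evaluation with wildcard masks, run against ACL 101 before and after the reorder, which also flags entries that can never match because an earlier entry covers them. The inside host 10.121.128.50 and all function names are assumptions made for illustration.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <wildcard> <dst> <wildcard>|any' (the forms in ACL 101)."""
    tok = line.split()
    dst = ("0.0.0.0", "255.255.255.255") if tok[4] == "any" else (tok[4], tok[5])
    return tok[0], (tok[2], tok[3]), dst

def matches(addr, spec):
    """Cisco wildcard mask: bits set to 1 are ignored when comparing."""
    base, wildcard = spec
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(base) & care)

def evaluate(acl, src, dst):
    """Top-down, first match wins; an ACL ends with an implicit deny."""
    for seq, line in acl:
        action, s, d = parse_ace(line)
        if matches(src, s) and matches(dst, d):
            return seq, action
    return None, "deny"

def is_natted(acl, src, dst):
    # The route-map referenced by 'ip nat inside source' translates what the ACL permits.
    return evaluate(acl, src, dst)[1] == "permit"

def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    care = ~_int(outer[1]) & 0xFFFFFFFF
    return (_int(inner[1]) & care) == 0 and (_int(outer[0]) & care) == (_int(inner[0]) & care)

def shadowed_entries(acl):
    """Return (seq, shadowing_seq) for entries an earlier entry makes unreachable."""
    parsed = [(seq, parse_ace(line)) for seq, line in acl]
    return [(seq, pseq) for i, (seq, (_, s, d)) in enumerate(parsed)
            for pseq, (_, ps, pd) in parsed[:i] if covers(ps, s) and covers(pd, d)]

ORIGINAL = [(10, "permit ip 10.121.128.0 0.0.0.255 any"),
            (20, "deny   ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255")]
CORRECTED = [(10, "deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255"),
             (20, "permit ip 10.121.128.0 0.0.0.255 any")]
HOST = "10.121.128.50"  # constructed inside-host address (assumption)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for dst in ("10.121.140.25", "4.2.2.2"):
            print(name, dst, "translated" if is_natted(acl, HOST, dst) else "not translated")
        print(name, "shadowed entries:", shadowed_entries(acl))
```

With the original order, traffic to the DNS server at 10.121.140.25 is translated before the deny is ever consulted; after the reorder it is left untranslated and only Internet-bound traffic is NATed.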

Hi John,

I really appreciate your explanation. Now I have a clear idea, and it's just because of you.

Thank you so much for your time and patience.

Hi John,

I couldn't get a chance yesterday to configure what you suggested.

Hopefully I will be implementing it next Tuesday and I will get back to you soon.

Once again, thank you so much for your response and help.

Hi John,

Thank you so much for your help.

As you said, I just copied and pasted those commands and now everything has started working fine.

Once again, many many thanks, John.

Regards,

Siva

Hi John,

I'm having a problem with the new Cisco 887.

Users can connect to the main office and they can access all the servers and even get on the Internet.

But users are complaining the network is very, very slow.

My ISP has increased the speed from their side, so do I need to change any settings on my new 887 router?

Please help me.
