04-04-2012 10:43 AM - edited 03-04-2019 03:55 PM
Hi, below is the configuration on my new Cisco 887 router.
I can ping from my internal host to public DNS 4.2.2.2 but can't access the internet.
Guys, please help me.
Current configuration : 5040 bytes
!
! Last configuration change at 13:19:50 UTC Wed Apr 4 2012 by admin
! NVRAM config last updated at 13:25:17 UTC Wed Apr 4 2012 by admin
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$MvfE$dweq2!23Lrh9l1g.EoQCsni3xd8/
enable password express1
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-216041018
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-216041018
revocation-check none
rsakeypair TP-self-signed-216041018
!
!
crypto pki certificate chain TP-self-signed-216041018
certificate self-signed 01
quit
no ip source-route
!
!
!
ip dhcp excluded-address 10.121.128.1 10.121.128.100
!
ip dhcp pool CSIntLan
network 10.121.128.0 255.255.255.0
default-router 10.121.128.4
dns-server 10.121.140.25 10.121.140.28
!
!
ip cef
no ip domain lookup
ip domain name vin.gin
no ipv6 cef
!
!
license udi pid CISCO887VA-M-K9 sn FCZ160493E5
!
!
archive
log config
hidekeys
username admin privilege 15 password 7 045E131674541D245F5D58
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vizag address 193.32.111.X
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description tunnel to Siva
set peer 193.32.111.X
set transform-set ESP-AES-128-SHA
match address 100
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.121.128.4 255.255.255.0
ip nat inside
no ip virtual-reassembly in
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname lsdfjosafodsafosfn
ppp chap password 7 01312B030sdfsdf54F234234423412
ppp ipcp route default
no cdp enable
crypto map SDM_CMAP_1
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 193.32.111.250 255.255.255.255 Dialer0
!
access-list 1 permit 10.121.128.0 0.0.0.255
access-list 23 permit 62.232.X.133
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.0.255
access-list 100 permit ip 10.121.128.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 101 permit ip 10.121.128.0 0.0.0.255 any
access-list 101 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 00010Bsdfsdfsad16165E18155E
login
transport input ssh
!
scheduler max-task-time 5000
end
04-04-2012 11:08 AM
It looks like your DNS server is located at:
10.121.140.25 10.121.140.28
Your NAT ACL 101 is:
10 permit ip 10.121.128.0 0.0.0.255 any (1973 matches)
20 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255
Change lines 10 and 20 around and you should be able to get on the internet.
HTH,
John
Please rate useful posts...
04-04-2012 11:27 AM
Hi blakley,
Thanks for your response. Could you please give what commands to remove and issue exactly on the router?
04-04-2012 11:29 AM
Sure:
ip access-list ext 101
no 10
no 20
10 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255
20 permit ip 10.121.128.0 0.0.0.255 any
end
Try that...
John
04-04-2012 11:31 AM
This is what I have given on the router. Could you please tell me what access-lists are to be removed and what commands I need to issue on it, please?
access-list 1 permit 10.121.128.0 0.0.0.255
access-list 23 permit 62.232.78.133
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.0.255
access-list 100 permit ip 10.121.128.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 101 permit ip 10.121.128.0 0.0.0.255 any
access-list 101 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255
04-04-2012 11:45 AM
I showed you in my previous post...copy what I posted and paste in the router...it will do the work for you.
Copy between the ! lines:
!
!
!
ip access-list ext 101
no 10
no 20
10 deny ip 10.121.128.0 0.0.0.255 10.121.140.0 0.0.3.255
20 permit ip 10.121.128.0 0.0.0.255 any
end
!
!
!
04-04-2012 12:09 PM
Hi John,
Thank you so much for responding and your help.
I'll issue these commands tomorrow when I go back to the office and I will get back to you soon.
Regards
Siva
04-04-2012 01:51 PM
Sure...let us know if it helped..
John
Please rate all useful posts...
04-04-2012 01:53 PM
John
How about my natting, is it OK?
04-04-2012 02:01 PM
Your natting looks fine. The reason that I suggested the change is because acls are read top down. Your very first line says to nat to everywhere, but your dns server is going over the vpn. You don't want to nat that traffic, so you have to move your deny statement above your permit. If you're not going to anything over the vpn, then your normal traffic will nat out. If you're able to ping 4.2.2.1 from a host, then natting is working.
HTH,
John
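The top-down, first-match behaviour described in the reply above, as an added example that is not part of the original thread: a small Python evaluator for IOS wildcard-mask ACLs, run over ACL 101 in its posted and corrected order, plus a check for entries that can never match. The ACL entries and DNS server address come from the thread; the host 10.121.128.101 and all function names are constructed for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def care_bits(wildcard):
    # IOS wildcard mask: 1-bits are "don't care", 0-bits must match.
    return ~ip(wildcard) & 0xFFFFFFFF

def matches(addr, spec):
    base, wildcard = spec
    return ((ip(addr) ^ ip(base)) & care_bits(wildcard)) == 0

def covers(outer, inner):
    # True when every address matched by `inner` is also matched by `outer`.
    (ob, ow), (ib, iw) = outer, inner
    return (ip(iw) & care_bits(ow)) == 0 and ((ip(ob) ^ ip(ib)) & care_bits(ow)) == 0

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("10.121.128.0", "0.0.0.255")
VPN = ("10.121.140.0", "0.0.3.255")

# ACL 101 as first posted, and after swapping lines 10 and 20.
ORIGINAL = [("permit", LAN, ANY), ("deny", LAN, VPN)]
CORRECTED = [("deny", LAN, VPN), ("permit", LAN, ANY)]

def evaluate(acl, src, dst):
    # First match wins; anything unmatched hits the implicit deny.
    for action, s, d in acl:
        if matches(src, s) and matches(dst, d):
            return action
    return "deny"

def nat_decision(acl, src, dst):
    # route-map SDM_RMAP_1 matches ACL 101: permit means the flow is translated.
    return "nat" if evaluate(acl, src, dst) == "permit" else "no-nat"

def shadowed(acl):
    # 1-based positions of entries fully covered by an earlier entry.
    return [j + 1 for j, (_, s, d) in enumerate(acl)
            if any(covers(ps, s) and covers(pd, d) for _, ps, pd in acl[:j])]

if __name__ == "__main__":
    host = "10.121.128.101"  # constructed LAN host
    # 192.168.18.10 is a constructed address in the second network of ACL 100.
    for dst in ("10.121.140.25", "4.2.2.2", "192.168.18.10"):
        print(dst, nat_decision(ORIGINAL, host, dst), nat_decision(CORRECTED, host, dst))
    print("shadowed:", shadowed(ORIGINAL), shadowed(CORRECTED))
```

The last sample destination sits in 192.168.18.0/24, which ACL 100 on the page also lists; the deny entry in ACL 101 does not cover it, so it is translated under either ordering.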
04-04-2012 02:08 PM
Hi John,
I really appreciate your explanation. Now I have got a clear idea; it's just because of you.
Thank you so much for your time and patience.
04-06-2012 07:39 AM
Hi John,
I couldn't get a chance to configure yesterday what you have suggested.
Hopefully I will be implementing it next Tuesday and I will get back to you soon.
Once again, thank you so much for your response and help.
04-10-2012 12:19 AM
Hi John,
Thank you so much for your help.
As you said, I just copied and pasted those commands and now everything has started working fine.
Once again, many many thanks John.
Regards,
Siva
04-11-2012 09:33 AM
Hi John,
I'm having a problem with the new Cisco 887.
Users can connect to the main office and they can access all the servers and are even getting on the internet.
But users are complaining the network is very very slow.
My ISP has increased the speed from their side, so do I need to change any settings on my new 887 router?
Please help me.