Re: Cisco 891 behind ADSL router

andyspranata · ‎01-29-2012

I would like to configure cisco 891 behind an ADSL Router(ISP one).

The Details are:

ADSL Router:

- DSL Connection: dynamic IP

- LAN: 10.153.66.1/255.255.255.128

CISCO 891

- WAN: 10.153.66.5/255.255.255.128

- LAN: 10.153.64.1/255.255.255.128

- Configuration:

WAN

interface FastEthernet8

description Singtel Line$ETH-WAN$$FW_OUTSIDE$

ip address 10.153.66.5 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

LAN

interface Vlan1

description LAN Connection$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

ip address 10.153.64.1 255.255.255.128

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

Routing and NAT

ip nat inside source route-map A interface FastEthernet8 overload

ip route 0.0.0.0 0.0.0.0 FastEthernet8

route-map A permit 10

match ip address 110

match interface FastEthernet8

access-list 110 permit ip 10.153.64.0 0.0.0.127 any

DNS

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip name-server 10.153.66.1

Please advise.

I could ping to 10.153.66.1(ADSL Router), but I cannot connect to the internet

cadet alain · ‎01-29-2012

Hi,

first change your default static route:

no ip route 0.0.0.0 0.0.0.0 fastethernet8

ip route 0.0.0.0 0.0.0.0 10.153.66.1

then add this global config command if it ain't already there: ip inspect log drop-pkt

Then tell us if you still got problems where you are pinging from and post following outputs:

-sh policy-map

-sh class-map

-sh access-list

- sh run | s zone

Regards.

Alain

Don't forget to rate helpful posts.

andyspranata · ‎01-30-2012

ip route 0.0.0.0 0.0.0.0 10.153.66.1

I have tried that configuration and it was not working.

I will add the

"ip inspect log drop-pkt"

command

I will post some logs this week and the other configuration

It would be great to know the possible cause of this matter

Thanks

Neeraj Arora · ‎01-30-2012

Hi Andy,

although your configuration looks correct and the outputs suggested by Alain would help in narrowing down the issue, still I am stating couple of points which might help:

- Ping 4.2.2.2 sitting on this router and check if Internet reachability is up or not

- If the above ping works fine then instead of using route-map in the NAT command, simply use the ACL: ip nat inside source list 110 interface fa8 overload

apart from this, you need to check if IOS firewall is allowing traffic or not and also issue "sh ip nat tran" when you ping internet ip or 4.2.2.2

Hope it helps

Neeraj

andyspranata · ‎01-30-2012

I was planning to use 2 ISP connection in the near future and failover connection. that was the reason I use route map.

Is it possible to disable the firewall?

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.153.64.0 0.0.0.127

access-list 110 permit ip 10.153.64.0 0.0.0.127 any