01-29-2012 06:19 PM - edited 03-04-2019 03:03 PM
I would like to configure a Cisco 891 behind an ADSL router (ISP one).
The details are:
ADSL Router:
- DSL Connection: dynamic IP
- LAN: 10.153.66.1/255.255.255.128
CISCO 891
- WAN: 10.153.66.5/255.255.255.128
- LAN: 10.153.64.1/255.255.255.128
- Configuration:
WAN
interface FastEthernet8
description Singtel Line$ETH-WAN$$FW_OUTSIDE$
ip address 10.153.66.5 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
LAN
interface Vlan1
description LAN Connection$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.153.64.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
Routing and NAT
ip nat inside source route-map A interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet8
route-map A permit 10
match ip address 110
match interface FastEthernet8
access-list 110 permit ip 10.153.64.0 0.0.0.127 any
DNS
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.153.66.1
Please advise.
I could ping 10.153.66.1 (ADSL router), but I cannot connect to the internet.
01-29-2012 11:47 PM
Hi,
First, change your default static route:
no ip route 0.0.0.0 0.0.0.0 fastethernet8
ip route 0.0.0.0 0.0.0.0 10.153.66.1
then add this global config command if it ain't already there: ip inspect log drop-pkt
Then tell us if you still have problems and where you are pinging from, and post the following outputs:
- sh policy-map
- sh class-map
- sh access-list
- sh run | s zone
Regards.
Alain
01-30-2012 09:37 PM
ip route 0.0.0.0 0.0.0.0 10.153.66.1
I have tried that configuration and it was not working.
I will add the "ip inspect log drop-pkt" command.
I will post some logs this week and the other configuration.
It would be great to know the possible cause of this matter.
Thanks
01-30-2012 04:06 AM
Hi Andy,
Although your configuration looks correct and the outputs suggested by Alain would help in narrowing down the issue, I am still stating a couple of points which might help:
- Ping 4.2.2.2 from this router and check whether Internet reachability is up or not
- If the above ping works fine, then instead of using the route-map in the NAT command, simply use the ACL: ip nat inside source list 110 interface fa8 overload
Apart from this, you need to check whether the IOS firewall is allowing traffic or not, and also issue "sh ip nat tran" when you ping an internet IP or 4.2.2.2
Hope it helps
Neeraj
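An offline check for the two items the replies above focus on, the default route target (Alain's reply) and the ACL that selects traffic for NAT (Neeraj's reply), as an added example that is not part of any post in this thread. The function names and the constructed SAMPLE text are assumptions; the ACL parser only handles `permit ip <net> <wildcard> any` entries with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample: relevant lines of the configuration posted in this thread.
SAMPLE = """\
interface FastEthernet8
 ip address 10.153.66.5 255.255.255.128
interface Vlan1
 ip address 10.153.64.1 255.255.255.128
 ip nat inside
ip route 0.0.0.0 0.0.0.0 FastEthernet8
access-list 110 permit ip 10.153.64.0 0.0.0.127 any
"""

def interface_only_default_routes(config):
    """Default routes whose target is an interface name, not a next-hop IP."""
    hits = []
    for m in re.finditer(r"^\s*ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)\s*$", config, re.M):
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            hits.append(m.group(1))
    return hits

def nat_inside_networks(config):
    """Networks of interfaces that carry 'ip nat inside'."""
    nets, current = [], None
    for line in config.splitlines():
        m = re.match(r"\s*ip address (\S+) (\S+)\s*$", line)
        if line.startswith("interface "):
            current = None  # new interface block, forget the previous address
        elif m:
            current = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line.strip() == "ip nat inside" and current is not None:
            nets.append(current)
    return nets

def acl_sources(config, number):
    """Source networks of 'permit ip <net> <wildcard> any' entries in one ACL."""
    nets = []
    pat = rf"^\s*access-list {number} permit ip (\S+) (\S+) any\s*$"
    for m in re.finditer(pat, config, re.M):
        # Invert the wildcard mask to get a netmask (contiguous wildcards only).
        mask = ipaddress.ip_address(int(ipaddress.ip_address(m.group(2))) ^ 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{mask}"))
    return nets

def uncovered_inside_networks(config, number):
    """Inside networks that the NAT ACL does not fully cover."""
    acl = acl_sources(config, number)
    return [n for n in nat_inside_networks(config) if not any(n.subnet_of(a) for a in acl)]
```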
01-30-2012 09:39 PM
I was planning to use 2 ISP connections in the near future, with a failover connection. That was the reason I used a route map.
Is it possible to disable the firewall?
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.153.64.0 0.0.0.127
access-list 110 permit ip 10.153.64.0 0.0.0.127 any