New router. Can't get out to the Internet.

Router model: C819-HWD-A-K9

IOS ver. 15.2(4)

Public IP address: 12.34.56.78 255.255.255.252 (interface GigabitEthernet0)

Gateway: 12.34.56.77

Private network address: 10.1.1.0 255.255.255.0

Inside interface: 10.1.1.1 (interface FastEthernet0)

From inside of the network, I can ping the inside interface, outside WAN interface and gateway address but nothing beyond that.

From outside the network, I can ping the gateway address but not the outside WAN interface.

My ISP can see my router in their ARP table. But they cannot ping my outside WAN interface. There is probably either a NAT issue, an ACL issue, or both.

I have a minimal configuration. Basically default settings except for DNS, DHCP, and interface settings.

I am a newb. And am sure I am missing something obvious. Any help would be greatly appreciated.

Config is:

ip cef
!
!
ip dhcp pool dpool1
 import all
 network 10.1.1.0 255.255.255.0
 dns-server 24.196.64.53 68.115.71.53
 default-router 10.1.1.1
!
!
ip domain name chrisconway.net
ip name-server 24.196.64.53
ip name-server 68.115.71.53
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid C819HWD-A-K9 sn FTX174380LX
!
!
username conway privilege 15 password 0 zeroaccess
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 ip address 12.34.56.78 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
access-list 199 permit ip any any
no cdp run
!
!
control-plane
!
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


13 Replies

John Blakley
VIP Alumni

The first thing I would do is tighten up the acl 199 from:

permit ip any any

to:

permit ip 10.1.1.0 0.0.0.255 any

You said they can't ping your wan address on g0? You don't have acls on the interface, so they should be able to. If they can't do that, it's not a natting issue. That's for things going through the router. Can you ping your gateway from the router? Is there anything in front of this router?

HTH,
John

*** Please rate all useful posts ***


I understand the concern about tightening up the ACL. I am just trying to use the most permissive statement to get online first. Then I will harden. Also "permit ip any any" is the default setting of this IOS.

Yes, I can ping the gateway from the router.

Not exactly sure what you mean about anything in front of the router. I just have an ISP modem. Nothing between that and the single router we are discussing.

I too, wonder why I cannot ping my WAN interface from an outside network.

Thanks for your reply.

cadet alain
VIP Alumni

Hi,

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 12.34.56.77
no access-list 199 permit ip any any
access-list 199 permit ip 10.1.1.0 0.0.0.255 any

Regards

Alain

Don't forget to rate helpful posts.


From my limited knowledge, it appears that you are recommending setting a "gateway of last resort" with the ip route statement (ip route 0.0.0.0 0.0.0.0 12.34.56.77).

I thought about this. Did not set this as I am not having any issue pinging the gateway from either the inside or outside.

Also, you are recommending "access-list 199 permit ip  10.1.1.0 0.0.0.255 any".

I thought about this as well. But isn't my existing "access-list 199 permit ip any any" more permissive?

I am very willing and able to try your suggestions. And I really appreciate your help.

I am just curious why my existing config is not working.

When the router receives the packet from an inside host, it looks in the routing table for a match based on the destination IP address. It finds the only route (0.0.0.0/0) with next hop interface gigabit0/1. Because this is not a point-to-point link like xDSL, the router doesn't know where to send the packet.
So you need to reconfigure the router as you've already been instructed (no ip route...., ip route.....).

Regarding the ACL: you should always define the most restrictive ACL rules you can, to harden the device, the network and the data.

Hi,

1) Setting a static route with an outgoing multipoint interface (like Ethernet) can only work if the next hop is doing proxy ARP, and even if it did, it is highly discouraged for performance reasons.

2) NAT ACLs permitting any can cause problems on some IOS versions/platforms.

Regards

Alain

Don't forget to rate helpful posts.


Sorry Alain, didn't realise you were online, otherwise I wouldn't have responded.

Jon

Hi Jon,

No problem 

Regards

Alain

Don't forget to rate helpful posts.


That was it!

Thanks Cadet!

Thanks for the explanation.

I never doubted for a moment that your original response was valid, I just needed for it to make sense to me. Hope you understand.

I am very grateful for your help.

I will apply the fix and let you know the outcome. I will also give you proper credit for your fast and courteous response.

Thank you!!!


The default route should point to the next-hop IP if at all possible, and not out of an interface. With Ethernet, pointing the default route out of an interface means it ARPs for every remote address, which is inefficient, as it only needs to know the MAC address of the next hop.

Using "any" as the source in a NAT ACL can cause issues. Certainly if you used a standard ACL with just "any", that can stop NAT working.

So I would change it to the one Alain suggested, where you specify the source subnet(s). Using "any" for the destination is fine and is in fact needed for Internet access.

Jon
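To make the two points in this thread concrete (a default route that names only an Ethernet interface forces the router to ARP for every remote destination, whereas a next-hop route makes it ARP once for the gateway; and a NAT ACL with source "any" matches packets that were never sourced from the inside subnet), here is a small Python model. It is an added example written for this page, not Cisco IOS code or anything posted in the thread: the route lookup and Cisco-wildcard ACL matching are simplified, the remote address 203.0.113.10 is a constructed documentation-range value, and the other addresses are the ones from the original post.

```python
"""Toy model of the two problems discussed in this thread (added example, not IOS code):
1. a default route pointing out a multi-access interface vs. at a next-hop IP;
2. a NAT access-list with source `any` vs. a specific inside subnet.
Addresses 12.34.56.77/78 and 10.1.1.0/24 come from the original post; 203.0.113.10 is a
constructed remote destination."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    interface: str
    # None models "ip route <prefix> <interface>" (no next hop known), as well as a
    # directly connected network, where the router must ARP for the destination itself.
    next_hop: Optional[ipaddress.IPv4Address] = None


def route(prefix: str, interface: str, next_hop: Optional[str] = None) -> StaticRoute:
    return StaticRoute(ipaddress.IPv4Network(prefix), interface,
                       ipaddress.IPv4Address(next_hop) if next_hop else None)


# Connected routes from the posted config, plus the default route as posted.
ROUTES_ORIGINAL: List[StaticRoute] = [
    route("10.1.1.0/24", "Vlan1"),
    route("12.34.56.76/30", "GigabitEthernet0"),
    route("0.0.0.0/0", "GigabitEthernet0"),              # ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
]
# Same table with the default route fixed as suggested in the thread.
ROUTES_FIXED: List[StaticRoute] = ROUTES_ORIGINAL[:2] + [
    route("0.0.0.0/0", "GigabitEthernet0", "12.34.56.77"),  # ip route 0.0.0.0 0.0.0.0 12.34.56.77
]


def arp_target(routes: List[StaticRoute], dest: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match, then return (egress interface, address the router ARPs for).
    With a next-hop route the router resolves the gateway's MAC once; with an interface-only
    route on Ethernet it has to ARP for the remote destination, which only works if the
    upstream device answers with proxy ARP (the failure mode described in the thread)."""
    d = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if d in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    if best.next_hop is not None:
        return best.interface, str(best.next_hop)
    return best.interface, str(d)


# Extended ACL entries: (action, src_net, src_wildcard, dst_net, dst_wildcard).
# "any" is written the way IOS expands it: 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_ORIGINAL = [("permit", *ANY, *ANY)]                       # access-list 199 permit ip any any
ACL_FIXED = [("permit", "10.1.1.0", "0.0.0.255", *ANY)]       # access-list 199 permit ip 10.1.1.0 0.0.0.255 any


def _wild_match(addr: int, net: str, wild: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    mask = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (addr & mask) == (int(ipaddress.IPv4Address(net)) & mask)


def acl_permits(entries, src: str, dst: str) -> bool:
    """First-match evaluation with the implicit deny at the end; True means the packet
    would be translated by `ip nat inside source list 199 ...`."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, snet, swild, dnet, dwild in entries:
        if _wild_match(s, snet, swild) and _wild_match(d, dnet, dwild):
            return action == "permit"
    return False


if __name__ == "__main__":
    for label, table in (("original", ROUTES_ORIGINAL), ("fixed", ROUTES_FIXED)):
        print(label, "-> ARP for", arp_target(table, "203.0.113.10"))
    for label, acl in (("any any", ACL_ORIGINAL), ("10.1.1.0/24 any", ACL_FIXED)):
        print(label, "inside host:", acl_permits(acl, "10.1.1.50", "203.0.113.10"),
              "router's own WAN address:", acl_permits(acl, "12.34.56.78", "203.0.113.10"))
```

Running it shows the original table making the router ARP for 203.0.113.10 itself on GigabitEthernet0, while the fixed table ARPs for 12.34.56.77; on the ACL side, only the tightened list restricts translation to packets sourced from 10.1.1.0/24.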

That was it!

Thanks Jon!
