tomo456
Beginner

Internet connection settings, CISCO 891F

I tried to connect to the Internet with a CISCO 891F, but it just does not work. I am pasting the config below; if anything is wrong, please point it out.

WAN port: interface GigabitEthernet8

Provider ID: test@test.com

Provider password: PASSWORD

7 replies
shimenoy
Beginner

Hi tomo456 :)

At first glance,

> ip nat inside source list 1 interface Dialer1 overload

refers to list 1, which does not seem to exist.

I changed the LAN-side segment (and the DHCP settings to match).

Before: 192.168.111.0/24

After: 192.168.1.0/24

 

As pointed out, I added "access-list 1 permit 192.168.1.0 0.0.0.255", but the result is unchanged:

still no communication.

I suspect there are other mistakes.

 

Below is the config:

-------------------------------------------------------------------------------

 

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisrt
!
boot-start-marker
boot-end-marker
!
!
enable password test
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcp-pool
dns-server 192.168.1.1
lease 0 2
!
ip dhcp pool 1
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
!
no ip domain lookup
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C891FJ-K9 sn FGL222995KP
!
!
!
!
!
!
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
no cdp enable
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0
no ip address
no cdp enable
!
interface GigabitEthernet1
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet2
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet3
switchport access vlan 30
no ip address
no cdp enable
!
interface GigabitEthernet4
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet5
switchport access vlan 111
no ip address
no cdp enable
!
interface GigabitEthernet6
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet7
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet8
description to_ISP
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan111
ip address 192.168.111.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description to_ISP
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname test@test.com
ppp chap password 0 PASSWORD
ppp ipcp dns request accept
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
ip http path flash:
!
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no service-routing capabilities-manager
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
telephony-service
max-conferences 4 gain -6
web admin system name test password test
transfer-system full-consult
!
!
vstack
!
line con 0
exec-timeout 0 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
password test
login
transport input all
!
scheduler allocate 20000 1000
!
!
!
end

I built another pattern, but still no communication.

WAN port: G8

LAN port: G1

Pings from the LAN reach this router, so I think the error is on the WAN side.

The router could not ping external addresses.

--------------------------------------------------------

version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
!
enable password test
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.10.1 192.168.10.100
!
ip dhcp pool DHCP_pool
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
lease 0 2
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C891FJ-K9 sn FGL222995KP
!
!
vtp domain rt1
vtp mode transparent
!
!
!
!
!
vlan 2-4,8-10,20,30,111
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
no ip address
shutdown
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
shutdown
!
interface GigabitEthernet5
no ip address
shutdown
!
interface GigabitEthernet6
no ip address
shutdown
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
mtu 1454
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1414
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname test@test.com
ppp chap password 0 password
ppp ipcp dns request accept
no cdp enable
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list acl_NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard acl_NAT
permit 192.168.10.0 0.0.0.255
!
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
vstack
!
line con 0
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
password test
login
transport input none
!
scheduler allocate 20000 1000
!
!
!
end

Additional information:

Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 192.168.11.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.11.1
is directly connected, GigabitEthernet8
192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.11.0/24 is directly connected, GigabitEthernet8
L 192.168.11.10/32 is directly connected, GigabitEthernet8
192.168.99.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.99.0/24 is directly connected, Vlan5
L 192.168.99.1/32 is directly connected, Vlan5

 

From the Gi0 side, pings get through as far as the WAN on Gi8. Also, while connected over TELNET, pings reach both Gi0 on the LAN side and Gi8 on the WAN side. So I have the feeling that with GigabitEthernet, going through a Vlan to make it L3 causes NAT not to work properly for some reason.

In ip route it is properly assigned to Vlan5, as shown above. With the old FastEthernet type it worked with just the Vlan part replaced by F0/0, so GigabitEthernet and FastEthernet seem to be fundamentally different somehow.

First, some of the uploaded configs contain

> no ip domain lookup

If this is present, not only does the router's command line stop doing lookups when you mistype a command, but the built-in DNS server also stops resolving names, so it must not be included.

 

> no ip forward-protocol nd

At my place I have it without the no:

ip forward-protocol nd

 

> ip route 0.0.0.0 0.0.0.0 Dialer1

In my case I use

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

 

> dialer-list 1 protocol ip permit

I don't set this either.

 

Also, on interface Dialer1 I have

 ip inspect INTERNET out

 

ip inspect name INTERNET ftp
ip inspect name INTERNET ssh timeout 43200
ip inspect name INTERNET ntp
ip inspect name INTERNET tcp
ip inspect name INTERNET udp
ip inspect name INTERNET icmp

configured, which enables stateful inspection.

 

So, what does the log say? Is the PPPoE connection coming up?

Is the upstream DNS server information being obtained correctly?

Looking around various sites, the decisive difference is that the ports are GigabitEthernet rather than FastEthernet, so an IP cannot be assigned directly to the LAN-side interface. So I created Vlan 5 and assigned Gi0 to it.

conf#> int vlan 5
 ip address 192.168.99.1 255.255.255.0

and to go with it

conf#> int Gi0
 switchport mode access
 switchport access vlan 5

and then

int vlan 5
 ip nat inside

 

On the 891, Gi8 is the WAN (192.168.11.10), so I set the gateway to 192.168.11.1. On this I put

ip nat outside

I also configured DHCP, like this, and DHCP works. The CC website and TELNET all work, but the crucial ping from the inside does not get through. Vlan5 can also reach the gateway. It just will not go through from Gi0.

 

I am attaching the config. Please help.

Building configuration...


Current configuration : 17595 bytes
!
! Last configuration change at 13:18:41 UTC Thu Jul 23 2020 by taka
! NVRAM config last updated at 12:56:59 UTC Thu Jul 23 2020 by taka
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$drCB$xyoQ34A93IYIDO4PSOiwa/
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3729201383
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3729201383
revocation-check none
rsakeypair TP-self-signed-3729201383
!
!


!
ip dhcp excluded-address 192.168.99.0 192.168.99.30
!
ip dhcp pool lan
network 192.168.99.0 255.255.255.0
default-router 192.168.99.1
dns-server 75.75.75.75
!
!
!
ip name-server 192.168.11.1
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
!
!
!
!
multilink bundle-name authenticated
!

!
license udi pid C891FJ-K9 sn FGL202820G9
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.99.0 255.255.255.0
!
object-group network test1_dst_net
any
!
object-group network test1_src_net
any
!
object-group service test1_svc
ip
!
object-group network vpn_remote_subnets
any
!
username taka privilege 15 secret 5 $1$fHz1$ryb67RP251Dgc6UdLIAAt/
username cisco secret 5 $1$oC8B$Q4reQ5lT5.RM428po9vCv/
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-all test1
match access-group name test1_acl
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect test1
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
!
crypto isakmp policy 1
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
switchport access vlan 5
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan5
ip address 192.168.99.1 255.255.255.0
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list nat-list interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 192.168.11.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended test1_acl
permit object-group test1_svc object-group test1_src_net object-group test1_dst_net
!
ipv6 ioam timestamp
!
access-list 1 permit 192.168.99.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
banner login ^Cdahahahaha^C
!
line con 0
login authentication local_access
no modem enable
line aux 0
line 3
speed 115200
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
!
pnp profile pnp_cco_profile
transport https ipv4 52.203.231.173 port 443
end
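The checks raised in this thread, as an added example that is not part of any post: shimenoy's point that `ip nat inside source list 1` refers to an ACL that was never defined, the `dialer-list` that the later reply mentions, and the zone-based firewall in the last config, where Vlan5 is in zone LAN while GigabitEthernet8 (the NAT outside interface) belongs to no zone. In IOS zone-based firewall, traffic between an interface that is in a zone and an interface that is in no zone is dropped; the page does not state that rule, it is my addition. The Python below parses a saved `show running-config` (it assumes IOS's one-space indentation for sub-commands and `!` between blocks) and reports those reference errors. The sample configs are constructed condensations of the ones posted, not the posters' full configs.

```python
"""Added example, not any poster's code: lint for the IOS reference mistakes in this
thread. Flags a NAT ACL that is never defined (shimenoy's "list 1 is missing"), a
dialer-group with no dialer-list, and a NAT interface left in no zone while
zone-based firewall is on (IOS drops traffic between a zone member and a non-member
interface). The sample configs are constructed condensations of the posted ones."""
import re


def parse_config(text: str) -> tuple[list[str], dict[str, list[str]]]:
    # Split a running-config into global commands and per-interface sub-commands.
    global_cmds: list[str] = []
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":      # IOS prints "!" between blocks
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces.setdefault(current, [])
        elif current is not None and raw[:1].isspace():
            interfaces[current].append(line)   # indented line = sub-command
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def _groups(pattern: str, lines: list[str]) -> list[str]:
    # First capture group of every line that matches pattern at its start.
    return [m.group(1) for m in map(re.compile(pattern).match, lines) if m]


def lint(text: str) -> list[str]:
    g, ifs = parse_config(text)
    findings: list[str] = []

    # Every ACL named by 'ip nat inside source list' must exist (numbered or named).
    acls = set(_groups(r"access-list (\S+) ", g))
    acls |= set(_groups(r"ip access-list (?:standard|extended) (\S+)$", g))
    for acl in _groups(r"ip nat inside source list (\S+) ", g):
        if acl not in acls:
            findings.append(f"NAT references undefined ACL '{acl}'")

    # A Dialer's dialer-group N needs a global dialer-list N for interesting traffic.
    dialer_lists = set(_groups(r"dialer-list (\d+) ", g))
    for name, subs in ifs.items():
        for grp in _groups(r"dialer-group (\d+)$", subs):
            if grp not in dialer_lists:
                findings.append(f"{name}: dialer-group {grp} has no dialer-list {grp}")

    # With ZBF, a zone member cannot exchange traffic with an interface in no zone.
    inside = [n for n, s in ifs.items() if "ip nat inside" in s]
    outside = [n for n, s in ifs.items() if "ip nat outside" in s]
    zoned = {n for n, s in ifs.items() if any(x.startswith("zone-member security ") for x in s)}
    for n in inside + outside:
        if zoned and n not in zoned:
            findings.append(f"{n}: ZBF is on but this NAT interface is in no zone "
                            "(traffic between a zone member and a non-member is dropped)")
    return findings


# Constructed sample 1 (condensed from the first PPPoE attempt, before access-list 1 existed).
PPPOE_MISSING_ACL = """\
interface GigabitEthernet8
 pppoe-client dial-pool-number 1
!
interface Vlan30
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
 dialer pool 1
 dialer-group 1
!
ip nat inside source list 1 interface Dialer1 overload
dialer-list 1 protocol ip permit
"""

# Constructed sample 2 (condensed from the ZBF config): Vlan5 zoned, Gi8 NAT outside but unzoned.
ZBF_UNZONED_WAN = """\
zone security LAN
interface GigabitEthernet8
 ip nat outside
!
interface Vlan5
 ip address 192.168.99.1 255.255.255.0
 ip nat inside
 zone-member security LAN
!
ip nat inside source list 1 interface GigabitEthernet8 overload
access-list 1 permit 192.168.99.0 0.0.0.255
"""

# Sample 2 with Gi8 placed in zone WAN: the lint should come back clean.
ZBF_FIXED = ZBF_UNZONED_WAN.replace(" ip nat outside\n",
                                    " ip nat outside\n zone-member security WAN\n")
```

Save the running-config to a file and call `lint(open(path).read())`. An empty list means none of these reference mistakes is present; it does not prove the PPPoE session itself is up, which is what `show pppoe session` and `show ip interface brief` are for.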

 
