
Cannot reach outside world on C1111-8PW

Spork Schivago
Level 1

Hi. I took CCNA courses over 15 years ago. I have a Cisco C1111-8PW router and cannot reach the outside world. Interface GigabitEthernet 0/0/0 is connected to an ONT and I've temporarily enabled DHCP, as a client, on the interface. The interface pulls in an IP address, the name servers, etc. I can ping the gateway that it pulls in, but I cannot ping the name servers or anything else.

I believe this is a routing issue. I only have internet access via my cell phone currently and it's very hard to post logs. This is what show ip route looks like:

Router01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 66.115.74.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 66.115.74.1, GigabitEthernet0/0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.100/32 is directly connected, Loopback0
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.115.74.0/25 is directly connected, GigabitEthernet0/0/0
L        <my static IP>/32 is directly connected, GigabitEthernet0/0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.1/32 is directly connected, Vlan1

 

 

There are currently three wireless APs (Cisco Aironet 1832) connected to interface GigabitEthernet0/1/0, 0/1/1, and 0/1/2. The idea is to keep those APs all on one subnet.

There is an HPE 5900AF series switch connected via the fibre optic port.

I have not attempted to configure any of those yet, I am just trying to reach the outside world right now.

I have tried config t

ip routing

However, show running-config does not show that the command is enabled.

Any ideas how to reach the outside world?

Thank you!!


Spork Schivago
Level 1

Okay,

I had my ISP temporarily enable another port on the ONT (Optical Network Termination) device, to allow me to use a computer while I try configuring the router. They called earlier and said they had fixed the static IP address I had the other day and said to use the static IP now.

So I undid all the DHCP client stuff on the router and went through trying to set the various IP addresses and static route, but I still cannot reach the outside world on the router.

Here's a copy of my running-config, in case someone sees something wrong.

Current configuration : 5401 bytes
!
! Last configuration change at 23:19:58 UTC Wed Jan 16 2019 by admin
!
version 16.8
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router01
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
enable secret 5 <masked>
enable password 7 <masked>
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
no ip bootp server
ip name-server 72.18.48.120 72.18.56.250
no ip domain lookup
!
!
!
login block-for 360 attempts 5 within 360
!
!
!
!
!
!
!
subscriber templating
no routing-default-optimize
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2716140574
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2716140574
 revocation-check none
 rsakeypair TP-self-signed-2716140574
!
!
crypto pki certificate chain TP-self-signed-2716140574
 certificate self-signed 01
<masked>
        quit
!
license udi pid C1111-8PWB sn <masked>
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
username admin privilege 15 password 7 <masked>
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
no cdp run
!
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.100 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/0/0
 ip address <my public IP> 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast source reachable-via rx 100
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Wlan-GigabitEthernet0/1/8
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 66.115.74.1
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
!
!
!
!
!
!
control-plane
!
banner motd ^C This system is the property of Corning Electronics, LLC.
 UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED.
 You must have explicit permission to access this
 device.  All activities performed on this device
 are logged.  Any violations of access policy will result
 in disciplinary action.^C
!
line con 0
 location S101.AZ04-26-DC
 login authentication local_auth
 transport input none
 transport output telnet
 stopbits 1
 speed 115200
line vty 0 4
 password <masked>
 login authentication local_auth
 transport input telnet ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

And here is a more properly formatted display of show ip route:

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 66.115.74.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 66.115.74.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Loopback0
L        10.10.10.100/32 is directly connected, Loopback0
      66.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        66.115.74.0/25 is directly connected, GigabitEthernet0/0/0
L       <my public IP>/32 is directly connected, GigabitEthernet0/0/0
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.1/32 is directly connected, Vlan1

Here's what my show ip name-servers looks like:

72.18.48.120
72.18.56.250

I am not sure what I am doing wrong.

The GigabitEthernet 0/0/0 is what's connected to the ONT. show running-config interface GigabitEthernet 0/0/0 looks like this:

interface GigabitEthernet0/0/0
 ip address <my static IP> 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip verify unicast source reachable-via rx 100
 negotiation auto
end

I can ping their default gateway of 66.115.74.1. That is it though. I cannot ping their name-servers, I cannot ping 8.8.8.8, I cannot perform DNS queries.

I figured it out.

This line:

 ip verify unicast source reachable-via rx 100

was causing the issues. It's to enable Unicast Reverse Path Forwarding. I wanted Unicast Reverse Path Forwarding. My understanding was it would help prevent spoofed IP addresses. However, if set up incorrectly (as in my case), it can drop legitimate packets. I guess I'll have to do a lot more reading to figure out what I did wrong there. Anyway, I can now reach the outside world and I think I will work on setting up the rest of the network devices.

Thanks guys!
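
An added illustration, not part of the original posts: a small Python model of the strict-mode uRPF decision as Cisco documents it, run against the route table and access-list 100 shown in this thread. It assumes that a source matching only the default route fails the check unless `allow-default` is configured, and that a failing packet is forwarded only if the optional ACL permits it; the function names and sample packets are constructed.

```python
import ipaddress

# Routes from the thread's "show ip route" (masked /32 local route omitted).
ROUTES = [
    ("0.0.0.0/0", "GigabitEthernet0/0/0"),   # S* via 66.115.74.1
    ("10.10.10.0/24", "Loopback0"),
    ("66.115.74.0/25", "GigabitEthernet0/0/0"),
    ("192.168.1.0/24", "Vlan1"),
]
WAN = "GigabitEthernet0/0/0"

def acl_100(pkt):
    """access-list 100 permit udp any any eq bootpc, then implicit deny."""
    return pkt["proto"] == "udp" and pkt.get("dport") == 68

def best_route(src):
    """Longest-prefix match for the source address, or None."""
    addr = ipaddress.ip_address(src)
    nets = ((ipaddress.ip_network(p), ifc) for p, ifc in ROUTES)
    hits = [(n, ifc) for n, ifc in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def strict_urpf(pkt, in_ifc, allow_default=False, acl=None):
    """Modelled 'reachable-via rx' decision: returns (forwarded, reason)."""
    route = best_route(pkt["src"])
    if route is not None:
        net, ifc = route
        # The default route (prefix length 0) counts only with allow-default.
        if ifc == in_ifc and (allow_default or net.prefixlen > 0):
            return True, "rpf-pass"
    # Only packets that fail the check are tested against the ACL.
    if acl is not None and acl(pkt):
        return True, "rpf-fail-acl-permit"
    return False, "rpf-fail-drop"

# Constructed sample packets arriving on the WAN interface.
SAMPLES = {
    "gateway echo reply": {"src": "66.115.74.1", "proto": "icmp"},
    "8.8.8.8 echo reply": {"src": "8.8.8.8", "proto": "icmp"},
    "DNS reply": {"src": "72.18.48.120", "proto": "udp", "dport": 50000},
    "DHCP reply": {"src": "198.51.100.7", "proto": "udp", "dport": 68},
}

def evaluate(allow_default=False):
    return {name: strict_urpf(p, WAN, allow_default, acl_100)
            for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for flag in (False, True):
        print(f"allow-default={flag}", evaluate(flag))
```

In this model the gateway passes through the connected /25, while every other Internet source matches only the default route and is dropped, which matches the symptoms reported in the thread. With `allow_default=True` those sources pass, and a packet arriving on the WAN with a 192.168.1.0/24 source is still dropped.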