Cisco SR520 - No outbound access

wendellschools
Level 1

Below is the running config of the router. Can someone tell me why my clients (192.168.x.x) cannot access the internet through this router?

show run
Building configuration...

Current configuration : 10699 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$K5vy$E90Ebf679MAMz.wglbYsJ.
!
no aaa new-model
clock timezone MST -7
clock summer-time MDT recurring
!
crypto pki trustpoint TP-self-signed-1548662293
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1548662293
revocation-check none
rsakeypair TP-self-signed-1548662293
!
!
crypto pki certificate chain TP-self-signed-1548662293
certificate self-signed 01
   quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip name-server 209.161.4.218
!
no ipv6 cef
multilink bundle-name authenticated

parameter-map type urlfilter SDM_URLFILTER_MAP
exclusive-domain permit wendell.k12.id.us
exclusive-domain permit mail.wendellschools.com
exclusive-domain permit k12.id.us
exclusive-domain permit www.teenbiz3000.com
exclusive-domain permit mail.safelink.net
exclusive-domain permit www.sd232.k12.id.us
exclusive-domain permit mail.wendellschools.org
exclusive-domain permit bing.com
exclusive-domain permit google.com
exclusive-domain permit yahoo.com
parameter-map type regex sdm-regex-nonascii
pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com

!
!
username admin privilege 15 secret 5 $1$9EbE$21QHkuUvg3blkmWNXibqM1
!
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect smtp match-any sdm-app-smtp
match  data-length gt 5000000
class-map type inspect http match-any sdm-app-nonascii
match  req-resp header regex sdm-regex-nonascii
class-map type inspect imap match-any sdm-app-imap
match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any sdm-cls-insp-traffic
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any sdm-app-pop3
match  invalid-command
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match  request port-misuse im
match  request port-misuse p2p
match  request port-misuse tunneling
match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect http match-any sdm-app-httpmethods
match  request method bcopy
match  request method bdelete
match  request method bmove
match  request method bpropfind
match  request method bproppatch
match  request method connect
match  request method copy
match  request method delete
match  request method edit
match  request method getattribute
match  request method getattributenames
match  request method getproperties
match  request method index
match  request method lock
match  request method mkcol
match  request method mkdir
match  request method move
match  request method notify
match  request method options
match  request method poll
match  request method post
match  request method propfind
match  request method proppatch
match  request method put
match  request method revadd
match  request method revlabel
match  request method revlog
match  request method revnum
match  request method save
match  request method search
match  request method setattribute
match  request method startrev
match  request method stoprev
match  request method subscribe
match  request method trace
match  request method unedit
match  request method unlock
match  request method unsubscribe
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-protocol-smtp
match protocol smtp
class-map type inspect match-all sdm-protocol-imap
match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
  log
  reset
class type inspect http sdm-app-httpmethods
  log
  reset
class type inspect http sdm-app-nonascii
  log
  reset
policy-map type inspect smtp sdm-action-smtp
class type inspect smtp sdm-app-smtp
  reset
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
  log
  reset
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
  log
  reset
policy-map type inspect sdm-inspect
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
  drop log
class type inspect sdm-protocol-im
  drop log
class class-default
  drop
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-Voice-permit
  pass
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect dhcp_out_self
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address dhcp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan75
description $FW_INSIDE$
ip address 192.168.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
SR520#

7 Replies

Steven DiStefano
VIP Alumni

Do the inside clients get DHCP addresses since I don't see the DHCP address pool?

ip dhcp pool inside
   import all
   network 192.168.x.x 255.255.255.0
   default-router 192.168.x.x

Sorry if I am missing it if it was there....

All inside clients are statically addressed.

OK, I heard of this once before, where the base default configuration was changed early in the life cycle of this product and WAN access problems were solved using a newer base starting config. Depending on your router, I have attached the default config you can start with (or compare to yours).

I am not sure what the change was (I am sorry).

https://www.myciscocommunity.com/docs/DOC-5167

Thank you - I will check it out Monday and let you know the results.

Thank you - after using that new config and some more tweaking it is now working.

Great!!!! If you think you know what tweaking fixed it, feel free to share it, if you have time at some point.

Don Pitchford
Level 1

I know we should be doing CCA for configuration, but, frankly, I cannot get my SR520 working either. I cannot access the internet from a static configured IP address. I am unable to ping anything external or even browse outside. I know there is something really simple. I even went back to the default VLAN 1.

Router:  SR520W-FE-K9   (Software version listed below)

Configuration:

!

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$VlH.$coSqu9yeRmmbhjlHIV2R!WM5S/
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!        
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool vlan1pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 68.105.28.16 68.105.29.16
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
archive
log config
  hidekeys
!
!
!        
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 184.xxx.xxx.13x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 permit any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end

------------

Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     184.xxx.0.0/27 is subnetted, 1 subnets
C       184.xxx.xxx.128 is directly connected, FastEthernet4
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 is directly connected, FastEthernet4

Router#show ver
Cisco IOS Software, SR520 Software (SR520-ADVIPSERVICESK9-M), Version 12.4(20)T5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 08-Mar-10 16:54 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI5, RELEASE SOFTWARE

Vlan Database:

Router(vlan)#show
  VLAN ISL Id: 1
    Name: default
    Media Type: Ethernet
    VLAN 802.10 Id: 100001
    State: Operational
    MTU: 1500
    Translational Bridged VLAN: 1002
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 75
    Name: VLAN0075
    Media Type: Ethernet
    VLAN 802.10 Id: 100075
    State: Operational
    MTU: 1500

  VLAN ISL Id: 1002
    Name: fddi-default
    Media Type: FDDI
    VLAN 802.10 Id: 101002
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1003

  VLAN ISL Id: 1003
    Name: token-ring-default
    Media Type: Token Ring
    VLAN 802.10 Id: 101003
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Ring Number: 0
    Bridge Number: 1
    Parent VLAN: 1005
    Maximum ARE Hop Count: 7
    Maximum STE Hop Count: 7
    Backup CRF Mode: Disabled
    Translational Bridged VLAN: 1
    Translational Bridged VLAN: 1002

  VLAN ISL Id: 1004
    Name: fddinet-default
    Media Type: FDDI Net
    VLAN 802.10 Id: 101004
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

  VLAN ISL Id: 1005
    Name: trnet-default
    Media Type: Token Ring Net
    VLAN 802.10 Id: 101005
    State: Operational
    MTU: 1500
    Bridge Type: SRB
    Bridge Number: 1
    STP Type: IBM

Router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  184.xxx.xx.129         2   0014.f1ea.65e2  ARPA   FastEthernet4
Internet  184.xxx.xxx.xx3         -   e804.622c.c788  ARPA   FastEthernet4
Internet  184.xxx.xxx.xx4         9   0015.5886.ba13  ARPA   FastEthernet4
Internet  192.168.1.1             -   e804.622c.c77e  ARPA   Vlan1
Internet  192.168.1.31            1   0024.e8c4.4bfc  ARPA   Vlan1

Router#show ip nat trans
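
Added example, not part of any post in this thread and not Cisco tooling: the thread does not identify the change that fixed the original poster's router, so this checks one thing that is visible in both posted configs, namely whether the ACL referenced by `ip nat inside source list` permits the whole subnet of each `ip nat inside` interface. It generalizes to any numbered standard ACL with contiguous wildcard masks; the function names are hypothetical, and `deny` entries, `host` entries, and extended or named ACLs are ignored as a simplifying assumption.

```python
import ipaddress
import re

# NAT-relevant lines excerpted from the two configs posted in this thread.
FIRST_POST = """
interface Vlan75
 ip address 192.168.0.1 255.255.252.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""
SECOND_POST = """
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit any
"""

def wildcard_net(addr, wildcard):
    # An IOS wildcard mask is an inverted netmask (contiguous masks assumed).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):  # -> (interfaces, NAT ACL numbers, standard-ACL permits)
    ifaces, nat_acls, acls, cur = {}, [], {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            cur = ifaces.setdefault(m[1], {"net": None, "inside": False})
        elif cur is not None and (m := re.match(r"ip address (\d\S*) (\d\S*)$", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and line == "ip nat inside":
            cur["inside"] = True
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_acls.append(m[1])
        elif m := re.match(r"access-list (\d+) permit (any|[\d.]+)(?: ([\d.]+))?$", line):
            addr, wild = ("0.0.0.0", "255.255.255.255") if m[2] == "any" else (m[2], m[3] or "0.0.0.0")
            acls.setdefault(m[1], []).append(wildcard_net(addr, wild))
    return ifaces, nat_acls, acls

def nat_gaps(config):
    """Map each 'ip nat inside' interface to the parts of its subnet no NAT ACL permits."""
    ifaces, nat_acls, acls = parse(config)
    permitted = [net for num in nat_acls for net in acls.get(num, [])]
    gaps = {}
    for name, i in ifaces.items():
        left = [i["net"]] if i["inside"] and i["net"] is not None else []
        for p in permitted:  # carve each permitted range out of what is left
            left = [r for s in left for r in
                    ([s] if not s.overlaps(p) else [] if s.subnet_of(p) else s.address_exclude(p))]
        if left:
            gaps[name] = [str(n) for n in sorted(left)]
    return gaps
```

On the first posted config `nat_gaps` reports that Vlan75 is a /22 while access-list 1 permits only the first /24 of it; on the second config, with `access-list 1 permit any`, it reports no gap.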