08-12-2019 04:12 PM
I am trying to get this thing to have internet from GE0/0 available in the LAN connected to GE0/2 and am probably missing something stupid. I am able to ping google from the router but not from a computer on the LAN.
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.10.1
!
ip dhcp pool default
import all
network 192.168.0.0 255.255.0.0
dns-server 192.168.1.1
default-router 192.168.1.1
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!
no ip ftp passive
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Thanks!
Solved! Go to Solution.
08-13-2019 04:58 PM
Hi all, thank you for your help. I ended up changing the local IP range to 172.16.0.0 255.255.0.0; the internet modem plugs into G0/1, and the LAN switch plugs into G0/2. The range 172.16.1.2 to 172.16.1.254 is excluded for servers with a static IP. For future reference, here is my working config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.254
!
ip dhcp pool sdm-pool1
import all
network 172.16.0.0 255.255.0.0
default-router 172.16.1.1
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/1
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 172.16.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
08-12-2019 05:18 PM
Quick look:
Your interface address:
interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0
ACL:
access-list 1 permit 192.168.0.0 0.0.255.255
These do not match.
To match your interface IP range, change the ACL as below, then test and advise:
config t
!
no access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.255.255
!
Change the DHCP reservation pool also.
08-12-2019 06:31 PM
Hi @kram106,
I think you are missing two things:
1- A default route
ip route 0.0.0.0 0.0.0.0 g0/0
2- If you are going to use Google's DNS, you must indicate in your DHCP pool that this will be the DNS server:
ip dhcp pool default
dns-server 8.8.8.8
Regards
08-13-2019 12:56 PM
@balaji.bandi - think again about your suggestion to use this
access-list 1 permit 192.168.1.0 0.0.255.255
When the mask is 0.0.255.255, IOS ignores the third octet and the config becomes
access-list 1 permit 192.168.0.0 0.0.255.255
I believe that @luis_cordova has identified the issue correctly as relating to the default route. But I do not agree with his suggested solution
ip route 0.0.0.0 0.0.0.0 g0/0
instead I suggest this
ip route 0.0.0.0 0.0.0.0 dhcp
A static route specifying only the outbound interface, where that interface is Ethernet, is problematic. A better solution is to configure the default route as originating from DHCP.
HTH
Rick
08-13-2019 01:06 PM
@Richard Burts good catch, may be my typo...
08-13-2019 01:14 PM - edited 08-13-2019 01:18 PM
Hello Richard,
Very good notes, rated as they deserve.
A default static route like
ip route 0.0.0.0 0.0.0.0 gi0/0
relies on proxy ARP being enabled on the upstream router (which may or may not be the case),
and creates scalability issues, as it causes an ARP request for each internet destination address, making the ARP table grow over time.
Edit:
Balaji is correct about the need to resize the DHCP pool to reflect the effective subnet on the gi0/2 interface.
Hope to help
Giuseppe
08-13-2019 01:26 PM
@balaji.bandi easy mistake to make. And frankly I wonder whether the original config of the interface
interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0
really intended to use the /16 mask or if that was a typo. But if that is the mask of the interface then 0.0.255.255 needs to be the mask of the acl.
@Giuseppe Larosa yes, those were some of the aspects I had in mind when I said that a static route specifying only the outbound interface was problematic. I see networks which disable proxy ARP more and more frequently because of the potential security issues. Thanks for the rating.
HTH
Rick
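As an added example (not code from the thread or from any of the posters), here is a small Python auditor that applies the checks made in the replies above to a constructed, abbreviated copy of the first posted config. It normalizes a standard-ACL entry the way IOS does (address bits covered by the wildcard are cleared, so 192.168.1.0 0.0.255.255 is stored as 192.168.0.0 0.0.255.255), tests whether the NAT ACL covers the whole inside subnet, flags the missing default route, and also reports the management-plane settings visible in the posted configs: Telnet accepted on the vty lines (`transport input telnet` in the first config, `transport input all` in the working one), `no service password-encryption`, and `ip http server`. The config text, function names, and finding wording are assumptions of the example; the parser only scans the handful of lines these checks need and is not a full IOS config grammar.

```python
"""Added example, not from the thread: offline audit of a posted IOS config.
Checks: default route; NAT ACL covers the inside subnet after IOS wildcard
normalization; vty transport, password encryption, HTTP server.
"""
import ipaddress
import re

# Constructed, abbreviated copy of the original poster's first config.
ORIGINAL_CONFIG = """\
no service password-encryption
interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/2
 ip address 192.168.1.1 255.255.0.0
 ip nat inside
ip http server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.255.255
line vty 0 4
 login local
 transport input telnet
"""


def normalize_acl_entry(addr, wildcard):
    """Address IOS stores for 'permit addr wildcard': every address bit set in
    the wildcard is cleared, so 192.168.1.0 0.0.255.255 becomes 192.168.0.0."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF))


def acl_entry_covers(addr, wildcard, network):
    """True if every host of `network` ('192.168.1.1/255.255.0.0' style)
    matches the standard-ACL entry. Contiguous wildcards only (assumption)."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard not supported")
    prefix = 33 - (w + 1).bit_length()            # 0.0.255.255 -> /16
    entry = ipaddress.ip_network(f"{normalize_acl_entry(addr, wildcard)}/{prefix}")
    return ipaddress.ip_network(network, strict=False).subnet_of(entry)


def parse_config(text):
    """Minimal line scanner for the fields the audit needs; not full IOS syntax."""
    cfg = {"inside_network": None, "nat_acl": None, "acl_entries": [],
           "default_route": False, "vty_transport": "",
           "password_encryption": True, "http_server": False}
    iface_addr, in_vty = None, False
    for line in text.splitlines():
        if not line.startswith(" "):              # new top-level section
            iface_addr, in_vty = None, False
        s = line.strip()
        if (m := re.match(r"ip address (\S+) (\S+)$", s)):
            iface_addr = f"{m[1]}/{m[2]}"          # static address on an interface
        elif s == "ip nat inside" and iface_addr:
            cfg["inside_network"] = iface_addr
        elif (m := re.match(r"ip nat inside source list (\d+) ", s)):
            cfg["nat_acl"] = m[1]
        elif (m := re.match(r"access-list (\d+) permit (\S+) (\S+)$", s)):
            cfg["acl_entries"].append((m[1], m[2], m[3]))
        elif s.startswith("ip route 0.0.0.0 0.0.0.0 "):
            cfg["default_route"] = True
        elif s.startswith("line vty"):
            in_vty = True
        elif in_vty and s.startswith("transport input "):
            cfg["vty_transport"] = s.split(None, 2)[2]
        elif s == "no service password-encryption":
            cfg["password_encryption"] = False
        elif s == "ip http server":
            cfg["http_server"] = True
    return cfg


def audit(text):
    """Return a list of findings, each with the IOS fix it suggests."""
    cfg = parse_config(text)
    findings = []
    if not cfg["default_route"]:
        findings.append("no default route: add 'ip route 0.0.0.0 0.0.0.0 dhcp' "
                        "(or a next-hop address) rather than an Ethernet interface alone")
    if cfg["inside_network"] and cfg["nat_acl"]:
        mine = [e for e in cfg["acl_entries"] if e[0] == cfg["nat_acl"]]
        if not any(acl_entry_covers(a, w, cfg["inside_network"]) for _, a, w in mine):
            findings.append(f"NAT ACL {cfg['nat_acl']} does not cover inside subnet "
                            f"{cfg['inside_network']}: fix the permit entry's wildcard")
    if cfg["vty_transport"] == "all" or "telnet" in cfg["vty_transport"].split():
        findings.append("vty accepts cleartext Telnet: set 'transport input ssh' and "
                        "restrict with 'access-class <acl> in'")
    if not cfg["password_encryption"]:
        findings.append("'no service password-encryption': line passwords stored in cleartext")
    if cfg["http_server"]:
        findings.append("'ip http server' enabled: cleartext management UI, disable it")
    return findings


if __name__ == "__main__":
    for finding in audit(ORIGINAL_CONFIG):
        print("-", finding)
```

Run against the constructed config it reports four findings: the missing default route, Telnet on the vty lines, cleartext line passwords, and the HTTP server; the NAT ACL passes because 192.168.0.0 0.0.255.255 covers the /16 on GigabitEthernet0/2. Feeding it the suggested 192.168.1.0 0.0.255.255 entry also passes, since `normalize_acl_entry` clears the third octet exactly as Rick describes, whereas a 0.0.0.255 wildcard would be flagged as not covering the inside subnet.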
08-13-2019 02:35 PM - edited 08-13-2019 02:35 PM
Cheers, and noted both notes.
Waiting for the original poster's feedback.