3925 basic config

kram106
Level 1

I am trying to get this thing to have internet from GE0/0 available in the LAN connected to GE0/2, and am probably missing something stupid. I am able to ping Google from the router but not from a computer on the LAN.

version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.10.1
!
ip dhcp pool default
import all
network 192.168.0.0 255.255.0.0
dns-server 192.168.1.1
default-router 192.168.1.1
!
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
!

no ip ftp passive
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$
ip address dhcp client-id GigabitEthernet0/0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end

Thanks!


8 Replies

balaji.bandi
Hall of Fame

Quick look:

Your interface address refers to:

interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0

The ACL refers to:

access-list 1 permit 192.168.0.0 0.0.255.255

This is not matched.

To match your interface IP range, change the ACL as below, then test and advise:

config t
!
no access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.1.0 0.0.255.255
!

Change the DHCP reservation pool also.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

luis_cordova
VIP Alumni

Hi @kram106,

 

I think you are missing two things:

 

1- A default route

ip route 0.0.0.0 0.0.0.0 g0/0

 

2- If you are going to use Google's DNS, you must indicate in your DHCP pool that this will be the DNS:

ip dhcp pool default
dns-server 8.8.8.8

 

Regards

 

@balaji.bandi - think again about your suggestion to use this:

access-list 1 permit 192.168.1.0 0.0.255.255

When the mask is 0.0.255.255, IOS will ignore the third octet and the config will become

access-list 1 permit 192.168.0.0 0.0.255.255

I believe that @luis_cordova has identified the issue correctly as relating to the default route. But I do not agree with his suggested solution

ip route 0.0.0.0 0.0.0.0 g0/0

Instead I suggest this:

ip route 0.0.0.0 0.0.0.0 dhcp

A static route specifying only the outbound interface, where that interface is Ethernet, is problematic. A better solution is to configure the default route as originating from DHCP.

 

HTH

 

Rick
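The two points made above, the wildcard mask that IOS normalizes to 192.168.0.0 and the missing explicit default route, can be checked mechanically before a config is pushed. The script below is an added example written for this page, not code from the thread, from Cisco or from any poster. It parses a constructed excerpt of the original config (indented the way show running-config prints it; the indentation and the wording of the findings are assumptions of mine), normalizes each standard-ACL entry the way IOS does, checks whether every ip nat inside interface is covered by the NAT ACL, looks for an explicit default route, and adds one defensive check the thread does not discuss: whether the vty lines still accept cleartext telnet.

```python
"""Added lint for the IOS NAT / ACL / default-route points raised in this thread."""
import ipaddress
import re

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed excerpt of the original poster's config (relevant lines only,
# indented the way 'show running-config' prints them; indentation assumed).
ORIGINAL_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 192.168.1.1 255.255.0.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.255.255
line vty 0 4
 login local
 transport input telnet
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Return the network an IOS standard-ACL entry really matches.

    IOS compares only the address bits whose wildcard bit is 0, so address
    bits under a 1 in the wildcard are ignored: 192.168.1.0 0.0.255.255 is
    stored and matched as 192.168.0.0 0.0.255.255.  Only contiguous wildcards
    (those equivalent to a prefix length) are accepted here.
    """
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF
    if ((mask | (mask - 1)) & 0xFFFFFFFF) != 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((a & mask, bin(mask).count("1")))


def parse(config: str) -> dict:
    """Extract interfaces, NAT ACL entries, default route and vty transport settings."""
    facts = {"interfaces": {}, "acls": {}, "nat_acl": None,
             "default_route": False, "vty": {}}
    section = None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):            # top-level command: new section
            section = None
            if m := re.match(r"interface (\S+)", line):
                section = facts["interfaces"].setdefault(m.group(1), {})
            elif line.startswith("line vty"):
                section = facts["vty"]
            elif m := re.match(r"ip nat inside source list (\d+) interface", line):
                facts["nat_acl"] = m.group(1)
            elif m := re.match(rf"access-list (\d+) permit {IP} {IP}", line):
                facts["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
            elif re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 ", line):
                facts["default_route"] = True
            continue
        if section is None:                     # sub-command of a section we ignore
            continue
        cmd = line.strip()
        if m := re.match(rf"ip address {IP} {IP}", cmd):
            section["network"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
        elif cmd in ("ip nat inside", "ip nat outside"):
            section["nat"] = cmd.split()[-1]
        elif cmd.startswith("transport input "):
            section["transport_input"] = cmd.split()[2:]
    return facts


def lint(config: str) -> list[str]:
    """Report the issues the replies point at, plus a vty transport hygiene check."""
    f = parse(config)
    findings = []
    if not f["default_route"]:
        findings.append("no explicit default route; the thread suggests "
                        "'ip route 0.0.0.0 0.0.0.0 dhcp' to use the gateway learned on the WAN")
    roles = {i.get("nat") for i in f["interfaces"].values()}
    if not {"inside", "outside"} <= roles:
        findings.append("NAT needs both an 'ip nat inside' and an 'ip nat outside' interface")
    matched = []
    for addr, wc in f["acls"].get(f["nat_acl"], []):
        net = wildcard_to_network(addr, wc)
        if str(net.network_address) != addr:    # the case Rick describes above
            findings.append(f"access-list {f['nat_acl']} permit {addr} {wc}: address bits under "
                            f"the wildcard are ignored, so IOS matches {net}")
        matched.append(net)
    for name, i in f["interfaces"].items():
        if i.get("nat") == "inside" and "network" in i \
                and not any(i["network"].subnet_of(m) for m in matched):
            findings.append(f"{name} subnet {i['network']} is not covered by NAT ACL {f['nat_acl']}")
    transports = f["vty"].get("transport_input", [])
    if "telnet" in transports or "all" in transports:
        findings.append(f"line vty 'transport input {' '.join(transports)}' permits cleartext "
                        "telnet management; restrict it to ssh")
    return findings


if __name__ == "__main__":
    for finding in lint(ORIGINAL_CONFIG):
        print("-", finding)
```

Run against the excerpt it reports the missing explicit default route and the telnet vty; against the ACL line suggested earlier in the thread (192.168.1.0 0.0.255.255) it additionally reports that IOS will match 192.168.0.0/16, which is why that change would have had no effect on the NAT match.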

@Richard Burts good catch, maybe my typo...

BB

Hello Richard,

Very good notes, rated as they deserve.

A default static route like

ip route 0.0.0.0 0.0.0.0 gi0/0

relies on proxy ARP being enabled on the upstream router (which may or may not be the case) and creates scalability issues, as it causes an ARP request for each internet destination address, making the ARP table grow over time.

 

Edit:

Balaji is correct about the need to resize the DHCP pool to reflect the effective subnet on the gi0/2 interface.

 

Hope to help

Giuseppe

@balaji.bandi easy mistake to make. And frankly I wonder whether the original config of the interface

interface GigabitEthernet0/2
ip address 192.168.1.1 255.255.0.0

really intended to use the /16 mask or if that was a typo. But if that is the mask of the interface then 0.0.255.255 needs to be the mask of the acl.

 

@Giuseppe Larosa yes, those were some of the aspects I had in mind when I said that a static route specifying only the outbound interface was problematic. I see more and more frequently networks which disable proxy ARP because of the potential security issues. Thanks for the rating.

 

HTH

 

Rick

Cheers, and noted both notes...

Waiting for the original poster's feedback.

BB

kram106
Level 1
Accepted Solution

Hi all, thank you for your help. I ended up changing the local IP range to 172.16.0.0 255.255.0.0; the internet modem plugs into G0/1, and the LAN switch plugs into G0/2. The range 172.16.1.2 to 172.16.1.254 is excluded for servers with a static IP. For future reference, here is my working config:


version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.254
!
ip dhcp pool sdm-pool1
import all
network 172.16.0.0 255.255.0.0
default-router 172.16.1.1
!
!
!
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/1
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.16.1.1 255.255.0.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
!
access-list 1 permit 172.16.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
