4331 Internet Access

gherkin12
Level 1

Good morning all.

 

I'm currently in the process of upgrading from a 2921 to a 4331 (there probably isn't a great deal of difference between the two however I managed to acquire one lol)

 

Anyhow, I'm struggling to get an internet connection. I copied the config from the 2921 to the 4331 thinking that might work; however, although I can ping items on the VLANs I have created, I can't seem to pickup an IP address from the ISP.  Below are the settings from the interface (4331):

interface GigabitEthernet0/0/0
 description **INTERNET CONNECTION**
 ip address dhcp
 ip nat outside
 ip access-group 199 in
 negotiation auto
 ip virtual-reassembly
!

and this one is from the 2921 (which works)

interface GigabitEthernet0/0
 description **INTERNET**
 ip address dhcp
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!

Would anyone be able to point me in the right direction, please?

TIA

Accepted Solutions

Hello,

 

make the changes/additions marked in bold:

 

Current configuration : 3521 bytes
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname RT4331
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
clock timezone PST -8 0
clock summer-time PST recurring
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.100
ip dhcp excluded-address 192.168.2.101
ip dhcp excluded-address 192.168.2.103
ip dhcp excluded-address 192.168.2.2
--> ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.3.1
!
ip dhcp pool vlan 200
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.4.12
!
ip dhcp pool vlan 300
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.4.12
!
subscriber templating
multilink bundle-name authenticated
!
voice-card 0/4
no watchdog
!
license udi pid ISR4331/K9 sn FDO2130203X
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description **INTERNET CONNECTION**
ip address dhcp
ip nat outside
--> no ip access-group 199 in
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description **WIRELESS ACCESS POINT**
switchport access vlan 200
!
interface GigabitEthernet0/1/1
switchport access vlan 300
!
interface GigabitEthernet0/1/2
switchport access vlan 300
!
interface GigabitEthernet0/1/3
description **DELL R710 IDRAC**
switchport access vlan 400
!
interface GigabitEthernet0/1/4
description **DELL R710 GBe INTERFACE**
switchport access vlan 400
!
interface GigabitEthernet0/1/5
description **PI HOLE DNS SERVER**
switchport access vlan 400
!
interface GigabitEthernet0/1/6
description **IRACING RIG**
switchport access vlan 400
!
interface GigabitEthernet0/1/7
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan200
description **WIRELESS NETWORK**
ip address 192.168.2.1 255.255.255.0
ip nat inside
ntp broadcast client
ip virtual-reassembly
!
interface Vlan300
description **NOT SURE YET**
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan400
description **STATIC ADDRESSES**
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface GigabitEthernet0
--> no ip route 0.0.0.0 0.0.0.0 192.168.0.1 254
--> ip route 0.0.0.0 0.0.0.0 174.72.148.1 254
--> no ip route 0.0.0.0 0.0.0.0 68.96.211.1 254
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
ip access-list extended RESTRICT_ENTRY_INTERNET
deny tcp any any eq 22
deny tcp any any eq telnet
!
--> no access-list 1 permit any
--> access-list 1 permit 192.168.2.0 0.0.0.255 any
--> access-list 1 permit 192.168.3.0 0.0.0.255 any
--> access-list 1 permit 192.168.4.0 0.0.0.255 any
!
--> no access-list 199 deny tcp any any eq 22
--> no access-list 199 deny tcp any any eq telnet
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end

14 Replies 14

Hello,

 

post the full running configuration of your 4331 router...

gherkin12
Level 1

Current config attached - apologies @Georg Pauwen for not attaching it in the first place

Hi @gherkin12 ,

 

ACL 199 blocks all traffic coming in on the Internet facing interface. Bear in mind that there is an explicit "deny any any" at the end of an ACL. This is the reason you can't get an IP address from your ISP.

 

access-list 199 deny tcp any any eq 22
access-list 199 deny tcp any any eq telnet

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
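
The effect described in the reply above, as an added illustration that is not part of the thread or any poster's code: a minimal first-match ACL evaluator, ending in the deny that closes every ACL, run over constructed packets arriving on the WAN interface. The `Ace` model, the sample packets and the two variant ACLs are assumptions for illustration; addresses are left out because every entry in ACL 199 uses `any any`.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    sport: Optional[int] = None  # None means any source port
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto, sport, dport):
        return (self.proto in ("ip", proto)
                and self.sport in (None, sport)
                and self.dport in (None, dport))

def evaluate(acl, proto, sport=None, dport=None):
    """Return the action of the first matching entry."""
    for ace in acl:
        if ace.matches(proto, sport, dport):
            return ace.action
    return "deny"  # no entry matched: the deny that ends every ACL applies

# ACL 199 as posted in the thread: two deny entries and no permit.
ACL_199_POSTED = [Ace("deny", "tcp", dport=22), Ace("deny", "tcp", dport=23)]
# Hypothetical variants (assumptions, not from the thread): the same denies
# followed by a DHCP-only permit, or by a permit for everything else.
ACL_199_DHCP_ONLY = ACL_199_POSTED + [Ace("permit", "udp", sport=67, dport=68)]
ACL_199_PERMIT_REST = ACL_199_POSTED + [Ace("permit", "ip")]

# Constructed sample packets: (protocol, source port, destination port).
PACKETS = {
    "dhcp_offer": ("udp", 67, 68),        # ISP DHCP server to the router's client
    "ssh_probe": ("tcp", 40000, 22),
    "telnet_probe": ("tcp", 40001, 23),
    "dns_reply": ("udp", 53, 51000),      # return traffic for a LAN client
    "icmp_echo_reply": ("icmp", None, None),
}

def verdicts(acl):
    """Map each sample packet name to the ACL's decision."""
    return {name: evaluate(acl, *pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("posted", ACL_199_POSTED), ("dhcp only", ACL_199_DHCP_ONLY),
                       ("permit rest", ACL_199_PERMIT_REST)):
        print(label, verdicts(acl))
```

The DHCP-only variant lets the lease through but still drops replies to LAN clients, because these entries match each packet on its own with no notion of an existing session.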

Hello


@gherkin12 wrote:

I can't seem to pickup an IP address from the ISP.  Below are the settings from the interface (4331):


First of all remove the access list from the 4331 WAN interface then test again. If that doesn't work, find out the MAC address of the 2921 WAN interface and set that same MAC address on the 4331 WAN interface and then test.

 

4331

int gig0/0/0
mac-address xxxx.xxxx.xxxx
! xxxx.xxxx.xxxx = old MAC address of the 2921 WAN interface

Lastly remove all the static default routes and append just this  -

ip route 0.0.0.0 0.0.0.0 gig0/0/0 dhcp

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

gherkin12
Level 1

Thank you guys, so removed the ACL part and also did the bits in bold from your suggestion @Georg Pauwen.  From the router I can now ping 8.8.8.8 which is great (again thanks for that).  The only bit I couldn't get to work correctly was the:

access-list 1 permit 192.168.x.0 0.0.0.255 any

I couldn't get it to work by putting any at the end, I ended up with

access-list 1 permit 192.168.x.0 0.0.0.255

Now that leads me onto the next question, would that have issues with that gateway getting access to the internet?

Hello,

 

sorry about that, my fault.

 

The access list needs to be:

 

access-list 1 permit 192.168.2.0 0.0.0.255

access-list 1 permit 192.168.3.0 0.0.0.255

access-list 1 permit 192.168.4.0 0.0.0.255

 

Is Internet access working for your LAN clients ?

 

Hello

So just to confirm, your rtr now has IP address allocation and can reach the internet?

sh ip int brief


What do you mean by gateway - do you mean your lan clients?



Kind Regards
Paul

gherkin12
Level 1

No problem @Georg Pauwen, managed to get that part sorted, and in response to your last part, no, the clients can't seem to get to the internet.  They can ping the gateway (so on the computer I'm testing it on, 192.168.4.1) but can't get to 8.8.8.8, for example.

 

@paul driver the list of the "int br" command.  Please note that the reason GE0/0/0 is down is because it isn't currently connected, however when it is connected it is up (I need to disconnect and reconnect to gain comms to the internet lol).  By gateway I mean the VLAN address - so from my client 192.168.4.13 I'm using 192.168.4.1, VLAN400.

 

RT4331#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   68.224.131.177  YES DHCP   down                  down
GigabitEthernet0/0/1   unassigned      YES NVRAM  administratively down down
GigabitEthernet0/0/2   unassigned      YES NVRAM  administratively down down
GigabitEthernet0/1/0   unassigned      YES unset  down                  down
GigabitEthernet0/1/1   unassigned      YES unset  down                  down
GigabitEthernet0/1/2   unassigned      YES unset  down                  down
GigabitEthernet0/1/3   unassigned      YES unset  down                  down
GigabitEthernet0/1/4   unassigned      YES unset  down                  down
GigabitEthernet0/1/5   unassigned      YES unset  down                  down
GigabitEthernet0/1/6   unassigned      YES unset  up                    up
GigabitEthernet0/1/7   unassigned      YES unset  down                  down
Service-Engine0/4/0    unassigned      YES NVRAM  up                    up
GigabitEthernet0       unassigned      YES NVRAM  administratively down down
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan200                192.168.2.1     YES NVRAM  up                    down
Vlan300                192.168.3.1     YES NVRAM  up                    down
Vlan400                192.168.4.1     YES NVRAM  up                    up
RT4331#

Hello,

 

post the current running configuration again with the changes you have implemented...

gherkin12
Level 1

there we go @Georg Pauwen (apologies in the delay)

Hello

How are your clients connecting to the network?
Are they directly connected to the rtr or via an access switch?
Do your lan clients receive ip address allocation, can they ping their own D/G and the wan ip address of your rtr.



Kind Regards
Paul

Hey Paul

 

My bad, I was using my DNS server address which currently isn't connected, so when changed to 8.8.8.8 it now works.  Apologies for that, schoolboy mistake that one.  Thank you very much guys for your help

Hello,

 

can you ping 8.8.8.8 when sourced from a Vlan interface?

ping 8.8.8.8 source 192.168.2.1
