
891FW Configuration Not Working

lyonadmiral
Level 1

The Verizon Fiber connection is not offered with a static IP, which is fine, so I've configured the WAN Gig8 interface to use DHCP.  I can ping by IP or DNS externally from the router.

I'm having trouble configuring the internal interfaces; in my tinkering with the DHCP pool, devices connected to Gig0-7 either get an IP or they don't, but when they do get an IP they can't connect to devices outside.

Am I forgetting a step? NAT pool?

Would appreciate any help... Thank you.

8 Replies

TheGoob
VIP

Not sure this is of any relevance, but this was my 891F config... I did have a block of 6 usable IPs and was using PPPoE, but maybe the NAT and whatnot will be of assistance.


891f

hostname CiscoHOM
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip cef
no ipv6 cef
!
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
!
license udi pid C891F-K9 sn FGL212791GJ
!
username <username> privilege 15 password 0 <password>
!
class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description Home Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description PPPoE xDSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Async3
no ip address
encapsulation slip
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <hostname>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp route default
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INSIDE-TO-OUTSIDE
permit ip host 207.108.121.176 any
permit ip host 207.108.121.177 any
permit ip host 207.108.121.178 any
permit ip host 207.108.121.179 any
permit ip host 207.108.121.180 any
permit ip host 207.108.121.181 any
permit ip host 207.108.121.182 any
permit tcp host 207.108.121.180 any
permit tcp host 207.108.121.180 any eq smtp
permit tcp host 207.108.121.180 any eq 993
permit udp host 207.108.121.177 any eq domain
permit udp host 207.108.121.180 any eq domain
permit udp host 207.108.121.182 any eq domain
ip access-list extended OUTSIDE-TO-INSIDE
permit icmp any host 207.108.121.176
permit icmp any host 207.108.121.177
permit icmp any host 207.108.121.178
permit icmp any host 207.108.121.179
permit icmp any host 207.108.121.180
permit icmp any host 207.108.121.181
permit icmp any host 207.108.121.182
permit udp any host 207.108.121.180 eq domain
permit udp any host 207.108.121.177 eq domain
permit udp any host 207.108.121.182 eq domain
permit tcp any host 207.108.121.180 eq 993
permit tcp any host 207.108.121.180 eq smtp
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
I didn't spot the section in the config where it shows your NAT?

Share the config you tested.

MHM

lyonadmiral
Level 1

LMC#show run
Building configuration...

Current configuration : 2170 bytes
!
version 15.4
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname LMC
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$S8mF$rYL3N5NzVHTUnDirzJPD..
enable password Ku3c9xfr1981!
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
ip dhcp pool internal-pool
network 192.168.254.0 255.255.255.0
default-router 192.168.254.1
dns-server 8.8.8.8 8.8.4.4
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891FW-A-K9 sn FJC2016L1ZM
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip dhcp client lease 1 0 0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
description Uplink to Verizon FIOS
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
no ip address
!
interface Vlan1
description Internal Connections
ip address dhcp
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
snmp-server community public RO
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
password Republic1!
login
transport input none
!
scheduler allocate 20000 1000
!
end

'ip nat outside' under the interface connected to the ISP, that is OK.

But where is "ip nat inside"?

Also, Vlan1 must be the GW for users, and you don't assign an IP to it?

You need to assign an IP to Vlan1 (the same IP you use in the DHCP pool as default router) and add 'ip nat inside' under Vlan1.

And config the NAT pool; you are surely missing it.

MHM

TheGoob
VIP

It appears you have no ZONES configured, INSIDE or OUTSIDE.

Seeing as you have no 'Dialer1', you may have to use your GE8... But more so, I wonder, do you need 'ip nat inside' on your Vlan1?

I would try that first... 'ip nat inside' on Vlan1.

class-map type inspect match-all INSIDE-TO-OUTSIDE-CLASS
match access-group name INSIDE-TO-OUTSIDE
class-map type inspect match-all OUTSIDE-TO-INSIDE-CLASS
match access-group name OUTSIDE-TO-INSIDE
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
class type inspect INSIDE-TO-OUTSIDE-CLASS
inspect
class class-default
drop
policy-map type inspect OUTSIDE-TO-INSIDE-POLICY
class type inspect OUTSIDE-TO-INSIDE-CLASS
pass
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE-TO-INSIDE-POLICY
interface GigabitEthernet0
description Home Wireless
no ip address
zone-member security INSIDE
!
interface GigabitEthernet1
description Email Server
no ip address
zone-member security INSIDE
!
interface Vlan1
ip address 207.108.121.182 255.255.255.248
ip virtual-reassembly in
zone-member security INSIDE
!
interface Dialer1
description PPPoE xDSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1460
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <hostname>
ppp chap password 0 <password>
ppp pap sent-username <username> password 0 <password>
ppp ipcp route default
no cdp enable
Friend, the router works without adding zones; it passes all traffic between interfaces by default.

We can add zones later for more security.

MHM

Max Jobs
Level 1

Hi there,

It sounds like you might be missing a configuration step for Network Address Translation (NAT) on your router. NAT is essential for allowing devices on your internal network (connected to Gig0-7) to communicate with devices outside your network, such as the internet.

Here's a general outline of steps you might need to take:

Configure DHCP on internal interfaces (Gig0-7): Ensure that your router is correctly assigning IP addresses to devices connected to Gig0-7.

Configure NAT (Network Address Translation): This is crucial for allowing devices on your internal network to communicate with devices outside. You typically configure NAT to translate private IP addresses (used internally) to a single public IP address (used externally). This is often referred to as NAT overload or PAT (Port Address Translation).

Example configuration for NAT overload on a Cisco router:

ip nat inside source list <ACL> interface Gig8 overload

Replace <ACL> with the name or number of an access control list that identifies the internal IP addresses you want to translate.

Set up an Access Control List (ACL): This is to identify which traffic should be translated by NAT. You may want to permit traffic from your internal network to the outside world.

Example ACL configuration:

access-list <ACL> permit ip <internal-network> <subnet-mask> any

Replace <internal-network> with the IP address range of your internal network and <subnet-mask> with the appropriate subnet mask.

Apply the ACL to the NAT configuration:

ip nat inside source list <ACL> interface Gig8 overload

This command associates the ACL with the NAT configuration, ensuring that traffic matching the ACL is subjected to NAT.

Verify configuration: After making these changes, ensure that devices on your internal network can now access devices outside (e.g., internet resources). You can also check NAT translations using the command show ip nat translations.
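Pulling MHM's fixes (address on Vlan1, 'ip nat inside', a NAT statement) and Max Jobs's steps together against the values in lyonadmiral's posted LMC config, here is an added example of the minimal change set; it is not from any post in the thread, and the ACL name NAT-INSIDE and the excluded-address line are assumptions.

```cisco
! Added example: minimal NAT overload fix for the posted LMC config.
! Uses the OP's own values (192.168.254.0/24, GigabitEthernet8); the ACL
! name NAT-INSIDE and the excluded-address line are assumptions.
!
! Keep the gateway address out of the range the pool hands to clients.
ip dhcp excluded-address 192.168.254.1
!
! Vlan1 is the inside gateway: it needs the same address the pool
! advertises as default-router (not "ip address dhcp"), and it must be
! marked as the NAT inside interface.
interface Vlan1
 description Internal Connections
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
! The WAN side already had "ip address dhcp" and "ip nat outside".
interface GigabitEthernet8
 description Uplink to Verizon FIOS
 ip address dhcp
 ip nat outside
!
! Only the internal subnet is eligible for translation; anything else
! that reaches the router untranslated is left alone and has no route back.
ip access-list standard NAT-INSIDE
 permit 192.168.254.0 0.0.0.255
!
! PAT (overload) onto whatever address Gig8 currently holds from Verizon,
! so the rule keeps working when the ISP changes the DHCP lease.
ip nat inside source list NAT-INSIDE interface GigabitEthernet8 overload
!
! Verification from a LAN host: ping 8.8.8.8, then resolve a name. On the router:
!   show ip interface brief     (Vlan1 up/up with 192.168.254.1, Gig8 with its DHCP address)
!   show ip nat statistics      (Gig8 listed as Outside, Vlan1 as Inside; Hits increasing)
!   show ip nat translations    (entries whose Inside global is the Gig8 address)
```

If translations never appear while Vlan1 is up, check the ACL first: a packet that does not match NAT-INSIDE is forwarded unchanged and the reply has nowhere to return to.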