after IOS upgrade internal machines can not get to the internet

agent2007 · ‎11-05-2007

Hi,

I upgrade the IOS on my cisco 837 router to use the IDS function and after completing machines from the inside can not go to the internet. from the router I can ping out to the internet. can anyone see anything in this config that would be preventing it working?

thanks

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec show-timezone

service timestamps log datetime msec show-timezone

service password-encryption

!

hostname router

!

boot-start-marker

boot system flash c837-k9o3sy6-mz.124-17.bin

boot-end-marker

!

logging buffered 16000 debugging

enable secret xxxxxxxxxx

!

no aaa new-model

clock timezone GMT 0

clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 1:00

ip source-route

no ip gratuitous-arps

!

ip cef

no ip domain lookup

ip name-server 159.134.248.17

no ip bootp server

ip inspect max-incomplete low 10

ip inspect max-incomplete high 20

ip inspect one-minute low 10

ip inspect one-minute high 20

ip inspect udp idle-time 15

ip inspect tcp idle-time 1800

ip inspect tcp finwait-time 1

ip inspect tcp synwait-time 10

ip inspect name MYFW udp alert on audit-trail on

ip inspect name MYFW tcp alert on audit-trail on

vpdn enable

!

username user password xxxxxxxxx

!

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface Ethernet0

ip address x.x.x.x(public address) 255.255.255.248

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

ip tcp adjust-mss 1452

no cdp enable

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

atm vc-per-vp 64

no atm ilmi-keepalive

dsl operating-mode auto

hold-queue 224 in

pvc 8/35

encapsulation aal5snap

pppoe-client dial-pool-number 1 dial-on-demand

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Dialer0

no ip address

no cdp enable

!

interface Dialer1

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1492

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer idle-timeout 14400

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname user

ppp chap password password

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

no ip http server

no ip http secure-server

!

ip access-list extended INTERNET-IN

deny ip any any log

access-list 100 permit ip any any

access-list 100 permit tcp host 1.2.3.4 any log

access-list 100 deny ip any any log

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

line con 0

exec-timeout 0 0

login local

no modem enable

transport preferred none

transport output none

stopbits 1

line aux 0

login local

no exec

transport preferred none

transport output none

line vty 0 4

access-class TELNET in

exec-timeout 0 0

login local

length 0

transport preferred none

transport input telnet

transport output none

!

scheduler max-task-time 5000

end

spremkumar · ‎11-05-2007

hi

can you do a trace and find out where the packets are getting dropped ?

can you also do a extended ping with source ip address as your ethernet ip ?

do try tracing from router as well as from pc.

from router with extended trace with source ip address as your ethernet ip.

regds

agent2007 · ‎11-05-2007

Hi,

the packets are being dropped on the ethernet interface on the router which connects to the inside hosts.

I can not ping the IP on that interface.

everything was working fine until I performed the upgrade.