C1111-8PWA Can’t Access the Internet

90-Lowrider
Level 1

My computer can reach the router, the router can reach the ISP (Spectrum), the ISP can reach the DNS server but the ISP can’t reach the internet. In the webgui it fails the WAN test.
Here is my configuration:

Building configuration...

Current configuration : 6828 bytes
!
! Last configuration change at 21:58:42 UTC Sun Oct 27 2024 by webui
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname Router
!
boot-start-marker
boot system flash bootflash:c1100-universalk9.17.12.04.SPA.bin
boot system flash bootflash:c1100-universalk9.17.06.06.SPA.bin
boot-end-marker
!
!
no aaa new-model
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.5
!
ip dhcp pool WEBUIPool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
vtp version 1
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
hash sha256
!
crypto pki trustpoint TP-self-signed-487901599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-487901599
revocation-check none
rsakeypair TP-self-signed-487901599
hash sha256
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-487901599
certificate self-signed 01
quit
!
!
diagnostic bootup level minimal
!
license udi pid C1111-8PWA sn FGL2431LFHE
memory free low-watermark processor 71801
!
spanning-tree extend system-id
!
!
username webui privilege 15 secret 9 $9$BDVYd55Df0uqGU$lw/tQgAVg3YfpcRXE9Re9n8Kx33n1Nem.qXvrEJeyU.
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
switchport
!
interface GigabitEthernet0/1/7
switchport
!
interface Wlan-GigabitEthernet0/1/8
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map track-primary-if interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip ssh bulk-mode 131072
!
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
length 0
transport input ssh
line vty 5 30
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end

 


Arthur

Thanks for the update. Glad to see that the issue with the ACL ahp or ip is resolved. I suggest a couple things to check on:

- the configuration for NAT refers to Inside_Pool. But I do not find that in the config. In the config I see Pool_ACL. Is that what was intended?

- I am wondering if there is some issue about DNS. So if you are connected to the router can you ping 8.8.8.8? If that works can you ping google.com?

- and the same questions if you are on a PC connected to the router?

HTH

Rick

I was using a little trial and error. When setting up the PAT using a pool I tried the WEBUIPool as defined above. I also tried defining a new pool which I called Inside_Pool. In reading on how to set up PAT I learned that one defines a pool of private IP addresses the system uses to PAT and I was trying to set it up that way. I also tried setting up the inside as an interface and tried VLAN1 but that did not work either.

I cannot ping 8.8.8.8.  I've been using the WAN test in the GUI and it tries to ping 8.8.8.8 but I think it fails.  It does access the DNS server and provides 2 addresses.  Does that mean that it can ping Google's DNS servers?

Arthur

Thanks for the additional information. If you are not able to ping 8.8.8.8 then it suggests that there may be issues with NAT. Would you post the current running config (or if you do not want the entire running config then post all the parts that relate to NAT)?

Also it might be helpful if you would post the output of traceroute (or tracert or whatever depending on your OS) to 8.8.8.8.

HTH

Rick

Not sure how to post output of traceroute but can research when I am at the machine.  I am looking at trying to use the interface when configuring NAT so please examine VLAN 1 in the config. I am assuming one can use a VLAN as an inside interface otherwise I guess I would have to define all 8 L2 Ethernet ports as inside?

Arthur

Thanks for posting the config. Looking at the ip nat statement it references an acl named Inside_Pool. But there is not any acl with that name. The acl in the config is Pool_ACL. You need to either change the ip nat statement to point to the acl that does exist or you need to configure an acl that matches what is referenced in the ip nat statement.

Yes using vlan 1 as the inside interface is ok.

Good point about how to post output of traceroute. I assume that there will be only a couple of lines of output and you could just describe response from first hop is x.x.x.x, response from next hop is y.y.y.y, etc to the point where there is no response.

HTH

Rick
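The mismatch described in the reply above (a NAT statement naming an ACL that is not defined) can be caught mechanically before a config is loaded. The following is an added example, not part of the original thread: `lint_nat_references` is a hypothetical helper and the sample config is constructed from the names mentioned in the discussion.

```python
import re

# Constructed sample modelled on the thread: NAT names ACL "Inside_Pool" while
# only "Pool_ACL" is defined; the route-map matches ACL 197 (as in the first
# post's route-map), and no ACL 197 is defined in this sample.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip nat outside
interface Vlan1
 ip nat inside
ip access-list standard Pool_ACL
 permit 192.168.1.0 0.0.0.255
ip nat inside source list Inside_Pool interface GigabitEthernet0/0/0 overload
route-map track-primary-if permit 1
 match ip address 197
 set interface GigabitEthernet0/0/0
"""

def lint_nat_references(config: str) -> list[str]:
    """Return findings for NAT and route-map references to undefined objects."""
    acls, route_maps, findings = set(), set(), []
    lines = [raw.strip() for raw in config.splitlines()]
    for line in lines:  # pass 1: collect what is actually defined
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"access-list (\d+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"route-map (\S+) (?:permit|deny)", line):
            route_maps.add(m.group(1))
    for line in lines:  # pass 2: check every reference against the definitions
        if m := re.match(r"ip nat inside source list (\S+)", line):
            if m.group(1) not in acls:
                findings.append(f"NAT references undefined ACL {m.group(1)}")
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            if m.group(1) not in route_maps:
                findings.append(f"NAT references undefined route-map {m.group(1)}")
        elif m := re.match(r"match ip address (?!prefix-list)(.+)", line):
            for name in m.group(1).split():
                if name not in acls:
                    findings.append(f"route-map matches undefined ACL {name}")
    for role in ("inside", "outside"):  # NAT needs both roles on some interface
        if f"ip nat {role}" not in lines:
            findings.append(f"no interface is marked 'ip nat {role}'")
    return findings

if __name__ == "__main__":
    for finding in lint_nat_references(SAMPLE_CONFIG):
        print(finding)
```
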

In trying so many different configurations I must have deleted the INSIDE_POOL ACL and on the last try not associated with PAT_ACL.  I can fix that this weekend.  In the meantime, do I have this right?  You can configure a PAT using either a pool or an interface?  If you use a pool, all private IP addresses in the pool will be translated to a public address (public address of the router plus a port number).  If you use an interface then all traffic coming across that interface will have the IP address translated.

Arthur

It is easy to mismatch NAT configuration parameters. The good news is that once you identify the mismatch it is pretty easy to correct. 

It is possible to configure NAT using a pool or using an interface. I tend to like using the interface but either should work (assuming that parameters do match).

HTH

Rick

Well, new problem. The Modem (Spectrum) assigns ip address 192.168.100.10 when I power cycle the modem with the router on. I try the WAN test (ping 8.8.8.8) and it then fails saying no ip address assigned. When I check the interface status it then says there is no ip address associated with the WAN interface (gig0/0/0). Prior to the latest changes the modem was assigning a public ip address to the router but no longer. Could my PAT configuration be causing the problem? Config is attached.

I went back to using the interface option for PAT (VLAN1).  External IP address gets assigned but the initial problem persists: the router can access the ISP and the DNS servers but the ISP cannot access the internet.  Most recent config is attached.  I spoke with Spectrum and they said they can only assist with issues of the modem accessing the ISP which it is doing.

Arthur

Thanks for the update. In looking at it I do not understand this part "but the ISP cannot access the internet". Can you help me understand it?

I have a couple of minor points and one more important one.

- Your DHCP pool specifies DNS as the router. But there is not anything in the config about supplying DNS. Perhaps delete that line? Or point DNS to an established server?

- A couple of the G0/1/x interfaces specify switchport and the others do not. I am not sure that it is significant but the inconsistency makes me wonder.

- Your default route specifies only the output interface. In a previous post I identified this as a potential problem. I would suggest that you change it to ip route 0.0.0.0 0.0.0.0 dhcp

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

HTH

Rick

Thanks Rick. The DNS server line came from the instructions in the configuration manual. I'm not sure why ports 6 and 7 are listed as switchport. I didn't specify that. I have been using port 5 with my Mac to access the GUI. I cannot ping 8.8.8.8 or google.com from the router. The WAN test in the GUI shows the router accessing the ISP (with the assigned public IP address) and it accessing the 2 DNS servers but the connection to the internet fails. I also tried a few pings but same result. On the IP route, I think the GUI assigns it and when the WAN port (gig0/0/0) is assigned an IP address that becomes the destination of last resort.

Could there be an issue with port assignment? I noticed there is a section on ports in the GUI.

Arthur

The DNS server line is a minor point. And I am not sure that it is an issue and suggest that we not worry about it until after we get other things working. Most of my experience is with CLI not GUI, and I find that sometimes GUI assumes things that might not be accurate in the local situation. After we solve the issue with Internet connectivity/routing you can come back and evaluate whether the DNS statement needs to change.

And similarly with the switchport line. I assume that all of the interfaces in G0/1/x function as switch ports. Not sure why only 2 of them explicitly configure that. And suggest that you wait to spend time on this till we have solved the other routing issue.

I am wondering about this "I cannot ping 8.8.8.8 or google.com from the router". I have been assuming that the problem was access from a device connected to the Cisco router. If you are in the router management interface and can not ping 8.8.8.8 then we have a different issue to work on.

You ask "Could there be an issue with port assignment?" I am inclined to believe that the issue(s) are not about port assignment. Let's figure out issues using the management interface before we worry about port assignments.

I am puzzled about this "when the WAN port (gig0/0/0) is assigned an IP address that becomes the destination of last resort". The router WAN port is not the destination of last resort. The destination of last resort will be an address in the ISP network.

HTH

Rick