Mark

There are a couple of things that I would like to understand better which might point us toward understanding the issue. You have a DHCP scope configured for 192.168.3.0 but I do not see where that network is being used. Can you clarify this?

Also you have two vlans configured (10.10.30.0 and 10.10.50.0). Which vlan are you connected to when you are trying to ping?

The interface descriptions mention FW. Is there a firewall in your environment? If so where is it and what is its security policy? This might well be the cause of your issue.

When people have a problem with a router which can ping from the router but not ping from connected PC the most common cause of the problem is failure to nat. I see that you do have nat configured for 10.10.30.0 but not for 10.10.50.0. Is this intentional?

HTH

Rick

Thanks for the quick reply Rick. 

Both the 2nd DHCP pool and the second network are for guest access to the WAP after I get up and running. I've slimmed things down trying to eliminate potential problems to no avail yet. 

When im able to ping out I'm connected to 10.10.30.0, Vlan1. 

I've removed the firewall configuration, again in order to simplify and eliminate issues until it's working. I figure  I can add things back in once I can connect.   There is no external firewall. 

As for NAT, again I'm not using the second Vlan yet so I didn't configure NAT for it. I'm connected to the other Vlan, 10.10.30.0. 

I've been thinking I have something wrong in the routing or am missing a command to direct the internal traffic out. 

Would it help if I cleaned up the configuration to remove the parts I'm not using for now like I've done with the firewall and second Vlan and such?

Thanks again  I really appreciate the time and response  

Mark

Mark

Thank you for the clarifications. Sometimes when troubleshooting an issue it is helpful to remove parts that you are not using. It makes it easier to focus on the parts that do matter.

I have looked at your routing and wonder if that is indeed the issue. You have this default route:

ip route 0.0.0.0 0.0.0.0 209.254.254.254

Where did the 209.254.254.254 come from? Since you are using DHCP to get the address on the outside interface I wonder if a default route like this would be better:

ip route 0.0.0.0 0.0.0.0 dhcp

HTH

Rick

Rick,

the 209.254.254.254 (actually correct in this configuration) is the gateway that my old router showed from my ISP.  If I change it to DHCP I can no long ping out from the router to any IP addresses or domain names.  When I change back to the Gateway, I can again access out from the router.

It still feels like its an access issue.  Do I have something messed up in the access list?  Seems it about has to be that or the NAT?

Here is a cleaned up configuration.  Thanks again for the help!

Current configuration : 3032 bytes
!
! Last configuration change at 13:17:01 GMT Wed Aug 19 2015
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$PnAk$m9FlGd5loi3txxPzW.xyQ/
enable password xxxxxx
!
no aaa new-model
clock timezone GMT -9 0
clock summer-time Alaska date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
ip cef
!
!
!
ip dhcp excluded-address 10.10.30.1 10.10.30.25
ip dhcp excluded-address 10.10.30.150 10.10.30.254
!
ip dhcp pool Router-LAN
 import all
 network 10.10.30.0 255.255.255.0
 default-router 10.10.30.1
 dns-server 216.67.0.2 209.193.0.2
!
ip dhcp pool ccp-pool
 dns-server 216.67.0.2 209.193.0.2
!
!
!
ip domain name Router.net
ip name-server 216.67.0.2
ip name-server 209.193.0.2
no ipv6 cef
!
!
license udi pid C881W-A-K9 sn FTX192680JP
!
!
username xxxx privilege 15 secret 5 $1$FONj$c9D6CuWkKYSltux1l8Bz4/
username xxxx privilege 15 secret 5 $1$NKFi$.PeiSRGm2153rGZIdWFwg1
username xxxx privilege 15 secret 5 $1$5BIz$XWRUCnrUZ5k3mEaNOvIU./
username xxxx privilege 15 secret 5 $1$uMq6$E1GrPuZneUGVez1rJZj0J1
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip address 10.10.20.1 255.255.255.0
 shutdown
!
interface Vlan1
 description LAN-Access$FW_INSIDE$
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer-group 1
 ppp mtu adaptive
 ppp authentication pap callin
 ppp pap sent-username xxxxxx@xxxx.net password 0 xxxxxx
 ppp ipcp dns request
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 209.193.63.232
!
access-list 23 permit 10.10.30.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 password xxxx
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

Awesome Rick!  That did the trick and it's working fine now.

Thanks for all your help.

Mark

Mark

It has been an interesting process trying to figure this out. I am glad that we did find a solution that works. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify posts that have helpful information. I hope to see you continue your participation in the forum.

HTH

Rick