07-01-2012 10:52 AM - edited 03-04-2019 04:50 PM
Hey Cisco community, I'm going through the CCNA training and I'm setting up my DHCP server on my 871 router. I have my cable modem into the WAN port on my router and have 1 host plugged directly into FastEthernet 1. I can ping any IP I want from the IOS prompt but I only have local access from the host. I figure I'm missing something very basic and would very much appreciate any help someone has to offer.
Thanks!
Steve
Here are my settings and ping results:
!
! Last configuration change at 10:38:23 UTC Sun Jul 1 2012 by steve
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-585681807
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-585681807
revocation-check none
rsakeypair TP-self-signed-585681807
!
!
crypto pki certificate chain TP-self-signed-585681807
certificate self-signed 01
quit
dot11 syslog
ip cef
!
!
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.19
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool SQ_DHCP
import all
network 192.168.1.0 255.255.255.0
domain-name home.local
default-router 192.168.1.1
dns-server 68.105.29.15
lease 3
!
!
ip domain name steve.com
!
multilink bundle-name authenticated
!
!
username steve privilege 15 password 0 cisco
!
!
archive
log config
hidekeys
!
!
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN PORT
ip address dhcp
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
!
!
!
!
!
control-plane
!
banner motd ^C
***********************************************
CISCO 871 | LOG OUT NOW
***********************************************
^C
alias exec save copy running-config startup-config
!
line con 0
exec-timeout 30 0
password cisco
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
password cisco
logging synchronous
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
______________________________________
IOS Ping results:
R1#ping google.com
Translating "google.com"...domain server (68.105.28.11) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.224.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms
R1#
____________________________________________________
Host Ping Results:
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : home.local
Link-local IPv6 Address . . . . . : fe80::89f0:a7ad:a347:c59c%13
IPv4 Address. . . . . . . . . . . : 192.168.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\Q1>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Reply from 192.168.1.1: bytes=32 time<1ms TTL=255
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\Users\Q1>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.
C:\Users\Q1>ping 4.2.2.2
Pinging 4.2.2.2 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 4.2.2.2:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
07-01-2012 12:34 PM
You're missing your nat config. Try adding these lines:
ip nat inside source list 100 inter f4 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
int vlan 1
ip nat inside
int fa4
ip nat outside
HTH,
John
07-01-2012 05:56 PM
Wow, thank you so much John! It fired right up!
If it's not too much to ask, is there any way you could explain each of those commands? It would help out greatly in my quest for the CCNA.
Thanks!
Steve
07-01-2012 06:22 PM
Sure!
ip nat inside source list 100 inter f4 overload
This says to nat from the inside using an acl to match on. It will use the ip address that's applied to interface f4. The overload command enables port address translation (PAT), which basically allows many thousands of connections. For example, if you have 2 different web sites open, that would be 2 different ip addresses that you'd be connected to but they are both port 80. So, with port translation you will be seen as:
Inside host address: 192.168.1.5
192.168.1.5:45000 -> 4.4.4.4:80
192.168.1.5:45001 -> 5.5.5.5:80
The router will basically keep state information for these connections. When the return traffic comes back from 5.5.5.5:80 -> 192.168.1.5:45001, the router knows where to deliver the traffic.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
The access-list is referenced in the nat statement. This acl matches all of your internal hosts going to anything on any port. If you want to nat only when going to port 80, then you'd change your acl to reflect that. There are tons of things that you can do with acls. For example with nat, if you wanted to deny 1 person from getting to websites but not deny them from getting to the internet, you could deny them in the above acl and then permit everything else:
access-list 100 deny tcp host 192.168.1.5 any eq 80
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
The 2 entries above would deny host 192.168.1.5 from getting to any standard http websites, but they would be able to get to any secure sites on 443. Basically, if the 1st line doesn't match, they would roll over to the 2nd line, but if the 1st line matches they won't nat out of the router and can't get to websites.
int vlan 1
ip nat inside
int fa4
ip nat outside
These 2 sections enable nat on the interfaces. In order for nat to work, you need to enable at least 1 inside interface and 1 outside interface. You can have multiple inside interfaces using 1 outside interface, you can have multiple outside interfaces with only 1 nat interface, and you can have multiple inside and outside interfaces depending on the situation.
HTH,
John
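The ACL first-match logic and the PAT state table described in the post above, modelled as an added example that is not part of the original thread or of IOS itself. The outside address 203.0.113.10 is a constructed stand-in for whatever FastEthernet4 receives by DHCP, and the port allocation policy (keep the source port if free, else the next free one) is a simplifying assumption.

```python
import ipaddress

# ACL 100 variant from the post: (action, protocol, source, wildcard, dest port).
# Protocol "ip" matches any protocol; dest port None means any port.
ACL_100 = [
    ("deny", "tcp", "192.168.1.5", "0.0.0.0", 80),   # "host 192.168.1.5 any eq 80"
    ("permit", "ip", "192.168.1.0", "0.0.0.255", None),
]

def wildcard_match(addr, base, wildcard):
    """Wildcard mask: 1 bits are ignored, 0 bits must match."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, proto, src, dport):
    """First matching entry decides; no match falls to the implicit deny."""
    for action, a_proto, base, wildcard, a_port in acl:
        if (a_proto in ("ip", proto) and a_port in (None, dport)
                and wildcard_match(src, base, wildcard)):
            return action == "permit"
    return False

class PatRouter:
    """Simplified model of 'ip nat inside source list 100 ... overload'."""
    def __init__(self, outside_ip, acl):
        self.outside_ip, self.acl = outside_ip, acl
        self.out_map = {}  # (proto, inside ip, inside port) -> outside port
        self.in_map = {}   # (proto, outside port) -> (inside ip, inside port)

    def outbound(self, proto, src, sport, dst, dport):
        """Translate an inside packet, or return None if the ACL excludes it."""
        if not acl_permits(self.acl, proto, src, dport):
            return None
        key = (proto, src, sport)
        if key not in self.out_map:
            port = sport                      # keep the source port if it is free
            while (proto, port) in self.in_map:
                port += 1                     # otherwise take the next free one
            self.out_map[key] = port
            self.in_map[(proto, port)] = (src, sport)
        return (self.outside_ip, self.out_map[key], dst, dport)

    def inbound(self, proto, outside_port):
        """Return traffic is delivered only when a translation entry exists."""
        return self.in_map.get((proto, outside_port))
```

A packet arriving on an outside port with no entry in the table has nowhere to go, which is why hosts behind the overload rule are not reachable from outside unless they opened the connection first.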
07-01-2012 09:30 PM
Very much appreciated John!