
Cannot access internet from the LAN interface 2911 Router

Jonathan Nali
Level 1

Hi everyone,

 

I have read the many discussions on this topic but I cannot seem to find an answer for my problem.

My router can reach 8.8.8.8 and the public IP, but it cannot do that from the LAN interface

i.e. "traceroute 8.8.8.8 source 192.168.8.3"

I tried the DHCP, it's working fine. 

Below is my running config

 

 

 

!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp relay information option
ip dhcp relay information trust-all
ip dhcp excluded-address 192.168.11.253
ip dhcp excluded-address 192.168.11.252
ip dhcp excluded-address 192.168.8.1 192.168.8.50
!
ip dhcp pool CAIR-POOL
network 192.168.8.0 255.255.255.0
default-router 192.168.8.3
dns-server 10.10.1.4
domain-name repro.local
!
!
!
no ip domain lookup
ip name-server 8.8.8.8
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2911/K9 sn FGL171911RN
!
!
!
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internet
ip address 192.168.124.6 255.255.255.252
ip helper-address 192.168.124.6
ip directed-broadcast
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip dhcp relay information option-insert
ip address 192.168.8.3 255.255.255.0
ip helper-address 192.168.8.3
ip directed-broadcast
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
ip forward-protocol udp talk
!
no ip http server
no ip http secure-server
!
ip nat source list 111 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.124.5
ip route 192.168.8.0 255.255.255.0 192.168.8.1
ip route 192.168.124.0 255.255.255.252 192.168.124.5
ip route 192.168.124.0 255.255.255.252 192.168.124.2 254
ip route 192.168.124.4 255.255.255.252 192.168.124.5
!
access-list 111 permit ip 192.168.8.0 0.0.0.255 any
!
!

Accepted Solutions

Change this:

ip nat source list 111 interface GigabitEthernet0/0 overload

 

to this:

ip nat inside source list 111 interface GigabitEthernet0/0 overload
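
The mismatch this fix corrects can be caught by a small config check, shown here as an added example that is not part of the original post and is not Cisco tooling. It relies on general IOS behaviour not stated in the thread: `ip nat source` without a direction keyword is the NAT Virtual Interface (NVI) form, which pairs with `ip nat enable` on interfaces, not with `ip nat inside` / `ip nat outside`. The helper name `audit_nat` is hypothetical and the sample is constructed from the NAT-relevant lines of the posted config.

```python
import re

# Constructed sample: NAT-relevant lines of the running config posted in this thread.
SAMPLE = """\
interface GigabitEthernet0/0
ip address 192.168.124.6 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/1
ip address 192.168.8.3 255.255.255.0
ip nat inside
!
ip nat source list 111 interface GigabitEthernet0/0 overload
access-list 111 permit ip 192.168.8.0 0.0.0.255 any
"""
# The accepted fix: add the direction keyword so the rule matches the interface marks.
FIXED = SAMPLE.replace("ip nat source list", "ip nat inside source list")

IFACE = re.compile(r"interface (\S+)")
MARK = re.compile(r"ip nat (inside|outside|enable)")             # interface-level
RULE = re.compile(r"ip nat (?:(inside|outside) )?source (?:list (\S+)|static)\b.*")
ACL = re.compile(r"(?:access-list|ip access-list (?:standard|extended)) (\S+)")

def audit_nat(config):
    """Return findings where NAT rules and interface NAT marks disagree."""
    marks, acls, rules, current = set(), set(), [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := IFACE.fullmatch(line):
            current = m.group(1)
        elif (m := MARK.fullmatch(line)) and current:
            marks.add(m.group(1))
        elif m := RULE.fullmatch(line):
            rules.append((m.group(1), m.group(2), line))
        elif m := ACL.match(line):
            acls.add(m.group(1))
    findings = []
    for direction, acl, line in rules:
        if direction is None and "enable" not in marks:
            findings.append(f"'{line}' is NVI-style but no interface has 'ip nat enable'")
        if direction and not {"inside", "outside"} <= marks:
            findings.append(f"'{line}' needs both 'ip nat inside' and 'ip nat outside' interfaces")
        if acl and acl not in acls:
            findings.append(f"'{line}' references undefined access list {acl}")
    return findings

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE):
        print("FINDING:", finding)
    print("after fix:", audit_nat(FIXED) or "no findings")
```
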


10 Replies 10

balaji.bandi
Hall of Fame

From the device, are you able to ping 8.8.8.8?

What is the outcome of traceroute 8.8.8.8 source 192.168.8.3? Does this work?

On your DHCP, I see dns-server 10.10.1.4. Is this DNS in your network? If not, change this to 8.8.8.8.

Also, explain this route: ip route 192.168.8.0 255.255.255.0 192.168.8.1 (where is 192.168.8.1 located?). If you remove this route, do you see good results?

Can you also post the output below, to understand the issue:

 

show ip nat statistics

Show IP nat translation

Show ip route

show ip access-list

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

 

Thank you for your quick response.

Question 1:

#traceroute 8.8.8.8 source 192.168.8.3
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 192.168.124.5 0 msec 0 msec 4 msec THIS IS THE GW FOR MY 124.6 INTERFACE
2 192.168.124.1 0 msec 4 msec 0 msec THIS IS THE VLAN GW OF OUR ISP
3 192.168.124.2 0 msec 4 msec 0 msec THIS IS THE VLAN IP ADD THAT IS LINKED TO MY 10.10.1.0 NETWORK AT HQ
4 * * *
5

 

QUESTION 2:

10.10.1.4 is the DNS on the LAN network at HQ

 

Question 3:

192.168.8.1 is an internet MIFI where I have also put static routes leading to and through the Cisco router.

Basically, the intention is to one day remove it completely once the internet from HQ can reach the LAN at the branch office.

 

Output 1

#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Destination
[Id: 2] access-list 111 interface GigabitEthernet0/0 refcount 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

 

Output 2:

Nothing

 

 

Output 3

#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.124.5 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.124.5
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
192.168.8.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.8.0/24 is directly connected, GigabitEthernet0/1
L 192.168.8.3/32 is directly connected, GigabitEthernet0/1
192.168.124.0/24 is variably subnetted, 3 subnets, 2 masks
S 192.168.124.0/30 [1/0] via 192.168.124.5
C 192.168.124.4/30 is directly connected, GigabitEthernet0/0
L 192.168.124.6/32 is directly connected, GigabitEthernet0/0

 

 

Output 4:

#sh ip access-list
Extended IP access list 111
10 permit ip 192.168.8.0 0.0.0.255 any

 

 

 

 

I hope this helps

balaji.bandi
Hall of Fame

Thanks, we can see that the source of the internal interface is going out using the ISP network.

I have suggested some route? 192.168.8.1 - what is this IP address?

ip route 192.168.8.0 255.255.255.0 192.168.8.1 (where is 192.168.8.1 located?). If you remove this route, do you see good results?

Do you have any device in 192.168.8.X that can do the same traceroute to 8.8.8.8?

HQ DNS cannot be reached for now, until there is a VPN between you and HQ? (Or is this router in HQ?)

For testing, change to 8.8.8.8; once all is working, you can use HQ DNS.

 

BB


Hi again,

 

192.168.8.1 is an internet MIFI where I have also put static routes leading to and through the Cisco router.

Basically, the intention is to one day remove it completely once the internet from HQ can reach the LAN at the branch office.

 

192.168.8.0 is the LAN network behind interface g0/1 192.168.8.3

Devices at HQ can ping and access devices at Branch and vice versa.

 

I will go ahead and change my DNS and report the results. 

Also, my HQ has a firewall which is 10.10.1.1

Change this:

ip nat source list 111 interface GigabitEthernet0/0 overload

 

to this:

ip nat inside source list 111 interface GigabitEthernet0/0 overload

Good catch "ip nat inside source list 111 interface GigabitEthernet0/0 overload"

 

Missed in Long config.

BB


Wow Aref,

 

And it worked just like that. I've been on this for days.

Thank you so much. 

I will test to see if the LAN device can access internet as well.

Hi Aref and @balaji.bandi ,

 

I have another small problem.

When I do "ip nat outside" on g0/0, my branch office can no longer ping the HQ. How do I resolve that?

Hello,

 

What is the IP address of the HQ?

How should the traffic between the branch and HQ be handled in terms of NAT? NAT'ed or over a VPN tunnel?
