Cannot Connect to internet on router through Switch or at client.

Noob_PNA
Level 1

Let me begin by saying that I have a test lab and am working to try and better understand networking and configurations. I am, as the name suggests, a novice in networking, so I will need help, almost a step-by-step walkthrough, of what I have done wrong.

My current configuration on my 1921 router is as follows:

Building configuration...


Current configuration : 9399 bytes
!
! Last configuration change at 07:34:56 CST Wed Jan 11 2023
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.158-3.M7.bin
boot system rom
boot-end-marker
!
!
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
no vlan accounting
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.0.2.2 10.0.2.10
ip dhcp excluded-address 10.0.10.2 10.0.10.5
ip dhcp excluded-address 10.0.10.100
ip dhcp excluded-address 10.0.20.2 10.0.20.5
ip dhcp excluded-address 10.0.20.100
ip dhcp excluded-address 10.0.30.2 10.0.30.5
ip dhcp excluded-address 10.0.30.100
ip dhcp excluded-address 10.0.40.2 10.0.40.5
ip dhcp excluded-address 10.0.40.100
ip dhcp excluded-address 10.0.50.1 10.0.50.15
!
ip dhcp pool Data PC Network
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Voice over IP (VoIP) Network
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Security System - Camera Vlan 20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Server Farm
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices
network 10.0.40.0 255.255.255.0
default-router 10.0.40.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Wireless Access & Guest WiFi
network 10.0.50.0 255.255.255.0
default-router 10.0.50.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Data PC Network Vlan 2 Reservation
host 10.0.2.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.312d.566c.32
!
ip dhcp pool Voice over IP (VoIP) Network Vlan 10 Reservation
host 10.0.10.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.322d.566c.3130
!
ip dhcp pool Security System - Camera Vlan 20 Reservation
host 10.0.20.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.332d.566c.3230
!
ip dhcp pool Server Farm Vlan 30 Reservation
host 10.0.30.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.342d.566c.3330
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices Vlan 40 Reservation
host 10.0.40.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.352d.566c.3430
!
ip dhcp pool Wireless Access & Guest WiFi Vlan 50 Reservation
host 10.0.50.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.362d.566c.3530
!
ip dhcp pool Data PC Network Vlan 2 Reservation (WORK)
host 10.0.2.3 255.255.255.0
client-identifier 0019.92b9.a612
!
ip dhcp pool Voice over IP (VoIP) Network Vlan 10 Reservation (WORK)
host 10.0.10.3 255.255.255.0
hardware-address 0019.92b9.a613
!
ip dhcp pool Security System - Camera Vlan 20 Reservation (WORK)
host 10.0.20.3 255.255.255.0
hardware-address 0019.92b9.a612
!
ip dhcp pool Server Farm Vlan 30 Reservation (WORK)
host 10.0.30.3 255.255.255.0
hardware-address 0019.92b9.a615
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices Vlan 40 Reservation (WORK)
host 10.0.40.3 255.255.255.0
hardware-address 0019.92b9.a616
!
ip dhcp pool Wireless Access & Guest WiFi Vlan 50 Reservation (WORK)
host 10.0.50.3 255.255.255.0
hardware-address 0019.92b9.a617
!
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
rsakeypair TP-self-signed-3717087716
!
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
!
vtp version 2
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "Outside Internet"
ip address dhcp
ip access-group MY_WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip access-group Internal_ACL out
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
description Data \ PC Network
encapsulation dot1Q 2 native
ip address 10.0.2.1 255.255.255.0
ip access-group Internal_ACL out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.10
description Voice over IP (VoIP) Network
encapsulation dot1Q 10
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description Security System - Camera Vlan 20
encapsulation dot1Q 20
ip address 10.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description Server Farm
encapsulation dot1Q 30
ip address 10.0.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
description Internet
encapsulation dot1Q 40
ip address 10.0.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.50
description Wireless Access
encapsulation dot1Q 50
ip address 10.0.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 10
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description Data \ PC Network
no ip address
ip access-group Internal_ACL out
ip nat inside
ip nat enable
ip virtual-reassembly in
vlan-id dot1q 2
description Data \ PC Network
exit-vlan-config
!
!
interface Vlan10
description Voice over IP (VoIP) Network
no ip address
ip nat inside
ip virtual-reassembly in
vlan-id dot1q 10
description Voice over IP (VoIP) Network
exit-vlan-config
!
!
interface Vlan20
description Security System - Camera Vlan 20
no ip address
vlan-id dot1q 20
description Security System - Camera
exit-vlan-config
!
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended External_ACL
deny udp any any eq 80
deny udp any any eq 8080
deny ip any any
ip access-list extended MY_WAN
ip access-list extended internal_ACL
permit tcp any any eq www
permit ip 10.0.2.0 0.0.0.255 any
permit ip 10.0.10.0 0.0.0.255 any
permit ip 10.0.20.0 0.0.0.255 any
permit ip 10.0.30.0 0.0.0.255 any
permit ip 10.0.40.0 0.0.0.255 any
permit ip 10.0.50.0 0.0.0.255 any
!
!
!
access-list 4 permit 0.0.0.0 255.255.255.0
access-list 5 permit 0.0.0.0 255.255.255.0
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end

The problem is I can ping the DNS with success, but I cannot ping any website by name. I get an IP address on the client, but the client has no internet access.

I would appreciate any help that I could get to understand what I am missing.

 

Accepted Solutions

Hello,

Make the changes/additions marked in bold:

Current configuration : 9399 bytes
!
! Last configuration change at 07:34:56 CST Wed Jan 11 2023
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service linenumber
!
hostname Router
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.158-3.M7.bin
boot system rom
boot-end-marker
!
no aaa new-model
clock timezone CST -6 0
clock summer-time CDT recurring
!
no vlan accounting
!
ip dhcp excluded-address 10.0.2.2 10.0.2.10
ip dhcp excluded-address 10.0.10.2 10.0.10.5
ip dhcp excluded-address 10.0.10.100
ip dhcp excluded-address 10.0.20.2 10.0.20.5
ip dhcp excluded-address 10.0.20.100
ip dhcp excluded-address 10.0.30.2 10.0.30.5
ip dhcp excluded-address 10.0.30.100
ip dhcp excluded-address 10.0.40.2 10.0.40.5
ip dhcp excluded-address 10.0.40.100
ip dhcp excluded-address 10.0.50.1 10.0.50.15
!
ip dhcp pool Data PC Network
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Voice over IP (VoIP) Network
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Security System - Camera Vlan 20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Server Farm
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices
network 10.0.40.0 255.255.255.0
default-router 10.0.40.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Wireless Access & Guest WiFi
network 10.0.50.0 255.255.255.0
default-router 10.0.50.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
!
ip dhcp pool Data PC Network Vlan 2 Reservation
host 10.0.2.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.312d.566c.32
!
ip dhcp pool Voice over IP (VoIP) Network Vlan 10 Reservation
host 10.0.10.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.322d.566c.3130
!
ip dhcp pool Security System - Camera Vlan 20 Reservation
host 10.0.20.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.332d.566c.3230
!
ip dhcp pool Server Farm Vlan 30 Reservation
host 10.0.30.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.342d.566c.3330
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices Vlan 40 Reservation
host 10.0.40.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.352d.566c.3430
!
ip dhcp pool Wireless Access & Guest WiFi Vlan 50 Reservation
host 10.0.50.2 255.255.255.0
client-identifier 0063.6973.636f.2d30.3031.382e.6261.3536.2e31.6634.362d.566c.3530
!
ip dhcp pool Data PC Network Vlan 2 Reservation (WORK)
host 10.0.2.3 255.255.255.0
client-identifier 0019.92b9.a612
!
ip dhcp pool Voice over IP (VoIP) Network Vlan 10 Reservation (WORK)
host 10.0.10.3 255.255.255.0
hardware-address 0019.92b9.a613
!
ip dhcp pool Security System - Camera Vlan 20 Reservation (WORK)
host 10.0.20.3 255.255.255.0
hardware-address 0019.92b9.a612
!
ip dhcp pool Server Farm Vlan 30 Reservation (WORK)
host 10.0.30.3 255.255.255.0
hardware-address 0019.92b9.a615
!
ip dhcp pool Internet of Thing (IoT) & Entertainment Devices Vlan 40 Reservation (WORK)
host 10.0.40.3 255.255.255.0
hardware-address 0019.92b9.a616
!
ip dhcp pool Wireless Access & Guest WiFi Vlan 50 Reservation (WORK)
host 10.0.50.3 255.255.255.0
hardware-address 0019.92b9.a617
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3717087716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3717087716
revocation-check none
rsakeypair TP-self-signed-3717087716
!
crypto pki certificate chain TP-self-signed-3717087716
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FTX1520037Y
!
vtp version 2
!
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description "Outside Internet"
ip address dhcp
--> no ip access-group MY_WAN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
--> no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
--> no ip access-group Internal_ACL out
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.2
description Data \ PC Network
encapsulation dot1Q 2 native
ip address 10.0.2.1 255.255.255.0
--> no ip access-group Internal_ACL out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
!
interface GigabitEthernet0/1.10
description Voice over IP (VoIP) Network
encapsulation dot1Q 10
ip address 10.0.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.20
description Security System - Camera Vlan 20
encapsulation dot1Q 20
ip address 10.0.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description Server Farm
encapsulation dot1Q 30
ip address 10.0.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
description Internet
encapsulation dot1Q 40
ip address 10.0.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.50
description Wireless Access
encapsulation dot1Q 50
ip address 10.0.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
switchport access vlan 2
switchport trunk native vlan 2
switchport mode trunk
switchport voice vlan 10
no ip address
!
interface Vlan1
no ip address
!
interface Vlan2
description Data \ PC Network
no ip address
ip access-group Internal_ACL out
ip nat inside
--> no ip nat enable
ip virtual-reassembly in
vlan-id dot1q 2
description Data \ PC Network
exit-vlan-config
!
interface Vlan10
description Voice over IP (VoIP) Network
no ip address
ip nat inside
ip virtual-reassembly in
vlan-id dot1q 10
description Voice over IP (VoIP) Network
exit-vlan-config
!
interface Vlan20
description Security System - Camera Vlan 20
no ip address
vlan-id dot1q 20
description Security System - Camera
exit-vlan-config
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended External_ACL
deny udp any any eq 80
deny udp any any eq 8080
deny ip any any
ip access-list extended MY_WAN
ip access-list extended internal_ACL
permit tcp any any eq www
permit ip 10.0.2.0 0.0.0.255 any
permit ip 10.0.10.0 0.0.0.255 any
permit ip 10.0.20.0 0.0.0.255 any
permit ip 10.0.30.0 0.0.0.255 any
permit ip 10.0.40.0 0.0.0.255 any
permit ip 10.0.50.0 0.0.0.255 any
!
--> access-list 1 permit 10.0.2.0 0.0.0.255
--> access-list 1 permit 10.0.10.0 0.0.0.255
--> access-list 1 permit 10.0.20.0 0.0.0.255
--> access-list 1 permit 10.0.30.0 0.0.0.255
--> access-list 1 permit 10.0.40.0 0.0.0.255
--> access-list 1 permit 10.0.50.0 0.0.0.255
!
--> no access-list 4 permit 0.0.0.0 255.255.255.0
--> no access-list 5 permit 0.0.0.0 255.255.255.0
!
control-plane
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
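
An added example, not part of the original thread and not a Cisco tool: a small Python audit for the problems the accepted answer corrects, namely a NAT source list with no matching ACL, `ip nat enable` mixed with `ip nat inside`/`outside`, and ACL references that are undefined, empty, or differ only in case from the defined name. The function names (`parse`, `audit`) are assumptions made for the example, and the sample input is an excerpt trimmed from the configuration posted above.

```python
import re

# Excerpt of the configuration posted in the question, trimmed for the example.
# Indentation was lost on the page, so the parser does not depend on it.
QUESTION_CONFIG = """\
interface GigabitEthernet0/0
ip access-group MY_WAN in
ip nat outside
ip nat enable
!
interface GigabitEthernet0/1.2
ip access-group Internal_ACL out
ip nat inside
ip nat enable
!
interface GigabitEthernet0/1.10
ip nat inside
!
ip http access-class 23
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended MY_WAN
ip access-list extended internal_ACL
permit tcp any any eq www
permit ip 10.0.2.0 0.0.0.255 any
!
access-list 4 permit 0.0.0.0 255.255.255.0
access-list 5 permit 0.0.0.0 255.255.255.0
"""

# The ACL the accepted answer adds for the NAT source list.
ANSWER_ACL_1 = """\
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 permit 10.0.20.0 0.0.0.255
access-list 1 permit 10.0.30.0 0.0.0.255
access-list 1 permit 10.0.40.0 0.0.0.255
access-list 1 permit 10.0.50.0 0.0.0.255
"""


def parse(config):
    """Return (acls, refs, nat): ACL entry counts, ACL references, NAT modes."""
    acls, refs, nat = {}, [], {}
    iface = named = None  # current interface / named-ACL section, if any
    for line in map(str.strip, config.splitlines()):
        if not line or line.startswith("!"):
            iface = named = None
        elif m := re.match(r"interface (\S+)", line):
            iface, named = m.group(1), None
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            named, iface = m.group(1), None
            acls.setdefault(named, 0)
        elif m := re.match(r"access-list (\d+) (?:permit|deny)\b", line):
            acls[m.group(1)] = acls.get(m.group(1), 0) + 1
            iface = named = None
        elif named and re.match(r"(?:\d+ )?(?:permit|deny)\b", line):
            acls[named] += 1
        elif iface and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            refs.append((f"{iface} access-group {m.group(2)}", m.group(1)))
        elif iface and (m := re.match(r"ip nat (inside|outside|enable)$", line)):
            nat.setdefault(iface, set()).add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            refs.append(("NAT source list", m.group(1)))
        elif m := re.match(r"ip http access-class (\S+)", line):
            refs.append(("HTTP access-class", m.group(1)))
    return acls, refs, nat


def audit(config):
    """Return a list of (kind, where, detail) findings."""
    acls, refs, nat = parse(config)
    findings = []
    for where, acl in refs:
        if acl not in acls:
            # IOS ACL names are case-sensitive, so a near match is a different ACL.
            near = [a for a in acls if a.lower() == acl.lower()]
            if near:
                findings.append(("case-mismatch", where, f"{acl} vs {near[0]}"))
            else:
                findings.append(("undefined-acl", where, acl))
        elif acls[acl] == 0:
            # An access-group that names an ACL with no entries filters nothing.
            findings.append(("empty-acl", where, acl))
    for iface, modes in sorted(nat.items()):
        # 'ip nat enable' (NAT virtual interface) alongside 'ip nat inside/outside'.
        if "enable" in modes and modes & {"inside", "outside"}:
            findings.append(("mixed-nat", iface, ",".join(sorted(modes))))
    referenced = {acl for _, acl in refs}
    findings += [("unused-acl", "global", a) for a in acls if a not in referenced]
    return findings


if __name__ == "__main__":
    for finding in audit(QUESTION_CONFIG):
        print(*finding, sep=" | ")
```

On the question's excerpt this also reports that `ip http access-class 23` names an ACL that is never defined, a point the thread does not raise.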


Richard Burts
Hall of Fame

There are several things about your environment that I am not clear about. But let me start some explanation from this statement: "I get an ip address on the client, but the client has no internet access". I see that the interface uses this ACL:

ip access-group Internal_ACL out

There are permit statements for addresses inside the network. The only permit for any external address is

permit tcp any any eq www

I am puzzled why www would be defined as the destination port. I would think that it would be better if it were the source port. As it stands, the config would deny any traffic from outside to the client network that was not an HTTP request to an inside address. So no ping, no HTTPS, etc.

HTH

Rick

Hello
Change the DHCP scopes to use the local rtr for DNS, also remove the ACL from the WAN interface and test again.


ip dhcp pool Data PC Network
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.2.1

ip dhcp pool Voice over IP (VoIP) Network
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.10.1

ip dhcp pool Security System - Camera Vlan 20
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.20.1

ip dhcp pool Server Farm
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.30.1

ip dhcp pool Internet of Thing (IoT) & Entertainment Devices
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.40.1

ip dhcp pool Wireless Access & Guest WiFi
no dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220
dns-server 10.0.50.1

no ip name-server 8.8.8.8
no ip name-server 8.8.4.4
no ip name-server 208.67.222.222
no ip name-server 208.67.220.220

ip dns server

interface GigabitEthernet0/0
no ip nat enable
no ip access-group MY_WAN in

interface GigabitEthernet0/1
no ip nat enable


interface GigabitEthernet0/1.2
no ip access-group Internal_ACL out
no ip nat enable

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp


Kind Regards
Paul