07-07-2015 11:06 AM - edited 03-05-2019 01:49 AM
Hello
I am a novice with Cisco and I am asking for your help.
I have a Cisco 887VA.
I configured it two years ago with an ADSL line and it worked fine.
Now I have configured it again with a VDSL line. It syncs and connects with the ISP (it took an IP address), but I can't reach the internet.
Please have a look at the running configuration and tell me what to do.
Current configuration : 7122 bytes
!
! Last configuration change at 17:34:00 Athens Tue Jul 7 2015
! NVRAM config last updated at 13:16:27 Athens Tue Jul 7 2015
! NVRAM config last updated at 13:16:27 Athens Tue Jul 7 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco887
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1627569428
revocation-check none
rsakeypair TP-self-signed-1627569428
!
!
quit
ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26430
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
description none
ip address dhcp
!
interface Ethernet0.835
encapsulation dot1Q 835
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pppoe-client dial-pool-number 1
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
mtu 1492
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username password
ppp ipcp dns request
!
interface Dialer6
no ip address
shutdown
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 99 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.10.3
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
dialer-list 4 protocol ip permit
dialer-list 5 protocol ip permit
dialer-list 6 protocol ip permit
dialer-list 7 protocol ip permit
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
transport input all
!
end
Thank you Very Much
07-07-2015 10:24 PM
George,
You may want to check your NAT statements. You have two statements: one for using NAT to map TCP traffic to a specific port, and the other one is just for regular NATing of general traffic.
The following command basically tells the router that any packet received in the inside interface with a source IP address of 10.10.10.90 on port 26430 should be translated to whatever IP address you have on Dialer0 using port 26430 as well. This will only work for 10.10.10.90 on port 26430 but not for the rest of your traffic.
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
You have a second command which seems to be the one intended for the general traffic. You have the extended ACL 199, which is looking out for any traffic sourced from the 10.10.10.0/24 network, which is on VLAN1. This is fine, but you are telling the router to use Dialer6 to translate, which is not active, so to the router, and for the use of NAT, it does not even exist. You may want to change the command to Dialer0, where you are getting your internet connection from.
Currently configured
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
mtu 1492
ip address negotiated
ip mtu 1452
ip nat outside
interface Dialer6
no ip address
shutdown
ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
Try using
ip nat inside source list 199 interface Dialer0 overload
If this does not work try removing the zone-member command from your vlan1.
NOTE:
If you ever come across a problem where your users are not able to get out to the internet then you should try checking to see if the router itself is able to get out to the internet by just pinging an external IP from the router itself. If it works then it means that the router is able to get out to the internet and your problem may be elsewhere and will most likely be a NATing issue. If you are not able to ping the external address sourced from any of your internal interfaces then your chances of having a NAT problem will be 99%.
ping 8.8.8.8
ping 8.8.8.8 source vlan1
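The two conditions discussed in this thread, as an added example that is not part of the original posts: a Python check that flags a NAT rule bound to a shut-down interface and a NAT interface left outside the zone-based firewall while its peer is zoned. The config excerpt is constructed from the posted one, and `FIXED_CONFIG` is an assumed remediation that puts Dialer0 in `out-zone` (a zone the posted config defines but assigns to no interface) so that Vlan1 can keep its zone membership.

```python
import re

# Constructed excerpt of the running-config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 ip nat inside
 zone-member security in-zone
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
interface Dialer6
 no ip address
 shutdown
!
ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
"""
# Assumed remediation (not from the thread): PAT on Dialer0, Dialer0 placed in out-zone.
FIXED_CONFIG = (SAMPLE_CONFIG
                .replace("interface Dialer6 overload", "interface Dialer0 overload")
                .replace(" ip nat outside\n", " ip nat outside\n zone-member security out-zone\n"))

def parse_interfaces(config):
    """Map each interface name to its sub-commands; '!' ends a section."""
    interfaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return interfaces

def audit(config):
    """Return (interface, problem) pairs for NAT and zone-membership mismatches."""
    ifs, findings = parse_interfaces(config), []
    for m in re.finditer(r"^ip nat inside source .*\binterface (\S+)", config, re.M):
        cmds = ifs.get(m.group(1))
        if cmds is None or "shutdown" in cmds:
            findings.append((m.group(1), "NAT rule points at a missing or shut-down interface"))
        elif "ip nat outside" not in cmds:
            findings.append((m.group(1), "NAT rule interface lacks 'ip nat outside'"))
    # Zone-based firewall drops traffic between a zoned and an unzoned interface.
    active = {n: c for n, c in ifs.items() if "shutdown" not in c and any(x.startswith("ip nat ") for x in c)}
    zoned = {n for n, c in active.items() if any(x.startswith("zone-member security ") for x in c)}
    findings += [(n, "unzoned while a NAT peer is zoned") for n in sorted(set(active) - zoned) if zoned]
    return findings

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, FIXED_CONFIG):
        print(audit(cfg))
```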
07-08-2015 06:48 AM
I used
ip nat inside source list 199 interface Dialer0 overload
Then I was able to ping DNS Servers but still no internet on my network
I removed zone-member command from vlan1 like you said and everything worked
Thank you Very Much for your time and valuable help
07-08-2015 08:47 AM
You're welcome, George.