
Cannot connect to the internet -cisco 887

GEORGE POLYZOS
Level 1

Hello

I am a novice to Cisco and I am asking for your help.

I have a Cisco 887VA.

I configured it two years ago with an ADSL line and it worked fine.

Now I have configured it again with a VDSL line. It syncs and connects with the ISP (it took an IP address), but I can't reach the internet.

 

Please have a look at the running configuration and tell me what to do.

 


Current configuration : 7122 bytes
!
! Last configuration change at 17:34:00 Athens Tue Jul 7 2015
! NVRAM config last updated at 13:16:27 Athens Tue Jul 7 2015
! NVRAM config last updated at 13:16:27 Athens Tue Jul 7 2015
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco887
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5
enable password
!
no aaa new-model
memory-size iomem 10
clock timezone Athens 2 0
clock summer-time Athens date Mar 30 2003 3:00 Oct 26 2003 4:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1627569428
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1627569428
 revocation-check none
 rsakeypair TP-self-signed-1627569428
!
!

        quit
ip source-route
!
!
!
!
!
ip cef
ip name-server 193.92.150.3
ip name-server 194.219.227.2
ip port-map user-protocol--1 port tcp 26430
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1715948E
!
!
!
!
!
!
controller VDSL 0
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface Ethernet0
 description none
 ip address dhcp
!
interface Ethernet0.835
 encapsulation dot1Q 835
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username  password
 ppp ipcp dns request
!
interface Dialer6
 no ip address
 shutdown
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 99 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.10.3
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
dialer-list 4 protocol ip permit
dialer-list 5 protocol ip permit
dialer-list 6 protocol ip permit
dialer-list 7 protocol ip permit
!
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password
 login
 transport input all
!
end

 

Thank you very much

 

 

Accepted Solutions

George,

You may want to check your NAT statements. You have two statements: one uses NAT to map TCP traffic to a specific port, and the other is just for regular NATing of general traffic.

The following command basically tells the router that any packet received on the inside interface with a source IP address of 10.10.10.90 on port 26430 should be translated to whatever IP address you have on Dialer0, using port 26430 as well. This will only work for 10.10.10.90 on port 26430, but not for the rest of your traffic.

ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430

 

You have a second command, which seems to be the one intended for the general traffic. You have the extended ACL 199, which is looking out for any traffic sourced from the 10.10.10.0/24 network, which is on VLAN1. This is fine, but you are telling the router to use Dialer6 to translate, which is not active, so to the router, and for the use of NAT, it does not even exist. You may want to change the command to Dialer0, where you are getting your internet connection from.

Currently configured

interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone

interface Dialer0
 mtu 1492
 ip address negotiated
 ip mtu 1452
 ip nat outside

interface Dialer6
 no ip address
 shutdown

ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430

access-list 199 permit ip 10.10.10.0 0.0.0.255 any

Try using
 ip nat inside source list 199 interface Dialer0 overload


If this does not work, try removing the zone-member command from your Vlan1.

NOTE:
If you ever come across a problem where your users are not able to get out to the internet, then you should try checking whether the router itself is able to get out to the internet by just pinging an external IP from the router itself. If it works, then it means that the router is able to get out to the internet and your problem may be elsewhere, and will most likely be a NATing issue. If you are not able to ping the external address sourced from any of your internal interfaces, then your chances of having a NAT problem will be 99%.

ping 8.8.8.8
ping 8.8.8.8 source vlan1

 

 

Glennmar, it worked.

I used

 ip nat inside source list 199 interface Dialer0 overload

Then I was able to ping the DNS servers, but there was still no internet on my network.

I removed the zone-member command from Vlan1 like you said and everything worked.

Thank you very much for your time and valuable help.

 

 

You're welcome, George.
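
Added example (not part of the original thread, and not Cisco tooling): a Python check over a saved running-config for the two faults found above, a NAT rule bound to a shutdown interface and a NAT interface left outside every security zone while another interface is zoned. The sample lines are a constructed excerpt of the posted config, and the function names are hypothetical. It assumes standard zone-based firewall behaviour, where traffic between a zoned and an unzoned interface is dropped.

```python
import re

# Constructed sample: the NAT- and zone-relevant lines of the config posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 ip nat inside
 zone-member security in-zone
!
interface Dialer0
 ip nat outside
!
interface Dialer6
 shutdown
!
ip nat inside source list 199 interface Dialer6 overload
ip nat inside source static tcp 10.10.10.90 26430 interface Dialer0 26430
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface (\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return findings for NAT rules and zone membership that black-hole traffic."""
    ifs, findings = parse_interfaces(config), []
    for rule in re.finditer(r"^ip nat inside source .*\binterface (\S+)", config, re.M):
        name, cmds = rule.group(1), ifs.get(rule.group(1))
        if cmds is None:
            findings.append(f"NAT rule references undefined interface {name}")
        elif "shutdown" in cmds:
            findings.append(f"NAT rule references shutdown interface {name}")
        elif "ip nat outside" not in cmds:
            findings.append(f"NAT rule references {name}, which lacks 'ip nat outside'")
    zoned = {n for n, c in ifs.items() if any(x.startswith("zone-member ") for x in c)}
    for name, cmds in ifs.items():
        is_nat = "ip nat inside" in cmds or "ip nat outside" in cmds
        if zoned and name not in zoned and is_nat and "shutdown" not in cmds:
            findings.append(f"{name} carries NAT traffic but is in no security zone")
    return findings
```

Removing `zone-member` from Vlan1, as done in the thread, also clears the second finding, but it takes the LAN out of the `ccp-inspect` policy; assigning Dialer0 to `out-zone` is the alternative that keeps inspection, and it is untested here.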
