Solved: Cisco 1811 Config issue

Chris Barron · ‎02-27-2015

For some reason I can not get the config correct on my 1811.

I have been banging my head against this for a week now.

I can not ping 8.8.8.8 from the FE0 interface.

FE1 is the wan interface which goes to a cable modem(dynamic)

FE0 goes to a patchpanel and switch for the LAN

What am I missing? Probably something so obvious its not funny, but I could use some help.

Thanks in advance

Below is my conf

Building configuration...

Current configuration : 1483 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1.*********************
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 *******************************
enable password **********
!
no aaa new-model
!
!
dot11 syslog
no ip routing
!
!
no ip cef
!
!
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
description LAN Interface
ip address 10.10.2.42 255.255.0.0
ip helper-address 10.10.2.99
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
shutdown
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
shutdown
!
interface FastEthernet9
shutdown
!
interface Vlan1
no ip address
no ip route-cache
!
interface Async1
no ip address
encapsulation slip
no ip route-cache
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet1 overload
!
access-list 1 permit any
snmp-server community public RO
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
line aux 0
line vty 0 4
password *****************
login
!
end

router1.*****************#

Jon Marshall · ‎02-27-2015

So your clients are getting an IP but no internet access is that correct ?

If so you need to update your router configuration.

I always use extended acls for NAT as they have always worked for me but if you want you can just modify your existing acl. You cannot use "any" as the source network, you need to specify the network(s).

So -

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface fa1 overload <-- if you have modified your existing acl no need for this.

Jon

View solution in original post

Jon Marshall · ‎02-27-2015

Actually before you do there is a far more fundamental problem I have just noticed.

You have "no ip routing" configured which you obviously need to change ie.

"ip routing"

the other configuration change might be needed but first do the above and see if it works.

Jon

View solution in original post

Jon Marshall · ‎02-27-2015

Do you have a switch connected to fa0 ?

You don't need an ip helper-address for that interface as the IP address of the DHCP server is in the same subnet as the interface IP address eg. 10.10.0.0 255.255.0.0.

So any device would simply go direct to the DHCP server, no need to go via the router interface.

As for fa1 i assume you are not talking about a DHCP address from your internal DHCP server ?

This interface is presumably connected to a modem for internet access is it ?

Finally your NAT statement may well not work but there is no real point in looking at that until we sort out the basic connectivity.

Can you explain exactly how you have it setup in terms of any devices, what your DHCP server is and where is it etc.

Jon

Chris Barron · ‎02-27-2015

Here is the planned network setup

WAN>FE1 (dynamic cable)

FE0>PatchPanel(switch)

everything goes to the patch panel dhcp server is on the patch panel

I am thinking about moving the dhcp server and 2 other servers to the 1811.

DHCP server is ubuntu server using dhcpd

I would like to use 10.10.0.0/16 ip scheme

Jon Marshall · ‎02-27-2015

Is this for internet access ?

Where are you expecting to get a DHCP address from on your WAN interface ?

Jon

Chris Barron · ‎02-27-2015

Yes this is for Internet access, and the dhcp for WAN comes from the cable modem. Already tested that and it works. A sh int f1 shows the dynamic ip assigned to the fe1 interface.

Jon Marshall · ‎02-27-2015

Okay, it's just you said in your first post it wasn't working.

So the issue is at the moment you cannot get your internal clients to get a DHCP address ?

Are there any vlans on the switch or is everything in the same vlan ?

If it is the same vlan with same IP subnet then the issue is not your router it is your DHCP server.

Jon

Chris Barron · ‎02-27-2015

Sorry if I confused you. So when I have FE1 hooked up to the WAN which gets a dynamic IP from the ISP and I have my LAN hooked up to FE0, nothing LAN side can go to the internet. I will edit the original post to reflect this.

The DHCP server at this point is doing what it needs to it appears.

I was trying to test on the existing network before bringing the wan interface down for the whole network. There is only one vlan on the router.

As best I can tell right now FE0 and FE1 do not know that they need to "talk" to each other. Hope this clears somethings up.

Jon Marshall · ‎02-27-2015

So your clients are getting an IP but no internet access is that correct ?

If so you need to update your router configuration.

I always use extended acls for NAT as they have always worked for me but if you want you can just modify your existing acl. You cannot use "any" as the source network, you need to specify the network(s).

So -

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

ip nat inside source list 101 interface fa1 overload <-- if you have modified your existing acl no need for this.

Jon

Chris Barron · ‎02-27-2015

Thanks for your help. I will make those changes and see what happens. I will report back here with the results.

Jon Marshall · ‎02-27-2015

Actually before you do there is a far more fundamental problem I have just noticed.

You have "no ip routing" configured which you obviously need to change ie.

"ip routing"

the other configuration change might be needed but first do the above and see if it works.

Jon

Chris Barron · ‎02-27-2015

Thanks Jon, didnt even see that LOL

I have made those changes and will "go live" later tonight and post results here.

Thanks Again

Chris Barron · ‎03-01-2015

Well after putting the router "in service" I have the same issue as before. FA1 and FA0 dont seem to be "talking" to each other. I have local access but no WAN access.

Any more Ideas?

johnlloyd_13 · ‎03-02-2015

Hi,

Could you the below?

ip cef

ip nat inside source list 1 interface FastEthernet1 overload

access-list 1 permit 10.10.2.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 dhcp

Chris Barron · ‎03-02-2015

Still no glory :(

Here is the current Conf

Building configuration...

Current configuration : 1429 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1.clmamo.cjcomputers.net
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$sO.Y$LvPpLLLEko4P3u3z9Z46s/
enable password ********
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
! 
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description LAN Interface
 ip address 10.10.2.109 255.255.0.0
 ip helper-address 10.10.2.99
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet1 overload
!
access-list 101 permit ip 10.10.0.0 0.0.5.255 any
snmp-server community public RO
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password **********
 login
!
end

Jon Marshall · ‎03-02-2015

The wildcard mask in your acl is wrong. It should be -

access-list 101 permit ip 10.10.0.0 0.0.255.255 any

Jon