07-01-2013 06:44 PM - edited 03-04-2019 08:21 PM
Hi There,
This is the first time I am posting and I would greatly appreciate any assistance. I am very new to Cisco but have been forced to set up a router and create a VPN tunnel for a client. My boss usually does this but he is away. The 1941 router has been set up with a HWIC ADSL POTS card. G0/0 and G0/1 have been connected to a Netgear switch. I am able to ping www.google.com when testing the G0/1, which I have set up as the WAN address using the following configuration. However, every time I test the G0/0, which is set up as the LAN connection, an error is generated; see the attached jpg. I know that I must be doing something very silly at a basic level due to my lack of experience setting these up. So pleaaaaaaase help. I can get a successful connection using dialer0 as well.
Current configuration : 4390 bytes
!
! Last configuration change at 01:16:16 UTC Tue Jul 2 2013 by xxxxx
! NVRAM config last updated at 01:15:22 UTC Tue Jul 2 2013 by xxxxx
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 UQ4kLcMLPduKnYFuGjADhK5FbzxkwEeZ574RYMhJgcQ
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip dhcp pool dsl_dhcp
import all
network 10.10.10.0 255.255.255.248
dns-server 203.109.129.67
default-router 10.10.10.1
!
!
ip name-server 203.109.129.67
ip name-server 203.109.129.68
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1185227679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1185227679
revocation-check none
rsakeypair TP-self-signed-1185227679
!
!
crypto pki certificate chain TP-self-signed-1185227679
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FGL170220QK
license boot module c1900 technology-package securityk9
!
!
username xxxxx privilege 15 password 7 03326F5A16037319
username xxxxx privilege 15 password 7 13540346181F55393F
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ES_LAN$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description DSL Interface
no ip address
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 0300585F0C0820471A
ppp pap sent-username xxxxx password 7 0300585F0C0820471A
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list dsl_accesslist interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended dsl_accesslist
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
07-01-2013 06:54 PM
Already asked in another thread
https://supportforums.cisco.com/thread/2226111?tstart=0
Please avoid posting duplicates.
07-01-2013 06:56 PM
Thanks,
I had accidentally posted the same question twice....have removed it now....sorry.
07-01-2013 07:22 PM
Hi Vinodh,
First of all, I cannot find the error message which you said you had attached.
One configuration suggestion: your current ACL for NAT is matching access-list number 1, which is wrong. This has to be replaced with ACL 100. So correct it as below.
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload
or
keep your existing NAT configuration as such and add a new ACL as below.
access-list 1 permit 192.168.1.0 0.0.0.255
Hope that should fix the issue.
Hope that helps
Regards
Najaf
Please rate when applicable or helpful !!!
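The mismatch pointed out in the reply above (a NAT rule referencing list 1 while the configuration only defines ACL 100 and dsl_accesslist) can be checked mechanically before a config is applied. This is an added example, not part of any post in this thread; the function name `audit_nat_acls` is hypothetical and the sample text is constructed from the NAT and ACL lines of the first configuration posted above.

```python
import re

# Constructed sample: the NAT and ACL lines of the first configuration in this thread.
FIRST_CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list dsl_accesslist interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended dsl_accesslist
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
"""

NAT_RULE = re.compile(r"^\s*ip nat inside source list (\S+) ")
NUMBERED_ACL = re.compile(r"^\s*access-list (\d+) (?:permit|deny)\b")
NAMED_ACL = re.compile(r"^\s*ip access-list (?:standard|extended) (\S+)")


def audit_nat_acls(config):
    """Cross-check NAT rules against the ACLs the configuration defines.

    Returns (undefined, not_used_by_nat):
      undefined       - (line_no, acl) for NAT rules whose ACL is never defined
      not_used_by_nat - defined ACLs that no NAT rule references (they may
                        still be used elsewhere, e.g. by an access-group)
    """
    nat_refs, defined = [], set()
    for line_no, line in enumerate(config.splitlines(), start=1):
        if m := NAT_RULE.match(line):
            nat_refs.append((line_no, m.group(1)))
        elif m := NUMBERED_ACL.match(line) or NAMED_ACL.match(line):
            defined.add(m.group(1))
    undefined = [(n, acl) for n, acl in nat_refs if acl not in defined]
    not_used = sorted(defined - {acl for _, acl in nat_refs})
    return undefined, not_used


if __name__ == "__main__":
    undefined, not_used = audit_nat_acls(FIRST_CONFIG)
    for line_no, acl in undefined:
        print(f"line {line_no}: NAT rule references undefined ACL {acl!r}")
    for acl in not_used:
        print(f"ACL {acl!r} is defined but no NAT rule references it")
```
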
07-01-2013 08:06 PM
Hi Najaf,
thanks very much for your speedy reply. However changing those settings did not make a difference. Further I have attached the error message I receive when I test the connection using Cisco Configuration Professional (PC edition).
Thanks very much for your suggestion.
vinodh
07-01-2013 08:19 PM
Hi,
Could you please share the latest configuration you have applied now? Do you have any PC from which you are testing this internet connection? If so, what IP address/subnet mask/gateway and DNS are you using on the PC? Can you get the output of "show ip nat trans" from the router at the time when you try to access the internet?
Regards
Najaf
Please rate when applicable or helpful !!!
07-01-2013 09:09 PM
Hi again Najaf,
Thanks so much for all your help. The internet connection is working now but I am still getting the same error when I test the connection using Cisco Configuration Professional. The first time I made those changes you recommended it made no difference and I had no internet connection. A couple of times taking the DSL cable in and out did the trick (not to say that this was the solution....hehehe). It would be good to get it sorted I guess and very useful for others watching this thread. Also, since I have to set up a site-to-site VPN tomorrow I want to make sure that my configuration is suitable for this task. What do you think?
My PC - ip address: 192.168.1.10 Mask: 255.255.255.0 Router/ Gateway: 192.168.1.1
I made the change you recommended:
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 100 interface Dialer0 overload
Here's the new configuration.
Current configuration : 4493 bytes
!
! Last configuration change at 03:43:45 UTC Tue Jul 2 2013 by xxxx
! NVRAM config last updated at 03:44:16 UTC Tue Jul 2 2013 by xxxx
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname whouseipl
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 UQ4kLcMLPduKnYFuGjADhK5FbzxkwEeZ574RYMhJgcQ
!
no aaa new-model
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
ip dhcp pool dsl_dhcp
import all
network 10.10.10.0 255.255.255.248
dns-server 203.109.129.67
default-router 10.10.10.1
!
ip dhcp pool whouseipl
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
!
!
ip name-server 203.109.129.67
ip name-server 203.109.129.68
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1185227679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1185227679
revocation-check none
rsakeypair TP-self-signed-1185227679
!
!
crypto pki certificate chain TP-self-signed-1185227679
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FGL170220QK
license boot module c1900 technology-package securityk9
!
!
username ipladmin privilege 15 password 7 03326F5A16037319
username itassist privilege 15 password 7 13540346181F55393F
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ES_LAN$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description DSL Interface
no ip address
ip nat outside
ip virtual-reassembly in
no ip route-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 0300585F0C0820471A
ppp pap sent-username xxxxx password 7 0300585F0C0820471A
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source list dsl_accesslist interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended dsl_accesslist
permit ip 10.10.10.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Results of "show ip nat trans"
This was performed soon after I tested the connection using CCP.
whouseipl#show ip nat trans
Pro  Inside global         Inside local          Outside local         Outside global
udp  27.252.199.19:54353   192.168.1.10:54353    203.109.129.67:53     203.109.129.67:53
tcp  27.252.199.19:60393   192.168.1.10:60393    74.125.237.133:80     74.125.237.133:80
tcp  27.252.199.19:60421   192.168.1.10:60421    77.234.43.52:80       77.234.43.52:80
tcp  27.252.199.19:60815   192.168.1.10:60815    74.125.237.151:443    74.125.237.151:443
tcp  27.252.199.19:60910   192.168.1.10:60910    65.52.245.253:80      65.52.245.253:80
tcp  27.252.199.19:60912   192.168.1.10:60912    203.109.179.11:80     203.109.179.11:80
tcp  27.252.199.19:60913   192.168.1.10:60913    203.109.179.11:80     203.109.179.11:80
tcp  27.252.199.19:60914   192.168.1.10:60914    157.56.29.215:80      157.56.29.215:80
tcp  27.252.199.19:60915   192.168.1.10:60915    65.52.245.253:80      65.52.245.253:80
tcp  27.252.199.19:60919   192.168.1.10:60919    65.52.244.89:80       65.52.244.89:80
tcp  27.252.199.19:60921   192.168.1.10:60921    203.109.179.16:80     203.109.179.16:80
tcp  27.252.199.19:60924   192.168.1.10:60924    65.52.244.89:80       65.52.244.89:80
tcp  27.252.199.19:60925   192.168.1.10:60925    157.56.29.215:80      157.56.29.215:80
tcp  27.252.199.19:60927   192.168.1.10:60927    203.109.179.33:80     203.109.179.33:80
tcp  27.252.199.19:60930   192.168.1.10:60930    157.55.60.55:80       157.55.60.55:80
tcp  27.252.199.19:60932   192.168.1.10:60932    203.109.179.16:80     203.109.179.16:80
tcp  27.252.199.19:60934   192.168.1.10:60934    74.125.237.137:80     74.125.237.137:80
tcp  27.252.199.19:60936   192.168.1.10:60936    74.125.237.143:80     74.125.237.143:80
whouseipl#
Thank you very much
Vinodh
07-01-2013 09:23 PM
Hi Vinodh,
Good to hear that internet is working fine. The configurations are fine.
Regarding the error on the CCP, may I know exactly when you're getting this error? What exactly are you doing on CCP when you see this error?
Regards
Najaf
07-01-2013 10:11 PM
Hi Najaf,
I get this error when I use CCP version 2.7. I go into the interfaces option and check each interface: g0/0, g0/1, dialer0. It does a test ping to Cisco servers. I have tried with Google servers as well. When I try this with the g0/0 (the internal LAN interface) I get the error that can be viewed on the jpg image attached. I will continue to try and figure out why this is. Hopefully somebody from the forum might have an idea why.
Thanks
Vinodh
07-02-2013 12:51 AM
Hi Vinodh,
Unfortunately I don't have any option to test this as I have not worked on CCP yet. I think you don't have to worry much about it as long as internet is working fine for clients. I agree with you that it is good to know the reason why this is not working from CCP for the same :-)
Regards
Najaf