
Cisco 2901 set as DHCP unable to ping to internet

j.pewarski
Level 1

Hello,

I need another set of eyes on my config. I am trying to set up my router for a basic connection for the time being. I set my gig 0/0 port to DHCP. I see traffic being sent and received, but I cannot ping 8.8.8.8. I am connected to a basic Comcast modem from 0/0. I have also tried setting gig 0/0 to 100 full. I do have IP routing enabled. I believe I have my ACLs configured correctly. I am wondering at this point if I need a static block of IPs from Comcast. Can someone help me, please? Thanks!

hostname vpn-router-2901

username ****** password *****

enable secret *****

login block-for 45 attempts 2 within 45

login on-failure log

login on-success log

***********************************

SSH CONFIGURATION

***********************************

ip domain name yourdomain.com

crypto key gen rsa gen mod 1024

ip ssh version 2

line vty 0 4

login local

logging synchronous

transport input telnet ssh

line vty 5 15

login local

logging synchronous

transport input telnet ssh

line con 0

login local

logging synchronous

***********************************

SERVICES CONFIGURATION

***********************************

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

***********************************

IP ROUTING CONFIGURATION

***********************************

ip route 0.0.0.0 0.0.0.0 dhcp

ip name-server 75.75.75.75 75.75.76.76

***********************************

INTERFACE CONFIGURATION

***********************************

int g0/0

ip address dhcp

ip nat outside

ip access-group 110 in

ip access-group 110 out

speed auto

duplex auto

logging event link-status

int g0/1

ip address 10.38.241.160 255.255.255.0

logging event link-status

***********************************

SNMP CONFIGURATION

***********************************

access-list 110 permit icmp any any echo

access-list 110 permit icmp any any echo-reply

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit tcp any any eq domain

access-list 110 permit tcp any eq domain any

access-list 110 permit ip any any

!

14 Replies

johnlloyd_13
Level 9

hi jeffrey,

you'll need to specify your inside NAT interface and ACL.

could you post show run and show ip route output?

I will. I am not connected now; I will post it tomorrow. Shouldn't I still be able to ping even though I don't have anything connected to g 0/1? I did put ip nat inside on my running config. As for show IP route, nothing is in the routing table. Do I still need dynamic routing protocols? I wouldn't assume so if I'm just trying to ping out from the router?

yes, you should be able to ping IP address or hostname from your 2901.

as for the blank routing table, make sure your 2901 can ping the ISP modem/router and ISP device has a similar route back.

I tried that as well; I could not get to the public IP. I tried two different IPs as my gateway: one from whatismyip.com, and another from when I connected the laptop directly to the modem and used the public gateway address that showed on my laptop. Then I finally did 0.0.0.0 0.0.0.0 dhcp and still was not able to ping 8.8.8.8 or the modem. If it helps, my Cisco 0/0 interface is directly connected to my ISP modem. Are you telling me Comcast has to do something on their end to have a route back to me? Would a static IP block from my ISP eliminate these issues?

you'll need to contact your ISP to check if your link is working and what kind of connectivity you've got (static or dynamic IP).

Hello Jeffery,

Just let the interface gig0/0 negotiate with the modem (provided the modem is DHCP-enabled) without ACLs or NAT applied, and then, if successful, apply your restrictions on top.

FYI - your ACL is allowing everything in/out anyway, and the NAT statement hasn't any inside interface or ACL to work with.

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

j.pewarski
Level 1

here is my running config.

Current configuration : 4753 bytes

!

! Last configuration change at 18:02:31 EST-DST Fri Jan 11 2013 by sunkaras

version 15.1

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

!

hostname vpn01.srisun.com

!

boot-start-marker

boot-end-marker

!

no shell processing

!

logging buffered 51200 warnings

enable secret 4 Z6EYME8qXPkweZS1QX2UmrWLnfGrG0PYug0iNqpUDD.

!

no aaa new-model

clock timezone EST-DST -5 0

clock summer-time EST-DST recurring

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip domain name yourdomain.com

ip name-server 75.75.75.75

ip name-server 75.75.76.76

login block-for 45 attempts 2 within 45

login on-failure log

login on-success log

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2351994672

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2351994672

revocation-check none

rsakeypair TP-self-signed-2351994672

!

!

crypto pki certificate chain TP-self-signed-2351994672

certificate self-signed 01


        quit

license udi pid CISCO2901/K9 sn FGL163026HF

!

!

username sunkaras password 7 05070704241D175E41

!

!

ip ssh version 2

!

!

!

!

interface Embedded-Service-Engine0/0

ip address dhcp client-id GigabitEthernet0/0

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$

ip address dhcp

ip access-group 110 in

ip access-group 110 out

ip information-reply

ip nat outside

ip virtual-reassembly in

duplex full

speed 100

!

interface GigabitEthernet0/1

ip address 10.38.241.160 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 dhcp

!

!

access-list 110 permit icmp any any echo

access-list 110 permit icmp any any echo-reply

access-list 110 permit udp any any eq domain

access-list 110 permit udp any eq domain any

access-list 110 permit tcp any any eq domain

access-list 110 permit tcp any eq domain any

access-list 110 permit ip any any

!

!

!

control-plane

!

!

banner motd ^C

                 ======================================

                 =                                    =

                 =                                    =

                 =   UNAUTHORIZED ACCESS PROHIBITED   =

                 =                                    =

                 =                                    =

                 ======================================

        You have reached a confidential and proprietary computing

        network. Unauthorized access is unlawful and may result in

        disciplinary action and / or legal proceedings. Any access

        to this system may be monitored.

^C

!

line con 0

logging synchronous

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

logging synchronous

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

logging synchronous

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 128.102.16.2

ntp server 192.43.244.18

end

j.pewarski
Level 1

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.38.241.0/24 is directly connected, GigabitEthernet0/1

L        10.38.241.160/32 is directly connected, GigabitEthernet0/1

j.pewarski
Level 1

The connection is DHCP, and I removed my ACL and NAT just to test. I still cannot get any pings across. Would this be an ISP problem at this point?

I would check with your ISP to see if that modem is set as a DHCP server, and also query what mode it is currently running at.

bridged = Layer 2 - PPPoE settings are controlled by modem
router = Layer 3 - need to configure PPPoE settings on your router

res

Paul



Hi,

can you do this on G0/0:

ip address dhcp client-id G0/0

shut

no shut

then verify you got infos from DHCP: sh ip int br and sh ip route

if it still ain't working then shut/no shut the interface  while having this debug on: debug dhcp detail

send the logs to the buffer before no shutting the interface:

logging on

logging buffered 1000000 debug

do clear log

then do sh log to see the debug output

Regards.

Alain

Don't forget to rate helpful posts.


You have defined which interfaces to NAT in which direction but have not defined which traffic TO NAT.

Sent from Cisco Technical Support iPad App
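
A way to check a running-config for the two gaps raised in this thread (NAT interfaces marked with no translation rule, and an applied ACL that permits everything), as an added example that is not part of any poster's reply. The `audit` function and the trimmed `SAMPLE` config are constructed for illustration.

```python
import re

# Constructed excerpt of the running-config posted in this thread,
# reduced to the lines that matter for NAT and ACL 110.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group 110 in
 ip access-group 110 out
 ip nat outside
!
interface GigabitEthernet0/1
 ip nat inside
!
access-list 110 permit icmp any any echo
access-list 110 permit udp any any eq domain
access-list 110 permit ip any any
"""

def audit(config):
    """Return findings about NAT completeness and applied ACLs."""
    iface, has_rule, findings = None, False, []
    nat = {"inside": [], "outside": []}
    applied, acls = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line == "!":
            iface = None
        elif (m := re.fullmatch(r"ip nat (inside|outside)", line)) and iface:
            nat[m.group(1)].append(iface)
        elif line.startswith("ip nat inside source "):
            has_rule = True  # a translation rule selects which traffic to NAT
        elif m := re.fullmatch(r"ip access-group (\S+) (in|out)", line):
            applied.setdefault(m.group(1), []).append(f"{iface} {m.group(2)}")
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    for side, ifaces in nat.items():
        if not ifaces:
            findings.append(f"nat: no 'ip nat {side}' interface")
    if any(nat.values()) and not has_rule:
        findings.append("nat: no 'ip nat inside source' rule")
    for name, uses in applied.items():
        entries = acls.get(name, [])
        if ("permit", "ip any any") in entries:
            before = entries[:entries.index(("permit", "ip any any"))]
            if all(action == "permit" for action, _ in before):
                findings.append(f"acl {name}: permits everything ({', '.join(uses)})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
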

Also, make sure the access list is removed from gi0/0. That acl is blocking dhcp.

Sent from Cisco Technical Support iPad App

j.pewarski
Level 1

Hi everyone. I don't have access to the router until Monday night, so I will do all of the above you guys listed last night and look into the PPPoE that pdiver suggested. When I plug a laptop into the modem I can get a DHCP address. I also see packets being sent and received on my g 0/0 when I look at the interface.
