Cisco 2911 initial setup

billseymour (Level 1)

I know it's an oldie, but I needed something that could route to multiple subnets here at home... I started the basic setup to do what should be a simple job of getting a lease from my ISP using DHCP, then putting two subnets on my LAN side with all clients able to access the internet. Next up will be to deal with incoming traffic, but I'm just going to get the outgoing working first. I'm connected to the console on the 2911 and configuring it from there. With it set up as I expected it to work, I can ping pretty much anywhere on the Internet from the console, both with IP addresses and URLs. On the LAN side of things my clients get leases and have the correct DNS servers, but they can't ping anything on the internet and can't browse the web. Here's my config, less the personal stuff:

Using 4533 out of 262136 bytes
!
! Last configuration change at 21:10:36 UTC Sun Apr 28 2024 by billsey
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <router>
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip dhcp excluded-address 172.20.0.1
ip dhcp excluded-address 172.20.1.1
ip dhcp excluded-address 172.20.0.248
ip dhcp excluded-address 172.20.0.1 172.20.0.20
!
ip dhcp pool mail-web-pool
 import all
 network 172.20.0.0 255.255.255.0
 default-router 172.20.0.248
 dns-server 71.10.216.1 71.10.216.2
 lease 0 2
!
ip dhcp pool local-pool
 import all
 network 172.20.1.0 255.255.255.0
 default-router 172.20.1.1
 dns-server 71.10.216.1 71.10.216.2
 lease 0 2
!
ip domain name mydomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-806451679
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-806451679
 revocation-check none
 rsakeypair TP-self-signed-806451679
!
!
crypto pki certificate chain TP-self-signed-806451679
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO2911/K9 sn FJC2010A1TJ
!
!
username billsey privilege 15 secret 5 $<password>
!
redundancy
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET_UPLINK
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description INTRANET_MAIL_WEB
 ip address 172.20.0.248 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 description INTRANET_ACCESS
 ip address 172.20.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
!
!
access-list 1 permit 172.20.0.0 0.0.0.255
access-list 2 permit 172.20.1.0 0.0.0.255
!
control-plane
!
!
banner exec ^C
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Can anyone explain what I'm doing wrong with the LAN setup, or is it something with the WAN?


4 Replies

Richard Burts (Hall of Fame)

When I read that the symptom was that clients were not able to access Internet resources but the router was able to, I wanted to check for issues with network address translation.

- I found an interface configured with ip nat outside, that is a good start.

- I found 2 interfaces with ip nat inside. That is good.

- I did not find any command to actually do the translation. That is your problem.

HTH

Rick

M02@rt37 (VIP)

Hello @billseymour 

There's no explicit NAT configuration in your provided configuration. Add NAT configuration to enable your LAN clients to access the internet. 

Create an ACL matching the 2 LAN subnets and add the NAT command:

ip access-list extended LAN_SUBNETS
permit ip 172.20.0.0 0.0.0.255 any
permit ip 172.20.1.0 0.0.0.255 any

ip nat inside source list LAN_SUBNETS interface GigabitEthernet0/0 overload


This configuration will enable NAT overload (PAT) using the IP address assigned to the Gi0/0 interface (your WAN interface). It will translate the private IP addresses of your LAN clients to the public IP address assigned by your ISP.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
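One way to catch exactly this gap before clients complain is to lint the running-config for the three pieces NAT overload needs (an outside interface, inside interfaces, and a translation rule whose ACL exists). This is an added example, not from the thread; the sample config strings are a constructed trim of the config posted above, first as posted and then with the accepted fix applied.

```python
import re

# Constructed sample: only the NAT-relevant lines of the config posted above,
# as posted (interfaces marked, but no translation rule) ...
BROKEN = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/1
 ip address 172.20.0.248 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 172.20.1.1 255.255.255.0
 ip nat inside
access-list 1 permit 172.20.0.0 0.0.0.255
access-list 2 permit 172.20.1.0 0.0.0.255
"""
# ... and with the accepted solution appended.
FIXED = BROKEN + """\
ip access-list extended LAN_SUBNETS
 permit ip 172.20.0.0 0.0.0.255 any
 permit ip 172.20.1.0 0.0.0.255 any
ip nat inside source list LAN_SUBNETS interface GigabitEthernet0/0 overload
"""

NAT_RULE = re.compile(r"ip nat inside source list (\S+) interface (\S+)( overload)?$")


def nat_findings(config: str) -> list[str]:
    """Return reasons why this config cannot translate LAN traffic (empty list = OK)."""
    inside, outside, acls, rules = set(), set(), set(), []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # unindented line: back in global config mode
            iface = None
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif line == "ip nat inside" and iface:
            inside.add(iface)
        elif line == "ip nat outside" and iface:
            outside.add(iface)
        elif m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls.add(m.group(1))         # numbered or named ACL definitions
        elif m := NAT_RULE.match(line):
            rules.append((m.group(1), m.group(2), bool(m.group(3))))
    out = []
    if not outside:
        out.append("no interface is marked 'ip nat outside'")
    if not inside:
        out.append("no interface is marked 'ip nat inside'")
    if not rules:
        out.append("no 'ip nat inside source' rule: marking interfaces alone translates nothing")
    for acl, egress, overload in rules:
        if acl not in acls:
            out.append(f"NAT rule references ACL {acl}, which is not defined")
        if egress not in outside:
            out.append(f"NAT rule exits via {egress}, which is not 'ip nat outside'")
        if not overload:
            out.append(f"NAT rule via {egress} lacks 'overload'; a single DHCP address needs PAT")
    return out
```

Run `nat_findings()` over the output of `show running-config`; the posted config yields only the missing-rule finding, and the fixed one yields nothing.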

Thanks, that did it! Now to start allowing incoming traffic to some machines... And allow routing between the two local subnets.

noahaarthur (Level 1)

Your LAN setup appears to have correct configurations. However, ensure that your NAT translations are functioning correctly and that your access lists permit traffic appropriately. Check if your WAN interface (GigabitEthernet0/0) is receiving an IP address from your ISP via DHCP. Also, verify if any firewall or filtering rules on the WAN interface are blocking outgoing traffic. Troubleshoot by testing connectivity from LAN devices to WAN destinations and inspecting NAT translations and access lists.
