04-08-2010 06:39 PM - edited 03-04-2019 08:04 AM
Please ignore my ignorance. I'm new to this and am trying to work my way through. I have a router with 1 LAN and 3 WAN ports. On the WAN side I have a DSL connected with DHCP from the ISP on the WAN port. I have the gateway of last resort set to that interface. When I change my PC to use the LAN IP of the router as my gateway address I cannot get a web page.
How can I troubleshoot this? And/or can you point me in the right direction? I don't have much set up. Just a LAN IP, security license installed and the DSL connected to the WAN port.
Thanks in advance.
04-12-2010 05:00 AM
Excellent!
1. ip nat inside will allow the inside IP address range to NAT to the outside whenever you are communicating. This will be defined by the access list of source interfaces, as clarified in the example link provided:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
2. IP overload, also termed PAT, i.e. using one IP address (may be the interface IP) for multiple communications using different ports. One of the examples will clarify this for you in detail:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00809bd825.shtml
Please remember to rate if this post is useful to you.
Cheers!
Shailesh
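The two points above, applied to the interface names and LAN subnet from the configuration posted in this thread, as an added example that is not part of the original posts. The ACL number 1 is an assumption chosen for illustration.

```cisco
! Added example: PAT (NAT overload) for the topology posted in this thread.
! ACL number 1 is an assumption chosen for this example; the posted config
! already uses number 23 for management access (access-class 23).
!
! Sources eligible for translation: the LAN behind GigabitEthernet0/0
! (172.24.201.190 255.255.0.0 -> network 172.24.0.0, wildcard 0.0.255.255).
! Keep this ACL limited to the LAN range instead of "permit any".
access-list 1 permit 172.24.0.0 0.0.255.255
!
! LAN side: packets arriving here are candidates for translation.
interface GigabitEthernet0/0
 ip nat inside
!
! WAN side: the interface the default route points to.
interface FastEthernet0/0/0
 ip nat outside
!
! Translate every source matched by ACL 1 to whatever address
! FastEthernet0/0/0 holds (here learned by DHCP). "overload" lets many
! inside hosts share that one address, told apart by source port.
ip nat inside source list 1 interface FastEthernet0/0/0 overload
!
! Verify from exec mode after sending traffic from a LAN host:
!   show ip nat translations
!   show ip nat statistics
```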
04-08-2010 07:17 PM
Hi,
If the 2921 has the public IP address, you should configure NAT on the router.
If the 2921 does not have the public IP, then all you need is the default gateway configured for Internet access.
Do the following test:
From the router itself, send a PING to 4.2.2.2
router# ping 4.2.2.2
And check if you get a reply. If you do, it means you have connectivity with the Internet.
Federico.
04-08-2010 08:05 PM
Thanks for the reply.
The WAN interface on the router is getting its IP from the DSL modem. The DSL modem has the IP from the ISP. On the router I can ping both the WAN interface and the LAN interface. So am I right in assuming I don't need NAT enabled on that interface?
Is there a way to see how or what is happening to the traffic between the LAN and the WAN interface?
Thanks.
Here is my config.
!
! Last configuration change at 01:20:07 UTC Fri Apr 9 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$chdV$R7/1YzNlBPodrtvBMCOVU.
!
no aaa new-model
!
!
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name w3k.xxxltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1058945512
revocation-check none
rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$9fd4$O1UOvROcMhgSGkd7GJmih/
!
redundancy
!
!
ip tcp synwait-time 10
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 172.24.201.190 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description $ES_WAN$
ip address 172.25.0.100 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/2
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
!
!
interface FastEthernet0/0/0
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
!
logging trap debugging
!
no cdp run
!
!
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
04-08-2010 08:24 PM
1. Where's your NAT statement???
2. Correct me if I'm wrong but isn't the Fast0/0/0 of a 2900 ISR G2 used for OoBM (similar to the F0 of a 3560E/3750E)?
04-08-2010 08:33 PM
Do I put nat on the outside interface?
The fastethernet0/0/0 was a new card that we got.
When all is said and done, we will have.
gb0/0 ==> lan.
gb0/1 ==> asa5505==>internet
gb0/2 == wan dsl
fe/0/0/0 ==> wan dsl
04-08-2010 08:27 PM
Your fastethernet 0/0/0 interface is your outside interface (where the default gateway is).
Let's check which IP address you are receiving from your ISP on that interface.
Please check with the command: ''sh ip interface brief''
Federico.
04-08-2010 08:31 PM
The sh ip interface shows:
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     172.24.201.190  YES manual up                    up
GigabitEthernet0/1     unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2     unassigned      YES NVRAM  administratively down down
FastEthernet0/0/0      192.168.254.3   YES DHCP   up                    up
The GigabitEthernet0/1 and 0/2 will not be used until I get this working. Then I will be adding a second DSL like the first, and then an ASA5505 with NAT. That's why we have 4 interfaces. The 3 that came with the router, and a new FastEthernet card for the other DSL.
04-08-2010 08:38 PM
You have no public IPs on the router, and the IP you are getting via DHCP is also a private one.
This means your DSL modem should be doing NAT.
Can you verify this by doing a ping from the 2921 to the Internet (I always use 4.2.2.2) to see if you get the replies?
Federico.
04-08-2010 08:40 PM
Hi Frederico,
No replies 0/5. How do I enable NAT on that particular interface?
Thanks.
04-08-2010 08:44 PM
You don't need to enable NAT on the router since there are no public IPs on the router. The public IP is in your DSL modem.
If you cannot PING from the router to the Internet, I would say that the problem is either with your DSL modem or the Internet connection with your provider.
Can you do a test?
Can you connect a computer directly to the dsl modem and see if it gets an IP and if it can browse the Internet?
If it does not work, you need to check your dsl link with your provider.
Federico.
04-08-2010 08:47 PM
That's Federico. I'm at home so I will give it a try in the morning.
Thank you so much for your patience and all the help you have been providing me.
--Bobby.
04-09-2010 03:59 AM
Hi Frederico,
I connected a laptop directly to the modem as you suggested, and it connects to the Internet within seconds.
04-08-2010 11:07 PM
Hi Fred,
Ismail
04-09-2010 02:13 AM
Would really recommend you engage a reputable consultant or certified partner for the setup.
As you have seen, things quickly become confusing and frustrating when trying to do it by yourself.
04-09-2010 08:20 AM
Appreciate your efforts, and it appears that there is no problem from the ISP end. To progress further you may follow a few simple steps.
1. Please share the output of ipconfig/all when your laptop is connected to the DSL modem.
2. Develop the topology you want to achieve (share the IP addresses of the LAN).
3. Share the IP address / DNS settings of the laptop when you are trying to reach a web site.
4. Share the traceroute output as well (trace yahoo.com etc.).
Based on this I can suggest something...