
Cisco 2921 Router - Troubleshooting

bhicks
Beginner

Please ignore my ignorance. I'm new to this and am trying to work my way through. I have a router with 1 lan, and 3 wan ports. On the wan side I have a dsl connected with DHCP from the ISP on the wan port. I have gateway of last resort set to that interface. When I change my pc to use the lan ip of the router as my gateway address I cannot get a web page.

How can I troubleshoot this? And/or can you point me in the right direction? I don't have much set up. Just a lan IP, security license installed and the dsl connected to the wan port.

Thanks in advance.

Accepted Solutions

Excellent!

1. ip nat inside will allow inside ip address range to NAT to outside whenever you are communicating. This will be defined by the access list of source interfaces as clarified in the example link provided

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml

2. IP overload, also termed PAT, i.e. using one IP address (may be the interface IP) for multiple communications using different ports. One of the examples will clarify this for you in detail

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00809bd825.shtml

Please remember to rate if this post is useful to you.

Cheers!

Shailesh
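
The inside/outside marking and the overload (PAT) rule described in this answer, applied to the interfaces and LAN range posted in this thread, as an added example that is not part of the original post. The ACL number 10 is an assumption chosen for illustration.

```cisco
! Added example, not from the thread. ACL number 10 is an assumption;
! the interface names and 172.24.0.0/16 come from the posted config.
!
! Select the inside (LAN) source addresses that may be translated.
access-list 10 permit 172.24.0.0 0.0.255.255
!
! LAN side: packets arriving here are candidates for translation.
interface GigabitEthernet0/0
 ip nat inside
!
! DSL side: the address is learned by DHCP, so the rule below
! translates to the interface rather than to a fixed address.
interface FastEthernet0/0/0
 ip nat outside
!
! PAT: every inside host shares the current Fa0/0/0 address and is
! told apart by its translated source port.
ip nat inside source list 10 interface FastEthernet0/0/0 overload
!
! Verification from exec mode:
!   ping 4.2.2.2 source GigabitEthernet0/0
!   show ip nat translations
!   show ip nat statistics
```

After a LAN host sends traffic, `show ip nat translations` should list its 172.24.x.x address as inside local and the Fa0/0/0 address as inside global.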


21 REPLIES

Hi,

If the 2921 has the public IP address, you should configure NAT on the router.

If the 2921 does not have the public IP, then all you need is the default gateway configured for Internet access.

Do the following test:

From the router itself, send a PING to 4.2.2.2

router# ping 4.2.2.2

And check if you get a reply. If you do, it means you have connectivity with the Internet.

Federico.

Thanks for the reply.

The wan interface on the router is getting its IP from the dsl modem. The dsl modem has the ip from the isp. On the router I can ping both the wan interface and the lan interface. So am I right in assuming I don't need nat enabled on that interface?

Is there a way to see how or what is happening to the traffic between the lan and the wan interface?

Thanks.

Here is my config.

!
! Last configuration change at 01:20:07 UTC Fri Apr 9 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxrtr1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$chdV$R7/1YzNlBPodrtvBMCOVU.
!
no aaa new-model
!
!
!
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name w3k.xxxltd.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1058945512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1058945512
 revocation-check none
 rsakeypair TP-self-signed-1058945512
!
!
crypto pki certificate chain TP-self-signed-1058945512
 certificate self-signed 01
  quit
license udi pid CISCO2921/K9 sn FTX1350AHE7
!
!
username admin privilege 15 secret 5 $1$9fd4$O1UOvROcMhgSGkd7GJmih/
!
redundancy
!
!
ip tcp synwait-time 10
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
 ip address 172.24.201.190 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
!
interface GigabitEthernet0/1
 description $ES_WAN$
 ip address 172.25.0.100 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
interface GigabitEthernet0/2
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
!
interface FastEthernet0/0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
!
logging trap debugging
!
no cdp run
!
!
!
!
!
control-plane
!
!
banner exec
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
banner login
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Leo Laohoo
VIP Community Legend

1.  Where's your NAT statement???
2.  Correct me if I'm wrong but isn't the Fast0/0/0 of a 2900 ISR G2 used for OoBM (similar to the F0 of a 3560E/3750E)?

Do I put nat on the outside interface?

The fastethernet0/0/0 was a new card that we got.

When all is said and done, we will have.

gb0/0 ==> lan.

gb0/1 ==> asa5505==>internet

gb0/2 == wan dsl

fe/0/0/0 ==> wan dsl

Your fastethernet 0/0/0 interface is your outside interface (where the default gateway is).

Let's check which IP address you are receiving from your ISP on that interface.

Please check with the command: ''sh ip interface brief''

Federico.

The sh ip interface shows:

Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         172.24.201.190  YES manual up                    up
GigabitEthernet0/1         unassigned      YES NVRAM  administratively down down
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down
FastEthernet0/0/0          192.168.254.3   YES DHCP   up                    up

The gigabitEthernet0/1 and 0/2 will not be used until I get this working. Then I will be adding a second dsl like the first, and then an asa5505 with nat. That's why we have 4 interfaces. The 3 that came with the router, and a new fastethernet card for the other dsl.

You have no public IPs on the router, and the IP it is getting via DHCP is also a private one.

This means your dsl modem should be doing NAT.

Can you verify this by doing a ping from the 2921 to the internet (I always use 4.2.2.2) to see if you get the replies?

Federico.

Hi Federico,

No replies 0/5. How do I enable nat on that particular interface?

Thanks.

You don't need to enable NAT on the router since there are no public IPs on the router. The public IP is in your dsl modem.

If you cannot PING from the router to the Internet, I would say that the problem is either with your dsl modem or the internet connection with your provider.

Can you do a test?

Can you connect a computer directly to the dsl modem and see if it gets an IP and if it can browse the Internet?

If it does not work, you need to check your dsl link with your provider.

Federico.

That's Federico.  I'm at home so I will give it a try in the morning.

Thank you so much for your patience and all the help you have been providing me.

--Bobby.

Hi Federico,

I connected a laptop directly to the modem as you suggested, and it connects to the internet within seconds.

Hi Fred,

Why would you want to enable the NAT for a public IP address on the WAN interface? Shouldn't it run without NAT as well, right?

Ismail

paolo bevilacqua
Hall of Fame Master

Would really recommend you engage a reputable consultant or certified partner for the setup.

As you have seen, things quickly become confusing and frustrating when trying to do it by yourself.

shailesh.h
Beginner

Appreciate your efforts, and it appears that there is no problem from the ISP end. To progress further you may follow a few simple steps.

1. Please share the output of ipconfig/all when your laptop is connected to the dsl modem

2. Develop the topology of what you want to achieve (share the IP addresses of the LAN)

3. Share the IP address / DNS settings of the laptop when you are trying to reach a web site

4. Share the traceroute output as well (trace yahoo.com etc.)

Based on this I can suggest something...
