Cisco 850 Routing problems

valentin
Level 1

I'm trying to configure a Cisco 850 router but I'm unable to ping the outside world from Vlan1. show running-config looks as follows:

Current configuration : 5563 bytes
!
! Last configuration change at 15:33:02 UTC Sat Aug 13 2016 by cisco
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fw2.myfw.tld
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
wan mode ethernet
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 129.x.x.5
!
ip dhcp pool ccp-pool
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4 
 default-router 192.168.1.1 
 lease 0 2
!         
!         
!         
ip domain name mydomain.tld
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef    
no ipv6 cef
!         
!         
!         
!         
crypto pki trustpoint TP-self-signed-1017650632
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1017650632
 revocation-check none
 rsakeypair TP-self-signed-1017650632
!         
!         
crypto pki certificate chain TP-self-signed-1017650632
 certificate self-signed 01
        quit
!         
!         
username cisco password 0 somepassword
username admin privilege 15 secret 5 $1$JJZR$kw8yTTHkjUGKIfB8sQiyJ0
!         
!         
controller VDSL 0
 shutdown 
!         
ip telnet source-interface Vlan1
ip ssh port 2222 rotary 1
ip ssh source-interface Vlan1
ip ssh rsa keypair-name 1024
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
interface ATM0
 no ip address
 shutdown 
 no atm ilmi-keepalive
!         
interface Ethernet0
 no ip address
 shutdown 
!         
interface FastEthernet0
 no ip address
!         
interface FastEthernet1
 no ip address
!         
interface FastEthernet2
 no ip address
!         
interface FastEthernet3
 no ip address
!         
interface GigabitEthernet0
 no ip address
!         
interface GigabitEthernet1
 description PrimaryWANDesc_WAN interface
 ip address 129.x.x.5 255.255.255.0
 duplex auto
 speed auto
!         
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.1.254
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!         
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!         
!         
ip dns server
ip nat inside source list nat-list interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1
!         
mac-address-table aging-time 15
no cdp run
!         
!         
!         
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.

It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you 
want to use.

-----------------------------------------------------------------------
^C        
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  
PUBLICLY-KNOWN CREDENTIALS


Here are the Cisco IOS commands.


username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want 
to use.   


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL 
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------
^C        
!         
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!         
scheduler allocate 60000 1000
!         
end   

I'm connected via the console port on the router and can ping the outside world only from GigaEthernet1 port which has IP address 129.x.x.5

The clients that connect on VLan1 get IP addresses in the range of 192.168.1.0/24 and these clients can ping each other, the gateway which is 192.168.1.1 and the GigaEthernet1 which has IP 129.x.x.5

What's going wrong in this case?  Any suggestion is most appreciated.

Accepted Solutions

Luke Oxley
Level 1
[@valentin@astro.rug.nl],

Thanks for your post. I've had a look at your configuration and it looks great, you are just a few steps short on your NAT which is why this is not working. Please follow the steps below in order to get this working correctly.

1. Firstly, let us remove the old NAT configuration so we are back to a clean slate with the following commands.

no ip nat inside source list nat-list interface GigabitEthernet1 overload
clear ip nat translation *

2. Now we will create an access control list permitting the traffic for NAT and create the new NAT statement to tie this together. *NOTE - If the version of IOS you are running requires mask instead of wildcard then change 0.0.0.255 to 255.255.255.0.

access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet1 overload

3. The next step is to specify the logical role of the interfaces in question, whether they are "inside" or "outside".

interface vlan1
ip nat inside
exit
interface GigabitEthernet1
ip nat outside
exit

4. Lastly, we will save the configuration and reload.

copy run start
reload

After the device comes back up following the reload, please test again. In some cases - depending on IOS version, you need to ping the outside world from a machine on the LAN as opposed to just sourcing it from the VLAN interface. Try this both ways and let me know how you get along. I look forward to hearing back.

Kind regards,
Luke Oxley


Please rate helpful posts and mark correct answers.


ahmedshoaib
Level 4

Hi;

After reviewing the configuration, I found the following missing items in your configuration:

1 – NAT outside is missing on interface GigabitEthernet1.

interface GigabitEthernet1
 ip nat outside

2 – Missing nat-list

ip access-list standard nat-list
 permit 192.168.1.0 0.0.0.255

Thanks & Best regards;
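Added example (not part of any post in this thread): a small Python audit that finds the two gaps named above, a NAT rule pointing at an ACL that is never defined and an overload interface without `ip nat outside`. It goes one step beyond the NAT case and also flags `access-class` references to undefined ACLs, since ACL 23 is referenced in the posted configuration but not defined in it. The function name and the sample excerpt are assumptions made for this example; the input is expected in `show running-config` layout with indented sub-commands.

```python
import re

# Constructed excerpt: the NAT- and ACL-related lines of the running-config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1
 ip address 129.x.x.5 255.255.255.0
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip http access-class 23
ip nat inside source list nat-list interface GigabitEthernet1 overload
line vty 0 4
 access-class 23 in
"""

def audit_acl_and_nat(config):
    """Return findings for dangling ACL references and incomplete NAT roles."""
    defined, nat_role, nat_rules, class_refs = set(), {}, [], set()
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] not in (" ", "\t"):          # top-level line starts a new section
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1).lower() if m else None
        if m := re.match(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)", line):
            defined.add(m.group(1))             # numbered or named ACL definition
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_rules.append((m.group(1), m.group(2)))
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and iface:
            nat_role[iface] = m.group(1)        # per-interface NAT role
        elif m := re.match(r"(?:ip http )?access-class (\S+)", line):
            class_refs.add(m.group(1))          # ACL guarding vty lines or the HTTP server
    findings = []
    for acl, out_if in nat_rules:
        if acl not in defined:
            findings.append(f"NAT rule uses undefined ACL {acl}")
        if nat_role.get(out_if.lower()) != "outside":
            findings.append(f"{out_if} lacks 'ip nat outside'")
    if nat_rules and "inside" not in nat_role.values():
        findings.append("no interface has 'ip nat inside'")
    for acl in sorted(class_refs - defined):
        findings.append(f"access-class uses undefined ACL {acl}")
    return findings

if __name__ == "__main__":
    for finding in audit_acl_and_nat(SAMPLE_CONFIG):
        print(finding)
```

Running it over a configuration with the corrections from this thread applied clears both NAT findings; the ACL 23 finding remains until that list is defined.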

 

valentin
Level 1

Hi Luke,

Thank you very much.  I followed your instructions and I was able to ping the outside world. It is amazing how a few steps can get things working.

Thanks again and have a nice day.


Best regards,
Valentin

[@valentin@astro.rug.nl],

No problem brother - you are more than welcome. I hope you learnt some new bits along the way too!

Warm regards,
Luke


Please rate helpful posts and mark correct answers.
