01-16-2013 12:14 PM - edited 03-04-2019 06:43 PM
Hello, I have a Cisco 871W router that I'm trying to incorporate into an existing network. I have FastEthernet4 (WAN port) plugged into an ISP device, which I don't have access to. I have the address set to use DHCP, which is successfully recognized and I see that the interface gets a valid IP address that I can ping with other computers on the same network.
Problems:
I am logged into the router via the serial port and I cannot ping websites on the internet. I am able to ping sites that are hosted inside the WAN, but when I try "google.com" for instance, I see it sending out packets, but none are received. It resolves the hostname from the local DNS server, but there are no packets received.
Configuration:
I'm really new at this, so I was wondering if you guys could take a look at the commands that I type into the console to set up the router. I'm missing a lot of stuff. This is what I've been able to piece together using google and the software manuals:
enable
config t
hostname [hostname]
interface FastEthernet 4
ip address dhcp
ip nat outside
no shutdown
interface loopback 0
ip address 192.168.0.1 255.255.255.248
no shutdown
interface Vlan 1
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
domain-name [domain]
default-router 192.168.0.1
dns-server 10.195.57.1
ip address 192.168.1.1 255.255.255.0
ip helper-address 10.195.57.2
ip virtual-reassembly
ip nat inside
no shutdown
interface FastEthernet 0
switchport access vlan 1
no shutdown
interface FastEthernet 1
switchport access vlan 1
no shutdown
interface FastEthernet 2
switchport access vlan 1
no shutdown
interface FastEthernet 3
switchport access vlan 1
no shutdown
interface FastEthernet 4
switchport access vlan 1
no shutdown
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip 192.168.1.1 0.0.0.255 any
Thank you very much for your help!
Accepted Solutions
01-16-2013 12:56 PM
I see several issues. First I do not see any default route configured. Probably it should be something like
ip route 0.0.0.0 0.0.0.0 dhcp
Also I believe that there is a problem in the DHCP configuration. It has the default route as 192.168.0.1. But the default route needs to be in the same subnet as the client addresses. So the default router should probably be 192.168.1.1.
Also the address translation is using an extended access list. But I do not see anything that justifies the extended list. I suggest that it would be better to use a standard access list like this
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 100 interface FastEthernet4 overload
HTH
Rick
01-16-2013 12:42 PM
Hello Cory,
I do not see the "ip nat inside" command in the interface vlan 1. You can try and check if there are translations:
- show ip nat translations
- show ip nat stat
I also see that the ACL 100 could be removed. You can use a standard one like this one:
access-list 1 permit 192.168.1.0 0.0.0.255
The NAT statement should be also modified to match the new ACL:
ip nat inside source list 1 interface FastEthernet4 overload
Finally, you could also add a static to be able to go out:
ip route 0.0.0.0 0.0.0.0 fastEthernet 4
Regards.
01-16-2013 01:49 PM
Ok. I changed the default router to be 192.168.1.1, and I added the following two lines as you and Jose said:
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
Note, I changed it to "...source list 1 interface FastEther..." from "...source list 100 interface FastEther...", assuming you meant to reference the number after access-list?
I also went with ip route 0.0.0.0 0.0.0.0 dhcp instead of ip route 0.0.0.0 0.0.0.0 FastEthernet 4...
Results:
So, just now I have my laptop connected via Ethernet to FastEthernet0, and it looks like everything is fine! I can access the internal WAN as well as outside websites.
An odd thing is that from the router, I still can't ping outside the WAN. Do you think this is because I have not configured the router correctly to accept packets? I'm willing to mark this as answered, after hearing whether or not it is normal behavior for client computers to be able to ping but the router itself being unable...
Thanks again, guys!
EDIT:
Actually, what I am seeing is that my laptop is also not able to ping ANYTHING, but I can use a web browser to browse to webpages I've never been to before just fine... Very odd...
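An added example, not part of any post in this thread: a small Python check for the three configuration problems raised so far (no default route, a DHCP `default-router` outside the pool's network, and a NAT statement whose list number has no matching `access-list`). The function name `lint` and the finding labels are assumptions; the config lines are taken from the posts above.

```python
import ipaddress
import re

# Lines taken from the first config posted in the thread.
ORIGINAL = """\
interface FastEthernet 4
ip address dhcp
ip nat outside
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
default-router 192.168.0.1
interface Vlan 1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip 192.168.1.1 0.0.0.255 any
"""
# The changes the original poster reports making after the replies.
REVISED = (ORIGINAL
           .replace("default-router 192.168.0.1", "default-router 192.168.1.1")
           .replace("source list 100", "source list 1")
           .replace("access-list 100 permit ip 192.168.1.1 0.0.0.255 any",
                    "access-list 1 permit 192.168.1.0 0.0.0.255")
           + "ip route 0.0.0.0 0.0.0.0 dhcp\n")
# ACL 1 defined while the NAT statement still points at list 100.
MISMATCHED = REVISED.replace("source list 1 ", "source list 100 ")

def lint(config):
    """Return labels (hypothetical names) for the problems found in an IOS config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in lines):
        findings.append("no-default-route")
    pool_net = None
    for line in lines:
        if line.startswith("ip dhcp pool"):
            pool_net = None  # a new pool starts; forget the previous network
        if m := re.fullmatch(r"network (\S+) (\S+)", line):
            pool_net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        m = re.fullmatch(r"default-router (\S+)", line)
        if m and pool_net and ipaddress.ip_address(m[1]) not in pool_net:
            findings.append("default-router-outside-pool")
    acls = {m[1] for l in lines if (m := re.match(r"access-list (\d+) ", l))}
    for line in lines:
        m = re.match(r"ip nat inside source list (\d+) ", line)
        if m and m[1] not in acls:
            findings.append("nat-acl-undefined")
    return findings
```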
01-16-2013 01:58 PM
Hello Cory,
What is the result if you try pinging 4.2.2.2 while using the DHCP IP address of the WAN interface as the source?
ping 4.2.2.2 source X.X.X.X ---> Public IP address.
Regards.
01-16-2013 02:17 PM
router#ping 4.2.2.2 source 10.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.x.x.x
.....
Success rate is 0 percent (0/5)
EDIT: Heh, thanks... Slipped my mind...
01-16-2013 02:26 PM
Hi Cory,
Please edit the last reply for you are showing your public IP address. You can use 10.x.x.x in both cases.
Please try with the other static and let us know if you get the same results.
I have a question:
1- Do you have a firewall that could be blocking ICMP traffic?
01-16-2013 02:41 PM
Sorry, I don't understand what you mean when you say "the other static". Could you please clarify? Thanks!
01-16-2013 02:43 PM
Hi,
ip route 0.0.0.0 0.0.0.0 fastEthernet 4
Just for testing...
01-16-2013 02:45 PM
Jose,
I tried it just now. Ping to google.com and to 4.2.2.2 using public ip address are the same...
01-16-2013 03:01 PM
Hi Cory,
I see something pretty odd. The IP address I told you to edit seems to be a private IP address (10.0.0.0 to 10.255.255.255 are part of the private range). Where is that IP address coming from?
01-16-2013 03:06 PM
Er... My IP is probably fine; I'm at work right now...
Also, I realized that I missed your earlier question. I'm not sure if there is a firewall in place to block ICMP traffic, but I can look into it if you think it is important.
01-16-2013 03:06 PM
Can you post your latest config since you made all these changes?
ip dhcp pool vlan1 (If you are pointing at a different DHCP server then you don't need this, what is 10.195.57.2?)
network 192.168.1.0 255.255.255.0
domain-name [domain]
default-router 192.168.0.1 (you don't need this)
dns-server 10.195.57.1
!
interface Vlan 1
ip address 192.168.1.1 255.255.255.0
ip helper-address 10.195.57.2
ip virtual-reassembly
ip nat inside
no shutdown
Now looks like there is another network in the mix 10.195.57.x/xx? So that might require trunk ports.
01-16-2013 03:10 PM
I am actually wondering about that myself. I am pointing to a different dhcp server, but I'm not sure how to handle assigning ip addresses to the fast ethernet ports. Do I need to make an internet dhcp pool to assign addresses out of my vlan? (That is what I'm trying to do with the ip dhcp pool vlan1 command...)
That other address is my local dns-server.
Sure. Here is my current config:
enable
config t
hostname [hostname]
interface FastEthernet 4
ip address dhcp
ip nat outside
no shutdown
interface loopback 0
ip address 192.168.0.1 255.255.255.248
no shutdown
interface Vlan 1
ip dhcp pool vlan1
network 192.168.1.0 255.255.255.0
domain-name [domain]
default-router 192.168.0.1
dns-server 10.195.57.1
ip address 192.168.1.1 255.255.255.0
ip helper-address 10.195.57.2
ip virtual-reassembly
ip nat inside
no shutdown
interface FastEthernet 0
switchport access vlan 1
no shutdown
interface FastEthernet 1
switchport access vlan 1
no shutdown
interface FastEthernet 2
switchport access vlan 1
no shutdown
interface FastEthernet 3
switchport access vlan 1
no shutdown
interface FastEthernet 4
switchport access vlan 1
no shutdown
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
01-16-2013 03:32 PM
Hi,
You can use something like this:
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server X.X.X.X
This pool will assign the IP address in the LAN segment.
As Mohammad mentioned, you do not need "default-router 192.168.0.1" under SVI1. "ip helper-address 10.195.57.2" can also be removed as well as "ip dhcp pool vlan1" if you want to configure pool LAN, as I mentioned. Now, check if:
1- you are able to ping the internal dns-server from your router.
2- you should use static IP addressing in the WAN interface instead of using DHCP.
Regards,
