cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2920
Views
0
Helpful
7
Replies

.Cisco 887VA Router no outbound Internet access.

Finbarr Rogers
Level 1
Level 1

Hi,

 

can anyone assist with an issue I have with a Cisco 887VA Router, in that there is no outbound Internet access. I cannot reach the Internet from the router or any workstation connected to vlan1. I know it is a ACL issue but not sure what I am missing.

I don't have the conf at the moment but will add tomorrow but just asking if anyone can assist.

 

kind regards,

 

Finbarr

 

 

7 Replies 7

John Blakley
VIP Alumni
VIP Alumni

Finbarr,

This is a fairly common issue, so if you can post your config I'm sure someone will be able to get you up and running. If you believe it's an acl issue, you may want to remove the acl first to see if that resolves the issue. If not, then it's something else and we'll probably need the config...

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

 

Thanks for the reply.

 

Please see config below and let me know where I have went wrong. I am fairly new to this so please show me corrections on config.

 

Building configuration...

Current configuration : 5050 bytes
!
! Last configuration change at 13:38:09 UTC Wed Oct 14 2015 by root
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VIS-Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2126057679
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2126057679
 revocation-check none
 rsakeypair TP-self-signed-2126057679
!
!
crypto pki certificate chain TP-self-signed-2126057679
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313236 30353736 3739301E 170D3134 30393235 32333231
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31323630
  35373637 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009424 BA47F451 487B8D87 38F17EE1 E184EB95 2B648AA9 9E830B26 C1A54660
  96F2BEEF 87026041 6F8EE765 5E40C92E AC93F66A 08775C98 5E97B6CA 8B84FAE9
  02D097EA D37D8A64 50DB7224 36BA9E16 48901D67 E884DCB2 E8E42780 2E11462D
  A742D5AE D0E8495F 9831AC54 57F60D4C 910F7A78 0DAC8CDF F2E5405A E9473494
  12310203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14BA81BF E25DE710 960B8BB4 44718EEB 01A4320E 3E301D06
  03551D0E 04160414 BA81BFE2 5DE71096 0B8BB444 718EEB01 A4320E3E 300D0609
  2A864886 F70D0101 05050003 8181001E 730F5539 D5331E33 BC0884E5 D8E1A456
  39EF7770 A325D8B2 A19AB8F7 7D05B8B9 FCA6CEC1 F6A4EF79 3D0FF8B6 ECE3A708
  62249F38 C4FBC170 7A726F25 E1A42488 6753AF0F 48AB774A D06A73D8 173CA8C7
  6AF180B9 245DF778 E911DBA7 A031B75A 3DDB8BB8 28651A6A 17A64581 B5307689
  02A30E53 367DA225 069CD682 C59C37
        quit
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VIS-Pool
 import all
 network 192.168.1.0 255.255.255.248
 default-router 192.168.1.1
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ183994QX
!
!
username root privilege 15 secret 5 $1$Htty$9WaFJ8JxQa2KvlIbeYyPD0
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Eircom
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address 95.**.***.*** 255.255.255.254
 ip access-group 100 in
 ip access-group 199 out
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password 0 **********
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.150 900 interface Dialer0 900
ip nat inside source static tcp 192.168.1.150 21000 interface Dialer0 21000
ip nat inside source static tcp 192.168.1.150 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.1.21 2020 interface Dialer0 2020
ip nat inside source static tcp 192.168.1.21 12302 interface Dialer0 12302
ip nat inside source static tcp 192.168.1.22 2021 interface Dialer0 2021
ip nat inside source static tcp 192.168.1.22 12312 interface Dialer0 12312
ip nat inside source static tcp 192.168.1.23 2022 interface Dialer0 2022
ip nat inside source static tcp 192.168.1.23 12322 interface Dialer0 12322
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.255.255 any
access-list 100 permit ip *.*.*.* 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 permit ip any any
access-list 199 permit ip any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

Any help would be greatly appreciated.

 

Kind regards,

 

Finbarr

Finbarr,

On you dialer interface, the acl 100 is blocking all traffic and that includes your return traffic. For testing, remove this acl and see if you can get out. Once you verify that, we can move forward with creating an acl that works for you. You should also change acl 199 to tie to your specific internal addresses instead of "any any". Change this to be:

access-list 199 permit ip 192.168.1.0 0.0.0.255 any

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

 

By removing acl100 from diaper 0 in I can ping outside from router but not from a workstation on 192 range. Also , as I am using nat to allow external addresses to reach internal ports by not having the ACL 199 in will this affect connectivity?

 

thanks again for your assistance.

 

Finbarr 

Hi John,

 

i meant to say by not having ACL 100 IN will this affect external. 

 

Also, since changing ACL199 I cannot reach my internal servers from external anymore from an IP address I have configured on Access-list 100 permit ip external ip any. ??

when I changed back to my original confit for acl199 it worked again.

Finbarr,

"when I changed back to my original confit for acl199 it worked again."

This is because your original acl was "permit ip any any." When you changed to "permit ip 192.168.1.0 0.0.0.255 any", it would have stopped working because your ACL 199 is applied outbound on the wan interface. NAT happens before ACLs are checked, so you would have seen your traffic come out as whatever the wan address is and you weren't allowing that by changing from "any any". You need to get to a basic config:

1. Rip all acls off of the interfaces just to get this to work.

2. Change your acl 199 to "permit ip 192.168.1.0 0.0.0.255 any"

3. Test - it should work

You always try to get it to work without additional config. Once it's working, start putting things in one at a time so you can troubleshoot each if it breaks. You know that "A" works, but when you put "B" in, "A" stops working...no need to troubleshoot A if you know B broke it. Make sense?

HTH,

John

HTH, John *** Please rate all useful posts ***

Finbarr Rogers
Level 1
Level 1

Config below:

 

Building configuration...

Current configuration : 5050 bytes
!
! Last configuration change at 13:38:09 UTC Wed Oct 14 2015 by root
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VIS-Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2126057679
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2126057679
 revocation-check none
 rsakeypair TP-self-signed-2126057679
!
!
crypto pki certificate chain TP-self-signed-2126057679
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313236 30353736 3739301E 170D3134 30393235 32333231
  31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31323630
  35373637 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009424 BA47F451 487B8D87 38F17EE1 E184EB95 2B648AA9 9E830B26 C1A54660
  96F2BEEF 87026041 6F8EE765 5E40C92E AC93F66A 08775C98 5E97B6CA 8B84FAE9
  02D097EA D37D8A64 50DB7224 36BA9E16 48901D67 E884DCB2 E8E42780 2E11462D
  A742D5AE D0E8495F 9831AC54 57F60D4C 910F7A78 0DAC8CDF F2E5405A E9473494
  12310203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14BA81BF E25DE710 960B8BB4 44718EEB 01A4320E 3E301D06
  03551D0E 04160414 BA81BFE2 5DE71096 0B8BB444 718EEB01 A4320E3E 300D0609
  2A864886 F70D0101 05050003 8181001E 730F5539 D5331E33 BC0884E5 D8E1A456
  39EF7770 A325D8B2 A19AB8F7 7D05B8B9 FCA6CEC1 F6A4EF79 3D0FF8B6 ECE3A708
  62249F38 C4FBC170 7A726F25 E1A42488 6753AF0F 48AB774A D06A73D8 173CA8C7
  6AF180B9 245DF778 E911DBA7 A031B75A 3DDB8BB8 28651A6A 17A64581 B5307689
  02A30E53 367DA225 069CD682 C59C37
        quit
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VIS-Pool
 import all
 network 192.168.1.0 255.255.255.248
 default-router 192.168.1.1
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ183994QX
!
!
username root privilege 15 secret 5 $1$Htty$9WaFJ8JxQa2KvlIbeYyPD0
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description Eircom
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address 95.**.***.*** 255.255.255.254
 ip access-group 100 in
 ip access-group 199 out
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname eircom
 ppp chap password 0 **********
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.150 900 interface Dialer0 900
ip nat inside source static tcp 192.168.1.150 21000 interface Dialer0 21000
ip nat inside source static tcp 192.168.1.150 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.1.21 2020 interface Dialer0 2020
ip nat inside source static tcp 192.168.1.21 12302 interface Dialer0 12302
ip nat inside source static tcp 192.168.1.22 2021 interface Dialer0 2021
ip nat inside source static tcp 192.168.1.22 12312 interface Dialer0 12312
ip nat inside source static tcp 192.168.1.23 2022 interface Dialer0 2022
ip nat inside source static tcp 192.168.1.23 12322 interface Dialer0 12322
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.255.255 any
access-list 100 permit ip *.*.*.* 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 permit ip any any
access-list 199 permit ip any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Review Cisco Networking for a $25 gift card