10-14-2015 02:58 PM - edited 03-05-2019 06:58 AM
Hi,
Can anyone assist with an issue I have with a Cisco 887VA router, in that there is no outbound Internet access? I cannot reach the Internet from the router or from any workstation connected to vlan1. I know it is an ACL issue but I'm not sure what I am missing.
I don't have the config at the moment but will add it tomorrow; just asking if anyone can assist.
kind regards,
Finbarr
10-14-2015 04:28 PM
Finbarr,
This is a fairly common issue, so if you can post your config I'm sure someone will be able to get you up and running. If you believe it's an ACL issue, you may want to remove the ACL first to see if that resolves the issue. If not, then it's something else and we'll probably need the config...
HTH,
John
10-15-2015 03:19 AM
Hi John,
Thanks for the reply.
Please see the config below and let me know where I have gone wrong. I am fairly new to this, so please show me the corrections on the config.
Building configuration...
Current configuration : 5050 bytes
!
! Last configuration change at 13:38:09 UTC Wed Oct 14 2015 by root
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VIS-Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-2126057679
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2126057679
revocation-check none
rsakeypair TP-self-signed-2126057679
!
!
crypto pki certificate chain TP-self-signed-2126057679
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313236 30353736 3739301E 170D3134 30393235 32333231
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31323630
35373637 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009424 BA47F451 487B8D87 38F17EE1 E184EB95 2B648AA9 9E830B26 C1A54660
96F2BEEF 87026041 6F8EE765 5E40C92E AC93F66A 08775C98 5E97B6CA 8B84FAE9
02D097EA D37D8A64 50DB7224 36BA9E16 48901D67 E884DCB2 E8E42780 2E11462D
A742D5AE D0E8495F 9831AC54 57F60D4C 910F7A78 0DAC8CDF F2E5405A E9473494
12310203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14BA81BF E25DE710 960B8BB4 44718EEB 01A4320E 3E301D06
03551D0E 04160414 BA81BFE2 5DE71096 0B8BB444 718EEB01 A4320E3E 300D0609
2A864886 F70D0101 05050003 8181001E 730F5539 D5331E33 BC0884E5 D8E1A456
39EF7770 A325D8B2 A19AB8F7 7D05B8B9 FCA6CEC1 F6A4EF79 3D0FF8B6 ECE3A708
62249F38 C4FBC170 7A726F25 E1A42488 6753AF0F 48AB774A D06A73D8 173CA8C7
6AF180B9 245DF778 E911DBA7 A031B75A 3DDB8BB8 28651A6A 17A64581 B5307689
02A30E53 367DA225 069CD682 C59C37
quit
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VIS-Pool
import all
network 192.168.1.0 255.255.255.248
default-router 192.168.1.1
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ183994QX
!
!
username root privilege 15 secret 5 $1$Htty$9WaFJ8JxQa2KvlIbeYyPD0
!
!
!
!
!
controller VDSL 0
no cdp run
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description Eircom
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Ethernet0
ip address dhcp
ip nat outside
ip virtual-reassembly in
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1412
!
interface Dialer0
ip address 95.**.***.*** 255.255.255.254
ip access-group 100 in
ip access-group 199 out
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname eircom
ppp chap password 0 **********
ppp ipcp dns request
no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.150 900 interface Dialer0 900
ip nat inside source static tcp 192.168.1.150 21000 interface Dialer0 21000
ip nat inside source static tcp 192.168.1.150 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.1.21 2020 interface Dialer0 2020
ip nat inside source static tcp 192.168.1.21 12302 interface Dialer0 12302
ip nat inside source static tcp 192.168.1.22 2021 interface Dialer0 2021
ip nat inside source static tcp 192.168.1.22 12312 interface Dialer0 12312
ip nat inside source static tcp 192.168.1.23 2022 interface Dialer0 2022
ip nat inside source static tcp 192.168.1.23 12322 interface Dialer0 12322
ip route 0.0.0.0 0.0.0.0 Dialer0
!
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.0.254 any
access-list 100 permit ip *.*.*.* 0.0.255.255 any
access-list 100 permit ip *.*.*.* 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 permit ip any any
access-list 199 permit ip any any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Any help would be greatly appreciated.
Kind regards,
Finbarr
10-15-2015 04:08 AM
Finbarr,
On your dialer interface, ACL 100 is blocking all traffic, and that includes your return traffic. For testing, remove this ACL and see if you can get out. Once you verify that, we can move forward with creating an ACL that works for you. You should also change ACL 199 to tie to your specific internal addresses instead of "any any". Change this to be:
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
HTH,
John
10-15-2015 04:36 AM
Hi John,
By removing ACL 100 from Dialer0 in, I can ping outside from the router but not from a workstation on the 192 range. Also, as I am using NAT to allow external addresses to reach internal ports, by not having ACL 199 in, will this affect connectivity?
thanks again for your assistance.
Finbarr
10-15-2015 05:00 AM
Hi John,
I meant to say: by not having ACL 100 in, will this affect external?
Also, since changing ACL 199 I cannot reach my internal servers from external anymore, from an IP address I have configured with "access-list 100 permit ip <external ip> any". ??
When I changed back to my original config for ACL 199 it worked again.
10-15-2015 09:24 AM
Finbarr,
"When I changed back to my original config for ACL 199 it worked again."
This is because your original ACL was "permit ip any any." When you changed it to "permit ip 192.168.1.0 0.0.0.255 any", it would have stopped working because your ACL 199 is applied outbound on the WAN interface. NAT happens before ACLs are checked, so you would have seen your traffic come out as whatever the WAN address is, and you weren't allowing that by changing from "any any". You need to get to a basic config:
1. Rip all ACLs off of the interfaces just to get this to work.
2. Change your ACL 199 to "permit ip 192.168.1.0 0.0.0.255 any"
3. Test - it should work
You always try to get it to work without additional config. Once it's working, start putting things in one at a time so you can troubleshoot each if it breaks. You know that "A" works, but when you put "B" in, "A" stops working... no need to troubleshoot A if you know B broke it. Make sense?
HTH,
John
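The two effects John describes in his replies above (ACL 100 on Dialer0 dropping the LAN's return traffic, and the narrowed ACL 199 breaking things once it is applied outbound after NAT) can be checked without a router. What follows is an added example written for this page, not code from the original poster or from Cisco: a small Python model of IOS wildcard-mask matching, the implicit deny at the end of every ACL, and the order of operations on the NAT-outside interface (inbound ACL evaluated before un-translation, outbound ACL evaluated after translation). The external range 198.51.100.0/24 (standing in for the masked *.*.*.* lines in ACL 100), the WAN address 95.0.2.1 (standing in for the masked Dialer0 address) and the Internet host 8.8.8.8 are constructed placeholders.

```python
"""Model of the ACL/NAT behaviour discussed in this thread.

Added example for this page; not code from the original poster or from
Cisco. Addresses 198.51.100.0/24, 95.0.2.1 and 8.8.8.8 are constructed
stand-ins for the masked values in the posted config.
"""
from ipaddress import IPv4Address

WAN_IP = "95.0.2.1"  # placeholder for the masked Dialer0 address

# Constructed from the thread: ACL 100 as posted (one permitted external
# range plus the explicit deny) and ACL 199 before and after John's change.
ACL_TEXT_ORIGINAL = """
access-list 100 permit ip 198.51.100.0 0.0.0.254 any
access-list 100 deny ip any any
access-list 199 permit ip any any
"""
ACL_TEXT_CHANGED = """
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
"""


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' from a token list."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acls(text: str) -> dict:
    """Parse numbered extended 'access-list N permit|deny ip SRC DST' lines."""
    acls = {}
    for raw in text.strip().splitlines():
        tok = raw.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only the protocol-ip form used in the thread is modelled
        number, action = tok[1], tok[2]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_verdict(entries, src: str, dst: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    if entries is None:
        return "permit"  # no ACL applied on the interface
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def lan_to_internet(src: str, dst: str, nat_list, out_acl) -> tuple:
    """Inside-to-outside on IOS: the NAT source list is matched against the
    original LAN address, the translation happens, and only then is the
    outbound ACL on Dialer0 evaluated, against the translated source."""
    if acl_verdict(nat_list, src, dst) != "permit":
        return ("not translated", src)
    return (acl_verdict(out_acl, WAN_IP, dst), WAN_IP)


def internet_to_lan(src: str, in_acl) -> str:
    """Outside-to-inside: the inbound ACL on Dialer0 sees the packet before
    NAT, i.e. Internet source and the WAN address as destination. Replies
    to LAN-initiated flows go through exactly the same check."""
    return acl_verdict(in_acl, src, WAN_IP)


def demo() -> dict:
    orig = parse_acls(ACL_TEXT_ORIGINAL)
    changed = parse_acls(ACL_TEXT_CHANGED)
    lan, dst = "192.168.1.50", "8.8.8.8"
    return {
        # ACL 100 inbound: a reply from an arbitrary Internet host hits the
        # explicit deny, so the LAN has no Internet even though NAT is fine.
        "reply_from_8.8.8.8": internet_to_lan("8.8.8.8", orig["100"]),
        # Wildcard 0.0.0.254 keeps only the lowest bit of the last octet, so
        # it admits every other host across the /24, not a contiguous block.
        "external_even_host": internet_to_lan("198.51.100.8", orig["100"]),
        "external_odd_host": internet_to_lan("198.51.100.7", orig["100"]),
        # Original 199 (any any) as NAT list and outbound ACL: works.
        "orig199": lan_to_internet(lan, dst, orig["199"], orig["199"]),
        # Narrowed 199 applied outbound: the translated WAN source never matches.
        "changed199_out": lan_to_internet(lan, dst, changed["199"], changed["199"]),
        # Narrowed 199 as NAT list only, no outbound ACL: works.
        "changed199_nat_only": lan_to_internet(lan, dst, changed["199"], None),
    }
```

Running demo() reproduces both failure modes: the reply from 8.8.8.8 is dropped by ACL 100 before NAT can deliver it to the LAN, and the narrowed ACL 199 permits the LAN host when used as the NAT source list but denies the same flow when evaluated outbound on Dialer0, because by then the source is the WAN address. So "permit ip 192.168.1.0 0.0.0.255 any" is right for "ip nat inside source list 199" and wrong as an "ip access-group ... out" on the WAN side. Two further checks from the posted config: a wildcard of 0.0.0.254, as in the ACL 100 lines, matches every other address of the whole /24 (the model permits 198.51.100.8 and denies 198.51.100.7), whereas a pair of adjacent addresses needs 0.0.0.1; and "access-class 23 in" on vty 5 15 names an ACL that is not defined anywhere in the config (IOS treats an undefined ACL as permit any), while vty 0 4 allows telnet with no access-class at all, so once ACL 100 is removed from Dialer0 the management plane is reachable from the Internet on the WAN address.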