01-15-2015 12:17 PM - edited 03-05-2019 12:34 AM
I have a Cisco 881 router that is configured, but clients aren't getting to the internet. The router can ping google.com and 8.8.8.8 without any problems, but the client can't ping them. Here is the running config:
Building configuration...
Current configuration : 6757 bytes
!
! Last configuration change at 20:09:29 UTC Thu Jan 15 2015
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$65g/$nYYStZ2aFbOj0hm.
enable password **************
!
no aaa new-model
!
!
no ip routing
!
!
!
!
!
!
!
!
!
!
!
!
ip domain name Domain
ip name-server 192.168.6.5
ip name-server 192.168.2.2
no ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FGL1844203L
!
!
username ******* privilege 15 secret 5 $1$Kq3BHc01ahZxXkFOFds1
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address 184.xx.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
no ip route-cache
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.7.253 255.255.254.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
no ip route-cache
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 184.xx.xxx.xxx
ip route 192.168.2.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.4.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.8.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.10.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.12.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.14.0 255.255.254.0 Vlan1 192.168.7.254
ip route 192.168.16.0 255.255.254.0 Vlan1 192.168.7.254
!
dialer-list 1 protocol ip permit
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 184.xx.xxx.xxx 0.0.0.3 any
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password **************
login
transport input none
!
scheduler allocate 20000 1000
!
!
end
I'm probably missing something obvious but I can't figure out what it is. Any help is greatly appreciated.
Thanks,
01-15-2015 12:22 PM
If you use an "any" in your acl for NAT it usually doesn't work.
I generally use an extended acl but you can use a standard one if you want, you just need to specify the source network, e.g.
access-list 1 permit 192.168.6.0 0.0.1.255
If that doesn't work try an extended acl, i.e.
access-list 101 permit ip 192.168.6.0 0.0.1.255 any
and then modify your NAT statement to use acl 101.
Jon
01-15-2015 12:50 PM
Thanks for the suggestions Jon, but after trying both commands and reconfiguring the NAT, clients still can't access the Internet.
01-15-2015 12:52 PM
It may be your firewall but a far more basic thing I have just noticed is you have "no ip routing" in your configuration.
I think you need to enable this :-) ie.
"ip routing"
Jon
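An added example, not part of the original thread: a Python check that reads a running-config like the one posted above and reports the two things the replies point at (routing disabled, a NAT ACL of `permit any`) along with missing NAT roles or a missing default route. The sample config is a constructed excerpt with placeholder public addresses, and the function and finding names are invented for this example.

```python
import re
# Constructed excerpt modelled on the posted config; 203.0.113.x is a placeholder.
SAMPLE = """\
no ip routing
!
interface FastEthernet4
ip nat outside
!
interface Vlan1
ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 203.0.113.1
access-list 1 permit any
"""

def check_forwarding(config):
    """Return finding codes for settings that keep clients off the internet."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings, nat_role, iface = [], {}, None
    for l in lines:
        m = re.match(r"interface (\S+)$", l)
        if m:
            iface = m.group(1)
        elif l == "!":
            iface = None  # "!" closes the interface block
        elif iface and l in ("ip nat inside", "ip nat outside"):
            nat_role[iface] = l.split()[-1]
    if "no ip routing" in lines:
        findings.append("routing-disabled")  # transit packets are never forwarded
    for side in ("inside", "outside"):
        if side not in nat_role.values():
            findings.append(f"no-nat-{side}-interface")
    if not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in lines):
        findings.append("no-default-route")
    for l in lines:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", l)
        if not m:
            continue
        acl, out_if = m.groups()
        if nat_role.get(out_if) != "outside":
            findings.append("nat-egress-not-outside")
        entries = [x for x in lines if x.startswith(f"access-list {acl} permit")]
        if not entries:
            findings.append("nat-acl-missing")
        elif f"access-list {acl} permit any" in entries:
            findings.append("nat-acl-permit-any")  # flagged per the reply in the thread
    return findings
```

Run against the sample, it returns both findings; the same text with `ip routing` and a source-specific ACL entry returns an empty list.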
01-15-2015 01:00 PM
Can I modify that via CCP? I'm managing this router remotely, and can't seem to telnet into it, the only way I can access it is via CCP.
01-15-2015 01:03 PM
I have never used CCP but if you are managing it remotely I would have thought it would be routing already unless by remotely you mean you are on the internal subnet.
Don't know is the short answer unfortunately, but how did you modify the NAT configuration?
I would have thought if you could do that you could do this as well.
Jon
01-15-2015 01:06 PM
Yes, I'm on the internal subnet.
CCP has a spot where I can add/delete NAT rules, so that is where I was able to configure the NAT rules you gave me.
01-15-2015 01:13 PM
Just had a quick look at the manual and it doesn't seem to mention where to actually enable routing.
There should be a routing window available where you can add static routes, setup dynamic routing etc.
Can you try that and see if there is an option to actually enable routing.
Seems such a basic thing to do I would have thought it would be relatively easy thing to find :-)
I'll do a bit more searching but if you can't find anything you may have to setup telnet access so you can get to the CLI.
Jon
01-15-2015 01:24 PM
How would I enable telnet on the Cisco? When I try to telnet into it I get "could not open connection to host on port 23: connect failed"
01-15-2015 01:33 PM
I think there are windows you can use within CCP to enable it.
What version of CCP are you running?
Jon
01-15-2015 01:44 PM
Thank you so much for your help! I was able to enable telnet and then I removed the "no ip routing" command and now everything works.
Thanks again.
01-15-2015 01:59 PM
No problem, glad we got there in the end.
Jon
01-15-2015 01:15 PM
Had a quick look at CCP user guide but there is no mention of actually enabling routing which seems a bit strange.
Can you check in the routing window if there is a checkbox or something to turn routing on.
I'll do a bit more searching but you may have to setup telnet access so you can get to the CLI.
Jon