
Clients unable to browse the internet on Cisco 871 K9 Router

tosino489
Level 1

Hi Everyone,

I just purchased my Cisco Router 871 K9 Version running this System image "flash:c870-advsecurityk9-mz.124-4.T8.bin"

I am trying to configure this Router for Home use so that I can block some Web traffic (Porn sites, Movie sites because of Children) but I realised I was unable to apply the Access list Match-class version url (http host).

My major problem is even the basic config on the router. The WAN has a DHCP IP assignment with Network 192.168.1.0

The LAN is expected to have the 192.168.3.0 Network. The IPs appear to be correctly assigned but I am not able to ping the internet on the Router. Local clients also cannot resolve DNS. Here is my config file.

Please assist.


Richard#sh run
Building configuration...

Current configuration : 1727 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Richard
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Richard-Pool
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
domain-name richardedet.com
dns-server 192.168.1.1
lease 0 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
!
interface Vlan1
description Local Network VLAN
ip address 192.168.3.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 192.168.3.0 255.255.255.0 FastEthernet4
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source route-map RMAP-NAT interface FastEthernet4 overload
ip dns server
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
control-plane
!
!
line con 0
password richard
login
no modem enable
transport output telnet
line aux 0
password richard
login
transport output telnet
line vty 0 3
password richard
login
transport input ssh
line vty 4
password richard
login
!
scheduler max-task-time 5000
end


Milos Megis
Level 3

Hi,
at first I don't see command "ip nat inside" on Vlan1 interface.

Next:
command "ip route 192.168.3.0 255.255.255.0 FastEthernet4" is wrong, because network 192.168.3.0/24 is directly connected to interface Vlan1 - remove it
(but this shouldn't affect routing table because AD of directly connected network is 1 and static route has AD=5)

command "ip nat inside source route-map RMAP-NAT interface FastEthernet4 overload" is unnecessary, because you don't have defined route-map RMAP-NAT and implicit behaviour is deny.

And also I am not sure if interfaces Fa1 - 4 are routed or switched.
If you want to add an IP address to them, try typing the command no switchport.
If it is not possible, then put them into different vlans and create VLAN interfaces for each vlan to ensure routing.

Hi Milos Megis,

Thank you so much. I will make your mentioned adjustment and revert shortly.

The Fa0-Fa3 are switch Ports and do not accept a direct IP configured on them except mapping an interface Vlan on them.

Thanks again

And also you have disabled ARP-Proxy so probably default route will not work.

Try use "ip route 0.0.0.0 0.0.0.0 Fa4 next_hop_ip_address"

or just remove default route and you should get it from ISP's DHCP server (check it with show ip route command)

Hi Milos,

Sorry I did not respond all this while. I have included the line as you advised but it is still not working.

The Router did not accept "next_hop_ip_address" but does accept up to this line: "ip route 0.0.0.0 0.0.0.0 Fa4"

When I played around with the Config, I was able to ping the internet but unable to ping the Local Computer connected via Fa0-Fa3. They are also unable to get access to the internet.

Here is the WAN IP from my ISP Modem: 192.168.3.0/24 (a small router)

DNS Servers 197.255.160.101 and 197.242.125.200

My LAN is 192.168.1.0. My Fa4 got 192.168.3.9 via DHCP from the ISP router.

My present Config is below. I am unable to ping both Internet and intranet with my present Config but DNS is resolving when I send a Ping

hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip cef
ip ips po max-events 100
no ftp-server write-enable
!

interface FastEthernet0
spanning-tree portfast
switchport access Vlan 1
no shutdown
!
interface FastEthernet1
switchport access Vlan 1
no shutdown
!
interface FastEthernet2
switchport access Vlan 1
no shutdown
!
interface FastEthernet3
switchport access Vlan 1
no shutdown
!
interface FastEthernet4
ip address dhcp
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
full-duplex
no shut
!

ip dhcp pool Richard-Edet
import all
network 192.168.1.0 255.255.255.0
domain-name richardedet.com
dns-server 192.168.3.1 197.255.160.101 197.242.125.200
default-router 192.168.1.1

ip domain name richardedet.com

interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!

ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
no ip http server
no ip http secure-server

Router rip
version 2
network 192.168.3.1
network 192.168.1.1
no auto-summary
!
ip name-server 197.242.125.200
ip name-server 197.255.160.101


interface Loopback 0
ip address 192.168.3.9 255.255.255.0
ip nat outside
!
control-plane
!


!

Hi tosino489,

I hope that you didn't write exactly "next_hop_ip_address" in command :-)
It must be classic IP address.
It can be most probably 192.168.3.1 or 192.168.3.254.
You can get this information, if you connect PC directly to cable instead of router and then run command line and write command "ipconfig".
In long list you will see line with text "Default Gateway.........IP_address".
This IP address you must write into command "ip route 0.0.0.0 0.0.0.0 Fa4 ip_address"

And also try to do the following changes in config:

Do not filter traffic until you have working configuration - so remove following command from Fa4 interface:
no ip verify unicast source reachable-via rx allow-default 100

You don't need loopback interface (and not with this IP address - this address must be on Fa4 interface according to your description above) - so type commands:
enable
conf t
no interface Loopback 0

You don't need RIP routing protocol because your provider probably doesn't run routing protocol to you - so type commands:
enable
conf t
no router rip

You have wrong DHCP pool with actual configuration - so type:
enable
conf t
no ip dhcp pool Richard-Edet
ip dhcp pool Richard-Edet
network 192.168.1.0 /24
default-router 192.168.1.254
dns-server 197.255.160.101 197.242.125.200
exit

Try typing the command:
switchport mode access
on Fa0 - Fa3 interfaces

But most important:
enable
conf t
no ip route 0.0.0.0 0.0.0.0 Fa4
ip route 0.0.0.0 0.0.0.0 Fa4 ip_address_as_described_above

When you make these changes, send me your configuration and we can try to make other changes if it does not work.

Hi Milos,

Thanks a lot for your assistance. I have made the corrections and I am able to ping the internet. The only challenge at the moment is that the Computer plugged into fa1 does have IP/DNS but does not have internet access. I am unable to ping the IP of the Computer from the Console.

Below is the Present Config on the router.


Router#sh run
Building configuration...

Current configuration : 1229 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Richard-Edet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 197.255.160.101 197.242.125.200 192.168.2.1
!
!
ip name-server 197.255.160.101
ip name-server 197.242.125.200
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4 192.168.2.1
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
password richard
login
no modem enable
transport output telnet
line aux 0
password richard
login
transport output telnet
line vty 0 3
password richard
login
transport input ssh
line vty 4
password richard
login
!
scheduler max-task-time 5000
end

Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 192.168.2.6 YES DHCP up up
Vlan1 192.168.1.1 YES NVRAM up up
NVI0 unassigned YES unset up up
Router#

Hi,

The problem is that you changed the IP address of the VLAN 1 interface from 192.168.1.254 to 192.168.1.1
So you must change default-router in dhcp pool:
enable
conf t
ip dhcp pool Richard-Edet
no default-router
default-router 192.168.1.1
end

Also NAT is missing:
enable
conf t
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
exit
ip nat inside source list NAT interface Fa4 overload
end

Also maybe you cannot ping PC from console of router because firewall of computer blocks ICMP protocol. In Windows I am sure that it is blocked by firewall. So you can try ping 192.168.1.1 from PC and it should work.

Try the above changes and then write me if it works, or then we can make other changes.
You can also post output of commands (if it does not work):
router: show ip route
router: ping 8.8.8.8 (this should work if your internet provider doesn't block ICMP protocol)
PC: ipconfig/all
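
Added example, not part of the thread or of any poster's reply: a small offline check for the faults diagnosed in the replies above (no `ip nat inside` interface, a NAT rule pointing at an undefined route-map, a static route for a directly connected network, and a DHCP `default-router` that is not one of the router's own addresses). The `audit` function and the `SAMPLE` text are assumptions made for illustration; the sample is constructed from fragments of the configs posted here and expects `show run` style input.

```python
import ipaddress
import re

# Constructed sample combining the faults from the configs posted in the thread.
SAMPLE = """\
ip dhcp pool Richard-Edet
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
interface FastEthernet4
 ip address dhcp
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 192.168.1.0 255.255.255.0 FastEthernet4
ip nat inside source route-map RMAP-NAT interface FastEthernet4 overload
"""

def audit(config):
    """Return one finding per fault of the kinds diagnosed in the thread."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    # Statically addressed interfaces; DHCP-learned addresses are not in the config.
    ifaces = [ipaddress.ip_interface(f"{m[1]}/{m[2]}") for ln in lines
              if (m := re.fullmatch(r"ip address (\d\S+) (\d\S+)", ln))]
    nat_rules = [ln for ln in lines if ln.startswith("ip nat inside source ")]
    if "ip nat outside" in lines:
        if "ip nat inside" not in lines:
            findings.append("no interface is marked 'ip nat inside'")
        if not nat_rules:
            findings.append("no 'ip nat inside source' rule is configured")
    for rule in nat_rules:
        m = re.search(r"route-map (\S+)", rule)
        if m and not any(ln.startswith(f"route-map {m[1]} ") for ln in lines):
            findings.append(f"NAT rule uses undefined route-map {m[1]}")
    for ln in lines:
        if m := re.match(r"ip route (\S+) (\S+)", ln):
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
            if any(i.network == net for i in ifaces):
                findings.append(f"static route for directly connected {net}")
        elif m := re.fullmatch(r"default-router (\S+)", ln):
            if ipaddress.ip_address(m[1]) not in [i.ip for i in ifaces]:
                findings.append(f"DHCP default-router {m[1]} is not a router address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
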

Thank you so much Milos,

I appreciate your time and resourced efforts. Thanks a lot.

Here is the working config. I am able to browse on the LAN and pings work vice versa.


Router#sh run
Building configuration...

Current configuration : 1355 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool Richard-Edet
network 192.168.3.0 255.255.255.0
dns-server 197.255.160.101 197.242.125.200
default-router 192.168.3.1
!
!
ip name-server 197.255.160.101
ip name-server 197.242.125.200
!
!
!
!
!
!
!
!
interface FastEthernet0
switchport mode access
!
interface FastEthernet1
switchport mode access
!
interface FastEthernet2
switchport mode access
!
interface FastEthernet3
switchport mode access
!
interface FastEthernet4
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
description Local Network VLAN
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
!
control-plane
!
!
line con 0
password richard
login
no modem enable
transport output telnet
line aux 0
password richard
login
transport output telnet
line vty 0 3
password richard
login
transport input ssh
line vty 4
password richard
login
!
scheduler max-task-time 5000
end

Router#

You're welcome :-)

Hello,


interface FastEthernet4
ip address dhcp
i
ip nat outside

!
interface Vlan1
description Local Network VLAN
ip address 192.168.3.1 255.255.255.0

IP nat inside
!

ip route 0.0.0.0 0.0.0.0 FastEthernet4 DHCP


ip nat inside source list 101 interface FastEthernet4 overload

access-list 101 permit ip 192.168.3.0 0.0.0.255 any

Masoud

Thanks Masoud. Your input was remarkable.

I appreciate your effort. Thanks a lot.

It is working now. I posted the working config down below.

Thanks again!

You are most welcome. Happy to help.

Masoud

Hi Masoud / Milos,

One last thing please. So sorry to bother you on the same topic again.

The Computers on the LAN are unable to communicate. I am unable to reach the clients connected to fa0-fa3 from the Console, neither can the clients communicate with one another.

The Clients on the LAN can ping the Gateway and can also reach the internet.

Do you have an idea of what command line can resolve this?

Hello,

If you don't change anything in config, then it will be probably caused by enabled firewall on PCs. Do you use windows?

If yes then try to turn off FW.
