connecting a Cisco router to a cable modem

kevin.vannoy · ‎10-12-2014

I am having a problem I hope someone can help me with. I have a Cisco 2801 router with a 2950 switch. I have the switch configured with 3 VLANs and a trunk established in a router on a stick configuration. The VLANs function perfectly, but I do not have internet access at all. I configured fasteth0/0 to get its IP from the ISP via dhcp using the "IP address dhcp" command. I set up an access list and then enabled nat using that list. I issued the command "ip nat inside" on the interface with the switch attached. I issued the "ip nat outside" on the interface with the cable modem attached. The router is getting a public IP from the ISP and I configured DNS servers in global interface mode as well (8.8.8.8, 8.8.4.4). I have configured a static route via the interface connected to the modem as well. However, I am still not able to get connectivity. I am still learning and I would appreciate any help. Thanks so much!

michael o'nan · ‎10-13-2014

If you post your router config I can help you. Are you able to issue a command like ping 8.8.8.8 source fast 0/0.20 (or any of your subinterfaces)?

kevin.vannoy · ‎10-13-2014

I can ping all of the sub interfaces on fa0/1, for the VLANs that I have configured on the switch. The devices on the VLANs can ping each other as well. I cannot ping the DNS server from anywhere for some reason. I am not home right now to access the routers configuration but I will post it later if that would help. Thanks for taking the time to answer my question. I appreciate it.

michael o'nan · ‎10-13-2014

I understand you can ping internally but I was trying to judge if your NAT was setup correctly. If you can successfully ping an external IP from the router by using source of internal interface then NAT works. From your description it sounds like that is not the case. For any further assistance I would need to see the config.

kevin.vannoy · ‎10-13-2014

Thank you Michael. I am posting the configuration now. I am still learning most of this so if you see something that could be done differently or that could be improved please let me know how to correct it. Again, thank you for the time and answers.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5
!
no aaa new-model
memory-size iomem 20
dot11 syslog
ip source-route
!
!
!
ip dhcp pool Internal
import all
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8
!
!
ip cef
ip domain name HOME
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
username Kevin privilege 15 password 7
archive
log config
hidekeys
!
!
!
!
!
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
interface FastEthernet0/1.3
encapsulation dot1Q 95 native
ip address 192.168.95.2 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
no ip http secure-server
!
!
ip nat source list 50 interface FastEthernet0/1.1 overload
ip nat source list 51 interface FastEthernet0/1.2 overload
ip nat source list 52 interface FastEthernet0/1.3 overload
ip nat inside source list 50 interface FastEthernet0/1 overload
ip nat inside source list 51 interface FastEthernet0/1 overload
ip nat inside source list 52 interface FastEthernet0/1 overload
!
access-list 50 permit 192.168.10.0 0.0.0.255
access-list 51 permit 192.168.20.0 0.0.0.255
access-list 52 permit 192.168.95.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password 7
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 55
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 5 55
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
end

michael o'nan · ‎10-14-2014

You should be able to past that in to the CLI as is. I added comments after some things so you know why I did it. If you have any questions or would like more explanation just let me know.

ip dhcp pool Internal
   import all
   network 192.168.10.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 !(added 8.8.4.4 for secondary DNS on client DHCP)
!
!
no ip name-server 8.8.8.8 !(this is name resolution on the router)
no ip name-server 8.8.4.4 !(this is name resolution on the router)

no ip domain-lookup
!
no ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 !Since your interface is DHCP it will learn default route automatically
!
!
no ip nat source list 50 interface FastEthernet0/1.1 overload
no ip nat source list 51 interface FastEthernet0/1.2 overload
no ip nat source list 52 interface FastEthernet0/1.3 overload
no ip nat inside source list 50 interface FastEthernet0/1 overload
no ip nat inside source list 51 interface FastEthernet0/1 overload
no ip nat inside source list 52 interface FastEthernet0/1 overload
ip nat inside source list NAT interface FastEthernet0/0 overload !NAT overload should be done on the ISP facing interface
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.95.0 0.0.0.255
!
no access-list 50 permit 192.168.10.0 0.0.0.255
no access-list 51 permit 192.168.20.0 0.0.0.255
no access-list 52 permit 192.168.95.0 0.0.0.255
!
end

kevin.vannoy · ‎10-14-2014

Hey Michael,

Thank you very much for your assistance. Following the changes you posted I can ping addresses out on the internet from the router. However, I still do not have connectivity to my PC or any other device inside the network. I will post my router configuration again for you to review if you don't mind. Thanks again for the help.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeRouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5
!
no aaa new-model
memory-size iomem 20
dot11 syslog
ip source-route
!
!
!
ip dhcp pool Internal
import all
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name Home
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
!
!
!
!
username Kevin privilege 15 password 7
archive
log config
hidekeys
!
!
!
!
!
ip ssh version 2
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
interface FastEthernet0/1.2
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
interface FastEthernet0/1.3
encapsulation dot1Q 95
ip address 192.168.95.2 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.95.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
password 7
logging synchronous
login
line aux 0
line vty 0 4
exec-timeout 5 55
logging synchronous
login local
transport input ssh
line vty 5 15
exec-timeout 5 55
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
end

michael o'nan · ‎10-14-2014

What kind of switch are you connecting to? If it is a Catalyst model please post the config.

kevin.vannoy · ‎10-14-2014

Michael,

The switch is a Catalyst 2950. Thanks again for the help. The configuration is as follows:

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HomeNetwork
!
enable secret 5
!
ip subnet-zero
!
no ip domain-lookup
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
!
interface FastEthernet0/3
shutdown
!
interface FastEthernet0/4
shutdown
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
shutdown
!
interface FastEthernet0/8
shutdown
!
interface FastEthernet0/9
shutdown
!
interface FastEthernet0/10
switchport access vlan 95
switchport mode access
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
switchport trunk native vlan 95
switchport trunk allowed vlan 10,20,95
switchport mode trunk
!
interface FastEthernet0/25
!
interface FastEthernet0/26
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan95
ip address 192.168.95.1 255.255.255.0
no ip route-cache
!
ip http server
!
line con 0
exec-timeout 5 55
password 7
logging synchronous
login
line vty 0 4
exec-timeout 5 55
password 7
logging synchronous
login
line vty 5 15
exec-timeout 5 55
password 7
logging synchronous
login
!
!
end

michael o'nan · ‎10-16-2014

What port or VLAN are your devices using? Looks like FastEthernet0/1 would be the only port allowed to pull DHCP. Also just noticed you are missing this from your DHCP config:

ip dhcp pool Internal
default-router 192.168.10.1

kevin.vannoy · ‎10-17-2014

My desktop is on VLAN 10 at the moment. It is able to pull DHCP. The devices on the other VLANs I have configured with static addresses. How do I set it up to pull IP addresses from DHCP for all VLANs? I will try adding the default router command as well. That was an excellent observation. Again, thank you very much for your help. It is very much appreciated. Have a great day.

michael o'nan · ‎10-17-2014

Since they are in different VLANs you will want them in different subnets as well. You just add a DHCP pool for this.

So currently you have:

ip dhcp pool Internal
import all
network 192.168.10.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4

You can just add one like this (name the pool and use whatever subnet whatever you like)

ip dhcp pool VLAN20

network 192.168.20.0 255.255.255.0

default-router 192.168.20.1

dns-server 8.8.8.8 8.8.4.4

lease 7 (if you want to put a lease timer on the address)

Do the same for VLAN 99 or any others you like. As long as the port is in the proper VLAN and you have the subinterfaces setup correctly they should pull an IP address without issues.

Please rate my posts if you find them helpful