16526 Views | 10 Helpful | 19 Replies

Connecting Cisco 2911 into internet through ISP's router

juhaniheino (Level 1)

Good evening

I recently got an almost brand new Cisco 2911 router and a Cisco 2960 switch for free from school. I've been configuring both a little bit in school, so I can handle the basic stuff. I currently live in an older apartment where a coaxial cable comes into the ISP's provided router. The router also happens to be a Cisco device (Cisco EPC3825). This router is wireless with four ethernet ports. Now, the 2911 does not have a coaxial input, so I have to put the ISP's router before the Cisco 2911 in my setup. This setup will be a temporary one and I am just testing how things work out. I am moving soon to a newer apartment where there will be ethernet ports in the walls, so I can move the ISP's router behind the 2911.

I know my public IP address and the ISP's provided gateway and DNS servers. Currently the ISP's router's LAN IP is 192.168.1.1. I connected the first ethernet port of the ISP's router to the 2911's GigabitEthernet0/0 port. I gave the IP address 192.168.1.2 to the 2911's 0/0 port. From GigabitEthernet0/1 an ethernet cable goes into my 2960 switch, and from there on it goes to my desktop machine and server machine. In the future I will connect the ISP's router to the 2960. Currently I haven't made any changes to the ISP's router's settings; they are pretty much factory defaults.

The network I have given to my LAN devices behind the 2911 is 172.17.1.0/24. The 2911's 0/1 port has the IP address 172.17.1.1. The 2960 switch has the IP address 172.17.1.2. I installed a DHCP server on the 2911 router, and when I connect my laptop to the switch it gives me an IP address from the 172.17.1.10-172.17.1.250 range. Now I can ping from the laptop the 2960 switch, both of the 2911 router's ports and the ISP's router. But I cannot ping Google's public DNS (8.8.8.8) or the ISP's provided gateway, for example. I have a desktop computer plugged straight into the ISP's router, and the internet works very well from there. Also, if I connect my laptop via wireless to the ISP's router, the internet works very well. But from either setup (desktop into the ISP router or laptop via wireless into the ISP router) I can only ping the Cisco 2911's 0/0 port, not anything behind it. From the 2911 itself I cannot ping either the laptop or the desktop machine, even when they have their firewalls off.

Here is the config of the 2911 router:

    Current configuration : 1528 bytes
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip dhcp excluded-address 172.17.1.1 172.17.1.10
    !
    ip dhcp pool LAN_POOL
     network 172.17.1.0 255.255.255.0
     default-router 172.17.1.1
     dns-server 8.8.8.8 8.8.4.4
     lease 7
    !
    !
    !
    ip cef
    no ipv6 cef
    multilink bundle-name authenticated
    !
    !
    cts logging verbose
    !
    !
    !
    !
    !
    redundancy
    !
    !
    !
    !
    !
    !
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    !
    interface GigabitEthernet0/0
     ip address 192.168.1.2 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     ip address 172.17.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 23 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    !
    !
    access-list 23 permit 172.17.1.0 0.0.0.25
    !
    control-plane
    !
    !
    !
    line con 0
     password 7 091D1C5A4A11141E
     login
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password 7 0257560858120C2D
     login
     transport input none
    !
    scheduler allocate 20000 1000
    !
    end

As you can see from the config, I have tried adding static routing and playing with NAT, neither of which gave any results. What I am trying to achieve here is to connect to the internet from behind the 2911 router, and to connect from the internet to my server machine behind the 2911 router. The solution may be simple, but I just can't see it. Thanks in advance.

Regards
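Added example (not from the original post and not Cisco tooling): a small Python checker that reads the lines from the 2911 config above that decide which LAN hosts get translated, applies IOS wildcard-mask semantics to the NAT source ACL, and lists the DHCP-assignable addresses the ACL does not permit. A host the ACL does not match is forwarded out GigabitEthernet0/0 with its 172.17.1.x source address untranslated, and an ISP router at factory defaults has no return route for that prefix. With the wildcard exactly as posted, `0.0.0.25`, the ACL matches only eight addresses of the /24 (host octets 0, 1, 8, 9, 16, 17, 24, 25), and only four of those fall inside the DHCP scope. The config excerpt is constructed from the posted lines; the function names are the example's own.

```python
import ipaddress

# Constructed excerpt: the lines from the 2911 config above that decide which
# LAN hosts get translated (DHCP scope and the NAT source ACL), copied as posted.
CONFIG_EXCERPT = """\
ip dhcp excluded-address 172.17.1.1 172.17.1.10
ip dhcp pool LAN_POOL
 network 172.17.1.0 255.255.255.0
 default-router 172.17.1.1
ip nat inside source list 23 interface GigabitEthernet0/0 overload
access-list 23 permit 172.17.1.0 0.0.0.25
"""


def parse_standard_acl(config, acl_number):
    """Return [(action, base, wildcard)] as ints for a numbered standard ACL.

    IOS wildcard semantics: a 1 bit means "don't care". 'host A' is wildcard
    0.0.0.0, 'any' is 0.0.0.0 255.255.255.255, a bare address means 0.0.0.0.
    """
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list" or p[1] != str(acl_number):
            continue
        action = p[2]
        if p[3] == "host":
            base, wc = p[4], "0.0.0.0"
        elif p[3] == "any":
            base, wc = "0.0.0.0", "255.255.255.255"
        else:
            base, wc = p[3], (p[4] if len(p) > 4 else "0.0.0.0")
        entries.append((action, int(ipaddress.IPv4Address(base)),
                        int(ipaddress.IPv4Address(wc))))
    return entries


def acl_action(entries, addr):
    """First-match evaluation with the implicit deny at the end, as IOS does it."""
    a = int(ipaddress.IPv4Address(addr))
    for action, base, wc in entries:
        care = ~wc & 0xFFFFFFFF          # bits that must match the base address
        if (a & care) == (base & care):
            return action
    return "deny"


def dhcp_scope(config, pool_name):
    """Assignable addresses of a pool: host addresses of its network minus
    every 'ip dhcp excluded-address' range (single address or low high)."""
    excluded = set()
    network = None
    in_pool = False
    for line in config.splitlines():
        p = line.split()
        if p[:3] == ["ip", "dhcp", "excluded-address"]:
            lo = ipaddress.IPv4Address(p[3])
            hi = ipaddress.IPv4Address(p[4]) if len(p) > 4 else lo
            excluded.update(range(int(lo), int(hi) + 1))
        elif p[:3] == ["ip", "dhcp", "pool"]:
            in_pool = p[3] == pool_name
        elif not line.startswith(" "):
            in_pool = False               # any other top-level command ends the stanza
        elif in_pool and p[0] == "network":
            network = ipaddress.IPv4Network(f"{p[1]}/{p[2]}")
    return [str(h) for h in network.hosts() if int(h) not in excluded]


def nat_gaps(config, acl_number, pool_name):
    """Pool addresses the NAT ACL does not permit: hosts that would leave the
    outside interface with their private source address untranslated."""
    entries = parse_standard_acl(config, acl_number)
    return [h for h in dhcp_scope(config, pool_name)
            if acl_action(entries, h) != "permit"]


if __name__ == "__main__":
    scope = dhcp_scope(CONFIG_EXCERPT, "LAN_POOL")
    gaps = nat_gaps(CONFIG_EXCERPT, 23, "LAN_POOL")
    print(f"{len(gaps)} of {len(scope)} DHCP-assignable addresses bypass NAT")
    print("first few:", gaps[:5])
    fixed = CONFIG_EXCERPT.replace("0.0.0.25\n", "0.0.0.255\n")
    print("with wildcard 0.0.0.255:", len(nat_gaps(fixed, 23, "LAN_POOL")), "gaps")
```

Run as-is the checker reports 240 of the 244 assignable addresses as untranslated; rewriting the last line of the excerpt with the wildcard `0.0.0.255` brings that to zero. A separate point worth checking on the same config: `ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0` names an Ethernet interface rather than a next-hop address, so the 2911 has to ARP for every Internet destination and depends on the ISP router answering proxy ARP; `ip route 0.0.0.0 0.0.0.0 192.168.1.1` removes that dependency.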

19 Replies

Hello,

since your Cisco is now not the Internet edge device anymore, you can take all the ZBF configuration out. Also, do you still need to get remote VPN access?

I removed all ZBF configs and all is well, thank you. So that means I can just use the ACLs for additional security then? And yes, I will be using VPN, but I'm not sure if it's configured properly. Did you notice something off?

Hello,

to be honest I don't think your VPN clients will be able to connect to your Cisco anymore, since you are effectively double NATting (first from the Cisco, then from the ISP router). What brand/type is your ISP router?

My current config is ISP modem (SBXXXX) to consumer-level router (Netgear R6100) to Cisco 2921 ISR. I'm sure with some help and complicated configuration I can get it up. The VPN wasn't tested or running previously, but I know it will need to be functional in the near future.

Hello,

below is the simplified configuration of your Cisco, which should get you Internet connectivity for all networks connected. If you are still having trouble after implementing this, try to set the DNS servers in your DHCP pools to 8.8.8.8 and 8.8.4.4.

    ip dhcp excluded-address 10.10.91.254
    ip dhcp excluded-address 10.10.130.254
    ip dhcp excluded-address 10.10.230.254
    ip dhcp excluded-address 10.10.80.254
    ip dhcp excluded-address 172.16.230.254
    ip dhcp excluded-address 10.10.30.12
    ip dhcp excluded-address 10.10.10.254
    ip dhcp excluded-address 10.10.99.254
    ip dhcp excluded-address 10.10.150.254
    ip dhcp excluded-address 172.16.180.254
    ip dhcp excluded-address 10.10.180.254
    ip dhcp excluded-address 10.10.30.254
    !
    ip dhcp pool Servers
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.254
     dns-server 10.10.10.10
    !
    ip dhcp pool Data
     network 10.10.30.0 255.255.255.0
     default-router 10.10.30.254
     dns-server 75.114.81.1
    !
    ip dhcp pool Voice
     import all
     network 10.10.150.0 255.255.255.0
     default-router 10.10.150.254
     dns-server 10.10.10.10
     option 150 ip 10.10.150.100
     option 66 ip 10.10.150.100
     option 60 ip 10.10.150.100
    !
    ip dhcp pool Network_Infrastructure_Management
     import all
     network 10.10.99.0 255.255.255.0
     default-router 10.10.99.254
     dns-server 10.10.10.10
    !
    ip dhcp pool Security
     import all
     network 10.10.91.0 255.255.255.0
     dns-server 10.10.10.10
     default-router 10.10.91.254
    !
    ip dhcp pool Gues_Wi-Fi
     network 10.10.180.0 255.255.255.0
     default-router 10.10.180.254
     dns-server 75.114.81.1 75.114.81.2
    !
    ip dhcp pool Employee_Wi-Fi
     import all
     network 10.10.130.0 255.255.255.0
     dns-server 10.10.10.10
     default-router 10.10.130.254
    !
    ip dhcp pool VPN_Clients
     network 10.10.230.0 255.255.255.0
     default-router 10.10.230.254
     dns-server 10.10.10.10
    !
    ip dhcp pool DMZ_Clients
     network 172.16.180.0 255.255.255.0
     default-router 172.16.180.254
     dns-server 75.114.81.1 75.114.81.2
    !
    ip domain name sitename.com
    ip name-server 10.10.10.10
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    interface GigabitEthernet0/0
     description PrimaryWANDesc_
     ip address 192.168.1.1 255.255.255.0
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1
     no ip address
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/1.10
     encapsulation dot1Q 10
     ip address 10.10.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/1.30
     encapsulation dot1Q 30
     ip address 10.10.30.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/1.99
     encapsulation dot1Q 99
     ip address 10.10.99.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/1.130
     encapsulation dot1Q 130
     ip address 10.10.130.254 255.255.255.0
     ip helper-address 10.10.10.10
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/1.150
     encapsulation dot1Q 150
     ip address 10.10.150.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/2
     no ip address
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
     duplex auto
     speed auto
    !
    interface GigabitEthernet0/2.80
     encapsulation dot1Q 80 native
     ip address 10.10.80.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/2.91
     encapsulation dot1Q 91
     ip address 10.10.91.254 255.255.255.0
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/2.120
     encapsulation dot1Q 120
     ip address 10.10.120.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/2.180
     encapsulation dot1Q 180
     ip address 10.10.180.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface GigabitEthernet0/2.181
     encapsulation dot1Q 280
     ip address 172.16.180.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1412
    !
    interface Serial0/2/0
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    ! PAT: translate inside sources permitted by ACL 10 to the GigabitEthernet0/0 address
    ip nat inside source list 10 interface GigabitEthernet0/0 overload
    !
    ! default route toward the ISP router
    ip route 0.0.0.0 0.0.0.0 192.168.1.10
    !
    access-list 10 permit 10.10.0.0 0.0.255.255
    access-list 10 permit 172.16.180.0 0.0.0.255
    !
    dialer-list 1 protocol ip permit
    !
    end
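Added example (not part of the reply and not Cisco tooling): a stanza-level lint in Python over a constructed excerpt of the proposed configuration. It checks three things that are easy to miss when a config is trimmed by hand: that the translation rule uses the `ip nat inside source` form when interfaces are marked `ip nat inside`/`ip nat outside` (the `ip nat source` form is the NAT Virtual Interface variant and needs `ip nat enable` on the interfaces instead), that every DHCP pool's default-router sits on an interface marked `ip nat inside`, and that each subinterface's dot1Q tag matches its subinterface number. The excerpt keeps the interface names, addresses and pools from the reply; its translation rule is written in the `ip nat source` form so the first check has something to report. The function names are the example's own.

```python
# Constructed excerpt: interface names, addresses and pools are copied from the
# proposed config above, trimmed to the stanzas these checks read. The NAT rule
# is deliberately written in the NVI ('ip nat source') form to exercise check 1.
PROPOSED_EXCERPT = """\
ip dhcp pool Servers
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.254
!
ip dhcp pool Security
 network 10.10.91.0 255.255.255.0
 default-router 10.10.91.254
!
ip dhcp pool DMZ_Clients
 network 172.16.180.0 255.255.255.0
 default-router 172.16.180.254
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2.91
 encapsulation dot1Q 91
 ip address 10.10.91.254 255.255.255.0
!
interface GigabitEthernet0/2.181
 encapsulation dot1Q 280
 ip address 172.16.180.254 255.255.255.0
 ip nat inside
!
ip nat source list 10 interface GigabitEthernet0/0 overload
"""


def parse_stanzas(config):
    """Group an IOS-style config into {top-level line: [stripped indented sub-lines]}.
    Top-level one-liners get an empty list; '!' separators and blank lines are skipped."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                stanzas[current].append(line.strip())
        else:
            current = line.strip()
            stanzas.setdefault(current, [])
    return stanzas


def lint_nat(config):
    """Return a list of human-readable findings; empty means all three checks pass."""
    stanzas = parse_stanzas(config)
    findings = []
    interfaces = {h.split()[1]: body for h, body in stanzas.items()
                  if h.startswith("interface ")}

    # Check 1: interface NAT domains require the 'ip nat inside source' rule form.
    uses_domains = any(l in ("ip nat inside", "ip nat outside")
                       for body in interfaces.values() for l in body)
    for h in stanzas:
        if h.startswith("ip nat source ") and uses_domains:
            findings.append(f"'{h}' is the NVI form of the translation rule (it needs "
                            "'ip nat enable' on the interfaces); with 'ip nat inside'/"
                            "'ip nat outside' marked, use 'ip nat inside source ...'")

    # Check 2: every DHCP default-router must be on an interface marked 'ip nat inside'.
    addr_to_if = {}
    for name, body in interfaces.items():
        for l in body:
            p = l.split()
            if p[:2] == ["ip", "address"] and len(p) >= 4:
                addr_to_if[p[2]] = name
    for h, body in stanzas.items():
        if h.startswith("ip dhcp pool "):
            pool = h.split()[3]
            gw = next((l.split()[1] for l in body if l.startswith("default-router ")), None)
            ifname = addr_to_if.get(gw)
            if ifname is None:
                findings.append(f"pool {pool}: default-router {gw} is not configured on any interface")
            elif "ip nat inside" not in interfaces[ifname]:
                findings.append(f"pool {pool}: gateway interface {ifname} lacks 'ip nat inside', "
                                "so its clients are never translated")

    # Check 3: a dot1Q tag that differs from the subinterface number is usually a typo.
    for name, body in interfaces.items():
        if "." in name:
            sub = name.rsplit(".", 1)[1]
            for l in body:
                p = l.split()
                if p[:2] == ["encapsulation", "dot1Q"] and p[2] != sub:
                    findings.append(f"{name}: dot1Q tag {p[2]} does not match subinterface "
                                    f"number {sub}; check for a typo")
    return findings


if __name__ == "__main__":
    for finding in lint_nat(PROPOSED_EXCERPT):
        print("-", finding)
```

On the excerpt the lint reports three findings: the `ip nat source` rule form, the Security pool whose gateway interface GigabitEthernet0/2.91 carries no `ip nat inside`, and the tag 280 on GigabitEthernet0/2.181. Whether the Security VLAN is meant to stay off the Internet is a design decision the config alone cannot answer; the check only makes the omission visible so it is a decision rather than an accident.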
