06-19-2016 08:21 PM - edited 03-05-2019 04:15 AM
We are upgrading from a 2821 router to a 4331 router and the commands are a little cryptic to me. Basically we have three VLANs that need to have DHCP requests to the switches when individual devices on each VLAN request an IP address, and for some reason any device on the switchports is not able to receive the proper address. Also, we are unable to see the internet with the connection being broadband on 0/0/0 and set up for DHCP. The show int g0/0/0 does show an IP address being assigned by broadband, but we are unable to access the web or even ping 8.8.8.8. Any help will be appreciated and I have included the config.
06-19-2016 10:30 PM
You need to configure zone-pair security between LAN and Internet explicitly. You should configure all internal interfaces as zone LAN, and configure zone-pair between them explicitly.
06-20-2016 04:44 AM
This was in the config (am I missing something):
!
zone security lan
zone security internet
zone-pair security net-self source internet destination self
 service-policy type inspect to-self-pmap
zone-pair security priv-self source lan destination self
 service-policy type inspect to-self-pmap
zone-pair security self-net source self destination internet
 service-policy type inspect from-self-pmap
zone-pair security self-priv source self destination lan
 service-policy type inspect from-self-pmap
!
!
!
interface Loopback1
 ip address 10.10.10.1 255.255.255.252
!
interface GigabitEthernet0/0/0
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 zone-member security internet
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 no ip address
 ip nat inside
 zone-member security lan
 ip policy route-map nonat
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1
 description Management VLAN
 encapsulation dot1Q 1 native
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 ip nat inside
 zone-member security lan
 ip policy route-map nonat
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.100
 description Data VLAN100
 encapsulation dot1Q 100
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 ip nat inside
 zone-member security lan
 ip policy route-map nonat
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.150
 description Voice VLAN150
 encapsulation dot1Q 150
 ip address 192.168.15.1 255.255.255.0
 ip nat inside
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.300
 description CAM VLAN300
 encapsulation dot1Q 300
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 ip nat inside
 zone-member security lan
 ip policy route-map nonat
 no cdp enable
 ip virtual-reassembly
!
06-20-2016 05:02 AM
Hi
For your routing issue, if you're getting an IP from your ISP on your WAN interface, try to change the default route as:
ip route 0.0.0.0 0.0.0.0 dhcp
Your ISP might send you the default route through DHCP.
For the DHCP pool, could you explain a little bit more? Let's take an example.
If your PC is connected on VLAN 300 on your layer 2 switch, which IP is it getting?
Thanks