09-24-2008 06:02 AM - edited 03-03-2019 11:40 PM
Hi everybody! It's nice to know that I can connect to a network of professionals such as this one who are always ready to offer solutions to problems.
I recently posted a conversation on configuring a Cisco 871 for Internet access and I got my problem resolved, because my company LAN can now browse the Internet.
The next challenge facing me now is how to get our remote branches to access the Internet.
From the configuration I have, I can ping my ISP gateway (router) from the remote branch. I can even ping public IP addresses such as www.yahoo.com and www.google.com. Yet no system from the branch office can access the Internet. All the systems in the branch office, however, can access all the systems in the head office, and they are joined to the same domain as the head office systems.
Since I can reach my ISP from the router (by ping command), could it be that this problem is a Windows-related one, or is it a configuration problem?
Below is the config of my branch office router.
show run
Building configuration...
Current configuration : 3272 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Oliverouter
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
resource policy
clock timezone PCTime 1
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip cef
no ip bootp server
ip domain name olivemfb.com
ip name-server 172.20.x.y
ip name-server 172.20.x.z
ip name-server 77.220.x.y
ip name-server 77.220.y.x
interface Null0
no ip unreachables
interface FastEthernet0/0
description $LAN Interface$
ip address 172.25.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface FastEthernet0/1
description $WAN FW_OUTSIDE$
ip address 172.30.1.2 255.255.255.0
ip access-group sdm_fastethernet0/1_in in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
no mop enabled
ip classless
ip route 0.0.0.0 0.0.0.0 172.30.1.1 permanent
ip route 172.20.1.0 255.255.255.0 172.30.1.1 permanent
ip route 172.25.0.0 255.255.0.0 172.30.1.1 permanent
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip access-list extended sdm_fastethernet0/1_in
remark SDM_ACL Category=1
permit ip 172.20.1.0 0.0.0.255 172.25.2.0 0.0.0.255 log
permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255 log
deny ip any 172.25.2.0 0.0.0.255 log
logging trap debugging
access-list 100 remark mile12toho
access-list 100 remark SDM_ACL Category=4
access-list 100 remark Traffic from mile 12 to headoffice
access-list 100 permit ip 172.25.2.0 0.0.0.255 172.20.1.0 0.0.0.255 log
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 172.25.0.0 0.0.255.255 172.20.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.20.1.0 0.0.0.255 172.25.0.0 0.0.255.255 log
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 deny ip any 172.25.2.0 0.0.0.255 log
no cdp run
control-plane
n authorized user!^C
line con 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet
scheduler allocate 20000 1000
end
Accepted Solutions
09-25-2008 12:05 PM
Tom
If you change John's suggestion from
permit tcp any any eq established
to
permit tcp any any established
then it should work. And the line as you added it should work for normal HTTP (but not HTTPS).
If you can ping public addresses from the router but not from end systems it suggests that the problem is that outside does not have a route back to the source. One thing that would cause this symptom is if the source addresses (from the branch LAN) were not being translated when they go out to the Internet. If the network was not previously set for Internet access then it is likely that there is no translation for the branch addresses.
Can you check and see if there is any address translation for the branch addresses as they go to the Internet?
HTH
Rick
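The translation check Rick asks for, worked through as an added example; this is not config from the thread. The branch router shown above has a private outside address (172.30.1.2/24, default route to 172.30.1.1), so the branch subnet can only be translated on whatever device faces the ISP. That device is not in the thread; the head-office 871 from the earlier post is assumed, with Vlan1 as its LAN and FastEthernet4 as its WAN, and access list 1 as its NAT source list. All of those names are assumptions.

```cisco
! Added example, applied on the Internet-edge router (assumed: the head-office
! 871, Vlan1 = LAN, FastEthernet4 = WAN). Not part of the thread's config.
!
! 1. Is anything from the branch subnet ever translated? Start a browser on a
!    branch PC first, then look for inside-local 172.25.2.x entries.
show ip nat translations | include 172.25.2
show ip nat statistics
!
! 2. Typical cause of "router can ping, hosts cannot": the NAT source list names
!    only the head-office LAN, so branch packets leave with an RFC 1918 source
!    address and no Internet host can route the reply back.
!
!    Before (assumed list 1 as it would look after the LAN-only setup):
access-list 1 permit 172.20.1.0 0.0.0.255
!
!    After: the branch subnet is added to the same list.
access-list 1 permit 172.20.1.0 0.0.0.255
access-list 1 permit 172.25.2.0 0.0.0.255
!
! 3. NAT only acts on packets that enter on an "ip nat inside" interface and
!    leave on an "ip nat outside" one. The link that receives branch traffic
!    (the 172.30.1.0/24 side; its interface name is not in the thread) must
!    therefore be marked inside as well, not just the LAN.
interface Vlan1
 ip nat inside
interface FastEthernet4
 ip nat outside
ip nat inside source list 1 interface FastEthernet4 overload
!
! 4. The edge router also needs a route back to the branch so that the
!    untranslated reply can be forwarded. Head office already reaches branch
!    hosts, so this is probably present, but confirm it.
show ip route 172.25.2.0
```

Translation fixes only the outbound half: once replies come back with a valid destination, the inbound access list on the branch router still has to let them through, which is the other half of this thread. If the ISP-facing device is not the 871 (for example an ISP-managed router), the same checks apply there, and the NAT list and inside-interface marking have to be changed by whoever administers it.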

09-24-2008 06:04 AM
What are you getting when you try to browse? What are your DNS settings on the workstation? Are you using DHCP?
John
09-24-2008 09:30 AM
Thomas
I believe that your problem is in your inbound access list:
ip access-list extended sdm_fastethernet0/1_in
remark SDM_ACL Category=1
permit ip 172.20.1.0 0.0.0.255 172.25.2.0 0.0.0.255 log
permit ip 172.25.0.0 0.0.255.255 172.25.2.0 0.0.0.255 log
deny ip any 172.25.2.0 0.0.0.255 log
There is not anything in this access list that would permit incoming traffic that originated in the Internet. You cannot browse the Internet if no response can get back to you. I suggest that the access list needs to be re-written to permit traffic originating from the Internet.
HTH
Rick
09-24-2008 09:59 AM
Hi Rick
Thanks for your contribution.
Please can you write sample access-list statements I can add to permit traffic originating from the Internet.
I appreciate your time to attend to me.
Tom
09-24-2008 10:48 AM
Tom
Before I can suggest a good sample access-list statement there is an issue that must be resolved. An access list is configured to implement some policy. Some policies are relatively broad in what they permit and some are quite restrictive. Your current access list reflects a very restrictive policy. The policy restricts access to the local subnet (172.25.2.0/24) to only 2 specific subnets (172.20.1.0/24 and 172.25.0.0/16) and denies any other access. That policy does not include any Internet access. So if you are going to add Internet access then the policy must change. But what should the new policy be? Will it be a broad permit any Internet traffic? Or will it be somewhat restrictive in what is to be permitted? Once we know what the new policy should be then we can produce sample access-list statements.
HTH
Rick
09-25-2008 04:32 AM
Hi Rick,
Thanks for your response. You are right, our policy is very restrictive due to our job nature. But we intend to loosen up a bit and allow for Internet access. For now we want a broad permit any Internet traffic. With time we will monitor the nature of traffic we are having and know if to disallow access to specific sites and what to allow.
I will appreciate it if I will have access list statements that will help me achieve that.
Thanks
09-25-2008 04:48 AM
Tom
If you want to loosen up a bit the first thing that you need to do is to remove this line from the access list:
deny ip any 172.25.2.0 0.0.0.255 log
since it denies traffic from anywhere to destinations in the local LAN.
Beyond that it is a bit difficult to know what you should do. The suggestion from John about permit tcp any any established would allow responses incoming for tcp sessions established by users on the local LAN without permitting traffic initiated from the Internet. But it does not do anything for ICMP or for UDP. So perhaps the thing to do would be to add this line to the access list which will permit everything:
permit ip any any
And one could then ask that since everything is permitted whether you need the access list on the interface at all since it is not denying any traffic.
HTH
Rick
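A stateless return-traffic policy for the branch router's inbound list, sitting between the original deny-everything ACL and "permit ip any any". This is an added example, not Rick's or the poster's config. It keeps the two site-to-site permits already in sdm_fastethernet0/1_in and assumes the ISP resolvers are the two 77.220.x.y addresses from the ip name-server lines (redacted in the post, written the same way here). The CBAC section at the end assumes the router's IOS 12.4 image includes the firewall feature set, which the posted config does not confirm.

```cisco
! Added example: edit the existing named ACL on the branch router in place.
! IOS evaluates an ACL top down and stops at the first match, and new entries
! append at the bottom, so the deny is removed first and re-added last.
ip access-list extended sdm_fastethernet0/1_in
 no deny ip any 172.25.2.0 0.0.0.255 log
 ! TCP replies to sessions the LAN opened. "established" matches segments with
 ! ACK or RST set and takes no port; "eq established" is rejected because eq
 ! expects a port. A port after the destination is the destination port, so
 ! "any any eq www established" would not match a web reply either: its source
 ! port is 80 and its destination port is the client's ephemeral port.
 permit tcp any 172.25.2.0 0.0.0.255 established
 ! UDP carries no flags, so name the reply sources: DNS answers from the ISP
 ! resolvers configured under ip name-server (x.y as redacted in the post).
 permit udp host 77.220.x.y eq domain 172.25.2.0 0.0.0.255
 permit udp host 77.220.y.x eq domain 172.25.2.0 0.0.0.255
 ! ICMP needed for ping replies and path-MTU discovery; inbound echo stays denied.
 permit icmp any 172.25.2.0 0.0.0.255 echo-reply
 permit icmp any 172.25.2.0 0.0.0.255 time-exceeded
 permit icmp any 172.25.2.0 0.0.0.255 packet-too-big
 permit icmp any 172.25.2.0 0.0.0.255 unreachable
 ! Everything else from outside toward the LAN is dropped. Log only here: "log"
 ! on every permit sends matched packets through process switching and fills
 ! the 51200-byte buffer with normal traffic.
 deny ip any 172.25.2.0 0.0.0.255 log
!
! Stateful alternative: have the router open return pinholes per outbound
! session instead of trusting any ACK-flagged packet from the Internet (the
! "established" line above passes ACK scans and unsolicited RSTs to LAN hosts).
! Assumes an IOS 12.4 image with the firewall (CBAC) feature set. With this in
! place the static ACL needs only the site-to-site permits and the final deny.
ip inspect name BRANCH_OUT tcp
ip inspect name BRANCH_OUT udp
ip inspect name BRANCH_OUT icmp
interface FastEthernet0/1
 ip inspect BRANCH_OUT out
!
! Verify after a browser test from a branch PC: match counters show which
! line passed the reply, and the deny line shows what is still being dropped.
show ip access-lists sdm_fastethernet0/1_in
```

Either variant only matters once replies actually reach the branch router; if the branch subnet is not translated at the Internet edge there is nothing for these lines to match, which is why Rick asks about NAT in the accepted answer.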
09-24-2008 09:50 AM
When I try to browse the system will show that the server cannot be found. The DNS settings I am using on the workstation are the DNS servers we have at our head office LAN; I even tried to add the DNS address of our ISP directly to the system but still no improvement.
I am not using DHCP.

09-24-2008 10:02 AM
Try to put this in your existing acl:
permit tcp any any eq established
Put it before your deny statement.
Let me know if that helps!
John
09-25-2008 04:37 AM
Hi John,
I added that but got an error message, so I added this:
permit tcp any any eq www established log
But still I could not browse from any of the systems. (NB I can ping any public address on the Internet from the router but not from the end systems.)
Thanks

09-25-2008 05:37 AM
Do you get any hits on the line when you try to go out? You may want to try Rick's suggestion about adding "permit ip any any log" to your public acl, and then I would remove your acl that's applied to the internal interface (if there is one). also, can you do a "sh xlate" and post a few lines from that?
--John
10-02-2008 11:15 AM
Hi Rick
Thanks so much.
I will try this out and I will get back to you when it works.
Tom
