ISR 1100 no internet access

Osirison
Level 1

I have been trying to get the ISR1100 (C1111-8P) connected to the internet, but no luck...

 

My ISP is UPC Cable.

Modem provides a dynamic IP so DHCP is required to obtain the public IP address.

I do get a public IP address.

 

When I set

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

Then I cannot ping from the Router to the internet

 

When I delete this route then the gateway of last resort is set.

Gateway of last resort is 62.**.**.** to network 0.0.0.0

Then I can ping 8.8.8.8 from the Router but not out from the local network.

 

There must be an issue with NAT perhaps?

 

Below part of the config:

rt01#show run
Building configuration...


Current configuration : 6990 bytes
!
! Last configuration change at 14:06:47 UTC Sat Aug 18 2018 by paul
! NVRAM config last updated at 12:21:53 UTC Sat Aug 18 2018 by paul
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname rt01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
clock timezone UTC 2 0
!
ip name-server 91.239.100.100 84.200.70.40
ip domain name home.*************.ch
ip dhcp excluded-address 192.168.10.0 192.168.10.101
!
ip dhcp pool Computers
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1 
 dns-server 192.168.10.1 
!
!
subscriber templating
! 
!
multilink bundle-name authenticated
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
 mode none
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
interface GigabitEthernet0/0/0
 description WAN
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 shutdown
!
interface GigabitEthernet0/1/0
 description LAN
 switchport mode trunk
!
interface GigabitEthernet0/1/1
 shutdown
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 shutdown
!
interface GigabitEthernet0/1/4
 shutdown
!
interface GigabitEthernet0/1/5
 shutdown
!
interface GigabitEthernet0/1/6
 shutdown
!
interface GigabitEthernet0/1/7
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4456
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255
!
access-list 101 remark -[Restrict VTY access]-
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
!!
!
control-plane
!
!
line con 0
 exec-timeout 30 0
 logging synchronous
 transport input none
 stopbits 1
line vty 0 4
 access-class 101 in
 logging synchronous
 login local
 length 0
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

rt01#

Interfaces

rt01#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   62.**.**.**     YES DHCP   up                    up      
GigabitEthernet0/0/1   unassigned      YES manual down                  down    
GigabitEthernet0/1/0   unassigned      YES unset  up                    up      
GigabitEthernet0/1/1   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/2   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/3   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/4   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/5   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/6   unassigned      YES unset  administratively down down    
GigabitEthernet0/1/7   unassigned      YES unset  down                  down    
Vlan1                  unassigned      YES unset  up                    up      
Vlan10                 192.168.10.1    YES NVRAM  up                    up      
Vlan20                 192.168.20.1    YES NVRAM  up                    up      
Vlan40                 192.168.40.1    YES NVRAM  up                    up      
rt01#

IP Route

rt01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S        10.0.0.0/8 is directly connected, Null0
S        10.***.***.129/32 [254/0] via 62.**.**.1, GigabitEthernet0/0/0
      62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        62.**.**.0/24  is directly connected, GigabitEthernet0/0/0
L        62.**.**.**/32   is directly connected, GigabitEthernet0/0/0
S     172.16.0.0/12 is directly connected, Null0
S     192.168.0.0/16 is directly connected, Null0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Vlan10
L        192.168.10.1/32 is directly connected, Vlan10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.1/32 is directly connected, Vlan20
      192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.40.0/24 is directly connected, Vlan40
L        192.168.40.1/32 is directly connected, Vlan40
rt01#

Accepted Solution

Here is the full working config (important parts marked in bold):

 

Current configuration : 6990 bytes
!
! Last configuration change at 14:06:47 UTC Sat Aug 18 2018 by paul
! NVRAM config last updated at 12:21:53 UTC Sat Aug 18 2018 by paul
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname rt01
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone UTC 2 0
!
ip name-server 91.239.100.100 84.200.70.40
ip domain name home.*************.ch
ip dhcp excluded-address 192.168.10.0 192.168.10.101
!
ip dhcp pool Computers
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
subscriber templating
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description WAN
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
shutdown
!
interface GigabitEthernet0/1/0
description LAN
switchport mode trunk
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
shutdown
!
interface GigabitEthernet0/1/7
switchport access vlan 10
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4456
ip dns server

!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
--> no ip route 192.168.0.0 255.255.0.0 Null0
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.40.0 0.0.0.255
!
access-list 101 remark -[Restrict VTY access]-
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
line con 0
exec-timeout 30 0
logging synchronous
transport input none
stopbits 1
line vty 0 4
access-class 101 in
logging synchronous
login local
length 0
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
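
The three faults this thread converges on (a default route that names only the interface, VLAN interfaces without `ip nat inside`, and inside subnets missing from the NAT access list) can be checked mechanically. The script below is an added example, not part of the original posts; its function names and the trimmed sample config are constructed, and it assumes indented `show run` output with a standard named ACL whose entries are network plus wildcard.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the original (non-working) config.
BROKEN = """\
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255
"""

def sections(config):
    """Group indented sub-commands under their top-level parent line."""
    out, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip().startswith("!"):
            continue
        if line[0] != " ":
            parent = line.strip()
            out[parent] = []
        elif parent:
            out[parent].append(line.strip())
    return out

def audit(config):
    """Return findings for the NAT and default-route faults seen in this thread."""
    sec, findings = sections(config), []
    m = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    acl = sec.get(f"ip access-list standard {m.group(1)}", []) if m else []
    # ip_network() reads a mask starting with 0 (a wildcard) as a host mask.
    permitted = [ipaddress.ip_network("/".join(l.split()[1:3]))
                 for l in acl if l.startswith("permit") and len(l.split()) == 3]
    for parent, body in sec.items():
        if re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z]\S*", parent):
            findings.append("default route names only an interface (no next hop or dhcp)")
        addr = next((l.split()[2:4] for l in body if re.match(r"ip address \d", l)), None)
        if parent.startswith("interface Vlan") and addr:
            net = ipaddress.ip_interface("/".join(addr)).network
            if "ip nat inside" not in body:
                findings.append(f"{parent[10:]}: missing 'ip nat inside'")
            if not any(net.subnet_of(p) for p in permitted):
                findings.append(f"{parent[10:]}: {net} not permitted by NAT ACL")
    return findings
```

Running `audit(BROKEN)` reports both VLAN interfaces, the uncovered 192.168.20.0/24 subnet and the interface-only default route; the same lines with the accepted solution's changes applied return an empty list.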

 

Hello,

 

Try and add dhcp to the static route:

 

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp

Unfortunately that did not solve the problem.

 

I probably misconfigured something with NAT.

interface GigabitEthernet0/0/0
 description WAN
 ip address dhcp
 ip nat outside
 negotiation auto


interface GigabitEthernet0/1/0
 description LAN
 switchport mode trunk

ip nat inside source list NAT interface GigabitEthernet0/0/0 overload

ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255

ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp

Hello, 

 

Delete the null route to 192.168.0.0, also make sure that all networks you need to be NATted are included in the NAT access list...

Thanks!!! :) 

 

Earlier I did try to put NAT inside on the interfaces but that didn't work. How silly, they need to be configured on the VLAN interfaces of course.

 

 

Glad that you got it to work in the end..:)

Hello

Just like to add, I would also suggest to remove the local DNS server and addressing and have the router import these settings from the ISP into your own DHCP for your clients. This will save unnecessary resources being used by your router.

 

no ip dns server
no ip name-server 91.239.100.100 84.200.70.40


ip dhcp pool Computers
no dns-server 192.168.10.1
import all

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for the suggestion.

 

Reason why I did this is security.

 

I used a Sophos UTM before which acted as a DNS proxy, so no clients within the network could ever do DNS requests over port 53 but instead used the UTM.

 

If this is not a good security practice for the Cisco ISR, then I will change the DNS setting instead.

Hello

The UTM, I guess, would have performed some sort of filtering on DNS requests, but this router is acting just as a forwarder, so no additional security is being utilized here.

 

Personally I would only use the router as a router and have additional features such as DNS/DHCP, firewall/IDS/IPS etc. on devices that are designed to service them. However, I do understand it isn't always financially applicable to do this.



Kind Regards
Paul

Hello!

I have a problem similar to the author of the topic, but I’m rather unenlightened in issues with Cisco, exactly as much (this is my first Cisco), I don’t know how to correctly upload the config from the post to my router. Could you help me with some sort of uploading instructions?

Hello,

 

Not sure what you can access and see on your router, but if you can issue the command 'show run', just cut and paste the entire output and post it here...