08-18-2018 05:35 AM - edited 03-05-2019 10:51 AM
I have been trying to get the ISR1100 (C1111-8P) connected to the internet, but no luck...
My ISP is UPC Cable.
Modem provides a dynamic IP so DHCP is required to obtain the public IP address.
I do get a public IP address.
When I set
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
Then I cannot ping from the Router to the internet.
When I delete this route then the gateway of last resort is set.
Gateway of last resort is 62.**.**.** to network 0.0.0.0
Then I can ping 8.8.8.8 from the Router but not out from the local network.
There must be an issue with NAT perhaps?
Below part of the config:
rt01#show run
Building configuration...

Current configuration : 6990 bytes
!
! Last configuration change at 14:06:47 UTC Sat Aug 18 2018 by paul
! NVRAM config last updated at 12:21:53 UTC Sat Aug 18 2018 by paul
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname rt01
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone UTC 2 0
!
ip name-server 91.239.100.100 84.200.70.40
ip domain name home.*************.ch
ip dhcp excluded-address 192.168.10.0 192.168.10.101
!
ip dhcp pool Computers
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
!
subscriber templating
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
 description WAN
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 shutdown
!
interface GigabitEthernet0/1/0
 description LAN
 switchport mode trunk
!
interface GigabitEthernet0/1/1
 shutdown
!
interface GigabitEthernet0/1/2
 shutdown
!
interface GigabitEthernet0/1/3
 shutdown
!
interface GigabitEthernet0/1/4
 shutdown
!
interface GigabitEthernet0/1/5
 shutdown
!
interface GigabitEthernet0/1/6
 shutdown
!
interface GigabitEthernet0/1/7
 switchport access vlan 10
 switchport mode access
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4456
ip dns server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255
!
access-list 101 remark -[Restrict VTY access]-
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
line con 0
 exec-timeout 30 0
 logging synchronous
 transport input none
 stopbits 1
line vty 0 4
 access-class 101 in
 logging synchronous
 login local
 length 0
 transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
rt01#
Interfaces
rt01#show ip int br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   62.**.**.**     YES DHCP   up                    up
GigabitEthernet0/0/1   unassigned      YES manual down                  down
GigabitEthernet0/1/0   unassigned      YES unset  up                    up
GigabitEthernet0/1/1   unassigned      YES unset  administratively down down
GigabitEthernet0/1/2   unassigned      YES unset  administratively down down
GigabitEthernet0/1/3   unassigned      YES unset  administratively down down
GigabitEthernet0/1/4   unassigned      YES unset  administratively down down
GigabitEthernet0/1/5   unassigned      YES unset  administratively down down
GigabitEthernet0/1/6   unassigned      YES unset  administratively down down
GigabitEthernet0/1/7   unassigned      YES unset  down                  down
Vlan1                  unassigned      YES unset  up                    up
Vlan10                 192.168.10.1    YES NVRAM  up                    up
Vlan20                 192.168.20.1    YES NVRAM  up                    up
Vlan40                 192.168.40.1    YES NVRAM  up                    up
rt01#
IP Route
rt01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0/0/0
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
S        10.0.0.0/8 is directly connected, Null0
S        10.***.***.129/32 [254/0] via 62.**.**.1, GigabitEthernet0/0/0
      62.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        62.**.**.0/24 is directly connected, GigabitEthernet0/0/0
L        62.**.**.**/32 is directly connected, GigabitEthernet0/0/0
S     172.16.0.0/12 is directly connected, Null0
S     192.168.0.0/16 is directly connected, Null0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, Vlan10
L        192.168.10.1/32 is directly connected, Vlan10
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, Vlan20
L        192.168.20.1/32 is directly connected, Vlan20
      192.168.40.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.40.0/24 is directly connected, Vlan40
L        192.168.40.1/32 is directly connected, Vlan40
rt01#
08-18-2018 06:13 AM
Hello,
Try and add dhcp to the static route:
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
08-18-2018 09:04 AM
Unfortunately that did not solve the problem.
I probably misconfigured something with NAT.
interface GigabitEthernet0/0/0
 description WAN
 ip address dhcp
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/1/0
 description LAN
 switchport mode trunk
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
!
ip access-list standard NAT
 permit 192.168.10.0 0.0.0.255
!
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
08-18-2018 09:17 AM
Hello,
Delete the null route to 192.168.0.0, also make sure that all networks you need to be NATted are included in the NAT access list...
08-18-2018 10:05 AM
Here is the full working config (important parts marked in bold):
Current configuration : 6990 bytes
!
! Last configuration change at 14:06:47 UTC Sat Aug 18 2018 by paul
! NVRAM config last updated at 12:21:53 UTC Sat Aug 18 2018 by paul
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname rt01
!
boot-start-marker
boot-end-marker
!
no aaa new-model
clock timezone UTC 2 0
!
ip name-server 91.239.100.100 84.200.70.40
ip domain name home.*************.ch
ip dhcp excluded-address 192.168.10.0 192.168.10.101
!
ip dhcp pool Computers
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
subscriber templating
!
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description WAN
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
negotiation auto
shutdown
!
interface GigabitEthernet0/1/0
description LAN
switchport mode trunk
!
interface GigabitEthernet0/1/1
shutdown
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0/1/4
shutdown
!
interface GigabitEthernet0/1/5
shutdown
!
interface GigabitEthernet0/1/6
shutdown
!
interface GigabitEthernet0/1/7
switchport access vlan 10
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip nat inside
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 4456
ip dns server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
--> no ip route 192.168.0.0 255.255.0.0 Null0
ip ssh time-out 60
ip ssh authentication-retries 5
!
ip access-list standard NAT
permit 192.168.10.0 0.0.0.255
permit 192.168.20.0 0.0.0.255
permit 192.168.40.0 0.0.0.255
!
access-list 101 remark -[Restrict VTY access]-
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
!
control-plane
!
line con 0
exec-timeout 30 0
logging synchronous
transport input none
stopbits 1
line vty 0 4
access-class 101 in
logging synchronous
login local
length 0
transport input ssh
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
end
08-18-2018 10:28 AM
Thanks!!! :)
Earlier I did try to put NAT inside on the interfaces but that didn't work; how silly, they need to be configured on the VLAN interfaces of course.
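As an added example (not from the thread, Cisco, or any poster), a small Python audit that reads a running-config and reports the things the accepted answer changed: an inside SVI without `ip nat inside`, an inside subnet missing from the NAT ACL, a Null0 route covering an inside subnet, and a default route on the DHCP WAN interface without the `dhcp` keyword. It assumes IOS running-config layout (sub-commands indented by one space) and reads only the `permit A.B.C.D wildcard` form of standard ACL entries.

```python
import ipaddress
import re

def parse_interfaces(config):
    """Map each 'interface X' stanza of a running-config to its indented sub-commands."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?:^ .*\n?)*)", config, re.M)}

def parse_standard_acl(config, name):
    """Networks permitted by a named standard ACL; only the 'permit A.B.C.D wildcard' form is read."""
    block = re.search(rf"^ip access-list standard {re.escape(name)}\n((?:^ .*\n?)*)", config, re.M)
    return [ipaddress.ip_network(f"{addr}/{32 - bin(int(ipaddress.IPv4Address(wild))).count('1')}")
            for addr, wild in re.findall(r"^ permit (\S+) (\S+)$", block.group(1) if block else "", re.M)]

def audit_nat(config):
    """Return findings for the NAT and routing faults the accepted answer corrected."""
    findings, ifaces = [], parse_interfaces(config)
    m = re.search(r"^ip nat inside source list (\S+) interface (\S+) overload$", config, re.M)
    if not m:
        return ["no 'ip nat inside source list ... interface ... overload' statement"]
    acl_name, outside_if = m.groups()
    acl = parse_standard_acl(config, acl_name)
    if "ip nat outside" not in ifaces.get(outside_if, []):
        findings.append(f"{outside_if}: lacks 'ip nat outside'")
    # Null0 routes in the config, e.g. the 192.168.0.0/16 blackhole the thread removed.
    null0 = [ipaddress.ip_network(f"{a}/{b}") for a, b in re.findall(r"^ip route (\S+) (\S+) Null0$", config, re.M)]
    for name, lines in ifaces.items():
        for line in lines:
            mi = re.match(r"ip address (\S+) (\S+)$", line)  # static address; 'ip address dhcp' is skipped
            if not mi or "ip nat outside" in lines:
                continue
            net = ipaddress.ip_network(f"{mi.group(1)}/{mi.group(2)}", strict=False)
            if "ip nat inside" not in lines:
                findings.append(f"{name}: {net} has no 'ip nat inside' (it belongs on the SVI, not the L2 port)")
            if not any(net.subnet_of(a) for a in acl):
                findings.append(f"{name}: {net} is not permitted by NAT ACL {acl_name}")
            if any(net.subnet_of(n) for n in null0):
                findings.append(f"{name}: {net} is covered by a Null0 route")
    if re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z]\S*$", config, re.M):
        findings.append("default route names only the DHCP interface; the thread appended the 'dhcp' keyword")
    return findings
```

Run `audit_nat()` over the `show run` text from the first post and it reports the missing `ip nat inside` on Vlan10/20/40, the two subnets absent from ACL NAT, the Null0 route and the bare default route; over the final config it returns an empty list.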
08-18-2018 10:31 AM
Glad that you got it to work in the end..:)
08-18-2018 11:09 AM - edited 08-18-2018 11:09 AM
Hello
Just like to add, I would also suggest removing the local DNS server and addressing and having the router import these settings from the ISP into your own DHCP for your clients. This will save unnecessary resources being used by your router.
no ip dns server
no ip name-server 91.239.100.100 84.200.70.40
ip dhcp pool Computers
 no dns-server 192.168.10.1
 import all
08-18-2018 11:58 AM
Thank you for the suggestion.
Reason why I did this is security.
I used a Sophos UTM before, which acted as a DNS proxy, so no clients within the network could ever make DNS requests over port 53 directly but had to use the UTM instead.
If this is not a good security practice for the Cisco ISR, then I will change the DNS setting instead.
08-18-2018 01:42 PM
Hello
The UTM, I guess, would have performed some sort of filtering on DNS requests, but this router is acting just as a forwarder, so no additional security is being utilized here.
Personally I would only use the rtr as a router and have additional features such as DNS/DHCP, firewall/IDS/IPS etc. on devices that are designed to service them. However, I do understand it isn't always financially applicable to do this.
06-17-2020 12:04 AM - edited 06-17-2020 12:05 AM
Hello!
I have a problem similar to the author of the topic, but I'm rather unenlightened in Cisco matters (this is my first Cisco), and I don't know how to correctly upload the config from the post to my router. Could you help me with some sort of uploading instructions?
06-17-2020 02:17 AM
Hello,
not sure what you can access and see on your router, but if you can issue the command 'show run', just cut and paste the entire output and post it here...