Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2421
Views
0
Helpful
8
Replies

little problem with C887

Go to solution
Abdelilah Benrida
Level 1
Level 1

‎06-17-2015 04:30 AM - edited ‎03-05-2019 01:41 AM

Hi 

 

i work in a company and i have to change a modem router f@st 3304 by cisco c887w

 

i put this configuration in the cisco router and i can navigate to internet when im directly connected to the C887w

 

but when i put it with the firwall fortigate i can't navigate from the inside

 

----dialer0-C887W-(192.168.1.1)-------192.168.1.50 PC    ITWORKS

 

---dialer0-C887W--(192.168.1.1)-----192.168.1.50-Fortigate-10.10.10.2-----10.10.10.4-TMG-172.16.0.1------172.16.1.2-PC Doesn't work

 

here is my config

 

Routeur#sh run
Building configuration...
 
Current configuration : 6114 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Routeur
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3037307739
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3037307739
 revocation-check none
 rsakeypair TP-self-signed-3037307739
!
!
crypto pki certificate chain TP-self-signed-3037307739
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303337 33303737 3339301E 170D3135 30363135 31333133
  31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30333733
  30373733 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B732 BA8A3E18 2657828F 0F539EA2 2F721FF4 5C679938 9F0744C0 2EDB2249
  F85CE3B4 59854650 CB42DC26 C6B072AC 664AA0C2 A63197C0 082F3226 DF51DE2D
  6B5BD55F EF7395D8 B616F0CF 937E2FB7 FF00084C C96A4909 96EA682A 5E0B148E
  C495ED4F 68E2F512 518402C7 8E486962 DA50B748 6F58D070 07B99EDE 47FCD6FB
  618B0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14D42CC5 E792ED0C 1DDA2203 EFF7BFA7 EA8804B7 CE301D06
  03551D0E 04160414 D42CC5E7 92ED0C1D DA2203EF F7BFA7EA 8804B7CE 300D0609
  2A864886 F70D0101 05050003 81810092 E9DF07B6 700FD965 1ECA6B67 9255FAFB
  01FC6F2C 9E65107B C61348BF 424FEE6A 7CA0793D 8A642456 4858DD43 1EE07E89
  C8605A98 4A3378B3 F4268B88 85A66653 BA61450D C354C70E 632C23F8 E3C83E39
  75B21C0E 62F358F1 32428B64 B18C7B83 27076FF2 A8024CD1 6A7B94C3 D1751417
  4132BAB3 3EE8AED2 86B4950A 2A804E
        quit
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool Wifi
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 lease 50
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
license udi pid C887VA-W-E-K9 sn FCZ191491CB
!
!
username admin privilege 15 secret 5 $1$clan$Kgjq7Y5v6m4.e0Jm.vEXx1
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 no ip address
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface Dialer0
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp chap hostname XXXXXXXX
 ppp chap password 0 XXXXXXX
 ppp pap sent-username XXXXX password 0 XXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any any packet-too-big
access-list 102 deny   icmp any any
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
 
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Abdelilah Benrida

‎06-19-2015 11:57 AM

Hi,

If Fortigate is natting and there is a permit policy then everything should be working.

You should be able to ping 8.8.8.8 from a PC in the inside interface of the Fortigate.

If you can do this but can't ping www.google.com then indeed you have a DNS problem.

Is the Fortigate the DHCP server for inside machines ? If so what are the dns servers they are getting from dhcp ?

 

Regards,

 

Alain

Don't forget to rate helpful posts.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
cadet alain
VIP Alumni
VIP Alumni

‎06-18-2015 01:28 PM

Hi,

Are you natting on the Fortigate ? if not then the traffic from inside interface of fortigate won't be natted on the Cisco router and won't get routed on the Internet.

You could edit your ACL 101 to permit this ip subnet too.

You'll also have to put a static route towards this subnet on the Cisco router pointing towards the Fortigate.

Also on the Fortigate you have to create a policy for permitting traffic from inside to outside.

 

Regards,

 

Alain

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Abdelilah Benrida
Level 1
Level 1
In response to cadet alain

‎06-19-2015 03:29 AM

Yes  the fortigate is Natting outgoing trafic

 

In this case shall i add the static route ? or not ?

 

Yes in th fortigate there is a policy which allow trafic to go from the inside to outside actually theere is a Sagem modem router which is working fine with the fortigate and i want to replace this sagem router by the cisco c887

Can you explain please how i must configure the policy?

 

Best regards and thanks again.

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Abdelilah Benrida

‎06-19-2015 11:57 AM

Hi,

If Fortigate is natting and there is a permit policy then everything should be working.

You should be able to ping 8.8.8.8 from a PC in the inside interface of the Fortigate.

If you can do this but can't ping www.google.com then indeed you have a DNS problem.

Is the Fortigate the DHCP server for inside machines ? If so what are the dns servers they are getting from dhcp ?

 

Regards,

 

Alain

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Abdelilah Benrida
Level 1
Level 1
In response to cadet alain

‎06-19-2015 04:00 PM

Hi Alain

C887----Fortigate----TMG----PC

 

before the fortigate there is a TMG proxy which is the gatway and this TMG is natting also the trafic.

the machines take IP from windows DHCP server behind the TMG and there is a windows DNS server behind the TMG

I will test the ping  and navigation to give you the results about DNS.

 

thank you Alain

0 Helpful

Go to solution
Abdelilah Benrida
Level 1
Level 1
In response to cadet alain

‎06-22-2015 02:46 PM

Hi 

 

I'm finaly connected to the internet from the inside but still have slow connection any suggestions ?

0 Helpful

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to Abdelilah Benrida

‎06-24-2015 11:22 AM

Hi,

Are you doing webfiltering or application control on the Fortigate ?

What happens if you take out the Proxy out of the equation ?

 

Regards,

 

Alain

Don't forget to rate helpful posts.
0 Helpful

Go to solution
Abdelilah Benrida
Level 1
Level 1
In response to cadet alain

‎06-19-2015 05:13 AM

i think i have a DNS problem when i connect the cisco router with the fortigate

0 Helpful

Go to solution
Abdelilah Benrida
Level 1
Level 1

‎06-19-2015 02:58 AM

Yes  the fortigate is Natting outgoing trafic

 

In this case shall i add the static route ? or not ?

 

Yes in th fortigate there is a policy which allow trafic to go from the inside to outside actually theere is a Sagem modem router which is working fine with the fortigate and i want to replace this sagem router by the cisco c887

Can you explain please how i must configure the policy?

 

Best regards and thanks again.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card