07-31-2014 11:33 AM - edited 03-04-2019 11:27 PM
Hi,
We are using cisco 881 router and managed to configure internet connection for router and a switchport with vlan (plus DHCP) but we can't find a way to have internet on the vlan.
Ping from router to internet is OK
Ping from computer 1 to computer 2 in vlan is OK
Ping from router to vlan is not ok...
Our configuration is attached.
Thanks for help
07-31-2014 11:48 AM
Hi,
It's surely a NAT problem but you omitted to attach the config.
do these commands and post them here:
show ip nat stat
show run | i nat|access-list
Regards
Alain
07-31-2014 12:00 PM
show ip nat stat
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 22, occurred 06:43:08 ago
Outside interfaces:
FastEthernet4
Inside interfaces:
Vlan1
Hits: 355 Misses: 0
CEF Translated packets: 257, CEF Punted packets: 57
Expired translations: 56
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 2 interface FastEthernet4 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
--------------------------------------------------------------------------------------------------------------
show run | i nat |access-list
ip nat outside
ip nat inside
ip nat inside source list 2 interface FastEthernet4 overload
ip access-list extended AAAccess
access-list 1 permit any
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 permit tcp any any
07-31-2014 12:00 PM
Hi,
access-list 2 permit 192.168.1.0 0.0.0.255
Regards
Alain
07-31-2014 12:07 PM
Tried this but it doesn't work.
I'm trying for test:
ping google.pl source 192.168.1.1
The strange thing is that if I ping, for example, google, amazon etc. from a DHCP (VLAN) computer, I see its IP address but no packets come back.
07-31-2014 12:20 PM
Hi,
you should ping an external IP like 8.8.8.8 to test.
if the test on the router is working then try the same from a PC and if it is ok then do the test on the PC by pinging the name and if it fails then it is a DNS problem.
Regards
Alain
07-31-2014 12:25 PM
Yeah, sure I know. I've tested earlier 8.8.8.8 and it's not ok, and after that tested google.pl and had this small observation that ip address is correctly translated when using a domain name.
07-31-2014 12:29 PM
post sh ip nat tr after pinging 8.8.8.8 to see if NAT is working.
Also remove any ACL from the interfaces, I can't see your config anymore so could you post it in the reply body please.
Regards,
Alain
07-31-2014 12:37 PM
Tried to attach it several times but always an error. Config below
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 AAA
enable password BBB
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool AA
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.1
default-router 192.168.1.1
!
!
ip host ServerGP 223.12.197.123
ip name-server 223.12.192.22
ip name-server 211.121.88.88
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn 11111
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Loopback1
no ip address
!
interface FastEthernet0
switchport mode trunk
no ip address
!
interface FastEthernet1
switchport mode trunk
no ip address
!
interface FastEthernet2
switchport mode trunk
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface FastEthernet4
ip address 223.12.197.126 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group AAAccess in
ip access-group AAAccess out
ip nat inside
ip virtual-reassembly in
!
ip default-gateway 223.12.197.121
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 223.12.197.121
!
ip access-list extended GPAccess
permit ip any any
!
!
snmp-server community public RO
access-list 1 permit any
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 permit tcp any any
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password aaa
login
transport input all
!
!
end
07-31-2014 12:52 PM
why didn't you post updated config with ACL 2 ?
Anyway, what does sh ip nat tr output when pinging 8.8.8.8 sourcing from vlan1?
if it is empty then do some debugs:
conf t
logging buff 7
do debug ip nat
do ping 8.8.8.8 so Vlan1
do sh log
Then post output
Alain
07-31-2014 11:17 PM
hi
Either change ip nat inside source list 1 interface FastEthernet4 overload
or create access-list 2 permit 192.168.1.0 0.0.0.255
and also change ip route 0.0.0.0 0.0.0.0 Fastethernet4. for safe side.
T.Khan
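An added example, not part of any post in this thread: a small Python check that lists ACLs a configuration references (in "ip nat inside source list" and "ip access-group") but never defines, run over the relevant lines of the config posted above. The function name missing_acls and the sample string are constructed for illustration.

```python
import re

# Constructed sample: the NAT/ACL-related lines from the config posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet4
ip nat outside
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip access-group AAAccess in
ip access-group AAAccess out
ip nat inside
ip nat inside source list 2 interface FastEthernet4 overload
ip access-list extended GPAccess
permit ip any any
access-list 1 permit any
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 100 permit tcp any any
"""

# Lines that define an ACL (numbered or named).
DEFINE = [
    re.compile(r"^access-list (\S+) (?:permit|deny|remark)\b"),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
]
# Lines that reference an ACL by number or name.
REFERENCE = [
    re.compile(r"^ip nat inside source list (\S+)"),
    re.compile(r"^ip access-group (\S+) (?:in|out)\b"),
]

def missing_acls(config):
    """Map each referenced-but-undefined ACL to the lines that reference it."""
    defined, refs = set(), {}
    # Indentation is ignored because pasted configs often lose it.
    for line in (raw.strip() for raw in config.splitlines()):
        for rx in DEFINE:
            m = rx.match(line)
            if m:
                defined.add(m.group(1))
        for rx in REFERENCE:
            m = rx.match(line)
            if m:
                refs.setdefault(m.group(1), []).append(line)
    return {name: lines for name, lines in refs.items() if name not in defined}

if __name__ == "__main__":
    for name, lines in missing_acls(SAMPLE_CONFIG).items():
        for line in lines:
            print(f"ACL {name!r} is not defined, referenced by: {line}")
```

On the sample it reports ACL 2 (used by the NAT overload rule) and AAAccess (applied to Vlan1 in both directions) as referenced but not defined.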