03-13-2012 05:50 AM - edited 03-04-2019 03:38 PM
I currently replaced my Cisco 831 with a Cisco 2901 running 15.1(4)M1. On the LAN side, I can ping Google and Yahoo as well as others, but I can't HTTP or FTP to them using IE. Is there something that I'm doing wrong? The config is the same as it was on the Cisco 831 and it worked fine.
!
! Last configuration change at 15:06:04 PCTime Mon Feb 20 2012
! NVRAM config last updated at 15:06:08 PCTime Mon Feb 20 2012
! NVRAM config last updated at 15:06:08 PCTime Mon Feb 20 2012
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$O3zs$8FK2nk1UL6qWNHigdl5GX.
!
aaa new-model
!
!
aaa authentication login vpnclientauth local
aaa authorization network vpngroupauth local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -5 0
clock summer-time EDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.189
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
ip flow-cache timeout active 5
no ip bootp server
ip name-server 24.92.226.11
ip name-server 24.92.226.12
!
!
!
interface GigabitEthernet0/0
description Elimra Outside GigabitEthernet0/0
ip address dhcp client-id GigabitEthernet0/0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description Elimra Inside GigabitEthernet0/1 Default Gateway
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
logging trap debugging
logging source-interface GigabitEthernet0/1
!
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 permit udp host 64.90.182.55 eq ntp any eq ntp
access-list 103 permit udp host 206.246.122.250 eq ntp any eq ntp
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
scheduler max-task-time 5000
no scheduler allocate
ntp update-calendar
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
ntp server 206.246.122.250 prefer source GigabitEthernet0/0
end
When I run "debug ip nat detailed", I see the following below. The client is 192.168.2.151. It is using a static IP and static default gateway (which is the Cisco 2901 router) and static DNS (which is the Cisco 2901 router). The router is acting as the DNS server for the clients.
001080: Mar 12 21:34:36.089 EDT: NAT: map match SDM_RMAP_1
001081: Mar 12 21:34:36.089 EDT: mapping pointer available mapping:0
001082: Mar 12 21:34:36.089 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
001083: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001084: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001085: Mar 12 21:34:36.089 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=204.160.125.126 [20305]
001086: Mar 12 21:34:36.117 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
001087: Mar 12 21:34:36.341 EDT: NAT: map match SDM_RMAP_1
001088: Mar 12 21:34:36.341 EDT: mapping pointer available mapping:0
001089: Mar 12 21:34:36.341 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
001090: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001091: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001092: Mar 12 21:34:36.341 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=98.139.127.62 [20308]
001093: Mar 12 21:34:37.333 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51585 (51585)
001094: Mar 12 21:34:37.333 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001095: Mar 12 21:34:37.453 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
001096: Mar 12 21:34:38.357 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51586 (51586)
001097: Mar 12 21:34:38.357 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001098: Mar 12 21:34:38.869 EDT: NAT: expiring 208.105.101.191 (192.168.2.191) tcp 743 (743)
001099: Mar 12 21:34:38.869 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001100: Mar 12 21:34:38.869 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 217.156.169.160(80) -> 208.105.101.191(51578), 1 packet
What is "NAT-SymDB: DB is either not enabled or not initiated." and why is NAT: expiring?
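An added example (not from the original post) that reads the debug excerpt above and checks whether each packet dropped by access-list 103 is the return leg of a NAT'd outbound session, which is what a stateful inspect rule on the outside interface would have permitted; it assumes only the log formats seen in the excerpt.

```python
import re

# Debug excerpt copied from the thread's "debug ip nat detailed" output
# (the script itself is an added example, not part of the original post).
LOG = """\
001082: Mar 12 21:34:36.089 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
001083: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001086: Mar 12 21:34:36.117 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
001089: Mar 12 21:34:36.341 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
001090: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001095: Mar 12 21:34:37.453 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
"""

ALLOC = re.compile(r"Allocated Port for (\S+) -> (\S+): wanted (\d+) got (\d+)")
INSIDE = re.compile(r"NAT\*?: i: (\w+) \((\S+), (\d+)\) -> \((\S+), (\d+)\)")
DENY = re.compile(r"list (\d+) denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")


def correlate(log_text):
    """Return one record per ACL deny: the denied flow plus the NAT'd outbound
    session it is the reply to, or None when no translation was seen."""
    translations = {}  # (inside_local, local_port) -> (inside_global, global_port)
    sessions = {}      # (inside_global, global_port) -> (inside_local, local_port, dst, dport)
    results = []
    for line in log_text.splitlines():
        if m := ALLOC.search(line):
            local, glob, want, got = m.groups()
            translations[(local, int(want))] = (glob, int(got))
        elif m := INSIDE.search(line):
            proto, local, sport, dst, dport = m.groups()
            glob = translations.get((local, int(sport)))
            if glob:
                sessions[glob] = (local, int(sport), dst, int(dport))
        elif m := DENY.search(line):
            acl, proto, src, sport, dst, dport = m.groups()
            sess = sessions.get((dst, int(dport)))
            # The deny is the return leg if its source is the session's destination
            # and its destination is the session's translated address and port.
            is_return = sess is not None and (src, int(sport)) == (sess[2], sess[3])
            results.append({
                "acl": acl, "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
                "return_of": f"{sess[0]}:{sess[1]} -> {sess[2]}:{sess[3]}" if is_return else None,
            })
    return results


if __name__ == "__main__":
    for r in correlate(LOG):
        verdict = f"reply to {r['return_of']}" if r["return_of"] else "no translation in excerpt"
        print(f"ACL {r['acl']} dropped {r['src']} -> {r['dst']}: {verdict}")
```

The first deny is matched to the outbound HTTP session from 192.168.2.151:51603, so the SYN-ACK is being blocked by the static inbound ACL; the second deny has no translation in this short excerpt, so the script reports it as unmatched rather than guessing.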
03-13-2012 06:46 AM
Please add a default-route as shown below...
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
Please remove your overload command and config as shown below.
ip nat inside source list 101 interface GigabitEthernet0/0 overload
Let me know if this helps.
Thanks
03-13-2012 07:29 AM
Same results. Problem still exists.
03-13-2012 07:36 AM
Copy this on your router.
ip inspect name FW tcp
ip inspect name FW udp
interface GigabitEthernet0/0
ip inspect FW in
Please let me know whether it helps.
Thanks
03-13-2012 07:43 AM
Same result. Problem still exists.
03-13-2012 07:45 AM
Can you please add out as well?
interface GigabitEthernet0/0
ip inspect FW out
03-13-2012 07:48 AM
Fixed it. I had to add the following:
interface GigabitEthernet0/0
ip inspect FW out
Thank you so much!!
03-13-2012 07:51 AM
I am glad it worked out for you.
Please rate helpful post.
Thanks
Rizwan Rafeek