09-04-2009 02:39 PM - edited 03-06-2019 07:36 AM
I have a new 1811 and have configured for internet access using SDM. I can't access the internet from any of my internal ports. From my WAN port I can ping my gateway but not the internet. From my internal ports, I can ping the WAN on the router, but not the next hop gateway (my ISP router).
I just need it to work as a router, no firewall options, as it sits behind the ISP router.
I have 4 VLANs as well as the native.
It may seem obvious, I am not great on Cisco, I followed the tech notes and SDM to the letter, the damn thing just won't work (I have spent all day on it).
There may be some obvious things I didn't do, there you go, Cisco is so user friendly, I must have missed it...:>)
If anyone has any "oh, you just need to add this line and it will work" moments, then please let me know...
If anyone is prepared to have a look at my config, please let me know, I will upload it tomorrow (CET).
Thanks,
NM
09-05-2009 09:25 AM
Hello Neil,
You're welcome. Please post the configuration here, as it is the starting point to have a look what the SDM has (or hasn't) done.
Best regards,
Peter
09-05-2009 12:29 PM
09-05-2009 01:13 PM
Hello Neil,
I am having a look at your configuration.
Your switch ports do not seem to be assigned into VLANs - or more properly, the switchports are placed into VLAN1 except the switchport Fa5 which is configured as a trunk port. Is this how you want to have your ports assigned to VLANs? Also, do you need the Fa5 to be a trunk port?
The access-list 105 placed on the Fa0 interface does not permit receiving DHCP messages. It seems to me that if you connect to your ISP via Fa0, the router is not even able to get an IP address. Correctly, the access-list 105 should contain the following line anywhere before its last line:
access-list 105 permit udp any eq 67 any eq 68
I suppose you are going to correct the ACL using the SDM so take care to exactly copy the source and destination port (source is 67, destination is 68). The source and destination IP address must be "any" and the protocol is UDP. The action must be PERMIT. Once again, this entry must be placed before the last line, preferably under the "permit" lines with the ICMP protocol.
On your Fa1 port, you also have a DHCP client configured. Is that necessary? Are you using that port to connect to outside world? If not I suggest removing the "ip address dhcp client-id FastEthernet1" from the interface. Note that even if you do use it for outside connectivity, the NAT configuration still references the Fa0 interface so it would need to be modified as well.
Apart from this, your configuration seems to be OK. I suggest sticking with the VLAN1 for now and trying to get it running. Most certainly, the ACL 105 must be corrected as suggested earlier.
Please give it a try and let us know if it worked. If it did not help please post your actual configuration again.
Thanks!
Best regards,
Peter
09-13-2009 04:20 AM
Hi, Peter.
Apologies for the late reply, I had to take a trip away for a week.
I have cleaned up the access lists, the entry you specify on 105 shows:
access-list 105 permit udp any eq bootps any eq bootpc
This is the line you asked me to add, but was already there I think.
I have attached the latest show run, and a jpeg of the network setup. This router will sit behind an ISP router, so for now we don't need any firewalling, we just need it to route the VLANs to the internet.
In this config, FA0 is picking up an IP address, however anything on the LAN can ping the WAN IP Address but goes no further.
Please have a look at the new show run and please advise.
In this updated config, FA9 is the trunk port, used to connect to the LAN.
Many thanks,
Neil
09-13-2009 05:26 AM
Hello Neil,
Thanks for adding the line to the ACL 105. I believe it was not there, at least according to your earlier configuration you have posted here. Nevertheless, it is there now as it should be.
Neil, currently you are using the ACL 2 to select the inside networks eligible for NAT. That ACL does not contain the network 192.168.1.0/24. Is that intentional?
As your configuration looks basically OK, I believe that there is only some glitch in the existing ACLs and firewalls. I suggest removing all the ACLs from your interfaces. You may do it in SDM but personally I suggest doing it by hand. You may paste the following commands into your router, they will do it:
configure terminal
interface fa0
no ip access-group 105 in
no ip inspect SDM_LOW out
int vlan1
no ip access-group 100 in
int vlan20
no ip access-group 101 in
int vlan 30
no ip access-group 102 in
int vlan40
no ip access-group 103 in
int vlan50
no ip access-group 104 in
end
Then give it a try. What I am suspecting is that the outside network is the 192.168.0.0/16. As you can see in ACL 105, it drops packets from such sources, as an outside interface does not expect to receive privately-addressed packets (what is "outside" is largely based upon what the administrator says, while the SDM has its own ideas here). That might be the cause why the outside network does not appear to respond.
In any case, when you do the experiment and it still does not work, please again enclose your current running configuration and also the output of these commands:
show ip route
show ip nat translation
Best regards,
Peter
09-13-2009 11:15 AM
Hi Peter.
All done, I also removed the deny entries for the non routable addresses.
From the router FA0 (WAN) I can ping the gateway and the internet. From the LAN I can ping the WAN, but not the ISP gateway, not anything beyond.
Please find attached Show run and show ip details. My test environment is currently using 192.168.100.x on the WAN, just to not confuse with 192.168.0.x, which will be the live dhcp on site.
Many thanks for the help, it's greatly appreciated.
Neil
09-13-2009 11:26 AM
Hi Neil,
Your routing table currently contains only the network 192.168.1.0/24 on the Vlan1 - presumably the inside network - and the 192.168.100.0/24 on the Fa0 which is probably the outside network. Have you been doing the tests from the PC in the VLAN1?
Also, please note again that you are currently using the ACL 2 to determine the local addresses eligible for NAT translation, however, that ACL is missing the line:
access-list 2 permit 192.168.1.0 0.0.0.255
You need to add that line into the ACL 2, otherwise, the network 192.168.1.0/24 will not be subject to NAT translation.
Best regards,
Peter
09-13-2009 11:36 AM
Hi Peter.
All done, I also removed the deny entries for the non routable addresses.
From the router FA0 (WAN) I can ping the gateway and the internet. From the LAN I can ping the WAN, but not the ISP gateway, not anything beyond.
Please find attached Show run and show ip details. My test environment is currently using 192.168.100.x on the WAN, just to not confuse with 192.168.0.x, which will be the live dhcp on site.
Many thanks for the help, it's greatly appreciated.
Neil
09-13-2009 11:42 AM
09-13-2009 12:11 PM
Neil,
You seem to have reposted the same configuration and experiment without correcting the ACL 2 as I suggested in my previous post. Can you please have a look at it?
Best regards,
Peter
09-13-2009 03:26 PM
09-13-2009 03:31 PM
Hi Neil,
I stand by my observation. This is what I see in your "show run" output:
ip nat inside source list 2 interface FastEthernet0 overload
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
The network 192.168.1.0/24 is missing from the ACL 2 and you are using the ACL 2 for NAT in the indicated "ip nat inside source" command. If your routing table hasn't changed from the last time, it will still contain only the network 192.168.1.0/24 so I assume that if you are doing any tests from a PC behind your router, it absolutely must be a member of the 192.168.1.0/24 network. So in order to test it properly, it must be present in the ACL 2.
Best regards,
Peter
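To make the point in Peter's post concrete, here is an added example (not part of the original thread, and not Cisco's own code) that evaluates a standard IOS access list with the same first-match and implicit-deny semantics the router applies when it consults `ip nat inside source list 2`. The ACL text is a constructed copy of the ACL 2 lines quoted above, once as posted and once with the missing 192.168.1.0 line appended.

```python
import ipaddress

# Constructed copy of ACL 2 exactly as quoted in the "show run" output above.
ACL2_BEFORE = """
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
"""
# The same ACL after adding the line Peter suggested.
ACL2_AFTER = ACL2_BEFORE + "access-list 2 permit 192.168.1.0 0.0.0.255\n"


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text, number):
    """Return [(action, address, wildcard)] for the numbered standard ACL.
    'remark' lines are skipped; 'any', 'host X' and a bare address (no
    wildcard, i.e. an exact host match) are handled as IOS does."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list" or p[1] != str(number) or p[2] == "remark":
            continue
        if p[3] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif p[3] == "host":
            addr, wild = _to_int(p[4]), 0
        else:
            addr = _to_int(p[3])
            wild = _to_int(p[4]) if len(p) > 4 else 0
        entries.append((p[2], addr, wild))
    return entries


def nat_eligible(entries, src_ip):
    """First matching entry wins; a set wildcard bit means 'don't care'.
    Every IOS ACL ends with an implicit 'deny any', hence the final False."""
    ip = _to_int(src_ip)
    for action, addr, wild in entries:
        if (ip | wild) == (addr | wild):
            return action == "permit"
    return False


def check_hosts(acl_text, hosts):
    """Map each inside host to whether ACL 2 would select it for NAT."""
    entries = parse_standard_acl(acl_text, 2)
    return {h: nat_eligible(entries, h) for h in hosts}
```

Running `check_hosts(ACL2_BEFORE, ["192.168.1.10"])` returns False, so a PC in VLAN1 is never translated and its packets leave Fa0 with a private source address that the ISP router will not answer; with `ACL2_AFTER` the same host is selected.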
09-13-2009 04:51 PM
Thanks, Peter.
I will add:
access-list 2 permit 192.168.1.0 0.0.0.255
and see how it goes.
I'll post back with info.
Neil
09-15-2009 06:41 AM
Hi, Peter.
There are 2 NAT access lists, 1 and 2. Neither had 192.168.1.0 on it; now they both do (as shown below). The latest show run is attached, I can't test this until tonight when I get the router home as the IP conflicts with my office network.
BTW, can you foresee any DNS problems with this?
Neil
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255