03-13-2012 08:19 PM - edited 03-07-2019 05:32 AM
I am having an issue accessing the internet from a PC on the LAN. I have configured the PC with the gateway of the router in front of the ISP to test. I can ping from the router to Google or any other internet IP. From the PC I can ping the GIG0/1 (Inside LAN IP) and the GIG0/0 (Outside WAN IP going to ISP), but I can't ping the Next Hop IP of the ISP or anything past that. If I do a traceroute from the PC to the Google IP address, it hits the GIG0/1 Inside LAN IP address but fails from there. Here is a cut-down snapshot of the router config; any help would be appreciated. Thank you.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router-1941
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable password 7 erty65512312343532q
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time cdt recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name ourdomain.local
ip name-server 10.10.11.15
ip name-server 10.10.11.50
!
multilink bundle-name authenticated
!
!
!
crypto stuff bluh bluh bluh
!
!
username user1 privilege 15 secret 5 erhzxcghkjtyrsztreweryhre
username user2 secret 5 wertdjusyae54567uyytrtaretsydd
!
redundancy
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Outside WAN
ip address 68.68.68.68 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Inide LAN
ip address 10.10.35.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication aaa
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 <ISP Next hop>
ip route 10.0.0.0 255.255.0.0 10.10.35.1(Gateway Router)
!
access-list 1 permit 10.10.35.0 0.0.0.255
!
!
!
!
!
snmp-server community strategic RW
snmp-server enable traps tty
tacacs-server host 10.10.11.41
tacacs-server key 7 123435465789123456
!
!
!
control-plane
!
!
!
line con 0
03-13-2012 09:07 PM
William
When someone describes a problem where a PC on the LAN can ping the router interfaces but not the ISP my first guess at the problem is a failure to configure address translation. But the ip nat inside and ip nat outside look ok. And the ip nat source list seems to be correct. The default route seems ok, and you say that the router can access outside addresses so that seems to confirm that routing is ok. So right now I am a bit puzzled at what the problem might be. If you try to ping outside to google or whatever using an extended ping and specifying the address of gig0/1 does it still work ok?
HTH
Rick
03-13-2012 09:33 PM
I did the ping using the gig0/1 IP address to the Google IP address 74.125.225.78; it does time out. If I do a traceroute from that interface IP address, it fails as well.
03-14-2012 10:23 AM
Hi William,
You could configure "debug ip packet" and "debug ip nat" on the router and try the ping from your PC. Record the output displayed on the router console and post it. Remember to use "terminal monitor" if you are telnetted to the router.
03-14-2012 01:05 PM
Hi William,
Please do this, on the config mode.
no access-list 1 permit 10.10.35.0 0.0.0.255
ip access-list extended PAT_ACL
permit ip 10.10.35.0 0.0.0.255 any
ip nat inside source list PAT_ACL interface GigabitEthernet0/0 overload
Please let me know, if this helps.
thanks
03-14-2012 01:15 PM
Someone posted to this with what corrected the issue but it is gone off the discussion. What was suggested was to remove the "ip nat source list 1 interface GigabitEthernet0/0 overload" and add "ip nat inside source list 1 interface GigabitEthernet0/0 overload" and that fixed the issue. Not sure what happened to his posting though. Thank you everyone that has been replying, it has been very helpful.
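Added example, not part of any post in this thread: on IOS, `ip nat source list ...` is the NAT Virtual Interface (NVI) rule form, which pairs with `ip nat enable` on interfaces, while interfaces marked `ip nat inside` / `ip nat outside` need the `ip nat inside source list ...` form. The Python check below flags that mismatch, plus rules that reference an undefined access list; the function name and the sample strings are constructed for illustration from the configuration lines quoted above.

```python
import re

# Constructed sample: NAT-relevant lines of the configuration posted in the thread.
BROKEN = """\
interface GigabitEthernet0/0
ip nat outside
interface GigabitEthernet0/1
ip nat inside
ip nat source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 10.10.35.0 0.0.0.255
"""
# The same lines with the rule rewritten as reported fixed in the thread.
FIXED = BROKEN.replace("ip nat source list", "ip nat inside source list")

def nat_findings(config):
    """Return NAT consistency problems found in IOS configuration text."""
    roles, rules, acls = set(), [], set()
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"ip nat (inside|outside|enable)", line):
            roles.add(m.group(1))  # interface-level NAT role
        elif m := re.match(r"ip nat (?:(inside|outside) )?source list (\S+)", line):
            # No inside/outside keyword means the rule is written in NVI form.
            rules.append((m.group(1) or "nvi", m.group(2), line))
        elif m := re.match(r"(?:ip )?access-list (?:(?:standard|extended) )?(\S+)", line):
            acls.add(m.group(1))  # numbered or named ACL definition
    findings = []
    for style, acl, line in rules:
        if style == "nvi" and "enable" not in roles:
            findings.append(f"'{line}': NVI rule, but no interface has 'ip nat enable'")
        if style != "nvi" and style not in roles:
            findings.append(f"'{line}': no interface is marked 'ip nat {style}'")
        if acl not in acls:
            findings.append(f"'{line}': access list {acl} is not defined")
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted config", BROKEN), ("after the fix", FIXED)):
        print(name, "->", nat_findings(cfg) or "no NAT findings")
```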
03-14-2012 03:54 PM
Hi,
That was me who had posted the solution, but it seems there was a bug on the site as it has completely vanished.
Regards.
Alain