871 Problem - Cannot Ping Any Outside IP Addresses

stu.packett · ‎12-12-2005

I have an 871 that I would like the FE4 WAN port to get an IP address from the WAN DHCP server and the inside IP address to be 10.17.1.x/24. The goal is for remote users to bring the 871 with them and plug in an IP phone. Right now, when I plug the 871 in, I do get an outside IP address on the WAN port, but I cannot ping any outside IP addresses. Could you please see my config and tell me what I'm doing wrong? I think it may be a NAT problem. Thank in advance.

or871#sh run

Building configuration...

Current configuration : 3059 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname or871

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret xxxx

!

username cisco privilege 15 secret xxxx

no aaa new-model

ip subnet-zero

ip cef

ip dhcp excluded-address 10.17.1.1

!

ip dhcp pool or871-pool

import all

network 10.17.1.0 255.255.255.0

dns-server 10.54.0.6 10.54.0.7

domain-name or.local

option 150 ip 10.54.0.10

default-router 10.17.1.100

!

no ip domain lookup

ip domain name or.local

no ftp-server write-enable

!

interface FastEthernet0

no ip address

no cdp enable

!

interface FastEthernet1

no ip address

no cdp enable

!

interface FastEthernet2

no ip address

no cdp enable

!

interface FastEthernet3

no ip address

no cdp enable

!

interface FastEthernet4

description WAN Interface

ip address dhcp

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

!

interface Dot11Radio0

no ip address

shutdown

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

no cdp enable

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.17.1.100 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source list 1 interface FastEthernet4 overload

!

access-list 1 permit 10.17.1.0 0.0.0.255

no cdp run

!

control-plane

!

line con 0

logging synchronous

login local

no modem enable

transport preferred all

transport output all

line aux 0

transport preferred all

transport output all

line vty 0 4

privilege level 15

login local

transport preferred all

transport input telnet ssh

transport output all

!

scheduler max-task-time 5000

end

or871#

Georg Pauwen · ‎12-12-2005

Hello,

your configuration looks ok, I think the problem might be your default route, whcih points to FastEthernet4, can you replace that with a default route to the next hop address:

ip route 0.0.0.0 0.0.0.0 X.X.X.X

where X.X.X.X is the IP address of the next hop, and not FastEthernet4...

HTH,

GP

stu.packett · ‎12-12-2005

Is there a way to avoid using the IP address of the next hop? Thanks, that did work, but the goal is to have my remote users bring this router from client site to client site without them or me having to configure the router. We're so used to have a PIX 501, but we would like to take advantage of the QoS and wireless on the 871.

Georg Pauwen · ‎12-12-2005

Hello,

the problem is that when you define an Ethernet interface as next hop, the router sends an Address Resolution Protocol (ARP) request for your destination address, which the router realizes is not on this interface. The ARP entry for this address is "Incomplete," as seen by the show arp command. An encapsulation failure then occurs as the router is unable to put the packet on the wire with no ARP entry.

So, you need the next hop IP address for this to work...

HTH,

GP

Richard Burts · ‎12-15-2005

I agree with Georg that from a reliability standpoint the static route with next hop address is the best solution. A static route which specifies the Ethernet interface instead of a next hop address will work IF the next hop layer 3 device supports proxy ARP. But not all routers are set to support proxy ARP. So the static route with interface specified may work or may not and the static route with next hop address will always work (if you have the correct next hop address configured). So the original poster will have to decide which is better: a more flexible solution which requires no config change as they move from site to site and may or may not work or a solution which always works but requires config changes when they move from site to site.

As a side note: the implementation of static route specifying a LAN interface will make the router work harder than a static route with next hop. The router will be sending lots more ARP requests, will have a much bigger ARP table to manitain, and will spend some extra CPU cycles maintaining the larger ARP cache. This is not true of static routes with a point to point interface but is true for static routes with a LAN interface.

HTH

Rick

HTH

Rick

Michael Stuckey · ‎12-14-2005

I am curious why are you putting in a default route for the WAN. If you are doing DHCP client on that interface it should receive a default route from the DHCP server automatically. This would resolve all your problems.

How did you use the PIX do you have a sample config for it?

Just curious.

Rate if it helps!

Mike

johnnylingo · ‎01-26-2007

I agree. With DHCP, the router will create a static route for you automatically with a distance of 254. You can verify this with "show ip route". Mine looks something like this:

Cisco871W#show ip route

Gateway of last resort is 1.2.3.4 to network 0.0.0.0

C 192.168.1.0/24 is directly connected, VLan1

C 1.2.3.0/24 is directory connected, FastEthernet4

S* 0.0.0.0/0 [254/0] via 1.2.3.1

desai.jaideep · ‎12-17-2005

Hi

Though its not advisiable,but try giving both the routes.

The one with FastEthernet and one with IP address.

Since both the routes are routed through same interface, there wont be any effect.

Pls try it

Regards

JD

BillBores · ‎01-18-2007

You need to remove IP CEF. This will fix your problem. I have had this problem before and just yesterday afternoon could not get an IP address via DHCP. I removed the IP CEF statement and ...BAM... got an IP address on FE4.

Bill Bores

lowes.jgibson · ‎01-18-2007

I dont know ... I use a route map for my 1811...try this:

ip nat inside source route-map NAT-RM interface FastEthernet4 overload

!

access-list 101 permit ip 10.17.1.0 0.0.0.255 any

!

route-map NAT-RM permit 1

match ip address 101