02-03-2013 07:57 AM - edited 03-07-2019 11:28 AM
Hello,
I used to use a CentOS self-made server for the intranet of my little office, but a few days ago I bought a Cisco 861 router to replace the Linux box.
My requirements:
1. I have 2 public IP classes from my ISP. 1 class is limited to 80mbit upload, the other to 30mbit upload. So I need some sort of DNAT to be able to know exactly which intranet computer uses the big internet and which one the limited internet.
2. I need a DHCP server with static IP addresses (one computer must always have the same IP address, etc.). I have my needs for this.
3. Also I need external access to some servers inside (web, ftp, etc.)
Settings:
Intranet (dhcp): 10.11.12.x 255.255.255.0
Public Internet 1: 89.45.204.118 255.255.255.248 (89.45.204.117 as gateway)
Public internet 2: some other IP in same class (let's assume 89.45.204.58/24 for example)
DNS: 89.45.200.1
So far so good, all looks simple and I can achieve this in 2 hours on a CentOS Linux box (correct routes, IP forwarding enabled and a few iptables rules for NAT/SNAT/DNAT).
But on this brand new Centos router ... well, I'm not even successful in pinging the outside world, nor the inside world. I'm tired of reading the forums, the documentation... I want (at first) a simple scenario: vlan+dhcp, fa4 with 1 public IP address and ACCESS to the real world. I wasn't able to achieve even that much.
OK, first, here is a copy of the running config:
Building configuration...
Current configuration : 5826 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco861
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 [removed-from-context]
enable password [removed-from-context]
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2459631067
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2459631067
revocation-check none
rsakeypair TP-self-signed-2459631067
!
!
crypto pki certificate chain TP-self-signed-2459631067
certificate self-signed 01
[removed-from-context]
quit
ip source-route
!
!
ip dhcp excluded-address 10.11.12.1
ip dhcp excluded-address 10.11.12.251 10.11.12.254
!
ip dhcp pool cisco861-iasi
import all
network 10.11.12.0 255.255.255.0
domain-name cisco861.iasi
dns-server 10.11.12.1 89.45.200.1
default-router 10.11.12.1
netbios-name-server 10.11.12.2 10.11.12.3
!
ip dhcp pool testPC
host 10.11.12.111 255.255.255.0
client-identifier 0100.c030.1012.09
client-name testpc-01
!
!
ip cef
ip domain name cisco861.iasi
ip name-server 89.45.200.1
!
!
license udi pid CISCO861-K9 sn [removed-from-context]
!
!
username admin privilege 15 secret 4 [removed-from-context]
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description external$ETH-LAN$
ip address 89.45.204.118 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex full
speed auto
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.11.12.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 23 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 89.45.204.117
!
access-list 23 permit 10.11.12.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community cisco861.iasi RO
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password [removed-from-context]
login local
transport input telnet ssh
!
end
(I found no CODE or QUOTE tags like on other forums... so I tried to indent the config for you guys)
Also, here are some troubleshooting commands I've used; maybe they can help some of you find out what's wrong.
cisco861#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 89.45.204.118 YES manual up up
NVI0 89.45.204.118 YES unset up up
Vlan1 10.11.12.1 YES manual up up
cisco861#show mac-address-table
Destination Address Address Type VLAN Destination Port
------------------- ------------ ---- --------------------
xxxx.xxxx.xxxx Dynamic 1 FastEthernet0
xxxx.xxxx.xxxx Self 1 Vlan1
WEIRD: there is no MAC address for the connected FastEthernet 4. How come? I changed 3 cables. All cables are OK.
cisco861#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 89.45.204.117 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 89.45.204.117
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.11.12.0/24 is directly connected, Vlan1
L 10.11.12.1/32 is directly connected, Vlan1
89.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 89.45.204.117/29 is directly connected, FastEthernet4
L 89.45.204.118/32 is directly connected, FastEthernet4
router#show interfaces FastEthernet 4
FastEthernet4 is up, line protocol is up
Hardware is PQII_PRO_UEC, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
Description: external$ETH-LAN$
Internet address is 89.45.204.118/29
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:02:54, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
28 packets input, 3909 bytes
Received 14 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
110 packets output, 25366 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
router#show interfaces vlan 1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
Internet address is 10.11.12.1/24
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive not supported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:06, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
512 packets input, 53381 bytes, 0 no buffer
Received 185 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
180 packets output, 13248 bytes, 0 underruns
0 output errors, 1 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
Also, I have tried other combinations, as following
Please have mercy and help me.
P.S. I have also attached the config and the troubleshooting files if it will be easier for you to follow them this way.
Many thanks and God bless you!
02-03-2013 08:36 AM
hello
I am not able to view your config and output from my phone so cannot check.
Anyway, can you:
1- ping your next hop, the ISP's LAN interface, which is your router's WAN interface connection
2- have you tried your connection first without applying NAT
3- have you reloaded the ISP modem
res
paul
02-03-2013 08:40 AM
Hi Paul,
1. Yes, I tried pinging the gateway, also the intranet-connected computer - no luck
2. Tried without the NAT rules - no luck
3. There's no ISP modem. A direct fiber optic line comes to my place and the eth cable goes into a switch, where I plugged in this router also. Plugging the laptop directly into the line and using the static IP works, but via the router it doesn't.
Thanks though.
02-03-2013 08:45 AM
hello
try spoofing the WAN interface with your PC's MAC address
res paul
02-03-2013 09:23 AM
Hi Paul,
Indeed, cloning the MAC address made pings work, also browsing.
How about DNAT? I want, for example, local IP 10.11.12.33 to go out on the net via 89.45.204.120 (and not 89.45.204.118, which will be the default).
Many thanks.
02-03-2013 09:50 AM
hello,
ip nat inside source static 10.11.12.33 89.45.204.120 (host-to-host)
ip nat inside source static tcp 10.11.12.33 80 89.45.204.120 80 (port translation, host-to-host)
res
Paul
Please don't forget to rate this post if it has been helpful.
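A small audit script for the management-plane and NAT exposure points in the config posted above, once Paul's two static NAT lines are added. This is an added example, not code from the thread or from Cisco. SAMPLE_CONFIG is a constructed, trimmed copy of the poster's running config with the secrets replaced by placeholders; the block parser only knows the `interface` and `line` sections it needs. The check most relevant to this thread is the shared ACL: access-list 23 is used both as the NAT source list and as the `access-class` on the vty lines and HTTP server, so any subnet later added to it for NAT also gains management access.

```python
"""Audit a Cisco IOS running-config for the management-plane and NAT exposure
points raised in this thread.  Added example, not code from the thread or from
Cisco.  SAMPLE_CONFIG is a constructed, trimmed copy of the poster's config with
Paul's two static NAT lines applied; the secrets are placeholders."""
import re

SAMPLE_CONFIG = """\
no service password-encryption
enable secret 5 PLACEHOLDER-HASH
enable password PLACEHOLDER-CLEARTEXT
!
interface FastEthernet4
 ip address 89.45.204.118 255.255.255.248
 ip nat outside
!
interface Vlan1
 ip address 10.11.12.1 255.255.255.0
 ip nat inside
!
ip http server
ip http access-class 23
ip http secure-server
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source static 10.11.12.33 89.45.204.120
ip nat inside source static tcp 10.11.12.33 80 89.45.204.120 80
access-list 23 permit 10.11.12.0 0.0.0.255
snmp-server community cisco861.iasi RO
!
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
end
"""

# 'ip nat inside source static [tcp|udp] INSIDE [PORT] OUTSIDE [PORT]'
STATIC_NAT = re.compile(
    r"^ip nat inside source static(?: (?P<proto>tcp|udp))? (?P<inside>\S+)"
    r"(?: (?P<iport>\d+))? (?P<outside>\S+)(?: (?P<oport>\d+))?$"
)


def parse_config(text):
    """Split a config into top-level commands and 'interface'/'line' blocks.
    A block ends at the next '!' separator or block header, so the parser
    does not rely on the one-space indentation that forum posts often lose."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "end":
            continue
        if line == "!":
            current = None
        elif line.startswith(("interface ", "line ")):
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
        else:
            top.append(line)
    return top, blocks


def static_nat_entries(top):
    """(inside, outside, protocol, outside port) for each static translation."""
    entries = []
    for line in top:
        m = STATIC_NAT.match(line)
        if m:
            entries.append((m["inside"], m["outside"], m["proto"] or "ip", m["oport"]))
    return entries


def audit(text):
    """Return a list of (code, message) findings for the config text."""
    top, blocks = parse_config(text)
    findings = []
    nat_acls, mgmt_acls = set(), set()
    for line in top:
        if m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_acls.add(m[1])
        if m := re.match(r"ip http access-class (\S+)", line):
            mgmt_acls.add(m[1])
        if line == "ip http server":
            findings.append(("HTTP_PLAIN", "ip http server enabled; keep only ip http secure-server"))
        if m := re.match(r"snmp-server community (\S+) ", line):
            findings.append(("SNMP_COMMUNITY", f"SNMPv2c community '{m[1]}' travels in cleartext"))
    if any(l.startswith("enable password") for l in top) and "no service password-encryption" in top:
        findings.append(("CLEARTEXT_ENABLE", "enable password stored in cleartext; enable secret is present, remove it"))
    for name, body in blocks.items():
        if not name.startswith("line vty"):
            continue
        for line in body:
            if m := re.match(r"access-class (\S+) in", line):
                mgmt_acls.add(m[1])
            if line.startswith("transport input") and "telnet" in line.split():
                findings.append(("TELNET", f"{name}: telnet accepted; use 'transport input ssh'"))
    # The NAT source list and the management access-class sharing one ACL is
    # the quiet trap in this config: widening NAT also widens management reach.
    for acl in sorted(nat_acls & mgmt_acls):
        findings.append(("SHARED_ACL", f"access-list {acl} scopes both NAT and management access; "
                                       "any host added to NAT can also reach vty/http"))
    for inside, outside, proto, port in static_nat_entries(top):
        scope = f"{proto}/{port}" if port else "all protocols"
        findings.append(("STATIC_NAT", f"{inside} reachable from the Internet as {outside} ({scope})"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

Run it as-is to see the findings for the sample, or pass the output of `show running-config` to `audit()`. The STATIC_NAT finding distinguishes Paul's host-to-host line (every protocol forwarded to 10.11.12.33) from the port-translation line (only tcp/80), which is the difference that decides how much of the inside host is exposed.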
02-03-2013 10:28 AM
Thanks very much Paul.
One last note. Will ip address x.x.x.x x.x.x.x secondary declare a second class of IPs for the external interface, or is there another way to do this? Also, would this require 2 ip routes for both gateways?
Many thanks.