Solved: Host Can't Access Internet

sxiong1111 · ‎04-30-2018

All, I'm having some trouble getting hosts to connect to the Internet. Directly from the router (Cisco C1111-8P), I can ping 8.8.8.8 and google.com; however from a host machine, I can ping 8.8.8.8, but not google.com.

Pinging google.com from the Router:
xio-1-br01#ping google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.6.142, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/28 ms

Pinging google.com from a Host PC:
C:\Users\pc>ping google.com
Ping request could not find host google.com. Please check the name and try again.

Here's my router configuration below.

xio-1-br01#show running-config
Building configuration...


Current configuration : 3783 bytes
!
! Last configuration change at 04:26:57 UTC Sat May 5 2018
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xio-1-br01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip dhcp excluded-address 10.2.255.1 10.2.255.254
ip dhcp excluded-address 10.1.255.1 10.1.255.254
ip dhcp excluded-address 10.4.255.1 10.4.255.254
ip dhcp excluded-address 10.3.255.1 10.3.255.254
ip dhcp excluded-address 10.5.255.1 10.5.255.254
!
ip dhcp pool p2
 import all
 network 10.2.0.0 255.255.0.0
 default-router 10.2.255.254
 dns-server 10.2.255.254
 lease 3
!
ip dhcp pool p1
 import all
 network 10.1.0.0 255.255.0.0
 default-router 10.1.255.254
 dns-server 10.1.255.254
 lease 3
!
ip dhcp pool p3
 import all
 network 10.3.0.0 255.255.0.0
 default-router 10.3.255.254
 dns-server 10.3.255.254
 lease 3
!
ip dhcp pool p4
 import all
 network 10.4.0.0 255.255.0.0
 default-router 10.4.255.254
 dns-server 10.4.255.254
 lease 3
!
ip dhcp pool p5
 import all
 network 10.5.0.0 255.255.0.0
 default-router 10.5.255.254
 dns-server 10.5.255.254
 lease 3
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3932058017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3932058017
 revocation-check none
 rsakeypair TP-self-signed-3932058017
!
!
crypto pki certificate chain TP-self-signed-3932058017
!
!
license udi pid C1111-8P sn FGL2204923K
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
 ip address 10.240.9.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 10.240.8.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
 switchport access vlan 5
!
interface GigabitEthernet0/1/5
 switchport access vlan 5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.255.254 255.255.0.0
 ip nat inside
!
interface Vlan2
 ip address 10.2.255.254 255.255.0.0
 ip nat inside
!
interface Vlan3
 ip address 10.3.255.254 255.255.0.0
 ip nat inside
!
interface Vlan4
 ip address 10.4.255.254 255.255.0.0
 ip nat inside
!
interface Vlan5
 ip address 10.5.255.254 255.255.0.0
 ip nat inside
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 10.1.0.0 255.255.0.0 Vlan1
ip route 10.2.0.0 255.255.0.0 Vlan2
ip route 10.3.0.0 255.255.0.0 Vlan3
ip route 10.4.0.0 255.255.0.0 Vlan4
ip route 10.5.0.0 255.255.0.0 Vlan5
ip route 10.140.8.0 255.255.255.0 GigabitEthernet0/0/1
ip route 10.140.9.0 255.255.255.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
access-list 100 permit ip 10.1.0.0 0.0.255.255 any
access-list 100 permit ip 10.2.0.0 0.0.255.255 any
access-list 100 permit ip 10.3.0.0 0.0.255.255 any
access-list 100 permit ip 10.4.0.0 0.0.255.255 any
access-list 100 permit ip 10.5.0.0 0.0.255.255 any
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password pass
 logging synchronous
 login
 transport input none
 stopbits 1
line vty 0
 exec-timeout 0 0
 password pass
 logging synchronous
 login
line vty 1 4
 login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

xio-1-br01#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0/0   192.168.1.127   YES DHCP   up                    up
GigabitEthernet0/0/1   10.240.8.1      YES NVRAM  up                    up
GigabitEthernet0/1/0   unassigned      YES unset  down                  down
GigabitEthernet0/1/1   unassigned      YES unset  down                  down
GigabitEthernet0/1/2   unassigned      YES unset  down                  down
GigabitEthernet0/1/3   unassigned      YES unset  down                  down
GigabitEthernet0/1/4   unassigned      YES unset  down                  down
GigabitEthernet0/1/5   unassigned      YES unset  down                  down
GigabitEthernet0/1/6   unassigned      YES unset  down                  down
GigabitEthernet0/1/7   unassigned      YES unset  up                    up
Loopback0              10.240.9.1      YES NVRAM  up                    up
Vlan1                  10.1.255.254    YES NVRAM  up                    up
Vlan2                  10.2.255.254    YES NVRAM  up                    up
Vlan3                  10.3.255.254    YES NVRAM  up                    up
Vlan4                  10.4.255.254    YES NVRAM  up                    up
Vlan5                  10.5.255.254    YES NVRAM  up                    up

Can I get some help to look over the configs and see why I can't get host machines to connect to the Internet?

Georg Pauwen · ‎05-05-2018

Hello,

delete access list 100 and make the below changes:

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

access-list 1 permit 10.0.0.0 0.255.255.255

Also, in your DHCP pools, try and use the Google DNS servers instead of your internal ones:

dns-server 8.8.8.8 8.8.4.4

View solution in original post

sxiong1111 · ‎05-04-2018

I'd like to bump this to the top, as I've been stuck trying to figure this out for days. I'm using a physical/live router and switch. The switch configuration can be found below (whereas the router configuration can be found in the original message above).

This is the Switch (WS-C2960XR-48FPS-I) Configuration:
xio-1-as01#show run
Building configuration...

Current configuration : 6935 bytes
!
! Last configuration change at 18:59:56 UTC Fri May 4 2018
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xio-1-as01
!
boot-start-marker
boot-end-marker
!
enable password admin
!
no aaa new-model
switch 1 provision ws-c2960xr-48fps-i
system mtu routing 1500
ip routing
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2063789952
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2063789952
 revocation-check none
 rsakeypair TP-self-signed-2063789952
!
!
crypto pki certificate chain TP-self-signed-2063789952
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303633 37383939 3532301E 170D3138 30343232 30373531
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30363337
  38393935 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A367 4AB5795B 5848917F 4CF831D8 8B536D11 6A1D7E4F 65A3A6EA 85D1395A
  0B066141 94CFB6CC 3B2CC8AC 5CED9FB2 86F40557 F6BC91BD 4F0DD55B 57BDC524
  A06872BC 00A98429 5C745AEE 39EF9549 A94CCABA B60DA63D 33FB3F8E 8CFF86D4
  852DF9F8 E99BA09E 648FAC93 BF336C8F 73F05646 4D94A22D EF663B66 86AAE5BB
  D1030203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14456224 32E30CD2 006921E5 2194D118 045185AC 7B301D06
  03551D0E 04160414 45622432 E30CD200 6921E521 94D11804 5185AC7B 300D0609
  2A864886 F70D0101 05050003 8181002A 9F294C50 2FF34461 359DEE41 31367D8F
  F6A10CBE 4C8604C6 62ED3383 E09EA295 9A987D02 EE77C6A5 2CCB0DFC 09DA7FAB
  F23190E0 D9E35A84 FD28321D 040BFF80 6E106ADE B95DA4D7 1F356210 11536D57
  5588DBAB C6B1BD9C A651ACDA DE6BC9A9 1F521818 5C047832 F83E72E9 77CB9F85
  8CDF9027 EC9254B6 DB30E598 C8B772
        quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.140.9.1 255.255.255.0
!
interface FastEthernet0
 no ip address
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/6
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/7
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/8
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/9
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/11
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/12
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/13
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/14
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/15
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/16
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/17
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/18
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/19
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/20
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/21
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/22
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/23
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/24
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/25
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/26
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/27
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/28
 switchport access vlan 2
 switchport mode trunk
!
interface GigabitEthernet1/0/29
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/30
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/31
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/32
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/33
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/34
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/35
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/36
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet1/0/37
!
interface GigabitEthernet1/0/38
!
interface GigabitEthernet1/0/39
!
interface GigabitEthernet1/0/40
!
interface GigabitEthernet1/0/41
!
interface GigabitEthernet1/0/42
!
interface GigabitEthernet1/0/43
 switchport access vlan 4
!
interface GigabitEthernet1/0/44
 switchport access vlan 4
!
interface GigabitEthernet1/0/45
 switchport access vlan 4
!
interface GigabitEthernet1/0/46
 switchport access vlan 4
!
interface GigabitEthernet1/0/47
 no switchport
 ip address 10.140.8.1 255.255.255.0
 ip access-group 100 in
 ip access-group 100 out
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
 ip address 10.1.255.253 255.255.0.0
!
interface Vlan2
 ip address 10.2.255.253 255.255.0.0
!
interface Vlan3
 ip address 10.3.255.253 255.255.0.0
!
interface Vlan4
 ip address 10.4.255.253 255.255.0.0
!
interface Vlan5
 ip address 10.5.255.253 255.255.0.0
!
ip default-gateway 10.140.8.1
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet1/0/47
ip route 10.1.0.0 255.255.0.0 Vlan1
ip route 10.2.0.0 255.255.0.0 Vlan2
ip route 10.3.0.0 255.255.0.0 Vlan3
ip route 10.4.0.0 255.255.0.0 Vlan4
ip route 10.5.0.0 255.255.0.0 Vlan5
ip route 10.240.8.0 255.255.255.0 GigabitEthernet1/0/47
ip route 10.240.9.0 255.255.255.0 GigabitEthernet1/0/47
!
!
access-list 100 permit ip any any
!
no vstack
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login
line vty 0
 password pass
 logging synchronous
 login
line vty 1 4
 login
line vty 5 15
 login
!
end

Georg Pauwen · ‎05-05-2018

Hello,

delete access list 100 and make the below changes:

ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

access-list 1 permit 10.0.0.0 0.255.255.255

Also, in your DHCP pools, try and use the Google DNS servers instead of your internal ones:

dns-server 8.8.8.8 8.8.4.4

sxiong1111 · ‎05-05-2018

Hi Georg,

After making the suggested configuration changes you've mentioned, the host machines can now resolve things like cisco.com and folks can now browse the Internet without issues. In addition to using Google's DNS servers, I've used COX's DNS servers a couple others. We can consider this discussion resolved.

I do want to mention that initially I used Google's DNS servers, but made no difference (before making a post on this forum). I believe it was a combination of what you've mentioned of removing the extended access-list 100 and replacing it with a standard range access-list 1 and then using Google's DNS servers. I'm not quite sure how changing from an extended access-list to a standard-access list made a difference. Just like most people on this forum, I'm here to learn and appreciate the help from the people in this community.

In any case, I'll share my updated router's entire running configuration, in hopes that someone else in the same situation may find it useful. As always, if anyone sees something out of the ordinary in my configs that doesn't make sense, please let me know. I'm not too worried about security at this point, but will eventually get there, once I gain more knowledge.

xio-1-br01#show running-config
Building configuration...


Current configuration : 4000 bytes
!
! Last configuration change at 20:03:21 UTC Sat May 5 2018
!
version 16.6
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname xio-1-br01
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
ip dhcp excluded-address 10.2.255.1 10.2.255.254
ip dhcp excluded-address 10.1.255.1 10.1.255.254
ip dhcp excluded-address 10.4.255.1 10.4.255.254
ip dhcp excluded-address 10.3.255.1 10.3.255.254
ip dhcp excluded-address 10.5.255.1 10.5.255.254
!
ip dhcp pool p2
 import all
 network 10.2.0.0 255.255.0.0
 default-router 10.2.255.254
 dns-server 68.1.16.107 68.1.16.108 68.111.106.68 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 91.239.100.100
 lease 3
!
ip dhcp pool p1
 import all
 network 10.1.0.0 255.255.0.0
 default-router 10.1.255.254
 dns-server 68.1.16.107 68.1.16.108 68.111.106.68 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 91.239.100.100
 lease 3
!
ip dhcp pool p3
 import all
 network 10.3.0.0 255.255.0.0
 default-router 10.3.255.254
 dns-server 68.1.16.107 68.1.16.108 68.111.106.68 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 91.239.100.100
 lease 3
!
ip dhcp pool p4
 import all
 network 10.4.0.0 255.255.0.0
 default-router 10.4.255.254
 dns-server 68.1.16.107 68.1.16.108 68.111.106.68 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 91.239.100.100
 lease 3
!
ip dhcp pool p5
 import all
 network 10.5.0.0 255.255.0.0
 default-router 10.5.255.254
 dns-server 68.1.16.107 68.1.16.108 68.111.106.68 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 91.239.100.100
 lease 3
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3932058017
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3932058017
 revocation-check none
 rsakeypair TP-self-signed-3932058017
!
!
crypto pki certificate chain TP-self-signed-3932058017
!
!
license udi pid C1111-8P sn FGL2204923K
!
diagnostic bootup level minimal
spanning-tree extend system-id
!
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface Loopback0
 ip address 10.240.9.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address dhcp
 ip nat outside
 negotiation auto
 no cdp enable
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1
 ip address 10.240.8.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
 switchport access vlan 5
!
interface GigabitEthernet0/1/5
 switchport access vlan 5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
 switchport mode trunk
!
interface Vlan1
 ip address 10.1.255.254 255.255.0.0
 ip nat inside
!
interface Vlan2
 ip address 10.2.255.254 255.255.0.0
 ip nat inside
!
interface Vlan3
 ip address 10.3.255.254 255.255.0.0
 ip nat inside
!
interface Vlan4
 ip address 10.4.255.254 255.255.0.0
 ip nat inside
!
interface Vlan5
 ip address 10.5.255.254 255.255.0.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip route 10.1.0.0 255.255.0.0 Vlan1
ip route 10.2.0.0 255.255.0.0 Vlan2
ip route 10.3.0.0 255.255.0.0 Vlan3
ip route 10.4.0.0 255.255.0.0 Vlan4
ip route 10.5.0.0 255.255.0.0 Vlan5
ip route 10.140.8.0 255.255.255.0 GigabitEthernet0/0/1
ip route 10.140.9.0 255.255.255.0 GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 dhcp
!
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password pass
 logging synchronous
 login
 transport input none
 stopbits 1
line vty 0
 exec-timeout 0 0
 password pass
 logging synchronous
 login
line vty 1 4
 login
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Dennis Mink · ‎05-05-2018

what do you get on a local machine when you do an nslookup www.google.com does it actually resolve in an IP address at all?

Please remember to rate useful posts, by clicking on the stars below.

sxiong1111 · ‎05-05-2018

Here's the result:

C:\Users\pc>nslookup google.com
Server:  UnKnown
Address:  68.1.16.107

*** UnKnown can't find google.com: Query refused

usamasohail147 · ‎03-06-2019

hi i have network in which i connect my dns server with pppoe connection. on the other LAN card i connect my router Cisco 2921.

with router my switch is connected. now i can access internet on my router. but on devices i cannot. already configure router as default ip route.