04-22-2011 06:48 AM - edited 03-06-2019 04:44 PM
My company got a new Cisco router a couple weeks ago and I've been attempting to configure it whenever I have a chance to do so. I have managed to set up the interfaces and get my ip address set on the outside interface(eth0/1) but I am unable to get any internet access on the inside interface(eth0/0). Here is a summary of my setup.
eth0/1 - Dialer1
IP set through IP Negotiation, getting my static IP through PPPoE using a DSL modem(192.168.1.2).
NAT set to outside
No ACLs set for testing purposes, seems to interfere with NAT settings if set anyways.
eth0/0
IP set to 192.168.1.1 manually
NAT set to inside
No ACLs set for same purpose as above
My DNS is manually set to the servers supplied by my ISP.
Default route is set to Dialer1
From my computer that is connected to the router, IP of 192.168.1.252, I can ping the outside interface but cannot ping any internet address such as Google(IP or using hostname). I am able to ping the outside IP of the router from my 3G connection on my phone with this setup.
It has been a while since I took my Cisco course, almost 5 years now, so I am unsure if there is a setting I am missing in order to access the internet, I thought it was simply setting the NAT to allow internal addresses to convert to the external address. Is there something that I am overlooking that needs to be set up? Thanks for any assistance.
Here is the interface configuration lifted from my router:
interface GigabitEthernet0/0
description ADSL LAN Interface$ES_LAN$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
interface GigabitEthernet0/1
description Connection to WAN$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username #####@#####.com password # ####################
no cdp enable
04-22-2011 11:32 AM
Hi,
For users inside a LAN with private addresses to communicate with the Internet you must do NAT overload:
- apply nat inside and nat outside commands like you did
- configure an ACL permitting the inside network to be natted e.g access-list 1 permit 192.168.1.0 0.0.0.255
- use this ACL in your nat statement e.g ip nat inside source list 1 interface X/X overload
Then to verify do a ping and then issue show ip nat translation and you should see an entry for icmp.
Regards.
Alain.
04-26-2011 04:44 AM
I have set up the NAT like you said to but I am still not getting anything on the inside interfaces for the Internet. I can see that NAT translation is working as a lot of stuff is listed when I run the 'show ip nat trans' command, but it seems that I still cannot get anything to work. I applied an ACL list which allows my networked services access from outside and even tried to permit any on both interfaces without any luck. Here is my current config taken from the CLI. I had to bring up my old router which is why line protocols are down. I only have time to test the settings during off hours which is 6am-8am so any suggestions may take a while to test out. Thanks.
LAN INTERFACE
GigabitEthernet0/0 is down, line protocol is down
Internet address is 192.168.1.1/24
Broadcast address is 255.255.255.255
Address determined by non-volatile memory
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is 104
Inbound access list is not set
Proxy ARP is disabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are never sent
ICMP unreachables are never sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain inside
BGP Policy Mapping is disabled
Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
Output features: NAT Inside, Stateful Inspection, IPsec or interface ACL checked on pre-encrypted cleartext packets, Post-Ingress-NetFlow
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
WAN INTERFACE
Dialer1 is up, line protocol is up
Internet address will be negotiated using IPCP
Broadcast address is 255.255.255.255
MTU is 1452 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is 150
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is enabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Stateful Inspection, Dialer i/f override, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
Output features: Post-routing NAT Outside, Stateful Inspection, Post-Ingress-NetFlow, Dialer idle reset, Dialer idle reset
WCCP Redirect outbound is disabled
WCCP Redirect inbound is disabled
WCCP Redirect exclude is disabled
ACCESS-LIST 10 - NAT trans for the LAN interface
Standard IP access list 10
10 permit 192.168.1.0, wildcard bits 0.0.0.255 (2561 matches)
ACCESS-LIST 104 - On LAN Interface - The two addresses listed are the DNS servers.
Extended IP access list 104
10 permit udp host 67.69.184.212 eq domain any
20 permit udp host 67.69.184.168 eq domain any
30 permit ip any any (55205 matches)
ACCESS-LIST 150 - On WAN Interface
10 permit udp host 67.69.184.212 eq domain any
20 permit udp host 67.69.184.168 eq domain any (1 match)
260 permit tcp any host 192.168.1.10 eq www established
270 permit tcp any host 192.168.1.10 eq 443 established
340 permit tcp any any eq smtp (1 match)
350 permit ip any any (2 matches)
SHOW IP NAT STAT
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 276, occurred 00:20:29 ago
Outside interfaces:
GigabitEthernet0/1, Dialer1
Inside interfaces:
GigabitEthernet0/0
Hits: 6764 Misses: 0
CEF Translated packets: 1985, CEF Punted packets: 13611
Expired translations: 2500
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 10 interface GigabitEthernet0/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
04-26-2011 07:51 AM
Are the ACLs applied properly? It appears you have rules for the DNS servers written correctly, but you will need them applied to the interfaces properly (which I don't see here) for it to fully work. Here's how they should be applied:
-Outbound on WAN interface
ip access-group 150 out
-Inbound on LAN interface
ip access-group 104 in
04-26-2011 07:54 AM
That sounds like it could be right. I think I have it reversed at the moment and only have outbound on the LAN side set and inbound on the WAN. I'll test it out tomorrow morning, thanks.
04-26-2011 08:37 AM
I made a fubar here. As an edit, your WAN ACL (for return traffic) config looks correct. I thought it was for outbound to the internet at 1st glance. Your LAN ACL is what's backwards. You have:
10 permit udp host 67.69.184.212 eq domain any
20 permit udp host 67.69.184.168 eq domain any
30 permit ip any any (55205 matches)
I'm assuming the purpose of this ACL is to allow your users access through the LAN interface and outbound to the internet DNS servers, which in this case you need:
10 permit udp any host 67.69.184.212 eq domain
20 permit udp any host 67.69.184.168 eq domain
30 permit ip any any (55205 matches)
And you will need this inbound on your LAN interface, as in Users -------> LAN (inbound):
ip access-group 104 in
My apologies for the mixup. I got too much going on today
Message was edited by: Antonio Knox
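The following is an added example and not the original poster's, Alain's or Antonio's own configuration: it puts Alain's three NAT overload steps and Antonio's corrected LAN ACL direction into one IOS configuration. Interface names, the 192.168.1.0/24 LAN and the two ISP DNS server addresses are the ones posted above; note that the overload statement names the outside interface (Dialer1), which is the "interface X/X" in Alain's third step.

```cisco
! Added example (not the poster's or Alain's own config). Interface names,
! the 192.168.1.0/24 LAN and the two ISP DNS servers come from the thread.
!
! 1. NAT domains on the interfaces, plus the ACL applied in the direction
!    Antonio corrected: inbound on the LAN side (users -> router).
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip access-group 104 in
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip access-group 150 in
!
! 2. ACL 10 selects which inside addresses may be translated.
access-list 10 permit 192.168.1.0 0.0.0.255
!
! 3. Overload onto the address IPCP negotiated on the OUTSIDE interface.
!    The statement names Dialer1; "show ip nat statistics" then shows
!    "access-list 10 interface Dialer1" under Dynamic mappings.
ip nat inside source list 10 interface Dialer1 overload
!
! 4. LAN ACL 104, inbound on Gi0/0: source is the user, destination is
!    the DNS server. With the final permit ip any any nothing is denied,
!    so the first two lines only give per-server match counters.
ip access-list extended 104
 permit udp any host 67.69.184.212 eq domain
 permit udp any host 67.69.184.168 eq domain
 permit ip any any
!
! WAN ACL 150, inbound on Dialer1, as posted in the thread. Note that the
! trailing permit ip any any admits all inbound traffic; the lines above
! it only affect counters, not what is allowed.
ip access-list extended 150
 permit udp host 67.69.184.212 eq domain any
 permit udp host 67.69.184.168 eq domain any
 permit tcp any host 192.168.1.10 eq www established
 permit tcp any host 192.168.1.10 eq 443 established
 permit tcp any any eq smtp
 permit ip any any
!
! Default route out the dialer, as in the original running-config.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Verify (as Alain suggested): ping from the LAN, then
!   show ip nat translations
!   show ip nat statistics
```

After a ping from a LAN host, "show ip nat translations" should list an icmp entry whose outside address is the PPPoE-negotiated Dialer1 address.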
04-28-2011 05:04 AM
Alright, I got the ACL straightened out but still no access. I decided to run a connection test on the inside interface through the GUI and I think I might have come up with the problem, my static/default routes.
My outside interface can run the test fine and I can ping from network -> dialer 1, but nothing is going from the network to the internet, not even to my DNS servers.
show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
From the Running-config
ip route 0.0.0.0 0.0.0.0 Dialer1
I don't recall needing anything besides this to access the internet, maybe it is something else I am missing?
04-28-2011 06:29 AM
What are you seeing in the logs? Try temporarily setting your logging buffer facility to informational (logging buffered informational) to see any ACL blocks logged. As far as the route, if this was working before now, I don't see how this would be your issue. If this isn't the case, try pointing your default route to a next hop address.