No internet access from LAN - Cisco 1941W

dsarance1
Level 1

My company got a new Cisco router a couple weeks ago and I've been attempting to configure it whenever I have a chance to do so. I have managed to set up the interfaces and get my IP address set on the outside interface (eth0/1) but I am unable to get any internet access on the inside interface (eth0/0). Here is a summary of my setup.

eth0/1 - Dialer1

IP set through IP Negotiation, getting my static IP through PPPoE using a DSL modem (192.168.1.2).

NAT set to outside

No ACLs set for testing purposes, seems to interfere with NAT settings if set anyways.

eth0/0

IP set to 192.168.1.1 manually

NAT set to inside

No ACLs set for same purpose as above

My DNS is manually set to the servers supplied by my ISP.

Default route is set to Dialer1

From my computer that is connected to the router, IP of 192.168.1.252, I can ping the outside interface but cannot ping any internet address such as Google (IP or using hostname). I am able to ping the outside IP of the router from my 3G connection on my phone with this setup.

It has been a while since I took my Cisco course, almost 5 years now, so I am unsure if there is a setting I am missing in order to access the internet. I thought it was simply setting the NAT to allow internal addresses to convert to the external address. Is there something that I am overlooking that needs to be set up? Thanks for any assistance.

Here is the interface configuration lifted from my router:

interface GigabitEthernet0/0
description ADSL LAN Interface$ES_LAN$$ETH-LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled

interface GigabitEthernet0/1
description Connection to WAN$ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
no mop enabled

interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username #####@#####.com password # ####################
no cdp enable


cadet alain
VIP Alumni

Hi,

For users inside a LAN with private addresses to communicate with the Internet you must do NAT overload:

- apply nat inside and nat outside commands like you did

- configure an ACL permitting the inside network to be natted, e.g. access-list 1 permit 192.168.1.0 0.0.0.255

- use this ACL in your nat statement, e.g. ip nat inside source list 1 interface X/X overload

Then to verify do a ping and then issue show ip nat translation and you should see an entry for icmp.

Regards.

Alain.

Don't forget to rate helpful posts.

I have set up the NAT like you said to but I am still not getting anything on the inside interfaces for the Internet. I can see that NAT translation is working as a lot of stuff is listed when I run the 'show ip nat trans' command, but it seems that I still cannot get anything to work. I applied an ACL list which allows my networked services access from outside and even tried to permit any on both interfaces without any luck. Here is my current config taken from the CLI. I had to bring up my old router which is why line protocols are down. I only have time to test the settings during off hours which is 6am-8am so any suggestions may take a while to test out. Thanks.


LAN INTERFACE
GigabitEthernet0/0 is down, line protocol is down
  Internet address is 192.168.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is 104
  Inbound  access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain inside
  BGP Policy Mapping is disabled
  Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check
  Output features: NAT Inside, Stateful Inspection, IPsec or interface ACL checked on pre-encrypted cleartext packets, Post-Ingress-NetFlow
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

WAN INTERFACE

Dialer1 is up, line protocol is up
  Internet address will be negotiated using IPCP
  Broadcast address is 255.255.255.255
  MTU is 1452 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 150
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF switching turbo vector
  IP Null turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
  Input features: Stateful Inspection, Dialer i/f override, Virtual Fragment Reassembly, Access List, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
  Output features: Post-routing NAT Outside, Stateful Inspection, Post-Ingress-NetFlow, Dialer idle reset, Dialer idle reset
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled

ACCESS-LIST 10 - NAT trans for the LAN interface

Standard IP access list 10
    10 permit 192.168.1.0, wildcard bits 0.0.0.255 (2561 matches)


ACCESS-LIST 104 - On LAN Interface - The two addresses listed are the DNS servers.
Extended IP access list 104
    10 permit udp host 67.69.184.212 eq domain any
    20 permit udp host 67.69.184.168 eq domain any
    30 permit ip any any (55205 matches)

ACCESS-LIST 150 - On WAN Interface

    10 permit udp host 67.69.184.212 eq domain any
    20 permit udp host 67.69.184.168 eq domain any (1 match)

    260 permit tcp any host 192.168.1.10 eq www established
    270 permit tcp any host 192.168.1.10 eq 443 established
    340 permit tcp any any eq smtp (1 match)
    350 permit ip any any (2 matches)

SHOW IP NAT STAT
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 276, occurred 00:20:29 ago
Outside interfaces:
  GigabitEthernet0/1, Dialer1
Inside interfaces:
  GigabitEthernet0/0
Hits: 6764  Misses: 0
CEF Translated packets: 1985, CEF Punted packets: 13611
Expired translations: 2500
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 10 interface GigabitEthernet0/0 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
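
An added example, not part of the original post: a Python check that parses the `show ip nat statistics` output above and compares the interface named in each dynamic mapping with the router's outside interfaces. With `overload`, inside hosts are translated to the address of the interface named in the `ip nat inside source list ... interface ... overload` statement, so that interface is normally the outside one (Dialer1 here). The function names and the trimmed sample are assumptions of this example.

```python
import re

# Constructed sample: the relevant lines of the `show ip nat statistics`
# output posted above, trimmed but otherwise unchanged.
SAMPLE = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  GigabitEthernet0/1, Dialer1
Inside interfaces:
  GigabitEthernet0/0
Hits: 6764  Misses: 0
Dynamic mappings:
-- Inside Source
[Id: 7] access-list 10 interface GigabitEthernet0/0 refcount 0
"""

def parse_nat_stats(text):
    """Return (outside_ifs, inside_ifs, mappings) from the show output."""
    outside, inside, mappings = set(), set(), []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Outside interfaces:":
            section = outside
        elif stripped == "Inside interfaces:":
            section = inside
        elif line.startswith((" ", "\t")) and section is not None:
            section.update(n.strip() for n in stripped.split(",") if n.strip())
        else:
            section = None
            m = re.match(r"\[Id: \d+\] access-list (\S+) interface (\S+)", stripped)
            if m:
                mappings.append((m.group(1), m.group(2)))
    return outside, inside, mappings

def check_overload_interface(text):
    """Flag inside-source mappings whose translation interface is not outside."""
    outside, inside, mappings = parse_nat_stats(text)
    findings = []
    for acl, ifname in mappings:
        if ifname not in outside:
            domain = "an inside" if ifname in inside else "not an outside"
            findings.append(f"access-list {acl} overloads onto {ifname}, which is "
                            f"{domain} interface; expected one of {sorted(outside)}")
    return findings

if __name__ == "__main__":
    for finding in check_overload_interface(SAMPLE):
        print(finding)
```

On the posted output it reports that access-list 10 is overloading onto GigabitEthernet0/0, which the same output lists as an inside interface.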

Are the ACLs applied properly?  It appears you have rules for the DNS servers written correctly, but you will need them applied to the interfaces properly (which I don't see here) for it to fully work.  Here's how they should be applied:

-Outbound on WAN interface
ip access-group 150 out

-Inbound on LAN interface
ip access-group 104 in

That sounds like it could be right. I think I have it reversed at the moment and only have outbound on the LAN side set and inbound on the WAN. I'll test it out tomorrow morning, thanks.

I made a fubar here.  As an edit, your WAN ACL (for return traffic) config looks correct. I thought it was for outbound to the internet at 1st glance.  Your LAN ACL is what's backwards.  You have:

  10 permit udp host 67.69.184.212 eq domain any
  20 permit udp host 67.69.184.168 eq domain any
  30 permit ip any any (55205 matches)

I'm assuming the purpose of this ACL is to allow your users access through the LAN interface and outbound to the internet DNS servers, which in this case you need:

  10 permit udp any host 67.69.184.212 eq domain
  20 permit udp any host 67.69.184.168 eq domain
  30 permit ip any any (55205 matches)

And you will need this inbound on your LAN interface, as in Users -------> LAN (inbound):

ip access-group 104 in

My apologies for the mixup.  I got too much going on today.

Message was edited by: Antonio Knox
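
The source/destination order discussed in this reply, as an added example that is not part of the original thread: a small Python matcher for the `host`/`any` forms of extended ACL entries, run against a DNS query from the LAN client. The client's source port and the function names are assumptions of this example.

```python
import ipaddress

PORTS = {"domain": 53, "www": 80, "smtp": 25}   # IOS port keywords used on this page
ORIGINAL_104 = [                                 # entries as first posted
    (10, "permit udp host 67.69.184.212 eq domain any"),
    (20, "permit udp host 67.69.184.168 eq domain any"),
    (30, "permit ip any any"),
]
CORRECTED_104 = [                                # entries as suggested in the reply
    (10, "permit udp any host 67.69.184.212 eq domain"),
    (20, "permit udp any host 67.69.184.168 eq domain"),
    (30, "permit ip any any"),
]

def parse_ace(line):
    """Parse 'permit <proto> <src> [eq port] <dst> [eq port]' (host/any forms only)."""
    tok = line.split()
    def endpoint(i):
        if tok[i] == "any":
            addr, i = None, i + 1
        else:                                    # 'host A.B.C.D'
            addr, i = ipaddress.ip_address(tok[i + 1]), i + 2
        port = None
        if i < len(tok) and tok[i] == "eq":
            port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        return (addr, port), i

    src, i = endpoint(2)
    dst, _ = endpoint(i)
    return tok[1], src, dst

def first_match(acl, proto, src_ip, src_port, dst_ip, dst_port):
    """Return the sequence number of the first matching entry, or None (implicit deny)."""
    pkt = ((ipaddress.ip_address(src_ip), src_port), (ipaddress.ip_address(dst_ip), dst_port))
    for seq, line in acl:
        ace_proto, src, dst = parse_ace(line)
        if ace_proto not in ("ip", proto):
            continue
        # None in an entry means 'any' address or 'any' port on that side.
        if all(want is None or want == got
               for side, seen in zip((src, dst), pkt)
               for want, got in zip(side, seen)):
            return seq
    return None

# Constructed packet: DNS query from LAN client 192.168.1.252 (source port made up).
QUERY = ("udp", "192.168.1.252", 50000, "67.69.184.212", 53)

print(first_match(ORIGINAL_104, *QUERY), first_match(CORRECTED_104, *QUERY))
```

The query only matches entry 30 in the original list and entry 10 in the corrected one, which is consistent with the match counters shown for ACL 104 earlier in the thread.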

Alright, I got the ACL straightened out but still no access. I decided to run a connection test on the inside interface through the GUI and I think I might have come up with the problem: my static/default routes.

My outside interface can run the test fine and I can ping from network -> dialer 1, but nothing is going from the network to the internet, not even to my DNS servers.

show ip-route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1

From the Running-config

ip route 0.0.0.0 0.0.0.0 Dialer1

I don't recall needing anything besides this to access the internet, maybe it is something else I am missing?

What are you seeing in the logs?  Try temporarily setting your logging buffer facility to informational (logging buffered informational) to see any ACL blocks logged.  As far as the route, if this was working before now, I don't see how this would be your issue.  If this isn't the case, try pointing your default route to a next hop address.
