JohnD

@194.75.225.x

[Config] Cisco 1921/k9 no wan / internet connectivity

I am unable to get internet / WAN connectivity. Can anyone spot what I have missed in this config?

BSCMAIN#sh conf
Using 3857 out of 262136 bytes
!
! Last configuration change at 07:09:10 UTC Tue May 29 2012 by johnduck
! NVRAM config last updated at 07:09:20 UTC Tue May 29 2012 by johnduck
! NVRAM config last updated at 07:09:20 UTC Tue May 29 2012 by johnduck
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BSCMAIN
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 XXXXX
enable password XXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
no process cpu extended history
no process cpu autoprofile hog
!
no ipv6 cef
!
!
!
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool Client
import all
network 192.168.2.0 255.255.255.0
domain-name test.local
dns-server xxx.xx.x.x xxx.xx.xx.xxx
default-router 192.168.2.1
option 150 ip xxx.xx.xx.xx
lease infinite
!
!
ip name-server xxx.xx.x.xx
ip name-server xxx.xx.xx.xxx
ip cef
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXX
!
!
crypto pki certificate chain TP-self-signed-295657481
certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
license udi pid CISCO1921/K9 sn XXXXX
!
!
username XXXXX privilege 15 password 0 XXXXX
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no cdp enable
!
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description $ETH-WAN$
ip address xxx.xx.xx.xx 255.255.255.240
ip nat outside
no ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
ip default-gateway xxx.xx.xxx.xx
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip default-network 192.168.2.1
ip default-network 192.168.2.0
ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.xx
!
ip access-list extended FROM_INET
permit udp any eq ntp any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit ip host 92.118.118.40 any
permit ip 193.92.74.0 0.0.0.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.0.0.0 0.0.0.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 198.18.0.0 0.1.255.255 any
deny ip 198.51.100.0 0.0.0.255 any
deny ip 203.0.113.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
permit esp any host 194.75.225.34
permit udp any host 194.75.225.34 eq isakmp
permit udp any host 194.75.225.34 eq non500-isakmp
permit ahp any host 194.75.225.34
deny udp any host 194.75.225.34 eq snmp
deny udp any host 194.75.225.34 eq snmptrap
deny tcp any host 194.75.225.34 eq 22
deny tcp any host 194.75.225.34 eq telnet
deny tcp any host 194.75.225.34 eq www
deny tcp any host 194.75.225.34 eq 8082
!
no service-routing capabilities-manager
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!
!
snmp-server community XXXXX RO
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password XXXXX
transport input all
!
scheduler allocate 20000 1000
!
end


SYNner

@tds.net
I would get rid of the ip default-gateway and ip default-network to start with. ip default-gateway is only configured when ip routing is disabled on a router. Your ip default-network flags your internal network as a candidate for the gateway of last resort and since it's pointing to your internal network, that doesn't work very well for machines trying to connect to the internet.

What is your default gateway?

Is the address in: ip route 0.0.0.0 0.0.0.0 xxx.xx.xxx.xx

pointing to the other end of your gig 0/1 connection?

r2d2

join:2012-05-29
reply to JohnD
Remove ip default gateway xxx.xxx.xxx
Remove ip default-network xxx.xxx.xxx
Keep ip route 0.0.0.0 0.0.0.0 x.x.x.x.
Enable ip routing on your router as I did not see it in your configuration.

Verify with sh int Gi0/1 that the interface is up/up and that it has no errors, and check to see if your routing is in place with sh ip route.


TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:5
reply to JohnD
edit: well, most of the below has already been asked/pointed out. I guess that's what happens when you write something up then walk away from the keyboard for a while and decide to post anyway. :-P

The config is simple enough that I can't spot anything glaringly wrong.

What troubleshooting steps have you performed?

Are your interfaces up/up?

What does the routing table look like, and does your default route appear in it?

Can any of your PCs ping the router?

From the router can you ping the gateway IP "xxx.xx.xx.xx"? (i.e. can you even get any form of data transfer across the WAN.)

From the router, sourcing a ping from Gi0/0, can you ping the gateway IP "xxx.xx.xx.xx"? (i.e. is NAT configured and working properly.)

IMO you also have "conflicting" configuration, e.g. specifying "ip default-gateway" and a default route. My rule of thumb: if you enable routing, only use routes. If you disable routing, use the "ip default-gateway" command. One or the other, but not both at the same time.

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to JohnD
Was looking at this earlier today, and didn't see the obvious ones usually seen around here, i.e. 'no ip routing' and missing NAT config.

Does 'show ip nat translation' show anything?

Regards


JohnD

@194.75.225.x
reply to JohnD
I have done as suggested. I can ping from a cmd window both router and external IP, but no www?

hestonk

join:2011-11-17
Vancouver, BC
Just want to clarify - you can ping the external IP of the router's Gig0/1 interface?

Try pinging the next hop from that interface, aka the xxx.xxx.xxx.xxx ip listed in your ip route.

Something else you can try is hooking your PC directly to the "WAN" connection and statically configuring the NIC with the IP, subnet mask, and default gateway to see if you can ping the next hop...

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to JohnD
You've removed all the IPs that would be helpful for us to see, but then leave public addresses in the access list nothing references. ???

Things to check...
- check outside IP address and netmask are correct
- check default route (ip route 0.0.0.0 0.0.0.0 ...) is correct
- make sure the router can ping its gateway from both interfaces
- check that the router can ping an outside IP (8.8.8.8 google dns) from both interfaces
- make sure the dns server addresses are correct (for DHCP pools and the router if you want it to resolve names "ip name-server ...")
- check the network setting on the internal host(s) ("ipconfig /all", etc.)
- make sure internal hosts can ping the router (both interfaces)
- check if an internal host can ping an outside address
- make sure the internal hosts can ping the DNS servers
- check if internal hosts can resolve DNS (nslookup, etc.)

If your DNS servers are inside the network, first try to resolve something they already know -- or it will have to query an outside DNS server which may be failing. Then ask for something it doesn't know. If it cannot resolve external addresses, then it's an internal DNS server issue -- most likely a security setting making it unhappy with non-port 53 traffic.

Unless there are typos with the masked addresses, I don't see anything wrong with that configuration. (or there's something related to the service module in that router that we aren't seeing in the config.)
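
A small Python check for the config points raised in this thread: `ip default-gateway` left in place while routing is enabled, `ip default-network` aimed at the inside LAN, and an access list that nothing references. This is an added example, not code from any poster; the `audit` function, its finding names and the documentation-range WAN addresses in the sample are assumptions made here.

```python
import ipaddress
import re
# Constructed excerpt modelled on the posted config; WAN addresses are placeholders.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.240
 ip nat outside
ip default-gateway 203.0.113.1
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip default-network 192.168.2.0
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip access-list extended FROM_INET
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""

def audit(config):
    """Return sorted finding codes for an IOS config given as one string."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    text = "\n".join(lines)
    found = set()
    routing = "no ip routing" not in lines      # IOS routes unless disabled
    if routing and re.search(r"^ip default-gateway ", text, re.M):
        found.add("default-gateway-unused-while-routing")
    if routing and not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ", text, re.M):
        found.add("no-static-default-route")
    inside, net = [], None      # networks of interfaces marked "ip nat inside"
    for l in lines:
        m = re.match(r"ip address (\S+) (\S+)$", l)
        if l.startswith("interface "):
            net = None
        elif m:
            net = ipaddress.ip_interface("/".join(m.groups())).network
        elif l == "ip nat inside" and net:
            inside.append(net)
    for target in re.findall(r"^ip default-network (\S+)$", text, re.M):
        if any(ipaddress.ip_address(target) in n for n in inside):
            found.add("default-network-points-inside:" + target)
    # ACLs defined but never applied; only these common references are checked.
    defined = set(re.findall(r"^ip access-list \w+ (\S+)$", text, re.M))
    defined |= set(re.findall(r"^access-list (\d+) ", text, re.M))
    used = set(re.findall(r"(?:access-group|access-class| list) (\S+)", text))
    found |= {"acl-never-referenced:" + a for a in defined - used}
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The address parsing expects real values, so the masked `xxx` addresses in the posted config would have to be filled in before running it against the full file.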


JohnD

@194.75.225.x
I have resolved the issues with your help. I did as above but it still was not working. There is another port, Embedded service engine. I closed this port and all is fine now.

HELLFIRE
Premium
join:2009-11-25
kudos:20
reply to JohnD
1921 IIRC doesn't have a service module... wonder how it fit into everything.

Glad you got it working though JohnD

Regards