Mbohnen41
@spcsdns.net

Mbohnen41

Anon

[HELP] Setting up Cisco 2621 for home use. Can't get to outside world.

I will apologize up front and say I'm sorry, since I am new to all this. I have the basics of the config setup but am unable to get to the outside world. If anyone could help with the config and what commands I would need to do it, it would be greatly appreciated. I have a Cisco 2621 router, using it for home use to a cable modem. Below is the config.

Current configuration : 895 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$z3Q9$m6csZdfLmt2LpJR2/ArW4.
enable password
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip dhcp pool lan
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 8.8.8.8
!
!
!
!
!
!
interface FastEthernet0/0
description Lan
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN
ip address dhcp
ip nat outside
duplex auto
speed auto
no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by Mbohnen41 :

ip route 0.0.0.0 0.0.0.0 FastEthernet0/1

get rid of this.
dhcp will hand you a static route.

q.

Mbohnen41
@spcsdns.net

Mbohnen41

Anon

Nope, still no outside. I get an IP, just can't get to the outside.
mbohnen4
join:2014-04-07

mbohnen4 to Mbohnen41

Member

to Mbohnen41
Any other ideas? It's got to be something simple, I mean there's, what, half a page of config here.
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer to Mbohnen41

Premium Member

to Mbohnen41
ip nat inside source list 1 interface FastEthernet0/0 overload

F0/0 is the inside interface.
mbohnen4
join:2014-04-07

mbohnen4

Member

Sorry I'm getting what you are saying. Yes fa 0/0 is the inside interface.
mbohnen4

mbohnen4

Member

Geesh can't type either. I don't understand what you are wanting me to do. Yes FA 0/0 is the inside interface.

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by mbohnen4:

Geesh can't type either. I don't understand what you are wanting me to do. Yes FA 0/0 is the inside interface.

read up on nat statements.
you're trying to nat to the inside interface with that command.
this needs to be the external interface.

q.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to Mbohnen41

Premium Member

to Mbohnen41
For the avoidance of doubt...

ip nat inside source list 1 interface FastEthernet0/0 overload
should be
ip nat inside source list 1 interface FastEthernet0/1 overload

I'd add ip dhcp excluded-address 192.168.1.254 to prevent dhcp giving out the default gateway address by mistake. Yes it's VERY unlikely but a larger network will almost certainly need some addresses removed from the DHCP pool so get used to doing it sooner rather than later.
mbohnen4
join:2014-04-07

mbohnen4

Member

Awesome!! Knew it had to be something simple. Thanks all, I am getting to the outside now.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

Best get a firewall running then!
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Mbohnen41

MVM

to Mbohnen41
Since we're making suggestions for improvements...
said by Mbohnen41 :

ip http server

Will want to remove this line... HTTP server on an IOS router is a big no-no from a security perspective.
I also second markysharkey's suggestion of getting some sort of actual firewall in place. You should be able to use reflexive ACLs, but if you're the paranoid type, I'd go for something stronger.

My 00000010bits

Regards
aryoba
MVM
join:2002-08-22

aryoba

MVM

said by HELLFIRE:

Since we're making suggestions for improvements...

said by Mbohnen41 :

ip http server

Will want to remove this line... HTTP server on an IOS router is a big no-no from a security perspective.

I have to disagree since the HTTP server feature activation itself is not the no-no. Instead the access to the router itself (either by telnet, ssh, console, HTTP) is a concern when it is open to any incoming IP address.
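
As an added example (not part of the thread and not Cisco tooling): a small Python check for the two issues raised above, the overload rule bound to the inside interface and management access (HTTP, vty) left open to any source address. The `audit` function, its finding labels and the trimmed sample config are assumptions made for illustration.

```python
import re

# Constructed sample: the relevant lines of the config posted at the top of the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
line vty 0 4
 login
"""

NAT_RULE = re.compile(r"ip nat inside source list \S+ interface (\S+) overload")

def audit(config):
    """Return findings (labels are hypothetical) for indented or flattened IOS text."""
    nat_role, overload_ifs, open_vty = {}, [], []
    iface = vty = None
    http_on = http_acl = False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            iface, vty = line.split(None, 1)[1], None
        elif line.startswith("line "):
            iface = None
            vty = line if line.startswith("line vty") else None
            if vty:
                open_vty.append(vty)          # open until an access-class is seen
        elif line in ("", "!"):
            iface = vty = None                # "!" closes the current section
        elif iface and line in ("ip nat inside", "ip nat outside"):
            nat_role[iface] = line.split()[-1]
        elif vty and line.startswith("access-class ") and vty in open_vty:
            open_vty.remove(vty)
        elif line == "ip http server":
            http_on = True
        elif line.startswith("ip http access-class "):
            http_acl = True
        elif NAT_RULE.match(line):
            overload_ifs.append(NAT_RULE.match(line).group(1))
    findings = [f"nat-overload-on-{nat_role.get(i, 'unmarked')}-interface:{i}"
                for i in overload_ifs if nat_role.get(i) != "outside"]
    if http_on and not http_acl:
        findings.append("http-server-without-access-class")
    findings += [f"no-access-class:{v}" for v in open_vty]
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports the FastEthernet0/0 overload rule, the unrestricted HTTP server and the vty lines without an `access-class`.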
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

Crazy question... has anyone seen a production environment where IOS HTTP/S was enabled and used?
You've got more experience than I could ever dream of having aryoba, but I personally can't
think of an environment where it was turned on that I ran into...

Regards
cramer
Premium Member
join:2007-04-10
Raleigh, NC

cramer

Premium Member

Does webvpn count?
aryoba
MVM
join:2002-08-22

aryoba to HELLFIRE

MVM

to HELLFIRE
For those that have web-based centralized management software such as CSM (Cisco Security Manager), HTTP access is needed. And yes, there are those who prefer to use GUI to manage or at least to run reports on
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

@cramer
I'll have to double-check, but I thought doing SSL VPN didn't need "ip http/s server" enabled.

@aryoba
Like I said, you've got more experience than I could ever dream of having....

Safe to say tho OP likely isn't going to be running any of that stuff, and should lock down his config according to best practices...

Regards

waka
@rr.com

waka to mbohnen4

Anon

to mbohnen4
Hello mbohnen4,

What changes were made on your router to get access to the internet? I'm having a similar issue, can you show your last config. that fixed the problem?

Thank You.
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

About the middle of the page...
quote:
ip nat inside source list 1 interface FastEthernet0/0 overload
should be
ip nat inside source list 1 interface FastEthernet0/1 overload

HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Mbohnen41

MVM

to Mbohnen41
@mbohnen4
Cannot 2nd cramer and markysharkey enough. I'm surprised something as ancient as the 26xx
can even get it up to 26Mbps bare metal.

Regards
mbohnen4
join:2014-04-07

mbohnen4

Member

Well crap. Guess it's back to eBay with this thing. Just bought it too.
So you all are saying I need to get at least a 2800 cisco to get my speeds back?
aryoba
MVM
join:2002-08-22

aryoba

MVM

There is a reason why 2600 series models are dirt cheap
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey to mbohnen4

Premium Member

to mbohnen4
I'm sure there are other routers that will give you the speed, but the 28xx are reasonably cost effective. There are performance documents over on cisco.com, including numbers with services running. If I can find the url I'll post it, otherwise you'll just have to search for it.

DaSneaky1D
what's up
MVM
join:2001-03-29
The Lou

DaSneaky1D to mbohnen4

MVM

to mbohnen4
What's your budget?
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Mbohnen41

MVM

to Mbohnen41
Haven't benchmarked any of the 28xx's extensively myself, but a) watch out for the 2801 and 2811s... you're
probably looking around a 2821 or 2851 to do full services on this series, and b) I'd handily recommend an
1811 / 1812, or an ASA 5505.

Last I saw, 1811 / 1812 could be had for around $200 USD, plus there's documented proof in the forum FAQ
what you can push with services.

My 00000010bits

Regards

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by HELLFIRE:

you're
probably looking around a 2821 or 2851 to do full services on this series,

define "full services".
i've got light cbac, acls, nat, and voice running on my 2821. it could probably do 60meg (it maxes at about 22% cpu with the torrent machine wide open at max on a 25meg cable line).
2851 should handle it no sweat.

but then again -- define "full services".

q.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

...that's really up to the OP, now isn't it tubbynet... but thanks for pointing out
that OP should mention what other config(s) this needs to take, if any -- firewall, IDS/IPS,
VPN, crypto, QOS, BGP, etc.

Regards

tubbynet
reminds me of the danse russe
MVM
join:2008-01-16
Gilbert, AZ

tubbynet

MVM

said by HELLFIRE:

IDS/IPS

this is the biggest cpu-suck on the isr platform.

q.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE

MVM

I saw with my own eyes and my own gear the proof of that

Regards

TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

TomS_ to tubbynet

MVM

to tubbynet
said by tubbynet:

define "full services".

All the everythings! Naturally.