|
Mbohnen41
Anon
2014-Apr-7 4:12 pm
[HELP] Setting up Cisco 2621 for home use. Can't get to outside world.
I will apologize up front and say I'm sorry, because I am new to all this. I have the basics of the config setup but am unable to get to the outside world. If anyone could help with the config and what commands I would need to do it, it would be greatly appreciated. I have a Cisco 2621 router, using it for home use to a cable modem. Below is the config.
Current configuration : 895 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$z3Q9$m6csZdfLmt2LpJR2/ArW4.
enable password
!
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip dhcp pool lan
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 8.8.8.8
!
!
!
!
!
!
interface FastEthernet0/0
 description Lan
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end |
|
tubbynet reminds me of the danse russe MVM join:2008-01-16 Gilbert, AZ |
said by Mbohnen41:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
get rid of this. dhcp will hand you a static route.
q. |
|
|
Mbohnen41
Anon
2014-Apr-7 5:00 pm
Nope, still no outside. I get an IP, just can't get to the outside. |
|
|
to Mbohnen41
Any other ideas? It's got to be something simple, I mean there's, what, half a page of config here. |
|
cramer Premium Member join:2007-04-10 Raleigh, NC |
to Mbohnen41
ip nat inside source list 1 interface FastEthernet0/0 overload
F0/0 is the inside interface.
|
|
|
|
Sorry I'm getting what you are saying. Yes fa 0/0 is the inside interface. |
|
mbohnen4 |
Geesh can't type either. I don't understand what you are wanting me to do. Yes FA 0/0 is the inside interface. |
|
tubbynet reminds me of the danse russe MVM join:2008-01-16 Gilbert, AZ |
said by mbohnen4:
Geesh can't type either. I don't understand what you are wanting me to do. Yes FA 0/0 is the inside interface.
read up on nat statements. you're trying to nat to the inside interface with that command. this needs to be the external interface.
q. |
|
|
to Mbohnen41
For the avoidance of doubt...
ip nat inside source list 1 interface FastEthernet0/0 overload
should be
ip nat inside source list 1 interface FastEthernet0/1 overload
I'd add
ip dhcp excluded-address 192.168.1.254
to prevent dhcp giving out the default gateway address by mistake. Yes it's VERY unlikely but a larger network will almost certainly need some addresses removed from the DHCP pool so get used to doing it sooner rather than later. |
|
|
Awesome!! Knew it had to be something simple. Thanks all, I am getting to the outside now. |
|
|
Best get a firewall running then! |
|
|
to Mbohnen41
Since we're making suggestions for improvements...
said by Mbohnen41:
ip http server
Will want to remove this line... HTTP server on an IOS router is a big no-no from a security perspective. I also second markysharkey's suggestion of getting some sort of actual firewall in place. You should be able to use reflexive ACLs, but if you're the paranoid type, I'd go for something stronger.
My 00000010bits
Regards |
|
|
aryoba
MVM
2014-Apr-8 12:51 pm
said by HELLFIRE:
Since we're making suggestions for improvements...
said by Mbohnen41:
ip http server
Will want to remove this line... HTTP server on an IOS router is a big no-no from a security perspective.
I have to disagree since the HTTP server feature activation itself is not the no-no. Instead the access to the router itself (either by telnet, ssh, console, HTTP) is a concern when it is open to any incoming IP address. |
|
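An added example, not part of any post in this thread: a small Python check over the relevant lines of the original config (reproduced as a constructed sample) that flags the NAT overload statement pointing at an interface not marked `ip nat outside`, plus the management-access points raised above (`ip http server` with no `ip http access-class`, vty lines with no `access-class`). The function and finding names are made up for this example.

```python
import re

# Constructed sample: the relevant lines of the config from the first post.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
ip nat inside source list 1 interface FastEthernet0/0 overload
ip http server
access-list 1 permit 192.168.1.0 0.0.0.255
line vty 0 4
 login
"""

def parse_blocks(text):
    """Map each top-level IOS line to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue  # skip blank lines and '!' separators
        if raw[0] == " ":
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line
            blocks[current] = []
    return blocks

def audit(text):
    """Return finding names (hypothetical labels) in config order."""
    blocks, findings = parse_blocks(text), []
    for top in blocks:
        m = re.match(r"ip nat inside source list \S+ interface (\S+) overload", top)
        if m and "ip nat outside" not in blocks.get("interface " + m.group(1), []):
            findings.append("nat-overload-not-on-outside:" + m.group(1))
        if top == "ip http server" and not any(t.startswith("ip http access-class") for t in blocks):
            findings.append("http-server-no-access-class")
        if top.startswith("line vty") and not any(s.startswith("access-class") for s in blocks[top]):
            findings.append("vty-without-access-class")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```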
|
Crazy question... has anyone seen a production environment where IOS HTTP/S was enabled and used? You've got more experience than I could ever dream of having, aryoba, but I personally can't think of an environment where it was turned on that I ran into...
Regards |
|
cramer Premium Member join:2007-04-10 Raleigh, NC |
cramer
Premium Member
2014-Apr-8 9:06 pm
Does webvpn count? |
|
|
to HELLFIRE
For those that have web-based centralized management software such as CSM (Cisco Security Manager), HTTP access is needed. And yes, there are those who prefer to use GUI to manage or at least to run reports on |
|
|
@cramer I'll have to double-check, but I thought doing SSL VPN didn't need "ip http/s server" enabled.
@aryoba Like I said, you've got more experience than I could ever dream of having.... Safe to say tho OP likely isn't going to be running any of that stuff, and should lock down his config according to best practices...
Regards |
|
|
waka to mbohnen4
Anon
2014-Apr-10 11:34 pm
to mbohnen4
Hello mbohnen4,
What changes were made on your router to get access to the internet? I'm having a similar issue, can you show your last config. that fixed the problem?
Thank You. |
|
|
About the middle of the page...
quote:
ip nat inside source list 1 interface FastEthernet0/0 overload
should be
ip nat inside source list 1 interface FastEthernet0/1 overload
|
|
|
to Mbohnen41
@ mbohnen4 Cannot 2nd cramer and markysharkey enough. I'm surprised something as ancient as the 26xx can even get it up to 26Mbps bare metal. Regards |
|
|
Well crap. Guess it's back to eBay with this thing. Just bought it too. So you all are saying I need to get at least a 2800 Cisco to get my speeds back? |
|
|
aryoba
MVM
2014-Apr-11 12:01 pm
There is a reason why 2600 series models are dirt cheap |
|
|
to mbohnen4
I'm sure there are other routers that will give you the speed, but the 28xx are reasonably cost effective. There are performance documents over on cisco.com, including numbers with services running. If I can find the url I'll post it, otherwise you'll just have to search for it. |
|
|
to mbohnen4
What's your budget? |
|
|
to Mbohnen41
Haven't benchmarked any of the 28xx's extensively myself, but a) watch out for the 2801 and 2811s... you're probably looking around a 2821 or 2851 to do full services on this series, and b) I'd handily recommend an 1811 / 1812, or an ASA 5505.
Last I saw, 1811 / 1812 could be had for around $200 USD, plus there's documented proof in the forum FAQ what you can push with services.
My 00000010bits
Regards |
|
tubbynet reminds me of the danse russe MVM join:2008-01-16 Gilbert, AZ |
said by HELLFIRE:
you're probably looking around a 2821 or 2851 to do full services on this series,
define "full services". i've got light cbac, acls, nat, and voice running on my 2821. it could probably do 60meg (it maxes at about 22% cpu with the torrent machine wide open at max on a 25meg cable line). 2851 should handle it no sweat. but then again -- define "full services".
q. |
|
|
...that's really up to the OP, now isn't it tubbynet ... but thanks for pointing out that OP should mention what other config(s) this needs to take, if any -- firewall, IDS/IPS, VPN, crypto, QOS, BGP, etc. Regards |
|
tubbynet reminds me of the danse russe MVM join:2008-01-16 Gilbert, AZ |
this is the biggest cpu-suck on the isr platform. q. |
|
|
I saw with my own eyes and my own gear the proof of that Regards |
|
TomS_Git-r-done MVM join:2002-07-19 London, UK |
to tubbynet
said by tubbynet:
define "full services".
All the everythings! Naturally. |
|