Cisco 2821

Status
Not open for further replies.

gregworcester

IS-IT--Management
Mar 11, 2009
43
US
Hi Guys,

Trying to set up a new 2821 router. I can ping 4.2.2.2, Google etc. from the console of the router, but can't seem to ping anything on my inside network. Config is below.


MadisonEl# wr
Building configuration...
[OK]
MadisonEl#
%Error opening tftp://255.255.255.255/network-confg (Timed out)
MadisonEl#
MadisonEl#sh run
Building configuration...

Current configuration : 2544 bytes
!
! Last configuration change at 16:35:19 EST Sun Aug 8 2010
! NVRAM config last updated at 16:59:17 EST Sun Aug 8 2010
!
version 15.0
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MadisonEl
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$D5I5$W77uajPJfhug38FGQmo810
!
no aaa new-model
clock timezone EST -5
clock summer-time EST recurring
!
no ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.0.2 192.168.0.20
ip dhcp excluded-address 192.168.0.240 192.168.0.254
!
ip dhcp pool madison
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
!
!
ip name-server 69.24.0.2
ip name-server 69.24.8.2
ntp max-associations 20
multilink bundle-name authenticated
!
!
!
license udi pid CISCO2821 sn FTX1429AHAP
!
!
!
!
!
!
interface GigabitEthernet0/0
description Outside Interface
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip forward-protocol nd
!
!
ip http server
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 192.168.0.0 255.255.255.0 216.107.224.0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp any any eq pop3 log-input
access-list 101 permit tcp any any eq smtp log-input
access-list 101 permit tcp any any eq ftp log-input
access-list 101 permit udp any any eq tftp log-input
access-list 101 permit udp any eq domain any log-input
access-list 101 permit tcp any any established log-input
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any log-input
access-list 101 permit tcp any any eq 23460
access-list 101 permit udp any any eq 2967
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq 5900
!
snmp-server community Madison RO
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password mustangca
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
ntp source GigabitEthernet0/0
ntp master
ntp server 66.70.29.130
ntp server 198.200.182.10
ntp server 67.106.77.184
ntp server 64.247.17.253
end

Any help would be greatly appreciated.
 
ACL 101 is probably stopping responses coming back ...
All ACLs end with deny any any, so you'll have to allow ICMP out.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
 
Your NAT pool should be pointing to the outside interface: "ip nat inside source list 1 interface GigabitEthernet0/0 overload", not "ip nat inside source list 1 interface GigabitEthernet0/1 overload".
 
Thanks for the reply Quinceocha. I changed the overload statement to the outside interface. Now I can't ping from the router console. This one is being a pain.
New config:

no ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.0.2 192.168.0.20
ip dhcp excluded-address 192.168.0.240 192.168.0.254
!
ip dhcp pool madison
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.200
!
!
ip domain name yourdomain.com
ip name-server 69.24.0.2
ip name-server 69.24.8.2
ntp max-associations 20
multilink bundle-name authenticated
!
!
!
!
interface GigabitEthernet0/0
description Outside Interface
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ntp disable
no cdp enable
!
interface GigabitEthernet0/1
description $ES_LAN$
no ip address
ip access-group 105 in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1.200
description Local Lan
encapsulation dot1Q 200 native
ip address 192.168.0.200 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 192.168.0.0 255.255.255.0 216.107.224.0
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 permit tcp any any eq pop3 log-input
access-list 101 permit tcp any any eq smtp log-input
access-list 101 permit tcp any any eq ftp log-input
access-list 101 permit udp any any eq tftp log-input
access-list 101 permit udp any eq domain any log-input
access-list 101 permit tcp any any established log-input
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any log-input
access-list 101 permit tcp any any eq 23460
access-list 101 permit udp any any eq 2967
access-list 101 permit tcp any any eq 8080
access-list 101 permit tcp any any eq 5900
access-list 105 permit ip any any
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp master
ntp server 66.70.29.130
ntp server 198.200.182.10
ntp server 67.106.77.184
ntp server 64.247.17.253
end

Thanks for any help.
 
Got this working. Used the built-in CPExpress. So much for my manual config skills. Think it was the name servers in the dhcp pool and a few other things. Thanks
 
It wasn't the name servers if you couldn't ping IPs in the inside network. I think the ACL was a good place to start, since it would have been a showstopper for outbound ICMP traffic (like ping) on that interface, which was already pointed out. The following was added to your LAN-side link, but not your WAN-side link, which would explain why ICMP can't get into the LAN but you could ping public addresses:

ip access-group 101 out

I suspect the Wizard utility either refined ACL 101, or removed that entry.

Also, I suggest getting rid of ACL 105 since it currently serves no purpose. It's just a permit to all, and it's applied only as an access group for inbound filtering. That does nothing but make the config less efficient.

CCNP, CCDP
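As an added example (not code from anyone in this thread), a small Python lint that reads a flattened IOS config of the kind pasted above and flags the two problems the replies identified: an access-group applied to an interface whose ACL never permits icmp (so the implicit deny drops ping), and a NAT overload statement naming an interface that is not marked "ip nat outside". The SAMPLE_CONFIG is a constructed, abridged excerpt modelled on the first posted config, not the real paste.

```python
import re

# Constructed, abridged excerpt modelled on the thread's first config (hypothetical sample).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
ip nat outside
!
interface GigabitEthernet0/1
ip access-group 101 out
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit udp any eq domain any log-input
access-list 101 permit tcp any any established log-input
"""

def parse(config):
    """Split a flattened IOS config (blocks delimited by '!', as in the paste, so
    indentation is not relied on) into interface blocks, ACL rules and global lines."""
    interfaces, acls, globals_, current = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if not line or line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+)", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        else:
            globals_.append(line)
    return interfaces, acls, globals_

def lint(config):
    """Report the two misconfigurations discussed in the thread."""
    interfaces, acls, globals_ = parse(config)
    findings = []
    for name, lines in interfaces.items():
        for l in lines:
            # Every IOS ACL ends in an implicit 'deny any': applied outbound on the LAN
            # interface it drops ping toward the LAN unless icmp (or ip any any) is permitted.
            m = re.match(r"ip access-group (\d+) (in|out)", l)
            if m and not any(a == "permit" and p in ("icmp", "ip") for a, p in acls.get(m.group(1), [])):
                findings.append(f"ACL {m.group(1)} {m.group(2)} on {name}: no icmp permit, implicit deny drops ping")
    for g in globals_:
        # NAT overload must borrow the address of the interface marked 'ip nat outside'.
        m = re.match(r"ip nat inside source list \d+ interface (\S+) overload", g)
        if m and "ip nat outside" not in interfaces.get(m.group(1), []):
            findings.append(f"NAT overload uses {m.group(1)}, which is not 'ip nat outside'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Applying the two fixes from the replies (overload on GigabitEthernet0/0 and an icmp permit in ACL 101) makes lint() return an empty list.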
 