Cisco 871 can't reach the internet, NAT problem?

evob

IS-IT--Management
Apr 16, 2008
13
NL
Hi,

I have a problem when configuring a Cisco 871.
I can ping external IPs from the console session on the 871.

But I cannot reach the internet from my internal network.
I think this is a NAT problem.

I'm stuck after two days of trying.

Can anybody have a look at the config?
The IP of my ADSL router is bridged to the Cisco 871.
It's applied to interface FastEthernet4.

My internal network is 192.168.200.x

Can somebody see what I've done wrong?

Thanks,

evob


The config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret ******
enable password ******
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip routing
no ip cef
!
!
!
!
ip name-server 195.234.3.34
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 103 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.200.253 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache
ip tcp adjust-mss 1452
!
ip classless
!
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 75.0.0.0 0.255.255.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.200.0 0.0.0.255 any
access-list 101 permit icmp any host 75.83.130.234 echo-reply
access-list 101 permit icmp any host 75.83.130.234 time-exceeded
access-list 101 permit icmp any host 75.83.130.234 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 192.168.200.0 0.0.0.255 any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ******
login
!
scheduler max-task-time 5000
end
 
You have routing disabled:
no ip routing

Issue a
ip routing

and see if that fixes it. If there are still problems, provide a default route.

----------------------------------
Bill
 
ip route 0.0.0.0 0.0.0.0 dhcp

or
ip route 0.0.0.0 0.0.0.0 FastEthernet4



----------------------------------
Bill
 
access-list 103 deny ip 192.168.200.0 0.0.0.255 any
Why is that there? That's denying your own subnet back in!

Burt
 
It's because 103 is the internet incoming ACL and it has a deny all on it anyways and doesn't matter because ip inspect is in charge of letting the traffic back in :D



----------------------------------
Bill
 
He's got it outbound (the firewall rule), and I didn't see the deny any any log on ACL 103...lol
The default route and "ip routing" sure do help...lol

Burt
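
Added example, not part of the original thread or of any poster's reply: a small Python check that reads a configuration like the one posted and reports what keeps inside hosts from being routed and translated by the overload rule. The names audit_nat, POSTED and FIXED and the finding strings are this example's own; it assumes standard ACL entries with contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread: only the lines
# these checks read. Indentation is optional, so the unindented post parses too.
POSTED = """\
no ip routing
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
interface Vlan1
 ip address 192.168.200.253 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.200.0 0.0.0.255
"""

def audit_nat(config):
    """List what stops inside hosts from being routed and translated (PAT)."""
    lines = [raw.strip() for raw in config.splitlines()]
    findings, iface, role, nets, acl, rule = [], None, {}, {}, {}, None
    for line in lines:
        words = line.split()
        if line.startswith("interface "):
            iface = words[1]
        elif words[:2] == ["ip", "nat"] and len(words) == 3:
            role[iface] = words[2]                  # "inside" or "outside"
        elif re.fullmatch(r"ip address [\d.]+ [\d.]+", line):
            nets[iface] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif m := re.fullmatch(r"access-list (\S+) permit ([\d.]+) ([\d.]+)", line):
            # ipaddress accepts a host (wildcard) mask after the slash.
            acl.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            rule = (m[1], m[2])                     # (ACL name, outside interface)
    if "no ip routing" in lines:
        findings.append("routing-disabled")
    # The replies suggest a static default route if enabling routing is not enough.
    if not any(l.startswith("ip route 0.0.0.0 0.0.0.0 ") for l in lines):
        findings.append("no-static-default-route")
    if rule is None:
        return findings + ["no-overload-rule"]
    if role.get(rule[1]) != "outside":
        findings.append("overload-interface-not-nat-outside")
    for name, net in nets.items():
        if role.get(name) == "inside" and not any(net.subnet_of(a) for a in acl.get(rule[0], [])):
            findings.append(f"acl-{rule[0]}-misses-{net}")
    return findings

# The posted excerpt with the two changes suggested in the replies applied.
FIXED = POSTED.replace("no ip routing", "ip routing") + "ip route 0.0.0.0 0.0.0.0 dhcp\n"
```
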
 