
cisco router 1

Status
Not open for further replies.

gregworcester

IS-IT--Management
Mar 11, 2009
43
US
Hello Everyone

I hope someone can help me with this. Everything I have in the config is correct to the best of my limited knowledge, but for the life of me I cannot get out to the internet with this. Not getting DNS. I have a sneaking suspicion it is my access-list and have tried different orders, but to date nothing has worked. I also wonder if my overload statement is correct.



hostname WP2621
!
boot-start-marker
boot-end-marker
no aaa new-model
resource policy
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
dns-server 192.168.0.101
domain-name seg.net
!
! These are seg.net
ip name-server 206.34.181.15
ip name-server 206.34.181.16
! These are my ISP
ip name-server 69.24.0.2
ip name-server 69.24.8.2
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address dhcp
ip access-group 101 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 216.107.xxx.0
!
no ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/0 overload
!
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 deny ip any any



sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 216.107.224.0 to network 0.0.0.0

C 192.168.0.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 216.107.xxx.0
C 216.107.xxx.0/23 is directly connected, FastEthernet0/0



Output of debug IP packet


: tableid=0, s=192.168.0.101 (local), d=192.168.0.104 (FastEthernet0/1), route
: s=216.107.224.1 (FastEthernet0/0), d=255.255.255.255, len 328, rcvd 2
: tableid=0, s=192.168.0.101 (local), d=192.168.0.104 (FastEthernet0/1), route
: s=216.107.224.1 (FastEthernet0/0), d=255.255.255.255, len 328, rcvd 2


Any help would be very much appreciated!!!

Thanks
Greg Worcester
 
Then is this statement correct?

ip route 0.0.0.0 0.0.0.0 216.107.xxx.0

How do you know?
 
I am assuming it is; is it not a path to my WAN side? This is what I need help on. I did a static route as I am not running RIP.
 
A couple of things:
1) This does not seem right:
Code:
ip route 0.0.0.0 0.0.0.0 216.107.xxx.0
It is a network address and not a host address. The best thing to do with a DHCP-provided address is to list the exit interface as the next hop:
Code:
ip route 0.0.0.0 0.0.0.0 f0/0
2) Your NAT statement does not seem right. You should split your ACL 101 into two ACLs. Your ACL in this case should indicate which networks are permitted to be NATed:
Code:
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
Then go into ACL 101 and remove your first line.
3) Your ACL 101 should be applied inbound on f0/1. It is best practice to place extended access lists as close to the source as possible. If you were using a standard access list then your placement would be fine. It's not that it's adversely affecting anything, it's just best practice.
4) You may want to alter this ACE in ACL 101:
Code:
access-list 101 permit udp any eq domain any
to be this:
Code:
access-list 101 permit udp any any eq domain
Also, you may want to limit this only to your ISP DNS servers as opposed to any any to minimize any man-in-the-middle attacks that could happen.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
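To make point 4 above concrete, here is a small Python model of how IOS evaluates extended ACEs (first match wins, implicit deny at the end), run against a constructed LAN DNS query. This is an added illustration, not code from any post in this thread; it parses the thread's own ACL 101 lines, while the hardened list that limits DNS to the two ISP resolvers is an assumed variant of the suggestion and the port-name table covers only the keywords used in the thread.

```python
import ipaddress
from collections import namedtuple
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "pop3": 110, "smtp": 25}
Packet = namedtuple("Packet", "proto sip sport dip dport")

def _ip(s):
    return int(ipaddress.ip_address(s))
def _endpoint(tokens):
    # Consume 'any' | 'host A.B.C.D' | 'A.B.C.D wildcard', then an optional 'eq <port>'.
    tok = tokens.pop(0)
    if tok == "any":
        base, wild = 0, 0xFFFFFFFF
    elif tok == "host":
        base, wild = _ip(tokens.pop(0)), 0
    else:
        base, wild = _ip(tok), _ip(tokens.pop(0))
    port = None
    if tokens and tokens[0] == "eq":
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return base, wild, port
def parse_acl(text):
    # "access-list N action proto src [eq p] dst [eq p]"; written order is kept: first match wins.
    acl = []
    for line in text.strip().splitlines():
        t = line.split()
        rest = t[4:]
        acl.append((t[2], t[3], _endpoint(rest), _endpoint(rest)))
    return acl
def _match(endpoint, ip, port):
    base, wild, want = endpoint  # wildcard 1-bits are "don't care", so mask them out
    same_net = (_ip(ip) & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF)
    return same_net and (want is None or want == port)

def evaluate(acl, pkt):
    # Action of the first matching ACE; IOS ends every ACL with an implicit 'deny ip any any'.
    for action, proto, src, dst in acl:
        if proto in ("ip", pkt.proto) and _match(src, pkt.sip, pkt.sport) and _match(dst, pkt.dip, pkt.dport):
            return action
    return "deny"

# ACL 101 as first posted (the UDP-relevant lines), applied outbound on fa0/0 in the original config.
ORIGINAL_101 = parse_acl("""access-list 101 permit tcp 192.168.0.0 0.0.0.255 any
access-list 101 permit udp any eq domain any""")
# Assumed hardened variant: the corrected ACE, limited to the two ISP resolvers named in the thread.
HARDENED_101 = parse_acl("""access-list 101 permit udp 192.168.0.0 0.0.0.255 host 69.24.0.2 eq domain
access-list 101 permit udp 192.168.0.0 0.0.0.255 host 69.24.8.2 eq domain""")
# Constructed sample packets: a LAN client's DNS query (ephemeral source port, destination port 53).
DNS_QUERY = Packet("udp", "192.168.0.104", 51342, "69.24.0.2", 53)
STRAY_QUERY = Packet("udp", "192.168.0.104", 51342, "4.2.2.2", 53)
```

Running `evaluate(ORIGINAL_101, DNS_QUERY)` returns "deny": the original ACE only matches packets whose source port is 53 (replies), so the outbound query never matched and fell through to the deny, which is consistent with the "not getting DNS" symptom.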
 
Thanks for your help. I made the changes you suggested, but it is still not routing to the LAN. IE is giving me a DNS error still. Since I am not running RIP, do I perhaps need a static route for my internal network? I can ping google from the console port on the router, so it is there; I just need to complete the path.

Current config:

no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
domain-name seg.net
dns-server 69.24.0.2 69.24.8.2
!
ip name-server 206.34.181.15
ip name-server 206.34.181.16
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address dhcp
ip access-group 102 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface FastEthernet0/0 overload
!
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 deny ip any any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
 
I took the access list 102 off of the fa0/0 interface, and now my clients cannot contact the DHCP pool. Cisco can be so frustrating. Before, when I had the 101 access list going out on fa0/0, they could contact the pool. I also have an ADSL WIC card on the router; do you guys think I should go with this instead of the cheapo ADSL I am using?
 
Hello
What you're trying to do is very easy. You don't need to change technology. (In any case, what kind of connection are you using now?)
It's always better to start with a basic conf and work your way up. So you should get rid of the extended access-list, and remove this command "ip access-group 101 in" as Brianinms. Let all the traffic pass. Just use a simple access-list for NAT. Even a standard one will do.
Your Internet access should work with those simple steps.
Regards

 
Hi, thanks for your response.

I have reduced my config to the most basic. I created a standard access list permitting all. I can get an IP from the router pool. My ADSL modem is going into fa0/0. My LAN is on 0/1. fa0/0 is picking up an IP from the ISP. IE is still giving a DNS error.
My DNS servers from the ISP are:
69.24.0.2
69.24.8.2
Their name-servers are:
206.34.181.15
206.34.181.16
I think these are correct in my config, but I am not 100% sure. Correct me if I am wrong. This should work now, unless whatever I am missing is right in front of me.
And I am a CCNP, CCVP, CCDP.
Duh, can you believe it.

 
Hello
I do believe you are. But nothing beats on-the-job experience. Cisco certs don't prepare you for the real world. It's all just theory, which doesn't help you much in the field. Where I work, the Manager of IP Operations isn't even a CCNA. But boy, does he make CCIEs look like rookies.

In any case, back to your problem. Can you tell what kind of Internet connection you're using? Please try to ping 4.2.2.2 from the router to see if you can get to the Internet. Also ping from the PC and post a "show ip nat translation". For the DNS problem you can use another DNS server for testing; even 4.2.2.2 will do the job.
Regards
 
This is from an 831 that was connected to an ADSL modem. On an 831, Ethernet0 is the LAN, Ethernet1 is the WAN. I had the router set as an http server to facilitate CRWS. (I don't really know what I'm doing.) This config seemed to work OK:

Current configuration : 2706 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip subnet-zero
ip name-server 192.168.1.254
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.155 10.10.10.254
!
ip dhcp pool CLIENT
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit po max-events 100
no ftp-server write-enable
!
!
partition flash 2 10 2
!
!
!
no crypto isakmp enable
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
!
ip classless
ip http server
no ip http secure-server
ip nat inside source list 102 interface Ethernet1 overload
!
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred all
transport input all
transport output all
!
scheduler max-task-time 5000
!
end



HTH,

[the other] Bill
 
From a client PC can you dig or nslookup any DNS server? When you do, do you see NAT translations on the router? Have you tried logging any drops on the ACLs?

"And I am a CCNP, CCVP, CCDP.
Duh, can you believe it."

errr ... no!

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
"And I am a CCNP, CCVP, CCDP.
Duh, can you believe it."

I know a CCNP (on this forum) that had similar problems connecting his 2620XL to an ADSL modem. IIRC, he finally bought a WIC-1ADSL card and bypassed the modem.

I remember messing around with our 831 until it started talking to the ADSL modem. That's why I posted that running config.



[the other] Bill
 
DUDE...

int fa0/0
no ip access-group 102 out

int fa0/1
no ip access-group 101 in

Then try pinging from the router. If you cannot, then the ip name-server needs to be something else. You can't have a NAT ACL pointing to an interface and use the SAME ACL to filter outbound traffic! If anything, your ACLs are backwards...but take them both off since they're wrong anyway, then try to get to google FROM THE ROUTER! I have a 2620XM that I was unsuccessful with connecting the MODEM to, but the modem ended up being bad (had not noticed that the dog had tried eating it), so I got a WIC-1ADSL.

Burtness
 
Thanks for the response, burtsbees.

I tried your suggestion, nothing. Beginning to suspect that Speedstream ADSL modem. I do have an ADSL-WIC card in the router. Any chance of getting a sample of your config? Here is my most recent config that does not work. The only other thing I can think of is maybe I need client-id on the fa0/0 after dhcp?

ip dhcp excluded-address 192.168.0.2 192.168.0.101
ip dhcp excluded-address 192.168.0.249 192.168.0.254
!
ip dhcp pool whitepine
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.101
dns-server 69.24.0.2 69.24.8.2
!
!
interface ATM0/0
mac-address 0007.eb78.10c0
bandwidth 3000
no ip address
no ip redirects
no ip unreachables
ip route-cache flow
shutdown
no atm ilmi-keepalive
atm ilmi-pvc-discovery
dsl operating-mode auto
dsl enable-training-log
!
interface ATM0/0.35 point-to-point
ip address dhcp client-id FastEthernet0/0
no ip redirects
no ip unreachables
ip accounting output-packets
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/35
encapsulation aal5snap
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
!
interface FastEthernet0/1
ip address 192.168.0.101 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
router rip
version 2
network 192.168.0.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
 