New Cisco 871 Router Can't Get on Internet


mtarnowski

Technical User
Dec 28, 2008
I'm trying to set up a new Cisco 871 router, and I've gone through many different configurations and I still cannot access the internet. I'm pretty sure that it's my access-lists. I could use an extra set of eyes to look over my configs, if anyone wouldn't mind. At this point I just want to get on the net...don't really care about security right now. Here is a copy of my config.


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$oAK1$loTKH3mxsYLFBUJ5pdOEE.
!
no aaa new-model
!
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool home
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
!
ip inspect name Internet cuseeme
ip inspect name Internet dns
ip inspect name Internet ftp
ip inspect name Internet h323
ip inspect name Internet https
ip inspect name Internet icmp
ip inspect name Internet imap
ip inspect name Internet pop3
ip inspect name Internet netshow
ip inspect name Internet rcmd
ip inspect name Internet realaudio
ip inspect name Internet rtsp
ip inspect name Internet esmtp
ip inspect name Internet sqlnet
ip inspect name Internet streamworks
ip inspect name Internet tftp
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip domain lookup
!
!
!
!
!
archive
log config
hidekeys
!
!
ip tcp mss 1452
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip access-group 103 in
ip access-group 102 out
ip inspect Internet out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
no ip address
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
ip http server
no ip http secure-server
ip dns server view-group dns
ip dns server
ip nat inside source list 101 interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit tcp 192.168.10.0 0.0.0.255 any eq www
access-list 102 permit ip any any
access-list 103 permit tcp any 192.168.10.0 0.0.0.255 eq www
access-list 103 permit ip any any
!
!
!
control-plane
!
!
line con 0
password xxxxx
login
no modem enable
line aux 0
line vty 0 4
password xxxxxx
login
!
scheduler max-task-time 5000
end
 
ip inspect Internet out

needs to be inbound, not outbound. Also, post a sh ip int bri

If you ever want to test functionality of an acl or to see if it disables functions, always take the acl off of the interface and then test. You allowing only port 80 outbound will never work---it can be allowed inbound, but outbound will not use port 80. It uses a random tcp port...take the acls off one at a time and you will see. What does fa4 connect to?

Burt
 
Thanks Burt, my fa4 is connected to a cable modem. Here is my sh ip int brief. The 871 is not connected to the cable modem at the moment, so the protocols will be down.


Gateway#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              67.163.37.190   YES DHCP   up                    down
Vlan1                      192.168.10.1    YES NVRAM  up                    down
NVI0                       unassigned      YES unset  administratively down down
Vlan2                      unassigned      YES NVRAM  up                    down
 
Hello
Try to use the most basic config possible: kill all access-lists and ip inspect. Only leave the access-list for NAT. Then try using the next hop router as the default gateway, e.g. ip route 0.0.0.0 0.0.0.0 67.163.37.XXX
Regards
 
Well, the thing that will get you on the internet is

int fa4
no ip access-group 102 out

Burt
 
Thanks for the replies,

I have tried removing all access-lists, and it still will not let me out.

I used the SDM to test the connection, and it came back with an error saying that either there is a DNS issue, and there may be an authentication problem. Do I have to issue any PPP authentication commands for my cable connection?
 
Hello
SDM isn't good for troubleshooting. It's just taking a wide shot. Did you try using the next hop router as the default gateway? Can you please post your present conf?
Also try to ping the cable modem, your ISP DNS server or gateway, and any public IP address like 4.2.2.2 and post the results.
Regards

 
Thanks for all the responses

I was able to get it going. My problem was the DNS server IPs. I did not specify them in my DHCP pool.
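
An added example, not part of the original thread or any poster's code: a Python check for the fault that closed this thread, a DHCP pool that hands clients no DNS server, or hands them the router's own address while the router is not set up to resolve names. The sample config is constructed from the lines posted above, and the rule that the router only resolves names when `ip dns server` is present and domain lookup is not disabled is an assumption of this example.

```python
import re

# Constructed sample: the DNS-relevant lines of the config posted in this thread.
SAMPLE_CONFIG = """\
ip dhcp pool home
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1
!
no ip domain lookup
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
ip dns server
"""

def check_dhcp_dns(config):
    """Return findings about the DNS servers each DHCP pool hands to clients."""
    lines = [line.strip() for line in config.splitlines()]
    local_ips, pools, section = set(), {}, None
    for line in lines:
        if m := re.match(r"ip dhcp pool (\S+)", line):
            section = ("pool", m.group(1))
            pools[m.group(1)] = []
        elif re.match(r"interface \S+", line):
            section = ("iface", None)
        elif line == "!":
            section = None                      # "!" ends the current block
        elif section and section[0] == "pool" and line.startswith("dns-server "):
            pools[section[1]] += line.split()[1:]
        elif section and section[0] == "iface":
            if m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line):
                local_ips.add(m.group(1))       # static address owned by the router
    # Assumption: the router only answers client queries when "ip dns server"
    # is present and domain lookup has not been switched off.
    resolver_ok = "ip dns server" in lines and not any(
        re.fullmatch(r"no ip domain[ -]lookup", line) for line in lines)
    findings = []
    for name, servers in pools.items():
        if not servers:
            findings.append(f"pool {name}: no dns-server handed to clients")
        for ip in servers:
            if ip in local_ips and not resolver_ok:
                findings.append(f"pool {name}: dns-server {ip} is this router, "
                                "which is not set up to resolve names")
    return findings

if __name__ == "__main__":
    for finding in check_dhcp_dns(SAMPLE_CONFIG):
        print(finding)
```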
 