

Cisco 877 internet access problem from VLAN1

Hi there, I have done an initial configuration using SDM with the following facts:

1. VLAN1 set up with range 192.168.0.1 - 255 in the DHCP available addresses - other machines added to ethernet ports on Cisco 877 pick up IP addresses OK within this range
2. Dialer0 interface set up correctly to connect to my ADSL connection, connection test successful pinging external domain e.g. www.google.com
3. NAT configured with VLAN1 entire range as inside and Dialer0 as outside

But I cannot browse the internet using a browser from anywhere within VLAN1.

How can I get to browse the web?
futurefiles

can you do a show run and paste your config

ASKER

Here it is. Passwords and domains etc. replaced with 'blah'
Thanks!
!This is the running config of the router: 192.168.0.2
!----------------------------------------------------------------------------
! NOTE(review): the 'blah' redaction described above left the type-5 enable and
! username secrets and a type-7 'ppp chap password' in place. Type-7 strings are
! reversibly encoded rather than hashed, so every credential in this paste should
! be treated as disclosed and changed.
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
! type-5 (MD5) hash of the enable secret -- present in the paste, see note above
enable secret 5 $1$Nh.H$kYh6B6XVs5urKjdqvCYg90
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.2
!
! LAN pool: 192.168.0.0/24, gateway .2. No dns-server line here and no
! 'import all' source is visible, so clients only get a DNS server if the
! dialer learns one from the ISP -- a likely cause of "ping works, browsing
! does not" symptoms; confirm with ipconfig on a client.
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.2 
!
!
! CBAC inspection set applied outbound on Dialer0; return traffic for these
! protocols is opened through ACL 101 by the inspect engine.
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name blah.blah
ip name-server blah.blah.blah.blah
ip name-server blah.blah.blah.blah
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
! Self-signed certificate used by 'ip http secure-server' below.
crypto pki trustpoint TP-self-signed-1033066415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1033066415
 revocation-check none
 rsakeypair TP-self-signed-1033066415
!
!
crypto pki certificate chain TP-self-signed-1033066415
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31303333 30363634 3135301E 170D3032 30333031 30323030 
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333330 
  36363431 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81009FA8 D7B7B6AD C5118292 FC22D708 98489AF5 530E1652 401CBEB9 C593E98E 
  68D39738 04DFFFD0 FF6DED68 6B63512A 1D437999 08566A1B 9983E523 82048562 
  7751BE86 FC1E5B60 4CBE4CDE 69FB31C6 8377223B 3A1637F4 AFA82172 1FE918BF 
  58D41028 3A76FD6F 78CB84A3 E93131F7 A24A3C69 5D1B2EAF B5A5E380 6E6F8796 
  E8770203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 149290B9 069F09A6 48B46DFA AE888812 ADCFFEB9 
  16301D06 03551D0E 04160414 9290B906 9F09A648 B46DFAAE 888812AD CFFEB916 
  300D0609 2A864886 F70D0101 04050003 8181008F 67D10E0B A6B76DB6 A84A62F9 
  32004E04 0BDE7A7F 99074135 CBC4C568 883D1197 8E4FC287 40A53F84 E6C07167 
  48123F94 48994106 948689B4 975E178E 24ECF414 009E5A51 78444AD1 32B87D1B 
  4A9D3370 5BD0FDE2 FB67EA8B BDD1B825 BD73A2A9 E0A6EDF6 4B0FF8AE AB46DCB4 
  DB12EB3C 343573C1 8C9FF08D CBDB0785 DB77FD
  quit
! Local admin account used by 'login local' on the lines and by HTTP auth;
! the type-5 hash was not redacted.
username administrator privilege 15 secret 5 $1$WF71$VGG9ZNckoRE0CWcWLnfxp0
!
! 
!
!
!
! Physical ADSL interface; no IP, PPP runs over the PVC on ATM0.1.
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
! PVC 0/38 carrying PPPoA into dialer pool 1 (terminated by Dialer0).
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 no snmp trap link-status
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Inside (LAN) side. ACL 100 is inbound anti-spoofing only. There is no
! 'ip nat inside' here and no 'ip nat inside source' rule anywhere in this
! config, so LAN sources are not translated before leaving Dialer0.
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
!
! Outside (WAN) side: ACL 101 inbound, CBAC inspection outbound.
! No 'ip nat outside' is configured either.
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname blah@blah.demonadsl.co.uk
 ! type-7 encoding is reversible -- this PPP credential is effectively public
 ppp chap password 7 0707205F460118161F
 ppp pap sent-username blah@blah.demonadsl.co.uk password 7 blah
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
! Management plane: cleartext HTTP and HTTPS are both enabled, and the vty
! lines below accept telnet as well as ssh. Telnet and HTTP carry the local
! credentials unencrypted; ssh/HTTPS only is the safer choice.
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
! ACL 100 (Vlan1 in): drop broadcast and loopback sources, permit everything
! else from the LAN.
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 (Dialer0 in): permit DNS replies from two named resolvers and ICMP
! replies, block RFC1918 / bogon sources, deny all else. Return traffic for
! LAN sessions is expected to be opened by the DEFAULT100 inspection.
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 158.152.1.43 eq domain any
access-list 101 permit udp host 158.152.1.58 eq domain any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
! vty: local login, telnet and ssh both accepted (see management note above).
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


I dont see any Nat statement...

pppoanat.pdf
Avatar of Les Moore
futurefiles is correct that you need nat. Here is what you need to enter:

! Outside side of the translation: the WAN-facing dialer, whose negotiated
! address is the one shared by overload below.
interface dialer 0
 ip nat outside

! Inside side: the LAN SVI whose sources get translated.
interface vlan 1
 ip nat inside

! Standard ACL 10 selects which inside sources are translated (the whole
! 192.168.0.0/24 LAN); 'interface Dialer0 overload' maps them all onto the
! dialer's single negotiated address (PAT).
access-list 10 permit 192.168.0.0 0.0.0.255
ip nat inside source list 10 interface Dialer0 overload
 
Hello, I've tried the NAT configuration and appear to have set it up right according to your recommendations, though I still cannot connect. Here is my updated config - could you have a look at it? Thanks so much.

What could stop this NAT configuration working? It's strange that I can ping internet domains successfully every time but can't get the NAT sorted despite doing all the right bits according to both the SDM interface and your own recommendations ... is there any particular way I should be connecting equipment to the router itself? I suppose the computer I am using SDM on should be able to simultaneously connect using its browser to the web?

Thanks again.




!This is the running config of the router: 172.16.0.2
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Password encryption is off in this config (it was on in the first paste);
! the 'password 0' PPP credentials under Dialer0 are stored in cleartext.
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
! With both exclusions the /16 pool below only ever hands out
! 172.16.0.3 - 172.16.0.254, i.e. every lease falls inside 172.16.0.0/24.
ip dhcp excluded-address 172.16.0.1 172.16.0.2
ip dhcp excluded-address 172.16.1.0 172.16.255.254
!
! Still no dns-server option in the pool; clients only get a resolver if
! 'import all' learns one from the PPP session. Confirm on a client.
ip dhcp pool sdm-pool
   import all
   network 172.16.0.0 255.255.0.0
   default-router 172.16.0.2 
!
!
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
crypto pki trustpoint TP-self-signed-1033066415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1033066415
 revocation-check none
 rsakeypair TP-self-signed-1033066415
!
!
crypto pki certificate chain TP-self-signed-1033066415
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31303333 30363634 3135301E 170D3032 30333031 30323237 
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333330 
  36363431 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81009FA8 D7B7B6AD C5118292 FC22D708 98489AF5 530E1652 401CBEB9 C593E98E 
  68D39738 04DFFFD0 FF6DED68 6B63512A 1D437999 08566A1B 9983E523 82048562 
  7751BE86 FC1E5B60 4CBE4CDE 69FB31C6 8377223B 3A1637F4 AFA82172 1FE918BF 
  58D41028 3A76FD6F 78CB84A3 E93131F7 A24A3C69 5D1B2EAF B5A5E380 6E6F8796 
  E8770203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 149290B9 069F09A6 48B46DFA AE888812 ADCFFEB9 
  16301D06 03551D0E 04160414 9290B906 9F09A648 B46DFAAE 888812AD CFFEB916 
  300D0609 2A864886 F70D0101 04050003 8181001B C763857E 98B3126E C5EBF972 
  EA634960 A3FB9124 BDEA63CF D9CBE787 70CF2ECB B0EF1526 38E6FA36 7A746E33 
  DD1DEE43 6C12AD8C CC6E0C01 B4F3A8A9 A51F4AA0 6C476484 B7D0844B 154DFC06 
  9F9D3519 7BB702E7 AC167395 86FD2CCB 1DDE5B0C A87C548C BB5C49E2 B80EC1EE 
  5AE6DCD7 AC5822D5 02A4DB48 E8043D97 01D3FB
  quit
username administrator privilege 15 secret 5 x.
!
! 
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description Main ADSL
 no snmp trap link-status
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Inside side: /16 LAN, now marked 'ip nat inside'. The inbound ACL from the
! first config is gone.
interface Vlan1
 description General VLAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
! Outside side, now 'ip nat outside'. Note there is no access-group and no
! ip inspect on this interface any more, so the WAN side is unfiltered in
! this config -- the SDM firewall from the first paste was lost in the redo.
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 x
 ppp pap sent-username x password 0 hashhash
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT rule: inside sources matching ACL 199 are overloaded onto Dialer0.
ip nat inside source list 199 interface Dialer0 overload
!
! ACL 199 matches 172.16.0.0/24 only, while Vlan1 is /16. Leases all land in
! that /24 (see the excluded-address lines), but any static host outside it
! would not be translated. The trailing 'log' keyword is also unusual on a
! NAT match ACL; the poster below reports a working box with a plain
! 'permit 172.16.0.0 0.0.0.255' -- worth testing without 'any log'.
access-list 199 remark Charlie's NAT rule
access-list 199 remark SDM_ACL Category=2
access-list 199 remark Permit any VLAN host to see the internet
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
! Default SDM banner still in place, advertising the well-known initial
! cisco/cisco account. No 'username cisco' line exists in this config, so
! the account itself appears to have been removed; the banner text could be
! replaced so it does not name the old credentials.
banner login ^CC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use. 
 
For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
! aux 0 has no 'login' here (the first config had 'login local');
! confirm that an unauthenticated aux line is intended.
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end


What IP address does your pc get that you are running SDM on? 172.16.0.x?
Setup a continuous ping on the pc to 198.6.1.2
C:\>ping -t 198.6.1.2
Then post result of "show ip nat trans"
and result of "sho ip access-list 199"
Hi there. Will do. Out of interest, what is the relevance of 198.6.1.2?
198.6.1.2 is just a permanent tier 1 dns cache server that is always on line and always responds to pings.
That is already in the current configuration.
So it is, I missed that!
No probs - thanks so much for your efforts! Will be interesting to see the fruits of my ping experiment later.
I think you need to add to.................
! The PVC subinterface only carries the PPP session into dialer pool 1; it has
! no IP address of its own. The negotiated address lives on Dialer0, which is
! why 'ip nat outside' belongs there and not on ATM0 / ATM0.1.
interface ATM0.1 point-to-point
 description Main ADSL
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
add this............
 ip nat outside
or to interface ATM0
not sure which
No, I'm way off there - ignore me this time!
What is the difference between the ATM0, ATM 0.1 and Dialer0?

ATM0 appears to be in the default configuration but cannot be edited within SDM
ATM0.1 appears when I create a new DSL connection using the SDM wizard, and I can test this connection OK
Dialer0 - what is this one?

Which bit should I ignore? All of the ATM changes you mention?
ignore all of it
Yes, ignore all of futurefiles' latests posts. I think more coffee is in order.
ATM0 is the physical interface
ATM0.1 is the logical interface for the PVC
Dialer0 is the interface that attaches to the PVC, gets the IP address and sends the username/pass, etc..
Dialer0 is where the ip nat outside goes.
The only difference I can see between yours and one I just set up is the access list.
MINE
access-list 199 permit 172.16.0.0 0.0.0.255
YOURS
access-list 199 permit 172.16.0.0 0.0.0.255 any log
The coffees where it all started... NO MORE!!!
lrmoore
You're the GURU! What's your take on it?
When you say one you just setup do you mean an actual router with the same settings as mine?
different model but an 800 series
Should I be able to access the web on the same PC from which I'm running SDM? i.e. ethernet cable directly to the port on the 877
thanks lrmoore only my fourth week configuring ciscos but learning heaps
>Should I be able to access the web on the same PC from which I'm running SDM
Yes, but I need to see the information from "ipconfig/all" and "route print" from your PC
Then I will need to see the output of the show commands listed earlier.
Do I need to change ACL 199 to number 99 instead?
No.
What you have is correct.
show ip nat trans
sho ip access-list 199

What interface do I write these commands into? Can I do it somewhere in SDM?
Hi there, I've done the following:

1. Got the ipconfig /all details
2. done the pings and sho ip stuff
3. done the route print

The results to all of this are in the attached file.

Thanks - please note that the configuration is identical.
ipconfig-sho-ip-route-print.txt
On my other (Netgear!) router, it comes up with the IP addresses for DNS servers, which I copied into SDM under the DNS server settings. I know when I test the connection it uses these DNS servers to locate the remote server e.g. www.google.com which was tested correctly.

Where do I place the DNS server settings in order to get them to populate through to hosts on the domain?

Attached are the results to 'sho ip int brief'

Thanks so much!
sho-ip-int-brief.txt
So if I have 2 DNS servers available I would just put it in like
dns-server address1 address2

?
You guys will be pleased to hear that I have solved the internet access problem. I'll post what I think the solution was tomorrow.
You guys will be pleased to hear that I have solved the internet access problem. I'll post what I think the solution was tomorrow.
You guys will be pleased to hear that I have solved the internet access problem. I'll post what I think the solution was tomorrow.
Awesome!
I'll post the differences in the configs up later. As originally suggested, the problems related to the DNS servers not being transferred across to hosts in the DHCP pool, and also wrongly configured NAT. You guys have been great - and I have learnt loads so thanks for your help. Will post up the information later this evening.
Hi Guys, Attached are I believe the changes that made the config work.

As you can see - DNS servers are specified (I've used x in the IP addresses to obfuscate them)

I also enabled RIP

and you can also see the access rules.

Thanks for your help, I believe you both helped me learn so you will see what I hope is a fair breakdown of the points between you both.
!
! The fix for browsing: the pool now hands out two resolvers explicitly
! instead of relying on 'import all'.
ip dhcp pool sdm-pool
   network 172.16.0.0 255.255.0.0
   dns-server x.x.1.58 x.x.1.43 
   default-router 172.16.0.2 
!
---------------------
 
!
! Inside side with the SDM anti-spoofing ACL 100 applied inbound again.
interface Vlan1
 description General VLAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.16.0.2 255.255.0.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
 
----------------
 
!
! RIP only on the LAN; Dialer0 is passive so no routing updates go to the ISP.
router rip
 passive-interface Dialer0
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
! PAT now keys on ACL 1, which covers the whole /16 (matches the Vlan1 mask),
! replacing the /24-only ACL 199 used before.
ip nat inside source list 1 interface Dialer0 overload
! Static port forwards: TCP/80 to 172.16.0.10 and TCP/3390 to 172.16.0.11.
! NOTE(review): ACL 101 below permits inbound tcp/3389 and www from any
! source, but the forward is on 3390 -- if ACL 101 is applied inbound on
! Dialer0 (not shown in this excerpt) the 3390 forward is blocked and the
! 3389 permit has no translation behind it. Either way, exposing an RDP-style
! service to 'any' is high risk; restrict the source or put it behind a VPN.
ip nat inside source static tcp 172.16.0.10 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.11 3390 interface Dialer0 3390
!
! ACL 1: inside sources eligible for translation (entire 172.16.0.0/16).
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.255.255
! ACL 100 (Vlan1 in): drop broadcast/loopback sources, permit the rest.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! ACL 101 (WAN in, where applied): opens tcp/3389 and www to any host, DNS
! replies from the two resolvers, ICMP replies; blocks private/bogon sources;
! logs every other drop.
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq www
access-list 101 permit udp host 158.152.1.43 eq domain any
access-list 101 permit udp host 158.152.1.58 eq domain any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
! ACL 195 and the old NAT ACL 199 are defined but nothing in this excerpt
! references them (the NAT rule now uses list 1); candidates for removal.
access-list 195 remark permit HTTP traffic
access-list 195 remark SDM_ACL Category=2
access-list 195 permit tcp any any eq www
access-list 199 remark Charlie's NAT rule
access-list 199 remark SDM_ACL Category=2
access-list 199 remark Permit any VLAN host to see the internet
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!


Thanks. I used the hints from both of you to solve my problem and get a better understanding of my new router, VLANs and firewalls and NATing in general. So thanks again!