Solved

Cisco 2611, can ping websites from router but cannot access internet from inside the network

Posted on 2004-08-19
Last Modified: 2010-03-18
I have the following setup at this time.

Static IP----2611-----static IP------Internal network.  

I can ping sites such as nhl.com or 24.217.0.3 from the router without a problem. However, I cannot ping or access any websites from the internal LAN; I have tried static and DHCP setups inside the LAN. I think it is an ACL issue but am not sure. I have included my config below.

Current configuration : 1553 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Wont-Run
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxx
!
ip subnet-zero
no ip source-route
!
!
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip dhcp excluded-address 10.0.1.1 10.0.1.9
!
ip dhcp pool MGMT
   network 10.0.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 69.148.10.bb 69.148.10.aa 10.0.1.1
   lease infinite
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.0
 no cdp enable
!
interface Ethernet0/1
 description outside
 ip address 69.148.10.bb 255.255.255.248
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 69.148.10.cc
no ip http server
!
access-list 101 permit tcp any any
access-list 102 permit ip any any
no cdp run
!
line con 0
 exec-timeout 5 0
 password 7 xxxxxxxx
 login
line aux 0
 no exec
 exec-timeout 0 10
line vty 0 4
 no exec
 exec-timeout 0 30
 password 7 xxxxxxxx
 login
 transport input none
line vty 5 15
 password 7 xxxxxxxx
 login
!
!
end

Any help would be greatly appreciated.
Question by: pjn308

Accepted Solution by: JFrederick29
Add the following to your configuration:

en
conf t
! Match the inside LAN (10.0.1.0/24 on Ethernet0/0) for NAT
access-list 1 permit 10.0.1.0 0.0.0.255
ip nat inside source list 1 interface ethernet0/1 overload

Also, access-list 101 configured on ethernet0/0 is only allowing TCP traffic out.  You won't be able to resolve DNS lookups if you don't add UDP to your access-list "access-list 101 permit udp any any".

It would be better if you removed the access-list altogether and added a list inbound on Ethernet0/1.  Here is a basic list that works in most cases and will help protect you from the Internet.

! Allow return DNS replies
access-list 101 permit udp any eq 53 any
! Allow established TCP sessions from the inside network
access-list 101 permit tcp any any established
! Allow ICMP replies back into your network
access-list 101 permit icmp any any echo-reply

Apply it inbound on Ethernet0/1:

interface ethernet0/1
ip access-group 101 in

Expert Comment by: Pentrix2
Yupe, that should work.  :)
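
Why the list posted in the question drops DNS and ping replies while the list in the accepted answer passes them, as an added example that is not part of the thread: a minimal first-match evaluator with the implicit deny, run over constructed packets. The dictionary fields and packet names are assumptions made for illustration.

```python
# Added example (not from the thread): first-match ACL evaluation with the
# implicit "deny ip any any" that IOS appends to every access list.
# Only permit entries are modelled, since both lists on the page contain nothing else.

def matches(entry, pkt):
    """True if a permit entry matches the packet's protocol and qualifiers."""
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    if "src_port" in entry and pkt.get("src_port") != entry["src_port"]:
        return False
    # 'established' matches TCP segments with ACK or RST set (no session state)
    if entry.get("established") and not pkt.get("flags", set()) & {"ACK", "RST"}:
        return False
    if "icmp_type" in entry and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry permits; falling off the end is the implicit deny."""
    return "permit" if any(matches(e, pkt) for e in acl) else "deny"

# access-list 101 as posted in the question (applied out on Ethernet0/0)
ORIGINAL_101 = [{"proto": "tcp"}]
# access-list 101 as proposed in the answer (applied in on Ethernet0/1)
PROPOSED_101 = [
    {"proto": "udp", "src_port": 53},
    {"proto": "tcp", "established": True},
    {"proto": "icmp", "icmp_type": "echo-reply"},
]

# Constructed sample packets arriving from the Internet side
PACKETS = {
    "dns_reply":    {"proto": "udp", "src_port": 53},
    "http_reply":   {"proto": "tcp", "src_port": 80, "flags": {"SYN", "ACK"}},
    "inbound_syn":  {"proto": "tcp", "src_port": 40000, "flags": {"SYN"}},
    "ping_reply":   {"proto": "icmp", "icmp_type": "echo-reply"},
    "ping_request": {"proto": "icmp", "icmp_type": "echo"},
}

def verdicts(acl):
    """Map each sample packet name to the ACL's decision."""
    return {name: evaluate(acl, pkt) for name, pkt in PACKETS.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_101), ("proposed", PROPOSED_101)):
        print(label, verdicts(acl))
```

Both `eq 53` and `established` are stateless header checks: they do not track whether the inside network actually opened the session.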