Solved

Cisco 2611, can ping websites from router but cannot access internet from inside the network

Posted on 2004-08-19
2
479 Views
Last Modified: 2010-03-18
I have the following setup at this time.

Static IP----2611-----static IP------Internal network.  

I can ping sites such as nhl.com or 24.217.0.3 from the router without a problem.  However I cannot ping or access any websites from the internal LAN, I have tried static and DHCP setups inside the LAN.  I think it is an ACL issue but not sure.  I have included my config below

Current configuration : 1553 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Wont-Run
!
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxx
!
ip subnet-zero
no ip source-route
!
!
ip name-server 151.164.14.201
ip name-server 151.164.1.8
ip dhcp excluded-address 10.0.1.1 10.0.1.9
!
ip dhcp pool MGMT
   network 10.0.1.0 255.255.255.0
   dns-server 151.164.14.201 151.164.1.8
   default-router 69.148.10.bb 69.148.10.aa 10.0.1.1
   lease infinite
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0/0
 description inside
 ip address 10.0.1.1 255.255.255.0
 ip access-group 101 out
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.0
 no cdp enable
!
interface Ethernet0/1
 description outside
 ip address 69.148.10.bb 255.255.255.248
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 69.148.10.cc
no ip http server
!
access-list 101 permit tcp any any
access-list 102 permit ip any any
no cdp run
!
line con 0
 exec-timeout 5 0
 password 7 xxxxxxxx
 login
line aux 0
 no exec
 exec-timeout 0 10
line vty 0 4
 no exec
 exec-timeout 0 30
 password 7 xxxxxxxx
 login
 transport input none
line vty 5 15
 password 7 xxxxxxxx
 login
!
!
end

Any help would be greatly appreciated.
0
Comment
Question by:pjn308
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 11845009
Add the following to your configuration:

en
conf t
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface ethernet0/1 overload

Also, access-list 101 configured on ethernet0/0 is only allowing TCP traffic out.  You won't be able to resolve DNS lookups if you don't add UDP to your access-list "access-list 101 permit udp any any".

It would be better if you removed the access-list altogether and added a list inbound on Ethernet0/1.  Here is a basic list that works in most cases and will help protect you from the Internet.

access-list 101 permit udp any eq 53 any          <--- Allow return DNS replies
access-list 101 permit tcp any any established   <--- Allow established TCP sessions from the inside network
access-list 101 permit icmp any any echo-reply  <--- Allow icmp replies back into your network

Apply it inbound on Ethernet0/1:

interface ethernet0/1
ip access-group 101 in
0
 
LVL 9

Expert Comment

by:Pentrix2
ID: 11850702
Yupe, that should work.  :)
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface There are many applications where some computing systems need have their system clocks running synchronized within a small margin and eventually need to be in sync with the global time. There are different solutions for this, i.e. the W3…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month4 days, 23 hours left to enroll

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question