Cisco 831 Configuration

Hey, I got a cisco 831 from a friend for free and erased his config. Now,  the E1 interface for the internet can see the internet or my other router and pings are successful. My Fastethernet 1 interface can see my computer and pings are successful. My problem and question is that my computer cannot see the internet.  what are the simple, basic configurations to allow the internet to go through the cisco 831 to the computer and vice versa??

Thanks
LVL 1
Scott LIT Support AnalystAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

plemieux72Commented:
There are many reasons for this behavior... but on those routers, I find that the easiest way is to first use CRWS (http://10.10.10.1) or whatever IP address of your inside interface and configure the basics using the GUI.

Then, once you have basic connectivity, you can stop using CRWS and start using the command line for configuration of more advanced features like CBAC etc.

Try resetting to the defaults using CRWS and see what happens.  Let us know.
0
Scott LIT Support AnalystAuthor Commented:
sorry, i forgot to mention that the web setup doesnt seem to work.

 I get through the certificate and username/pass part, then it seems to stay at the "loading cisco web setup" page, and when it is checking for the router/ios version/etc, it just keeps checking, running out the progress bar, clearing it and doing it again, over and over.

i had pretty much given up on using that becuase of it, which is why i was doing IOS. However if you know how to fix this prob that would be just as good!

0
navinquadrosCommented:
I'm gonna assume the External interface is called Ethernet 0 and the internal interface, connected to the PC is called FastEthernet 0. also I'm assuming your IP addresses are configured right as you can ping:

try the following:
- Go to priviledged mode [Enable mode]
- config t
- int FastEthernet 0
- ip route 0.0.0.0 0.0.0.0 Ethernet 0
- exit
- copy running startup

Now check. You should be able to hit through. Keep me posted!!

Best of luck,
Navin

0
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Scott LIT Support AnalystAuthor Commented:
well i tried it..no luck on anything different happening though. just in case it helped though, i got my "show config" read out .. here it is:

-------------------------------------------------------------------------------------------------------------------------------------------
Using 1615 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname zion
!
logging buffered 51200 warnings
enable secret 5 $1$EhbY$xAQmOCBd8liMG8eF0R5O8/
enable password bermuda98
!
username scott privilege 15 password 0 bda98
no aaa new-model
ip subnet-zero
no ip routing
ip domain name THEMATRIX
ip host THEREDPILL 192.168.1.1 255.255.0.0
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
ftp-server enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache
!
interface Ethernet1
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
ip http authentication local
ip http secure-server
!
banner login ^Celcome
Haven't gotten the internet hooked up yet!! ^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password bda98
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
---------------------------------------------------------------------------------------------------------------------------------------


one thing that i dont understand fully is the fastethernet 1 and ethernet 0.

 It seems that ethernet 0 encompasses the 4 fastethers if they are to all have the same settings, but can be optionally configured individually for different settings on each.

i havent touched fastether1(the plug that the pc is connected  too) because i can get the ping with just hte e0. .. yeah..but still nothing going through the router..just either side.
0
plemieux72Commented:
What is the router plugged into going to the Internet?  Is it a cable modem or DSL modem?  I am asking because your outside interface (e1) has a private IP address of 192.168.1.100.  This is probably wrong and should be a public IP address because routers don't forward private addresses onto the Internet.

So, if that's the case, put the public IP address your ISP gave you on the e1 and turn on NAT.  You should then be good to go.

To turn on NAT, setup an access-list describing the traffic to NAT.  Then a route-map to describe what access list is part of the route-map.  Then apply the route map to the outside interface e1 with a "ip nat inside source route-map" command.

For more details on setting up NAT, see http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Technologies:NAT
0
Scott LIT Support AnalystAuthor Commented:
ok..well at the moment it is connected to my gateway router. I left it there becuase it can ping websites, and i get the same  problems with throughput even when the routers external address is set from my isp's dhcp. ill give the nat thing a try, see how it comes out.
0
plemieux72Commented:
Well, NAT should only be turned on if you need to translate from a private to a public IP address.  If your 831 is plugged into another router that already does NAT, then you don't turn on NAT on the 831 as well.

So, if I understand correctly, here is how you are setup:

Internal LAN (10.10.10.0/24) ---> 10.10.10.1 Cisco831 192.168.1.100 ---> Second LAN (192.168.1.0/24) ---> 192.168.1.x GatewayRouter x.x.x.x (public IP from ISP DHCP) ---> cable modem or whatever ---> Internet

If so, your 831 needs a route that tells it to what IP address to send traffic with destination IP addresses on the Internet (which is your GatewayRouter's inside IP):
ip route 0.0.0.0 0.0.0.0 192.168.1.x

Try that and see if that works.

0
Scott LIT Support AnalystAuthor Commented:
excellent!!  i did the  ip route things (a few different ways and for both directions) and i got connectivity. I can ping websites from behind the cisco router. The only problem is that they have terrible results (20-40%).  I also can't access websites from teh computer itself. Thanks a million!!

Any ideas on how to get a better connection? i woudl imagine somehow if i were in a large business it could fall under QoS, but i doubt that would need tinkering since its just a basic router.


I know the points on this are low..so im gettin more!!
0
Scott LIT Support AnalystAuthor Commented:
nevermind...i screwed up. i was pinging the web from teh console terminal, not my pc. in actual fact, there is no connection.

im still getting more points though.
0
plemieux72Commented:
Was I correct in what I assumed to be your setup?  
Also, did you verify the TCP/IP settings on your computers?

The computers on the 10.10.10.0/24 network need to have a default gateway of 10.10.10.1.
The computers on the 192.168.1.0/24 network need to have a default gateway of 192.168.1.x

0
Miki18Commented:
Hello.

That problem you had ( display "loading cisco web setup" and not continue ) when you were trying to use "CRWS" on LAN port of your router was JAVA related !
Try installing new java or in my case (on win XP) try deinstalling your current version and use the one in Win XP.
Or maby use another PC for configuration.
When CWRS works first ser router to "DEFAULTS" in advanced configuration. then it will reboot and use default Ip (10.10.10.1) then you can use wizard to establish NAT to your internal router, or conect it directly to internet (CABLE, DSL, ADSL...)

Hope this will help you....
0
Scott LIT Support AnalystAuthor Commented:
plemieux..
yup..that was the correct setup. nice diagram to illustrate that too! to simplify things i have gotten the dhcp's to pretty much set the same ips each time. so my pc is always 10.10.10.2 going to router interface e0 with ip 10.10.10.1 and router interface e1 (internet ) being 192.168.1.100 going to gateway router 192.168.1.1, then the cable modem. This is just such a mess..i would think basic connectivity would not be to hard.  just a q about your last  post... exactly which tcp/ip settings on teh computer are you talking about.  I normally knwo how to set comps up for internet, but sometimes there is just one little thing that doesnt get configed that messes the whole thing up!

Miki, alright..ill give that whirl. it sounds promising. i didnt think win xp had a proper java version, but i guess then many users wouldnt be able to setup this  router, and i doubt cisco would do that.  but who knows..im having probs!

talk to ya guys in a bit!!!!
0
plemieux72Commented:
I was just talking about the default gateway when I referred to the TCP/IP settings on the computers.

So, on your PC, you should have:
IP 10.10.10.2
SM 255.255.255.0
GW 10.10.10.1

Wait a minute, I just noticed in your config... check your subnet masks.  For now, it would be just easier to use /24 (255.255.255.0) for everything.  Ensure your DHCP hands out /24 masks and make sure both routers all have 255.255.255.0 masks on all interfaces.




0
Scott LIT Support AnalystAuthor Commented:
Ok here's the new config, ive been changing things and not updating it here.  Both routers have 255.255.255.0 on all interfaces.


---------------------------------------------
zion#show conf
Using 1678 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname zion
!
logging buffered 51200 warnings
enable secret 5 $1$EhbY$xAQmOCBd8liMG8eF0R5O8/
enable password
!
username scott privilege 15 password 0
no aaa new-model
ip subnet-zero
no ip routing
ip domain name THEMATRIX
ip host THEREDPILL 192.168.1.1 255.255.0.0
ip host MYBOX 10.10.10.2
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
ftp-server enable
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$
 ip address 10.10.10.1 255.255.255.0
 no ip route-cache
!
interface Ethernet1
 ip address 192.168.1.100 255.255.255.0
 no ip route-cache
 duplex auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip default-gateway 192.168.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 10.10.10.2
ip http server
ip http authentication local
ip http secure-server
!
banner login ^Celcome
Haven't gotten the internet hooked up yet!! ^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end
----------------------------------------------
0
Scott LIT Support AnalystAuthor Commented:
oh..back up at the NAT info, how exactly to i apply the access list to the route map...im having a lil trouble with that...

thanks
0
plemieux72Commented:
Why are you wanting to turn on NAT on the 831?  I suggested that when I thought your 831 needed to translate from private to public IP addresses.  Right now, that's not the case, 10.0.0.0/24 and 192.168.1.0/24 are both PRIVATE.  Your 831 is simply routing, there is no need for NAT.  NAT is being handled by your GatewayRouter (the one directly connected to the Internet).

Now, you have 4 default routes... there should only be one:
ip route 0.0.0.0 0.0.0.0 192.168.1.1

So, remove the others:
no ip route 0.0.0.0 0.0.0.0 Ethernet1
no ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip route 0.0.0.0 0.0.0.0 10.10.10.2

Also, do the following commands to clean up the subnet masks as I previously mentioned:
no ip host THEREDPILL 192.168.1.1 255.255.0.0
ip host THEREDPILL 192.168.1.1 255.255.255.0
ip dhcp pool sdm-pool
 network 10.10.10.0 255.255.255.0
end

Finally, turn on IP routing with the following command:
ip routing

0
Miki18Commented:
If you wil not use CRWS
than use this configuration.

There is no problem if you use NAT (maby usefull if you have access lists in your current gateway)


Delete your configuration
-write erase then reload)

Do not forget to turn on ip routing (it is on by default on routers)
-ip routing

So your configuration should look like this....
It should work.


version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname zion
!
logging buffered 51200 warnings
enable secret 5 $1$EhbY$xAQmOCBd8liMG8eF0R5O8/
enable password
!
username scott privilege 15 password 0
no aaa new-model
ip subnet-zero
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
ftp-server enable
no ftp-server write-enable
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip route-cache
 duplex auto

!
interface Ethernet1
 ip address 192.168.1.100 255.255.255.0
 ip nat outside
 no ip route-cache
 duplex auto

ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http server
ip http secure-server
ip nat inside source list 1 interface Ethernet1 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255

ip http server
ip http authentication local
ip http secure-server
!
banner login ^Celcome
It works now :-) ^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
end

I hope this works...
0
plemieux72Commented:
Hey Drunkinbda,

I think I found your problem... the GatewayRouter is only aware of the DIRECTLY-CONNECTED networks which are:
1) The Internet
2) The 192.168.1.0/24 network

It has NO IDEA how to reach the 10.10.10.0/24 network since it's not directly connected.  Therefore, you need to add a route on it.

The route should be something like this:
route 10.10.10.0 mask 255.255.255.0 192.168.1.100

It basically tells the GatewayRouter that any traffic it receives that has a destination of 10.10.10.0/24 should be forwarded to 192.168.1.100 which is your 831.  From there, the 831 takes over.

Please try that and let me know.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Scott LIT Support AnalystAuthor Commented:
EXCELLENT...A CONNECTION!!!! i just gotta fiddle with it a little bit to make sure how and why things are working!! one quick question before i start get points out, if i move the cisco router to be the gateway router(connected to the modem) am i gonna hve to get into a lot more configs with nat and such???

Thanks again guys!!!!!!
0
Scott LIT Support AnalystAuthor Commented:
another quicky plemieux
...i assume that i can use the dynamic routing on my gateway router to do the same job that the startic routing does right?
0
plemieux72Commented:
Great!  Glad it worked...

To answer your other questions, if you move the 831 to the edge, yes, you will have to reconfigure it and it WILL have to do NAT.  I would then also configure the IOS firewall as well (CBAC) and ensure you harden the rest of the config as best you can.  Any router directly connected to the Internet should be configured as such if you want to prevent worms and other threats on your LAN.  There are great books and online articles on how to harden IOS.  Just do a google search.

Dynamic routing - yes it would do the same job.  However, you never said what kind your other router is and what routing protocol it supports (RIP, OSPF, EIGRP, etc.) and for a small setup like yours, static routing is perfectly fine.

0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.