rossmar asked:

No internet access with Cisco Router

I have a Cisco 1811 Integrated Services Router which has been in operation for over a year.  It also provides VPN access for the Cisco dialer VPN and three small remote offices with PIX 501s connected back to the main office.  All worked well, except I discovered the outbound e-mail came from an incorrect IP address.  I did not want to change the public DNS records. To correct this address problem I applied a number of changes to make sure the SMTP traffic came from the correct address.  Everything works for inbound services, web mail, VPN access.  The e-mail messages do show the correct IP address. The problem is no one on the inside network can reach the internet.  The exception is the server at 192.168.10.111 (the mail server), which can access the internet over port 80 and also send e-mail from port 25.  Attached is the configuration as it is now applied.  I have another office with an ISR and a similar configuration (it doesn't have the spoke VPNs from remote offices) and it works OK.  What do I need to add to this configuration to allow outbound internet traffic?
MainChngesNoOutbound.TXT
Routers

Last comment: rossmar, 8/22/2022 (Mon)
JFrederick29

Add this:

conf t
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
Les Moore

>ip nat inside source list 100 interface FastEthernet0 overload
But, you do not even have acl 100 defined.

access-list 100 deny ip host 192.168.10.111 any
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any

interface FastEthernet0
 ip address 24.227.206.180 255.255.255.248 secondary  <== you don't need this. I would remove it.
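The two ACL 100 versions above hinge on first-match evaluation: a deny entry in a NAT ACL means "do not translate", so VPN-bound flows and the mail server (which has its own static mapping to .180) bypass the interface PAT, and only the permit line at the end sends the rest of 192.168.10.0/24 through the overload. The following Python is an added example, not IOS code or either expert's, that models that evaluation (Cisco wildcard masks, first match wins, implicit deny) so the classification of a flow can be checked before the list is applied.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed model of how IOS evaluates a NAT "inside source list" ACL (assumption:
# first match wins, implicit deny at the end). In a NAT ACL a "permit" match means
# "translate this flow" and a "deny" match means "leave it untranslated".
@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # address; wildcard bits set to 1 are don't-care
    src_wc: str
    dst: str
    dst_wc: str

def wildcard_match(addr, net, wildcard):
    """Cisco wildcard semantics: compare only the bits that are 0 in the wildcard."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def parse_ace(line):
    """Parse the numbered-ACL syntax used in the thread, e.g.
    'access-list 100 deny ip host 192.168.10.111 any'."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    def take(rest):                     # -> (address, wildcard, remaining tokens)
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]
    src, src_wc, rest = take(tok[4:])
    dst, dst_wc, _ = take(rest)
    return Ace(tok[2], src, src_wc, dst, dst_wc)

def nat_decision(acl, src, dst):
    """First matching entry decides; falling off the end is the implicit deny (no NAT)."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return "translate" if ace.action == "permit" else "no-nat"
    return "no-nat"

# ACL 100 as posted above, with the host exemption for the mail server.
ACL_100 = [parse_ace(l) for l in """
access-list 100 deny ip host 192.168.10.111 any
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
""".strip().splitlines()]
```

Because evaluation is first-match, moving the permit line above the deny lines would silently translate the VPN-bound flows as well; `nat_decision` makes that ordering mistake visible.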

ASKER
rossmar

Thanks for the fast response.  I had made changes to ACL 100 and ended up without one.  However, entering the lines per JFrederick did not correct it.  When I tried the JMoore lines I got an error when I tried to add the ip nat inside source list line; it gave me the message that dynamic mapping is active, cannot change.  In any case I will need to work from the console of the router because I may want to start the config over from scratch.  However, it may be best to show you the configuration from which I started working.  Everything worked in this configuration except my e-mails show as coming from the router's address of 24.227.206.178 instead of the IP address 24.227.206.180, which is what I need.  Perhaps there is a better approach to this problem than the one I attempted.  I am attaching that original configuration.

Again thanks for the responses.
Main1-21-09.TXT
SOLUTION
Les Moore

ASKER
rossmar

I will be trying that this PM.
Thanks.
ASKER
rossmar

Your configuration addition has worked in every way I could test it and the e-mail shows the correct IP address.  The only thing I could not test were the VPN connections from the remote offices connecting with the PIX 501s.  I will know that in the morning.

Thanks for your help.
ASKER
rossmar

Well everything did work, but the remote offices connected by PIX did not. They could not access resources on the internal network.  Here is the config I had after applying your changes.  Do I need to add lines to the ACL split?


Main01-26-09.TXT
ASKER CERTIFIED SOLUTION
ASKER
rossmar

Pardon my lack of understanding.  The dialer VPN connections with the Cisco VPN client did work, but the connections from the remote PIXs didn't.  Is there a reason why the NATing is different for these two similar types of connections?

Thanks again.
JFrederick29

No, not really.  What isn't working?  Were they working before?
ASKER
rossmar

With the configuration I posted this morning (Main01-26-09) the following worked: E-mail correctly showed as coming from 24.227.206.180, remote admin of the server from outside worked, FTP and Web access to the server from outside worked, access to the internet from the internal network worked, and the Cisco VPN dialer client worked.  What did not work was the VPN access from the remote offices via the PIX to main office router.

With the config I posted first (MainChngesNoOutbound) all the above worked except there was no outbound traffic allowed to the internet from the internal network.  The exception was the server at 192.168.10.111 (the e-mail/DNS/WINS server), which could browse the internet with port 80, but could not ping the internet. I had a report that the remote offices could connect, but I did not completely verify that with the other sites.

With my original configuration (Main1-21-09) everything worked, except e-mail showed as coming from 24.227.206.178 instead of 24.227.206.180, which was my original problem.

So with each configuration I've had a different problem.
ASKER
rossmar

OK.  I started with my Main1-21-09 config, added the lrmoore lines of 1-25 and then the JFrederick lines of 1-27.  I ended up with the attached config.  All seems to be working.  My only question concerns what limits the types of traffic to 192.168.10.111 to SMTP, Remote Admin, SMTP, and HTTP?

Thanks for all the help with this question.

Ross
JFrederick29

Access-list 198 applied inbound on the FastEthernet0 interface is restricting the access.
ASKER
rossmar

Starting with config Main1-21-09 and adding the changes I noted above, I did not have an access list 198.  I am assuming I should add back in ACL 196, ACL 198, ACL 199 and basically add to the config MainChngesNoOutbound, then make the additions you recommended.
ASKER
rossmar

I started with the config I had originally posted (MainChngesNoOutbound), added LRMoore changes, added JFrederick29 changes and came up with the attached config.  With this config I have no internet from the internal network.

I probably have misinterpreted your suggestions. If you make suggestions, please cite which config to use as the starting point.
MainStillNoInternet.txt
JFrederick29

Looks good except for access-list 198 blocking all traffic to the outside interface.

Do this:

conf t
ip access-list ext 198
no deny ip any host 24.227.206.180
no permit ip any any
permit udp any eq 53 any
permit icmp any any unreachable
permit icmp any any echo-reply
permit icmp any any time-exceeded

This allows DNS replies and the ability to ping from inside but denies everything else.  The other statements in 198 allow traffic to the server and the tcp established rule allows return TCP traffic.
JFrederick29

Oops, never mind.  Disregard my last post.  Thought the .180 address was the F0 interface IP.
ASKER
rossmar

I'm kinda back where I started - one choice being e-mail coming from the wrong IP or the problem corrected, but no internet access from the inside.  What is odd is that PIXs or ASAs with static (inside, outside) statements do direct SMTP traffic out the correct IP.  It seems to be much more difficult with the routers.

Thanks again.
JFrederick29

I don't see anything wrong with your last config "MainStillNoInternet.txt" posted 1/28.  The email server should appear to the Internet as 24.227.206.180 and the 192.168.10.0/24 subnet should have Internet access (translated to 24.227.206.178).  Can you post an "ipconfig /all" from the 192.168.10.x PC you are testing from and also the following output from a command prompt on the PC:

ping www.google.com
ping 74.125.95.147
telnet www.google.com 80
telnet 74.125.95.147 80

When using those commands on the PC, do the following on the router:

show ip nat t | i 192.168.10.x

Where 192.168.10.x is the IP of the PC you are testing with.
ASKER
rossmar

OK.  I did the following:  I returned to the config I had most recently posted, however, I eliminated ACL 1.

Here are the results:
Inbound and outbound e-mail works as long as it is to a DNS cached destination on the outbound.
Access to the 192.168.10.111 server works over port 80, 3389, and 21. This is the WINS/DNS server for the network.
Dialer VPN works.  Access from the remote sites work.
From the 192.168.10.111 server I cannot ping the internet nor get DNS from the external DNS hosts.
New things:
I can access the internet via port 80 if I know the IP address, but cannot get IP addresses from 192.168.10.111.
I can ping the internet from another host (192.168.10.50).  I can connect to the internet via port 80 if I know the IP address.
So it looks like I have internet access on hosts except for 192.168.10.111, but I do have access using at least port 80 and port 3389 (same ports on the inbound access list). Since I don't have access over port 53, I'm not getting DNS.

Here are screens from Show IP T: (from 192.168.10.111)

udp 24.227.206.180:1038 192.168.10.111:1038 4.2.2.2:53       4.2.2.2:53
udp 24.227.206.180:1038 192.168.10.111:1038 24.28.131.62:53  24.28.131.62:53
udp 24.227.206.180:1038 192.168.10.111:1038 24.28.131.63:53  24.28.131.63:53
tcp 24.227.206.180:3389 192.168.10.111:3389 66.162.88.196:61405 66.162.88.196:61405
tcp 24.227.206.180:34931 192.168.10.111:34931 74.125.95.147:80 74.125.95.147:80
--- 24.227.206.180     192.168.10.111     ---                ---

AND from 192.168.10.50
icmp 24.227.206.178:512 192.168.10.50:512 74.125.95.147:512  74.125.95.147:512
tcp 24.227.206.178:4834 192.168.10.50:4834 8.14.192.48:80    8.14.192.48:80
tcp 24.227.206.178:4864 192.168.10.50:4864 74.125.95.147:80  74.125.95.147:80

Attached is the config that gave the described results.
So it now appears we only have the internet access problem from 192.168.10.111.  This is different from my first post where I had no internet access.

Thanks.
Main1-31-09.txt
SOLUTION
ASKER
rossmar

It appears all is working now.  Thanks for the help.
ASKER
rossmar

I ultimately needed the input from both of you.  I appreciate your sticking with this complex issue.