Cisco 881 can't connect to internet

Posted on 2009-04-16
Last Modified: 2012-06-21
Hi

I have a new Cisco 881 router connected behind a shared network in a serviced office.

Having some issues setting it up - have gone through the basic configuration and can seemingly ping the outside world and resolve DNS entries but can't seem to get any machines connected to it to connect to the outside world.
If we connect a PC direct to the connection we can get outside ok.

Any thoughts on what we've missed in the following config? I'm assuming we're missing something from the fastethernet0-3 which we have local machines connected to.

Many thanks

Building configuration...
 
Current configuration : 10174 bytes
!
! Last configuration change at 15:39:25 PCTime Sun Mar 29 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <removed>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone PCTime 0
!
crypto pki trustpoint TP-self-signed-1377610732
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1377610732
 revocation-check none
 rsakeypair TP-self-signed-1377610732
!
!
crypto pki certificate chain TP-self-signed-1377610732
 certificate self-signed 01
  	quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.121 192.168.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 80.169.200.2 212.121.128.11 
   default-router 192.168.0.1 
!
!
ip cef
no ip bootp server
ip domain name pinion.com
ip name-server 80.169.200.2
ip name-server 212.121.128.11
ip port-map user-ezvpn-remote port udp 10000
!
!
!
!
username admin privilege 15 secret 5 <removed>
! 
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
no ip rcmd domain-lookup
ip rcmd remote-username sdmRb792658d
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
 match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
 match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
 match access-group 102
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any sdm-service-ccp-inspect-1
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-service-ccp-inspect-2
 match protocol tcp
 match protocol udp
 match protocol http
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match class-map sdm-service-ccp-inspect-2
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect CCP-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 10.15.11.241 255.255.255.0
 ip access-group SDM_IP out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1
!
interface Virtual-Template1 type tunnel
 no ip address
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn CISCOCP_EZVPN_CLIENT_1 inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 2 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.15.11.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=128
no cdp run
 
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you 
want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:m_carrington
2 Comments
 

Expert Comment

by:bkepford
ID: 24169772
You can ping from the router but not from clients behind the router? At first I was thinking NAT but your NAT looks okay. Then I was thinking firewall (as the default policy prevents private IP addresses from being allowed) but I saw nothing preventing the return traffic. It may be this route statement.

ip route 0.0.0.0 0.0.0.0 FastEthernet4 2 permanent

This needs to be changed to

ip route 0.0.0.0 0.0.0.0 <IP address of your next hop router>
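
Added example (not part of the original thread or either poster's code): a Python check that flags the kind of static route discussed in the answer above, one that names only a multi-access interface, and also flags a next hop that lies outside every connected subnet. `SAMPLE` is a constructed excerpt of the posted configuration; the function names are this example's own.

```python
import ipaddress

# Interface-name prefixes for multi-access (broadcast) media. A static route that
# names only such an interface makes the router ARP for every destination
# address, which works only if the upstream device answers with proxy ARP.
MULTI_ACCESS = ("ethernet", "fastethernet", "gigabitethernet", "vlan")

# Constructed excerpt of the configuration posted in the question.
SAMPLE = """\
interface FastEthernet4
 ip address 10.15.11.241 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 FastEthernet4 2 permanent
"""

def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False

def connected_networks(config_text):
    """Map interface name -> IPv4 network taken from its 'ip address' line."""
    nets, current = {}, None
    for line in config_text.splitlines():
        tokens = line.split()
        if not line.startswith(" "):  # top-level line: enter or leave an interface
            current = tokens[1] if tokens[:1] == ["interface"] and len(tokens) > 1 else None
        elif current and tokens[:2] == ["ip", "address"] and len(tokens) >= 4 and is_ipv4(tokens[2]):
            nets[current] = ipaddress.IPv4Interface(f"{tokens[2]}/{tokens[3]}").network
    return nets

def audit_static_routes(config_text):
    """Return (route line, problem) pairs for 'ip route' statements worth fixing."""
    nets, findings = connected_networks(config_text), []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "route"] or len(tokens) < 5 or not is_ipv4(tokens[2]):
            continue
        rest = tokens[4:]
        # Optional exit interface comes first, then an optional next-hop address.
        iface = None if is_ipv4(rest[0]) else rest.pop(0)
        next_hop = rest[0] if rest and is_ipv4(rest[0]) else None
        if next_hop is None:
            if iface and iface.lower().startswith(MULTI_ACCESS):
                findings.append((line.strip(), f"interface-only route on multi-access {iface}"))
        elif not any(ipaddress.IPv4Address(next_hop) in net for net in nets.values()):
            findings.append((line.strip(), f"next hop {next_hop} is not on a connected subnet"))
    return findings
```

`audit_static_routes(SAMPLE)` returns one finding for the posted default route; a default route whose next hop sits inside 10.15.11.0/24, the FastEthernet4 subnet, returns none.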

 

Accepted Solution

by:
m_carrington earned 0 total points
ID: 24194883
What would be my next hop?
At present I am planning to replace a very simple LAN with my new 881-W (and plan to use its feature-rich functionality as time goes by). So for the time being it really is this simple. 1off Router, 1off 8 port hub and 3 PCs. To start with I am using a single static IP PC connected via an ethernet cable to the Router. The Router is then connected via FE4 to the office provider's ethernet cable (using a static IP) and thus the internet.
Therefore, I have VLAN1 as my inside zone and FastEthernet4 as my outside zone.
What linkage am I missing here?