
No access to internet

I have a Cisco 2811 with one HWIC-4ESW. I currently have four VLANs on the HWIC: 2 for LAN (secure/unsecure networks) and 2 for WAN access. The WAN interfaces are pulling IPs from the ISP via DHCP. The LAN interfaces are pulling IPs from a DHCP pool. All DHCP is functioning correctly. I am able to ping www.google and Google's IP from the router. I am unable to ping Google from a LAN client. Below is what my config looks like, IPs changed for the post. I also need this to work with dual WANs on a single router.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret
enable password

aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool VLAN_2
   network 12.31.0.0 255.255.252.0
   default-router 12.31.0.1
!
ip dhcp pool VLAN_3
   network 12.31.4.0 255.255.252.0
   default-router 12.31.4.1
!
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
multilink bundle-name authenticated
appletalk routing
!
voice-card 0
 no dspfarm

username    password
archive
 log config
hidekeys

interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex full
 speed auto
 appletalk cable-range 0-0 65434.107
 appletalk discovery
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex full
 speed auto
 appletalk cable-range 0-0 65513.143
 appletalk discovery
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 4
 no mop enabled
!
interface FastEthernet0/0/1
 switchport access vlan 5
 no mop enabled
!
interface FastEthernet0/0/2
 switchport access vlan 2
 no mop enabled
!
interface FastEthernet0/0/3
 switchport access vlan 3
 no mop enabled
!
interface Vlan1
 description Management VLAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 appletalk cable-range 0-0 65326.47
 appletalk discovery
 no mop enabled
!
interface Vlan2
 description Secure VLAN
 ip address 12.31.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description NonSecure VLAN
 ip address 12.31.4.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description WAN1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface Vlan5
 description WAN2
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0/0 overload
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!

control-plane
!
line con 0
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end




sh run
Building configuration...


Current configuration : 3778 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LestralaurRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$qb0Y$bjU8x1B7KUbrDm6is5ljx0
enable password 7 094E41041B040E150202
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool VLAN_2
   network 172.31.0.0 255.255.252.0
   default-router 172.31.0.1 
!
ip dhcp pool VLAN_3
   network 172.31.4.0 255.255.252.0
   default-router 172.31.4.1 
!
!
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
multilink bundle-name authenticated
appletalk routing
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin password 7 03065406040E384B4707
archive
 log config
  hidekeys
! 
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex full
 speed auto
 appletalk cable-range 0-0 65434.107
 appletalk discovery
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex full
 speed auto
 appletalk cable-range 0-0 65513.143
 appletalk discovery
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 4
 no mop enabled
!
interface FastEthernet0/0/1
 switchport access vlan 5
 no mop enabled
!
interface FastEthernet0/0/2
 switchport access vlan 2
 no mop enabled
!
interface FastEthernet0/0/3
 switchport access vlan 3
 no mop enabled
!
interface Vlan1
 description Management VLAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 appletalk cable-range 0-0 65326.47
 appletalk discovery
 no mop enabled
!
interface Vlan2
 description Secure VLAN
 ip address 172.31.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description NonSecure VLAN
 ip address 172.31.4.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description WAN1 
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface Vlan5
 description WAN2
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0/0 overload
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny   ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 104C061407160B0C050A7B79
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end

LestralaurRouter#

Asked by canbewired

Vito_Corleone commented:
One thing is you have two default routes:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/1

Neither of which is needed, as you're using DHCP; this will give you a default automatically. Also, default routes using interfaces are bad, as the router thinks all destinations are directly connected to that interface, so it ARPs for everything, which fills your ARP table with external destinations, which is bad all around.

Next, you have this NAT statement:
ip nat inside source list 1 interface FastEthernet0/0/0 overload

I don't see access-list 1, so you will need to add that:
access-list 1 permit <NAT subnet(s)> <mask>
! example
access-list 1 permit 192.168.1.0 0.0.0.255

You're also specifying the physical interface to overload, which is wrong. You need to specify the VLAN interface because it is the interface with the IP you're overloading:
ip nat inside source list 1 interface VLAN 4 overload

Last, you've said you need dual WAN. Here's a guide for load balanced NAT with dual ISPs:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml

It's somewhat complex, so post up here if you have any issues. Though, it may be better with another question. Getting one ISP working should be the priority here, IMO.

canbewired (Author) commented:
Thank you for your response. I will try to add these changes. One question though: which interface would I apply the access-list statement to? Would I add it to both VLANs with the ip nat inside statement?

Vito_Corleone commented:
You will end up using a route-map when you follow that guide. It will load balance across both WAN links. Your route-maps will look like this:

route-map fixed-nat permit 10
 match ip address 1
 match interface vlan 4
!
route-map dhcp-nat permit 10
 match ip address 1
 match interface vlan 5
!
ip nat inside source route-map fixed-nat interface vlan 4 overload
ip nat inside source route-map dhcp-nat interface vlan 5 overload

So you will end up with both VLANs, but not exactly the same type of NAT statement.

Vito_Corleone commented:
Also, here's a simpler guide for dual ISPs:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080950834.shtml

With this one you're leaving out the SLA config. So you lose the monitoring on each link, which means if there is a failure on one of the links you might continue to send traffic across it. Both of the configs will work, one is simpler, but a little less safe.

canbewired (Author) commented:
Okay, sorry about the long response time. So I made the suggested changes but I still cannot access the internet from the LAN side. Here is the new config. Can you tell me if I did something wrong? I just don't see it.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret
enable password
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool VLAN_2
 network 162.31.0.0 255.255.252.0
 default-router 172.31.0.1
 dns-server 10.170.1.1
!
ip dhcp pool VLAN_3
 network 162.31.4.0 255.255.252.0
 default-router 172.31.4.1
 dns-server 10.170.1.1
!

multilink bundle-name authenticated
appletalk routing
!
voice-card 0
 no dspfarm
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 no ip address
 duplex full
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 duplex full
 speed auto
 appletalk cable-range 0-0 65362.134
 appletalk discovery
 no mop enabled
!
interface FastEthernet0/0/0
 switchport access vlan 4
 no mop enabled
!
interface FastEthernet0/0/1
 switchport access vlan 5
 no mop enabled
!
interface FastEthernet0/0/2
 switchport access vlan 2
 no mop enabled
!
interface FastEthernet0/0/3
 switchport access vlan 3
 no mop enabled
!
interface Vlan1
 no ip address
 appletalk cable-range 0-0 65344.120
 appletalk discovery
 no mop enabled
!
interface Vlan2
 description Secure_LAN
 ip address 162.31.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description NonSecure_LAN
 ip address 162.31.4.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description WAN_1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface Vlan5
 description WAN_2
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
router rip
 redistribute connected
 network 192.168.0.0
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source route-map dhcp-nat interface Vlan4 overload
!
access-list 110 permit ip host 0.0.0.0 any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
snmp-server community public RO
!
route-map dhcp-nat permit 10
 match ip address 110
 match interface Vlan4
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password bombaygin12
 login
!
scheduler allocate 20000 1000
!
end

Vito_Corleone commented:
Nothing jumps out at me, but there's a lot going on. Show me some outputs:

sh ip int b
sh ip nat trans (try to ping google from a non-working host before running this)
sh access-list

Actually, one thing jumped out. Your ACL is wrong:

access-list 110 permit ip host 0.0.0.0 any

This is matching a single IP, 0.0.0.0, it needs to be:

access-list 110 permit ip 0.0.0.0 0.0.0.0 any

If that doesn't fix it, show me those outputs.

canbewired (Author) commented:
Here are those outputs.

#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
icmp 192.168.106.108:512 162.31.0.2:512   74.125.53.99:512   74.125.53.99:512

sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES manual up                    down
FastEthernet0/1            unassigned      YES manual up                    down
FastEthernet0/0/0          unassigned      YES unset  down                  down
FastEthernet0/0/1          unassigned      YES unset  up                    down
FastEthernet0/0/2          unassigned      YES unset  up                    up
FastEthernet0/0/3          unassigned      YES unset  up                    down
Vlan1                      unassigned      YES manual up                    down
Vlan2                      162.31.0.1      YES manual up                    up
Vlan3                      162.31.4.1      YES manual up                    down
Vlan4                      192.168.106.108 YES DHCP   up                    down
Vlan5                      unassigned      YES manual up                    down
NVI0                       unassigned      NO  unset  up                    up

sh access-list
Extended IP access list 110
    10 permit ip 162.31.0.0 0.0.0.255 any (28 matches)

Vito_Corleone commented:
Nothing looks right in those outputs. Your fa0/0/0 is down/down, your VLAN 4 int is up/down. The translation seems to be happening though, which is also odd. Can you post a "sh ip route" and "sh vlan" or "sh vlan-switch" please?

What is fa0/0/0 connected to? Why is it using a 192 instead of a public IP? Why are all of your interfaces down other than fa0/0/2?

canbewired (Author) commented:
Sorry, I had one of the interfaces unplugged when I did the capture. f0/0/0 is my WAN access and that is the address assigned by the DHCP server. Here are those outputs.

sh vlan-switch
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
2    Secure_LAN                       active    Fa0/0/2
3    NonSecure_LAN                    active    Fa0/0/3
4    WAN_1                            active    Fa0/0/0
5    WAN_2                            active    Fa0/0/1
20   VLAN0020                         active


sh ip route
Gateway of last resort is 192.168.106.1 to network 0.0.0.0

C    192.168.106.0/24 is directly connected, Vlan4
     172.31.0.0/22 is subnetted, 1 subnets
C       172.31.0.0 is directly connected, Vlan2
     10.0.0.0/32 is subnetted, 1 subnets
S       10.170.1.22 [254/0] via 192.168.106.1, Vlan4
S*   0.0.0.0/0 [254/0] via 192.168.106.1

sh ip int b
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES manual up                    down
FastEthernet0/1            unassigned      YES manual up                    down
FastEthernet0/0/0          unassigned      YES unset  up                    up
FastEthernet0/0/1          unassigned      YES unset  up                    down
FastEthernet0/0/2          unassigned      YES unset  up                    up
FastEthernet0/0/3          unassigned      YES unset  up                    down
Vlan1                      unassigned      YES manual up                    down
Vlan2                      172.31.0.1      YES manual up                    up
Vlan3                      172.31.4.1      YES manual up                    down
Vlan4                      192.168.106.108 YES DHCP   up                    up

Vito_Corleone commented:
Things are looking better now. Are you able to ping and access the internet? Do you see translations in "sh ip nat trans"?

canbewired (Author) commented:
I am still unable to access the internet but I do see translations being done. I tried to ping www.google.com, Google's IP address, and 192.6.1.2 (DNS ping test site) and no luck. I can ping the default gateway and the DNS, so I know that now I am getting through the router from the client, just not out to the web.

canbewired (Author) commented:
I fixed the route-map and the access list. Now I have connectivity to the web, but only one problem: I only have connectivity if I go through VLAN2 to VLAN4. When I try to go VLAN3 to VLAN4 I get nothing.

Vito_Corleone commented:
Sounds like an issue with your NAT ACL. Is it allowing both subnets?

canbewired (Author) commented:
It was the NAT ACL, and for some reason when I was doing a show run my second WAN interface was listed, but when I did a show ip int b I realized it was missing, so I added it and fixed the NAT ACL along with adding a route-map statement for the second subnet. My route-map statement also was not correct; it only listed one WAN interface, so I fixed that. I will post the configuration for others to review since this seems to be a common question on the web. Thanks for your help, Vito. Now I just have to figure out why my SDM won't work for VPN. The application comes up but the VPN wizard does nothing. But I will repost in a different question so others that search can filter better in future.
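The dual-WAN NAT that Vito outlines above and the fix canbewired describes at the end (a NAT ACL that covers both LAN subnets, one route-map per WAN interface) combined into a single fragment, as an added example rather than the asker's final config. It assumes the 172.31.0.0/22 and 172.31.4.0/22 pools and the Vlan4/Vlan5 WAN SVIs from the posted configs; the route-map names are my own.

```cisco
! Added example (not the thread's posted config): dual-WAN PAT assembled
! from the advice in this thread, using the asker's subnets and SVIs.
!
! One standard ACL listing every inside subnet that may be translated.
! A /22 needs the wildcard 0.0.3.255; the 0.0.0.255 seen in the thread's
! "sh access-list" output covers only the first /24 of each pool, so
! hosts outside that range are never translated.
access-list 1 permit 172.31.0.0 0.0.3.255
access-list 1 permit 172.31.4.0 0.0.3.255
!
! One route-map per WAN, so each translation is tied to its exit interface.
route-map NAT-WAN1 permit 10
 match ip address 1
 match interface Vlan4
!
route-map NAT-WAN2 permit 10
 match ip address 1
 match interface Vlan5
!
! Overload on the VLAN SVI, which holds the DHCP-assigned address,
! not on the physical switchport (FastEthernet0/0/x has no IP).
ip nat inside source route-map NAT-WAN1 interface Vlan4 overload
ip nat inside source route-map NAT-WAN2 interface Vlan5 overload
!
! Inside/outside marking as in the posted config.
interface Vlan2
 description Secure_LAN
 ip address 172.31.0.1 255.255.252.0
 ip nat inside
!
interface Vlan3
 description NonSecure_LAN
 ip address 172.31.4.1 255.255.252.0
 ip nat inside
!
interface Vlan4
 description WAN_1
 ip address dhcp
 ip nat outside
!
interface Vlan5
 description WAN_2
 ip address dhcp
 ip nat outside
!
! No "ip route 0.0.0.0 0.0.0.0 <interface>" lines: the default route is
! installed from the ISP's DHCP offer (the S* 0.0.0.0/0 entry in sh ip route).
```

To check it, generate traffic from a host on each LAN and confirm with "sh ip nat trans" that both 172.31.0.x and 172.31.4.x inside-local addresses appear, and with "sh access-list" that the hit counters on access-list 1 climb for both entries. "sh ip route" should show the DHCP-learned default rather than an interface-only static.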