Cisco 871w cannot get internet connection

snoozeit
I am trying to configure the 871w but users on the wlan and lan cannot access the internet.

Any ideas?
871w#
871w#show run
Building configuration...

Current configuration : 6270 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): with password encryption off, every secret in this listing
! (enable password, user password, both WPA pre-shared keys, the Easy VPN
! group key) is displayed in clear text. The listing has been posted publicly,
! so all of them should be treated as disclosed and changed.
! `service password-encryption` would only apply the reversible type 7
! encoding; prefer `enable secret` / `username ... secret`, which store a
! one-way hash.
no service password-encryption
!
hostname 871w
!
boot-start-marker
boot-end-marker
!
! NOTE(review): `enable password` keeps the value exactly as typed, and
! "cisco" is one of the first values anyone would try on this platform.
enable password cisco
!
aaa new-model
!
!
! Interactive logins and exec authorization are checked against the local
! user database. The ezvpn_local network-authorization list is the one named
! by `isakmp authorization list` in the ISAKMP profile further down.
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ezvpn_local local
!
!
aaa session-id common
!
! Self-signed trustpoint; presumably the one IOS generates for the HTTPS
! server enabled later in this config (`ip http secure-server`) - confirm.
! NOTE(review): the DER in the certificate chain that follows decodes to a
! 1024-bit RSA public key signed with md5WithRSAEncryption, valid from
! 2009-10-30 to 2020-01-01. Key size and signature hash are both below
! current practice, and clients cannot verify a self-signed certificate
! without pinning it.
crypto pki trustpoint TP-self-signed-2847771922
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2847771922
 revocation-check none
 rsakeypair TP-self-signed-2847771922
!
!
crypto pki certificate chain TP-self-signed-2847771922
 certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383437 37373139 3232301E 170D3039 31303330 31383434
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38343737
  37313932 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BFFD 6A9E4B33 6CA0EFDC F62D3BA5 9A9A1D41 9C9BAB10 4703468F EC6C2E85
  20894F6E FED9EB53 1D4CFAB7 EF7401F0 9D45E0F1 702EFCC6 4A356635 2C4084CF
  731A0847 F2C55C93 3CA6A693 D30B4684 877EB8B0 11589B90 15448B2C 76AB842A
  3AC80F53 B712998D 75E23B0B 0C6CD63F C66B74C2 845D981D 871A0F1A 573F6015
  679D0203 010001A3 64306230 0F060355 1D130101 FF040530 030101FF 300F0603
  551D1104 08300682 04383731 77301F06 03551D23 04183016 8014C7B3 1EF36151
  D8F807B2 8358EFB0 228668F1 2125301D 0603551D 0E041604 14C7B31E F36151D8
  F807B283 58EFB022 8668F121 25300D06 092A8648 86F70D01 01040500 03818100
  A6FF30A8 23AB8CE7 AE762B4D 64D6A8DE 7D09CD75 0EC8784D 50CE6699 453E5245
  15DD7242 0FDEC47F 42916325 E3294378 D6AFC0E1 A97020B4 20BB54DF 47B8289C
  7770CE87 3C373C01 5E0DB367 F826505A 2193920D C9C6D277 D0F991F7 DB8F9C0D
  D20D7D00 D192571D D99BB604 AAC5ADCB 17D2D6AB 533DF686 017CB67D 644A7399
        quit
dot11 syslog
!
! Internal SSID, mapped to VLAN 10. `authentication open` together with
! `authentication key-management wpa` is WPA with a pre-shared key.
! NOTE(review): `ascii 0` means the key that follows is stored unencrypted,
! and the key is a short run of digits. A long random passphrase is needed
! for WPA-PSK to resist offline guessing of a captured handshake.
dot11 ssid WLAN10
   vlan 10
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 123456789
!
! Guest SSID, mapped to VLAN 20. `guest-mode` makes this the SSID that is
! advertised in beacons.
! NOTE(review): same weakness as above - an 8-digit key stored in clear.
dot11 ssid WLAN20
   vlan 20
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 12345678
!
ip cef
!
!
no ip dhcp use vrf connected
! Keep the router's own BVI addresses (BVI20 and BVI10 below) out of the
! DHCP pools.
ip dhcp excluded-address 192.168.4.2
ip dhcp excluded-address 192.168.3.2
!
! Pool for the internal network. `import all` copies DHCP options the router
! itself learned (here presumably via `ip address dhcp` on FastEthernet4);
! no dns-server is set explicitly, so clients depend on that import for DNS.
ip dhcp pool vlan10
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.2
   lease 4
!
! Pool for the guest network; same structure, gateway is BVI20.
ip dhcp pool VLAN20
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.2
   lease 4
!
!
!
multilink bundle-name authenticated
!
!
! NOTE(review): a privilege-15 account whose password is stored in clear
! (type 0) and equals the enable password. Because AAA login uses the local
! database, this one credential covers every management login, and - via
! `client authentication list default` below - Easy VPN user authentication
! as well. Use `username ... secret` with a unique value.
username john privilege 15 password 0 cisco
!
!
! IKE phase 1 policy: 3DES, pre-shared key, Diffie-Hellman group 2 (1024-bit
! MODP). No hash line is shown, so the platform default applies.
! NOTE(review): 3DES and group 2 are legacy choices; use AES and a larger DH
! group if the image and the VPN clients support them.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! Easy VPN client group. The group key is shown in clear and is a single
! dictionary word; address pool and split-tunnel ACL are defined further down.
crypto isakmp client configuration group easyvpn
 key bluesky
 pool ezvpnpool
 acl 125
! Ties the group to local user authentication, local group authorization and
! the Virtual-Template1 tunnel interface.
crypto isakmp profile ike-profile-1
   match identity group easyvpn
   client authentication list default
   isakmp authorization list ezvpn_local
   client configuration address respond
   virtual-template 1
!
!
! IPsec phase 2: ESP with 3DES encryption and SHA-1 HMAC integrity.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ike-profile-1
!
!
! `hidekeys` only suppresses secrets in the configuration change log; it does
! not affect what `show run` prints.
archive
 log config
  hidekeys
!
!
!
! Integrated routing and bridging: lets the BVI interfaces route for the
! bridge groups defined below.
bridge irb
!
!
! LAN switch ports FastEthernet0-2 are access ports in VLAN 10 (internal).
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
!
! The repeated interface line looks like a paste artifact; it is harmless.
interface FastEthernet1
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 spanning-tree portfast
!
! No `switchport access vlan` here, so this port stays in the default VLAN
! (VLAN 1), which is also bridged into group 10 by interface Vlan1 below.
interface FastEthernet3
 spanning-tree portfast
!
! WAN port: address from the upstream DHCP server, NAT outside.
! NOTE(review): no inbound access-group or firewall inspection is visible on
! this interface. As far as this listing shows, the vty lines, the HTTP/HTTPS
! server and IKE are reachable from the outside with the credentials above.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
! Tunnel template named by `virtual-template 1` in ike-profile-1; it borrows
! FastEthernet4's address and is protected by IPsec profile1. It is marked
! NAT inside, so VPN client traffic is subject to the same NAT rules as the
! LAN once a translation statement exists.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile profile1
!
! Radio carrying both SSIDs. Each SSID's VLAN gets its own cipher setting.
! NOTE(review): TKIP is a deprecated cipher. If the radio and image support
! it, `mode ciphers aes-ccm` with WPA2 key management is the stronger choice
! for both VLANs.
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 10 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid WLAN10
 !
 ssid WLAN20
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
! Radio subinterface for VLAN 10: 802.1Q tag 10, member of bridge group 10
! (the internal network).
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
! Radio subinterface for VLAN 20: 802.1Q tag 20, member of bridge group 20
! (the guest network).
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 spanning-disabled
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
!
! VLAN 1 is bridged into group 10, so any switch port left in the default
! VLAN lands on the internal network.
interface Vlan1
 no ip address
 bridge-group 10
 bridge-group 10 spanning-disabled
!
! The Vlan10/Vlan20 interfaces carry no IP address; they only join the wired
! VLANs to bridge groups 10 and 20. Layer-3 addressing lives on the BVIs.
interface Vlan10
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan20
 description Guest Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface Vlan30
 no ip address
!
! Routed gateway for the internal network (matches default-router in DHCP
! pool vlan10).
interface BVI10
 description Bridge to Internal Network
 ip address 192.168.3.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! Routed gateway for the guest network. Guest-ACL is applied inbound, i.e. to
! traffic arriving from guest clients.
interface BVI20
 description Bridge to Guest Network
 ip address 192.168.4.2 255.255.255.0
 ip access-group Guest-ACL in
 ip nat inside
 ip virtual-reassembly
!
! Address pool handed to Easy VPN clients (12 addresses).
ip local pool ezvpnpool 192.168.11.1 192.168.11.12
ip forward-protocol nd
! NOTE(review): default route that names only the Ethernet interface, with no
! next-hop address. The router must then ARP for every destination and depends
! on the upstream device answering (proxy ARP). Since FastEthernet4 is a DHCP
! client, a default route learned from DHCP is normally the safer choice -
! verify with `show ip route`.
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
! NOTE(review): `ip http server` exposes the management UI over clear-text
! HTTP. Keep only the secure server, and restrict which sources may reach it.
ip http server
ip http secure-server
!
! Guest isolation: blocks guest traffic to the internal subnet only.
! NOTE(review): `permit ip any any` still lets guests reach the router's own
! addresses (management services) and the VPN pool 192.168.11.0/24.
ip access-list extended Guest-ACL
 deny   ip any 192.168.3.0 0.0.0.255
 permit ip any any
!
! ACL 100 has the shape of a NAT ACL (exempt LAN-to-VPN-pool traffic,
! translate everything else), but nothing in this listing references it:
! there is no `ip nat inside source` statement, so the inside/outside
! markings on the interfaces translate nothing.
access-list 100 deny   ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
! ACL 125 is the `acl 125` of the easyvpn client group (the networks VPN
! clients are told to send through the tunnel).
access-list 125 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255 log
access-list 125 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
!
control-plane
!
! Enable IP routing for both bridge groups so BVI10/BVI20 can act as gateways.
bridge 10 route ip
bridge 20 route ip
!
line con 0
 no modem enable
line aux 0
! NOTE(review): `transport input all` accepts Telnet as well as SSH, so the
! local username/password crosses the network in clear text. No access-class
! is shown, so any source that can reach the router can attempt a login.
! `transport input ssh` plus an access-class limited to management hosts is
! the usual hardening.
line vty 0 4
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

871w#

Don JohnstonInstructor
Top Expert 2015

Commented:
Looks like the NAT statement is missing.

access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
!
ip nat inside source list 1 int fa4

Author

Commented:
Thanks for your reply.
Yes, it was missing the NAT statement. Is there any reason why I cannot use the extended access list 100 for NAT?
 
 

Author

Commented:
Okay, I changed it to a standard ACL and still no luck. I cleared the config and started from scratch. It works: I can ping outside from the router up until I configure the bridge interfaces. After that, when I ping an outside IP address, it times out.
Any ideas?
 

Don JohnstonInstructor
Top Expert 2015

Commented:
Please post the current config.

Author

Commented:
Hi,
Below is the new config.

I could ping from the router to any outside public address, but after adding the default route I can no longer do that.
Users cannot get to the internet or ping any outside public address.



Thanks,


wireless#show run
Building configuration...

Current configuration : 2062 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wireless
!
boot-start-marker
boot-end-marker
!
!
! NOTE(review): this rebuilt configuration shows no enable secret, no
! username and no AAA. Confirm how management access is authenticated before
! the WAN port is connected.
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
!
! Internal pool; gateway is BVI10 (192.168.3.1). No `ip dhcp excluded-address`
! is shown for the gateway addresses in this listing.
! `import all` copies DHCP options the router itself learned; no dns-server
! is set explicitly.
ip dhcp pool 10
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
!
! Guest pool; gateway is BVI20 (192.168.4.1).
ip dhcp pool vlan20
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1
!
!
!
multilink bundle-name authenticated
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
! Only FastEthernet0 is placed in VLAN 10. FastEthernet1-3 carry no
! `switchport access vlan`, so they stay in the default VLAN (VLAN 1), which
! interface Vlan1 below also bridges into group 10.
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! WAN port: DHCP client, NAT outside.
! NOTE(review): no inbound access-group or firewall inspection is visible on
! this interface.
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Radio is administratively down; no SSIDs or ciphers are configured in this
! listing.
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
! VLAN 1 and VLAN 10 are both bridged into group 10 (internal); VLAN 20 is
! bridged into group 20 (guest). None of the Vlan interfaces has an address;
! the BVIs are the routed gateways.
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan10
 description internal
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Vlan20
 description guest
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 20
 bridge-group 20 spanning-disabled
!
interface BVI10
 description internal network
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! NOTE(review): no access-group is applied here, so in this listing nothing
! separates the guest subnet from the internal subnet - the router will route
! between BVI20 and BVI10 freely.
interface BVI20
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
! NOTE(review): default route that names only the Ethernet interface, with no
! next-hop address. The router then ARPs for every destination and depends on
! the upstream device answering (proxy ARP). A static route like this also
! takes precedence over a default route learned by the DHCP client on
! FastEthernet4 - compare `show ip route` with and without this line.
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
! Web management is disabled in this listing.
no ip http server
no ip http secure-server
! Port address translation of sources matched by ACL 1 to FastEthernet4's
! address.
ip nat inside source list 1 interface FastEthernet4 overload
!
! NOTE(review): as displayed, these entries have no wildcard mask, which for
! a standard ACL matches only the single address shown (192.168.3.0 and
! 192.168.4.0), not the /24 subnets. No real client address matches, so no
! client traffic is translated. The subnet form is
! `access-list 1 permit 192.168.3.0 0.0.0.255` (likewise for 192.168.4.0).
access-list 1 permit 192.168.3.0
access-list 1 permit 192.168.4.0
!
!
!
!
control-plane
!
! Spanning-tree protocol and IP routing for each bridge group.
bridge 10 protocol ieee
bridge 10 route ip
bridge 20 protocol ieee
bridge 20 route ip
!
line con 0
 no modem enable
line aux 0
! NOTE(review): no password, login method, transport restriction or
! access-class is shown for the vty lines. Confirm how remote logins are
! handled before this router faces the internet.
line vty 0 4
!
scheduler max-task-time 5000
end

Author

Commented:
The users are on the LAN, not the WLAN; I have removed the VPN and WLAN for now.
Instructor
Top Expert 2015
Commented:
Why are you putting the VLAN interfaces in a bridge group? A bridge group and a VLAN are the same thing.

Assign the IP addresses to the VLAN interface.

Author

Commented:
That did not solve it. My goal is to have an internal network (WLAN and LAN) and a guest network (WLAN). What changes can I make in the above config to accomplish that?


Don JohnstonInstructor
Top Expert 2015

Commented:
I'm not following you.  Can you provide a topology diagram?

Author

Commented:

Here is the diagram; click this link:

http://i.i.com.com/cnwk.1d/i/tr/downloads/images/cisco_871/cisco_871_a.png


Author

Commented:
Thanks
