Cannot access Internet from behind Cisco 887

Posted on 2010-11-24
Last Modified: 2012-05-10
I have just purchased an 887 ADSL Router to replace my ageing Netgear and have never set up one of these before. I have a small amount of experience with a PIX-501 firewall.

I followed the start up wizard and entered all the details as I understand them from my ISP. I have a static IP but I set the WAN address type as IP Negotiated as I do not know the IP address and on my old modem I had it set to DHCP and it worked ok.

My provider told me I was connected but I could not browse. And using the built-in interface to ping, it timed out and got no responses.

Where should I be looking to rectify this issue?

yourname#show running-config
Building configuration...

Current configuration : 8063 bytes

! Last configuration change at 12:35:15 PCTime Thu Nov 25 2010 by cct
! NVRAM config last updated at 12:32:14 PCTime Thu Nov 25 2010 by cisco

version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers

hostname yourname

security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$GUhI$szUxF9mjhPtZ.mGKyd3Uy/

no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00

crypto pki trustpoint TP-self-signed-1036814177
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1036814177
 revocation-check none
 rsakeypair TP-self-signed-1036814177

crypto pki certificate chain TP-self-signed-1036814177
 certificate self-signed 01


no ip source-route

ip dhcp excluded-address

ip dhcp pool ccp-pool1
   import all

ip cef
no ip bootp server
no ip domain lookup
ip domain name
no ipv6 cef

license udi pid CISCO887-K9 sn FHK144574YL

username cct privilege 15 secret 5 $1$XDFZ$JC188p8JVxbEeRy8Rp6re/

ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2

class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any sdm-cls-bootps
 match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-protocol-http
 match protocol http

policy-map type inspect ccp-permit-icmpreply
 class type inspect sdm-cls-bootps
 class type inspect ccp-icmp-access
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
 class type inspect ccp-insp-traffic
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
 class class-default

zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 isdn termination multidrop

interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive

interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface Vlan1
 ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452

interface Dialer0
 description $FW_OUTSIDE$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7 0501015A3B19460B4106
 ppp pap sent-username password 7 12130242085E04067228
 no cdp enable


ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface ATM0.1 overload

ip access-list extended SDM_BOOTPC
 remark CCP_ACL Category=0
 permit udp any any eq bootpc

logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
dialer-list 1 protocol ip permit
no cdp run

banner exec ^C
% Password expiration warning.

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.

banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh

scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500


Question by:Rondog_88
LVL 10

Accepted Solution

Wolfhere earned 500 total points
ID: 34210337
Is your DNS dynamic or static? I do not see any DNS entries. There are no "ip name-server 'address'" entries.
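
The check this answer describes, written out as an added example (not code from the thread): it scans a running-config for `ip name-server` and, going a step beyond the answer, for a `dns-server` line in each DHCP pool and for `no ip domain lookup`. The sample config is a constructed excerpt modelled on the paste above, and the function names are hypothetical.

```python
import re

# Constructed excerpt modelled on the posted config (not the full paste).
SAMPLE = """\
no ip domain lookup
ip dhcp pool ccp-pool1
   import all
interface Dialer0
 ip address dhcp
 zone-member security out-zone
"""

def parse_blocks(config):
    """Map each top-level IOS line to the indented lines beneath it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines (pastes are often double-spaced) and comments
        if not line[0].isspace():
            current = line
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_dns(config):
    """Return findings about name resolution for the router and its DHCP clients."""
    blocks = parse_blocks(config)
    findings = []
    if not any(re.match(r"ip name-server \S+", top) for top in blocks):
        findings.append("no 'ip name-server <address>' configured")
    if "no ip domain lookup" in blocks:
        findings.append("'no ip domain lookup': router will not resolve names itself")
    for top, children in blocks.items():
        if not top.startswith("ip dhcp pool "):
            continue
        if not any(c.startswith("dns-server ") for c in children):
            hint = " (only 'import all')" if "import all" in children else ""
            findings.append(f"{top}: no 'dns-server' for clients{hint}")
    return findings

if __name__ == "__main__":
    for finding in audit_dns(SAMPLE):
        print("FINDING:", finding)
```

A pool that has only `import all` depends on the WAN side actually handing out DNS servers, which is why it is reported separately from a pool with an explicit `dns-server`.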

Author Comment

ID: 34210371
DNS is static, I'm using my ISP's DNS. I realised that and have now input that. So I will accept your answer as the solution.

However my NAT isn't working correctly, some entries are working: IE: 80, 25, 443. But 5721 is not and the local IP is correct, it's functioning. I'm using to check.

Any thoughts there?
LVL 10

Expert Comment

ID: 34212802
I think you are on the right track Ron (
