Juneaucounty asked:

Cisco Router 881 setup to route my LAN to internet

I have a Cisco 881 and I want to route multiple computers to the router to get out to the internet.

My internal (LAN) ip scheme 172.20.X.X
My internet (outside) ip address is 1.1.1.1 (example)

My internal (LAN) network is plugged into FastEthernet 0
My internet (global) outside is plugged into FastEthernet 4

If I set up my computers' default gateway to 172.20.0.246, I am not getting out to the internet. What am I doing wrong?

Here is my config:

Building configuration...


! Last configuration change at 16:47:47 UTC Thu Apr 4 2013
! NVRAM config last updated at 21:04:40 UTC Wed Mar 27 2013
! NVRAM config last updated at 21:04:40 UTC Wed Mar 27 2013

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname Roger
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RH.e$bLnsdf2sdfyQssdfsdfsWsdfsdIsdfsdfAgDUgwatdSbEA.
enable password 7 143D4asdsdffsd15F59sdf077273750107
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1702853P
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 172.20.0.246 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 172.20.0.0 25 1.1.1.1 25 extendable
ip nat inside source static tcp 172.20.0.0 80 1.1.1.1 80 extendable
ip nat inside source static tcp 172.20.0.0 443 1.1.1.1 443 extendable
!
access-list 1 permit 172.20.0.0 0.0.0.255
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 132F4446sdfsd5E0F5C727A
 login
 transport input all
!
end

Shane McKeown

I assume you are assigning your IPs to clients manually? Don't see a DHCP pool...

This command line is also missing

ip route 0.0.0.0 0.0.0.0 Fastethernet4

Juneaucounty (ASKER)

Yes, my clients already have an IP address from an internal DHCP server.

I tried the command:

ip route 0.0.0.0 0.0.0.0 fastethernet4

I get an error:

Default route without gateway, if not a point-to-point interface, may impact performance
This is an 881...so that model doesn't have a WAN port as such does it?

Try these commands instead...

ip default-gateway 1.1.1.1 (replace 1.1.1.1 with your external IP)
ip route 0.0.0.0 0.0.0.0 1.1.1.1

See if that works...

As it stands now, from the router can you ping these?

ping 8.8.8.8
ping www.google.com

Do they return replies?
Yes this is an 881 and yes it does have a WAN port (fastethernet 4).

I tried the following commands that you suggested.


ip default-gateway 1.1.1.1 (replace 1.1.1.1 with your external IP)
ip route 0.0.0.0 0.0.0.0 1.1.1.1


The ip default-gateway command worked but the ip route command said Incomplete command.

I researched and I think it needs the mask

So I tried:

ip route 0.0.0.0 255.255.0.0 1.1.1.1

Then I get this error:


%Invalid next hop address (it's this router)
Oh, and I cannot ping www.google.com or 8.8.8.8 from router
Yep, that's what I thought (about the ip route command with the ip address at end)

Normally the ip route command takes the 'wan interface' at the end - or the next hop...

Actually that might work - what's the gateway address of your ISP? That's what should be put at end of this command

ip route 0.0.0.0 0.0.0.0 1.1.1.2 - note this should be the gateway from your ISP(should work)
Should I remove the default-gateway?
Em...yes, don't think that is needed once you get the route command setup correctly...

So remove default gateway
Try new route command
If it takes without error - ping 8.8.8.8, ping www.google.com - test to see you have connectivity
OK, I removed default gateway

For new route I typed:

ip route 0.0.0.0 255.255.0.0 1.1.1.2

It took it with no errors but I still cannot ping 8.8.8.8

Is my subnet mask wrong? The 255.255.0.0? That is my internal (LAN) subnet mask
No that is wrong...

ip route 0.0.0.0 0.0.0.0 1.1.1.2

It's 4 zeros, 4 zeros, ISP gateway...

You don't use 255.255.0.0 in there...
OK, I tried that but still same results. I cannot ping 8.8.8.8

This is what I typed:

ip route 0.0.0.0 0.0.0.0 1.1.1.2
No...sorry I am not getting this across obviously...

1.1.1.2 - this is a dummy ip address - you need to find out what your ISP's default gateway is

For example you listed your running config using 1.1.1.1 as your external WAN ip ok?
I'm basically doing something similar - 1.1.1.2 is my example - you need to get your ISP's default gateway and put it in there...

For some reason your router will not accept the 'ip route 0.0.0.0 0.0.0.0 fastethernet4' command - so we have to use the 'next hop router' address - which in this case is your ISP's default gateway...

When you received your WAN IP address from your ISP they would have provided a few more details with it - one of which is the default gateway - can you find that? Or ask them?
Oh sorry, yes I am using my ISP default gateway and it still isn't working. I cannot ping 8.8.8.8
Oh...ok, thanks for the update (I was getting confused!)

Can you ping the ISP gateway then? If you can't ping the gateway then we are missing something...
Last thing - are you pinging these from the router? That's what I wanted sorry...not from a client - from the router itself

ping 8.8.8.8

What does this return from the router?
No, I cannot ping the ISP gateway either
Yes, I am pinging from the router and no luck... it doesn't work
Right...quick question

I don't see a Dialer interface (on any of the Cisco routers I've worked with I've always had to create a Dialer interface to talk to the ISP)

Did your ISP give you a username/password to connect to their side? If they did then there's another bit of work to do...

From your config you are just assigning your WAN IP to FA0/4 - but if they gave you a username/password for authentication to their side then this isn't correct...

Are you configuring this router straight from command line? No SDM web interface?
Yes, they gave us a username and password in order for us to use the internet
Right, then there is a lot missing from the config...

Have you access to SDM? The GUI tool that is used to configure routers? It will be a lot faster to get this working...if not then I'll try to build the config and we can test...

Sandeep Gupta
If you have username/password for internet, then you need to configure your WAN like this:

interface Fast4
 bandwidth <<kbps>>
 no ip address
 no ip redirects
 speed auto
 duplex auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 no shut
!
interface Dialer1
 mtu 1492
 bandwidth <<kbps>>
 ip address 1.1.1.1 255.255.255.255
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp chap hostname <<username>>
 ppp chap password <<password>>
 ppp pap sent-username  <<username>> password <<password>>
 ppp pap refuse


don't forget to change NAT rule

ip nat inside source list 1 interface dialer 1 overload

put default route

ip route 0.0.0.0 0.0.0.0 di 1
Sorry, I have been gone out of town for a few days. I am back now. I will try these commands today and let you know what I find
OK, so this is what I have now for a config and I still cannot ping 8.8.8.8 or my ISP default gateway:

Building configuration...

Current configuration : 2057 bytes
!
! Last configuration change at 20:42:53 UTC Mon Apr 8 2013
! NVRAM config last updated at 20:42:55 UTC Mon Apr 8 2013
! NVRAM config last updated at 20:42:55 UTC Mon Apr 8 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Roger
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RH.e$bLnsdf2sdfyQssdfsdfsWsdfsdIsdfsdfAgDUgwatdSbEA.
enable password 7 143D4asdsdffsd15F59sdf077273750107
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1702853P
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 no ip address
 no ip redirects
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 172.20.0.246 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 mtu 1492
 ip address 1.1.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no ip route-cache
 dialer pool 1
 dialer-group 1
 ppp chap hostname Juneau
 ppp chap password 7 011D0901534760A0Faa03
 ppp pap sent-username Juneau password 7 04550403022045345345542
 ppp pap refuse
 no cdp enable
!
interface Dialer12
 no ip address
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 172.20.0.0 0.0.0.255
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 132F44465443E0FCCF5C727A
 login
 transport input all
!
end
I can't even ping my 1.1.1.1 address from my ISP
I have doubt on public IP given by your ISP provider..

can you ping/trace your ISP side IP from outside?

go to:

http://whatismyipaddress.com/

put the IP provided by your ISP and check it..ping, trace.

also can you show me your arp?
Couple of questions...

Have you asked your ISP about your setup? I mean have they said it's a PPPOE connection? Normally on a PPPOE type dialer setup you don't specify the ip address in the config, it's provided by this line

interface Dialer1
 mtu 1492
 ip address negotiated

Where in the config above you have

 ip address 1.1.1.1 255.255.255.248

On all connections I've ever set up from Cisco routers with PPPOE the Dialer interface didn't have the IP specified...again not saying this isn't correct - but can you get clarification from your ISP as to how the setup should be?

Ask them if you assign the static ip to your WAN interface - or if it's a PPPOE type connection where you provide the username/password and the ip is supplied as part of the handshake...
smckeown777

static or dynamic IP allocation is ISP product rule..

it doesn't mean if it is dialer/pppoe then it should be negotiated (dynamic IP).

in many cases I had issue with dynamic IP due to static cryptos thus I requested ISP to give me fix IP on same set-up and they did it for me.
Ok, no problem @guptasan...I was just trying to be sure since if we have this info (i.e. do you assign ip static to interface or no) then we can get to the root cause quicker...but thanks for the update...

Can you see anything else wrong with the config? Next thing I'd be doing is PPPOE debug messages...as we need to determine if the pppoe session is even connecting...
I requested author to give us arp details and also sh user

also check the public IP are activated in INTERNET ??
OK, I talked with my ISP and they gave me the wrong IP addresses so I put in the new ones and now I still cannot ping out with this configuration. If I put back my old configuration I can ping 8.8.8.8 from the router. I can also ping my default gateway and www.google.com. What isn't working is I still cannot get out to the internet from my machine. I put my laptop default gateway to 172.20.0.246 (which is interface 0)

This is the config that I currently have that works with pinging from the router:

Building configuration...

Current configuration : 1855 bytes
!
! Last configuration change at 17:15:52 UTC Tue Apr 9 2013
! NVRAM config last updated at 17:16:55 UTC Tue Apr 9 2013
! NVRAM config last updated at 17:16:55 UTC Tue Apr 9 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Roger
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$RH.e$bLn2yQWIAAAGgDEFUgwatdSbEA.
enable password 7 143D415EGF59077289773750107
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1702853P
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet2
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet3
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet4
 ip address 216.56.60.50 255.255.255.255
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan2
 ip address 172.20.0.246 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 172.20.0.0 25 216.56.60.50 25 extendable
ip nat inside source static tcp 172.20.0.0 80 216.56.60.50 80 extendable
ip nat inside source static tcp 172.20.0.0 443 216.56.60.50 443 extendable
ip route 0.0.0.0 0.0.0.0 216.56.60.50
!
access-list 1 permit 172.20.0.0 0.0.0.255
no cdp run
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password 7 132F444898E65Esadf0F5C727A
 login
 transport input all
!
end
OK, so your ISP gave to /32 IP and this is correct.

see:


Pinging 216.56.60.50 with 32 bytes of data:

Reply from 216.56.60.50: bytes=32 time=343ms TTL=243
Reply from 216.56.60.50: bytes=32 time=301ms TTL=243
Reply from 216.56.60.50: bytes=32 time=299ms TTL=244


now do like this

int loopback 100
ip address 216.56.60.50 255.255.255.255

in fa4
ip unnumbered lo100

ip route 0.0.0.0 0.0.0.0 lo100

also change nat

ip nat inside source list 1 interface lo100 overload
When typing

int faste4
ip unnumbered loopback 100

I get this error:

Point-to-point (non-multi-access) interfaces only


I guess I don't understand why I can't have my interface4 to be my outside ip address 216.56.60.50. Why are you having me remove that from int fast 4 and adding it to loopback 100 interface?
I talked with my ISP and they gave me the wrong IP addresses so I put in the new ones and now I still cannot ping out with this configuration. If I put back my old configuration I can ping 8.8.8.8 from the router. I can also ping my default gateway and www.google.com. What isn't working is I still cannot get out to the internet from my machine. I put my laptop default gateway to 172.20.0.246 (which is interface 0)

Ok, so that sounds good - you have connectivity to the outside...

Are you assigning ip manually on laptop?
What does this command show on the router when you are trying to ping 8.8.8.8 from your laptop?

sh ip nat tr
Yes, my static IP on my laptop is set up to 172.20.1.16. Then I got to thinking that I would try 172.20.0.X number and then I could get to the internet. I think I need to add 172.20.1.X to my access list as permit in order to use the 172.20.1.X ip address, correct?
ASKER CERTIFIED SOLUTION
Shane McKeown
This solution is only available to members.
ok, sounds good.. Yes that worked. I can now access the internet from my laptop. Thank you so much for your help.
This expert was really great to work with. Thank you so much for your help!
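
The access-list question the asker raises near the end of the thread, worked through as an added example (not code from the thread or from the hidden accepted solution): a Python check that reads the NAT-relevant lines of the posted config and reports whether an inside host is matched by the ACL that drives `ip nat inside source list 1 ... overload`. The function names and the trimmed sample config are constructed for illustration; the wider ACL entry it returns is simply the inverse of the Vlan2 mask.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 216.56.60.50 255.255.255.255
 ip nat outside
interface Vlan2
 ip address 172.20.0.246 255.255.0.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 172.20.0.0 0.0.0.255
"""

def acl_matches(ip, base, wildcard):
    """Standard ACL match: bits set in the wildcard are 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & care == int(ipaddress.IPv4Address(base)) & care

def parse(config):
    """Return (NAT-inside networks, {acl number: [(base, wildcard)]}, ACLs used for PAT)."""
    inside, acls, pat, addr = [], {}, [], None
    for line in config.splitlines():
        s = line.strip()
        if line.startswith("interface "):
            addr = None  # new interface block, forget the previous address
        elif m := re.match(r"ip address ([\d.]+) ([\d.]+)$", s):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif s == "ip nat inside" and addr is not None:
            inside.append(addr)
        elif m := re.match(r"access-list (\d+) permit ([\d.]+) ([\d.]+)$", s):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := re.match(r"ip nat inside source list (\d+) interface \S+ overload", s):
            pat.append(m[1])
    return inside, acls, pat

def is_translated(host, config):
    """True if host sits on a NAT-inside subnet and a PAT ACL permits it."""
    inside, acls, pat = parse(config)
    on_inside = any(ipaddress.ip_address(host) in net for net in inside)
    return on_inside and any(acl_matches(host, b, w) for n in pat for b, w in acls.get(n, []))

def suggested_entry(config):
    """One ACL line per NAT-inside subnet, using the inverted mask as wildcard."""
    inside, _, pat = parse(config)
    return [f"access-list {pat[0]} permit {n.network_address} {n.hostmask}" for n in inside]
```

With the posted config, 172.20.0.x hosts are translated and 172.20.1.16 is not, which matches what the asker observed from the laptop.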