This was working and all of a sudden it stopped. I believe the tunnel still may work but because it can't connect to the Internet, I can't test. Can anyone help?
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname!
boot-start-marker
boot system flash
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2393214007
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2393214007
revocation-check none
rsakeypair TP-self-signed-2393214007
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 address x.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to TC
set peer x.x.x.x
set transform-set ESP-3DES-SHA3
set pfs group1
match address 102
!
!
dot11 ssid
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.3.152.1 10.3.152.99
!
ip dhcp pool sdm-pool1
import all
network 10.3.152.0 255.255.255.0
default-router 10.3.152.1
domain-name
dns-server 10.3.101.21 10.3.110.21
!
!
no ip bootp server
no ip domain lookup
ip domain name
ip name-server
ip name-server 10.3.110.20
ip name-server 10.3.101.21
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
multilink bundle-name authenticated
!
!
username admin privilege 15
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
class-map match-any shape
match any
class-map match-any voice
match access-group 5
!
!
policy-map voice-traffic
class voice
priority 64
class class-default
fair-queue
policy-map shape-traffic
class shape
shape average 256000
service-policy voice-traffic
!
!
bridge irb
!
!
interface FastEthernet0
service-policy output shape-traffic
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
encryption mode ciphers tkip
!
ssid
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.3.152.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.3.152.0 0.0.0.255
access-list 5 permit 10.3.152.50
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip 10.3.110.0 0.0.0.255 10.3.152.0 0.0.0.255
access-list 101 permit udp host 12.250.41.46 any eq non500-isakmp
access-list 101 permit udp host 12.250.41.46 any eq isakmp
access-list 101 permit esp host 12.250.41.46 any
access-list 101 permit ahp host 12.250.41.46 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.3.152.0 0.0.0.255 10.3.110.0 0.0.0.255
access-list 102 permit ip 10.3.152.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.3.152.0 0.0.0.255 10.11.15.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.3.152.0 0.0.0.255 10.3.110.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.3.152.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.3.152.0 0.0.0.255 10.3.101.0 0.0.0.255
access-list 103 permit ip 10.3.152.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.152.0 0.0.0.255 10.3.101.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.3.152.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.3.152.0 0.0.0.255 10.3.110.0 0.0.0.255
access-list 107 permit ip 10.3.152.0 0.0.0.255 10.11.14.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 23 in
privilege level 15
password
login local
transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn cef
end
cisco871#
Last Comment: vianceadmin, 8/22/2022 - Mon
Don Johnston
Is the F4 interface up? (show ip int brief)
Are you receiving a default route? (show ip route)
vianceadmin
ASKER
cisco871#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES DHCP   up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
Vlan1                      unassigned      YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up
BVI1                       10.3.152.1      YES NVRAM  up                    up
cisco87#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.3.152.0 is directly connected, BVI1
cisco871#
Don Johnston
There's your problem... You don't have an IP address (or a default route).
I would either bounce the interface (shut it down and then bring it back up) or remove the IP address assignment and reapply it.
FastEthernet 4 is connected to the Internet (ISP) so it's getting its IP dynamically (don't know what it is). So would I just do a command to send all traffic to FastEthernet 4? Is there a way to see what the IP is on the WAN interface that it is getting from the ISP?
Don Johnston
Yes. "show ip int brief"
Yours shows:
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet4              unassigned      YES DHCP   up                    up
vianceadmin
ASKER
Still showing as unassigned... Does that mean it's just not getting an IP from the ISP? Did a shutdown on the interface and brought it back up...
"Does that mean it's just not getting an IP from the ISP?"
Correct.
Since the interface is showing UP/UP, it would appear that you have a connection. You're just not getting a reply from their DHCP server. So I would contact the ISP.
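The check walked through in this thread, written as a small parser (an added example, not part of the original thread). The function names are made up for illustration, and the sample text is a subset of the output the asker pasted above.

```python
import re

# Subset of the output pasted in the thread (values unchanged).
SH_IP_INT_BRIEF = """\
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset down down
FastEthernet4 unassigned YES DHCP up up
BVI1 10.3.152.1 YES NVRAM up up
"""
SH_IP_ROUTE = """\
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.3.152.0 is directly connected, BVI1
"""

def parse_int_brief(text):
    """Return one dict per interface row of 'show ip interface brief'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] == "Interface":
            continue
        # Status may be two words ("administratively down"); protocol is last.
        rows.append({"name": f[0], "ip": f[1], "method": f[3],
                     "status": " ".join(f[4:-1]), "protocol": f[-1]})
    return rows

def has_default_route(text):
    """True if 'show ip route' reports a gateway of last resort."""
    return bool(re.search(r"Gateway of last resort is (?!not set)", text))

def diagnose(brief, routes):
    """List findings for DHCP-addressed interfaces and the default route."""
    findings = []
    for r in parse_int_brief(brief):
        if r["method"] != "DHCP" or r["ip"] != "unassigned":
            continue
        if r["status"] == "up" and r["protocol"] == "up":
            findings.append(f"{r['name']}: link up/up but no DHCP lease "
                            "(no reply from the upstream DHCP server)")
        else:
            findings.append(f"{r['name']}: no lease, link is "
                            f"{r['status']}/{r['protocol']}")
    if not has_default_route(routes):
        findings.append("no default route (gateway of last resort is not set)")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SH_IP_INT_BRIEF, SH_IP_ROUTE)))
```

An up/up interface with no lease points at the upstream DHCP server, while a down link would point at cabling or the modem first.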