Cisco 871 router cannot connect to the Internet

Posted on 2014-12-08
Last Modified: 2015-01-14
This was working and all of a sudden it stopped. I believe the tunnel still may work but because it can't connect to the Internet, I can't test. Can anyone help?

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
boot system flash
logging buffered 51200
logging console critical

no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-2393214007
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2393214007
 revocation-check none
 rsakeypair TP-self-signed-2393214007
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 address x.x.x.x
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to TC
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA3
 set pfs group1
 match address 102
dot11 ssid
   authentication open
   authentication key-management wpa
   wpa-psk ascii
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp pool sdm-pool1
   import all
no ip bootp server
no ip domain lookup
ip domain name
ip name-server
ip name-server
ip name-server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
multilink bundle-name authenticated
username admin privilege 15
 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
class-map match-any shape
 match any
class-map match-any voice
 match access-group 5
policy-map voice-traffic
 class voice
  priority 64
 class class-default
policy-map shape-traffic
 class shape
  shape average 256000
  service-policy voice-traffic
bridge irb
interface FastEthernet0
 service-policy output shape-traffic
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
interface Dot11Radio0
 no ip address
 encryption mode ciphers tkip
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 5 permit
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host any
access-list 100 deny   ip any
access-list 100 permit ip any any
access-list 101 permit ip
access-list 101 permit udp host any eq non500-isakmp
access-list 101 permit udp host any eq isakmp
access-list 101 permit esp host any
access-list 101 permit ahp host any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip
access-list 102 permit ip
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip
access-list 103 remark IPSec Rule
access-list 103 deny   ip
access-list 103 remark IPSec Rule
access-list 103 deny   ip
access-list 103 remark IPSec Rule
access-list 103 deny   ip
access-list 103 permit ip any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip
access-list 107 permit ip
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 103
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

webvpn cef

Question by:vianceadmin
LVL 50

Expert Comment

by:Don Johnston
ID: 40486664
Is the F4 interface up? (show ip int brief)
Are you receiving a default route? (show ip route)

Author Comment

ID: 40486742
cisco871#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    up  
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES DHCP   up                    up  
Dot11Radio0                unassigned      YES NVRAM  up                    up  
Vlan1                      unassigned      YES NVRAM  up                    up  
NVI0                       unassigned      NO  unset  up                    up  
BVI1                   YES NVRAM  up                    up  

cisco87#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set is subnetted, 1 subnets
C is directly connected, BVI1
LVL 50

Expert Comment

by:Don Johnston
ID: 40486755
There's your problem... You don't have an IP address (or a default route).

I would either bounce the interface (shut it down and then bring it back up) or remove the IP address assignment and reapply it.

Author Comment

ID: 40486764
FastEthernet 4 is connected to the Internet (ISP) so it's getting its IP dynamically (don't know what it is). So would I just do a command to send all traffic to FastEthernet 4? Is there a way to see what the IP is on the WAN interface that it is getting from the ISP?
LVL 50

Expert Comment

by:Don Johnston
ID: 40486782
Yes. "show ip int brief"

Yours shows:
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet4             unassigned      YES DHCP   up                    up

Author Comment

ID: 40486787
Still showing as unassigned...Does that mean it's just not getting an IP from the ISP?  Did a shutdown on the interface and brought it back up...
LVL 50

Expert Comment

by:Don Johnston
ID: 40486810
"Does that mean it's just not getting an IP from the ISP?"

Since the interface is showing UP/UP, it would appear that you have a connection.  You're just not getting a reply from their DHCP server. So I would contact the ISP.

Accepted Solution

vianceadmin earned 0 total points
ID: 40541137
I was missing the access-list to allow DHCP requests on the WAN interface (to allow it to get an IP from the ISP).
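
Added example (not part of the original thread, and not the author's actual fix): a small Python check for the failure described in the accepted solution, where an interface using `ip address dhcp` sits behind an inbound numbered ACL whose implicit deny drops the DHCP server's reply (UDP 67 to 68). The sample config is constructed, 192.0.2.1 is a placeholder peer address, and the `permit udp any eq bootps any eq bootpc` line in `AFTER` is an assumed, commonly used form of the missing entry; only `eq` port matches are understood.

```python
import re

PORTS = {"bootps": 67, "bootpc": 68, "isakmp": 500, "non500-isakmp": 4500}

def _endpoint(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT'."""
    head = tok.pop(0)
    addr = head if head == "any" else head + " " + tok.pop(0)
    port = None
    if tok[:1] == ["eq"]:
        port = PORTS.get(tok[1], int(tok[1]) if tok[1].isdigit() else -1)
        del tok[:2]
    return addr, port

def acl_allows_dhcp_reply(config, acl):
    """First-match walk of a numbered ACL for a reply from udp/67 to udp/68."""
    for line in config.splitlines():
        m = re.match(rf"access-list {acl} (permit|deny)\s+(\S+)\s+(.*)", line.strip())
        if not m:
            continue
        tok = m.group(3).split()
        try:
            (src, sport), (dst, dport) = _endpoint(tok), _endpoint(tok)
        except IndexError:
            continue  # redacted or truncated entry: cannot be evaluated
        # Assumption: the ISP's DHCP server address is not known in advance,
        # so only entries with 'any' as source and destination count as a match.
        if (m.group(2) in ("ip", "udp") and src == dst == "any"
                and sport in (None, 67) and dport in (None, 68)):
            return m.group(1) == "permit"
    return False  # implicit deny at the end of every ACL

def dhcp_clients_blocked(config):
    """Interfaces using 'ip address dhcp' behind an inbound ACL that drops replies."""
    blocked = []
    for m in re.finditer(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        name, body = m.groups()
        grp = re.search(r"^ ip access-group (\d+) in$", body, re.M)
        if grp and "ip address dhcp" in body and not acl_allows_dhcp_reply(config, grp.group(1)):
            blocked.append(name)
    return blocked

# Constructed sample; 192.0.2.1 is a documentation placeholder for the VPN peer.
BEFORE = """\
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
access-list 101 permit udp host 192.0.2.1 any eq isakmp
access-list 101 permit esp host 192.0.2.1 any
"""
AFTER = BEFORE + "access-list 101 permit udp any eq bootps any eq bootpc\n"

print(dhcp_clients_blocked(BEFORE), dhcp_clients_blocked(AFTER))
```

Entries with redacted addresses, like those in the config posted above, are skipped rather than guessed at, so run it against the unredacted running-config.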

Author Closing Comment

ID: 40548534
None of the answers worked.  I came up with a solution on my own.


Question has a verified solution.
