jgrammer42
Internet access is blocked through Cisco 819 router
I have a Cisco 819 router that has been in service for a couple of years. Works great.
I have a need to change the VLAN local LAN IP addressing scheme from 192.168.1.x to 10.5.50.x
However, when I change the entries below to the new scheme, all of the workstations stop accessing the internet. I HAVE to just be missing something. Something I am not seeing in the configuration.
Can anyone see what I am missing? Again, all I am changing is the 192.168.1.x to 10.5.50.x
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
dns-server 166.102.165.11 8.8.4.4
default-router 192.168.1.1
!
!
!
ip domain name gwik.com
ip name-server 4.2.2.1
ip name-server 8.8.4.4
ip cef
no ipv6 cef
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2wan interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 173.91.4.21 10 track 10
ASKER
Predrag,
Here is the full config, (with some of the Internet IP addressing changed for security reasons.)
Can you provide me with the exact syntax that I am missing in the commands?
I have indicated in the configuration below what lines I changed. And only those lines. But when I made those changes in the running-config and then refreshed my workstation IPs, they did pull an IP address of 10.5.50.x, but could NOT access the Internet.
I hope this clarifies in detail what I am needing help with.
thank you,
(the following is the full configuration of the Cisco 819 router)
!
! Last configuration change at 19:31:36 UTC Tue Nov 3 2015 by absadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dino-819
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
(the above line I changed to the following line in the running-config)
ip dhcp excluded-address 10.5.50.1 10.5.50.100
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
(the above line I changed to the following line in the running-config)
network 10.5.50.0 255.255.255.0
dns-server 166.102.165.11 8.8.4.4
default-router 192.168.1.1
(the above line I changed to the following line in the running-config)
default-router 10.5.50.1
!
!
!
ip domain name kwikit.org
ip name-server 4.2.2.1
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL1" TIMEOUT 20
!
!
!
!
!
!
cts logging verbose
license udi pid C819G-4G-VZ-K9 sn FTX1928827L
!
!
username absadmin privilege 15 secret 5 $1$Vcvj$mEo039e8ijNypGa0/x c4w.
username gwik privilege 15 secret 5 $1$pUK2$OVvy.c3gT3gAnKnlfZ 7S3/
username netadmin privilege 15 secret 5 $1$oUV4$v.6.L4lnjkM8VeYBR5 zN51
!
!
!
!
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
track 10 list boolean or
object 11
object 12
delay down 5 up 5
!
track 11 ip sla 1 reachability
!
track 12 ip sla 2 reachability
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface Cellular0
ip address negotiated
ip access-group WAN in
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
ip address 173.91.4.25 255.255.255.248
ip access-group WAN in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
(the last change I made was the above line to the following line in the running-config)
ip address 10.5.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local policy route-map ip-sla
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.100 100 interface GigabitEthernet0 100
ip nat inside source static tcp 192.168.1.210 3391 interface GigabitEthernet0 3391
ip nat inside source static tcp 192.168.1.211 3392 interface GigabitEthernet0 3392
ip nat inside source route-map nat2cell interface Cellular0 overload
ip nat inside source route-map nat2wan interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 173.91.4.21 10 track 10
ip route 0.0.0.0 0.0.0.0 Cellular0 20
!
ip access-list extended WAN
permit udp any eq bootps any eq bootpc
permit tcp any any eq 3391
permit tcp any any eq 3392
permit tcp any any eq 100
permit tcp any any eq 11990 12005
permit icmp any any echo-reply
permit tcp host 12.150.103.129 any eq 22
permit tcp any any gt 1024
permit udp any any gt 1024
permit udp any eq domain any
permit tcp any any established
permit tcp host 172.14.35.46 any eq 22
deny ip any any
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0
threshold 500
timeout 500
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 4.2.2.2 source-interface GigabitEthernet0
threshold 500
timeout 500
frequency 5
ip sla schedule 2 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type immediate
ip sla reaction-configuration 2 react timeout threshold-type immediate
ip sla enable reaction-alerts
dialer-list 1 protocol ip permit
!
route-map nat2wan permit 10
match ip address 101
match interface GigabitEthernet0
!
route-map ip-sla permit 10
match ip address 110
set ip next-hop 173.91.4.21
set interface GigabitEthernet0 Null0
!
route-map nat2cell permit 10
match ip address 101
match interface Cellular0
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
access-list 110 permit icmp any host 8.8.8.8
access-list 110 permit icmp any host 4.2.2.2
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
logging synchronous
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
modem InOut
no exec
line vty 0 4
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
!
!
event manager directory user policy "flash:/"
event manager session cli username "absadmin" privilege 15
event manager applet pri_back
event track 10 state any
action 1.0 cli command "clear ip nat trans forced"
event manager applet sms
event ipsla operation-id 1 reaction-type timeout
action 1.0 if $_ipsla_condition eq "Occurred"
action 1.1 wait 2
action 1.2 syslog msg "Primary Circuit Down"
action 1.3 cli command "cellular 0 lte sms send 8592306307 Dino Primary Circuit Down, 4G Active"
action 1.31 wait 1
action 1.32 cli command "cellular 0 lte sms send 5027519574 Dino Primary Circuit Down, 4G Active"
action 1.33 wait 1
action 1.34 cli command "cellular 0 lte sms send 5025482028 Dino Primary Circuit Down, 4G Active"
action 1.35 wait 1
action 1.36 cli command "cellular 0 lte sms send 8598067952 Dino Primary Circuit Down, 4G Active"
action 1.4 else
action 1.5 syslog msg "Primary Circuit UP"
action 1.6 cli command "cellular 0 lte sms send 8592306307 Dino Primary Circuit Up"
action 1.61 wait 1
action 1.62 cli command "cellular 0 lte sms send 5027519574 Dino Primary Circuit Up"
action 1.63 wait 1
action 1.64 cli command "cellular 0 lte sms send 5025482028 Dino Primary Circuit Up"
action 1.65 wait 1
action 1.66 cli command "cellular 0 lte sms send 8598067952 Dino Primary Circuit Down, 4G Active"
action 1.7 end
!
end
ASKER
Predrag,
Thank you very much! I completely missed seeing that ACL. I very much appreciate it.
You're welcome.
ip dhcp excluded-address 10.5.50.1 10.5.50.100
!
ip dhcp pool LAN
network 10.5.50.0 255.255.255.0
dns-server 166.102.165.11 8.8.4.4
default-router 10.5.50.1
interface Vlan1
ip address 10.5.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
Check your route-maps nat2cell and nat2wan.
If you did not change those, that is the problem. You need to enable network 10.5.50.x to be natted instead of the 192.168.1.0 network. Currently 192.168.1.0 is permitted to be natted in those route-maps, since that network range is able to go to the internet.
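Added example, not part of the original thread or the answerer's own code: a Python check that compares every `ip nat inside` subnet against the source ranges permitted by the ACLs the NAT route-maps match on, which is the mismatch described above. It goes one step further and also lists static NAT entries whose inside host is on no inside subnet. The function names and the sample excerpt are constructed; it assumes the indented layout that `show running-config` prints and the simple `permit ip <net> <wildcard> any` ACL form.

```python
import ipaddress
import re

# Constructed excerpt of the thread's config after Vlan1 was renumbered.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 ip address 173.91.4.25 255.255.255.248
 ip nat outside
interface Vlan1
 ip address 10.5.50.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.1.210 3391 interface GigabitEthernet0 3391
ip nat inside source route-map nat2wan interface GigabitEthernet0 overload
route-map nat2wan permit 10
 match ip address 101
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
"""

def sections(cfg):
    """Split an indented IOS config into (top-level line, [child lines]) pairs."""
    blocks = re.findall(r"(?m)^(\S.*)\n?((?:[ ].*\n?)*)", cfg)
    return [(head, [c.strip() for c in body.splitlines()]) for head, body in blocks]

def inside_networks(cfg):
    """Map each 'ip nat inside' interface to its connected subnet."""
    nets = {}
    for head, body in sections(cfg):
        m = re.search(r"(?m)^ip address (\S+) (\S+)$", "\n".join(body))
        if head.startswith("interface ") and "ip nat inside" in body and m:
            nets[head.split()[1]] = ipaddress.ip_network("/".join(m.groups()), strict=False)
    return nets

def nat_sources(cfg):
    """Source networks permitted by the ACLs that the NAT route-maps match on."""
    secs = sections(cfg)
    maps = {h.split()[5] for h, _ in secs if h.startswith("ip nat inside source route-map ")}
    acls = {c.split()[-1] for h, b in secs if h.startswith("route-map ") and h.split()[1] in maps
            for c in b if c.startswith("match ip address ")}
    rules = re.findall(r"(?m)^access-list (\S+) permit ip (\S+) (\S+) any", cfg)
    # ip_network() reads a mask starting with 0 (an IOS wildcard) as a host mask.
    return [ipaddress.ip_network(f"{n}/{w}", strict=False) for a, n, w in rules if a in acls]

def audit(cfg):
    """Return (inside interfaces no NAT ACL covers, static NAT hosts on no inside subnet)."""
    inside, allowed = inside_networks(cfg), nat_sources(cfg)
    unnatted = sorted(i for i, net in inside.items() if not any(net.subnet_of(a) for a in allowed))
    stale = sorted(ip for ip in re.findall(r"(?m)^ip nat inside source static \S+ (\S+)", cfg)
                   if not any(ipaddress.ip_address(ip) in net for net in inside.values()))
    return unnatted, stale
```

On the sample, `audit(SAMPLE_CONFIG)` reports Vlan1 as not covered by the NAT ACL and 192.168.1.210 as a static mapping left on the old range; changing ACL 101 to permit `10.5.50.0 0.0.0.255` clears the first finding.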