Cisco 877W config help

S

systemx

n00b
Joined
Dec 1, 2010
Messages
60
Hi Guys, could someone help me out? I have a problem with clients behind the 887W not being able to get out on the internet. When the Dlink is plugged in, everything is ok so the problem is in the config. Any ideas?

887W or DLINK 192.168.77.1 255.255.255.0
|
SERVER 2008 (DHCP, DNS); IP: 192.168.77.6 255.255.255.0
|
CLIENTS; get IP from server above and default gateway is 192.168.77.1 255.255.255.0



Code: 
877W#sh run
Building configuration...

Current configuration : 2564 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CM
   vlan 1
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 cisco123
!
dot11 ssid Computer
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 cisco123
!
no ip subnet-zero
ip cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
!
!
!
no crypto isakmp enable
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 description ADSL
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  pppoe-client dial-pool-number 1
 !
 bundle-enable
 bundle enable
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 1/1
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 broadcast-key vlan 1 change 45
 !
 !
 ssid Computer
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer1
 description PPPOE
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username USERNAME password 0 PASSWORD
 ppp ipcp dns request
!
interface BVI1
 ip address 10.0.1.1 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.77.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login
 transport input telnet ssh
!
scheduler max-task-time 5000
end
877W#ping 4.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/26/28 ms
877W#
 
Last edited:
First things first, how are your clients connected to the router (wireless/wired)? Can they ping the router, and do they have the router set as the gateway? Also, can you please tell us what the client computers subnet information is?

I only ask because it doesn't appear as if DHCP is being offered from this router, and you don't explicitly state what it is, or how they get that info.
 
Additionally, when you say they can't get out to the internet, do you mean they can't pull up webpages, or does even ping not work when given the IP address 4.2.2.2?
 
Good point, i updated my request.Everything works with the DLINK plugged in.
Clients are wired, unable to ping 887W because permissions are probably not set and network config looks like:

887W or DLINK 192.168.77.1 255.255.255.0
|
SERVER 2008 (DHCP, DNS); IP: 192.168.77.6 255.255.255.0
|
CLIENTS; get IP from server above and default gateway is 192.168.77.1 255.255.255.0
 
are the clients able to pull an IP address from the DHCP server when they are connected to the 887? was thinking that you need to setup ip helper-address but not 100% sure.

edit: I think you also dont need the second entry in your access-list 1.

you have 192.168.0.0 0.0.255.255 which incorporates the 192.168.77.0 range, so I think you can remove the 192.168.77.0 0.0.0.255...or remove the 192.168.0.0 0.0.255.255 and just leave the .77.0 entry.
 
Last edited:
Try this:

Code: 
!
interface Vlan1
 no ip address
 no ip nat inside
 no ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 ip address 192.168.77.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
no access-list 1 permit 192.168.0.0 0.0.255.255
!

A Bridged Virtual Interface (BVI) is used in the cases of the Cisco 877 & Cisco fat Access Points to allow the wireless and the wired (or VLAN) interfaces to be bridged together to form the same layer 2 network and share a layer 3 address. If an interface is a member of a BVI, it should not have an IP of it's own.
 
systemx said:
Good point, i updated my request.Everything works with the DLINK plugged in.
Clients are wired, unable to ping 887W because permissions are probably not set and network config looks like:

887W or DLINK 192.168.77.1 255.255.255.0
|
SERVER 2008 (DHCP, DNS); IP: 192.168.77.6 255.255.255.0
|
CLIENTS; get IP from server above and default gateway is 192.168.77.1 255.255.255.0
Click to expand...

Actually, you should be able to ping the 192.168.77.1 interface from your clients as there is not any incoming access lists/inspects on the VLAN 1 interface. Since they are on the same subnet and vlan, and plugged in directly (client-->877w) you should able to pass icmp packets (ping).

I don't normally use bridge-groups, but IMO it looks like you have your wireless interface and vlan 1 interface in bridge-group 1, but not your Fast-Ethernet interfaces (0-3). On my 870, it looks like you can put FE int's into bridge-groups.

I would try adding the "bridge-group 1" command on each FE int, and see if that allows you to ping the gateway and ultimately access the internet. It does look like NAT and routing are setup correctly, so if this is the problem I think you should be good to go.
 
thnx guys, will try both solutions this afternoon and report back

UPDATE:
TowlieMatrix > your config helped me to be able to see the router on the network and pings to and from network work well, thank you!
skjervem > the router responded that bridge-groups are not supported on FE interfaces, thank you it was worth a try!

I'm still unable to get out on the internet with both the server and the clients, any ideas?

router is connected to internet no problem, clients can ping the router, clients can't ping 4.2.2.2 or open IE/FF and browse. below is my updated config:


877W#sh run
Building configuration...

Current configuration : 2455 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877W
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid CM
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 cisco123
!
dot11 ssid Computer
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 cisco123
!
no ip subnet-zero
ip cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
!
!
!
no crypto isakmp enable
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
description ADSL
no ip address
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
bundle-enable
bundle enable
!
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
pvc 1/1
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid Computer
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer1
description PPPOE
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username USERNAME password 0 PASSWORD
ppp ipcp dns request
!
interface BVI1
ip address 192.168.77.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
!
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input telnet ssh
!
scheduler max-task-time 5000
end

877W#



This is ipconfig/all from 1 client:
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : computer.local
Description . . . . . . . . . . . : Intel(R) 82567LM-3 Gigabit Network Connec
tion
Physical Address. . . . . . . . . : 70-F3-95-11-56-72
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::40cf:baac:c1cb:c4eb%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.77.194(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Thursday, May 03, 2012 1:14:48 PM
Lease Expires . . . . . . . . . . : Friday, May 11, 2012 1:14:48 PM
Default Gateway . . . . . . . . . : 192.168.77.1
DHCP Server . . . . . . . . . . . : 192.168.77.6
DHCPv6 IAID . . . . . . . . . . . : 242283413
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-56-06-A2-70-F3-95-11-56-72

DNS Servers . . . . . . . . . . . : 192.168.77.6
NetBIOS over Tcpip. . . . . . . . : Enabled


This is ipconfig/all from the server:
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connectio
n
Physical Address. . . . . . . . . : 00-21-5E-67-5A-3F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::10c4:5825:557d:75b0%10(Preferred)
Link-local IPv6 Address . . . . . : fe80::a7b6:e831:2c95:7eff%10(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.77.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.77.1
DHCPv6 IAID . . . . . . . . . . . : 234889566
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-75-CD-95-00-21-5E-67-5A-3F

DNS Servers . . . . . . . . . . . : fe80::a7b6:e831:2c95:7eff%10
192.168.77.6
NetBIOS over Tcpip. . . . . . . . : Enabled
 
Last edited:
Glad to hear that the BVI change allows you to see the router from your LAN now.

It looks like you took out your access-list 1, which is needed for NAT. My guess is that is why you can now ping the router but not access the internet in any form from your clients.

Try re-adding the following:

access-list 1 permit 192.168.77.0 0.0.0.255

and see if that allows you outbound.
 
Your nat config is looking for access list one but there isn't a number 1. Do what the poster above me did and you should get internet now.
 
You must log in or register to reply here.
Back
Top