No internet on new Cisco Router

Hi,

I have installed a new router to break up our existing LAN to add in 2 additional LANs. The new router has 3 interfaces.

0/0 has IP 10.20.3.253 and is connected to the rest of the network via a Cisco ASA
0/1 has IP 10.20.4.1 /26
0/0/0 has IP 10.20.5.1 /26

From both 0/1 and 0/0/0 I can connect a laptop and ping the existing network, and from the existing network ping the laptop. I get DNS resolution on a laptop plugged into 0/1 or 0/0/0 but I am unable to get out to the Internet. If I ping Google I get the IP but the ping fails. If I do a tracert it goes to the default gateway 10.20.4.1 and then times out. What am I missing?

Can post running config if needed.
 
It simply sounds like you haven't set a default gateway in the new router.

The new router knows how to access the three subnets it's directly connected to. This is why you can ping across the router and get DNS resolution from a local server. But the new unit doesn't know to go to the ASA for anything non-local to it.
 
There could be a lot of reasons, but a tracert failing after the gateway tells me it's a routing issue.

Post your router's routing table and, if possible, your ASA's also. That should tell you if you are missing something (i.e. static routes or a properly configured routing protocol).
 
Below is my running config.

Building configuration...

Current configuration : 5298 bytes
!
! Last configuration change at 08:39:26 London Wed Mar 4 2015 by simon
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec

!
hostname *** **** ****
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret *** **** ****
enable password *** **** ****
!
no aaa new-model
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
!
!
ip dhcp excluded-address 10.20.4.1
ip dhcp excluded-address 10.20.5.1
!
ip dhcp pool Train
import all
network 10.20.4.0 255.255.255.192
dns-server 10.20.0.150 10.20.0.153
default-router 10.20.4.1
lease 8
!
ip dhcp pool Demo
import all
network 10.20.5.0 255.255.255.192
dns-server 10.20.0.150 10.20.0.153
domain-name *** **** ****
default-router 10.20.5.1
lease 8
!
!
!
ip domain name *** **** ****
ip name-server 10.20.0.150
ip name-server 10.20.0.153
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed*** **** ****
enrollment selfsigned
subject-name cn=IOS-Self-Si*** **** ****
revocation-check none
rsakeypair TP-self-signed-2598932824
!
!
crypto pki certificate chain TP-self-signed-2598932824
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FCZ1811C4DU
!
!
username *** **** ****
username *** **** ****
!
redundancy
!
!
no ip ftp passive
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN Port to Rest of Network$ETH-LAN$
ip address 10.20.3.253 255.255.252.0
ip access-group Allow3 in
ip access-group Allow3 out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Training Room$ETH-LAN$
ip address 10.20.4.1 255.255.255.192
ip access-group Allow3 in
ip access-group Allow out
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
description Demo Room$ETH-LAN$
ip address 10.20.5.1 255.255.255.192
ip access-group Allow2 in
ip access-group Test out
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
media-type rj45
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp ipcp dns request
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.20.3.254 permanent
ip route 10.20.0.0 255.255.255.0 10.20.3.254 permanent
ip route 10.20.4.0 255.255.255.192 GigabitEthernet0/1 permanent
ip route 10.20.5.0 255.255.255.192 GigabitEthernet0/0/0
!
ip access-list extended Allow
remark Training Room
remark CCP_ACL Category=1
permit ip any any
ip access-list extended Allow2
remark Demo Room
remark CCP_ACL Category=1
permit ip 10.20.4.0 0.0.0.255 any
ip access-list extended Allow3
remark CCP_ACL Category=1
permit udp host 10.20.0.153 eq domain any
permit udp host 10.20.0.150 eq domain any
permit udp host 10.20.0.21 eq domain any
permit udp host 10.20.0.20 eq domain any
permit ip any any
ip access-list extended Test
remark CCP_ACL Category=1
permit ip any any
!
dialer-list 1 protocol ip permit
!
!
snmp-server community public RO
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.20.4.0 0.0.0.63
access-list 1 permit 10.20.5.0 0.0.0.63
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 199 remark CCP_ACL Category=16
access-list 199 permit ip any any
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password *** **** ****
login local
transport input telnet
transport output telnet
!
scheduler allocate 20000 1000
!
end
 
Does the ASA have routes going to the 10.20.4.0 and 10.20.5.0 networks?
 
Yes, on the ASA I have routes set up as below.
Interface  IP Address  Netmask          Gateway IP
Inside     10.20.4.0   255.255.255.192  10.20.3.253
Inside     10.20.5.0   255.255.255.192  10.20.3.253
 
ip route 10.20.0.0 255.255.255.0 10.20.3.254 permanent
ip route 10.20.4.0 255.255.255.192 GigabitEthernet0/1 permanent
ip route 10.20.5.0 255.255.255.192 GigabitEthernet0/0/0

Delete these. You do not need to define static routes for directly connected subnets. The mask on the first entry is also incorrect.


ip access-list extended Allow2
remark Demo Room
remark CCP_ACL Category=1
permit ip 10.20.4.0 0.0.0.255 any

This ACL is assigned to G0/0/0 in, but that interface is directly connected to subnet 10.20.5.0/26. As-is, nothing should be able to get into the router on that interface, as the ACL allows only packets with a source IP address in 10.20.4.0/24. But that subnet is directly connected to G0/1.

Actually, I'd recommend removing all ACL entries from all interfaces until you've gotten basic connectivity working properly.

Also, edit your post to remove any password/cert/sensitive info from the config.
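
The inbound-ACL mismatch described in the post above can be checked mechanically. As an added example (not part of the original posts), this Python script parses interface and extended-ACL lines and reports any interface whose inbound ACL has no permit entry matching its own connected subnet. The `CONFIG` excerpt is constructed from the posted config, the function names are hypothetical, and the check assumes permit-only ACLs with contiguous wildcard masks.

```python
import ipaddress

# Constructed excerpt: the interface and ACL lines from the config posted in the thread.
CONFIG = """\
interface GigabitEthernet0/0
ip address 10.20.3.253 255.255.252.0
ip access-group Allow3 in
interface GigabitEthernet0/1
ip address 10.20.4.1 255.255.255.192
ip access-group Allow3 in
interface GigabitEthernet0/0/0
ip address 10.20.5.1 255.255.255.192
ip access-group Allow2 in
ip access-list extended Allow2
permit ip 10.20.4.0 0.0.0.255 any
ip access-list extended Allow3
permit udp host 10.20.0.153 eq domain any
permit ip any any
"""

def source_net(words):
    """Source of an extended ACL entry: 'any', 'host A' or 'A wildcard'."""
    if words[2] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if words[2] == "host":
        return ipaddress.ip_network(words[3])
    # ipaddress accepts a contiguous Cisco wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{words[2]}/{words[3]}")

def blocked_inbound(config):
    """Return (interface, acl, subnet) where no permit entry matches the connected subnet."""
    ifaces, acls, kind, name = {}, {}, None, None
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["interface"]:
            kind, name = "if", words[1]
            ifaces[name] = {"net": None, "acl": None}
        elif words[:3] == ["ip", "access-list", "extended"]:
            kind, name = "acl", words[3]
            acls[name] = []
        elif kind == "if" and words[:2] == ["ip", "address"] and len(words) == 4:
            ifaces[name]["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
        elif kind == "if" and words[:2] == ["ip", "access-group"] and words[-1] == "in":
            ifaces[name]["acl"] = words[2]
        elif kind == "acl" and words[:1] == ["permit"]:
            acls[name].append(source_net(words))
    # An ACL that is referenced but not defined is skipped rather than flagged.
    return [(n, i["acl"], str(i["net"])) for n, i in ifaces.items()
            if i["net"] is not None and i["acl"] in acls
            and not any(src.overlaps(i["net"]) for src in acls[i["acl"]])]

if __name__ == "__main__":
    for iface, acl, subnet in blocked_inbound(CONFIG):
        print(f"{iface}: inbound ACL {acl} permits no source in connected subnet {subnet}")
```

Because every unmatched packet hits the implicit deny at the end of an ACL, a finding here means hosts on that subnet cannot send anything into the router through that interface.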
 
Thanks for the suggestions. I have removed the static routes except the default route and have also removed the ACLs, and now when I ping the laptop on the 10.20.4.x network it comes back with the 10.20.3.253 IP address and I get "TTL expired in transit".
 
I'm not going to go through your config for you but normal troubleshooting procedure would be to remove the ACLs from the interfaces and check connectivity. Once you establish connectivity you then go back and add ACLs one at a time until you break it. You've then isolated the problem and can fix it.
 
Thanks for that, but as mentioned in post #8, the ACLs have already been removed!
 