Hello folks newbie here I've got a Cisco 1921 that my office chucked because of upgrades, I'm just trying to set it up as a basic router (while learning what I can in the process). Basically want Gi0/0 to be my WAN port and Gi0/1 to be the LAN port. I will post my config file feel free to critique it, basically most of it is me searching this forum and trying config option and seeing what they do, I just can't seem to get traffic from my LAN port to get past or through the WAN port. My WAN port can hit the internet and ping everything. Any help will be appreciated. Using 2365 out of 262136 bytes ! ! Last configuration change at 17:56:08 UTC Sat Aug 29 2020 ! NVRAM config last updated at 17:56:11 UTC Sat Aug 29 2020 ! NVRAM config last updated at 17:56:11 UTC Sat Aug 29 2020 version 15.1 service config service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname JLVBCISC1921 ! boot-start-marker boot-end-marker ! ! enable secret 5 $1$LP8J$do7T.2ozAnQNXiGyRzWKq. enable password Canada2004 ! no aaa new-model ! ! no ipv6 cef ! ! ! ip dhcp excluded-address 192.168.1.1 192.168.1.20 ! ip dhcp pool JLVB network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 192.168.1.1 ! ! ! multilink bundle-name authenticated ! crypto pki token default removal timeout 0 ! ! license udi pid CISCO1921/K9 sn FGL160720QS ! ! ! redundancy ! ! ! ! ! ! ! ! ! ! ! interface Loopback1 ip address 1.2.3.4 255.255.255.255 ! interface Embedded-Service-Engine0/0 no ip address no ip route-cache shutdown ! interface GigabitEthernet0/0 ip address dhcp ip nat outside ip virtual-reassembly in no ip route-cache duplex auto speed auto no cdp enable ! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly in no ip route-cache duplex auto speed auto no cdp enable ! interface FastEthernet0/0/0 no ip address no mop enabled ! interface FastEthernet0/0/1 no ip address shutdown ! interface FastEthernet0/0/2 no ip address shutdown ! interface FastEthernet0/0/3 no ip address shutdown ! interface Vlan1 no ip address no ip route-cache shutdown ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source route-map NAT-Gi interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1 90 ip route 0.0.0.0 0.0.0.0 192.168.0.1 254 ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 90 ! access-list 100 permit ip any any ! no cdp run ! ! ! route-map NAT-Gi permit 10 match ip address 100 match interface GigabitEthernet0/0 ! ! ! control-plane ! ! ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 password ********** login transport input all ! scheduler allocate 20000 1000 end
1 Accepted Solution
Responding to the new config: - This config contains a line no ip routing This will disable ip routing. You need to enter the command ip routing Note that when you do this the running config will not contain the line ip routing, but that is because ip routing is the default and most of the time default values do not show up in the running config. - I do not see any routing statements, most especially no default route is configured. It might look something like ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp - I do not see any address translation. It might look some like int Gi0/0 ip nat outside int Fi0/1 ip nat inside ip nat inside source list 1 interface Gi0/0 overload access-list 1 permit 192.168.1.0 0.0.0.255 - I suggest that you remove this line enable password Canada2004 This line will be ignored since you have also configured enable secret. Enable secret is a more recent enhancement and is more secure than enable password. If both commands are entered then the enable password command will be ignored. Since it is not useful I suggest that you remove it. - I do not think that you need the line service config so I suggest that you remove it. - your config contains the line no ip cef I suggest that cef is generally a good thing and unless you have a particular reason to remove it that cef should be enabled. 9 Replies 9
Looks good; couple questions: what or where is 192.168.0.1 90? is it cable/internet modem? I am not sure about using route-map with NAT; just use dynamic NAT mapping with list 100, ip nat inside source list 100 interface GigabitEthernet0/0 overload
192.168.0.1 is my ISP router, I don't know what the 90 part actually does, I've been copying config settings from other post trying stuff out so its very likely some stuff in my config does not need to exist at all like using the route-map NAT was just trying stuff to see if it worked i will look into this "dynamic NAT mapping with list 100, ip nat inside source list 100 interface GigabitEthernet0/0 overload" now thks
your 192.168.0.1 is my ISP router does not know how to reach internal network of 1921 router, 192.168.1.0 /24 you need to add static route on that ISP box. what is it btw?
There are several things about your config that I would comment on: - you have configured this ip nat inside source route-map NAT-Gi interface GigabitEthernet0/0 overload Using a route map for address translation introduces complexity into the configuration. And I see no reason why a route map is called for here. The typical reason for using a route map with address translation is that there are more than 1 outbound interfaces that need to do address translation. And that is not the case here. A more simple approach would be better. - the access list that you use is: access-list 100 permit ip any any why are you using an extended access list? Most of the time for address translation a standard access list that specifies the inside subnets is sufficient. Using an extended acl suggests that you want to make decisions based on either destination address or on port selection. But your acl does neither of these. Again more simple is better than more complex. - you have configured 3 default routes ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 192.168.0.1 90 ip route 0.0.0.0 0.0.0.0 192.168.0.1 254 ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 90 and I do not know why you have done this. 2 of the 3 define that the next hop is 192.168.0.1. Since Gig0/0 is specified to learn its IP using DHCP the address could potentially change. But these static routes are static. If the learned IP address changed then these static routes would not work. The better approach is to specify a default route using the interface and dhcp option as this one does ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 90 I am puzzled why you are using 90 in the configuration of this route. This typically suggests a backup route. But it looks to me that this should be your primary default route. It is not related to the main question of this post but I would like to comment on these parts of your configuration enable secret 5 $1$LP8J$do7T.2ozAnQNXiGyRzWKq. enable password Canada2004 enable password was the earliest implementation of a password for enable mode. And it turns out to not be very secure. enable secret was a newer approach and was more secure. If both type of passwords are present in the configuration then the device will use the values in enable secret and ignore the values in enable password. So why have both? And I surely hope that the password that you used for enable secret is not "Canada2004". Since specifying no service password-encryption means that your enable password in now exposed for everyone to see. - You have disabled cdp. Is there a reason for that? I can understand disabling cdp on the outside interface. But why disable it globally?
Hey Rick thks for the info i will look into a lot of the stuff you just posted, the short answer for most your why have you done this or why config it this way, is just trying things I've found and seen in this forum much of it may be completely wrong, too complex or unnecessary, just trying to learn stuff by trial and error. Basically I want to start with a basic setup one WAN port and one LAN port, I want the LAN port to have a DHCP and be able to access the internet through the WAN port and then build from there. As it stands I can't seem to ping the outside word from the PC I have on the LAN port. thks
OK so blanked the Router did a few basic config's, what do I need to do so my PC on Gi0/1 can ping the outside word on the WAN port of Gi0/0 Using 1831 out of 262136 bytes ! ! Last configuration change at 21:16:02 UTC Sat Aug 29 2020 ! NVRAM config last updated at 21:16:04 UTC Sat Aug 29 2020 ! NVRAM config last updated at 21:16:04 UTC Sat Aug 29 2020 version 15.1 service config service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname CISCO1921 ! boot-start-marker boot-end-marker ! ! enable secret 5 $1$/0B2$70QjVhO/f1tneOFaYcuUl0 enable password Canada2004 ! no aaa new-model ! ! no ipv6 cef ip source-route no ip routing no ip cef ! ! ! ip dhcp excluded-address 192.168.1.1 192.168.1.20 ! ip dhcp pool JLVB network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server 192.168.1.1 ! ! ! multilink bundle-name authenticated ! crypto pki token default removal timeout 0 ! ! license udi pid CISCO1921/K9 sn FGL160720QS ! ! ! redundancy ! ! ! ! ! ! ! ! ! ! ! interface Embedded-Service-Engine0/0 no ip address no ip route-cache shutdown ! interface GigabitEthernet0/0 ip address dhcp no ip route-cache duplex auto speed auto ! interface GigabitEthernet0/1 ip address 192.168.1.1 255.255.255.0 no ip route-cache duplex auto speed auto ! interface FastEthernet0/0/0 no ip address no mop enabled ! interface FastEthernet0/0/1 no ip address shutdown ! interface FastEthernet0/0/2 no ip address shutdown ! interface FastEthernet0/0/3 no ip address shutdown ! interface Vlan1 no ip address no ip route-cache shutdown ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ! ! ! ! ! ! ! control-plane ! ! ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 password Canada2004 login transport input all ! scheduler allocate 20000 1000 end
Responding to the new config: - This config contains a line no ip routing This will disable ip routing. You need to enter the command ip routing Note that when you do this the running config will not contain the line ip routing, but that is because ip routing is the default and most of the time default values do not show up in the running config. - I do not see any routing statements, most especially no default route is configured. It might look something like ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp - I do not see any address translation. It might look some like int Gi0/0 ip nat outside int Fi0/1 ip nat inside ip nat inside source list 1 interface Gi0/0 overload access-list 1 permit 192.168.1.0 0.0.0.255 - I suggest that you remove this line enable password Canada2004 This line will be ignored since you have also configured enable secret. Enable secret is a more recent enhancement and is more secure than enable password. If both commands are entered then the enable password command will be ignored. Since it is not useful I suggest that you remove it. - I do not think that you need the line service config so I suggest that you remove it. - your config contains the line no ip cef I suggest that cef is generally a good thing and unless you have a particular reason to remove it that cef should be enabled.
Thank you so much Rick those were the base level configs I needed, I now know were to start and move forward with testing and playing with this cisco stuff. thks Folks
I am glad that my suggestions have been helpful. I think that you have a good approach, to start with simple basic configs, get them to work, and then incrementally add other things to the config. There is a lot to learn and I believe that you are making a good start. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community. |
