1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

CISCO 837 NAT/DNS Problem?

Discussion in 'Routing & Switching' started by gillz, Oct 22, 2007.

  1. gillz

    gillz New Member

    9
    0
    1
    Hi Forum,

    Help needed for Cisco Newbie :blink, I have just purchased a CISCO 837 ADSL router. My WAN interface is receiving a public IP address from my ISP (Sky), I have also configured the name servers as provided by my ISP. From the router I can ping both DNS servers including several public web servers using their IP address. From my internal PC I can ping the router (internal interface). Although I cannot access anything on the Internet, or ping anything past my internal router IP. When performing a nslookup on a particular URL the Name Servers I configured just show time-outs. I’m not sure if this is a DNS issue or NAT related problem. Can anyone help? I’ve dumped the config below. Thanks in advance.

    Building configuration...

    Current configuration : 2672 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    !
    no aaa new-model
    ip subnet-zero
    ip domain name yourdomain.com
    ip name-server x.x.x.x (name server provided by ISP)
    ip name-server x.x.x.x (name server provided by ISP)
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool sdm-pool1
    import all
    network 10.10.10.0 255.255.255.0
    dns-server x.x.x.x x.x.x.x (Same name servers)
    default-router 10.10.10.1
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description Ethernet
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname (isp hostname)
    ppp chap password 0 (isp password)
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxxxxx
    login
    !
    scheduler max-task-time 5000
    !
    end


    Thanks,

    Gill
     
  2. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    What IP address information has been given to your PC?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. gillz

    gillz New Member

    9
    0
    1
    Hi BosonMichael,

    Im receiving the DHCP address 10.10.10.2 along with the DNS servers as configured on the CISCO 837.

    Cheers,
     
  4. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Where's access list 1? You've got the ip nat inside source list 1 interface Dialer0 overload command, but no access list 1 to go with it...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. gillz

    gillz New Member

    9
    0
    1
    Looks like its been added in error, i have removed the complete entry.
    Retested and same results, anything else worth looking at?
     
  6. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    Actually, I'd have suggested creating the missing access list. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,871
    167
    256
    What is the client assigned default gateway address?
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. gillz

    gillz New Member

    9
    0
    1
    Hi Bluerinse

    My PC is assigned 10.10.10.1 as the default g/w, also I can ping this from my PC.

    Hi BosonMichael

    I will add the line back, could you guide me on the configuration required for this access-list?

    Cheers
     
  9. gillz

    gillz New Member

    9
    0
    1
    Hi BosonMichael

    Would it be something like:

    access-list 1 permit 10.10.10.0 0.0.0.255

    Although since I have no access-lists running at the moment (after removing the statement) I would have thought that my internal net would be permitted by default? Running sh ip access-lists shows that I have none configured, so as I understand IOS does not have a default drop rule.
     
  10. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I believe that without the ip nat inside source list 1 interface Dialer0 overload command, the router won't know to send those packets over the dialer interface using your overloaded public IP. Thus, you need to create access list 1... and whatever you don't specifically allow in an access list will be denied.

    Your access list looks good. :) It will allow everything on the 10.10.10.0/24 network.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    BosonMichael is right, you'll need that access-list, otherwise the router will not nat anything. As well, lock up your vty lines, no sense giving the world a chance to log in. Use an access-list to restrict the ip addresses allowed to connect to the vty lines, for example:

    access-list 10 permit ip 10.10.10.0 0.0.0.255 log
    access-list 10 deny ip any log

    line vty 0 4
    access-class 10 in

    This will allow only hosts on your local lan to login to the router. Controlling access to the vty lines is the first thing to do when securing your router.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  12. gillz

    gillz New Member

    9
    0
    1
    Cool, will give it ago and let you know

    cheers
     
  13. gillz

    gillz New Member

    9
    0
    1
    That worked a treat, thanks for everyone’s contributions. My next challenge is to lock the router down. Thanks again ppl….. :D
     

Share This Page

Loading...