CISCO 837 NAT/DNS Problem?

Discussion in 'Routing & Switching' started by gillz, Oct 22, 2007.

  1. gillz

    Hi Forum,

    Help needed for a Cisco newbie :blink. I have just purchased a CISCO 837 ADSL router. My WAN interface is receiving a public IP address from my ISP (Sky), and I have also configured the name servers as provided by my ISP. From the router I can ping both DNS servers as well as several public web servers using their IP addresses. From my internal PC I can ping the router (internal interface). However, I cannot access anything on the Internet, or ping anything past my internal router IP. When performing an nslookup on a particular URL, the name servers I configured just show time-outs. I'm not sure if this is a DNS issue or a NAT-related problem. Can anyone help? I've dumped the config below. Thanks in advance.

    Building configuration...

    Current configuration : 2672 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    !
    no aaa new-model
    ip subnet-zero
    ip domain name yourdomain.com
    ip name-server x.x.x.x (name server provided by ISP)
    ip name-server x.x.x.x (name server provided by ISP)
    ip dhcp excluded-address 10.10.10.1
    !
    ip dhcp pool sdm-pool1
    import all
    network 10.10.10.0 255.255.255.0
    dns-server x.x.x.x x.x.x.x (Same name servers)
    default-router 10.10.10.1
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description Ethernet
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname (isp hostname)
    ppp chap password 0 (isp password)
    !
    ip nat inside source list 1 interface Dialer0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    no ip http secure-server
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password xxxxxx
    login
    !
    scheduler max-task-time 5000
    !
    end


    Thanks,

    Gill
     
  2. BosonMichael
    What IP address information has been given to your PC?
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  3. gillz

    Hi BosonMichael,

    I'm receiving the DHCP address 10.10.10.2 along with the DNS servers as configured on the CISCO 837.

    Cheers,
     
  4. BosonMichael
    Where's access list 1? You've got the ip nat inside source list 1 interface Dialer0 overload command, but no access list 1 to go with it...
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  5. gillz

    Looks like it's been added in error; I have removed the complete entry.
    Retested with the same results. Anything else worth looking at?
     
  6. BosonMichael
    Actually, I'd have suggested creating the missing access list. :)
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. Bluerinse
    What is the client assigned default gateway address?
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  8. gillz

    Hi Bluerinse

    My PC is assigned 10.10.10.1 as the default gateway, and I can ping this from my PC.

    Hi BosonMichael

    I will add the line back, could you guide me on the configuration required for this access-list?

    Cheers
     
  9. gillz

    Hi BosonMichael

    Would it be something like:

    access-list 1 permit 10.10.10.0 0.0.0.255

    Although since I have no access-lists running at the moment (after removing the statement) I would have thought that my internal net would be permitted by default? Running sh ip access-lists shows that I have none configured, so as I understand IOS does not have a default drop rule.
     
  10. BosonMichael
    I believe that without the ip nat inside source list 1 interface Dialer0 overload command, the router won't know to send those packets over the dialer interface using your overloaded public IP. Thus, you need to create access list 1... and whatever you don't specifically allow in an access list will be denied.

    Your access list looks good. :) It will allow everything on the 10.10.10.0/24 network.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  11. Spice_Weasel

    BosonMichael is right, you'll need that access-list, otherwise the router will not NAT anything. As well, lock up your vty lines; no sense giving the world a chance to log in. Use an access-list to restrict the IP addresses allowed to connect to the vty lines, for example:

    access-list 10 permit 10.10.10.0 0.0.0.255 log
    access-list 10 deny any log

    line vty 0 4
    access-class 10 in

    This will allow only hosts on your local LAN to log in to the router. Controlling access to the vty lines is the first thing to do when securing your router.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
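An added example, not from this thread: a small audit script that checks an IOS running-config for the two problems discussed above, a `ip nat inside source list` statement whose access list is never defined, and `line vty` blocks without an `access-class`. The sample configs are constructed excerpts of the posted 837 config (with `show running-config` indentation), before and after the suggested fixes.

```python
import re

# Constructed excerpt of the posted config: NAT refers to access-list 1, which
# is never defined, and the vty lines carry a password but no access-class.
BROKEN = """\
interface Dialer0
 ip nat outside
ip nat inside source list 1 interface Dialer0 overload
line vty 0 4
 password xxxxxx
 login
"""
# Same excerpt with the two fixes suggested in the thread applied.
FIXED = """\
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.10.0 0.0.0.255 log
access-list 10 deny any log
ip nat inside source list 1 interface Dialer0 overload
line vty 0 4
 access-class 10 in
 password xxxxxx
 login
"""
NAT_REF = re.compile(r"^ip nat inside source list (\S+) ")
ACL_DEF = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")

def audit_ios_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    lines = text.splitlines()
    acls, nat_refs = set(), []
    for line in lines:                      # pass 1: collect ACL names and NAT references
        m = ACL_DEF.match(line)
        if m:
            acls.add(m.group(1) or m.group(2))
        m = NAT_REF.match(line)
        if m:
            nat_refs.append(m.group(1))
    findings = [f"NAT overload references undefined access-list {a}: nothing is translated"
                for a in nat_refs if a not in acls]
    i = 0                                   # pass 2: sub-commands of a 'line vty' block are the indented lines after it
    while i < len(lines):
        if lines[i].startswith("line vty"):
            header, i, guarded = lines[i], i + 1, False
            while i < len(lines) and lines[i].startswith(" "):
                guarded |= lines[i].strip().startswith("access-class ")
                i += 1
            if not guarded:
                findings.append(f"'{header}' has no access-class: reachable from any source address")
        else:
            i += 1
    return findings
```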
  12. gillz

    Cool, will give it a go and let you know.

    cheers
     
  13. gillz

    That worked a treat, thanks for everyone’s contributions. My next challenge is to lock the router down. Thanks again ppl….. :D
     