Cisco 851 configuration issues 1

[sdibias]

It's been a while since I have been here, good to be back!

I'm hoping someone here can help me out I can't think anymore and this is driving me crazy! I have an older Cisco 851 router running IOS 12.4 that I've hooked up to my cable mode. I have a dynamic public address so I configured the WAN interface with the following command

int fa4
ip address dhcp

The router get's an IP address from COX at this point and I'm able to ping external IP addresses so I have a connection to the outside world. At this point I disconnected the router from the cable modem inn order to lock it down. This is the part where I get confused...

From inside my internal network I cannot connect to the internet. I have my internal network pointing to the routers BVI interface, is this wrong? If anyone can review this config and point out my mistakes I would appreciate it greatly!!!


Building configuration...

Current configuration : 1885 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SDrouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************************
!
no aaa new-model
!
resource policy
!
no ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.20
!
ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
!
!
ip cef
ip inspect name InspectFirewallR icmp
ip inspect name InspectFirewallR tcp
ip inspect name InspectFirewallR udp
no ip domain lookup
!
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect InspectFirewallR in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.100.1 255.255.255.0
ip access-group 100 in
ip inspect InspectFirewallR in
ip nat inside
ip virtual-reassembly
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface FastEthernet4 overload
!
access-list 10 permit 192.168.100.0 0.0.0.255
access-list 10 deny any
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password ***********
login
!
scheduler max-task-time 5000
end




Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[Minue]

Hello
I am a bit confused with the way you word your post. Are you trying to connect to the Internet when the router is disconnected from the cable modem?
Can you connect to the Internet in normal conditions ?

Regards

 

[sdibias]

Sorry for any confusion I was tired last night.

With the configuration you see above I can console into the router and ping out to the internet just fine. However on my LAN my computers are net getting IP addresses from the router which I setup as a DHCP server. Even if I configure my computers with static addresses they can't even ping the default gateway which which I assume should be the BVI interface of the router?

In short, I must have goofed on the config somewhere and I'm confused as to what my computers should point to as there default gateway?

Also I'm stumped as to why the router will not hand out addresses?

I have connectivity to the outside world from the router itself, but no LAN computers can even get to the router!

Any ideas on what I'm doing wrong here?



Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[drewdown]

I am assuming you have a switch in between your router and a machine on the LAN? Default Gateway for your LAN machines is going go 192.168.100.1...and you can't ping that address from your LAN computers when you statically assign them an IP address in 192.168.100.0/24 subnet?

Also how come you are using the BVI interface? Why dont you just configure one of the Fa interfaces? I would try configuring an ethernet port as your inside interface with 192.168.100.1 address + ip nat inside + etc..

 

[drewdown]

Also with your dhcp configuration make sure to configure DNS servers or else your LAN machines will run into problems when doing DNS lookups.

ip dhcp pool LAN
import all
network 192.168.100.0 255.255.255.0
#dns-server x.x.x.x x.x.x.x
default-router 192.168.100.1

 

[sdibias]

Well this is one of those "Integrated Services" routers that has a built in switch. Fast Ethernet 0 through 3 are being used by computers on the LAN and Fast Ethernet 4 is the WAN port.

I attempted to configure the FA interfaces with an IP address but recieved an error:

% IP addresses may not be configured on L2 links

I Have tried every variant of the "No switchport" command to change it to a layer 3 but continue to get the same error. It seems to me that the built-in switch is Layer 2 only, if that's the case I wont be able to change them to Laywer 3 and add an IP address to them.

I will make sure to add the DNS portion to DHCP, however I still can't grab an IP address from the router yet

If I get rid of the BVI interface what interface should I configure? I can't use the ports becuase they are Layer 2.

Of all the routers I have configured using Point-to-Point, Frame, or MPLS this is the most trouble I have ever had, and it's a SOHO router, Ha!



Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[Minue]

Hello
First kill the access-list 100,best to avoid when troubleshooting.For now use a workstation with static address setting.You will need to get layer 3 connectivity between the router and the LAN.Before you can do anything else.
Put the ip address on the "VLAN 1" instead of the BVI take out the bridge line's and try to ping the router.
Regards

 

[sdibias]

Thanks Minue - I'm at work right now but I will do as you suggest as soon as I get home tonight, which should be around 6:00PM Pacific.

I will report the outcome around 6:30.

If anyone else has any other suggestions please don't hesitate to post them. Thanks!

Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[Minue]

Hello
Before you try the conf I recommended.First take out these 2 line's :
ip access-group 100 in
ip inspect InspectFirewallR in

Then try to ping the interface.If it doesn't work then try using the VLAN 1.
This BVI interface is a new implementation for Cisco.It's a bit tricky!If after all,you can't get the router to work with the command line.Try the SDM GUI,that will get it up.
Tommorow I will install an IOS that support the BVI,so I can help you troubleshoot your problem.
Regards

 

[sdibias]

I just downloaded SDM-V25.zip from cisco.com in case it gets to that point, I supposed that would probably show us what I did wrong eh!

Thanks for all your help!


Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[Minue]

Hello
For the BVI,you will need this command "bridge 1 route ip"

Regards

 

[sdibias]

Ah good catch, I will try that before anything else!

Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+

 

[sdibias]

Dude, that was it man! I was missing this one command

"bridge 1 route ip"

Thanks for all your help on this I truly appreciate it!



Visit www.netwerkin.com
MCSE MCSA MCTS MCITP MCP CCNA CCA A+ N+