Outside connectivity fails from IOS command line

Discussion in 'Cisco' started by JF Mezei, Oct 27, 2009.

  1. JF Mezei

    JF Mezei Guest

    Cisco 871W.

    Commands from the IOS command line to reach the outside world fail, be
    it PING, Traceroute, telnet, etc. Hosts that connect to the internet via
    this router are able to perform those functions.


    Commands to talk to the LAN work fine. The LAN machines I talk to are on
    VLAN10.

    The architecture:

    FA0/4 is the port to the ADSL modem (dial pool 1)

    Dialer 1
    interface Dialer1
    description PPPoE to Modem
    ip address negotiated
    ip access-group ACLinbound in
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer idle-timeout 0
    dialer enable-timeout 10
    dialer persistent
    no cdp enable
    ppp authentication pap callin
    ppp pap sent-username password 0 mickey.mouse
    end


    BVI 10 has:

    bridge irb
    bridge 10 protocol ieee
    bridge 10 route ip
    !
    interface BVI 10
    ip address 10.0.0.2 255.255.0.0
    ip nat inside
    ip virtual-reassembly
    no shutdown

    From the console (the serial port or a telnet session into the router),
    I can telnet to a local host and confirm that the console uses the
    10.0.0.2 IP address of the router (and obviously is in the VLAN 10 as it
    can reach the LAN machines in that vlan).


    If I remove the "IP NAT INSIDE" from the BVI 10 interface, then the
    commands (traceroute etc) work fine from IOS CLI, but not from computers
    attached to that router.


    The console lines are defined as:
    line con 0
    exec-timeout 0 0
    no modem enable
    terminal-type VT300
    exec-character-bits 8
    databits 8
    stopbits 1
    length 0
    international
    flowcontrol software
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    terminal-type vt300
    exec-character-bits 8
    length 0
    international
    transport input telnet ssh


    Do I need to add something to the con and vty definitions to cause them
    to get properly natted when doing commands that reach out to the internet?
     
    JF Mezei, Oct 27, 2009
    #1

  2. geoar75

    geoar75 Guest

    Hi,

    Could you post the result of the "sh run" command?

    Giorgos
     
    geoar75, Oct 27, 2009
    #2

  3. Local traffic, like a ping, launched from the console uses as source IP the
    address on the egress interface by default, so if you ping something on the
    LAN you will see 10.0.0.2. Traffic going through the dialer interface will
    use whatever address it has received from your ISP.
    This is turning off NAT, so no surprise your 10.0.0.x hosts can't get
    anywhere.

    Check your NAT configuration, particularly the access list. If it
    says "permit any" that's bad and will cause upsets to telnet like you are
    seeing though generally not to ping and traceroute.
     
    Martin Gallagher, Oct 28, 2009
    #3
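
A check for the point in post #3 about the NAT access list, as an added example that is not part of the thread: it flags a NAT source ACL that permits more than the subnets on `ip nat inside` interfaces. The interface names and addresses follow the first post; the NAT rule, ACL number 1 and both sample configs are constructed assumptions, and only standard numbered ACLs with contiguous wildcards are handled.

```python
import ipaddress
import re

# Constructed sample: interfaces as posted in the thread; the NAT rule and
# ACL number 1 are assumptions, since the thread never shows them.
WEAK = """\
interface Dialer1
 ip address negotiated
 ip nat outside
interface BVI10
 ip address 10.0.0.2 255.255.0.0
 ip nat inside
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit any
"""
FIXED = WEAK.replace("permit any", "permit 10.0.0.0 0.0.255.255")

def wildcard_net(addr, wild):
    """Convert an IOS address/wildcard pair (contiguous wildcard) to a network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def inside_networks(cfg):
    """Subnets of interfaces that carry 'ip nat inside'."""
    nets = []
    for block in re.split(r"^(?=interface )", cfg, flags=re.M):
        addr = re.search(r"^ ip address (\S+) (\S+)$", block, re.M)
        if addr and re.search(r"^ ip nat inside$", block, re.M):
            nets.append(ipaddress.ip_network("/".join(addr.groups()), strict=False))
    return nets

def acl_sources(cfg, acl):
    """Networks permitted by the standard numbered ACL `acl`."""
    nets = []
    for rest in re.findall(rf"^access-list {re.escape(acl)} permit (.+)$", cfg, re.M):
        # Normalise 'host A' and 'any' to the address/wildcard form
        tok = rest.replace("host ", "").replace("any", "0.0.0.0 255.255.255.255").split()
        nets.append(wildcard_net(tok[0], tok[1] if len(tok) > 1 else "0.0.0.0"))
    return nets

def audit_nat(cfg):
    """Return (acl, network) pairs the NAT rule matches beyond the inside subnets."""
    inside = inside_networks(cfg)
    return [(acl, str(net))
            for acl in re.findall(r"^ip nat inside source list (\S+)", cfg, re.M)
            for net in acl_sources(cfg, acl)
            if not any(net.subnet_of(i) for i in inside)]

if __name__ == "__main__":
    print("weak:", audit_nat(WEAK), "fixed:", audit_nat(FIXED))
```
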
  4. geoar75

    geoar75 Guest

    That's why I asked to check the configuration.

     
    geoar75, Oct 28, 2009
    #4
