Cisco – Clients connected to Cisco router can’t access to internet

ciscointernetrouting

I'm currently undergoing CCNa academy so I got a "job" from my boss to configure Cisco 871 router. Unfortunately we just finished first semester at academy so there are some things that I'm still having hard time to understand.

I managed to configure router so it connect to internet or to be exact it has internet access through another adsl modem that is in bridge mode.

Here is picture of setup

http://www.pohrani.com/f/3m/EI/gxiOrOu/network.jpg

The problem is that users are not able to use internet when connected to this router. I'm able to access router through telnet ( ip 192.168.13.10) but that's it.

Here is the config from router
http://pastebin.com/8JaMmqdT

192.168.13.0 255.255.255.128 is network that we use at work. 192.168.13.5 is IP address that is assigned to zyxel adsl modem ( If I'm correct, we could have used any address here since we are connecting this directly to router ? )

Zyxel adsl modem is connected to FA4 port on Cisco router. LAN cable is connected to FA0 port and from there it goes to switch ( it's some asus switch with 50 ports).

Here is routing table

Router-Cisco#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.13.5 to network 0.0.0.0

              192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
      S       192.168.13.5/32 is directly connected, Dialer1
      C       192.168.13.0/25 is directly connected, Vlan1
              172.29.0.0/32 is subnetted, 1 subnets
      C       172.29.252.89 is directly connected, Dialer1
              93.0.0.0/32 is subnetted, 1 subnets
      C       93.139.143.80 is directly connected, Dialer1
              10.0.0.0/24 is subnetted, 1 subnets
      C       10.10.10.0 is directly connected, Loopback0
      S*      0.0.0.0/0 [1/0] via 192.168.13.5

And here is IP interface brief

Router-Cisco#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Dialer0                    unassigned      YES manual administratively down down   
Dialer1                    93.139.143.80   YES IPCP   up                    up     
FastEthernet0              unassigned      YES unset  up                    up     
FastEthernet1              unassigned      YES unset  administratively down down   
FastEthernet2              unassigned      YES unset  administratively down down   
FastEthernet3              unassigned      YES unset  administratively down down   
FastEthernet4              unassigned      YES manual up                    up     
Loopback0                  10.10.10.100    YES manual up                    up     
Virtual-Access1            unassigned      YES unset  up                    up     
Vlan1                      192.168.13.10   YES manual up                    up

If I ping google dns from router e.g. ping 8.8.8.8 it works. If I ping www.google.com it doesn't work.
Also I'm able to access router via 192.168.13.10 but if I use router as default gateway then I'm not able to access the internet.
Can anyone point me in right direction here or tell me what I missed out ?

p.s.
From where is network
172.29.0.0/32 is subnetted, 1 subnets
C 172.29.252.89 is directly connected, Dialer1
comming from ? I cleared router config before starting and I don't remember configuring this one or that we use something like this at work.

Best Answer

You've done a lot, but there are still a few things to correct.

Change the IP address on your modem to something not in the 192.168.13.0/25 range.

The modem's IP address should only be used for configuration and not for routing.

Ensure that ip routing has been set. (It's not visible in the running-config).
Remove the 3 ip routes:

Replace the first one (the default) with a route towards Dialer1 (your WAN interface): ip route 0.0.0.0 0.0.0.0 Dialer1.

The second one might not even work as Dialer1 is a PPP interface. And for the last one, 192.168.13.10 is on Vlan1.

Change the DHCP default-router:

Use the ip address of Vlan1, 192.168.13.10.

Remove ip nat outside from Fa4:

Having it on Dialer1 should be enough.

Add NAT configuration:

ip nat inside source list 10 interface Dialer1 overload and access-list 10 permit 192.168.13.0 0.0.0.128.

That should be enough.

You might also take a look at this configuration or this one to have a broader picture.

And regarding 172.29.252.89, it might a server address within the ISP network, pushed with PPP/IPCP.

Related Solutions

Windows – Can’t access the internet when connected to OpenVPN server

It looks to me like the server is pushing the "redirect-gateway" option down to the client. This causes the client to use the VPN as its default gateway. Comment out the line in the server config 'push "redirect-gateway def1"'.

Woah there-- just saw your edit. You client can't be using the same IP addresses as the LAN it's connecting to. That's not going to work. One end or the other needs to use different IP addresses.

Edit:

Assuming routing is configured properly on your Windows Server 2003 machine (per the www.itsatechworld.com page you referenced), you should be able to PING the Windows Server 2003 machine and Windows Vista machine by their LAN IPs via the VPN. If you can, then you've got routing right on the Windows Server 2003 and DD-WRT machines and you can proceed. If not, then you need to start tracking down why either (1) PING traffic coming off the OpenVPN tunnel isn't getting to the destination, or (b) why PING replies from the destination host aren't coming back. You may end up putting something like Wireshark on your Windows Vista machine to see if the PING requests are even getting there (since PING can't tell you if your request is being received and the reply is just being lost).

Once you've got IP connectivity across the VPN working fine. I'd recommend installing the DNS and WINS services on your Windows Server 2003 VPN server computer and configuring the server computer and the Windows Vista home computer to use that machine for WINS and DNS. You can either add your ISP's DNS as a "forwarded" on the Windows Server 2003 machine, or leave the stock "root hints" configured to allow it to resolve Internet names. In your OpenVPN server configuration, add the following line right after the 'push "dhcp-option DNS 192.168.1.1" line:

push "dhcp-option WINS 192.168.1.1"

This is going to get the remote clients taking to the WINS and DNS servers on your Windows Server 2003 machine, and should get you both DNS and NetBIOS name resolution.

If you're not using an Active Directory domain at home, you'll probably want to setup a standard forward lookup zone on the Windows Server 2003 DNS server for your Windows Server 2003 and Windows Vista machines to register into. You'll want to grant clients permission to dynamically update records (albeit insecurely) when you create this zone. You should add the option "DNS domain name" (option 15) to your DHCP scope at home so that your client computers there pick up the right DNS domain name suffix. (If you're using DD-WRT for DNS then I can't tell you how to do that. I'm an OpenWRT guy, and I manage my WRT54G from the command line. I'd recommend running DHCP from the Windows Server 2003 machine anyway, but I just like that DHCP server more.)

If you are using an Active Directory domain you'll already have a forward lookup zone created in DNS. Since your remote VPN clients aren't members of your domain, though, they won't be able to register in DNS under the stock security settings that Windows Server sets on the DNS zone (at least, if you let it create the zone during DCPROMO). It's insecure, but if you want to allow them to register you could either (a - less secure) chang the permission on the zone to allow insecure registrations, or (b - more secure but still insecure) create A and PTR records for them and modify the permission on each of those records to allow anyone to update them.

It sounds like this is a home networking thing, and it's really a good learning opportunity for a lot of things-- IP routing, VPNs, name resolution. Perhaps you're looking for it to "just work" and not as a learning opportunity, in which case I can only offer my apologies and say that these things just aren't "turnkey" yet.

Windows – No Internet access while being connected to VPN using Cisco VPN Client 5

Not sure on the Cisco setup, because we use Watchguard. However, when setting up a new VPN account I have a checkbox that says forward all traffic from user over VPN. If this is checked all network traffic from the user is forced through the VPN. This is set up on the gateway device, not on the users system. I don't know if it is the same with Cisco, but I would assume it is similar.

Best Answer

Related Solutions

Windows – Can’t access the internet when connected to OpenVPN server

Windows – No Internet access while being connected to VPN using Cisco VPN Client 5

Related Topic