Outside connectivity fails from IOS command line

Cisco 871W.

Commands from the IOS command line to reach the outside world fail, be it ping, traceroute, telnet, etc. Hosts that connect to the internet via this router are able to perform those functions.

Commands to talk to the LAN work fine. The LAN machines I talk to are on VLAN10.

The architecture:

FA0/4 is the port to the ADSL modem (dial pool 1)

Dialer 1:

interface Dialer1
 description PPPoE to Modem
 ip address negotiated
 ip access-group ACLinbound in
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer idle-timeout 0
 dialer enable-timeout 10
 dialer persistent
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username snipped-for-privacy@disney.org password 0 mickey.mouse
end

BVI 10 has:

bridge irb
bridge 10 protocol ieee
bridge 10 route ip
!
interface BVI 10
 ip address 10.0.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 no shutdown

From the console (the serial port or a telnet session into the router), I can telnet to a local host and confirm that the console uses the 10.0.0.2 IP address of the router (and obviously is in VLAN 10, as it can reach the LAN machines in that VLAN).

If I remove the "IP NAT INSIDE" from the BVI 10 interface, then the commands (traceroute etc) work fine from IOS CLI, but not from computers attached to that router.

The console lines are defined as:

line con 0
 exec-timeout 0 0
 no modem enable
 terminal-type VT300
 exec-character-bits 8
 databits 8
 stopbits 1
 length 0
 international
 flowcontrol software
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 terminal-type vt300
 exec-character-bits 8
 length 0
 international
 transport input telnet ssh

Do I need to add something to the con and vty definitions to cause them to get properly NATted when doing commands that reach out to the internet?

JF Mezei

Hi,

Could you post the result of the "sh run" command?

Giorgos

geoar75

Local traffic, like a ping, launched from the console uses as source IP the address on the egress interface by default, so if you ping something on the LAN you will see 10.0.0.2. Traffic going through the dialer interface will use whatever address it has received from your ISP.

This is turning off NAT, so no surprise your 10.0.0.x hosts can't get anywhere.

Check your NAT configuration, particularly the access list. If it says "permit any" that's bad and will cause upsets to telnet like you are seeing though generally not to ping and traceroute.

Martin Gallagher
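The thread never shows the "ip nat inside source" rule itself, so here is an added example (not the poster's configuration) of what the reply above is asking to check: the over-broad "permit any" list beside one scoped to the 10.0.0.0/16 subnet on BVI 10 from the original post, translating out of Dialer1. The access-list number 1 is an assumption.

```cisco
! Added example, not from the thread. Assumes the LAN is 10.0.0.0/16 on
! BVI 10 and the outside interface is Dialer1, as in the original post.
! The list number (1) is an assumption.

! Weak: the translation list matches every source address, which is the
! "permit any" the reply warns about.
access-list 1 permit any
ip nat inside source list 1 interface Dialer1 overload

! Corrected: translate only the BVI 10 subnet. Anything else is left alone,
! so router-originated traffic keeps leaving with the address negotiated
! on Dialer1, as described in the reply.
no ip nat inside source list 1 interface Dialer1 overload
no access-list 1
access-list 1 permit 10.0.0.0 0.0.255.255
ip nat inside source list 1 interface Dialer1 overload

! Checks: confirm which interfaces are inside/outside and which list is
! driving translation, then watch entries appear as LAN hosts go out.
show ip nat statistics
show ip nat translations
```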

