nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Cisco 871w

alanier

I am trying to setup my 871w on my home network. I have a static ip address from my dsl provider. if i telnet into router and perform a ping i get replies. If i ping the outside from my laptop I can not. here is my config. any ideas?

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SnellRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
enable password 7 xxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
no ip routing
no ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.74
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
dns-server 4.2.2.2 205.152.37.23
default-router 192.168.1.1
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
bridge irb
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
description $FW_OUTSIDE$$ES_WAN$
ip address x.x.x.x 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no cdp enable
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid SnellPub
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x permanent
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark 192.168.1.76
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host x.x.x.x echo-reply
access-list 101 permit icmp any host x.x.x.x time-exceeded
access-list 101 permit icmp any host x.x.x.x unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
password 7 xxxxxxxxxxxxxxxx
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
end

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

themagicone

i'm thinking something is missing in NAT. You have your interfaces set right but no pool set. I'll look it up here for you in a bit.

themagicone

Configuring Network Address Translation: Getting Started - Cisco Systems

alanier

ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark 192.168.1.76

this should be fine right?

themagicone

Should be. Sorry I quickly read through it and didn't see it so I thought that it might be the problem. I'll see if I can find something else up with it here.

themagicone

Nope I was right... You need one more line.

ip nat pool (name) (external address) (external address) prefix 24

Then...
ip nat inside source list (access list number) pool (name from above) overload

You need to define the outside address that the nat will translate to. Being you only have 1 external IP you use the first line with a prefix of 24. The second line you already had, just need to add the pool info. The access list in it defines the internal address that are translated.

alanier

thanks for the help. i will try it later today

kryolla

alanier wrote: »

thanks for the help. i will try it later today

your NAT statment looks right Im assuming you cant ping out due to the firewall, if your NAT statement was wrong you wont get any internet connectivity.

edit
You need bridge group 1 put under your dot11 interface, what you are bridging is your vlan 1 ports fa0/0 - 3 with your dot11 port and the bvi is representing the whole group so you can route out the fa0/4 port. Also you need to apply your firewall to an interface and ACL 101 isnt applied to any interface

alanier

how do i apply the firewall to an interface and fix the acl 101

kryolla

alanier wrote: »

how do i apply the firewall to an interface and fix the acl 101

before applying these make sure you have reachability to the internet.
Firewall should be applied to BVI interface and ACL101 should be applied to fa0/4

alanier

I can not get out on the internet. that was my original problem. if i logged into the router i could ping outside ips. i hope the nat command will fix that.

alanier

how about the no ip routing command. i think that is what is causing it

kryolla

alanier wrote: »

how about the no ip routing command. i think that is what is causing it

yes you need that to route between interfaces BVI and fa0/4 and the other issues I mentioned. There is nothing wrong with the NAT it should point out the interface with overload

kryolla

by yes you need that I meant to turn on ip routing and I have 850w and on dot11 interface I created a subinterface for vlan 1 and the firewall is applied to fa4 out and the ACL is applied to fa4 in

interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1

I get my IP via DHCP so here is my config for fa4

interface FastEthernet4
ip address dhcp
ip access-group OUTSIDE in
ip inspect FIREWALL out
ip nat outside