Cisco 2901: Unable to NAT to Internet

I currently replaced my Cisco 831 with a Cisco 2901 router running 15.1(4)M1. On the LAN side, I can ping Google and Yahoo as well as others, but I can't HTTP or FTP to them using IE. Is there something that I'm doing wrong? The config is the same as it was on the Cisco 831 and it worked fine.
!
! Last configuration change at 15:06:04 PCTime Mon Feb 20 2012
! NVRAM config last updated at 15:06:08 PCTime Mon Feb 20 2012
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$O3zs$8FK2nk1UL6qWNHigdl5GX.
!
aaa new-model
!
aaa authentication login vpnclientauth local
aaa authorization network vpngroupauth local
!
aaa session-id common
!
clock timezone PCTime -5 0
clock summer-time EDT recurring
!
no ipv6 cef
no ip source-route
ip cef
!
ip dhcp excluded-address 192.168.2.1 192.168.2.189
!
ip dhcp pool sdm-pool1
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
!
ip flow-cache timeout active 5
no ip bootp server
ip name-server 24.92.226.11
ip name-server 24.92.226.12
!
interface GigabitEthernet0/0
description Elimra Outside GigabitEthernet0/0
ip address dhcp client-id GigabitEthernet0/0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
description Elimra Inside GigabitEthernet0/1 Default Gateway
ip address 192.168.2.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
logging trap debugging
logging source-interface GigabitEthernet0/1
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 permit udp host 64.90.182.55 eq ntp any eq ntp
access-list 103 permit udp host 206.246.122.250 eq ntp any eq ntp
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip any any log
 
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
scheduler max-task-time 5000
no scheduler allocate
ntp update-calendar
ntp server 64.90.182.55 prefer source GigabitEthernet0/0
ntp server 206.246.122.250 prefer source GigabitEthernet0/0
end
 
When I run "debug ip nat detailed", I see the following below. The client is 192.168.2.151. It is using a static IP and static default gateway (which is the Cisco 2901 router) and static DNS (which is the Cisco 2901 router). The router is acting as the DNS server for the clients.
 
001080: Mar 12 21:34:36.089 EDT: NAT: map match SDM_RMAP_1
001081: Mar 12 21:34:36.089 EDT:  mapping pointer available mapping:0
001082: Mar 12 21:34:36.089 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
001083: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001084: Mar 12 21:34:36.089 EDT: NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
001085: Mar 12 21:34:36.089 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=204.160.125.126 [20305]
001086: Mar 12 21:34:36.117 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
001087: Mar 12 21:34:36.341 EDT: NAT: map match SDM_RMAP_1
001088: Mar 12 21:34:36.341 EDT:  mapping pointer available mapping:0
001089: Mar 12 21:34:36.341 EDT: NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
001090: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001091: Mar 12 21:34:36.341 EDT: NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
001092: Mar 12 21:34:36.341 EDT: NAT*: s=192.168.2.151->208.105.101.191, d=98.139.127.62 [20308]
001093: Mar 12 21:34:37.333 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51585 (51585)
001094: Mar 12 21:34:37.333 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001095: Mar 12 21:34:37.453 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
001096: Mar 12 21:34:38.357 EDT: NAT: expiring 208.105.101.191 (192.168.2.151) tcp 51586 (51586)
001097: Mar 12 21:34:38.357 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001098: Mar 12 21:34:38.869 EDT: NAT: expiring 208.105.101.191 (192.168.2.191) tcp 743 (743)
001099: Mar 12 21:34:38.869 EDT: NAT-SymDB: DB is either not enabled or not initiated.
001100: Mar 12 21:34:38.869 EDT: %SEC-6-IPACCESSLOGP: list 103 denied tcp 217.156.169.160(80) -> 208.105.101.191(51578), 1 packet
 
What is "NAT-SymDB: DB is either not enabled or not initiated." and why is NAT: expiring?
 
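The solution:
In the debug output, list 103 on GigabitEthernet0/0 denies the returning TCP packets (for example, 204.160.125.126(80) -> 208.105.101.191(51603)). The list permits only NTP, DNS, DHCP and selected ICMP messages inbound, so replies to the client's HTTP connections never get back in. Enable inspection for TCP and UDP so that return traffic for those sessions is allowed. Copy this to your router:
 
ip inspect name FW tcp
ip inspect name FW udp
 
interface GigabitEthernet0/0
ip inspect FW in
 
Add the out direction as well:
interface GigabitEthernet0/0
ip inspect FW out

This configuration also works on the similar Cisco 2911 router.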
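
The debug output above can be checked mechanically. The following is an added example, not part of the original post: it pairs each NAT translation with later list 103 deny lines to show which denied packets are replies to the client's own connections. It assumes the "wanted" and "got" fields are the original and translated source ports.

```python
import re

# Lines copied from the debug output quoted above (sequence numbers and timestamps trimmed).
SAMPLE = """\
NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51603 got 51603
NAT*: i: tcp (192.168.2.151, 51603) -> (204.160.125.126, 80) [20305]
NAT*: s=192.168.2.151->208.105.101.191, d=204.160.125.126 [20305]
%SEC-6-IPACCESSLOGP: list 103 denied tcp 204.160.125.126(80) -> 208.105.101.191(51603), 1 packet
NAT: [0] Allocated Port for 192.168.2.151 -> 208.105.101.191: wanted 51604 got 51604
NAT*: i: tcp (192.168.2.151, 51604) -> (98.139.127.62, 80) [20308]
%SEC-6-IPACCESSLOGP: list 103 denied tcp 199.7.50.72(80) -> 208.105.101.191(51571), 1 packet
"""

ALLOC = re.compile(r"Allocated Port for (\S+) -> (\S+): wanted (\d+) got (\d+)")
FLOW = re.compile(r"NAT\*: i: (\w+) \((\S+), (\d+)\) -> \((\S+), (\d+)\)")
DENY = re.compile(r"list (\S+) denied (\w+) (\S+)\((\d+)\) -> (\S+)\((\d+)\)")

def correlate(log_text):
    """Split ACL denies into replies to translated outbound flows and the rest."""
    xlate = {}     # (inside_ip, inside_port) -> (global_ip, global_port); assumes wanted=inside port
    outbound = {}  # (proto, global_ip, global_port, remote_ip, remote_port) -> inside host
    dropped, other = [], []
    for line in log_text.splitlines():
        if m := ALLOC.search(line):
            inside, glob, wanted, got = m.groups()
            xlate[(inside, int(wanted))] = (glob, int(got))
        elif m := FLOW.search(line):
            proto, sip, sport, dip, dport = m.groups()
            g = xlate.get((sip, int(sport)))
            if g:
                outbound[(proto, g[0], g[1], dip, int(dport))] = (sip, int(sport))
        elif m := DENY.search(line):
            acl, proto, sip, sport, dip, dport = m.groups()
            key = (proto, dip, int(dport), sip, int(sport))  # reverse of the outbound 4-tuple
            rec = {"acl": acl, "remote": f"{sip}:{sport}", "global": f"{dip}:{dport}"}
            if key in outbound:
                rec["inside"] = "%s:%d" % outbound[key]
                dropped.append(rec)
            else:
                other.append(rec)
    return dropped, other

if __name__ == "__main__":
    replies, rest = correlate(SAMPLE)
    for r in replies:
        print(f"ACL {r['acl']} dropped reply {r['remote']} -> {r['global']} (client {r['inside']})")
    print(f"{len(rest)} deny line(s) with no matching outbound flow in this excerpt")
```

A deny that matches the reverse of a translated flow means NAT is working and the inbound access list is what drops the session; the unmatched deny here belongs to a connection opened before the excerpt begins.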


