
The IP-addresses of the VPN modem are not pinged

SerhioGonsales
Level 1

Hello! An Internet modem is connected to the FastEthernet4 interface of the Cisco 881-SEC-K9 router, a VPN modem is connected to the FastEthernet1 interface, and an unmanaged LAN switch is connected to the FastEthernet0 interface. It is necessary that the computer connected to the switch have Internet access and access certain resources via the VPN modem. The IP address of the Internet modem is 10.41.196.2 (DHCP is enabled on the modem), the VPN modem is 172.26.66.171. The Cisco configuration is as follows:


version 15.5
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname 881_Router
!
boot-start-marker
boot system flash:c880data-universalk9-mz.155-3.M10.bin
boot-end-marker
!
logging buffered 65536
enable secret 5 ******************************
!
aaa new-model
!
aaa session-id common
ethernet lmi ce
memory-size iomem 10
clock timezone EET 1 0
!
ip port-map http port tcp from 1 to 65535 list 1
!
ip domain name *****************
ip inspect name CSM_INSPECT_1 http
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn ***********
!
archive
 log config
  logging enable
  logging size 200
  hidekeys
object-group service RDP
 tcp eq 3389
!
username Admin_bez privilege 15 secret 5 ******************************
!
interface FastEthernet0
 description lan
 switchport access vlan 20
 no ip address
!
interface FastEthernet1
 description vpn
 switchport access vlan 30
 no ip address
!
interface FastEthernet2
 description lan
 switchport access vlan 20
 no ip address
!
interface FastEthernet3
 description lan
 switchport access vlan 20
 no ip address
!
interface FastEthernet4
 description WAN
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly in
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 no ip redirects
 no ip proxy-arp
 ip virtual-reassembly in
!
interface Vlan20
 description lan
 ip address 10.40.169.3 255.255.255.0
 ip access-group Inbound in
 ip access-group Outbound out
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan30
 description vpn
 ip address 172.26.66.173 255.255.255.248
 ip access-group Inbound in
 ip nat outside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map RMAP_NAT_FastEthernet4 interface FastEthernet4 overload
ip route 10.96.16.0 255.255.255.0 172.26.66.169
ip route 10.128.217.12 255.255.255.255 172.26.66.169
ip route 10.254.11.31 255.255.255.255 172.26.66.169
ip route 81.30.80.63 255.255.255.255 172.26.66.169
ip route 172.26.0.0 255.255.0.0 172.26.66.169
ip route 172.30.1.242 255.255.255.255 172.26.66.169
ip route 192.168.110.0 255.255.255.0 172.26.66.169
ip route 192.168.120.0 255.255.255.0 172.26.66.169
ip route 192.168.144.0 255.255.240.0 172.26.66.169
ip route 192.168.201.0 255.255.255.0 172.26.66.169
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh version 2
!
ip access-list standard SNMP_ACCESS_RO
 permit 10.96.16.2
ip access-list standard admin
 permit 10.96.16.91
 permit 10.96.16.32
 permit 10.40.169.234
 permit 10.40.169.115
 deny any log
!
ip access-list extended ACL_NAT
 permit ip 10.40.169.0 0.0.0.255 any
ip access-list extended Inbound
 permit icmp any any
 permit udp any any
 permit tcp any any
ip access-list extended Outbound
 permit icmp any any
 permit udp any any
 permit tcp any any
!
route-map RMAP_NAT_FastEthernet4 permit 10
 match ip address ACL_NAT
 match interface FastEthernet4
!
snmp-server community zabbix_mos_admin RO SNMP_ACL
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host 10.96.16.2 version 2c zabbix_mos_admin
!
control-plane
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class admin in
 exec-timeout 60 0
 password 7 **********************
 logging synchronous
 transport input ssh
!
ntp source Vlan30
ntp update-calendar
ntp server 10.96.16.2
!
end

There is Internet on the computers of the local network. The IP address 172.26.66.173 of the Vlan30 port bound to the FastEthernet1 interface, to which the VPN modem is connected, is pinged from the LAN computer (if the mask of the additional IP address of the computer, 172.26.66.177, is 255.255.255.248; if the mask is 255.255.255.0, then no). The IP addresses of the 172.26.66.XXX network and the IP addresses specified in the Cisco "ip route" commands are pinged from the Cisco console. But none of these addresses are pinged from the LAN computer, only 172.26.66.173 (the Vlan30 address). I tried to enable routing on my computer:

route ADD 10.128.217.12 255.255.255.255 172.26.66.173

Nothing has changed; the address 10.128.217.12 did not ping after that. Question: what should I do to make the IP addresses of the 172.26.66.xxx network and those specified in the "ip route" commands on Cisco "visible" from the computer?


SerhioGonsales
Level 1

I looked at the network settings of the VPN modem yesterday (IP address, mask, gateway). The IP address there is 172.26.66.171, the mask is 255.255.255.0. I tried specifying the gateways 10.40.169.3 and 172.26.66.173; unfortunately, there is no ping of this modem from the computer (IP address 10.40.169.234) in either case. The problem is definitely on the internal network, and not on the service provider's side, since even the VPN modem itself (IP address 172.26.66.171), which is located on the internal network, does not ping from the computer. For clarity, I drew a diagram of the network:

[Image: Cisco-881]

Interestingly, the computer that is connected via the VPN modem port (IP address 172.26.66.170) is pinged, but the modem itself is not.
Pings from the computer's command line (IP address 10.40.169.234):

[Image: Ping1]

Pings from the Cisco console:

[Image: Ping3]

In the future, instead of a VPN modem, I will try to connect a computer with the same IP address, mask and gateway and with the routes deleted, and see if there will be a ping. Based on the results, it will be possible to judge whether the problem is in the VPN modem or not.

I might say, congratulations on the diagram, very well done.

I believe if you change the vlan30 config it will work:

int vlan 30
 ip add 172.26.66.173 255.255.255.0

And the routes below should not have as gateway the IP .169 but the modem, which is .171:

ip route 10.96.16.0 255.255.255.0 172.26.66.169
ip route 10.128.217.12 255.255.255.255 172.26.66.169
ip route 10.254.11.31 255.255.255.255 172.26.66.169
ip route 81.30.80.63 255.255.255.255 172.26.66.169
ip route 172.26.0.0 255.255.0.0 172.26.66.169
ip route 172.30.1.242 255.255.255.255 172.26.66.169
ip route 192.168.110.0 255.255.255.0 172.26.66.169
ip route 192.168.120.0 255.255.255.0 172.26.66.169
ip route 192.168.144.0 255.255.240.0 172.26.66.169
ip route 192.168.201.0 255.255.255.0 172.26.66.169

I did so, but, unfortunately, the ping of the VPN modem (ping 172.26.66.171) from the computer (10.40.169.234) persistently does not appear. But that's how it should be. I simulated the situation in the Cisco Packet Tracer program. The role of the VPN modem is played by the PC-PT P0 computer (the same network settings):

[Image: Scheme]

The Cisco Packet Tracer program file in the attachment. The result is the same as in the real network. The Cisco Vlan 30 interface is pinged, but the PC-PT P0 computer is not:

[Image: PC2-ping]

What should I do to make PC-PT PC0 (172.26.66.171) ping from PC-PT PC2 (10.40.169.234)?

 

Let me check

OK, this is not right. You cannot have a gateway in a different network from the PC.

[Image: FlavioMiranda_0-1731348498429.png]

The gateway for this PC must be 172.26.66.173, which is the interface vlan on the switch.

And the switch, in this case, must have the command "ip routing".

You can see in the file I am attaching that the PCs can ping each other.

SerhioGonsales
Level 1

Yes, Flavio Miranda, thank you very much! This works in Cisco Packet Tracer. It remains to check in the real network.

SerhioGonsales
Level 1

In Cisco Packet Tracer everything looks nice, but in the real network there is no ping of address 172.26.66.171 from 10.40.169.234. The "ip routing" command, switching on IPv4 routing, did not help. I read on the Internet that routing in Cisco routers is enabled by default. Today, instead of a VPN modem (IP address 172.26.66.171), I connected a computer with the same network settings (IP address 172.26.66.171, mask 255.255.255.0, gateway 172.26.66.173), deleted the permanent routes, and rebooted the computer. The ping of the address 172.26.66.171 from 10.40.169.234 appeared. So, apparently, it's about the VPN modem settings. The VPN modem is pinged from the Cisco console and from a computer that is connected directly to its port with a LAN cable (IP address 172.26.66.170), but not from a computer on the LAN (IP address 10.40.169.234). I need to figure out the VPN modem settings.
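The return-path reasoning behind the test in the post above, as an added example that is not part of the original thread: a ping sourced from the router's own Vlan30 address needs no route back, while a ping from 10.40.169.234 is answered only if the host at 172.26.66.171 sends off-link replies to 172.26.66.173. The model covers only the two connected networks from the posted configuration and hosts that honour their configured mask and gateway; ACLs, NAT and proxy ARP are ignored, and `Host`, `leg_ok`, `ping_ok` and `scenarios` are names made up for this sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Router SVIs as configured in the thread's running-config.
ROUTER = {
    "Vlan20": ipaddress.ip_interface("10.40.169.3/24"),
    "Vlan30": ipaddress.ip_interface("172.26.66.173/29"),
}

@dataclass
class Host:
    iface: ipaddress.IPv4Interface  # address/mask configured on the host
    gateway: Optional[str]          # default gateway configured on the host
    segment: str                    # router SVI the host is cabled to

def leg_ok(src: Host, dst: Host) -> bool:
    """Can one packet get from src to dst using only the router's connected routes?"""
    if dst.iface.ip in src.iface.network:
        # Sender believes dst is on-link and ARPs for it; works only on a shared segment.
        return src.segment == dst.segment
    if src.gateway is None:
        return False
    # An off-link destination needs a gateway that is the router's own address
    # on the sender's segment (assumption: no other routers are modelled).
    if ipaddress.ip_address(src.gateway) != ROUTER[src.segment].ip:
        return False
    return dst.iface.ip in ROUTER[dst.segment].network

def ping_ok(a: Host, b: Host) -> bool:
    """A ping needs the echo request (a -> b) and the echo reply (b -> a)."""
    return leg_ok(a, b) and leg_ok(b, a)

def host(cidr: str, gateway: Optional[str], segment: str) -> Host:
    return Host(ipaddress.ip_interface(cidr), gateway, segment)

LAN_PC = host("10.40.169.234/24", "10.40.169.3", "Vlan20")
ROUTER_CONSOLE = host("172.26.66.173/29", None, "Vlan30")  # ping sourced from Vlan30

def scenarios() -> dict:
    at_171 = lambda gw: host("172.26.66.171/24", gw, "Vlan30")
    return {
        "console -> .171, no gateway": ping_ok(ROUTER_CONSOLE, at_171(None)),
        "LAN PC -> .171, gw 172.26.66.173": ping_ok(LAN_PC, at_171("172.26.66.173")),
        "LAN PC -> .171, gw 10.40.169.3": ping_ok(LAN_PC, at_171("10.40.169.3")),
        "LAN PC -> .171, no gateway": ping_ok(LAN_PC, at_171(None)),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{'reply' if ok else 'no reply':8}  {name}")
```

In the last two cases the echo request still reaches 172.26.66.171; only the reply leg fails, which is why a capture on the far device shows the request arriving.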

SerhioGonsales
Level 1

I read in the instructions for the VPN modem that its LAN interfaces are connected to the PC's network card with a direct network cable, as well as to a hub, switch or router with a crossover network cable. I will try to change the LAN cable between Cisco and the VPN modem.

SerhioGonsales
Level 1

First, I changed the cable between the Cisco FastEthernet1 interface and the VPN modem, then, in addition, between the FastEthernet0 interface and the unmanaged switch to a crossover cable. Cable crimping diagram:

[Image: cable crimping diagram]

Unfortunately, there is no VPN modem ping in any case. The VPN modem is an ancient Chinese ADSL modem, ZTE ZXHN H108N V.2.5. I think that either the VPN modem itself is hardware protected from ping in this way, or its specific firmware does not allow this, or this modem is not fully compatible with Cisco equipment. I do not see any other reasons.

SerhioGonsales
Level 1

@Flavio Miranda wrote:

check the config and my conclusion is that the problem may not be on your side.

Yes, Flavio Miranda, you were right; in the end it turned out that the actions that needed to be taken were not on my part. The owner of the VPN network did port forwarding on his side and everything worked. The VPN modem (172.26.66.171) still does not ping, but it turned out that this was not necessary. But the gateway on the provider's side (172.26.66.169) began to be pinged, and the addresses specified in the "ip route" commands on Cisco, for example, 10.128.217.12, began to be pinged not only from the Cisco console, but also from the network computer (10.40.169.234). Also, the address 10.128.217.12 and similar ones began to open on the network computer (10.40.169.234) in a web browser, which is what was required. Thus, everything that was needed worked. Thank you very much for your help.