unable to access anything other than ping from behind a cisco 1921 router

mmarosz1

Hello, 
I am new to this community, and I am beginning to study for the CCNA exams. I apologize in advance for any 'un-educated' or 'un-necessary' questions, but with that said, I was hoping I could gain some knowledge/guidance with this problem i am having.


:here is the setup: 

I have a test network, and it has a cable modem connected to a netgear SOHO router/switch/wireless ap combo device.

I have my 'main pc', aka pc4, connected to the switch part of the netgear combo device, and it can access the internet (and anything else connected to the same switch) normally. the LAN side of the router part of the netgear combo device has an ip of 192.168.1.1.


Then, I purchased a cisco 1921 router, and I am trying to use it to make 2 separate networks in my test network.

I gave the cisco router's ge0/0 interface a static ip of 192.168.1.50, and I connected it to the switch part of the netgear combo device.

 

Then, I gave the cisco router's ge0/1 interface a static ip of 10.10.10.1, and I connected it to a separate (unmanaged) switch.


Then, i connected a test pc, aka pc2, to this unmanaged switch.

 

:here is the question: 

I cannot access the internet from pc2, and i dont know why.


I thought i needed to setup local static routes from pc4 and pc2, so i did that, but im not sure if that made any difference.

 

eg, from each pc, and from the router itself (i connected with the serial console port and putty), I can ping each pc and each interface in the router.
but, i can only ping by IP address, not by name.

eg, from pc2, if I ping pc4 by ip address, pc4 replies normally all 4 times.

eg, from pc2, if I ping pc4 by pc name, i get an error, "ping request could not find host pc4", this error only appears once after a pause.

eg, from pc2, if I ping "google.com", in the 4 ping requests that are sent, i get these 2 errors, "request timed out", and "reply from 10.10.10.1: destination host unreachable".

i have read that "destination host unreachable" means a router in the path of the ping to its destination does not have a stored route to the destination, and the router replies with "destination host unreachable".

but then i also read that "request timed out" means that the ping request never got a reply, which may mean that the routers in the path to the destination did have routes to the destination, and they forwarded the ping request, but then something else happened that caused the ping request to get dropped on its return trip.

so, i dont know how i could get both of those errors in the same ping command.

 

I am quite stumped as to what to do next, and any help would be greatly appreciated.

 

-michael


Michael

 

Thanks for the additional information. I am especially interested in your statement that the router is not able to ping beyond 192.168.1.1. If the router does not work then certainly pc2 will not be able to work. Fortunately I believe that the problem on the router is simple and easy to fix. Earlier in the discussion you posted the router config and it had a default route configured. But the most recent router config does not have a default route. You need to add this back to the config:

ip route 0.0.0.0 0.0.0.0 192.168.1.1

After you add that, check and see if things are working better.

HTH

Rick

Hello Rick, 

Thank you again so much for replying.

I just remembered I meant to ask you about "the route of last resort", and if that is the same as the "default route"?

I have been very busy preparing my resume for 2 sudden opportunities, which means i am looking at this tomorrow, but I am definitely looking at this tomorrow because this is a huge part of what i need to know.
So I will be updating this log tomorrow.
Thank you, 
-Michael

Michael

 

I hope things go well with your sudden opportunities. When you ask about route of last resort I wonder if you are really meaning gateway of last resort? There might be things in the context in which the term is used that could influence its meaning, but in general I would say that gateway of last resort/route of last resort are the same as default route.

HTH

Rick

Hello Rick,

Thank you for waiting for my replies (side note, i was called by a job i had interviewed for and was declined about a month ago, but another position opened and i may get that! and in a nutshell i was very busy with that, also, routing knowledge will be required with this job, so i am committed to figuring this out).

 

regarding my question about the "route of last resort", yes, i should have said "gateway of last resort".

i meant to ask you if that is important, and now i know it is (thank you for clarifying that).

 

-i started all the equipment, i 'logged into the router with putty', i issued the commands we are talking about again, including the newest command you told me about,

ip route 0.0.0.0 0.0.0.0 192.168.1.1

-but the same problems are still happening

-eg pc2 cannot get on the internet, and neither pc2 nor the router can ping google.com

-and when i enter this,

show ip route

-it still shows "gateway of last resort is not set"

-so i'm stumped

-im thinking maybe im doing all the steps that need to be done, but the steps themselves are not completing successfully.

-im hoping i can post what i think is the important output from the router, and then maybe the problem will be clearer.

-thank you (a tremendous amount) again...

-Michael

==========

-question about this line:

access-list 10 permit 10.10.10.0 0.0.0.127

-why is the address "0.0.0.127" in this?

-i was thinking (but i dont know if im misunderstanding this command) that it should be 192.168.1.50 ?

==========

 

==========

here is the current, "show ip route"

router1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

S* 0.0.0.0/0 [0/0], GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/25 is directly connected, GigabitEthernet0/1
L 10.10.10.1/32 is directly connected, GigabitEthernet0/1
* 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C* 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.50/32 is directly connected, GigabitEthernet0/0
router1#

 

==========

========== 

-here is the current, "show ip interface brief"
-i dont know why the "NVI0 interface" is down

router1#show ip interface brief
Interface IP-Address OK? Method Status Protocol
Embedded-Service-Engine0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/0 192.168.1.50 YES NVRAM up up
GigabitEthernet0/1 10.10.10.1 YES NVRAM up up
NVI0 unassigned YES unset administratively down down
router1#

==========

==========

here is the current, "show ip nat statistics"

router1#show ip nat statistics
Total active translations: 5 (0 static, 5 dynamic; 5 extended)
Peak translations: 27, occurred 01:04:00 ago
Outside interfaces:
GigabitEthernet0/0
Inside interfaces:
GigabitEthernet0/1
Hits: 2371 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 454
Expired translations: 720
Dynamic mappings:
-- Inside Source
[Id: 2] access-list 10 interface GigabitEthernet0/0 refcount 5

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
router1#

==========

==========

here is the current, "show run"

router1#show run
Building configuration...

Current configuration : 5643 bytes
!
! Last configuration change at 15:35:41 GMT Fri Mar 6 2020 by q
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$yY34$yyXLY/suppuEusq3d7hTs.
enable password 22
!
no aaa new-model
clock timezone GMT -5 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
dns-server 192.168.1.100 192.168.1.1
lease 0 2
!
!
!
ip domain name yourdomain.com
ip name-server 192.168.1.1
ip name-server 192.168.1.100
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1801969825
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1801969825
revocation-check none
rsakeypair TP-self-signed-1801969825
!
!
crypto pki certificate chain TP-self-signed-1801969825
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FGL2217921M
!
!
username username privilege 15 secret 5 $1$YWxN$UHwecJPTcRRqbBrZc0ONu.
username radmin1 privilege 15 secret 5 $1$iBVn$GV.xMuDzS/Q3nu6kWR6GE.
username q privilege 15 secret 5 $1$xas9$L/cj5QVPtPCM7bElP3qxd.
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 192.168.1.50 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 10.10.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip default-network 192.168.1.0
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
access-list 10 permit 10.10.10.0 0.0.0.127
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS


Here are the Cisco IOS commands.


username <myuser> privilege 15 secret 0 <mypassword>
no username cisco


Replace <myuser> and <mypassword> with the username and password you want
to use.


IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 0 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 11
login local
transport input telnet ssh
line vty 5 15
privilege level 15
password 11
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

router1#

==========

that's a lot of stuff, thank you again for looking at this!

-Michael

Michael

 

I am quite surprised about this

Gateway of last resort is not set

The show run now does have the route that I asked you to put into the config and it should have set the gateway of last resort. I am not sure why it did not. Can you do a ping to 192.168.1.1 and then immediately do a show arp and post that output?

 

As far as access list 10: in configuring access lists on IOS devices, the mask is not like a subnet mask. It is generally referred to as a wildcard mask and is essentially the inverse of the subnet mask (turn every 1 into a zero and every zero into a 1). So if your interface uses mask of 255.255.255.128 then the mask of the access list should be 0.0.0.127.

HTH

Rick
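
The wildcard-mask rule described in the reply above, as an added example (not code from the thread). It inverts the interface mask from the posted config and shows which addresses `access-list 10 permit 10.10.10.0 0.0.0.127` selects for NAT, compared with the value 192.168.1.50 that was asked about; the function names are hypothetical.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def wildcard_from_netmask(netmask):
    """Flip every bit of a subnet mask to get the IOS wildcard mask."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(mask ^ ALL_ONES))


def acl_matches(base, wildcard, addr):
    """True if addr matches an entry 'permit <base> <wildcard>'.

    Wildcard bit 0: the address bit must equal the base bit.
    Wildcard bit 1: the address bit is ignored.
    """
    care = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    b = int(ipaddress.IPv4Address(base))
    a = int(ipaddress.IPv4Address(addr))
    return (a & care) == (b & care)


def coverage(base, wildcard, network):
    """List the addresses of `network` that the ACL entry matches."""
    return [str(ip) for ip in ipaddress.ip_network(network)
            if acl_matches(base, wildcard, str(ip))]


if __name__ == "__main__":
    # Mask on GigabitEthernet0/1 in the posted config.
    print(wildcard_from_netmask("255.255.255.128"))

    # Entry from the posted config: the whole inside /25 is selected.
    good = coverage("10.10.10.0", "0.0.0.127", "10.10.10.0/25")
    print(len(good), "of 128 inside addresses match 0.0.0.127")

    # An interface address used as the wildcard is still read bit by bit,
    # so only a scattered handful of inside addresses would match.
    odd = coverage("10.10.10.0", "192.168.1.50", "10.10.10.0/25")
    print(len(odd), "of 128 inside addresses match 192.168.1.50:", odd)

    # pc2 (10.10.10.2 in the ARP table) is selected; the outside
    # interface address is not.
    print(acl_matches("10.10.10.0", "0.0.0.127", "10.10.10.2"))
    print(acl_matches("10.10.10.0", "0.0.0.127", "192.168.1.50"))
```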

Hello Rick,

-thank you again with another step forward...

 

-what you said about the 255.255.255.128 becoming 0.0.0.127 is very interesting, I plain did not know that.

 

=========================

-i started up the test network

-i entered this

ip nat inside source list 10 interface gigabitethernet0/0 overload

...though i think i did not have to because i ran "show run" and this line is already in that output...is that right?...does the fact that it is in the "show run" output mean it is already running?

 

-then i entered this,

ip route 0.0.0.0 0.0.0.0 192.168.1.1

 

-but then "show ip route" still says "gateway of last resort is not set"

-and i still cannot ping google.com from pc2, it still returns the same ip address that we talked about before, but it also still says "request timed out" like we did before

 

so i entered these commands from the router, and this is the output

=========================

router1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override

Gateway of last resort is not set

S* 0.0.0.0/0 [0/0], GigabitEthernet0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/25 is directly connected, GigabitEthernet0/1
L 10.10.10.1/32 is directly connected, GigabitEthernet0/1
* 192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C* 192.168.1.0/24 is directly connected, GigabitEthernet0/0
L 192.168.1.50/32 is directly connected, GigabitEthernet0/0
router1#
router1#
router1#
router1#
router1#
router1#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
router1#
router1#
router1#
router1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 - 700f.6a90.6e21 ARPA GigabitEthernet0/1
Internet 10.10.10.2 0 b4b5.2fcd.6f06 ARPA GigabitEthernet0/1
Internet 192.168.1.1 0 10da.431d.3e0b ARPA GigabitEthernet0/0
Internet 192.168.1.50 - 700f.6a90.6e20 ARPA GigabitEthernet0/0
router1#
router1#
router1#
router1#ping google.com
Translating "google.com"...domain server (192.168.1.1) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.217.12.142, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
router1#
router1#
router1#
router1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 - 700f.6a90.6e21 ARPA GigabitEthernet0/1
Internet 10.10.10.2 0 b4b5.2fcd.6f06 ARPA GigabitEthernet0/1
Internet 172.217.12.142 0 Incomplete ARPA
Internet 192.168.1.1 1 10da.431d.3e0b ARPA GigabitEthernet0/0
Internet 192.168.1.50 - 700f.6a90.6e20 ARPA GigabitEthernet0/0
router1#

 

=========================

im hoping this sheds more light on what is (or is not) going on.

 

can i ask you 2 other quick questions?

-what is the best practice for connecting and disconnecting the cat-6 cables to the interface 0/0 and 0/1 ports, and the serial to console port cable?

-i've been making sure the router is off before i connect or disconnect everything, but if that is not necessary, it could save time.


and i was not sure when i ping from the router, eg from the putty interface, which interface in the router is sending the ping? do i have (or need) any control over that?

 

thank you again for keeping this post alive!

-michael

 

 

Michael

 

Let me deal with the easy questions first. I need to think a bit more about why ping from the router is not working.

- if you entered this

ip route 0.0.0.0 0.0.0.0 192.168.1.1

then I am surprised and a bit puzzled that the show ip route indicates only the outbound interface. Perhaps posting a fresh copy of show run might be helpful in understanding a couple of things that are going on.

- when connecting cables to router interfaces or the console port there is not any need to power down first. 

- when you are pinging from the putty interface there is a default for the source address (source interface) and you do have an option for some control about the source address of the ping. By default the router will choose for the source address the address of the interface through which it will send the ping packet. So when you ping google.com the router looks into the routing table and finds which interface it will use. That turns out to be G0/0. So by default the router will use source address 192.168.1.50. But you have an option to change the source address to something else. Are you familiar with the online help in the router? (the ability to enter a question mark and the router will tell you what is available) If you enter this

ping google.com ?

then the router should tell you what optional parameters are available. And one of those options should be for source address.

 

Until we resolve the issue with the router accessing the Internet there is not much point in trying to test from pc2. Since pc2 must go through the router to get to the Internet I would be absolutely amazed if pc2 was successful in something that the router fails to do.

HTH

Rick

hello Rick, 

thats an excellent post, thank you yet, again.

i will get to this again tomorrow (I hope).

 

thank you for clarifying the questions about powering down while switching cables, and the getting help from the router interface, and how that can let me control which interface is sending the ping.

 

about what you said about the router choosing which interface will send a ping, eg if pinging google.com, you said "the router looks into the routing table and finds which interface it will use. That turns out to be G0/0.",

 

how does the router "find" which interface it will use?

 

does the router do the arp thing from both of its interfaces, and then it finds there is no mac address for "google.com" (that is unclear to me?!), and then since it cannot find a mac address it sends the ping to a default gateway like a pc would? eg, is the 0/0 interface on the router like a default gateway on a pc?

eg, what in the routing table helps the router make that choice?

 

I cant wait to get back to this, thank you for keep pointing me in the right direction!

 

-michael

 

 

 

 

Michael

 

In some respects the logic is the same for a PC and a router and in some respects they are different. For both of them the first step is to determine whether the address they are trying to reach is local or is remote. For both of them if the destination address is local then they arp for the destination address and if they get a response then they have the mac address they need to send the packet to the destination device. 

 

If the destination is remote the logic is different for the PC and for the router. In general the PC will just forward the packet to its default gateway. For the router it will look into its routing table and try to find an entry that is the best match for the destination. Every entry in the routing table will indicate the interface to use to reach that destination. Note that it is possible that there could be more than one entry in the routing table that is a match for the destination. For example let us assume that the router has a packet to send to destination 10.1.1.1. When the router looks into its routing table it might find these

an entry for 10.1.1.0 255.255.255.0 using interface 1

an entry for 10.0.0.0 255.0.0.0 using interface 2

an entry for 0.0.0.0 0.0.0.0 using interface 3 (this is the default route)

When there are multiple entries that match the router will choose the most specific entry (sometimes referred to as longest match).

 

So in your case you are attempting to ping google.com. The first thing the router does is to check DNS to find the IP address for google.com. Once it has the IP address it determines whether the destination is local or is remote. In this case it is remote so there is no arp. So the router checks its routing table. In your case there is not an entry that matches the address of google other than the default route. And the default route on your router is associated with G0/0.

HTH

Rick
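
The longest-match selection described in the reply above, as an added example (not code from the thread). It runs the lookup over the three-entry table from the reply and over the prefixes listed in the posted `show ip route` output; the function and table names are hypothetical.

```python
import ipaddress

# The three entries from the reply's example.
REPLY_TABLE = [
    ("10.1.1.0/255.255.255.0", "interface 1"),
    ("10.0.0.0/255.0.0.0", "interface 2"),
    ("0.0.0.0/0.0.0.0", "interface 3"),  # default route
]

# Prefixes and interfaces as listed in the posted "show ip route".
ROUTER1_TABLE = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("10.10.10.0/25", "GigabitEthernet0/1"),
    ("10.10.10.1/32", "GigabitEthernet0/1"),
    ("192.168.1.0/24", "GigabitEthernet0/0"),
    ("192.168.1.50/32", "GigabitEthernet0/0"),
]


def lookup(table, dest):
    """Return (prefix, interface) of the most specific match, or None."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        # Keep the matching entry with the longest prefix length.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else (str(best[0]), best[1])


if __name__ == "__main__":
    # All three entries match 10.1.1.1; the /24 is the most specific.
    print(lookup(REPLY_TABLE, "10.1.1.1"))
    # Only the /8 and the default match here.
    print(lookup(REPLY_TABLE, "10.2.2.2"))

    # The address google.com resolved to in the thread: default route only.
    print(lookup(ROUTER1_TABLE, "172.217.12.142"))
    # pc2 sits inside the connected /25.
    print(lookup(ROUTER1_TABLE, "10.10.10.2"))
    # Outside the /25 (upper half of the /24), so it falls to the default.
    print(lookup(ROUTER1_TABLE, "10.10.10.200"))

    # With the default route removed, a remote destination has no match,
    # and the router has nowhere to send the packet.
    no_default = [r for r in ROUTER1_TABLE if r[0] != "0.0.0.0/0"]
    print(lookup(no_default, "172.217.12.142"))
```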
