05-31-2004 05:49 PM - edited 03-02-2019 04:03 PM
I am having problems getting my desktop to route properly with the ubr924. It's already been provisioned and I can successfully ping websites from it. When I try to ping places from my desktop I receive "Reply from 192.168.1.200: Destination net unreachable." So obviously there is something not right with the routing. TIA
version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ubr924
!
logging console informational
enable secret 5
enable password
!
clock timezone - -6
clock summer-time PST recurring
ip subnet-zero
ip tcp synwait-time 5
ip telnet source-interface Loopback0
ip dhcp excluded-address 192.168.1.1 192.168.1.200
!
ip dhcp pool LOCAL_NET
network 192.168.1.0 255.255.255.0
default-router 192.168.1.200
dns-server 192.168.1.115
!
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
interface Loopback0
ip address 66.191.25.xxx 255.255.255.255
!
interface Ethernet0
ip address 192.168.1.200 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
!
interface cable-modem0
ip access-group 130 in
ip access-group 140 out
ip nat outside
no ip mroute-cache
no cable-modem compliant bridge
cable-modem dhcp-proxy nat PUBLIC
!
ip nat pool PUBLIC 66.191.25.xxx 66.191.25.xxx netmask 255.255.254.0
ip nat inside source route-map nonat pool PUBLIC overload
ip classless
ip route 192.168.3.0 255.255.255.0 192.168.1.105
ip http server
ip http cable-monitor advance 192.168.1.200 255.255.255.0
!
logging trap debugging
logging 192.168.1.108
access-list 1 permit 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
access-list 130 deny udp any any eq snmp log-input
access-list 130 deny udp any any eq snmptrap log-input
access-list 130 permit ip any any
access-list 130 permit icmp any any net-unreachable
access-list 130 permit icmp any any host-unreachable
access-list 130 permit icmp any any port-unreachable
access-list 130 permit icmp any any packet-too-big
access-list 130 permit icmp any any administratively-prohibited
access-list 130 permit icmp any any source-quench
access-list 130 permit icmp any any ttl-exceeded
access-list 130 permit icmp any any echo-reply
access-list 130 deny icmp any any log-input
access-list 140 deny udp any any eq netbios-ns
access-list 140 deny udp any any eq netbios-dgm
access-list 140 deny udp any any eq netbios-ss
no cdp run
route-map nonat permit 10
match ip address 120
!
snmp-server packetsize 4096
snmp-server enable traps tty
snmp-server manager
!
voice-port 0
input gain -2
output attenuation 0
shutdown
!
voice-port 1
input gain -2
output attenuation 0
shutdown
!
banner motd ^C
This is a PRIVATE router
Unless authorized, get off NOW! ^C
!
line con 0
exec-timeout 30 0
password
line vty 0
access-class 1 in
exec-timeout 15 0
password
login
line vty 1
access-class 1 in
password
login
line vty 2 4
access-class 1 in
login
!
scheduler max-task-time 5000
ntp clock-period 17248359
ntp server 209.81.9.7 source Loopback0
ntp server 63.149.208.5 source Loopback0
ntp server 128.118.25.3 source Loopback0
end
Gateway of last resort is 10.213.160.1 to network 0.0.0.0
66.0.0.0/32 is subnetted, 1 subnets
C 66.191.25.43 is directly connected, Loopback0
10.0.0.0/19 is subnetted, 1 subnets
C 10.213.160.0 is directly connected, cable-modem0
C 192.168.1.0/24 is directly connected, Ethernet0
S 192.168.3.0/24 [1/0] via 192.168.1.105
S* 0.0.0.0/0 [254/0] via 10.213.160.1
06-01-2004 09:40 AM
Basically, your outbound access list 140 is not configured correctly. There is no permit statement to allow any traffic out of your network, and as you know, at the bottom of every access list is an implicit "deny ip any any". When you telnet or console to the router, the ACL rules do not apply, so you would be able to ping anywhere you want.
You need to add "permit ip any any" to the end of access list 140.
For your NAT configuration, the route-map is not necessary, and could cause a problem with NAT.
Change the following line from:
ip nat inside source route-map nonat pool PUBLIC overload
to this:
ip nat inside source list 120 pool PUBLIC overload
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
Then you can remove your route map statements.
I also noticed that the only route statement that you have is for an internal network. You should add a "gateway of last resort" statement, to avoid any confusion.
That statement should read:
ip route 0.0.0.0 0.0.0.0 interface cable-modem0
http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_techtips.html
One last note for you is that access list 130 is built incorrectly. Access lists are read from top to bottom, so the first 3 lines are correct, in which you deny a specific UDP function, and then permit ALL other traffic with "permit ip any any".
The lines that follow the "permit ip any any" statement are basically useless because of the explicit permit statement in front of them. If you should need to save space in your configuration file, you should start by removing those last lines of access list 130.
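As an added illustration of the first-match behaviour this answer describes (example code, not from the thread or from Cisco), the following Python models the any/any entries of access lists 130 and 140 as posted, checks an outbound echo request against list 140 before and after the suggested "permit ip any any", and flags the entries of list 130 that can never be reached. The Packet type, the covers/evaluate/shadowed functions and the use of numeric ports 161/162 (snmp/snmptrap) and 137/138/139 (netbios-ns/dgm/ss) in place of the IOS keywords are my own modelling assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                    # "udp", "tcp" or "icmp"
    dport: Optional[int] = None   # UDP/TCP destination port
    icmp: Optional[str] = None    # ICMP type keyword, e.g. "echo-reply"

# Entries are (action, protocol, dst port, icmp keyword); protocol "ip"
# matches every IP packet. Constructed from the any/any lines in the post;
# source/destination addresses are omitted because they are all "any".
ACL_130 = [("deny", "udp", 161, None), ("deny", "udp", 162, None),
           ("permit", "ip", None, None),
           ("permit", "icmp", None, "net-unreachable"),
           ("permit", "icmp", None, "echo-reply"),
           ("deny", "icmp", None, None)]
ACL_140 = [("deny", "udp", 137, None), ("deny", "udp", 138, None),
           ("deny", "udp", 139, None)]
ACL_140_FIXED = ACL_140 + [("permit", "ip", None, None)]   # the suggested fix

def covers(entry, proto, dport, icmp):
    """True if this single entry matches every packet with these attributes."""
    _, e_proto, e_port, e_icmp = entry
    if e_proto == "ip":
        return True
    return e_proto == proto and e_port in (None, dport) and e_icmp in (None, icmp)

def evaluate(acl, pkt):
    """First match wins; falling off the end is the implicit 'deny ip any any',
    reported as (action, index) with index None for the implicit deny."""
    for i, entry in enumerate(acl):
        if covers(entry, pkt.proto, pkt.dport, pkt.icmp):
            return entry[0], i
    return "deny", None

def shadowed(acl):
    """Indices of entries that can never be hit because an earlier entry already
    covers every packet they could match (everything after 'permit ip any any')."""
    return [i for i, e in enumerate(acl)
            if any(covers(prev, *e[1:]) for prev in acl[:i])]

if __name__ == "__main__":
    ping = Packet("icmp", icmp="echo")   # the desktop's outbound echo request
    print("ACL 140 as posted:", evaluate(ACL_140, ping))          # ('deny', None)
    print("ACL 140 with permit ip any any:", evaluate(ACL_140_FIXED, ping))
    print("ACL 130 unreachable entries:", shadowed(ACL_130))      # [3, 4, 5]
```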
06-01-2004 12:33 PM
Thanks!! I had forgotten about the importance of the ACL ordering. It now works great.