Trouble routing on UBR924

cbell20
Level 1

I am having problems getting my desktop to route properly with the ubr924. It's already been provisioned and I can successfully ping websites from it. When I try to ping places from my desktop I receive "Reply from 192.168.1.200: Destination net unreachable." So obviously there is something not right with the routing. TIA

version 12.2
no service pad
service tcp-keepalives-in
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ubr924
!
logging console informational
enable secret 5
enable password
!
clock timezone - -6
clock summer-time PST recurring
ip subnet-zero
ip tcp synwait-time 5
ip telnet source-interface Loopback0
ip dhcp excluded-address 192.168.1.1 192.168.1.200
!
ip dhcp pool LOCAL_NET
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.200
   dns-server 192.168.1.115
!
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
interface Loopback0
 ip address 66.191.25.xxx 255.255.255.255
!
interface Ethernet0
 ip address 192.168.1.200 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
!
interface cable-modem0
 ip access-group 130 in
 ip access-group 140 out
 ip nat outside
 no ip mroute-cache
 no cable-modem compliant bridge
 cable-modem dhcp-proxy nat PUBLIC
!
ip nat pool PUBLIC 66.191.25.xxx 66.191.25.xxx netmask 255.255.254.0
ip nat inside source route-map nonat pool PUBLIC overload
ip classless
ip route 192.168.3.0 255.255.255.0 192.168.1.105
ip http server
ip http cable-monitor advance 192.168.1.200 255.255.255.0
!
logging trap debugging
logging 192.168.1.108
access-list 1 permit 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
access-list 130 deny udp any any eq snmp log-input
access-list 130 deny udp any any eq snmptrap log-input
access-list 130 permit ip any any
access-list 130 permit icmp any any net-unreachable
access-list 130 permit icmp any any host-unreachable
access-list 130 permit icmp any any port-unreachable
access-list 130 permit icmp any any packet-too-big
access-list 130 permit icmp any any administratively-prohibited
access-list 130 permit icmp any any source-quench
access-list 130 permit icmp any any ttl-exceeded
access-list 130 permit icmp any any echo-reply
access-list 130 deny icmp any any log-input
access-list 140 deny udp any any eq netbios-ns
access-list 140 deny udp any any eq netbios-dgm
access-list 140 deny udp any any eq netbios-ss
no cdp run
route-map nonat permit 10
 match ip address 120
!
snmp-server packetsize 4096
snmp-server enable traps tty
snmp-server manager
!
voice-port 0
 input gain -2
 output attenuation 0
 shutdown
!
voice-port 1
 input gain -2
 output attenuation 0
 shutdown
!
banner motd ^C
This is a PRIVATE router
Unless authorized, get off NOW! ^C
!
line con 0
 exec-timeout 30 0
 password
line vty 0
 access-class 1 in
 exec-timeout 15 0
 password
 login
line vty 1
 access-class 1 in
 password
 login
line vty 2 4
 access-class 1 in
 login
!
scheduler max-task-time 5000
ntp clock-period 17248359
ntp server 209.81.9.7 source Loopback0
ntp server 63.149.208.5 source Loopback0
ntp server 128.118.25.3 source Loopback0
end

Gateway of last resort is 10.213.160.1 to network 0.0.0.0

     66.0.0.0/32 is subnetted, 1 subnets
C       66.191.25.43 is directly connected, Loopback0
     10.0.0.0/19 is subnetted, 1 subnets
C       10.213.160.0 is directly connected, cable-modem0
C    192.168.1.0/24 is directly connected, Ethernet0
S    192.168.3.0/24 [1/0] via 192.168.1.105
S*   0.0.0.0/0 [254/0] via 10.213.160.1


jonaallen
Level 1

Basically, your outbound access list 140 is not configured correctly. There is no permit statement to allow any traffic out of your network, and as you know, at the bottom of every access list is an implicit "deny ip any any". When you telnet or console to the router, the ACL rules do not apply, so you would be able to ping anywhere you want.

You need to add "permit ip any any" to the end of access list 140.

For your NAT configuration, the route-map is not necessary, and could cause a problem with NAT.

Change the following line from:

ip nat inside source route-map nonat pool PUBLIC overload

to this:

ip nat inside source list 120 pool PUBLIC overload

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

Then you can remove your route map statements.

I also noticed that the only route statement that you have is for an internal network. You should add a "gateway of last resort" statement, to avoid any confusion.

That statement should read:

ip route 0.0.0.0 0.0.0.0 interface cable-modem0

http://www.cisco.com/en/US/about/ac123/ac114/ac173/Q2-04/department_techtips.html

One last note for you is that access list 130 is built incorrectly. Access lists are read from top to bottom, so the first 3 lines are correct, in which you deny a specific UDP function, and then permit ALL other traffic with "permit ip any any".

The lines that follow the "permit ip any any" statement are basically useless because of the explicit permit statement in front of them. If you should need to save space in your configuration file, you should start by removing those last lines of access list 130.
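A first-match ACL simulator, added here as an example (not code from the thread or from Cisco), that reproduces the two findings of the answer above on the posted ACL 130 and 140 entries: ACL 140 falls through to the implicit deny for everything, and the ACL 130 entries after "permit ip any any" can never match. The port-name table and the sample packets are assumptions made for the example.

```python
"""First-match simulation of the ACLs posted in this thread (added example, not
code from the post or from Cisco). Shows why ACL 140 drops everything outbound
(no permit, so the implicit deny applies) and which ACL 130 entries are shadowed
by the earlier "permit ip any any". Port table and test packets are constructed."""
PORTS = {"snmp": 161, "snmptrap": 162,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

# Copy of the thread's ACL 130 and 140 entries, in their original order.
ACL_CONFIG = """\
access-list 130 deny udp any any eq snmp log-input
access-list 130 deny udp any any eq snmptrap log-input
access-list 130 permit ip any any
access-list 130 permit icmp any any echo-reply
access-list 130 deny icmp any any log-input
access-list 140 deny udp any any eq netbios-ns
access-list 140 deny udp any any eq netbios-dgm
access-list 140 deny udp any any eq netbios-ss
"""

def parse_acls(text):
    """Return {number: [(action, proto, dport, icmp_type), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        tok = [t for t in line.split() if t not in ("log", "log-input")]
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[6:]
        dport = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "eq" else None
        acls.setdefault(number, []).append((action, proto, dport, icmp_type))
    return acls

def covers(rule, proto, dport=None, icmp_type=None):
    """True if this entry matches a packet with the given protocol/port/ICMP type."""
    _, r_proto, r_dport, r_icmp = rule
    return (r_proto in ("ip", proto)
            and (r_dport is None or r_dport == dport)
            and (r_icmp is None or r_icmp == icmp_type))

def evaluate(acl, proto, dport=None, icmp_type=None):
    """First match wins -> (action, index); no match -> implicit deny, index None."""
    for i, rule in enumerate(acl):
        if covers(rule, proto, dport, icmp_type):
            return rule[0], i
    return "deny", None

def shadowed(acl):
    """Indices of entries that an earlier, broader entry always matches first."""
    return [j for j in range(len(acl))
            if any(covers(acl[i], *acl[j][1:]) for i in range(j))]
```

Appending the suggested "access-list 140 permit ip any any" to ACL_CONFIG and re-running evaluate() on an outbound ICMP echo shows the packet now hitting that permit instead of the implicit deny.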


Thanks!! I had forgotten about the importance of the ACL ordering. It now works great.