03-15-2011 01:39 AM - edited 03-04-2019 11:45 AM
Here's what i have...
          Gi0/1                     Serial0/0
ISP1-----------------------Router AAA------------------ISP2
                            |      |
                      Gi0/0 |      | Gi0/2
                            |      |
                         VLAN 2  VLAN 8
I have no problems on the left side of this figure. The problem is the right side in red-colored text. Clients on VLAN 8 could only ping the public IP address of Router AAA but not ISP2.
Here's a snippet of my configuration so far.
interface GigabitEthernet0/2
 description NETWORK PUBLIC IP
 ip address 88.88.88.193 255.255.255.192
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 duplex full
 speed auto
!
interface GigabitEthernet0/2.1
 description ISP2 LINK to VLAN 8
 encapsulation dot1q 8
 ip address 192.168.8.193 255.255.255.192
 ip nat inside
 ip virtual-reassembly
!
interface Serial0/0/1
 no ip address
 encapsulation frame-relay IETF
 no clock rate 2000000
 frame-relay lmi-type ansi
!
interface Serial0/0/1.1 point-to-point
 ip address 200.200.200.66 255.255.255.252
 ip load-sharing per-packet
 snmp trap link-status
 no cdp enable
 frame-relay interface-dlci 138
!
ip nat inside source static 192.168.8.194 88.88.88.194
ip route 0.0.0.0 0.0.0.0 200.200.200.65
ip route 192.168.8.192 255.255.255.192 192.168.8.194
The client 192.168.8.194 can ping 88.88.88.193 and 200.200.200.66 but it fails on 200.200.200.65. I've been trying to figure this out for a week now... I don't know what I'm missing... Please help...
03-15-2011 02:07 AM
Hi,
Maybe the ISP router is configured to not answer pings.
Can you do a debug ip packet 108, access-list 108 permit icmp any any and post the output for .66?
Regards.
Alain.
03-15-2011 02:19 AM
I get ICMP replies from ISP2 when i do pings from my router. But I don't get any when I do pings from a client in VLAN 8.
03-15-2011 02:32 AM
That still doesn't mean these pings are not filtered by ISP.
Can you do a debug ip icmp and also a debug ip packet
Regards.
Alain.
03-15-2011 02:57 AM
i'm sorry...
i don't do a lot of debugging.
could you please give me the step-by-step?
03-15-2011 03:02 AM
Of course. First, create an extended ACL permitting ICMP: access-list 101 permit icmp any any. Just take care before giving it a number, in case an ACL with the same number already exists, so verify with the show access-list command.
Second, disable timestamps for debugging: no service timestamps debug
Third, enable logging of debugs in the buffer and tune the buffer size: logging buffered 10000, logging buffered debug
Finally, enable debug for IP packets hitting the ACL: debug ip packet 101
Then you can do a show log and post the output here.
Regards.
Alain.
03-15-2011 05:54 PM
hi alain,
here's what i got from the log. First I shutdown interfaces Gi0/0-1, did a ping test on the router and got this output. I hope i got this right.
IP: s=200.200.200.66 (local), d=200.200.200.66, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.66 (local), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.66 (local), d=200.200.200.66 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.66 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.66 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.66 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=0.0.0.0 (local), d=200.200.200.65, len 100, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
03-16-2011 12:12 AM
Hi,
You are receiving traffic back in both cases. Can you repeat your 2 pings (note the command you did) and do a debug ip icmp for each? Between each test, and after having sent the output of sh log, clear your logs: clear log.
Regards.
Alain.
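A way to read `debug ip packet` output like the log above without counting lines by hand, as an added example that is not part of the thread: it pairs each transmitted packet with return traffic for the reverse address pair. The function names are assumptions, and the sample lines are constructed; the `forward` lines for the VLAN 8 client are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format of the `debug ip packet` output posted above;
# the "forward" lines for the VLAN 8 client are hypothetical, not from the thread.
SAMPLE = """\
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending
IP: s=200.200.200.66 (local), d=200.200.200.65 (Serial0/0/1.1), len 100, sending full packet
IP: tableid=0, s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), routed via RIB
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66 (Serial0/0/1.1), len 100, rcvd 3
IP: s=200.200.200.65 (Serial0/0/1.1), d=200.200.200.66, len 100, stop process pak for forus packet
IP: s=192.168.8.194 (GigabitEthernet0/2.1), d=200.200.200.65 (Serial0/0/1.1), g=200.200.200.65, len 100, forward
IP: s=192.168.8.194 (GigabitEthernet0/2.1), d=200.200.200.65 (Serial0/0/1.1), g=200.200.200.65, len 100, forward
"""

# One packet event per line: the action must be the last field, so the
# "sending full packet", feature-check and RIB lines are not counted twice.
LINE = re.compile(
    r"^IP: s=(?P<src>[\d.]+) \([^)]+\), "
    r"d=(?P<dst>[\d.]+)(?: \([^)]+\))?, "
    r"(?:g=[\d.]+, )?len \d+, (?P<act>sending|forward|rcvd \d+)$"
)

def summarize(log_text):
    """Return {(src, dst): {"sent": n, "returned": m}} for every outbound flow."""
    out, back = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        flow = (m["src"], m["dst"])
        if m["act"].startswith("rcvd"):
            back[flow] += 1
        else:
            out[flow] += 1
    return {
        (src, dst): {"sent": sent, "returned": back[(dst, src)]}
        for (src, dst), sent in out.items()
    }

def unanswered(log_text):
    """Flows that left the router but saw no packet for the reverse address pair."""
    return sorted(f for f, c in summarize(log_text).items() if c["returned"] == 0)
```

Addresses are compared exactly as logged, so replies to a translated flow show up under the translated address rather than the private one.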
03-15-2011 04:18 AM
Hi buford,
When you ping the ISP 200.200.200.65 from your router the source will be 200.200.200.66. You can do a sh ip cef 200.200.200.65 and you can see that it's learning from the directly connected interface. You get responses as the ISP seems to have not blocked any ICMPs in that subnet range.
Can you please ping 200.200.200.65 from your router using the source as gi0/2? This will use the source interface as 88.88.88.193.
So if you can't ping using this then that means that the ISP is blocking ICMPs from any other range, and since your private IP range is getting NAT'ed to this range you won't be able to ping from that subnet 192.168.8.192/26 as well.
Also, one question I have is: are you actually having a problem with your VLAN 8 going out to the internet? I mean, is pinging the ISP your only problem? If yes, then I wouldn't worry too much about it.
However, you can gladly do what alain has asked for and post in the results.
HTH
Regards,
Kishore
Please rate if helpful
03-15-2011 06:03 PM
i haven't really thought that my ISP would block ICMP. My actual plan is to have VLAN2 only use ISP1 and VLAN8 use ISP2. VLAN2 has internet while VLAN8 doesn't. I failed to ping 8.8.8.8 (Google's Public DNS) from VLAN8 using ISP2 actually.
03-15-2011 06:15 PM
I found another interesting thing...
My router can not ping the NAT'ed private IPs but my clients can.
Did i do something wrong in my NAT?
03-15-2011 08:07 PM
I don't know if I'm not understanding your network diagram or you have it all mixed:
I see you are sending all the traffic through the serial interface (Frame Relay) but doing your NAT on the Gigabit Ethernet interface.
So far you can only ping all your LOCAL interfaces; you are not pinging away from your local router.
I also see this route:
ip route 192.168.8.192 255.255.255.192 192.168.8.194
It says that you will reach the .192 network through the .194 host? o_O
Maybe if you post a Packet Tracer-like network diagram and your IP scheme I would be able to be more helpful, because I don't see the sense between your config and diagram.
______________________
Now with the Frame Relay issue: you say that you can't ping .65 from your HOST, but can you from your router? If you can, you are having a Frame Relay issue because you have to be able to ping the next hop (directly connected).
If you can ping from the router but CAN'T from the host, does the .65 router have a comeback route to the 192.168.8.x subnet (VLAN 8)?
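The mismatch described in the post above (the default route leaves via the serial subinterface while `ip nat outside` sits on GigabitEthernet0/2) can be checked mechanically. This is an added example, not part of the thread; the function names are assumptions and the config excerpt is constructed from the lines posted earlier.

```python
import ipaddress
import re

# Constructed excerpt: interfaces and default route as posted in the thread.
CONFIG = """\
interface GigabitEthernet0/2
 ip address 88.88.88.193 255.255.255.192
 ip nat outside
!
interface GigabitEthernet0/2.1
 ip address 192.168.8.193 255.255.255.192
 ip nat inside
!
interface Serial0/0/1.1 point-to-point
 ip address 200.200.200.66 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 200.200.200.65
"""

def parse_interfaces(cfg):
    """Return {name: {"net": IPv4Network or None, "nat": "inside"/"outside"/None}}."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"net": None, "nat": None})
        elif line == "!":
            cur = None  # "!" closes the interface stanza
        elif cur is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.fullmatch(r"ip nat (inside|outside)", line):
                cur["nat"] = m[1]
    return ifaces

def default_route_nat_findings(cfg):
    """List (next_hop, egress_interface, nat_role) where egress is not 'ip nat outside'."""
    ifaces = parse_interfaces(cfg)
    findings = []
    for m in re.finditer(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+(?:\.\d+){3})\s*$", cfg, re.M):
        hop = ipaddress.ip_address(m[1])
        for name, info in ifaces.items():
            # The egress interface is the one whose connected subnet holds the next hop.
            if info["net"] and hop in info["net"] and info["nat"] != "outside":
                findings.append((str(hop), name, info["nat"]))
    return findings
```

On the constructed excerpt the check reports Serial0/0/1.1 as the default-route egress with no NAT role, which means traffic from the `ip nat inside` subinterface never crosses an inside-to-outside boundary on its way out.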