08-04-2008 06:37 PM - edited 03-03-2019 11:01 PM
I have a Cisco 871 router; its F4 interface connects to the Internet and its Vlan10 interface connects to the internal network (10.0.0.0/24). I can't ping the internal network when the ping is sourced from interface F4. I don't think that's normal, right? Can anybody please let me know why? Thanks!
CCSPHOMERTR#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
CCSPHOMERTR#ping 10.0.0.3 source f4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.2.22
.....
Success rate is 0 percent (0/5)
CCSPHOMERTR#
08-04-2008 08:00 PM
Do you have an ACL blocking traffic from the outside network? If so, then yes, this would not work.
08-05-2008 11:39 AM
Thank you for your reply John. I don't have any ACL at all. Here is the config:
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN_MAP
end
!
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
end
08-06-2008 09:11 AM
NAT will not allow traffic from the outside port to the inside... for security reasons, I'm sure....
I checked it on my 871 and it does the same thing and works fine. I would suggest leaving it blocked, as that could make a big security hole.
John
08-06-2008 12:32 PM
However I have a 2851 router and they can ping inside interfaces... The reason why I want to fix it is because I have EZVPN configured and the remote client can't ping internal computers because of the same reason...
08-05-2008 07:40 AM
Debug ip packet detail.
I think reverse routing is not opened.
08-05-2008 09:30 AM
Hi,
Can you paste show ip int brief and show run?
regards
pravin
08-05-2008 11:43 AM
Sure! Here it is:
CCSPHOMERTR#sh ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 70.64.22.2 YES DHCP up up
Vlan1 unassigned YES NVRAM up down
NVI0 unassigned NO unset up up
Vlan10 10.0.0.254 YES NVRAM up up
08-05-2008 11:46 AM
(Because it's too long, I deleted the line configuration part... Hope it won't affect your troubleshooting)
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CCSPHOMERTR
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login LOGIN_AUTHEN local
aaa authorization console
aaa authorization exec EXEC_AUTHOR local
aaa authorization network NETWORK_AUTHOR local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP
key XXXXXXXX
dns 10.0.0.254
domain pc-pro.ca
pool IPPOOL_EZVPN
acl 101
banner ^CIf you are not Vicky, logout immediately ^C
!
!
crypto ipsec transform-set IPSEC_TRANS_EZVPN esp-aes esp-md5-hmac
!
crypto dynamic-map EZVPN_DYNAMIC_MAP 1
set transform-set IPSEC_TRANS_EZVPN
reverse-route
!
!
crypto map VPN_MAP client authentication list LOGIN_AUTHEN
crypto map VPN_MAP isakmp authorization list NETWORK_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 65535 ipsec-isakmp dynamic EZVPN_DYNAMIC_MAP discover
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool VLAN10_IP_POOL
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 10.0.0.254
domain-name pc-pro.ca
!
ip dhcp pool VISTA_IP_POOL
host 10.0.0.3 255.255.255.0
client-identifier 0100.1a92.d12a.de
default-router 10.0.0.254
dns-server 10.0.0.254
domain-name pc-pro.ca
!
!
no ip bootp server
ip domain name pc-pro.ca
!
multilink bundle-name authenticated
!
!
username support privilege 15 secret 5 $1$pKI2$9rPzlEdfn8OW1lNTutHY7/
archive
log config
hidekeys
!
!
ip ssh rsa keypair-name RSA_SSH
!
class-map type inspect match-all CMAP_OUT2IN
match access-group name ACL_OUT2IN
class-map type inspect match-any CMAP_IN2OUT
match protocol http
match protocol https
match protocol icmp
match protocol ftp
match protocol tcp
match protocol udp
!
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
!
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN_MAP
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
ip route 10.0.0.0 255.255.255.0 Vlan10
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.0.2 22 interface FastEthernet4 2222
ip nat inside source route-map ROUTE_MAP_NAT interface FastEthernet4 overload
!
ip access-list extended ACL_EZVPN_SPLIT
permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended ACL_NAT
deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended ACL_OUT2IN
permit ip 10.200.200.0 0.0.0.255 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 199 permit ip 10.200.200.0 0.0.0.255 any
!
!
!
route-map ROUTE_MAP_NAT permit 10
match ip address ACL_NAT
!
!
!
scheduler max-task-time 5000
!
webvpn cef
end
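The following is an added example from the editor, not code from this thread or from Cisco IOS. It models how the posted "ip nat inside source route-map ROUTE_MAP_NAT interface FastEthernet4 overload" rule, with ROUTE_MAP_NAT matching ACL_NAT, classifies replies leaving Vlan10 toward the outside: Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the translate/exempt decision. The FastEthernet4 address 70.64.22.2 is taken from the posted "sh ip int brief"; the EZVPN client address 10.200.200.5 (from IPPOOL_EZVPN) and the Internet host 203.0.113.10 are constructed placeholders.

```python
# Added example (editor's model, not code from the thread or from Cisco IOS):
# evaluates the posted ACL_NAT / ROUTE_MAP_NAT the way IOS matches an
# inside-source NAT rule, for traffic leaving the NAT-inside side (Vlan10).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D" or "NETWORK WILDCARD"
    dst: str


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS-style match: bits set in the wildcard mask are 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return _ip(addr) == _ip(parts[1])
    net, wild = _ip(parts[0]), _ip(parts[1])
    care = ~wild & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry.action
    return "deny"


# ACL_NAT exactly as posted in the thread
ACL_NAT = [
    AclEntry("deny",   "10.0.0.0 0.0.0.255", "10.200.200.0 0.0.0.255"),
    AclEntry("permit", "10.0.0.0 0.0.0.255", "any"),
]

# FastEthernet4 address from the posted 'sh ip int brief'
F4_ADDR = "70.64.22.2"


def nat_inside_source(src: str, dst: str):
    """Apply 'ip nat inside source route-map ROUTE_MAP_NAT interface FastEthernet4
    overload' (ROUTE_MAP_NAT permit 10 matches ACL_NAT) to one inside->outside
    packet.  Returns (source address after NAT, translated?)."""
    if acl_lookup(ACL_NAT, src, dst) == "permit":
        return F4_ADDR, True
    return src, False


# Constructed flows: 10.200.200.5 is a hypothetical EZVPN client drawn from
# IPPOOL_EZVPN, 203.0.113.10 a placeholder Internet host.  Each is a reply
# from the inside host 10.0.0.3 leaving Vlan10.
FLOWS = {
    "reply to ping sourced from F4": ("10.0.0.3", F4_ADDR),
    "reply to EZVPN client":         ("10.0.0.3", "10.200.200.5"),
    "reply to an Internet host":     ("10.0.0.3", "203.0.113.10"),
}


def classify_flows():
    """Map each constructed flow to (source after NAT, translated?)."""
    return {name: nat_inside_source(s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for name, (new_src, translated) in classify_flows().items():
        state = "translated" if translated else "exempt (deny line)"
        print(f"{name:32s} -> src {new_src:14s} {state}")
```

Running it shows the point of the deny line in ACL_NAT: a reply from 10.0.0.3 to an EZVPN client address leaves Vlan10 untranslated, so it can still be matched by the dynamic crypto map on FastEthernet4, whereas a reply addressed to the router's own FastEthernet4 address matches the permit line and is handled exactly like ordinary Internet-bound traffic, i.e. it is translated to 70.64.22.2 as well.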
08-05-2008 11:40 AM
Will try it tonight. It's my home router and I turned off all computers so I have nothing to ping now...
08-05-2008 01:25 PM
Thanks for the reply, Rupesh. How do I enable reverse routing? I did some research on Google but didn't find anything... Thanks!
08-06-2008 12:23 PM
Here is the output of the debug.
CCSPHOMERTR#debug ip packet 101
IP packet debugging is on for access list 101
CCSPHOMERTR#ping 10.0.0.3 repeat 1 source fastEthernet 4
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.22.2
*Aug 6 20:18:25.281: IP: tableid=0, s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), routed via FIB
*Aug 6 20:18:25.285: IP: s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), len 100, sending.
Success rate is 0 percent (0/1)
The access-list is:
CCSPHOMERTR#sh access-list 101
Extended IP access list 101
10 permit ip 10.0.0.0 0.0.0.255 any (4 matches)
20 permit ip any 10.0.0.0 0.0.0.255 (4 matches)
08-06-2008 06:00 AM
Does anybody have any solution? Thanks...
08-06-2008 09:06 AM
Create a default route towards your F4 ip address from your internal network
08-06-2008 12:28 PM
Like this?
ip route 0.0.0.0 0.0.0.0 fastEthernet 4
After I did this I lost my connection to my router (I was SSH'd into the router) and I can't connect to it anymore...