Solved: Re: Allowing icmp to router external interface.

jomo frank · ‎02-14-2019

Hello All,

I have Cisco 892 router using a pppoe dialer and would like to allow pings to the interface for monitoring by ISP.

Could you provide guidance how configure same

Below is my wan interface

Interface Dialer2
ip address 10.192.252.4 255.255.255.0
ip mtu 1400
encapsulation ppp
dialer pool 1
keepalive 10 6
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
no cdp enable

Regards

Francesco Molino · ‎02-15-2019

your EIGRP is just for LAN? you don't have a route for path 190.124.224.2?

If you run a debug and you don't see any icmp packets incoming, then you need to ask your ISP how will he be able to reach your Dialer. I understand this is a Dialer given by an ISP but at some point, a route must exists. Can you ask him to do a traceroute to see?

Not sure I understood your point with GRE. Do you have a GRE tunnel on your router sourced with Dialer interface?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎02-14-2019

Hi

I don't understand your question.
There's no acl on the interface which means by default you would be able to ping it.
From where you want to ping it? The dialer interface has a private IP and not a public which means you can ping it from internet (in this state)

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jomo frank · ‎02-15-2019

Hello Francesco,

The end user is coming from 190.124.224.2 address but they not are getting any response.

The access list I have is for gre tunnels.

Regards

jomo frank · ‎02-15-2019

hello ,
The access list the config.

crypto map SDM_CMAP_1 3 ipsec-isakmp
set peer 10.192.252.131
set transform-set manbosvpn
match address 102
crypto map SDM_CMAP_1 4 ipsec-isakmp
set peer 10.192.252.143
set transform-set bcpmanbosvpn
match address 100
!

access-list 100 remark CCP_ACL Category=4
access-list 100 permit gre host 10.192.252.4 host 10.192.252.143
access-list 102 remark CCP_ACL Category=4
access-list 102 permit gre host 10.192.252.4 host 10.192.252.131

Regards

Francesco Molino · ‎02-15-2019

I saw your post with crypto map which indicates, you have IPSEC tunnel.

The IP 190.124.224.2 is trying to ping what IP (your dialer IP)? Your Dialer IP is 10.192.252.4 which is in 10.0.0.0/8 (RFC1918), a private IP.
Maybe you're trying to ping a public IP but this public IP is sitting on your ISP modem I believe?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jomo frank · ‎02-15-2019

@Francesco Molino wrote:
I saw your post with crypto map which indicates, you have IPSEC tunnel.

The IP 190.124.224.2 is trying to ping what IP (your dialer IP)? Your Dialer IP is 10.192.252.4 which is in 10.0.0.0/8 (RFC1918), a private IP.
Maybe you're trying to ping a public IP but this public IP is sitting on your ISP modem I believe?

Hello Francesco,

The guy at the ISP is using this ip address 190.124.224.2 to try to ping the router wan interface 10.192.252.4. but no response.

Regards

Francesco Molino · ‎02-15-2019

Let's start this again.
Your router with Dialer:
- Is there any default static route?
- People from inside or even from your Dialer, are you able to access internet?
- Who is doing nat to access internet?

Now your ISP guy is trying to ping your Dialer private IP?
- If you run a debug on your router (debug ip icmp) and you type "term mon" on your ssh session. When the guy tries to ping you, do you see any traffic in? I believe not

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

jomo frank · ‎02-15-2019

Hello Francesco,

Is there any default static route? -------------- No, I am using eigrp for routing
People from inside or even from your Dialer, are you able to access internet . -------------------No this router is not allow to go the internet
Who is doing nat to access internet . -------I did not configure any nat to access the internet. since this router is using the ISP to connect to remote location on the same wan subnet.
If you run a debug on your router (debug ip icmp) and you type "term mon" on your ssh session. When the guy tries to ping you, do you see any traffic in? I believe not ------------- No traffic is showing.
I should mention this router use a pppoe via a ISP to another remote location using gre tunnels.
No nat or route to internet is in place.

Do I need to do any nat configuration if so could you post the config changes I need to make.
Will the changes if any be disruptive since the router is in production mode ?

Regards

Regards

Francesco Molino · ‎02-15-2019

your EIGRP is just for LAN? you don't have a route for path 190.124.224.2?

If you run a debug and you don't see any icmp packets incoming, then you need to ask your ISP how will he be able to reach your Dialer. I understand this is a Dialer given by an ISP but at some point, a route must exists. Can you ask him to do a traceroute to see?

Not sure I understood your point with GRE. Do you have a GRE tunnel on your router sourced with Dialer interface?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Richard Burts · ‎02-16-2019

I agree with Francesco that there is a lot that we do not know about this environment and that impacts our ability to give good advice. The original post was quite clear that the objective was to be able to ping the external interface. In that case I do not see how a GRE tunnel to another site plays any role in ping to the external interface.

I agree with Francesco that an important question is how the ping packet from a Public IP would be routed to the router of the original poster. How would the outside device have a route to an IP address in network 10.0.0.0. When a device with a Public IP wants to communicate with an address in private network 10.0.0.0 there generally needs to be some address translation. We have not been told of any address translation.

The original poster tells us that this router is not allowed to access the Internet. Since the address originating the ping appears to be an address in the Internet then how would the router be able to respond to it?

HTH

Rick

HTH

Rick

jomo frank · ‎02-16-2019

Hello All,

Thanks for leading me in the right direction, the issue is now resolve.

I had to add a static route using the dialer interface as gateway now the tech at the ISP can ping my device.

Regards

Francesco Molino · ‎02-18-2019

Happy to see your issue is solved.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Allowing icmp to router external interface.

Allow ICMP through Cisco ASA

FTD Interface Allow ICMP

Allow ICMP types on Fortigate

Secure Access: allow ICMP firewall rule

Allow ICMP (ping & tracert) between interfaces on Firepower 1140