06-16-2014 03:22 PM - edited 03-04-2019 11:09 PM
I configure routers about once or twice a year, so I am a noob.
I just set up a basic config on a 2600 series router, but I can't get to the internet through the router. From the router I can ping 4.2.2.2 and the next hop, but from a client PC I can ping the inside and outside interfaces but not the next-hop router or 4.2.2.2. Here is a copy of my config.
Thanks for any pointers.
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-Loaner
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
enable password ******
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.18.0.1 172.18.127.255
!
ip dhcp pool NET-POOL
network 172.18.0.0 255.255.0.0
default-router 172.18.0.1
dns-server 1.8.13.144 1.8.15.10
lease 10
!
ip audit po max-events 100
!
!
!
!
interface FastEthernet0/0
ip address 1.18.54.2 255.255.255.192
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.18.0.1 255.255.0.0
duplex auto
speed auto
!
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 1.18.54.1
!
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
password ******
login
!
!
end
06-16-2014 08:27 PM
Do you have an access list to permit traffic?
ip access-list extended acl-Internet-In
permit icmp any host 1.18.54.2 echo-reply
permit icmp any host 1.18.54.2 unreachable
permit icmp any host 1.18.54.2 source-quench
permit icmp any host 1.18.54.2 redirect
permit icmp any host 1.18.54.2 echo
permit icmp any host 1.18.54.2 time-exceeded
permit icmp any host 1.18.54.2 parameter-problem
permit icmp any host 1.18.54.2 timestamp-request
permit icmp any host 1.18.54.2 timestamp-reply
permit icmp any host 1.18.54.2 information-request
permit icmp any host 1.18.54.2 information-reply
!
interface FastEthernet0/0
ip address 1.18.54.2 255.255.255.192
! named ACL references are case-sensitive; the name must match the definition above
ip access-group acl-Internet-In in
duplex auto
speed auto
!
06-16-2014 09:01 PM
No access-list is necessary since there is no security set up on this router (by the way, it's wide open to all sorts of hacking in many ways).
As to why your host cannot reach the internet while the router can: you don't have any NAT set up. Without it, your host's private IP address will pass unchanged through the router, and your provider will not route private IP address ranges.
The configuration details vary according to whether you want to simply allow outbound (inside-initiated) or inbound traffic.
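The NAT configuration the reply above says is missing, written out for the Router-Loaner 2600 config in the first post, together with the tightening that the "wide open" remark points at. This is an added example configuration, not from the original thread. Interface names and addresses are taken from the posted config; the ACL names, the domain name, the admin username and the decision to allow management only from the 172.18.0.0/16 LAN are assumptions made for illustration.

```cisco
! Added example for the Router-Loaner 2600 config above; not part of the original thread.
! Addresses and interface names come from the posted config. The ACL names,
! the domain name and the admin username are assumptions chosen for illustration.
!
! ---- 1. The missing piece: translate LAN sources to the WAN address (PAT) ----
! Only the 172.18.0.0/16 LAN is eligible for translation. Never list the WAN
! subnet here. A wildcard mask is the inverse of a subnet mask: 0.0.255.255
! means "the first two octets must match", i.e. 172.18.0.0/16.
ip access-list standard NAT-INSIDE
 permit 172.18.0.0 0.0.255.255
!
! All matched inside hosts share the Fa0/0 address 1.18.54.2 ("overload").
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Mark the NAT domains. Without both of these the statement above never fires.
interface FastEthernet0/0
 description WAN, next hop 1.18.54.1
 ip nat outside
!
interface FastEthernet0/1
 description LAN 172.18.0.0/16, DHCP pool NET-POOL
 ip nat inside
!
! ---- 2. Closing what the posted config leaves open ----
! The cleartext "enable password" is redundant next to "enable secret" and
! shows in the clear in "show run" because password-encryption is off.
no enable password
service password-encryption
!
! The web UI and the read-only SNMP community "public" are reachable from the WAN.
no ip http server
no snmp-server community public
!
! Management: a local account instead of a shared line password, SSH only
! (needs an IOS image with the crypto/k9 feature set), and only from the LAN.
ip domain-name loaner.example
crypto key generate rsa modulus 2048
username admin privilege 15 secret ChangeMe-Now
!
ip access-list standard MGMT-IN
 permit 172.18.0.0 0.0.255.255
!
line vty 0 4
 access-class MGMT-IN in
 login local
 transport input ssh
 exec-timeout 10 0
```

One caveat if you also filter inbound on Fa0/0: IOS evaluates an inbound ACL before the outside-to-inside translation, so that list must permit return traffic addressed to the global address 1.18.54.2 (for example `permit tcp any host 1.18.54.2 established` plus whatever UDP and ICMP replies the LAN relies on). An ICMP-only list like the one in the second reply would, applied inbound, drop every TCP and UDP reply and break the very connectivity being debugged.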
08-29-2017 09:18 AM
I have the same issue. I can reply with captured CLI info.
08-29-2017 12:27 PM
show run
Building configuration...
Current configuration : 2596 bytes
!
! Last configuration change at 15:34:43 Central Tue Aug 29 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DNCEF
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ############################
!
no aaa new-model
clock summer-time Central recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.30.254
!
ip dhcp pool INTERNET
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.20.187 192.168.20.254 8.8.8.8
netbios-name-server 192.168.30.254
domain-name 192.168.30.254
lease 0 2
!
!
!
ip name-server 195.202.128.2
ip name-server 195.202.128.3
ip name-server 192.168.20.254
ip cef
login on-success log every 12
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.21
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
ip address 192.168.20.187 255.255.255.0
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip default-gateway 192.168.20.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 3 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.254
!
!
!
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
!
control-plane
!
!
banner motd ^C
-------------------------------------------------------
Unauthorized is prohibited. You must contact the administrator for more
details. Please disconnect and call the local administrator.
______________________________________________________________
^C
!
line con 0
exec-timeout 20 30
password 7 ###############
logging synchronous
login
line aux 0
line 2
exec-timeout 20 30
password 7 ###############
logging synchronous
login
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 20 30
password 7 #################
logging synchronous
login
transport input none
!
scheduler allocate 20000 1000
!
end
DNCEF#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.20.254 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 192.168.20.254
192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.20.0/24 is directly connected, GigabitEthernet0/1/0
L 192.168.20.187/32 is directly connected, GigabitEthernet0/1/0
192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.30.0/24 is directly connected, GigabitEthernet0/0
L 192.168.30.254/32 is directly connected, GigabitEthernet0/0
DNCEF#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - 885a.9264.74a1 ARPA GigabitEthernet0/1
Internet 192.168.20.96 57 0024.508e.10c0 ARPA GigabitEthernet0/1/0
Internet 192.168.20.187 - 885a.9264.74b0 ARPA GigabitEthernet0/1/0
Internet 192.168.20.254 0 c8d7.1924.3417 ARPA GigabitEthernet0/1/0
Internet 192.168.30.1 0 34e6.d70c.f059 ARPA GigabitEthernet0/0
Internet 192.168.30.254 - 885a.9264.74a0 ARPA GigabitEthernet0/0
DNCEF#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (192.168.20.254) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
DNCEF#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
DNCEF#
08-29-2017 01:35 PM - edited 08-29-2017 01:36 PM
Hello RDGamm
You have both domain and domain-less NAT enabled; however, that shouldn't cause NAT to fail, it will just NAT on the defined NAT statement you specify. However, your access-list encompasses the outside interface IP range, so try amending that.
no access-list 3
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.30.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255
res
Paul
08-29-2017 02:17 PM
08-29-2017 02:22 PM
Hello,
try the configuration below (changes and additions are marked in bold):
Current configuration : 2596 bytes
!
! Last configuration change at 15:34:43 Central Tue Aug 29 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DNCEF
!
boot-start-marker
boot-end-marker
!
enable secret 5 ############################
!
no aaa new-model
clock summer-time Central recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.30.254
!
ip dhcp pool INTERNET
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.20.187 192.168.20.254 8.8.8.8
netbios-name-server 192.168.30.254
domain-name 192.168.30.254
lease 0 2
!
ip name-server 195.202.128.2
ip name-server 195.202.128.3
ip name-server 192.168.20.254
ip cef
login on-success log every 12
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 s
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.30.254 255.255.255.0
ip nat inside
! changed: drop the NVI (domainless) form so only classic inside/outside NAT remains
no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.21
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
ip address 192.168.20.187 255.255.255.0
ip nat outside
! changed: drop the NVI (domainless) form on the outside interface as well
no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
! changed: ip default-gateway is ignored while ip routing is on; the static default route below covers it
no ip default-gateway 192.168.20.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
! changed: NAT now references extended ACL 100 (below) instead of standard ACL 3
ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.254
!
! added: the inside sources eligible for translation
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
control-plane
!
banner motd ^C
08-30-2017 07:04 AM
Thanks, very helpful!
08-30-2017 08:12 AM
Hello
@georg
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any <----- this isn't required as it is the WAN interface subnet
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
res
Paul
08-30-2017 09:12 AM
My WAN interface is Gi0/1/0, so it does matter in this case. I may use the .20 network in a subinterface scenario.
R
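How to confirm that translation actually happens once the corrected NAT ACL and the "no ip nat enable" changes from the two replies above are in place. These are added IOS checks, not from the thread; the same procedure applies to a 2600 set up with "ip nat inside source list ... overload". Addresses are the ones in the DNCEF config, and 192.168.30.1 is the host the poster tested from.

```cisco
! Added example; not from the thread. Checks for the repaired DNCEF NAT.
! The same steps apply to any "ip nat inside source list ... overload" setup.
!
! 1. Confirm the NAT domains and the mapping the router actually has. Expect
!    GigabitEthernet0/1/0 under "Outside interfaces", Gi0/0 and Gi0/1 under
!    "Inside interfaces", and one dynamic mapping naming access-list 100.
show ip nat statistics
!    If the NVI form ("ip nat enable") is still active anywhere, it shows up here:
show ip nat nvi statistics
!
! 2. Make sure the ACL can match the LAN at all. Wildcard bits set to 1 are
!    "don't care", so the original "permit 192.168.0.0 0.0.0.255" matched only
!    192.168.0.0-192.168.0.255: never 192.168.30.x and never 10.1.1.x. Such a
!    line silently yields zero translations rather than an error.
show access-lists 100
!    While 192.168.30.1 is pinging 8.8.8.8, the "(N matches)" counter on the
!    192.168.30.0 entry must increase.
!
! 3. Look at the translation table while that ping runs. Each entry should show
!    Inside local 192.168.30.1 and Inside global 192.168.20.187 (the Gi0/1/0
!    address). A rising ACL counter with no entries points at the interface
!    domain configuration, not at the ACL.
show ip nat translations
show ip nat translations verbose
!
! 4. Start clean before re-testing; stale entries hide a changed rule.
clear ip nat translation *
!
! 5. Last resort: per-packet NAT decisions. Noisy; run it from the console with
!    "logging synchronous" and switch it off as soon as you have a sample.
debug ip nat
undebug all
```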
08-29-2017 01:12 PM
Hello,
you have the same problem...can you post the configuration of your router ? In the initial post, there is a mixup of NVI NAT and traditional NAT, do you also have 'nat enable' and 'ip nat inside' configured on your interfaces ?
08-29-2017 01:29 PM
The interfaces I'm using are Gi0/0 and Gi0/1/0 and I have NAT enabled on both. From the router I can ping the Internet (www.yahoo.com) and I can ping my machine at 192.168.30.1. The machine at 192.168.30.1 can ping the router at 192.168.20.187 but cannot get to the Internet.