06-08-2007 06:39 AM - edited 03-03-2019 05:21 PM
Hi all. I can't ping the public IP address of a 1750. I can ping all internal IP addresses.
chr01rt01ec#sh run
Building configuration...
Current configuration : 3851 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname chr01rt01ec
!
no logging on
enable password 7 xxxx
!
memory-size iomem 20
ip subnet-zero
no ip finger
no ip domain-lookup
ip host test 2005 192.168.18.1
ip dhcp excluded-address 192.168.18.1 192.168.18.20
!
ip dhcp pool charlotte
import all
network 192.168.18.0 255.255.255.0
default-router 192.168.18.1
domain-name xxxx
dns-server 172.17.2.60
netbios-name-server 172.17.2.60 172.17.2.30
netbios-node-type h-node
lease 30
!
ip dhcp pool jdirect1
host 192.168.18.20 255.255.255.0
hardware-address 0030.c154.724b
client-name NPI54724b
!
ip dhcp pool jdirect2
host 192.168.18.19 255.255.255.0
hardware-address 0030.c153.bdbc
client-name NPI53bdbc
!
chat-script modem ABORT ERROR "" "ATDT\T" TIMEOUT 60 CONNECT \c
!
!
crypto isakmp policy 11
hash md5
authentication pre-share
crypto isakmp key xxxxx address public ip of PIX
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
set peer IP OF OUR PIX
set transform-set sharks
match address 121
!
!
!
!
interface Ethernet0
ip address Public IP assigned by isp 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
half-duplex
crypto map nolan
!
interface FastEthernet0
ip address 192.168.18.1 255.255.255.0
ip helper-address 172.17.2.30
ip helper-address 172.17.2.255
ip helper-address 172.17.255.255
ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
!
interface Async5
ip address 170.1.1.18 255.255.255.0
encapsulation ppp
keepalive 10
dialer in-band
dialer idle-timeout 300
dialer string xxxx
dialer-group 1
fair-queue
ppp authentication chap
!
interface Dialer1
no ip address
no cdp enable
!
router eigrp 100
network 65.0.0.0
network 170.1.0.0
network 172.20.0.0
network 172.21.0.0
network 192.168.18.0
auto-summary
no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip kerberos source-interface any
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip forward-protocol udp netbios-ss
ip forward-protocol udp 42508
ip route 0.0.0.0 0.0.0.0 ip address of ISP gateway
ip route 0.0.0.0 0.0.0.0 Async5 200
no ip http server
!
no logging trap
access-list 110 deny ip 192.168.18.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 deny ip 192.168.18.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
access-list 120 permit ip 192.168.18.0 0.0.0.255 any
access-list 121 permit ip 192.168.18.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 121 permit ip 192.168.18.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 150 permit esp host public ip of PIX host xxxx
access-list 150 permit udp host public ip of PIX host xxxx eq isakmp
access-list 150 permit ip any 192.168.18.0 0.0.0.255
access-list 150 deny ip any any
priority-list 1 protocol ip high
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 110
!
banner motd ^CCC
xxxxxx
Unauthorized access is prohibited
Violators will be prosecuted
Welcome to Charlotte
^C
!
line con 0
password 7 xxxx
login
transport input none
line aux 0
password 7 xxxx
autoselect ppp
modem InOut
modem autoconfigure discovery
transport input all
autohangup
speed 2400
flowcontrol hardware
line vty 0 4
password 7 xxxx
login
!
no scheduler allocate
end
06-08-2007 06:58 AM
Looking at the config there is not anything obvious that would stop ping to the public address of interface Ethernet 0. It would probably help if we knew a few more details such as where you are telnetting from.
I can guess at a few things which might turn out to be part of the problem.
- if you can ping the inside addresses but not the outside address, I wonder if you have a route to the outside address?
- I wonder if there could be a firewall or something doing traffic filtering that does permit ping to inside addresses but not to outside addresses?
- I wonder if the nat outside on the Ethernet 0 interface is getting your ping involved in NAT and preventing the ping from completing?
- I wonder whether the crypto map on Ethernet 0 is part of the problem?
As one way to investigate the problem you could turn on debug ip icmp. Then try the ping to the outside interface. The debug output should show whether the ping was received or not and whether a response was generated. If we knew this it would help us focus on the area where the problem is.
HTH
Rick
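An added example, not part of the original posts: a short Python check of the posted running-config against the possibilities listed above. It reports which NAT, crypto map and packet-filter statements sit on each interface and where each numbered ACL is referenced; `CONFIG` is an excerpt constructed from the posted configuration, and the function names are illustrative.

```python
import re
CONFIG = """\
crypto map nolan 11 ipsec-isakmp
match address 121
interface Ethernet0
ip nat outside
crypto map nolan
!
interface FastEthernet0
ip nat inside
!
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
access-list 120 permit ip 192.168.18.0 0.0.0.255 any
access-list 121 permit ip 192.168.18.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 150 deny ip any any
route-map nonat permit 10
match ip address 110
"""  # excerpt constructed from the running-config posted above

ACL_REFS = [  # (how the ACL is used, pattern capturing its number)
    ("packet filter", re.compile(r"ip access-group (\d+) (?:in|out)")),
    ("crypto map selector", re.compile(r"match address (\d+)")),
    ("route-map match", re.compile(r"match ip address (\d+)")),
]

def acl_usage(cfg):
    """Map each defined numbered ACL to the places that reference it."""
    lines = [l.strip() for l in cfg.splitlines()]
    usage = {m.group(1): [] for l in lines if (m := re.match(r"access-list (\d+) ", l))}
    for line in lines:
        for label, pat in ACL_REFS:
            m = pat.match(line)
            if m and m.group(1) in usage:
                usage[m.group(1)].append(label)
    return usage

def interface_features(cfg):
    """List NAT, crypto map and packet-filter statements per interface."""
    feats, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            current = feats.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", ""):
            current = None
        elif current is not None and re.match(r"ip nat (inside|outside)$|crypto map |ip access-group ", line):
            current.append(line)
    return feats

if __name__ == "__main__":
    print(acl_usage(CONFIG), interface_features(CONFIG))
```

On the posted configuration, access-list 150 (which ends in `deny ip any any`) and access-list 120 are defined but never applied, so no ACL on the router itself filters ping to Ethernet0. `ip nat outside` and `crypto map nolan` are the only such features on that interface.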
06-08-2007 08:49 AM
Try taking out the ip route that points to the Async interface and see what happens. You'll have to clear out your NAT tables to be able to make sure things work properly.
06-19-2007 09:53 AM
Removing the backup route to the Async didn't make a change. How do I clear the NAT table?
06-19-2007 09:57 PM
Hi,
You can use the command "clear ip nat translation *" to clear NAT table entries.
Thanks,
Satish