Cisco 3925 Router not routing IP traffic between two GB interfaces.

john.evans.ggs
Level 1

We currently installed a 100Mbps fiber line with Ethernet hand-off. I purchased a Cisco 3925 ISR to be the gateway for this connection. I am not going to use it for any security purposes. I have an ASA5520 that will do that work. Right now I am currently just trying to get the router online.

I know the following

Laptop <--->GB 0/1((()))GB0/0<---->Ethernet handoff from ISP.

I can ping and SSH to the outside interface of the router from outside the network. I can also ping and SSH to the router from the laptop that is directly attached to the router's GB0/1 port. From the router's CLI I can ping IP addresses on the internet. From the laptop I can not.

I can not access the internet through the router though.

Here is my config.
Building configuration...

Current configuration : 3724 bytes
!
! Last configuration change at 02:17:03 UTC Tue Jan 15 2013 by ggsis
! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsis
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXNAMEXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
memory-size iomem 20
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXXDomainXXXXXXXXXXX
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXX
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        quit
license udi pid C3900-SPE100/K9 sn FOC16140N3N
!
!        
username XXXXX privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP Side of Router$ES_WAN$$ETH-WAN$
ip address 50.XXX.XX.XXX 255.255.255.252
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description My Side of Router$ES_LAN$$ETH-LAN$
ip address 50.YYY.YY.YYY 255.255.255.0
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.XXX.XX.NextHop
ip route 50.YYY.YY.0 255.255.255.0 GigabitEthernet0/1
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
10 Replies

Marcel Zehnder
Spotlight

Hi John

Is the default gateway on your laptop correctly configured (IP-address of gig0/1)?

Marcel,

It sure is...thanks!

John

Sorry for the stupid question ;-)

Maybe your local subnet (50.YYY.YY.YYY 255.255.255.0) is not routed on your ISP's router? Could you try to ping to the internet from the router with the src-ip of your gig 0/1 interface? If this fails you have to configure NAT from your internal to your external interface.

HTH

I just did a ping 4.2.2.2 source gigab 0/1 and it failed.  Looks like you are onto something.

They are the ones who gave me the IP block for that side of the router.

Are you supposed to be using a routing protocol with them? They'll either need to route for the subnet they assigned you with static routing or you'll need to have a routing protocol configured with the ISP.

HTH,
John

*** Please rate all useful posts ***


I suggest you talk to your ISP. In the meanwhile you can try to set up NAT:

interface GigabitEthernet0/1
 ip nat inside
!
interface gig0/0
 ip nat outside
!
ip access-list extended NAT-SOURCE
 deny ip 50.YYY.YY.YYY 0.0.0.255 50.YYY.YY.YYY 0.0.0.255
 permit ip 50.YYY.YY.YYY 0.0.0.255 any
!
ip nat inside source list NAT-SOURCE interface gig0/0 overload

HTH

May not fix anything but, why have a static route to your 50.yyy.yyy.yyy/24 network? Isn't it connected to your G0/1?

Ali Muazzam
Level 1

Dear John

This is just due to the fact that no NAT service is configured on the router. Either you have to enable NAT on the router or the other case can be advertising your LAN subnet via your ISP to the internet which is least possible as in such case you would have to run protocol with your ISP. If the ISP has provided you the /24 subnet to use in your LAN then the ISP would have to route the subnet to your Point-to-point IP to make it work. In this case contact your ISP.

Marcel is right with the NAT configurations. Go with it and it shall probably solve the problem.

BR

Muazzam

synbureau
Level 1

Adding NAT will just allow outbound internet connection but will kill the idea of having public IP range. Ask the ISP to add static route on their router for 50.YYY.YY.0 255.255.255.0 pointing to your router (50.XXX.XX.XXX 255.255.255.252).

On another note, why do you have "ip route 50.YYY.YY.0 255.255.255.0 GigabitEthernet0/1"? That network is local to the router.
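
Added example, not part of any post in this thread: a small Python model of the return-path problem the replies diagnose, showing why a ping from the router's WAN address succeeds, why one sourced from the /24 fails, and how NAT overload and an ISP static route differ. The addresses are constructed stand-ins from documentation ranges for the redacted 50.XXX and 50.YYY values, and the ISP's routing table is an assumption.

```python
import ipaddress as ip

# Constructed stand-ins for the redacted addresses (RFC 5737 documentation ranges).
WAN = ip.ip_network("198.51.100.0/30")      # the 50.XXX.XX.XXX /30 hand-off link
LAN = ip.ip_network("203.0.113.0/24")       # the 50.YYY.YY.0 /24 block behind Gi0/1
ROUTER_WAN = ip.ip_address("198.51.100.2")  # Gi0/0
ROUTER_LAN = ip.ip_address("203.0.113.1")   # Gi0/1
LAPTOP = ip.ip_address("203.0.113.10")
TARGET = ip.ip_address("4.2.2.2")
DEFAULT = ip.ip_network("0.0.0.0/0")

def lookup(table, dst):
    """Longest-prefix match: return the next hop of the most specific route."""
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def customer_table():
    # Mirrors the posted config: two connected networks plus the default route.
    return [(WAN, "Gi0/0"), (LAN, "Gi0/1"), (DEFAULT, "isp")]

def isp_table(isp_routes_lan):
    # Assumed ISP view: it always knows the /30, the /24 only with a static route.
    table = [(WAN, "customer"), (DEFAULT, "upstream")]
    if isp_routes_lan:
        table.append((LAN, "customer"))
    return table

def inbound_reachable(dst, isp_routes_lan):
    """Would the ISP hand a packet addressed to dst to the customer router?"""
    return lookup(isp_table(isp_routes_lan), dst) == "customer"

def ping(src, dst, isp_routes_lan=False, nat=False):
    """True when the echo request leaves and the echo reply finds its way back."""
    if lookup(customer_table(), dst) != "isp":
        return False                      # request never leaves toward the ISP
    if nat and src in LAN:
        src = ROUTER_WAN                  # overload: source rewritten to Gi0/0
    return inbound_reachable(src, isp_routes_lan)  # the reply is addressed to src

if __name__ == "__main__":
    print("router CLI, default source :", ping(ROUTER_WAN, TARGET))
    print("router CLI, source Gi0/1   :", ping(ROUTER_LAN, TARGET))
    print("laptop, no NAT             :", ping(LAPTOP, TARGET))
    print("laptop, NAT overload       :", ping(LAPTOP, TARGET, nat=True))
    print("laptop, ISP static route   :", ping(LAPTOP, TARGET, isp_routes_lan=True))
    print("inbound to laptop, NAT only:", inbound_reachable(LAPTOP, False))
```

The last line is the trade-off raised above: with NAT alone the laptop gets out, but hosts in the /24 stay unreachable from outside until the ISP routes the block to the router.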
