Solved: Re: Cisco 831 can't ping gateway

picotable · ‎08-14-2010

Hi: I'm new to this and I'm trying to set up a stub network with a DMZ on a

Cisco 831. I haven't set up NAT or any access lists yet. The router can ping

everything in all three segments-- WAN, LAN, DMZ. A PC in (ether2) can

ping all router interfaces, but cannot ping PC or gateway in the WAN segment. A PC in WAN

segment can ping gateway and 831 WAN interface, but no inside interfaces. Can anyone

point out my mistake please?

Cisco831#show arp

Protocol Address Age (min) Hardware Addr Type Interface

Internet 192.168.40.1 - 0011.20da.ee3f ARPA Ethernet0

Internet 192.168.30.1 - 0011.20da.ee3f ARPA Ethernet2

Internet 192.168.30.10 2 00a0.cc79.b659 ARPA Ethernet2

Internet 172.16.2.10 - 0011.20da.ee40 ARPA Ethernet1

Internet 172.16.2.5 4 001d.60d1.6f2a ARPA Ethernet1

Internet 172.16.2.1 0 0018.3a08.ced8 ARPA Ethernet1

Cisco831#show ip route

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

C 192.168.30.0/24 is directly connected, Ethernet2

C 192.168.40.0/24 is directly connected, Ethernet0

C 172.16.0.0/16 is directly connected, Ethernet1

S* 0.0.0.0/0 [1/0] via 172.16.2.1

Cisco831#show run

Building configuration...

Current configuration : 1455 bytes

!

version 12.3

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Cisco831

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

!

username PICOMETER

no aaa new-model

ip subnet-zero

!

no ip domain lookup

ip ids po max-events 100

no ftp-server write-enable

password encryption aes

!

interface Ethernet0

description inside LAN segment

ip address 192.168.40.1 255.255.255.0

no cdp enable

!

interface Ethernet1

description internet WAN segment

ip address 172.16.2.10 255.255.0.0

duplex auto

no cdp enable

!

interface Ethernet2

description DMZ LAN segment

ip address 192.168.30.1 255.255.255.0

no cdp enable

!

interface FastEthernet1

no ip address

duplex auto

speed auto

!

interface FastEthernet2

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet3

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet4

no ip address

duplex auto

speed auto

!

ip classless

ip route 0.0.0.0 0.0.0.0 172.16.2.1

!

ip http server

no ip http secure-server

!

no cdp run

!

control-plane

!

line con 0

exec-timeout 120 0

no modem enable

transport preferred all

transport output all

stopbits 1

line aux 0

transport preferred all

transport output all

line vty 0 4

exec-timeout 120 0

password 7 11031008161606050A

login

transport preferred all

transport input all

transport output all

!

scheduler max-task-time 5000

end

show ip int br

Interface IP-Address OK? Method Status

Protocol

Ethernet0 192.168.40.1 YES manual up

up

Ethernet1 172.16.2.10 YES NVRAM up

up

Ethernet2 192.168.30.1 YES NVRAM up

up

FastEthernet1 unassigned YES unset up

up

FastEthernet2 unassigned YES unset administratively down

down

FastEthernet3 unassigned YES unset administratively down

down

FastEthernet4 unassigned YES unset up

up

paolo bevilacqua · ‎08-14-2010

Check that PCs have valid default routes.

View solution in original post

Richard Burts · ‎08-17-2010

Jim

The information that you have supplied has been helpful. While it is not quite enough to definitely identify the problem it helps me to make a guess at the problem.

I have looked through the router config and I do not see any issues there that would produce these symptoms. I have looked at the output from route print from the PC and it looks to be ok. I do not believe that the problem is with either the 831 router or this PC.

My guess is that the issue is with the PC in the WAN subnet and with the Gateway for the WAN subnet. My guess is that the PC has its gateway configured to be the WAN gateway and that the WAN gateway does not have a route for the 192.168.30.0 subnet. My guess is that when your PC attempts to ping the PC in the WAN that the ping gets to the WAN PC and that it attempts to respond. But since its gateway is the WAN gateway it forwards its ping response to the WAN gateway. And if the WAN gateway does not have 192.168.30.0 in its route table then it can not forward the ping reponse.

Can you check the WAN PC and confirm that its configured gateway is the WAN gateway? And can you check the WAN gateway and confirm that it does not have a route for 192.168.30.0?

HTH

Rick

HTH

Rick

View solution in original post

DialerString_2 · ‎08-17-2010

Does the gateway router '172.16.2.1' have a route to the 192.168.30.0 network? If not try adding a route and see what happens.

View solution in original post

paolo bevilacqua · ‎08-17-2010

Check 172.16.2.1 also.

And disable firewall on all PCs.

View solution in original post

DialerString_2 · ‎08-19-2010

Good to hear and good luck on the DMZ setup. Thanks for the rating also!!

View solution in original post

paolo bevilacqua · ‎08-14-2010

Check that PCs have valid default routes.

picotable · ‎08-14-2010

Still Can't ping 172.16.2.1...

From PC 192.168.30.10

Any clues?

Richard Burts · ‎08-17-2010

Jim

The information that you have supplied has been helpful. While it is not quite enough to definitely identify the problem it helps me to make a guess at the problem.

I have looked through the router config and I do not see any issues there that would produce these symptoms. I have looked at the output from route print from the PC and it looks to be ok. I do not believe that the problem is with either the 831 router or this PC.

My guess is that the issue is with the PC in the WAN subnet and with the Gateway for the WAN subnet. My guess is that the PC has its gateway configured to be the WAN gateway and that the WAN gateway does not have a route for the 192.168.30.0 subnet. My guess is that when your PC attempts to ping the PC in the WAN that the ping gets to the WAN PC and that it attempts to respond. But since its gateway is the WAN gateway it forwards its ping response to the WAN gateway. And if the WAN gateway does not have 192.168.30.0 in its route table then it can not forward the ping reponse.

Can you check the WAN PC and confirm that its configured gateway is the WAN gateway? And can you check the WAN gateway and confirm that it does not have a route for 192.168.30.0?

HTH

Rick

HTH

Rick

DialerString_2 · ‎08-17-2010

Does the gateway router '172.16.2.1' have a route to the 192.168.30.0 network? If not try adding a route and see what happens.

paolo bevilacqua · ‎08-17-2010

Check 172.16.2.1 also.

And disable firewall on all PCs.

picotable · ‎08-19-2010

Success

Thanks to the support community for combining forces. The instincts were good regarding the gateway—Thanks to Richard Burts, Dialer String and p. bevilacqua.

Apparently the gateway router, which is a proprietary design/configuration of the ISP (Westell 6100), was somehow incapable of acting in this network scenario. Actually, I was unable to obtain its routing table, which lead me to the ISP support services. They informed me of its deficiencies, without going into detail, and recommended configuring the device in bridge mode. I then inserted a run-of-the-mill router at R1 (Linksys BEFSR41) as the gateway router which had the advantage of being something familiar to the support tech, who was able to configure it with their bridge device to the point that I had a hard LAN interface. I then arranged the network as in the diagram below.

The rest was inserting the route to the 30.0 network and then strangely, everything started pinging (a great feeling in its own right) including the 40.0 network in ether0. Apparently there is a sharing of electrical resources between ether2 and ether0 in the 831:

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.pdf

•Because the media-independent interface, which connects the router's LAN interface to the Marvel switch, operates only at 10 Mbps, inter-LAN routing speed between Ethernet 0 and Ethernet 2 interfaces will be limited to a maximum of 10 Mbps.

•Because Ethernet 0 and Ethernet 2 interfaces share the same Tx/Rx rings, buffer pools, and communication controller, the output of some of the commands such as show controller and show buffers may be similar.

•The MAC address for the Ethernet 2 interface will be same as that for the Ethernet 0 interface.

I inserted a route to the 40.0 network to no apparent detriment. If anyone has a good reference, I'd like to learn more about the architecture level involving "Tx/Rx rings, buffer pools, and communication controller" etc.

Now it's onward and upward to the DMZ configuration. Thanks again and wish me luck!

R1 routing table

Cisco 831 routing table

Gateway of last resort is 172.16.2.1 to network 0.0.0.0

C    192.168.30.0/24 is directly connected, Ethernet2
C    192.168.40.0/24 is directly connected, Ethernet0
C    172.16.0.0/16 is directly connected, Ethernet1
S*   0.0.0.0/0 [1/0] via 172.16.2.1

DialerString_2 · ‎08-19-2010

Good to hear and good luck on the DMZ setup. Thanks for the rating also!!

picotable · ‎08-14-2010

For PC_192.168.30.10

Is there something missing or present that causes this? Metric?