10443 Views, 0 Helpful, 29 Replies

Cisco 861 WAN changed from DHCP to Static IP and now can't ping the internet.

eceflyboy
Level 1

Hello,

My old office used a Cisco 861 as a VPN router, with the WAN side set up to receive a dynamic IP assigned by Time Warner Cable.  Now we switched to a new office, with TowerStream, which provides 4G SLA'ed 10Mbit service with a static IP, and I get a Cat 5 Ethernet line down from it.

So all I did was go to my "interface FastEthernet4" and type

ip address 173.243.123.123 255.255.255.252.

Changed speed to "speed 100" and "full-duplex" (as instructed by the ISP).

I also did "ip default-gateway 173.243.123.124", which is the default gateway assigned by the ISP.

I also typed "ip name-server 64.17.123.123" to set up the new DNS.  Am I doing anything wrong?  I can't even use the router to ping Google, but if I connect the laptop directly to the outside line, then it works, so I know the outside line is good.

Am I not doing something right?  Why can't I connect to the internet?  I wasted several hours already trying everything in my book to troubleshoot a supposedly very simple configuration change.  Do I need to change something related to NAT when changing to a static IP?  My NAT was working just fine before under DHCP.

Thanks for the help!

The below is my full config (some IPs changed to preserve anonymity):

=============================================

Building configuration...

Current configuration : 16628 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname PureGate

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 informational

enable secret 5 adsfasdf

enable password 7 asdfasdfdasf

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1245995727

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1245995727

revocation-check none

rsakeypair TP-self-signed-1245995727

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-1234213421342134

certificate self-signed 01

  adsfasdfadfasdfasdfasf

  quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

no ip source-route

!

ip dhcp pool ccp-pool1

   import all

   network 10.2.2.0 255.255.255.0

   default-router 10.2.2.1

   dns-server 10.2.2.1

   domain-name local

!

!

ip dhcp update dns

ip cef

ip domain name local

ip host local ns ns.local

ip host trac.local 10.2.2.7

ip host ns.local 10.2.2.1

ip host-list members.dyndns.org

ip host-list mydomain.dyndns.org

ip name-server 64.17.123.123

ip name-server 64.17.123.124

ip name-server 4.2.2.1

ip ddns update method ccp_ddns

HTTP

  add http://mydomain:passwd@members.dyndns.org/nic/update?system=dyndns&hostname=passwd@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

  remove http://mydomain:passwd@members.dyndns.org/nic/update?system=dyndns&hostname=passwd@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

interval maximum 28 0 0 0

interval minimum 28 0 0 0

!

ip dhcp-client update dns server both

!

!

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

!

!

username admin privilege 15 secret 5 asdfasdfasdfas

username user2 privilege 15 secret 5 adsfasdfasdfas

!

crypto logging ezvpn

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group Company

key sdfgsdfgdsgsd

dns 4.2.2.1 4.2.2.2

pool SDM_POOL_1

acl 102

include-local-lan

max-users 100

netmask 255.255.255.0

banner ^CWelcome to company VPN!  Split tunneling is enabled.        ^C

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 3600

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

!

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any CCP-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

!

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip dhcp client update dns server none

ip ddns update hostname members.dyndns.org

ip ddns update ccp_ddns1

ip address  173.243.123.123 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip nat enable

ip virtual-reassembly

speed 100

full-duplex

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.2.2.1 255.255.255.0

no ip redirects

no ip unreachables

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254

ip default-gateway 173.243.123.124

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 100

sort-by bytes

cache-timeout 1000

!

ip dns server

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 10.0.0.12 80 interface FastEthernet4 999

!

ip access-list extended DYNDNS

permit tcp host 204.13.248.112 eq 443 any established log

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

ip access-list extended VNC

permit tcp any any eq 999

ip access-list extended kwVNC

remark CCP_ACL Category=1

remark kwVNC

permit tcp any host 10.0.0.19 eq 999

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.2.2.0 0.0.0.255

access-list 2 permit 10.0.0.20

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 10.0.0.21

access-list 3 remark CCP_ACL Category=1

access-list 3 permit 10.0.0.11

access-list 3 permit 10.0.0.15

access-list 4 remark CCP_ACL Category=1

access-list 4 permit 10.0.0.14

access-list 4 permit 10.0.0.16

access-list 10 remark CCP_ACL Category=16

access-list 10 permit 10.0.0.19

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.2.2.0 0.0.0.255 any

no cdp run

!

control-plane

!

banner exec ^C

29 Replies

Hi,

root@dev-server:~$ ping 4.2.2.1

PING 4.2.2.1 (4.2.2.1) 56(84) bytes of data.

From 10.2.2.1 icmp_seq=1 Destination Net Unreachable

So your router (default gw) can't reach this destination.  Can you do a show ip route 4.2.2.1 on your router?

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

My router can ping the internet fine, just not my Linux box, which is behind the router.

-------------

PureGate#ping 4.2.2.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/22/28 ms

--------------

The strange thing is, all the Windows boxes were okay; the Mac boxes were having stability issues until I took out the "import all" from the DHCP pool below.

------------

ip dhcp pool ccp-pool1

   import all                     <----  REMOVED, helped with mac laptop's internet stability issues.

   network 10.2.2.0 255.255.255.0

   default-router 10.2.2.1    <-- Regarding the default-router, should I put in the router's IP address or the default gateway from the ISP?

   dns-server 10.2.2.1        <-- same question, should I use the router as a dns server, or use the ISP's dns server?

   domain-name local

------------
Is anything in this DHCP pool above not set up correctly, so that Linux boxes cannot receive DHCP properly?
Also, I tried "debug ip dhcp server event" and then did a renewal of the DHCP lease on the Linux server, but I don't see any debug messages on the Cisco router.
Thanks,
Kuangwei

Hi,

default-router 10.2.2.1    <-- Regarding the default-router, should I put in the router's IP address or the default gateway from the ISP?

dns-server 10.2.2.1        <-- same question, should I use the router as a dns server, or use the ISP's dns server?

For default-router: you must put the router IP address, because this is the default gw your machines will use and it must be in the same subnet as the hosts.

For dns-server: you can give the IP of the ISP DNS server or the router, but then you must configure your router as a caching router.

Is anything in this dhcp pool above not setup correctly so that linux boxes cannot receive dhcp properly?

No, looking at this pool config there is nothing unusual, and your ping proves this box was using the good default-router.

Could you post the entire running config as well as the output from ip config of Windows and Linux?

Regards.

Alain.

Don't forget to rate helpful posts.
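Added example, not code from the thread or from Cisco: a small Python linter for the points raised in the first post and in the answer above. It checks that a router with IP routing on has a real default route (the later running config in this thread carries "ip route 0.0.0.0 0.0.0.0 FastEthernet4" where the first config had only "ip default-gateway", which a routing router ignores), that each DHCP pool's default-router is inside the pool network, that a pool handing out the router itself as dns-server is backed by "ip dns server", and that the NAT inside ACL covers every pool network. The sample config is constructed from the thread's own addresses; the function and variable names are the example's own.

```python
"""Lint a Cisco IOS config for the static-WAN pitfalls discussed in this thread.
'ip default-gateway' only takes effect when IP routing is disabled, so a routing
router needs 'ip route 0.0.0.0 0.0.0.0 ...' to reach the Internet itself.
"""
import ipaddress
import re

def parse_config(text):
    """Split an IOS config into global commands and indented sub-command blocks."""
    globals_, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            current = None
        elif raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            line = raw.strip()
            globals_.append(line)
            current = line if line.startswith(("interface ", "ip dhcp pool ")) else None
            if current is not None:
                blocks.setdefault(current, [])
    return globals_, blocks

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'addr wildcard' pair into a network (contiguous wildcards only)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    prefix = 32 - int(ipaddress.IPv4Address(wildcard or "0.0.0.0")).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def nat_inside_networks(globals_):
    """Networks permitted by the ACL named in 'ip nat inside source list N interface ...'."""
    nets = []
    for line in globals_:
        m = re.match(r"ip nat inside source list (\S+) interface", line)
        if not m:
            continue
        for entry in globals_:
            e = re.match(rf"access-list {re.escape(m[1])} permit (\S+)(?:\s+(\S+))?$", entry)
            if e:
                nets.append(wildcard_to_network(e[1], e[2]))
    return nets

def lint_static_wan(text):
    """Return human-readable findings; an empty list means every check passed."""
    globals_, blocks = parse_config(text)
    findings = []
    if "no ip routing" not in globals_ and not any(
            l.startswith("ip route 0.0.0.0 0.0.0.0") for l in globals_):
        findings.append("no default route: add 'ip route 0.0.0.0 0.0.0.0 <next-hop>'"
                        + (" ('ip default-gateway' is ignored while IP routing is enabled)"
                           if any(l.startswith("ip default-gateway") for l in globals_) else ""))
    # Every address the router itself owns; used to spot 'dns-server <router>'.
    router_ips = {m[1] for body in blocks.values() for cmd in body
                  if (m := re.match(r"ip address\s+(\S+)\s+\S+$", cmd))}
    nat_nets = nat_inside_networks(globals_)
    for header, body in blocks.items():
        if not header.startswith("ip dhcp pool "):
            continue
        pool, opts = header.split()[-1], {}
        for cmd in body:
            word, _, rest = cmd.partition(" ")
            opts[word] = rest.split()
        if "network" not in opts:
            continue
        net = ipaddress.ip_network("/".join(opts["network"][:2]), strict=False)
        for gw in opts.get("default-router", []):
            if ipaddress.ip_address(gw) not in net:
                findings.append(f"pool {pool}: default-router {gw} is outside {net}")
        for dns in opts.get("dns-server", []):
            if dns in router_ips and "ip dns server" not in globals_:
                findings.append(f"pool {pool}: dns-server {dns} is the router, add 'ip dns server'")
        if not any(net.subnet_of(n) for n in nat_nets):
            findings.append(f"pool {pool}: {net} is not covered by the NAT inside source ACL")
    return findings

# Constructed excerpt modelled on the thread's first post: a static WAN address but
# only 'ip default-gateway'. Addresses are those the later running config shows.
BEFORE = """\
ip dhcp pool ccp-pool1
   network 10.2.2.0 255.255.255.0
   default-router 10.2.2.1
   dns-server 10.2.2.1
!
interface FastEthernet4
 ip address 173.243.149.226 255.255.255.252
!
interface Vlan1
 ip address 10.2.2.1 255.255.255.0
!
ip default-gateway 173.243.149.225
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.2.2.0 0.0.0.255
"""
# The change visible in the thread's later running config: a real default route.
AFTER = BEFORE.replace("ip default-gateway 173.243.149.225",
                       "ip route 0.0.0.0 0.0.0.0 FastEthernet4")
```

Running lint_static_wan(BEFORE) reports only the missing default route; lint_static_wan(AFTER) returns an empty list, and swapping the pool's default-router for the ISP gateway address produces the "outside 10.2.2.0/24" finding that matches the answer above.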

Hello Alain,

Here is my entire running config; I really appreciate the help.  I have also attached the ipconfig /all of the Windows laptop I am using (internet working) and the ifconfig -a of the Linux server (internet not working), as well as the routing table for both.

Kuangwei

========= Cisco 861 router ==============

Building configuration...

Current configuration : 16638 bytes

!

! Last configuration change at 12:06:11 PCTime Mon Jan 24 2011 by admin

! NVRAM config last updated at 12:06:28 PCTime Mon Jan 24 2011 by admin

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname PureGate

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 51200 informational

enable secret 5 asdfasdf

enable password 7 asdfasdf

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PCTime -8

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1341234

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1234234

revocation-check none

rsakeypair TP-self-signed-12341234

!

crypto pki trustpoint test_trustpoint_config_created_for_sdm

subject-name e=sdmtest@sdmtest.com

revocation-check crl

!

!

crypto pki certificate chain TP-self-signed-asdfasdf

certificate self-signed 01

  aasdfasdfasdf

  quit

crypto pki certificate chain test_trustpoint_config_created_for_sdm

no ip source-route

!

ip dhcp pool ccp-pool1

   network 10.2.2.0 255.255.255.0

   default-router 10.2.2.1

   dns-server 64.17.248.2

   domain-name local

!

!

ip dhcp update dns

ip cef

ip domain name local

ip host local ns ns.local

ip host trac.local 10.2.2.7

ip host ns.local 10.2.2.1

ip host-list members.dyndns.org

ip host-list company.dyndns.org

ip name-server 64.17.248.2

ip name-server 69.38.208.20

ip name-server 64.17.248.20

ip name-server 69.38.208.2

ip ddns update method ccp_ddns1

HTTP

  add http://company:password@members.dyndns.org/nic/update?system=dyndns&hostname=password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=

  remove http://company:password@members.dyndns.org/nic/update?system=dyndns&hostname=password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=

interval maximum 28 0 0 0

interval minimum 28 0 0 0

!

ip dhcp-client update dns server both

!

!

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

!

!

username admin privilege 15 secret 5 adsfasdfa

!

crypto logging ezvpn

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group Company

key adsfsdfasdf

dns 4.2.2.1 4.2.2.2

pool SDM_POOL_1

acl 102

include-local-lan

max-users 100

netmask 255.255.255.0

banner ^CWelcome to Company VPN!  Split tunneling is enabled.      ^C

!

crypto isakmp profile ciscocp-ike-profile-1

   match identity group Comapny

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 3600

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

!

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

class-map type inspect imap match-any ccp-app-imap

match  invalid-command

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any CCP-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

match  service any

class-map type inspect msnmsgr match-any ccp-app-msn-otherservices

match  service any

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect aol match-any ccp-app-aol-otherservices

match  service any

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect pop3 match-any ccp-app-pop3

match  invalid-command

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

class-map type inspect msnmsgr match-any ccp-app-msn

match  service text-chat

class-map type inspect ymsgr match-any ccp-app-yahoo

match  service text-chat

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect http match-any ccp-app-httpmethods

match  request method bcopy

match  request method bdelete

match  request method bmove

match  request method bpropfind

match  request method bproppatch

match  request method connect

match  request method copy

match  request method delete

match  request method edit

match  request method getattribute

match  request method getattributenames

match  request method getproperties

match  request method index

match  request method lock

match  request method mkcol

match  request method mkdir

match  request method move

match  request method notify

match  request method options

match  request method poll

match  request method propfind

match  request method proppatch

match  request method put

match  request method revadd

match  request method revlabel

match  request method revlog

match  request method revnum

match  request method save

match  request method search

match  request method setattribute

match  request method startrev

match  request method stoprev

match  request method subscribe

match  request method trace

match  request method unedit

match  request method unlock

match  request method unsubscribe

class-map type inspect http match-any ccp-http-blockparam

match  request port-misuse im

match  request port-misuse p2p

match  req-resp protocol-violation

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect aol match-any ccp-app-aol

match  service text-chat

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect http match-any ccp-http-allowparam

match  request port-misuse tunneling

!

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$

ip dhcp client update dns server none

ip ddns update hostname members.dyndns.org

ip ddns update ccp_ddns1

ip address 173.243.149.226 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat outside

ip nat enable

ip virtual-reassembly

speed 100

full-duplex

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 10.2.2.1 255.255.255.0

no ip redirects

no ip unreachables

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 10.2.2.100 10.2.2.254

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 FastEthernet4

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-top-talkers

top 100

sort-by bytes

cache-timeout 1000

!

ip dns server

ip dns primary local soa ns.local kwh@pureconduit.com 21600 900 7776000 86400

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 10.0.0.12 80 interface FastEthernet4 999

ip nat inside source static tcp 10.0.0.10 24669 interface FastEthernet4 24669

!

ip access-list extended DYNDNS

permit tcp host 204.13.248.112 eq 443 any established log

ip access-list extended IansBittorrent

remark CCP_ACL Category=256

remark Ian's bittorrent

permit tcp host 10.0.0.222 eq www any eq www

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

ip access-list extended VNC

permit tcp any any eq 999

ip access-list extended kwVNC

remark CCP_ACL Category=1

remark kwVNC

permit tcp any host 10.0.0.19 eq 999

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.2.2.0 0.0.0.255

access-list 2 permit 10.0.0.20

access-list 2 remark CCP_ACL Category=1

access-list 2 permit 10.0.0.21

access-list 3 remark CCP_ACL Category=1

access-list 3 permit 10.0.0.11

access-list 3 permit 10.0.0.15

access-list 4 remark CCP_ACL Category=1

access-list 4 permit 10.0.0.14

access-list 4 permit 10.0.0.16

access-list 10 remark CCP_ACL Category=16

access-list 10 permit 10.0.0.19

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.2.2.0 0.0.0.255 any

no cdp run

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

exec-timeout 0 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

========= Linux ifconfig  (internet doesn't work) =================

root@dev-server:~$ ifconfig -a

eth0      Link encap:Ethernet  HWaddr 00:26:b9:89:64:de 

          inet addr:10.2.2.7  Bcast:10.2.2.255  Mask:255.255.255.0

          inet6 addr: fe80::226:b9ff:fe89:64de/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2635 errors:0 dropped:0 overruns:0 frame:0

          TX packets:1024 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:597543 (597.5 KB)  TX bytes:450490 (450.4 KB)

          Interrupt:16 Memory:da000000-da012800

eth1      Link encap:Ethernet  HWaddr 00:26:b9:89:64:df 

          UP BROADCAST MULTICAST  MTU:1500  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

          Interrupt:17 Memory:dc000000-dc012800

lo        Link encap:Local Loopback 

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:154 errors:0 dropped:0 overruns:0 frame:0

          TX packets:154 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:113695 (113.6 KB)  TX bytes:113695 (113.6 KB)

========= Linux routing table (internet doesn't work) ============

root@dev-server:~$ netstat -nr

Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface

10.2.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0

169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0

0.0.0.0         10.2.2.1        0.0.0.0         UG        0 0          0 eth0

========= Windows ipconfig (Internet Works) ===============

C:\Users\developer>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : developer-THINK
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : local

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : local
   Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6200 AGN
   Physical Address. . . . . . . . . : 58-94-6B-4A-CC-20
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::84f4:4abf:f1ba:3f75%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.2.2.4(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Monday, January 24, 2011 11:00:17 AM
   Lease Expires . . . . . . . . . . : Monday, January 24, 2011 2:44:00 PM
   Default Gateway . . . . . . . . . : 10.2.2.1
                                       173.243.149.225
   DHCP Server . . . . . . . . . . . : 255.255.255.255
   DHCPv6 IAID . . . . . . . . . . . : 324572267
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-8F-24-77-F0-DE-F1-2F-76-59
   DNS Servers . . . . . . . . . . . : 64.17.248.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

========= Windows routing table (Internet Works) ============

C:\Users\developer>route print
===========================================================================
Interface List
13...58 94 6b 4a cc 20 ......Intel(R) Centrino(R) Advanced-N 6200 AGN
11...f0 de f1 2f 76 59 ......Intel(R) 82577LM Gigabit Network Connection
  1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
34...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.2.2.1         10.2.2.4     25
          0.0.0.0          0.0.0.0  173.243.149.225         10.2.2.4     25
         10.2.2.0    255.255.255.0         On-link          10.2.2.4    281
         10.2.2.1  255.255.255.255         On-link          10.2.2.4     26
         10.2.2.4  255.255.255.255         On-link          10.2.2.4    281
       10.2.2.255  255.255.255.255         On-link          10.2.2.4    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link          10.2.2.4    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link          10.2.2.4    281
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination      Gateway
14     58 ::/0                     On-link
  1    306 ::1/128                  On-link
14     58 2001::/32                On-link
14    306 2001:0:4137:9e76:189a:37e4:f5fd:fdfb/128
                                    On-link
13    281 fe80::/64                On-link
14    306 fe80::/64                On-link
14    306 fe80::189a:37e4:f5fd:fdfb/128
                                    On-link
13    281 fe80::84f4:4abf:f1ba:3f75/128
                                    On-link
  1    306 ff00::/8                 On-link
14    306 ff00::/8                 On-link
13    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Hi,

I'm gonna take a look at it tomorrow.

Regards.

Alain.

Don't forget to rate helpful posts.

Still not having any luck, another piece of information on tracepath (Ubuntu version of tracert):

root@dev-server:/etc/dhcp3$ tracepath 4.2.2.1
 1:  dev-server.local (10.2.2.7)                    0.130ms pmtu 1500
 1:  10.2.2.1 (10.2.2.1)                                    0.685ms !N
 1:  10.2.2.1 (10.2.2.1)                                    0.643ms !N
     Resume: pmtu 1500

I don't see anything in the config that should provoke the symptom you have.

Can you sniff on the Linux box when pinging (and the same on Windows), and also provide the output of the ARP cache on the Linux box, on Windows and on the router (sh ip arp).

Regards.

Alain.

Don't forget to rate helpful posts.

I've had the same issue with an Ubuntu box; basically it was holding onto the old default gateway or didn't apply it.

Basically, change the network setting for the Ubuntu box from DHCP to manual and enter some settings such as 192.168.1.1 255.255.255.0 default gateway 192.168.1.1, accept this and it will apply your entered settings. Then go back in and clear them all off, change it to DHCP (clear all the settings first) and apply those settings, and your box should pick up the new or changed default gateway.

Hi Ian, could you go into a bit more specifics on what you did to fix it?

I changed to static IP assignment (did an ip dhcp excluded-address for an address range), and have the Linux server assign a static IP, dns, default gateway (10.2.2.1) for itself, subnet 255.255.255.0.  After rebooting, it still can't ping the internet (ping 4.2.2.1).

However, in the morning when I came back into the office, I was able to ping 4.2.2.1!  I thought about your response and thought maybe now the gateway has "unstuck" itself from the previous configuration, and I set it back to DHCP, took out the DHCP excluded address range, and restarted the network interface on the Ubuntu box.  However, now I can't ping 4.2.2.1 anymore.  I tried rebooting as well, doesn't work.  I tried changing it back to static IP, doesn't work either, reboot doesn't work either.  Quite frustrating problem. =(

It was a test lab I had and I changed the default gateway address on a router, and had to amend the DHCP. When I did this the Ubuntu box had a new IP in the correct subnet but couldn't ping a remote router or access the internet.

From the Ubuntu box, I removed all DHCP settings and set the NIC to manual and manually entered a new IP address, subnet mask and default gateway, I then applied this to the box.

I then went back in and cleared these settings so that the IP address, subnet mask and default gateway were blank. I may have hit OK and tried to apply these, I then went back in and made sure all settings were blank, set the NIC to DHCP, applied and all worked.

The issue was on the Ubuntu box for me, it just kept hold of the old default gateway for some strange reason.

So after several reboots on the Ubuntu box as DHCP, I converted it back to static IP.  When that didn't work, I hard rebooted the Cisco router, and that fixed it; now I am able to connect to the internet on the Linux box.  Since the Linux box is in a production environment, I will keep it running on static IP for now.  I have saved all my configs and server settings in case this DHCP issue needs to be revisited in the future.

Thanks all again for help.

Hi Alain,

I am not sure what tool to use for sniffing the Linux box (can you let me know?), but I can show you the arp cache now:

Linux box:
root@dev-server:~$ arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
10.2.2.33                ether   5c:ac:4c:bf:b6:0f   C                     eth0
10.2.2.55                ether   c8:bc:c8:ea:d4:0c   C                     eth0
10.2.2.1                 ether   30:46:9a:a1:a1:1c   C                     eth0
10.2.2.4                 ether   58:94:6b:4a:cc:20   C                     eth0

routing table:
root@dev-server:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.2.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
0.0.0.0         10.2.2.1        0.0.0.0         UG    100    0        0 eth0

Windows:
C:\Users\khwang>arp -a
Interface: 10.2.2.4 --- 0xd
  Internet Address      Physical Address      Type
  10.2.2.1              c4-7d-4f-16-33-58     dynamic
  10.2.2.6              58-94-6b-47-c9-10     dynamic
  10.2.2.7              00-26-b9-89-64-de     dynamic
  10.2.2.24             5c-ac-4c-bd-42-5e     dynamic
  10.2.2.33             5c-ac-4c-bf-b6-0f     dynamic
  10.2.2.40             5c-ac-4c-bd-01-32     dynamic
  10.2.2.43             1c-c1-de-12-37-42     dynamic
  10.2.2.44             00-26-ab-54-9d-91     dynamic
  10.2.2.45             5c-ac-4c-bd-42-5a     dynamic
  10.2.2.47             c0-cb-38-44-ed-47     dynamic
  10.2.2.49             00-26-bb-0e-cb-5c     dynamic
  10.2.2.54             00-26-bb-0e-cb-5c     dynamic
  10.2.2.55             c8-bc-c8-ea-d4-0c     dynamic
  10.2.2.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static

Router:  The ARP cache here is too large to show in full; there are 10+ people working at the company right now and this is a production router:
PureGate#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.36.3.168             46   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  1.160.25.171           28   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  1.160.194.38           51   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  4.2.2.1                58   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  4.255.67.151           38   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  10.0.0.4               65   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  10.2.2.1                -   c47d.4f16.3358  ARPA   Vlan1
Internet  10.2.2.4                0   5894.6b4a.cc20  ARPA   Vlan1
Internet  10.2.2.6                0   5894.6b47.c910  ARPA   Vlan1
Internet  10.2.2.7               33   0026.b989.64de  ARPA   Vlan1
Internet  10.2.2.23             125   dc2b.618e.7d13  ARPA   Vlan1
Internet  10.2.2.24               0   5cac.4cbd.425e  ARPA   Vlan1
Internet  10.2.2.25             106   24ab.8178.49f2  ARPA   Vlan1
Internet  10.2.2.26              95   40a6.d92f.c2a8  ARPA   Vlan1
Internet  10.2.2.28              18   5cac.4cbf.3e30  ARPA   Vlan1
Internet  10.2.2.33               0   5cac.4cbf.b60f  ARPA   Vlan1
Internet  10.2.2.34             106   40a6.d930.b60d  ARPA   Vlan1
Internet  10.2.2.35              92   40a6.d999.a6f6  ARPA   Vlan1
Internet  10.2.2.38               1   001c.26c8.33b5  ARPA   Vlan1
Internet  10.2.2.40               0   5cac.4cbd.0132  ARPA   Vlan1
Internet  10.2.2.41             111   5894.6b48.2f54  ARPA   Vlan1
Internet  10.2.2.42              13   581f.aa65.8710  ARPA   Vlan1
Internet  10.2.2.43             130   1cc1.de12.3742  ARPA   Vlan1
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.2.44               0   0026.ab54.9d91  ARPA   Vlan1
Internet  10.2.2.45               0   5cac.4cbd.425a  ARPA   Vlan1
Internet  10.2.2.46              43   c8bc.c8ea.d40c  ARPA   Vlan1
Internet  10.2.2.47               0   c0cb.3844.ed47  ARPA   Vlan1
Internet  10.2.2.48             186   904c.e541.9256  ARPA   Vlan1
Internet  10.2.2.49              72   0026.bb0e.cb5c  ARPA   Vlan1
Internet  10.2.2.50              29   24ab.8178.49f2  ARPA   Vlan1
Internet  10.2.2.51               3   40a6.d930.b60d  ARPA   Vlan1
Internet  10.2.2.52               1   40a6.d92f.c2a8  ARPA   Vlan1
Internet  10.2.2.53               8   40a6.d999.a6f6  ARPA   Vlan1
Internet  10.2.2.54              17   0026.bb0e.cb5c  ARPA   Vlan1
Internet  10.2.2.55              13   c8bc.c8ea.d40c  ARPA   Vlan1
Internet  12.129.210.71          13   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  12.130.81.249           8   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  12.187.155.101         40   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  15.193.112.23          17   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  15.201.49.21           18   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  15.217.8.105           55   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  15.217.120.21          18   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  15.240.238.53          72   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  17.149.36.114          72   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  17.151.16.21           72   0016.c7eb.ff5f  ARPA   FastEthernet4
Internet  17.151.16.23           73   0016.c7eb.ff5f  ARPA   FastEthernet4
--More--
I was able to briefly ping 4.2.2.1 this morning from the Linux dev box, but not anymore now.  We really need to get to the bottom of this for this production environment.
Thanks!
Kuangwei

Hi,

to sniff traffic on the Linux box use tcpdump.

Looking at your arp caches you haven't got the same mapping for 10.2.2.1 on linux and windows.

On windows the MAC is the MAC address of the Cisco router but on the linux box it corresponds to a netgear box.

Regards.

Alain.

Don't forget to rate helpful posts.

Oh wow, you are right!  The previous gateway was a netgear, I guess that arp cache got stuck in there.  How do you properly clear the arp cache on a linux box to ensure this doesn't happen again?

Thanks again for root causing this.

Cheers,

Kuangwei

arp -d 10.2.2.1 should do the trick.

Regards.

Alain.

Don't forget to rate helpful posts.
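Alain found the fault by comparing the MAC each host had cached for 10.2.2.1 against the router's own entry. The following is an added example, not code from the thread or from Cisco, that automates that comparison: it parses constructed excerpts of the three ARP dumps shown above (the 10.2.2.1 entries reuse the MACs from the thread, the other rows are illustrative) and reports any host whose gateway mapping disagrees with the router; the host labels `linux`, `windows` and `router` are assumed names.

```python
import re

# Constructed excerpts modelled on the three ARP dumps in the thread; the
# 10.2.2.1 entries reuse the MACs the thread shows, the rest is illustrative.
LINUX_ARP = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.2.2.33                ether   5c:ac:4c:bf:b6:0f   C                     eth0
10.2.2.1                 ether   30:46:9a:a1:a1:1c   C                     eth0
"""
WINDOWS_ARP = """\
Interface: 10.2.2.4 --- 0xd
  Internet Address      Physical Address      Type
  10.2.2.1              c4-7d-4f-16-33-58     dynamic
  10.2.2.33             5c-ac-4c-bf-b6-0f     dynamic
"""
CISCO_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.2.1                -   c47d.4f16.3358  ARPA   Vlan1
Internet  10.2.2.33               0   5cac.4cbf.b60f  ARPA   Vlan1
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Linux aa:bb:cc:dd:ee:ff, Windows aa-bb-cc-dd-ee-ff, Cisco IOS aabb.ccdd.eeff
MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)

def norm_mac(mac):
    """Collapse any of the three vendor notations to lower-case 'aabbccddeeff'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """Return {ip: mac} from 'arp -n' (Linux), 'arp -a' (Windows) or 'show arp' (IOS)."""
    table = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac and ip.start() < mac.start():   # skip headers and the Windows 'Interface:' line
            table[ip.group(1)] = norm_mac(mac.group(0))
    return table

def gateway_mismatches(gateway_ip, caches):
    """caches is {host: arp_text}; the 'router' entry is treated as authoritative.
    Returns {host: cached_mac} for every host whose entry for the gateway disagrees."""
    macs = {host: parse_arp(text).get(gateway_ip) for host, text in caches.items()}
    reference = macs["router"]
    return {h: m for h, m in macs.items() if m is not None and m != reference}

if __name__ == "__main__":
    caches = {"router": CISCO_ARP, "linux": LINUX_ARP, "windows": WINDOWS_ARP}
    for host, mac in gateway_mismatches("10.2.2.1", caches).items():
        print(f"{host}: stale gateway MAC {mac}; clear it with 'arp -d 10.2.2.1'")
```

On the thread's data this flags only the Linux box, whose cached 30:46:9a:a1:a1:1c is the old Netgear gateway rather than the router's c47d.4f16.3358.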