12831 Views, 5 Helpful, 18 Replies
Commands to check internet connection for Cisco 4431 Integrated Services Router

txu (Level 1)

Hi,

I'm pretty new to business-level routers (I have programming and certain Ubuntu system admin experience though) but I'm facing a problem with Cisco 4431 router.

We have a client with a quite strict security policy. The router resides in the client's network, with an external IP (12.34.56.78) assigned by the client's network. The router manages a few Ubuntu servers (X, Y, Z, etc.).

From my computer at my home, I can log into client's VPN and then access the router with ssh command, like

>ssh admin@12.34.56.78

or access server X with command like

>ssh -p 2210 guest@12.34.56.78

 

When I ssh into X, I issue command

>wget https://www.gnu.org/software/wget    # I have wget installed actually, just to test internet connection

I get an error like

>wget: unable to resolve host address: 'ftp.gnu.org'

I think I've set the networking files like "interfaces" correctly on server X and believe it's the client's firewall setting. However, the client's IT department says they don't block anything.

 

To avoid the possibility that I didn't configure X correctly, I also ssh into the router and issue the command

#show ip nat trans

Pro  Inside global         Inside local          Outside local         Outside global
icmp 172.24.62.135:1    192.168.2.10:15172       8.8.8.8:15172    8.8.8.8:1
.......
tcp  172.24.62.135:2210    192.168.2.10:22       10.132.63.11:43853    10.132.63.11:43853
udp  172.24.62.135:1064    192.168.2.11:21803    129.176.199.5:53      129.176.199.5:53
Total number of translations: 114

I think this says the router is able to send out outbound requests. However, I wonder if there's any command that can show the router is sending outbound to www.gnu.org or www.google.com but is blocked by the network. An imagined command like this:

#send_outbound_request_to_google

sending request out; sent; returned message saying you are blocked

 

I don't know much about router commands. Can you please help? TIA

-tx


18 Replies

balaji.bandi (Hall of Fame)

Once you log in to your X server:

First do nslookup ftp.gnu.org (check whether you are able to resolve DNS names).

If it is resolved, you see DNS entries like below.

Non-authoritative answer:
Name: ftp.gnu.org
Addresses: 2001:470:142:3::b
209.51.188.20

Then use the telnet command to test whether you have access from the server to the internet.

Example:

telnet ftp.gnu.org 443  <-- this shows whether you have access or not.

If this fails, then you need to contact the client and ask whether any ACL in the router is blocking.

 

BB


Giuseppe Larosa (Hall of Fame)

Hello txu,

to verify if the router is able to resolve a host in the internet you can simply use from the router shell:

 

ping ftp.gnu.org

 

About your NAT translations, the last line:

>> udp  172.24.62.135:1064    192.168.2.11:21803    129.176.199.5:53      129.176.199.5:53

This actually is a DNS request as the destination UDP port is 53.

So I would say your router NAT is correctly allowing and translating DNS requests.

 

Note that the inside global address is actually a private address too. I mean 172.24.62.135 is not a public address. If you haven't changed it manually to mask your real public address, there can be another device before going to the public internet.

 

Hope to help

Giuseppe

 

Thanks for reply.

 

ping ftp.gnu.org

returns

% Unrecognized host or address, or protocol not running.

 

172.24.62.135 is the IP assigned by the client to the router

 

If the NAT last line indicates router is set up correctly, I'll use this line to tell the client's IT person, although I was hoping to see a more direct command/return to say "block" or something similar. :)

 

Thanks again 

Hello Txu,

>> the NAT last line indicates router is set up correctly, I'll use this line to tell the client's IT person

That line tells that a DNS query coming from inside is correctly translated to outside.

 

I see that you have opened a new thread.

 

>> 172.24.62.135 is the IP assigned by the client to the router

As I have noted in my previous post, this is NOT a public IP address. It is a private address in RFC 1918. This means that another NAT process is performed later in another device that is not your router.

You need to take this fact into account. The issues that you experience can be located there, in the second device that you do not control.

 

Hope to help

Giuseppe

 

Hi Giuseppe,
By "second device that you do not control", do you mean a device that manages my router at a higher level (such as a client network device like a router)? The thing is, the client is now nearly 100% reluctant to check that possibility, for a reason which I think makes sense too: I can ping an external IP, such as Yahoo's 72.30.35.9.
What do you think?
Thanks!

Hello txu,

>> By "second device that you do not control", you mean a device that manages my router at a higher level

 

No, I mean the device that performs the next NAT operation.

As I have explained many times, you cannot go to the public internet with a source address 172.24.x.y because it is a private address (see RFC 1918 to verify).

So some other device near your device or in the service provider network performs another NAT operation.

Try to use a web site that tells you the IP address

for example go to

https://www.ripe.net

and look at the "Your address" field in the top right corner; it will not show 172.24.x.y.

I hope to have been clear now

Perform your tests and you can come to the same conclusion: there is another NAT device in the path to the internet.

Your device allows DNS requests to be NATed, as we have seen before. What about the next NAT device?

This is the right question to put to your customer.

 

Hope to help

Giuseppe
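An added example, not code from this thread or from Cisco, that applies the check Giuseppe makes in his last two posts to the translation table txu posted: it parses the rows of `show ip nat translations` and flags any inside global address that is RFC 1918 private, which is the sign that a second NAT hop sits between this router and the internet, and it picks out the UDP/53 rows that show DNS queries being translated. Python 3 standard library only; the sample rows are the ones quoted in the question, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the "show ip nat translations" rows quoted in the
# question (the "......." placeholder row from the original output is left out).
SAMPLE_NAT_OUTPUT = """\
Pro  Inside global         Inside local          Outside local         Outside global
icmp 172.24.62.135:1    192.168.2.10:15172       8.8.8.8:15172    8.8.8.8:1
tcp  172.24.62.135:2210    192.168.2.10:22       10.132.63.11:43853    10.132.63.11:43853
udp  172.24.62.135:1064    192.168.2.11:21803    129.176.199.5:53      129.176.199.5:53
Total number of translations: 114
"""

# One dynamic translation row: protocol followed by four address:port columns.
# (Static entries print "---" for the protocol and are not matched here.)
ROW_RE = re.compile(r"^(icmp|tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_endpoint(token):
    """'a.b.c.d:port' -> ('a.b.c.d', port). A token without a port, such as
    the '---' IOS prints for an absent column, stays as (token, None)."""
    if ":" in token:
        ip, port = token.rsplit(":", 1)
        return ip, int(port)
    return token, None


def is_private(ip):
    """True for RFC 1918 and other non-globally-routable addresses."""
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:  # '---' or any other non-address token
        return False


def parse_nat_table(text):
    """Return one dict per translation row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            proto, ig, il, ol, og = m.groups()
            rows.append({"proto": proto,
                         "inside_global": split_endpoint(ig),
                         "inside_local": split_endpoint(il),
                         "outside_local": split_endpoint(ol),
                         "outside_global": split_endpoint(og)})
    return rows


def analyze(rows):
    """The two checks from the thread: is the inside global address private
    (so another NAT hop must follow), and are DNS queries being translated?"""
    private_globals = sorted({r["inside_global"][0] for r in rows
                              if is_private(r["inside_global"][0])})
    dns_rows = [r for r in rows
                if r["proto"] == "udp" and r["outside_global"][1] == 53]
    return {
        "rows": len(rows),
        "private_inside_global": private_globals,
        "second_nat_hop_likely": bool(private_globals),
        "dns_translations": dns_rows,
    }


if __name__ == "__main__":
    report = analyze(parse_nat_table(SAMPLE_NAT_OUTPUT))
    print(f"{report['rows']} translation rows parsed")
    if report["second_nat_hop_likely"]:
        print("inside global is private:", ", ".join(report["private_inside_global"]),
              "-> another NAT device must exist before the public internet")
    for r in report["dns_translations"]:
        print("DNS query translated:", r["inside_local"], "->", r["outside_global"])
```

On a live router you would paste the full output of `show ip nat translations` into `parse_nat_table` instead of the sample; the report answers only what the table can answer (this router translates, and to a private address), not whether the device after it lets the traffic through.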

 

 

Hi Giuseppe,
Again, thank you very much for helping me on this.
At ripe.net, I see this
2605:e000:xxxxxxxxxxxx:59e7:459e:7e85:1d6d
instead of 172.24.x.y
I think I understand what you said now: the client has a device (CD) that is responsible for translating the IP my router sends out, and CD has the public IP.
However, the client IT says: you can ping 72.30.35.9 successfully, so that means no problem.
Appreciate your input and time!!
-txu

Hello txu,

>> 2605:e000:xxxxxxxxxxxx:59e7:459e:7e85:1d6d

This is an IPv6 address !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The device after yours is performing NAT64, meaning that it is translating a private IPv4 address to a public IPv6 address.

Now, it is more clear why you have DNS issues.

>> However, the client IT says, you can ping 72.30.35.9 positively, that means no problem

No, because a translation between IPv4 and IPv6 is happening, DNS requests have to be handled in a smart way.

In short IPv6 addresses have AAAA records in DNS

IPv4 addresses have A record in DNS.

If an IPv6 host makes a DNS request, it would get an AAAA response from the DNS server (the IPv6 address of the site).

You would need the DNS request to be "tuned" in order to get back the A record from the DNS server.(the IPv4 address)

 

Hope to help

Giuseppe

 

Also, the client IT says I need to configure
DNS server 129.176.100.5 into my router.
Is this something like what you said about the second device? If yes, how do I do it on my router? Thank you very much!

Hello txu,

use

config t
ip name-server 129.176.100.5
end
wr mem

 

And see if the behaviour changes and the DNS issue is solved.

 

Hope to help

Giuseppe

 

Hi Giuseppe,
I wrote what you said into the router. The router returns "Building configuration .... OK".
On my server, I used either 129.176.100.5 (the one given by the client) or 208.67.222.222 (from OpenDNS) as DNS nameservers, but I still got the same problem: ping by IP is okay, ping by domain name like www.yahoo.com returns "Unknown host www.yahoo.com".
What could be wrong?
Thank you!!!

Accepted Solution

Hello txu,

from the router shell

try to ping

www.yahoo.com

 

if this does not work

 

report your issues to the client.

 

If the ping to www.yahoo.com works from the router, the issue is in your server.

 

Hope to help

Giuseppe

On the router,
ping www.yahoo.com
Success rate is 100 percent (5/5)

Now, it's clear to me the router works, but not my server. Thank you!

pieterh (VIP)

"unable to resolve host address: 'ftp.gnu.org'"

This does not say it cannot make contact; it says it cannot resolve the hostname to an IP address.

-> SSH into X and issue the command "nslookup ftp.gnu.org", or maybe "dig gnu.org any".
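An added example, not code from this thread, that does on server X what balaji.bandi and pieterh describe: it separates "cannot resolve the name" from "cannot reach the host" by testing the two stages in order, a name lookup first and a TCP connection second, and it reads the nameserver list the way txu set it in the server's resolv.conf. Python 3 standard library only. The resolver and connector are passed in as parameters so the decision logic can be exercised with constructed failures; the sample resolv.conf, the `Diagnosis` type and the function names are my own, and the addresses are the ones quoted in the thread.

```python
import socket
from dataclasses import dataclass

# Constructed sample of a resolv.conf as the question describes it:
# the client-supplied server first, the OpenDNS server second.
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real file
nameserver 129.176.100.5
nameserver 208.67.222.222
search example.internal
"""


@dataclass
class Diagnosis:
    stage: str    # "dns", "connect" or "ok": which stage the test stopped at
    detail: str


def parse_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf order; comments are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolve_host(hostname):
    """Default resolver: the system's own nameservers, as nslookup would use."""
    return socket.gethostbyname(hostname)


def tcp_connect(ip, port, timeout=5.0):
    """Default connector: a plain TCP handshake, closed immediately
    (the same check as 'telnet host 443')."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True


def diagnose(hostname, port=443, resolve=resolve_host, connect=tcp_connect):
    """Separate 'cannot resolve' from 'cannot reach', in the order the
    thread's answers test them: name lookup first, then a TCP connection."""
    try:
        ip = resolve(hostname)
    except OSError as exc:        # socket.gaierror is an OSError subclass
        return Diagnosis("dns", f"cannot resolve {hostname}: {exc}")
    try:
        connect(ip, port)
    except OSError as exc:        # refused, timed out, network unreachable
        return Diagnosis("connect",
                         f"{hostname} resolves to {ip} but TCP/{port} failed: {exc}")
    return Diagnosis("ok", f"{hostname} resolves to {ip}; TCP/{port} reachable")


if __name__ == "__main__":
    print("nameservers:", parse_resolv_conf(SAMPLE_RESOLV_CONF))
    for host in ("ftp.gnu.org", "www.yahoo.com"):
        d = diagnose(host)
        print(f"[{d.stage}] {d.detail}")
```

Run on the server itself, a `dns` result with `ok` for a literal IP (the situation txu describes: ping 72.30.35.9 works, ping www.yahoo.com does not) points at name resolution on the server rather than at a firewall, which is the distinction the thread turns on.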
