Re: Impossible ping router to box

Ipefixe · ‎03-02-2020

Hello,
I want to set up a relay / DNS server on my Cisco 891F router but I cannot because I cannot communicate with my ISP router from the router.
Anyone have a solution?
Thank you in advance.

------------

Building configuration...

Current configuration : 5306 bytes
!
! Last configuration change at 20:15:33 UTC Mon Mar 2 2020 by nicolas
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R891F
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
enable secret 5 ***
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!

!
ip dhcp excluded-address 10.0.10.1
ip dhcp excluded-address 10.0.30.1
ip dhcp excluded-address 10.0.20.1
ip dhcp excluded-address 10.0.60.1
!
ip dhcp pool LAN_blablabla
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
domain-name LAN_blablabla
dns-server 10.0.10.1 8.8.8.8
!
ip dhcp pool WLAN_blablabla
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
domain-name WLAN_blablabla
dns-server 10.0.30.1 8.8.8.8
!
ip dhcp pool ADMINISTRATION
network 10.0.110.0 255.255.255.0
default-router 10.0.110.1
dns-server 10.0.110.1 8.8.8.8
domain-name ADMINISTRATION
!
ip dhcp pool VIDEOSURVEILLANCE
network 10.0.60.0 255.255.255.0
dns-server 10.0.60.1 8.8.8.8
domain-name VIDEOSURVEILLANCE
default-router 10.0.60.1
!
!
!
ip domain name blablabla
ip name-server 192.168.1.1
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891F-K9 sn FCZ2048E0YX
!
!
vtp version 2
username nicolas secret 5 $1$r40u$3TrVq78AW96nkBtyPtPCW1
!
!
!
!
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
description NAS-NICOLAS
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet1
description NAS-NICOLAS_VPN
switchport access vlan 110
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
description CAMERA-STUDIO
switchport access vlan 60
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
description AP-blablabla
switchport access vlan 30
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
description IMPRIMANTE
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
description INTERCO_R891F/WLC-blablabla
switchport mode trunk
no ip address
!
interface GigabitEthernet6
description INTERCO_R891F/SW-POE
switchport mode trunk
no ip address
!
interface GigabitEthernet7
description INTERCO_R891F/2960G
switchport mode trunk
no ip address
!
interface GigabitEthernet8
description INTERCO_WAN-R891F/2960G
ip address 192.168.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description LAN_blablabla
ip address 10.0.10.1 255.255.255.0
ip access-group FILTER_ALL_VLAN in
ip helper-address 10.0.10.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan20
description SERVICES
ip address 10.0.20.1 255.255.255.0
ip access-group FILTER_ALL_VLAN in
ip nat inside
ip nat enable
ip virtual-reassembly in
!
interface Vlan30
description WLAN_blablabla
ip address 10.0.30.1 255.255.255.0
ip access-group FILTER_ALL_VLAN in
ip helper-address 10.0.30.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan40
no ip address
!
interface Vlan50
no ip address
!
interface Vlan60
description VIDEOSURVEILLANCE
ip address 10.0.60.1 255.255.255.0
ip access-group FILTER_ALL_VLAN in
ip nat inside
ip virtual-reassembly in
!
interface Vlan70
no ip address
!
interface Vlan100
description INTERCO
ip address 10.0.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan110
description ADMINISTRATION
ip address 10.0.110.1 255.255.255.0
ip helper-address 10.0.110.1
ip nat inside
ip virtual-reassembly in
!
interface Vlan600
no ip address
!
interface Async3
no ip address
encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source static 10.0.20.2 192.168.1.2
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended FILTER_ALL_VLAN
permit ip any 10.0.110.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255
deny ip any 10.0.10.0 0.0.0.255
permit ip 10.0.60.0 0.0.0.255 10.0.20.0 0.0.0.255
deny ip any 10.0.20.0 0.0.0.255
deny ip any 10.0.30.0 0.0.0.255
permit ip 10.0.20.0 0.0.0.255 10.0.60.0 0.0.0.255
deny ip any 10.0.60.0 0.0.0.255
deny ip any 10.0.100.0 0.0.0.255
deny ip any 10.0.110.0 0.0.0.255
permit ip any any
!
!
access-list 1 permit 10.0.10.0 0.0.0.255
access-list 1 permit 10.0.20.0 0.0.0.255
access-list 1 permit 10.0.30.0 0.0.0.255
access-list 1 permit 10.0.110.0 0.0.0.255
access-list 1 permit 10.0.100.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
password 7 130616101919082F3F36272374
no modem enable
line aux 0
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input ssh
line vty 5 15
transport input ssh
!
scheduler allocate 20000 1000
!
end

Georg Pauwen · ‎03-02-2020

Hello,

--> because I cannot communicate with my ISP router from the router.

The IP address of the ISP router is 192.168.1.1 ? Does the ISP router have a route back to all your local subnets ?

Ipefixe · ‎03-03-2020

paul driver · ‎03-03-2020

Hello

If the addressing 192.168.1.0/24 correct regards connecting to you ISP router?
Can you ping the isp next hop - 192.168.1.1 ?
show ip arp
show int gig0/8

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Ipefixe · ‎03-03-2020

Hi Paul,

I can ping 192.168.1.2 it's the IP address of my WAN router interface.

But I can't ping 192.168.1.1.

---------------

R891F#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.0.10.1 - a03d.6f10.8a38 ARPA Vlan10
Internet 10.0.20.1 - a03d.6f10.8a38 ARPA Vlan20
Internet 10.0.20.2 18 245e.be08.0cd1 ARPA Vlan20
Internet 10.0.30.1 - a03d.6f10.8a38 ARPA Vlan30
Internet 10.0.30.2 0 e495.6e4c.8254 ARPA Vlan30
Internet 10.0.30.3 5 e495.6e4c.8254 ARPA Vlan30
Internet 10.0.30.4 14 04cf.8cb8.65b9 ARPA Vlan30
Internet 10.0.30.5 121 7cd9.5c14.cd7e ARPA Vlan30
Internet 10.0.30.6 3 04cf.8cad.1a2a ARPA Vlan30
Internet 10.0.30.13 152 84f3.eb59.98b3 ARPA Vlan30
Internet 10.0.60.1 - a03d.6f10.8a38 ARPA Vlan60
Internet 10.0.60.2 1 ec71.db23.9a0e ARPA Vlan60
Internet 10.0.100.1 - a03d.6f10.8a38 ARPA Vlan100
Internet 10.0.100.2 138 001d.7132.c141 ARPA Vlan100
Internet 10.0.100.3 17 3894.ed1e.1a10 ARPA Vlan100
Internet 10.0.110.1 - a03d.6f10.8a38 ARPA Vlan110
Internet 10.0.110.2 0 245e.be08.0cd2 ARPA Vlan110
Internet 192.168.1.1 0 6035.c063.2080 ARPA GigabitEthernet8
Internet 192.168.1.2 - a03d.6f10.8a4a ARPA GigabitEthernet8

R891F#show int gi8
GigabitEthernet8 is up, line protocol is up
Hardware is PQ3_TSEC, address is a03d.6f10.8a4a (bia a03d.6f10.8a4a)
Description: INTERCO_WAN-R891F/2960G
Internet address is 192.168.1.2/24
MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 1Gbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/99 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 12000 bits/sec, 10 packets/sec
5 minute output rate 9000 bits/sec, 10 packets/sec
23085700 packets input, 29992278911 bytes, 0 no buffer
Received 438354 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
579 input errors, 0 CRC, 0 frame, 579 overrun, 0 ignored
0 watchdog, 37718 multicast, 0 pause input
11672725 packets output, 5967927511 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
407271 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
1 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out

Georg Pauwen · ‎03-03-2020

Hello,

you only have routes to Vlan 100 and Vlan 110. Can the ISP router ping any host on either of these Vlans ?

Richard Burts · ‎03-03-2020

The original poster tells us that they can not ping the 192.168.1.1 address. So it sounds like there is a connectivity problem communicating with the peer. But the entry in the arp table shows that there is successful communications at layer 2 with the peer. So there is some IP issue. Perhaps the peer has a security policy that does not allow ping? Is there any other information about IP communication with this peer?

HTH

Rick

Ipefixe · ‎03-04-2020

Hi Richard, thank you for your help.
The ISP router has no restrictions and allows pings.

Richard Burts · ‎03-05-2020

Thank you for the information. I have looked through your configuration again and believe that I have identified the issue. You have a static address translation which says that anything arriving on your wan interface is forwarded to 10.0.20.2 and that would include the ping responses.

ip nat inside source static 10.0.20.2 192.168.1.2

HTH

Rick