cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2019
Views
0
Helpful
12
Replies

Initial ISR 4221 config fails to ping

TimothyRogers
Level 1
Level 1

I have an initially installed a ISR 4221. 

 

I have tried a few iterations of the configuration, and have ended up at the same impasse a few times.

 

Best description is that when I use the UI to test the WAN interface I get to the ISP, get DNS services and fail a pint to sundry addresses (8.8.8.8 || 128.138.140.44 ( utcnist.colorado.edu NTP server)).

 

I have pared the config down a bit and got rid of a few things along the way (e.g. router on a stick).

 

BLUF - two interfaces.  0/0/0 faces the ISP 0/0/1 faces my switch.

 

Appreciate any assistance, obviously I'm missing something (simple likely) and would appreciate the guidance.  As a net admin I make a pretty good DBA.

 

 

///////////////////////// conf follows///////////////////////////////////////////

 

 

 

Last configuration change at 15:35:00 UTC Fri Dec 28 2018 by admin
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname NEW_Router_Edge
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$yWHt$Wf/pW.MDvSEpz0WU4jSLs0
enable password ENABLE_PSWD
!
no aaa new-model
clock timezone UTC -5 0
!
ip name-server 71.10.216.1 71.10.216.2
ip dhcp excluded-address 192.168.1.1 192.168.1.128
ip dhcp excluded-address 192.168.2.1 192.168.2.128
!
ip dhcp pool TEMP
network 192.168.2.0 255.255.255.0
lease infinite
!
ip dhcp pool TEMP1
network 192.168.1.0 255.255.255.0
lease infinite
!
!
!
!
!
!
!
!
!
!
subscriber templating
ipv6 unicast-routing
!
!
multilink bundle-name authenticated
passthru-domain-list NEW
match DOMAIN_NAME.COM
!
!
!
crypto pki trustpoint TP-self-signed-3004460203
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3004460203
revocation-check none
rsakeypair TP-self-signed-3004460203
!
!
crypto pki certificate chain TP-self-signed-3004460203
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
!
license udi pid ISR4221/K9 sn FGLXXXXXXXX
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
username admin privilege 15 secret 9 $9$3F6E4/2K1lAH2E$oYywunCsF3dQtYqBxCXigw8zNugjQjdo.8oZpkh8LAI
username admin secret 9 $9$2UwI1l6L3/6E2k$sXZyOg5gXpd.JpUNIu6Y6Oek9cvd.AOCh1uZxPtbfY6
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Facing ISP
ip dhcp relay information trusted
ip address dhcp hostname NEW_Router_EDGE
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description Facing OPS Switches
ip dhcp relay information trusted
ip address 192.168.2.1 255.255.255.0
ip nat inside
negotiation auto
!
!
router eigrp NEW
!
address-family ipv4 unicast autonomous-system 9
!
topology base
exit-af-topology
network 192.168.0.0 0.0.255.255
eigrp router-id 192.168.2.2
exit-address-family
!
ip nat inside source list NEW-PRIV-NETS interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip ftp source-interface GigabitEthernet0/0/1
ip ftp username admin
ip ftp password ENABLE_PSWD
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip tftp source-interface GigabitEthernet0/0/1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0/0
!
!
!
ip access-list extended NEW-PRIV-NETS
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
!
route-map track-primary-if permit 1 
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
password password
login
length 0
!
ntp server ip time.nist.gov prefer source GigabitEthernet0/0/0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

12 Replies 12

Richard Burts
Hall of Fame
Hall of Fame

There are several things in the config that is posted that should be addressed.

 

Your configuration of address translation has a simple but significant problem. You configured

ip nat inside source list NEW-PRIV-NETS interface GigabitEthernet0/0/1 overload

but you are telling the translation to use the inside interface. It should use Gig0/0/0

 

You have configured two versions of the password for privilege mode

enable secret 5 $1$yWHt$Wf/pW.MDvSEpz0WU4jSLs0
enable password ENABLE_PSWD

the enable password was the older approach and enable secret was introduced to increase the security associated with the password. When both versions of the password are present the enable secret is used and the enable password is ignored. I suggest that you remove the enable password.

 

You have configured 2 DHCP pools which specify networks to use for the pools. But fail to specify other important parameters, especially the default router. And specifying the lease time as infinite makes me nervous. It is an invitation to have the DHCP pool exhausted and filled with stale leases which no longer have active hosts. Making the lease go a long time if fine, but there should be some expiration of stale leases.

 

You have 2 static routes each of which has some issue

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0

It is not good to have a static route specify only the outbound interface when that interface is Ethernet. Generally the static route would specify the next hop address. Or in your case it could specify that the default route is learned by DHCP. Change the static route and then please post the output of the command show ip route so that we can see what we have got for routing.
ip route 192.168.2.0 255.255.255.0 GigabitEthernet0/0/0

this is interesting. actually 192.168.2.0 is the subnet of the network on Gig0/0/1. So you are pointing at the wrong outbound interface. Also this is another example of a static route specifying only the outbound interface. And (probably most importantly) you do not need a static route for a network/subnet that is locally connected. I wonder if the intent had been to have a route for the 192.168.1.0 network. That is one of the networks used in your DHCP pools but there is no indication in the config where that network is connected.

 

Please post the output of these commands

show ip interface brief

show ip route

 

HTH

 

Rick

 

HTH

Rick

Some of the items mentioned were hold overs from a previous (failed) config.

 

That said.  Good advice is just that.  I cleaned up the old enable password.  Added a 9 day lease to the DHCP Pools

Deleted the two default routes

 

#show ip int brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 47.26.248.44 YES DHCP up up
GigabitEthernet0/0/1 192.168.2.1 YES NVRAM up up

show ip route

#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is 47.26.248.1 to network 0.0.0.0
S* 0.0.0.0/0 [254/0] via 47.26.248.1
47.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 47.26.248.0/23 is directly connected, GigabitEthernet0/0/0
L 47.26.248.44/32 is directly connected, GigabitEthernet0/0/0
68.0.0.0/32 is subnetted, 1 subnets
S 68.114.39.168 [254/0] via 47.26.248.1, GigabitEthernet0/0/0
192.168.2.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.2.0/24 is directly connected, GigabitEthernet0/0/1
L 192.168.2.1/32 is directly connected, GigabitEthernet0/0/1

Hello,

 

so is it working now after Richard's suggestions ?

Apologies for not responding sooner.  A bathroom tile project was "prioritized" above all else.  I am willing to accept help on that one too!

 

That said.  No, it still doesn't allow connection.

 

 

Hello,

 

priorities are priorities I guess...:)

 

Can you post the configuration you currently have ?

The drawing seems to suggest that this is some type of simulator rather than actual equipment. Is that correct? What can you tell us about this simulator?

 

Let us take small steps in testing:

- would you post the output of attempting to ping the gateway next hop address

- would you post the output of the command show arp

 

HTH

 

Rick

HTH

Rick

 

 

 

The equipment is all "real"  I have a simple edge configuration where the ISR (will) stand between a small set of switches, a WAP and sundry servers.

 

 

#ping 47.26.248.44
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 47.26.248.44, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Mon Dec 31 2018 09:12:37 GMT-0500 (Eastern Standard Time)
===================================================================================
#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 8.8.4.4 0 Incomplete ARPA
Internet 8.8.8.8 0 Incomplete ARPA
Internet 23.23.78.48 0 Incomplete ARPA
Internet 34.205.208.184 0 Incomplete ARPA
Internet 47.26.248.1 0 0001.5ca2.0046 ARPA GigabitEthernet0/0/0
Internet 47.26.248.44 - bc26.c78f.0d10 ARPA GigabitEthernet0/0/0
Internet 71.10.216.1 0 Incomplete ARPA
Internet 71.10.216.2 0 Incomplete ARPA
Internet 128.138.141.172 0 Incomplete ARPA
Internet 131.78.200.85 0 Incomplete ARPA
Internet 140.153.76.75 0 Incomplete ARPA
Internet 172.217.8.206 0 Incomplete ARPA
Internet 172.217.9.35 0 Incomplete ARPA
Internet 185.176.26.39 0 Incomplete ARPA
Internet 192.168.0.122 0 Incomplete ARPA
Internet 192.168.0.123 0 Incomplete ARPA
Internet 192.168.0.124 0 Incomplete ARPA
Internet 192.168.0.125 0 Incomplete ARPA
Internet 192.168.0.126 0 Incomplete ARPA
Internet 192.168.0.127 0 Incomplete ARPA
Internet 192.168.0.128 0 Incomplete ARPA
Internet 192.168.0.129 0 Incomplete ARPA
Internet 192.168.0.130 0 Incomplete ARPA
Internet 192.168.0.131 0 Incomplete ARPA
Internet 192.168.0.132 0 Incomplete ARPA
Internet 192.168.0.133 0 Incomplete ARPA
Internet 192.168.0.134 0 Incomplete ARPA
Internet 192.168.0.135 0 Incomplete ARPA
Internet 192.168.0.136 0 Incomplete ARPA
Internet 192.168.0.137 0 Incomplete ARPA
Internet 192.168.0.138 0 Incomplete ARPA
Internet 192.168.0.139 0 Incomplete ARPA
Internet 192.168.0.140 0 Incomplete ARPA
Internet 192.168.0.141 0 Incomplete ARPA
Internet 192.168.0.142 0 Incomplete ARPA
Internet 192.168.0.143 0 Incomplete ARPA
Internet 192.168.0.144 0 Incomplete ARPA
Internet 192.168.0.145 0 Incomplete ARPA
Internet 192.168.2.1 - bc26.c78f.0d11 ARPA GigabitEthernet0/0/1
Internet 192.168.2.146 0 2c30.33e7.00bf ARPA GigabitEthernet0/0/1
Internet 192.168.2.147 0 00e0.4c41.ba07 ARPA GigabitEthernet0/0/1
Internet 192.168.2.148 2 5c26.0a18.403d ARPA GigabitEthernet0/0/1
Internet 194.28.115.245 0 Incomplete ARPA
Internet 216.58.192.228 0 Incomplete ARPA

 

 

Thanks for the additional information. It is good to know that this is real equipment. I am curious what you are using to test with (when you tested the ping to 8.8.8.8 provided information that admin status was up, that line protocol was up and what is the address assigned, that DNS is configured and what addresses, and that ping failed). I asked that you ping the gateway next hop and you pinged your own address. Now would you ping 47.26.248.1?

 

The output of show arp has several interesting things. It does have an entry for 47.26.248.1 which tells us that at least at layer 2 we have successful communication. The ping will verify that we have layer 3 communication. There are also quite a few entries that show as Incomplete. This means that your router has sent an arp request for them and has not received any response. 

Internet 71.10.216.1 0 Incomplete ARPA
Internet 71.10.216.2 0 Incomplete ARPA

Internet 131.78.200.85 0 Incomplete ARPA
Internet 140.153.76.75 0 Incomplete ARPA
Internet 172.217.8.206 0 Incomplete ARPA
Internet 172.217.9.35 0 Incomplete ARPA
Internet 185.176.26.39 0 Incomplete ARPA

I am curious why there has been attempts to access these public IPs. There are also attempts to access a bunch of hosts in network 192.168.0.0. These entries seem to suggest that the router still has the default route as ip route 0.0.0.0 0.0.0.0 Gig0/0/0. Perhaps a fresh copy of the config might be helpful.

 

HTH

 

Rick

HTH

Rick

In order to move from from my currently functional setup to my aspiring design I have to move some cables.  I have a WAP/router that is working properly.  I have it set up as a DHCP client and I either have it connected to my ISP or to the "inside" of my ISR, attached to my first OPS switch.

 

I do have a functioning lab on the far side of the switches as well.  Some ESX servers, NAS, as well as a small IOT environment. 

 

I did a quick cataloged for the IP addresses,  Two are work related, two are Google resources and the other is a cloud service IP that will receive some more research. 

 

That one IP is a task that is now on my list.  Once the router is talking properly to the Internet, it is my intent to do a router on a stick configuration and augment with some VLAN segmentation to keep some of the lab servers and items cordoned off.  That is the next term goal.  Again, once I get the basics thing working.

 

Reference

 

The 71.10.216.1 & 71.10.216.2 addresses are my ISP DNS servers

 

v/r

Timothy

 

! Last configuration change at 19:18:33 UTC Fri Dec 28 2018 by xxxxxx
!
version 16.8
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname NEW_Router_Edge
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 <hash>
!
no aaa new-model
clock timezone UTC -5 0
!
ip name-server 71.10.216.1 71.10.216.2
ip dhcp excluded-address 192.168.1.1 192.168.1.128
ip dhcp excluded-address 192.168.2.1 192.168.2.128
!
ip dhcp pool TEMP
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
lease 9
!
ip dhcp pool PCs
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
lease 9
!
ip dhcp pool PHONES
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
lease 9
!
ip dhcp pool INFRA
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
lease 9
!
ip dhcp pool TEMP1
network 192.168.1.0 255.255.255.0
default-router 192.168.2.1
lease 9
!
!
!
!
!
!
!
!
!
!
subscriber templating
ipv6 unicast-routing
!
!
multilink bundle-name authenticated
passthru-domain-list NEW
match ABCDEFGHIJKLM.COM
!
!
!
crypto pki trustpoint TP-self-signed-3004460203
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3004460203
revocation-check none
rsakeypair TP-self-signed-3004460203
!
!
crypto pki certificate chain TP-self-signed-3004460203
certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
!
license udi pid ISR4221/K9 sn FGLAAAAAAAA
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
username <hide_user> privilege 15 secret 9 <hash>
username <hide-user> secret 9 <hash>
!
redundancy
mode none
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description Facing ISP
ip dhcp relay information trusted
ip address dhcp hostname NEW_Router_EDGE
ip nat outside
negotiation auto
!
interface GigabitEthernet0/0/1
description Facing OPS Switches
ip dhcp relay information trusted
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip access-group NEW-PRIV-NETS out
negotiation auto
!
!
router eigrp NEW
!
address-family ipv4 unicast autonomous-system 9
!
topology base
exit-af-topology
exit-address-family
!
ip nat inside source list NEW-PRIV-NETS interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip ftp source-interface GigabitEthernet0/0/1
ip ftp username rogerst
ip ftp password Sierra
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip tftp source-interface GigabitEthernet0/0/1
!
!
!
ip access-list extended NEW-PRIV-NETS
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any
!
!
route-map track-primary-if permit 1
match ip address 197
set interface GigabitEthernet0/0/0
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
password xxxxxxx
login
length 0
!
ntp server ip time.nist.gov prefer source GigabitEthernet0/0/0
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
!
!
end

Thanks for the fresh copy of the config. There are a couple of items that I would comment on.

You have configured this for address translation

ip nat inside source list NEW-PRIV-NETS interface GigabitEthernet0/0/1 overload

Did you intentionally use Gig0/0/1 as the interface to use? I would have expected that you would use the outside interface rather than the inside interface.

 

I notice that you are using the same acl for both address translation and applied to the interface using access-group. I would suggest that you not use the same acl for both address translation and for access-group. For address translation I would suggest that you use a standard access list rather than use the extended access list. And there is an error in logic in the way that you have applied the acl. 

ip access-list extended NEW-PRIV-NETS
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.2.0 0.0.0.255 any

in this version of the acl 192.168.1.0 and 192.168.2.0 are source addresses. But to process the acl as out these should be destination addresses. To process the acl as you have configured it the access-group should specify in rather than out

ip access-group NEW-PRIV-NETS out

 

I see that you are configuring EIGRP as your routing protocol. But I do not see any statements specifying the networks to process.

 

Can you clarify for us what is working now and what is not working now?

 

HTH

 

Rick

HTH

Rick

Back of the napkin estimates that 185.176.26.39 is a port scan origin point in the former Eastern Bloc attrib via:

 

WHOIS; & 

https://psad.disloops.com/

 

Inferred, not known.

 

All the more motivation to get this set up.  Get a nice ACL set up and to drop/no log these packets at the perimeter.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: