Internal hosts cannot ping outside, but router can

I'm having an issue where internal hosts cannot access the internet but I am able to ping external hosts when I console into the router. The router is a 2800 series. Does anything jump out at you?

Thanks in advance.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5 $1$okjq$nzEJtcQA.jMAxu4XJuzTu0
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.48.10.1 10.48.10.63
ip dhcp excluded-address 10.48.9.1 10.48.9.63
!
ip dhcp pool voice
   network 10.48.10.0 255.255.255.0
   default-router 10.48.10.1
   option 42 ip 10.48.255.9 10.48.255.254
   option 2 hex ffff.8f80
   option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
   dns-server 8.8.8.8
!
ip dhcp pool data
   network 10.48.9.0 255.255.255.0
   default-router 10.48.9.1
   option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
   dns-server 8.8.8.8
!
ip dhcp pool data-bw-hb-01
   host 10.48.9.32 255.255.255.0
   client-identifier 68b5.9990.97a2
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
ip dhcp pool data-bw-hb-02
   host 10.48.9.33 255.255.255.0
   client-identifier 68b5.9990.5503
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
ip dhcp pool data-clr-bh-01
   host 10.48.9.40 255.255.255.0
   client-identifier 0000.854e.777d
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
ip dhcp pool data-bh-staff-01
   host 10.48.9.39 255.255.255.0
   client-identifier 68b5.9990.cd2f
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
ip dhcp pool data-bh-ptr-mb
   host 10.48.9.50 255.255.255.0
   client-identifier 0100.8077.84f7.76
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
ip dhcp pool data-bh-chk-01
   host 10.48.9.38 255.255.255.0
   hardware-address 0025.b3fc.7cf2
   default-router 10.48.9.1
   dns-server 10.48.254.16 68.94.156.1
!
ip dhcp pool data-bh-ptr-sc
   host 10.48.9.49 255.255.255.0
   hardware-address 0013.21c1.8cc0
   default-router 10.48.9.1
   dns-server 8.8.8.8
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
no ip bootp server
ip domain lookup source-interface FastEthernet0/0.997
ip domain name jag.intra
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-295269958
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-295269958
revocation-check none
rsakeypair TP-self-signed-295269958
!
!
crypto pki certificate chain TP-self-signed-295269958
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
username sitetech privilege 15 secret 5 $1$NNKm$MC8mPimeV9RRKoyJz5cZv0
archive
log config
  hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key *********************** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set jag-trans esp-aes 256 esp-md5-hmac
!
crypto ipsec profile jag-dmvpn
set transform-set jag-trans
!
!
!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
class-map match-any Call-Signaling
match ip dscp cs3
match ip dscp af31
class-map match-any Voice
match ip dscp ef
match access-group 161
!
!
policy-map WAN-EDGE
class Voice
    priority percent 33
class Call-Signaling
    bandwidth percent 5
class class-default
    fair-queue
!
!
!
!
interface Loopback0
ip address 10.48.255.9 255.255.255.255
ip nat inside
ip virtual-reassembly
load-interval 30
!
interface Loopback1
no ip address
!
interface Tunnel0
description DMVPN via ATT DSL
bandwidth 1000
ip address 10.255.48.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast x.x.x.230
ip nhrp map 10.255.48.254 x.x.x.230
ip nhrp network-id 100000
ip nhrp holdtime 30
ip nhrp nhs 10.255.48.254
ip tcp adjust-mss 1360
ip summary-address eigrp 1048 10.48.8.0 255.255.252.0 5
delay 1000
shutdown
qos pre-classify
tunnel source FastEthernet0/0.998
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile jag-dmvpn
!
interface Tunnel1
description DMVPN via XO EoC
bandwidth 10000
ip address 10.255.48.9 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map 10.255.48.254 x.x.x.230
ip nhrp map multicast x.x.x.230
ip nhrp network-id 100000
ip nhrp holdtime 30
ip nhrp nhs 10.255.48.254
ip tcp adjust-mss 1360
ip summary-address eigrp 1048 10.48.8.0 255.255.252.0 5
delay 1000
qos pre-classify
tunnel source FastEthernet0/0.997
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile jag-dmvpn
!
interface Tunnel2
description DMVPN test
bandwidth 10000
ip address 10.254.48.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_JA
ip nhrp map multicast dynamic
ip nhrp network-id 20000
ip nhrp holdtime 30
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
load-interval 60
delay 400
shutdown
qos pre-classify
keepalive 5 4
tunnel source FastEthernet0/0.997
tunnel mode gre multipoint
tunnel key 20000
tunnel protection ipsec profile jag-dmvpn
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Outside Trunk
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy output WAN-EDGE
!
interface FastEthernet0/0.997
description XO EoC
encapsulation dot1Q 997
ip address y.y.y.110 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.998
description AT&T DSL
encapsulation dot1Q 998
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
shutdown
no cdp enable
!
interface FastEthernet0/1
description Inside Trunk
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 10.48.9.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.102
encapsulation dot1Q 102
ip address 10.48.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
router eigrp 1048
redistribute static route-map redist-static
passive-interface FastEthernet0/0
passive-interface FastEthernet0/0.997
passive-interface FastEthernet0/0.998
network 10.48.0.0 0.0.255.255
network 10.254.48.0 0.0.0.255
network 10.255.48.0 0.0.0.255
network 10.255.49.0 0.0.0.255
network 10.0.0.0
no auto-summary
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 a.a.a.62 100 track 1
ip route 0.0.0.0 0.0.0.0 b.b.b.109 track 2
ip route 10.48.20.0 255.255.252.0 10.48.9.15
ip route 10.48.255.21 255.255.255.255 10.48.9.15
ip route a.a.a.56 255.255.255.248 FastEthernet0/0.998
ip route b.b.b.108 255.255.255.252 FastEthernet0/0.997
ip http server
ip http access-class 90
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NAT-Map-ATT interface FastEthernet0/0.998 overload
ip nat inside source route-map Nat-Map-XO interface FastEthernet0/0.997 overload
!
ip access-list extended NATIP
deny   ip 10.48.0.0 0.0.255.255 10.0.0.0 0.0.0.255
permit ip 10.48.0.0 0.0.255.255 any
!
ip sla 1
icmp-echo a.a.a.62
timeout 30000
frequency 30
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo b.b.b.109
frequency 8
access-list 10 permit 10.48.255.21
access-list 10 remark redist-static allowed
access-list 10 permit 10.48.20.0 0.0.3.255
access-list 90 remark HTTP Server ACL
access-list 90 permit 10.255.48.0 0.0.0.255
access-list 90 permit 10.48.0.0 0.0.255.255
access-list 90 permit 10.20.0.0 0.3.255.255
access-list 90 permit 10.16.1.0 0.0.0.255
access-list 90 permit 206.82.221.224 0.0.0.15
access-list 90 deny   any
access-list 90 permit 0.0.0.0 255.255.255.0
access-list 90 permit 10.254.48.0 0.0.0.255
access-list 110 permit ip 10.48.0.0 0.0.255.255 any
access-list 111 permit ip 10.48.0.0 0.0.255.255 any
access-list 161 remark : ShoreTel Voice over IP Ports
access-list 161 permit udp any any eq 2427
access-list 161 permit udp any any eq 2727
access-list 161 permit udp any any range 5440 5446
access-list 161 permit udp any any eq 5004
access-list 161 permit udp any any eq 5060
access-list 161 permit tcp any any eq 5060
access-list 161 permit udp host 10.48.10.16 gt 1024 any gt 1024
access-list 161 permit udp 10.48.10.0 0.0.0.255 any
!
!
!
route-map Nat-Map-XO permit 10
match ip address NATIP
match interface FastEthernet0/0.997
!
route-map redist-static permit 10
match ip address 10
!
route-map redist-static deny 20
!
route-map NAT-Map-ATT permit 10
match ip address NATIP
match interface FastEthernet0/0.998
!
!
snmp-server community $jag-net-stats$ RO 90
!
control-plane
!
banner login ^CC
This system is considered private and proprietary and is subject to audit.
The unauthorized access, use or modification of this or any other computer
systems or networks or of the data contained therein or in transit
thereto/therefrom is a criminal violation of federal and state laws and will
be prosecuted to the fullest extent of the law.
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.20.253.1
ntp server 192.12.19.20
ntp server 164.67.62.194
end


Hi Kris,

When you say you can ping from the firewall, what is the source address you are using? Can you try an extended ping and specify the inside interface and see if that works? "debug IP nat" will probably help too.
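As an added example (not from this thread or from Cisco), a small Python check of the NAT plumbing that an extended ping sourced from the inside interface and `debug ip nat` would exercise, run against an abridged excerpt of the configuration posted above (the excerpt is constructed from the page; interface and route-map names are the poster's). It reports a NAT egress interface that lacks `ip nat outside` or is shut down, a NAT route-map that does not match its egress interface, and the absence of any `ip nat inside` interface, the conditions that make the router's own traffic work while hosts behind it fail.

```python
import re

# Abridged NAT-related excerpt of the running-config posted in the question (constructed from the page).
POSTED_CONFIG = """\
interface FastEthernet0/0.997
 ip nat outside
!
interface FastEthernet0/0.998
 ip nat outside
 shutdown
!
interface FastEthernet0/1.101
 ip nat inside
!
ip nat inside source route-map NAT-Map-ATT interface FastEthernet0/0.998 overload
ip nat inside source route-map Nat-Map-XO interface FastEthernet0/0.997 overload
!
route-map Nat-Map-XO permit 10
 match interface FastEthernet0/0.997
!
route-map NAT-Map-ATT permit 10
 match interface FastEthernet0/0.998
"""

def blocks(cfg):
    """Map each top-level IOS line that owns indented sub-lines to the set of those sub-lines."""
    out, cur = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and cur is not None:
            out.setdefault(cur, set()).add(raw.strip())
        elif raw.strip() not in ("", "!"):  # '!' separators carry no configuration
            cur = raw.strip()
    return out

def check_nat_path(cfg):
    """Return findings that would explain 'router pings out, hosts behind it cannot'."""
    top = blocks(cfg)
    findings = []
    if not any("ip nat inside" in s for h, s in top.items() if h.startswith("interface ")):
        findings.append("no interface is marked 'ip nat inside'")
    for rm, egress in re.findall(r"^ip nat inside source route-map (\S+) interface (\S+) overload", cfg, re.M):
        sub = top.get(f"interface {egress}", set())
        if "ip nat outside" not in sub:
            findings.append(f"{egress}: NAT egress lacks 'ip nat outside'")
        if "shutdown" in sub:
            findings.append(f"{egress}: NAT egress is shutdown")
        rmap = set().union(*(s for h, s in top.items() if h.startswith(f"route-map {rm} ")))  # all sequences
        if f"match interface {egress}" not in rmap:
            findings.append(f"route-map {rm}: missing 'match interface {egress}'")
    return findings
```

Against the posted excerpt the only finding is the shut-down AT&T sub-interface FastEthernet0/0.998, so the NAT configuration for the XO path is internally consistent, which fits the fault eventually being found upstream at the carrier.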

This ended up resolving itself. The internet carrier had a routing issue and I was able to ping normally once they resolved it. Thanks for taking a look though.

Kris

Hello Kris,

Thank you for sharing the solution with the community.

Some Kudos to you.

Please mark the question as answered so future users can learn from this.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC