11-11-2016 09:49 PM - edited 03-05-2019 07:28 AM
I've been puzzled with this issue for a couple of days now. I am stuck on what the issue might be. The issue is that I can ping from my router,
Router 1:
version 15.1
Router 2:
version 15.1
Switch:
version 12.2
no service pad
service
service
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname LAN_Switch
!
boot-start-marker
boot-end-marker
!
username ****** privilege 15 secret 5 ***************************
!
no aaa new-model
clock timezone CST -6
switch 1 provision ws-c3750-24ts
system
ip name-server 8.8.8.8
!
spanning-tree mode rapid-
spanning-tree logging
spanning-tree extend system-id
!
ip ssh version 2
!
interface Loopback0
!
interface FastEthernet1/0/1
 spanning-tree
!
interface FastEthernet1/0/2
 spanning-tree
!
interface FastEthernet1/0/3
 shutdown
 spanning-tree
!
interface FastEthernet1/0/4
 shutdown
 spanning-tree
!
interface FastEthernet1/0/5
 shutdown
 spanning-tree
!
interface FastEthernet1/0/6
 shutdown
 spanning-tree
!
interface FastEthernet1/0/7
 shutdown
 spanning-tree
!
interface FastEthernet1/0/8
 shutdown
 spanning-tree
!
interface FastEthernet1/0/9
 shutdown
 spanning-tree
!
interface FastEthernet1/0/10
 shutdown
 spanning-tree
!
interface FastEthernet1/0/11
 shutdown
 spanning-tree
!
interface FastEthernet1/0/12
 shutdown
 spanning-tree
!
interface FastEthernet1/0/13
 shutdown
 spanning-tree
!
interface FastEthernet1/0/14
 shutdown
 spanning-tree
!
interface FastEthernet1/0/15
 shutdown
 spanning-tree
!
interface FastEthernet1/0/16
 shutdown
 spanning-tree
!
interface FastEthernet1/0/17
 shutdown
 spanning-tree
!
interface FastEthernet1/0/18
 shutdown
 spanning-tree
!
interface FastEthernet1/0/19
 description ## PC ##
 spanning-tree
!
interface FastEthernet1/0/20
 description ## X_BOX ##
 shutdown
 spanning-tree
!
interface FastEthernet1/0/21
 spanning-tree
!
interface FastEthernet1/0/22
!
interface FastEthernet1/0/23
 switchport access
!
interface FastEthernet1/0/24
 switchport access
!
interface GigabitEthernet1/0/1
 shutdown
!
interface GigabitEthernet1/0/2
 shutdown
!
interface Vlan1
 no shutdown
!
interface Vlan5
!
interface Vlan10
!
interface Vlan17
!
interface Vlan52
!
interface Vlan94
!
router
 router-id 192.168.254.5
 log-adjacency-changes
 network 192.168.0.5 0.0.0.0 area 1
 network 192.168.10.2 0.0.0.0 area 2
 network 192.168.17.17 0.0.0.0 area 2
 network 192.168.52.1 0.0.0.0 area 2
 network 192.168.94.33 0.0.0.0 area 2
 network 192.168.254.5 0.0.0.0 area 0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.4 permanent
no ip http server
no
!
permit
permit
permit
permit
permit
permit
permit
deny
!
banner login ^C
W A R N I N G
THIS IS A PRIVATE COMPUTER SYSTEM. This computer system including all related equipment, network devices (specifically including Internet access), are provided only for authorized used.
All computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for facilitate protection against unauthorized access, and to verify security procedures, survivability and operational security.
Monitoring includes active attacks by authorized personnel and their entities to test or verify the security of the system. During monitoring, information may be examined, recorded, copied and used for authorized purposes.
All information including personal information, placed on or sent over this system may be monitored. unauthorized, constitutes consent to monitoring of this system.
Unauthorized use may subject you to criminal prosecution. Evidence of any such unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action.
Use of this system constitutes consent to
^C
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 logging synchronous
 login local
line
 access-class SSH_IN in
 login local
line
 access-class SSH_IN in
 login
line
 access-class SSH_IN in
 login
!
event manager environment suspend_ports_config flash:/susp_ports.dat
event manager environment suspend_ports_days 7
event manager directory user policy "flash:/policies/"
event manager session
event manager policy sl_suspend_ports.tcl
event manager policy tm_suspend_ports.tcl
event manager applet SaveRunConfig
 event timer
 action 1.0
 action 2.0
11-12-2016 01:34 AM
Hello,
I think the problem is with your GLBP configuration. Try to configure host-dependent load balancing (do that on the other GLBP router as well):
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.248
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
glbp 100 ip 192.168.0.4
glbp 100 priority 115
glbp 100 preempt
glbp 100 load-balancing host-dependent
duplex auto
speed auto
media-type rj45
11-12-2016 06:42 AM
Thanks for pointing out the host-dependent for me. I did forget to add it when I was setting up
LAN_Router_2#show run int g0/1
Current configuration : 280 bytes
LAN_Router_2#ping google.com source 192.168.0.2
Type escape sequence to abort.
[Connection to 192.168.0.4 closed by foreign host]
Translating "google.com"...domain server (8.8.8.8) (8.8.4.4)
LAN_Switch#show int vl 5
11-12-2016 11:04 AM
Hello,
I am not sure if the syntax is right:
LAN_Switch#ping google.com source vl 5
try
LAN_Switch#ping google.com source 192.168.0.5
11-12-2016 11:08 AM
I get the same error when typing the IP address into the syntax.
LAN_Switch#ping google.com source 192.168.0.5
Translating "google.com"...domain server (8.8.8.8) (8.8.4.4)
^
% Invalid input detected at '^' marker.
11-12-2016 11:17 AM
Hello,
Can you do an extended traceroute with 192.168.0.5 as the source? I am curious to know where the address is being routed...
11-12-2016 11:21 AM
Sure, when I did
LAN_Switch#traceroute
  1 192.168.0.3 0 msec 0 msec 0 msec
11-12-2016 11:36 AM
What device is 192.168.0.3 configured on? It is not one of the routers or the switch...
11-12-2016 11:56 AM
Not really sure why it went to 192.168.0.3, but I'll post
version 15.1
11-12-2016 12:04 PM
Some more useful information, maybe? I did a show
Router 1:
LAN_Router_1#ping google.com source 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.153, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/36 ms
LAN_Router_1#show ip nat trans
LAN_Router_1#show ip nat translations
Pro Inside global         Inside local        Outside local        Outside global
tcp 24.***.***.***:22     192.168.0.1:22      192.168.0.3:59415    192.168.0.3:59415
Router 2:
LAN_Router_2#ping google.com source 192.168.0.2
Type escape sequence to abort.
Router 3:
LAN_Router_3#ping google.com source 192.168.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 24.220.112.24, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/24 ms
LAN_Router_3#show ip nat trans
Pro Inside global         Inside local        Outside local        Outside global
icmp 96.***.***.***:3     192.168.0.3:3       24.220.112.24:3      24.220.112.24:3
LAN_Router_3#
11-12-2016 12:36 PM
Hello,
How is the switch connected to the router, that is, what interfaces on both devices are being used?
11-12-2016 12:43 PM
The interfaces of how the devices are connected:
11-12-2016 01:18 PM
Not sure what was really wrong with my access-list, but that seemed to be the problem.
Here's what my access-list looked like:
access-list 10 permit 192.168.94.32 0.0.0.15 log
access-list 10 permit 192.168.17.0 0.0.0.7 log
access-list 10 permit 192.168.52.0 0.0.0.7 log
access-list 10 permit 192.168.0.0 0.0.0.7 log
access-list 10 deny any log
Here's what I changed it to:
access-list 10 permit 192.168.0.0 0.0.255.255
Can someone elaborate on what the issue is with my previous access-list? Also, if I use the same access-list 10 permit 192.168.0.0 0.0.255.255 with a log and access-list 10 deny any log, I will get the same result of no internet access.
11-12-2016 01:40 PM
Well, I totally forgot about the 'log' keyword and NAT:
Does Cisco IOS NAT support ACLs with a "log" keyword?
A. When you configure Cisco IOS NAT for dynamic NAT translation, an ACL is used to identify packets that can be translated. The current NAT architecture does not support ACLs with a "log" keyword.
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/26704-nat-faq-00.html
So your problem is not the wildcard mask, but the 'log' command...
11-12-2016 01:47 PM
I appreciate that little inside note. I never knew that. I could have sworn my ACL always had a deny any log and worked. (Apparently not.) Thanks for all your help with this issue, it is greatly appreciated, and I even learned something new. The wonders of troubleshooting.