03-05-2014 10:57 AM - edited 03-04-2019 10:30 PM
Router model: C819-HWD-A-K9
IOS ver. 15.2(4)
Public IP address: 12.34.56.78 255.255.255.252 (interface GigabitEthernet0)
Gateway: 12.34.56.77
Private network address: 10.1.1.0 255.255.255.0
Inside interface: 10.1.1.1 (interface FastEthernet0)
From inside of the network, I can ping the inside interface, outside WAN interface and gateway address but nothing beyond that.
From outside the network, I can ping the gateway address but not the outside WAN interface.
My ISP can see my router in their ARP table. But they cannot ping my outside WAN interface. There is probably either a NAT issue, an ACL issue, or both.
I have a minimal configuration. Basically default settings except for DNS, DHCP, and interface settings.
I am a newb, and am sure I am missing something obvious. Any help would be greatly appreciated.
Config is:
ip cef
!
!
ip dhcp pool dpool1
import all
network 10.1.1.0 255.255.255.0
dns-server 24.196.64.53 68.115.71.53
default-router 10.1.1.1
!
!
ip domain name chrisconway.net
ip name-server 24.196.64.53
ip name-server 68.115.71.53
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid C819HWD-A-K9 sn FTX174380LX
!
!
username conway privilege 15 password 0 zeroaccess
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
ip address 12.34.56.78 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 199 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
access-list 199 permit ip any any
no cdp run
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
03-05-2014 11:05 AM
The first thing I would do is tighten up the acl 199 from:
permit ip any any
to:
permit ip 10.1.1.0 0.0.0.255 any
You said they can't ping your wan address on g0? You don't have acls on the interface, so they should be able to. If they can't do that, it's not a natting issue. That's for things going through the router. Can you ping your gateway from the router? Is there anything in front of this router?
HTH,
John
*** Please rate all useful posts ***
03-05-2014 11:06 AM
Hi,
no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 12.34.56.77
no access-list 199 permit ip any any
access-list 199 permit ip 10.1.1.0 0.0.0.255 any
Regards
Alain
Don't forget to rate helpful posts.
03-05-2014 01:17 PM
When the router receives a packet from an inside host, it looks in the routing table for a match based on the destination IP address. It finds the only route (0.0.0.0/0), with next-hop interface gigabit0/1. Because this is not a point-to-point link like xDSL, the router doesn't know where to send the packet.
So you need to reconfigure the router as you've been already instructed (no ip route...., ip route.....).
Regarding ACL: you should always define the most restrictive ACL rules as you can to harden the device, network, data.
03-05-2014 01:18 PM
Hi,
1) setting a static route with an outgoing multipoint interface (like ethernet) can only work if the next-hop is doing proxy-arp, and even if it did, it is highly discouraged for performance issues.
2) NAT ACLs permitting any can cause problems on some IOS versions/platforms
Regards
Alain
Don't forget to rate helpful posts.
03-05-2014 01:19 PM
The default route should point to the next hop IP if at all possible and not out of an interface. With ethernet, pointing the default route out of an interface means it ARPs for every remote address, which is inefficient as it only needs to know the MAC address of the next hop.
Using the source as "any" in a NAT acl can cause issues. Certainly if you used a standard acl with just "any" that can stop NAT working.
So I would change it to the one Alain suggested where you specify the source subnet(s). Using "any" for the destination is fine and is in fact needed for internet access.
Jon
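As an added example (not code from any poster in this thread), a small Python audit that scans IOS running-config text for the two problems Alain and Jon describe: a static route pointing at a multi-access interface with no next-hop IP, and a NAT ACL whose source is "any". The sample lines are taken from the OP's posted config; the next-hop 12.34.56.77 is the gateway given in the question.

```python
import re
import ipaddress

# Constructed sample: only the lines from the OP's config that matter here ("before").
BEFORE = """\
interface GigabitEthernet0
 ip address 12.34.56.78 255.255.255.252
 ip nat outside
ip nat inside source list 199 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
access-list 199 permit ip any any
"""

# The same lines after Alain's fix: next-hop IP instead of interface, source-restricted NAT ACL.
AFTER = BEFORE.replace("ip route 0.0.0.0 0.0.0.0 GigabitEthernet0",
                       "ip route 0.0.0.0 0.0.0.0 12.34.56.77") \
              .replace("access-list 199 permit ip any any",
                       "access-list 199 permit ip 10.1.1.0 0.0.0.255 any")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_ios_config(config):
    """Return a list of findings for the two misconfigurations discussed in the thread."""
    findings = []
    nat_acls = set()
    for line in config.splitlines():
        line = line.strip()
        # Static route forms: "ip route PREFIX MASK NEXTHOP" or "ip route PREFIX MASK IFACE [NEXTHOP]".
        # Flag it when neither token after the mask is an IP address (interface-only route).
        m = re.match(r"ip route (\S+) (\S+) (\S+)(?: (\S+))?", line)
        if m and not _is_ip(m.group(3)) and (m.group(4) is None or not _is_ip(m.group(4))):
            findings.append(f"route to {m.group(1)}/{m.group(2)} points at interface "
                            f"{m.group(3)} with no next-hop IP (relies on proxy ARP)")
        # Remember which ACL numbers/names select traffic for NAT.
        m = re.match(r"ip nat inside source list (\S+) ", line)
        if m:
            nat_acls.add(m.group(1))
    # Second pass: entries of those NAT ACLs whose source is "any" (extended or standard form).
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) permit (?:ip )?any\b", line.strip())
        if m and m.group(1) in nat_acls:
            findings.append(f"NAT ACL {m.group(1)} permits source 'any'")
    return findings
```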
03-05-2014 01:20 PM
Sorry Alain, didn't realise you were online, otherwise I wouldn't have responded.
Jon
03-05-2014 01:42 PM
Hi Jon,
No problem
Regards
Alain
Don't forget to rate helpful posts.
03-05-2014 12:39 PM
I understand the concern about tightening up the ACL. I am just trying to use the most permissive statement to get online first. Then I will harden. Also "permit ip any any" is the default setting of this IOS.
Yes, I can ping the gateway from the router.
Not exactly sure what you mean about anything in front of the router. I just have an ISP modem. Nothing between that and the single router we are discussing.
I too, wonder why I cannot ping my WAN interface from an outside network.
Thanks for your reply.
03-05-2014 12:47 PM
From my limited knowledge, it appears that you are recommending setting a "gateway of last resort" with the ip route statement (ip route 0.0.0.0 0.0.0.0 12.34.56.77).
I thought about this. Did not set this as I am not having any issue pinging the gateway from either the inside or outside.
Also, you are recommending "access-list 199 permit ip 10.1.1.0 0.0.0.255 any".
I thought about this as well. But isn't my existing "access-list 199 permit ip any any" more permissive?
I am very willing and able to try your suggestions. And I really appreciate your help.
I am just curious why my existing config is not working.
03-06-2014 04:48 PM
That was it!
Thanks Cadet!
03-05-2014 01:27 PM
Thanks for the explanation.
I never doubted for a moment that your original response was valid, I just needed for it to make sense to me. Hope you understand.
I am very grateful for your help.
I will apply the fix and let you know the outcome. I will also give you proper credit for your fast and courteous response.
Thank you!!!
03-06-2014 04:51 PM
That was it!
Thanks Jon!