10-08-2007 12:21 PM - edited 03-03-2019 07:04 PM
From a router's console (Cisco 877) I can ping any server. The router is working as a VPN and working fine. I couldn't tftp to a server until I added "ip tftp source-interface ethernet 0", and it can now; however, I still can't ping this tftp server. Do I need to tell the router how to ICMP?
10-08-2007 12:37 PM
Hi
Try using an extended ping, e.g.
server = 192.168.1.1
router interface is 10.5.1.10
router# ping
frameswitch#ping
Protocol [ip]:
Target IP address: 192.168.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.5.1.10
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
HTH
Jon
10-08-2007 12:44 PM
Andy
I am a bit confused: your first sentence says that you can ping any server. But your last sentence says that you can not ping the tftp server.
The router will default to using as the source address the interface address of the outbound interface. You can change that for tftp by using the tftp source-interface command. You can change that for ping by using extended ping and in the extended commands you can specify the source address as ethernet 0.
My guess is that the default is some other interface as the outbound interface toward the tftp server and that using that address as the source causes (or prevents) traffic to go through the VPN and using ethernet 0 prevents (or causes) traffic to go through the VPN. Perhaps you can clarify the topology and whether the tftp server is reached through the VPN or not.
Based on the symptoms and without knowing what the topology is I am going to make a guess: my guess is that the tftp server is reached through the VPN, and I am going to guess that the access list that identifies traffic to be protected by the VPN specifies traffic with source address in the subnet that is on ethernet 0. If this is not right then please clarify the topology of the network.
HTH
Rick
10-08-2007 02:18 PM
Sorry, that was a typing error: I can't ping any servers through the VPN tunnel. I couldn't tftp either until I added ip tftp source-interface ethernet 0. The servers are all based at the remote site through the con tunnel. I can ping the servers from my laptop but not from the console of the router.
10-08-2007 02:48 PM
Andy
That sounds very much like my guess was right. Can you verify that your VPN setup will process traffic with source address in the subnet of the Ethernet interface and does not process traffic sourced from other interfaces?
HTH
Rick
10-08-2007 09:41 PM
Hi Rick, your assumption is correct again. Let me know if you need the config posted.
10-09-2007 03:02 AM
Andy
Whether we need the config posted depends on whether there is still a question that is not answered. Your original question was about why the router was not able to ping the remote servers. I believe that we have now answered that question and it is because traffic originated from the router and using the default source address of the outbound interface is not included in traffic protected by the VPN.
I believe that the solution if you want the router to be able to ping the servers is to change the access list which identifies traffic to include in VPN to include traffic originated by the router.
So is there still a question that is not answered?
HTH
Rick
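The behaviour this answer describes, modelled as an added example (not part of the original thread and not Andy's configuration): a small evaluator for the access list that selects VPN traffic, showing why a ping sourced from the outbound interface bypasses the tunnel while one sourced from Ethernet 0 does not. All addresses and ACL lines are constructed assumptions; 10.5.1.10 and 192.168.1.1 are borrowed from the extended-ping illustration earlier in the thread, and 203.0.113.2 stands in for the outbound interface address.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported entry: " + line)
    rest, sides = tok[2:], []
    for _ in range(2):
        if rest and rest[0] == "any":
            sides.append((0, 0xFFFFFFFF)); rest = rest[1:]
        elif len(rest) >= 2 and rest[0] == "host":
            sides.append((_ip(rest[1]), 0)); rest = rest[2:]
        elif len(rest) >= 2:
            sides.append((_ip(rest[0]), _ip(rest[1]))); rest = rest[2:]
        else:
            raise ValueError("truncated entry: " + line)
    if rest:
        raise ValueError("trailing tokens: " + line)
    return tok[0], sides[0], sides[1]

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)

def protected(acl, src, dst):
    """True if the first matching entry permits; no match means implicit deny."""
    for line in acl:
        action, s, d = parse_ace(line)
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

# Constructed sample data (assumptions, not taken from the poster's router).
ETH0, OUTBOUND, SERVER = "10.5.1.10", "203.0.113.2", "192.168.1.1"
CRYPTO_ACL = ["permit ip 10.5.1.0 0.0.0.255 192.168.1.0 0.0.0.255"]
FIXED_ACL = CRYPTO_ACL + ["permit ip host 203.0.113.2 192.168.1.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl, src in [("default ping", CRYPTO_ACL, OUTBOUND),
                           ("extended ping, source Ethernet 0", CRYPTO_ACL, ETH0),
                           ("default ping, ACL extended", FIXED_ACL, OUTBOUND)]:
        print(f"{name}: src={src} protected={protected(acl, src, SERVER)}")
```

If the access list is extended this way, the peer at the remote site needs the mirror-image entry so that replies to the router's address are also sent through the tunnel.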
10-09-2007 03:21 AM
Andy
Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read about an issue and can know that they will read an answer that resolved the issue.
I encourage you to continue your participation in the forum.
HTH
Rick
10-09-2007 03:33 AM
You guys help me so much, this is the only real way I can say thanks. I do ask the most basic questions but I really do learn an awful lot.
I am hoping you can help on a netflow post which you have replied to now ;)