
2951 Routing Issues

jbatchos1
Level 1

I have a 2951 and I'm trying to consolidate from 2 ISP connections down to 1. Current setup is 1 ISP is strictly for guest access, the other is for internal office access.

From the console I can ping all interfaces, clients on each interface and I can ping to the outside world. If I put my computer on the guest interface (gig0/1) or the office interface (gig0/2), I can ping only to the local interface I am connected to.

Example. When connected to interface gig0/1 I can ping 10.1.8.1 (ip of int gig0/1) and that's it.

The router config is vanilla, no access-lists, etc. I pulled it out, configured the hostname, interfaces, and set an IP route.

Show IP route and Show Run to follow.

Gateway of last resort is 192.168.10.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.10.1

      10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks

C        10.1.0.0/24 is directly connected, GigabitEthernet0/2

L        10.1.0.7/32 is directly connected, GigabitEthernet0/2

C        10.1.8.0/21 is directly connected, GigabitEthernet0/1

L        10.1.8.1/32 is directly connected, GigabitEthernet0/1

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.10.0/24 is directly connected, GigabitEthernet0/0

L        192.168.10.2/32 is directly connected, GigabitEthernet0/0

Building configuration...

Current configuration : 4487 bytes

!

! Last configuration change at 09:22:28 Eastern Thu Nov 7 2013 by admin

! NVRAM config last updated at 09:24:02 Eastern Thu Nov 7 2013 by admin

! NVRAM config last updated at 09:24:02 Eastern Thu Nov 7 2013 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname XXXX

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

clock timezone Eastern -5 0

clock summer-time Eastern recurring

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3345044724

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3345044724

revocation-check none

rsakeypair TP-self-signed-3345044724

!

!

crypto pki certificate chain TP-self-signed-3345044724

certificate self-signed 01

  <REMOVED>

        quit

no ipv6 cef

ip source-route

ip cef

!

!

ip domain name <REMOVED>

ip name-server 8.8.8.8

ip name-server 8.8.4.4

!

multilink bundle-name authenticated

!

!

voice-card 0

!

!

license udi pid CISCO2951/K9 sn <REMOVED>

hw-module pvdm 0/0

!

username <REMOVED>

username <REMOVED>

!

redundancy

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description GATEWAY

ip address 192.168.10.2 255.255.255.0

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

description GUEST Network

ip address 10.1.8.1 255.255.248.0

duplex auto

speed auto

!

interface GigabitEthernet0/2

description OFFICE Network

ip address 10.1.0.7 255.255.255.0

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 192.168.10.1

!

!

access-list 199 permit ip any any

!

!

nls resp-timeout 1

cpd cr-id 1

!

!

control-plane

!

!

mgcp profile default

!

!

gatekeeper

shutdown

!

!

line con 0

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp server 64.113.32.5 prefer

ntp server 216.171.148.102

end


Richard Burts
Hall of Fame

The first thing that I notice is that there is not any address translation configured. Typically when you are connected through an ISP you would translate your inside traffic as it went through the interface to the ISP. But I also notice that your interface to the ISP is using private address space. So perhaps the ISP is handling the address translation?

I am not clear about part of the problem that you describe. If you put your PC in the guest network (perhaps with address 10.1.8.10) you can ping only 10.1.8.1? Am I correct in understanding that you could not ping the office network interface at 10.1.0.7? If that is the case then it suggests that your problem is that your PC does not have a correct default gateway configured (which should have been 10.1.8.1 in the example that I suggest).

HTH

Rick


Rick,

You are correct, the Comcast Modem handles the address translation.

Yes, I connected directly to gig0/1 to rule out any other equipment issues.

I assigned the following to my NIC:

IP: 10.1.8.2

Mask: 255.255.248.0

Gateway: 10.1.8.1

I could only ping 10.1.8.1; if I tried to ping the IP address of any of the other router interfaces it would time out.

Thanks,

Jason

Jason

Thank you for the additional information. This does seem odd. I have several things that I would like you to post in hopes that they might help us find the reason for this. Please post the output for the following commands

show run | include route

show ip protocol

show ip interface brief

HTH

Rick


Router#sh run | include route

ip route 0.0.0.0 0.0.0.0 192.168.10.1

Router#sh ip protocol

*** IP Routing is NSF aware ***

Router#sh ip int brief

Interface                  IP-Address      OK? Method Status                Protocol

Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down   

GigabitEthernet0/0         192.168.10.2    YES manual up                    up     

GigabitEthernet0/1         10.1.8.1        YES NVRAM  down                  down   

GigabitEthernet0/2         10.1.0.7        YES NVRAM  up                    up     

Guardian#

Gig0/1 is down because I had it plugged directly into my computer and when I left I forgot to plug back in.

Jason

Thank you for the information that I requested. Unfortunately it does not show me the issue. So I have another request. Please connect your PC and configure as before. Try the ping to all 3 router interface addresses. Then from the router do show arp and post the output.

HTH

Rick


Rick,

I was able to ping each router interface but nothing past the interface.

Here's the output of Show arp. Bolded line is the machine I was on when I pinged the interface IPs.

Router#sh arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.1.0.2                0   0016.e021.6da1  ARPA   GigabitEthernet0/2

Internet  10.1.0.7                -   10f3.11cb.a662  ARPA   GigabitEthernet0/2

Internet  10.1.0.8                0   20fd.f182.8801  ARPA   GigabitEthernet0/2

Internet  10.1.0.14              95   a44c.111d.cc90  ARPA   GigabitEthernet0/2

Internet  10.1.0.30               1   3c07.543d.4e5a  ARPA   GigabitEthernet0/2

Internet  10.1.0.36              16   5855.ca4c.503d  ARPA   GigabitEthernet0/2

Internet  10.1.0.78              59   f81e.dfe6.bb12  ARPA   GigabitEthernet0/2

Internet  10.1.0.88             129   109a.ddb3.0f0d  ARPA   GigabitEthernet0/2

Internet  10.1.0.90              74   68a8.6d4e.1ff2  ARPA   GigabitEthernet0/2

Internet  10.1.0.96               0   001c.b3bd.2aa7  ARPA   GigabitEthernet0/2

Internet  10.1.0.101              0   001b.6305.332d  ARPA   GigabitEthernet0/2

Internet  10.1.0.107            233   0016.cb06.804e  ARPA   GigabitEthernet0/2

Internet  10.1.0.120             16   98d6.bb1d.eab9  ARPA   GigabitEthernet0/2

Internet  10.1.0.121              4   e4ce.8f53.c42d  ARPA   GigabitEthernet0/2

Internet  10.1.0.123             55   c8e0.eb18.b193  ARPA   GigabitEthernet0/2

Internet  10.1.0.127             73   b8e8.5632.269a  ARPA   GigabitEthernet0/2

Internet  10.1.0.129             17   f4f1.5a21.f8f7  ARPA   GigabitEthernet0/2

Internet  10.1.0.134              3   a820.664c.b49c  ARPA   GigabitEthernet0/2

Internet  10.1.0.140              0   0019.e3d9.c1f7  ARPA   GigabitEthernet0/2

Internet  10.1.0.156             55   28cf.e91c.f493  ARPA   GigabitEthernet0/2

Internet  10.1.0.159             51   64a3.cb39.07f4  ARPA   GigabitEthernet0/2

Internet  10.1.0.161             92   7cc5.3707.0c76  ARPA   GigabitEthernet0/2

Internet  10.1.0.163             76   001e.641d.c750  ARPA   GigabitEthernet0/2

Internet  10.1.0.164             94   c86f.1d4c.d095  ARPA   GigabitEthernet0/2

Internet  10.1.0.165              6   189e.fcc5.a1a6  ARPA   GigabitEthernet0/2

Internet  10.1.0.167             34   d023.db76.0aae  ARPA   GigabitEthernet0/2

Internet  10.1.0.174             16   b878.2e57.bc46  ARPA   GigabitEthernet0/2

Internet  10.1.0.192              7   786c.1ca7.d461  ARPA   GigabitEthernet0/2

Internet  10.1.0.208             74   8c2d.aa3b.d8e3  ARPA   GigabitEthernet0/2

Internet  10.1.0.219            130   a888.08a2.4dc0  ARPA   GigabitEthernet0/2

Internet  10.1.8.1                -   10f3.11cb.a661  ARPA   GigabitEthernet0/1

Internet  10.1.8.2                0   0010.4bc6.08aa  ARPA   GigabitEthernet0/1

Internet  10.1.8.7               23   b817.c211.4faf  ARPA   GigabitEthernet0/1

Internet  10.1.8.8                0   9027.e442.be6f  ARPA   GigabitEthernet0/1

Internet  10.1.8.10              35   5c96.9d47.e04e  ARPA   GigabitEthernet0/1

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.1.8.11               1   3423.ba77.db85  ARPA   GigabitEthernet0/1

Internet  10.1.8.12               0   101c.0c9b.87ba  ARPA   GigabitEthernet0/1

Internet  10.1.8.15               0   f0cb.a134.c1ab  ARPA   GigabitEthernet0/1

Internet  10.1.8.16              79   9072.40b0.2f51  ARPA   GigabitEthernet0/1

Internet  10.1.8.20              44   c86f.1d4c.d095  ARPA   GigabitEthernet0/1

Internet  10.1.8.21              68   8485.0677.ef5b  ARPA   GigabitEthernet0/1

Internet  10.1.8.23              12   b817.c23d.4705  ARPA   GigabitEthernet0/1

Internet  10.1.8.25               0   2cb4.3a64.b49c  ARPA   GigabitEthernet0/1

Internet  10.1.8.26               0   30f7.c5ce.56ef  ARPA   GigabitEthernet0/1

Internet  10.1.8.27               0   1cab.a7a6.21c2  ARPA   GigabitEthernet0/1

Internet  10.1.8.28               0   e4ce.8f1a.8ebc  ARPA   GigabitEthernet0/1

Internet  10.1.8.29               0   6420.0c54.c724  ARPA   GigabitEthernet0/1

Internet  10.1.8.30               0   d023.db76.0aae  ARPA   GigabitEthernet0/1

Internet  10.1.8.31               0   9494.2680.71c8  ARPA   GigabitEthernet0/1

Internet  10.1.8.33               0   7cc5.3707.0c76  ARPA   GigabitEthernet0/1

Internet  10.1.8.34              54   189e.fcc5.a1a6  ARPA   GigabitEthernet0/1

Internet  10.1.8.35               0   24ab.81b6.22f8  ARPA   GigabitEthernet0/1

Internet  10.1.8.36               6   bc52.b70f.3a71  ARPA   GigabitEthernet0/1

Internet  192.168.10.1           75   78cd.8e65.75e2  ARPA   GigabitEthernet0/0

Internet  192.168.10.2            -   10f3.11cb.a660  ARPA   GigabitEthernet0/0

Internet  192.168.10.11          84   0008.c71b.2837  ARPA   GigabitEthernet0/0

Jason

Thank you for this additional information.

In a previous post you told us (or at least that is what I understood) that you could ping only the router interface to which you were connected. If now you ping the other router interfaces then we are making progress.

Just to make sure that I am understanding correctly - this time you were on a different interface and with a different address than in your previous post. You could ping any of the router interfaces but could not ping anything beyond the router interface.

So you were using address 10.1.0.30 and if you tried to ping 10.1.8.7 it would fail? If so then I have something I would like you to try.

- from the router ping 10.1.8.7. (just to verify that this device does answer to ping)

- from the router do an extended ping. In the extended ping the target address is 10.1.8.7 and the source address should be 10.1.0.7. This will validate whether the device will respond to ping from a remote address.

HTH

Rick


Rick,

Yes you are correct, we are 1 step further than before as I could not ping the interface IPs but I can now.

and now we're getting even closer....

If I sit on computer 10.1.0.30 and I ping 10.1.8.2 I do in fact get a reply!

If I do an extended ping on the router and ping 10.1.0.30 and set the interface to gig0/1(10.1.8.1) I get a reply!!

If I do an extended ping to 10.1.0.30 and set the interface to gig0/0 (192.168.10.2, and this is my gateway connection) it fails.

so I have an issue with gig0/0..

Jason

It certainly does seem like we are making progress. Though I am quite surprised at the recent iteration of the problem. I am not sure that gig0/0 is the problem. It is specified as the source address but is not really involved in sending the ping and only indirectly involved in receiving the response. Would you please post these outputs from your PC

ipconfig /all 

route print

HTH

Rick


Rick,

Agreed but one other thing to add is that I cannot ping any address on the other side of gig0/0 from the other 2 router interfaces, or from my connected mac.

Couple of things. I'm using a mac and in order to keep the office working I had to leave them connected as is.

So what I did was create a couple of static routes on the mac;

I did a netstat -r on the mac and here's the information for the 2 routes I added:

Destination        Gateway            Flags        Refs      Use   Netif     Expire

10.1.8/21           10.1.0.7            UGSc            0        38      en0

192.168.10         10.1.0.7            UGSc            0        30      en0

Jason

Thanks. I am not sure that creating the routes gives us anything significant. I was hoping to get some clarification of whether there might be some issue on the PC (bad mask, bad gateway, some route that made 192.168 unreachable, etc). (and I certainly had my Windows set of assumptions in place as I asked for PC information - sorry)

Let me take a somewhat different tack. Am I correct in assuming that traffic is going from your network out to the Internet successfully? And that perhaps this issue has more to do with ping operation than it does with basic IP connectivity?

HTH

Rick


Rick,

I wish I could say that's true but it's not. I have a pc on the 10.1.8.0 network with Logmein installed on it. In the console, it's been offline ever since I switched the network over to go through the router. So I know that no traffic is getting passed through.

Jason

Jason

I am noticing your phrase that it has not worked since you switched the network over to the router. Which leads me to assume that this router and/or the connection to Comcast is new. Is that correct?

I have read through the thread again and see that in your original post you say that you are able to ping to resources in the Internet from the router itself but not from other devices. This gives me an idea about what the problem may be. I am thinking that Comcast is doing address translation for network 192.168.10.0 but not translating for addresses in network 10. You might ask them about it. Or you might just try configuring address translation on your router. It could be quite simple and might look something like this

access-list 10 permit 10.1.0.0 0.0.0.255

access-list 10 permit 10.1.8.0 0.0.7.255

ip nat inside source list 10 interface gi0/0 overload

HTH

Rick
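The reasoning in the post above, as an added example that is not part of the original thread: a small Python model of which source addresses the upstream modem can answer, with and without the suggested `access-list 10` overload NAT. That the modem only knows 192.168.10.0/24 is an assumption taken from the hypothesis in the post, and the function names are hypothetical.

```python
import ipaddress

# access-list 10 entries from the post above: (network, wildcard mask)
ACL_10 = [("10.1.0.0", "0.0.0.255"), ("10.1.8.0", "0.0.7.255")]
NAT_OUTSIDE_ADDR = "192.168.10.2"  # GigabitEthernet0/0 address from the posted config
# Assumption (the hypothesis in the post): the upstream modem can only
# translate and return traffic for its own LAN subnet.
UPSTREAM_KNOWN = [ipaddress.ip_network("192.168.10.0/24")]


def acl_permits(src, acl=ACL_10):
    """Standard-ACL match: bits set in the wildcard mask are ignored."""
    s = int(ipaddress.ip_address(src))
    for net, wildcard in acl:
        n = int(ipaddress.ip_address(net))
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (s & care) == (n & care):
            return True
    return False  # implicit deny at the end of every ACL


def source_seen_upstream(src, nat_enabled):
    """Source address the modem sees once the packet leaves the router."""
    if nat_enabled and acl_permits(src):
        return NAT_OUTSIDE_ADDR  # overload (PAT) rewrites to the outside address
    return src


def reply_can_return(src, nat_enabled):
    """True if the upstream device can deliver a reply to the address it saw."""
    seen = ipaddress.ip_address(source_seen_upstream(src, nat_enabled))
    return any(seen in net for net in UPSTREAM_KNOWN)


def report(hosts):
    """Map each host to (reply without NAT, reply with NAT)."""
    return {h: (reply_can_return(h, False), reply_can_return(h, True)) for h in hosts}


if __name__ == "__main__":
    # Addresses from the thread: router outside interface, office host, guest host.
    hosts = ["192.168.10.2", "10.1.0.30", "10.1.8.2"]
    for host, (plain, natted) in report(hosts).items():
        print(f"{host:14} reply without NAT: {plain!s:5}  with NAT: {natted}")
```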


Rick,

That's a good thought...and I configured it and tried it, but still no luck.

We have a big conference we're putting on today and services saturday and sunday so I had to put things "back the way they were" for now. I'll have to pick this back up Monday. If you think of anything else I should try, let me know and I'll try it out on Monday morning.

Thanks for all your help

Jason
