10-22-2014 06:37 AM - edited 03-07-2019 09:12 PM
Hi all,
It has been a long time since I configured a Cisco router but have been asked to as I am the only one with any sort of background in this in our organisation.
I have put a Cisco 1921 on our network for one specific server to access an external network via a serial connection. However, I have configured this and it is on a switch that the server in question is on.
I am accessing the router via a console cable and cannot ping anything on this network; however, the ARP table is being populated by devices on the network.
Sorry if this is an obvious mistake, but I am a bit stumped myself.
Thanks for any advice
The config is -
xxxxxxxxx#show run
Building configuration...
Current configuration : 2610 bytes
!
! Last configuration change at 12:39:01 UTC Wed Oct 22 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 4 xxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1802C4VH
!
!
object-group network Ext_svr
host x.x.x.5
!
object-group network Int_svr
host 10.10.9.10
!
username admin secret 4 xxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 10.10.9.100 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Serial0/0/0
description Link to xxxxxx
ip address 10.x.x.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 10.x.x.x.5 10.10.9.100
ip route x.x.x.199 255.255.255.255 10.x.x.6
!
access-list 101 permit tcp object-group Int_svr object-group Ext_svr eq 6006
access-list 101 permit icmp object-group Int_svr object-group Ext_svr echo
access-list 101 deny ip any any
!
!
!
control-plane
!
!
banner login ^CCCCC
-----------------------------------------------------------------------
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
-----------------------------------------------------------------------
^C
!
line con 0
login local
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 xxxxxxxxxxxxxxx
login
transport input all
!
scheduler allocate 20000 1000
!
end
10-22-2014 07:07 AM
Let me start with an observation. I understand the need to sometimes obscure addressing when posting in public forums. But since you are already using private network 10.0.0.0 what are you protecting by doing 10.x.x.5? It makes it more difficult to read and understand the config and does not increase the security of your network.
The reason why you cannot ping anything is that when you send the ping request you expect to receive a ping reply. But your access list on the interface is not allowing the ping reply.
HTH
Rick
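The diagnosis above can be checked by walking access-list 101 first-match, the way IOS evaluates it inbound on GigabitEthernet0/1. This is an added example, not code from the thread: 192.0.2.5 is a constructed placeholder for the masked Ext_svr address, 10.10.9.20 is a constructed LAN host, and `REPLY_ENTRY` is a hypothetical extra entry shown only to illustrate the effect of permitting echo-reply.

```python
import ipaddress

# Constructed placeholder: the post masks Ext_svr as x.x.x.5; 192.0.2.5 stands in.
GROUPS = {"Int_svr": ["10.10.9.10"], "Ext_svr": ["192.0.2.5"]}
ACL_101 = [  # the three entries from the posted config, applied inbound on Gi0/1
    "access-list 101 permit tcp object-group Int_svr object-group Ext_svr eq 6006",
    "access-list 101 permit icmp object-group Int_svr object-group Ext_svr echo",
    "access-list 101 deny ip any any",
]
# Hypothetical extra entry (not from the thread) admitting replies to the router's own pings.
REPLY_ENTRY = "access-list 101 permit icmp any host 10.10.9.100 echo-reply"

def _addr(tokens):
    """Consume 'any', 'host A' or 'object-group G'; None means any address."""
    kind = tokens.pop(0)
    if kind == "any":
        return None
    name = tokens.pop(0)
    hosts = GROUPS[name] if kind == "object-group" else [name]
    return {ipaddress.ip_address(h) for h in hosts}

def parse(lines):
    rules = []
    for line in lines:
        t = line.split()[2:]                  # drop 'access-list 101'
        action, proto = t.pop(0), t.pop(0)
        src, dst = _addr(t), _addr(t)
        rules.append((action, proto, src, dst, t))   # t is now the qualifier, if any
    return rules

def check(rules, proto, src, dst, dport=None, icmp_type=None):
    """First match wins, as in IOS; returns (action, entry number)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, r_proto, r_src, r_dst, qual) in enumerate(rules, 1):
        if r_proto not in ("ip", proto):
            continue
        if (r_src and src not in r_src) or (r_dst and dst not in r_dst):
            continue
        if qual and r_proto == "tcp" and int(qual[1]) != dport:   # only 'eq N' is modelled
            continue
        if qual and r_proto == "icmp" and qual[0] != icmp_type:
            continue
        return action, n
    return "deny", 0                          # implicit deny that ends every ACL

if __name__ == "__main__":
    # Reply to a console ping: LAN host answering the router's own address.
    reply = dict(proto="icmp", src="10.10.9.20", dst="10.10.9.100", icmp_type="echo-reply")
    print(check(parse(ACL_101), **reply))
    print(check(parse(ACL_101[:2] + [REPLY_ENTRY] + ACL_101[2:]), **reply))
```

ARP frames are not IP packets, so an IP access-group never evaluates them, which is why the ARP table fills while every ping reply is dropped at the final deny.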
10-22-2014 07:04 AM
Hello friend
If I were you I'd start over.
1 - Save that config in the flash "copy running-config flash:current-config"
1 - Configure your interface with the intended IP.
2 - Create a static route pointing to the Gateway of that IP's network.
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX (where the Xs you put the gateway of that network).
3 - After establishing that config, start pinging your network. If it pings, which I believe it will, then you add your access-lists, NATs and such. If you can be more specific about your NATs, I can help you out with it. Please let me know what you're trying to accomplish, and I will be glad to point you in the right direction.
I will be following this issue with you.
10-23-2014 03:30 AM
Hi Richard,
Yes it is the ACLs, I have just put in a permit any in there and all is up, so I will build the ACLs again now.
Thanks