01-21-2013 05:22 AM - edited 03-07-2019 11:12 AM
Everything in my network works like a charm. Every host in my VLANs can access and ping the internet with no problems. But my main router does not ping the internet (pinging either IP "173.194.71.104" or domain "www.google.com" does not work). I don't know how that is possible since my hosts can ping the internet. Below is my main router configuration:
!
hostname Internet_Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $2$/nHM$yvyxg0xJcN4NDZmArp1yK1
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
voice-card 0
!
hw-module pvdm 0/0
!
hw-module pvdm 0/1
!
!
!
!
redundancy
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP_WAN_INTERFACE
no ip address
load-interval 600
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description LAN_INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
load-interval 600
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
load-interval 60
dialer pool 1
ppp authentication pap callin
ppp pap sent-username 14356868 password 0 14356868
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.4.0 255.255.255.0 192.168.1.2
ip route 192.168.10.0 255.255.255.0 192.168.1.2
ip route 192.168.20.0 255.255.255.0 192.168.1.2
ip route 192.168.30.0 255.255.255.0 192.168.1.2
ip route 192.168.40.0 255.255.255.0 192.168.1.2
ip route 192.168.88.0 255.255.255.0 192.168.1.2
!
access-list 1 permit any
access-list 104 permit ip any 192.168.4.0 0.0.0.255
access-list 110 permit ip any 192.168.10.0 0.0.0.255
access-list 120 permit ip any 192.168.20.0 0.0.0.255
access-list 130 permit ip any 192.168.30.0 0.0.0.255
access-list 140 permit ip any 192.168.40.0 0.0.0.255
access-list 188 permit ip any 192.168.88.0 0.0.0.255
!
control-plane
!
mgcp profile default
!
gatekeeper
shutdown
!
!
alias exec traffic show ip nbar protocol-discovery stats byte-count top-n 25
alias exec policy show policy-map
alias exec classmap show class-map
!
line con 0
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 30 0
login
transport input all
!
end
01-21-2013 05:29 AM
I think firstly pinging the domain www.google.com will not work as the router does not have any name servers configured. I don't know about the IP you gave, but try pinging 8.8.8.8 and let us know the results.
Regards
Stephen
===============================
Free network configuration management software at www.rconfig.com
Sent from Cisco Technical Support iPhone App
01-21-2013 06:43 AM
Stephen,
Internet_Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
01-21-2013 06:49 AM
try a traceroute to 8.8.8.8
also send the output of a 'show int di1' and 'show ip nat trans'
Regards
==========================
http://www.rConfig.com
A free, open source network device configuration management tool, customizable to your needs!
- Always vote on an answer if you found it helpful
01-21-2013 08:49 AM
Stephen,
Internet_Router#tracerout 8.8.8.8
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * * (goes on like that to about 30)
Internet_Router#show interface di1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address is 178.62.224.43/32
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 255/255, rxload 255/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Interface is bound to Vi2
Last input never, output never, output hang never
Last clearing of "show interface" counters 04:10:22
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
1 minute input rate 5693000 bits/sec, 714 packets/sec
1 minute output rate 3134000 bits/sec, 705 packets/sec
7096261 packets input, 1513576238 bytes
7562390 packets output, 2080280258 bytes
Bound to:
Virtual-Access2 is up, line protocol is up
Hardware is Virtual Access interface
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 255/255, rxload 255/255
Encapsulation PPP, LCP Open
Stopped: CDPCP
Open: IPCP
PPPoE vaccess, cloned from Dialer1
Vaccess status 0x44, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 5 seconds on reset
Interface is bound to Di1 (Encapsulation PPP)
Last input 00:00:00, output never, output hang never
Last clearing of "show interface" counters 04:10:10
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 5066000 bits/sec, 666 packets/sec
5 minute output rate 2922000 bits/sec, 681 packets/sec
7083831 packets input, 1497574540 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
7562410 packets output, 2080291194 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
0 carrier transitions
Internet_Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 178.62.224.43:64788 192.168.30.11:64788 157.55.236.84:443 157.55.236.84:443
tcp 178.62.224.43:64797 192.168.30.11:64797 95.25.74.4:51413 95.25.74.4:51413
tcp 178.62.224.43:65104 192.168.30.11:65104 195.169.216.49:23877 195.169.216.49:23877
tcp 178.62.224.43:65503 192.168.30.11:65503 181.67.47.167:52291 181.67.47.167:52291
tcp 178.62.224.43:51919 192.168.40.14:51919 17.149.36.112:443 17.149.36.112:443
tcp 178.62.224.43:51923 192.168.40.14:51923 134.170.0.215:443 134.170.0.215:443
tcp 178.62.224.43:10845 192.168.40.25:10845 92.123.229.247:443 92.123.229.247:443
tcp 178.62.224.43:10846 192.168.40.25:10846 92.123.229.247:443 92.123.229.247:443
tcp 178.62.224.43:10847 192.168.40.25:10847 92.123.229.247:443 92.123.229.247:443
tcp 178.62.224.43:10849 192.168.40.25:10849 92.123.229.247:443 92.123.229.247:443
tcp 178.62.224.43:10850 192.168.40.25:10850 212.77.199.216:80 212.77.199.216:80
tcp 178.62.224.43:10851 192.168.40.25:10851 173.194.35.62:443 173.194.35.62:443
tcp 178.62.224.43:10852 192.168.40.25:10852 31.13.64.48:443 31.13.64.48:443
tcp 178.62.224.43:10853 192.168.40.25:10853 31.13.64.48:443 31.13.64.48:443
tcp 178.62.224.43:11623 192.168.40.25:11623 212.77.199.210:80 212.77.199.210:80
tcp 178.62.224.43:11734 192.168.40.25:11734 2.16.124.176:443 2.16.124.176:443
tcp 178.62.224.43:35282 192.168.40.26:35282 173.194.70.188:5228 173.194.70.188:5228
tcp 178.62.224.43:36110 192.168.40.26:36110 173.194.44.50:443 173.194.44.50:443
tcp 178.62.224.43:37610 192.168.40.26:37610 92.123.230.216:443 92.123.230.216:443
tcp 178.62.224.43:41203 192.168.40.26:41203 92.123.230.216:443 92.123.230.216:443
tcp 178.62.224.43:45749 192.168.40.26:45749 173.194.44.51:443 173.194.44.51:443
tcp 178.62.224.43:51346 192.168.40.26:51346 8.29.153.21:80 8.29.153.21:80
tcp 178.62.224.43:60093 192.168.40.26:60093 216.74.41.14:80 216.74.41.14:80
tcp 178.62.224.43:60635 192.168.40.26:60635 173.194.44.52:443 173.194.44.52:443
01-21-2013 09:28 AM
Few more things to try. Please send results
Ping 8.8.8.8 source gig0/1 (ISP connection)
Ping 8.8.8.8 source di1
Ping 8.8.8.8 source gig0/0 (LAN connection)
If none of these work, turn on ICMP debugging with debug ip icmp and run the tests again.
Regards
01-21-2013 09:35 AM
Stephen,
Internet_Router#Ping 8.8.8.8 source gig0/1 (SUCCESSFUL)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/136/136 ms
Internet_Router#Ping 8.8.8.8 source di1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 178.61.224.43
.....
Success rate is 0 percent (0/5)
Internet_Router#Ping 8.8.8.8 source gig 0/0
% Invalid source interface - IP not enabled or interface is down
Regards,
01-21-2013 09:38 AM
Stephen,
Just a correction, Gig 0/1 is LAN CONNECTION and Gig0/0 is ISP.
Regards,
01-21-2013 09:47 AM
Hi,
no access-list 1
access-list 1 permit 192.168.1.0 0.0.0.255
Regards.
Alain
Don't forget to rate helpful posts.
01-21-2013 09:52 AM
Alain,
Internet_Router(config)#no access-list 1
Internet_Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Internet_Router(config)#exit
Internet_Router#ping 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 136/136/140 ms
Problem now is hosts cannot access internet.
01-21-2013 10:05 AM
Hi,
then modify the ACL to take into account the other subnets reachable out 192.168.1.2:
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 1 permit 192.168.88.0 0.0.0.255
Regards.
Alain
Don't forget to rate helpful posts.
01-21-2013 10:10 AM
Alain,
Thank you very much, it works, along with using "access-list 1 permit 192.168.0.0 0.0.255.255" as a shorter command. Can you explain what the problem was? Why did "access-list 1 permit any" not work?
According to my understanding, "access-list 1 permit any" should allow all subnets to access the internet, including those I specified above.
Thanks,
01-21-2013 09:54 AM
Be careful applying this. It will likely break Internet for your other subnets. It may well be the correct answer, but please provide the complete ACL 1 based on the full configuration and remaining subnets.
01-21-2013 10:00 AM
Alain,
Subnets include (all subnet mask /24)
192.168.4.0
192.168.10.0
192.168.20.0
192.168.30.0
192.168.40.0
I changed your command from "access-list 1 permit 192.168.1.0 0.0.0.255" to "access-list 1 permit 192.168.0.0 0.0.255.255" and everything works perfectly now as I wanted, but can you explain what the problem was? According to my understanding, "access-list 1 permit any" should allow all subnets to access the internet, including those I specified above.
Regards,
01-21-2013 10:10 AM
Hi,
Taken from here: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml
"Cisco highly recommends that you do not configure access lists referenced by NAT commands with permit any. Using permit any can result in NAT consuming too many router resources which can cause network problems."
Don't forget to rate helpful posts.
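An added example, not part of any post in this thread: a small Python audit that finds standard ACLs referenced by `ip nat inside source list` that contain `permit any`, and proposes explicit entries built from the `ip nat inside` interface network and the subnets statically routed behind it. The sample configuration is constructed from lines of the router configuration posted above; the function name `audit_nat_acls` is hypothetical.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines taken from the configuration in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.30.0 255.255.255.0 192.168.1.2
ip route 192.168.40.0 255.255.255.0 192.168.1.2
access-list 1 permit any
"""

def audit_nat_acls(config):
    """Return (NAT ACL ids containing 'permit any', suggested replacement lines)."""
    lines = [ln.strip() for ln in config.splitlines()]
    nat_acls = {m.group(1) for ln in lines
                if (m := re.match(r"ip nat inside source list (\S+) ", ln))}
    flagged = sorted(a for a in nat_acls if f"access-list {a} permit any" in lines)

    # Networks directly connected to interfaces marked "ip nat inside".
    inside, block = [], []
    for ln in lines + ["!"]:
        if ln.startswith("interface ") or ln == "!":
            if "ip nat inside" in block:
                for b in block:
                    m = re.match(r"ip address (\d\S+) (\d\S+)$", b)
                    if m:
                        inside.append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            block = []
        else:
            block.append(ln)

    # Subnets reached through a next hop that sits on an inside network.
    routed = []
    for ln in lines:
        m = re.match(r"ip route (\d\S+) (\d\S+) (\d+\.\d+\.\d+\.\d+)$", ln)
        if m and any(ipaddress.ip_address(m.group(3)) in n for n in inside):
            routed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))

    suggested = [f"access-list {a} permit {n.network_address} {n.hostmask}"
                 for a in flagged for n in inside + routed]
    return flagged, suggested
```

On a router the flagged list would be cleared with `no access-list <id>` before the suggested lines are entered, as was done in the thread.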