Solved: My Internet Router (2901) is not pinging the Internet

Abdullah Net · ‎01-21-2013

Everything in my network works as a charm. Every host in my vlans can access and ping the internet with no problems. But, my main router does not ping the internet (Pinging either ip "173.194.71.104" or domain "www.google.com" do not work). I don't know how is that possible since my hosts can ping the internet. Below is my main router confiurations

!

hostname Internet_Router

!

boot-start-marker

boot-end-marker

!

enable secret 5 $2$/nHM$yvyxg0xJcN4NDZmArp1yK1

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

voice-card 0

!

hw-module pvdm 0/0

!

hw-module pvdm 0/1

!

redundancy

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description ISP_WAN_INTERFACE

no ip address

load-interval 600

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

interface GigabitEthernet0/1

description LAN_INTERFACE

ip address 192.168.1.1 255.255.255.0

ip nbar protocol-discovery

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

load-interval 600

duplex auto

speed auto

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly in

encapsulation ppp

load-interval 60

dialer pool 1

ppp authentication pap callin

ppp pap sent-username 14356868 password 0 14356868

!

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list 1 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.4.0 255.255.255.0 192.168.1.2

ip route 192.168.10.0 255.255.255.0 192.168.1.2

ip route 192.168.20.0 255.255.255.0 192.168.1.2

ip route 192.168.30.0 255.255.255.0 192.168.1.2

ip route 192.168.40.0 255.255.255.0 192.168.1.2

ip route 192.168.88.0 255.255.255.0 192.168.1.2

!

access-list 1 permit any

access-list 104 permit ip any 192.168.4.0 0.0.0.255

access-list 110 permit ip any 192.168.10.0 0.0.0.255

access-list 120 permit ip any 192.168.20.0 0.0.0.255

access-list 130 permit ip any 192.168.30.0 0.0.0.255

access-list 140 permit ip any 192.168.40.0 0.0.0.255

access-list 188 permit ip any 192.168.88.0 0.0.0.255

!

control-plane

!

mgcp profile default

!

gatekeeper

shutdown

!

alias exec traffic show ip nbar protocol-discovery stats byte-count top-n 25

alias exec policy show policy-map

alias exec classmap show class-map

!

line con 0

logging synchronous

login

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

exec-timeout 30 0

login

transport input all

!

end

cadet alain · ‎01-21-2013

Hi,

then modify the ACL to take into account the other subnets reachable out 192.168.1.2:

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 1 permit 192.168.30.0 0.0.0.255

access-list 1 permit 192.168.40.0 0.0.0.255

access-list 1 permit 192.168.88.0 0.0.0.255

Regards.

Alain

Don't forget to rate helpful posts.

View solution in original post

stephen.stack · ‎01-21-2013

I think firstly pinging the domain www.google.com will not work as the router does not have any name servers configured. I don't know about the ip you gave but try pinging 8.8.8.8 and let us know the results

Regards

Stephen

===============================
Free network configuration management software at www.rconfig.com

Sent from Cisco Technical Support iPhone App

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Abdullah Net · ‎01-21-2013

Stephen,

Internet_Router#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

stephen.stack · ‎01-21-2013

try a traceroute to 8.8.8.8

also send the output of a 'show int di1' and 'show ip nat trans'

Regards

==========================
http://www.rConfig.com

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Abdullah Net · ‎01-21-2013

Stephen,

Internet_Router#tracerout 8.8.8.8

Type escape sequence to abort.

Tracing the route to 8.8.8.8

VRF info: (vrf in name/id, vrf out name/id)

1 * * *

2 * * *

3 * * *

4 * * * (goes on like that to about 30)

Internet_Router#show interface di1

Dialer1 is up, line protocol is up (spoofing)

Hardware is Unknown

Internet address is 178.62.224.43/32

MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,

reliability 255/255, txload 255/255, rxload 255/255

Encapsulation PPP, LCP Closed, loopback not set

Keepalive set (10 sec)

DTR is pulsed for 1 seconds on reset

Interface is bound to Vi2

Last input never, output never, output hang never

Last clearing of "show interface" counters 04:10:22

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: weighted fair

Output queue: 0/1000/64/0 (size/max total/threshold/drops)

Conversations 0/0/16 (active/max active/max total)

Reserved Conversations 0/0 (allocated/max allocated)

Available Bandwidth 42 kilobits/sec

1 minute input rate 5693000 bits/sec, 714 packets/sec

1 minute output rate 3134000 bits/sec, 705 packets/sec

7096261 packets input, 1513576238 bytes

7562390 packets output, 2080280258 bytes

Bound to:

Virtual-Access2 is up, line protocol is up

Hardware is Virtual Access interface

MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,

reliability 255/255, txload 255/255, rxload 255/255

Encapsulation PPP, LCP Open

Stopped: CDPCP

Open: IPCP

PPPoE vaccess, cloned from Dialer1

Vaccess status 0x44, loopback not set

Keepalive set (10 sec)

DTR is pulsed for 5 seconds on reset

Interface is bound to Di1 (Encapsulation PPP)

Last input 00:00:00, output never, output hang never

Last clearing of "show interface" counters 04:10:10

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 5066000 bits/sec, 666 packets/sec

5 minute output rate 2922000 bits/sec, 681 packets/sec

7083831 packets input, 1497574540 bytes, 0 no buffer

Received 0 broadcasts (0 IP multicasts)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

7562410 packets output, 2080291194 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 unknown protocol drops

0 output buffer failures, 0 output buffers swapped out

0 carrier transitions

Internet_Router#show ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 178.62.224.43:64788 192.168.30.11:64788 157.55.236.84:443 157.55.236.84:443

tcp 178.62.224.43:64797 192.168.30.11:64797 95.25.74.4:51413 95.25.74.4:51413

tcp 178.62.224.43:65104 192.168.30.11:65104 195.169.216.49:23877 195.169.216.49:23877

tcp 178.62.224.43:65503 192.168.30.11:65503 181.67.47.167:52291 181.67.47.167:52291

tcp 178.62.224.43:51919 192.168.40.14:51919 17.149.36.112:443 17.149.36.112:443

tcp 178.62.224.43:51923 192.168.40.14:51923 134.170.0.215:443 134.170.0.215:443

tcp 178.62.224.43:10845 192.168.40.25:10845 92.123.229.247:443 92.123.229.247:443

tcp 178.62.224.43:10846 192.168.40.25:10846 92.123.229.247:443 92.123.229.247:443

tcp 178.62.224.43:10847 192.168.40.25:10847 92.123.229.247:443 92.123.229.247:443

tcp 178.62.224.43:10849 192.168.40.25:10849 92.123.229.247:443 92.123.229.247:443

tcp 178.62.224.43:10850 192.168.40.25:10850 212.77.199.216:80 212.77.199.216:80

tcp 178.62.224.43:10851 192.168.40.25:10851 173.194.35.62:443 173.194.35.62:443

tcp 178.62.224.43:10852 192.168.40.25:10852 31.13.64.48:443 31.13.64.48:443

tcp 178.62.224.43:10853 192.168.40.25:10853 31.13.64.48:443 31.13.64.48:443

tcp 178.62.224.43:11623 192.168.40.25:11623 212.77.199.210:80 212.77.199.210:80

tcp 178.62.224.43:11734 192.168.40.25:11734 2.16.124.176:443 2.16.124.176:443

tcp 178.62.224.43:35282 192.168.40.26:35282 173.194.70.188:5228 173.194.70.188:5228

tcp 178.62.224.43:36110 192.168.40.26:36110 173.194.44.50:443 173.194.44.50:443

tcp 178.62.224.43:37610 192.168.40.26:37610 92.123.230.216:443 92.123.230.216:443

tcp 178.62.224.43:41203 192.168.40.26:41203 92.123.230.216:443 92.123.230.216:443

tcp 178.62.224.43:45749 192.168.40.26:45749 173.194.44.51:443 173.194.44.51:443

tcp 178.62.224.43:51346 192.168.40.26:51346 8.29.153.21:80 8.29.153.21:80

tcp 178.62.224.43:60093 192.168.40.26:60093 216.74.41.14:80 216.74.41.14:80

tcp 178.62.224.43:60635 192.168.40.26:60635 173.194.44.52:443 173.194.44.52:443

stephen.stack · ‎01-21-2013

Few more things to try. Please send results

Ping 8.8.8.8 source gig0/1 (ISP connection)
Ping 8.8.8.8 source di1
Ping 8.8.8.8 source gig0/0 (LAN connection)

If none of these work turn on imp debugging with debug ip icmp and run the tests again

Regards

==========================
http://www.rConfig.com

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

Sent from Cisco Technical Support iPhone App

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Abdullah Net · ‎01-21-2013

Stephen,

Internet_Router#Ping 8.8.8.8 source gig0/1 (SUCCESSFUL)

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 136/136/136 ms

Internet_Router#Ping 8.8.8.8 source di1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

Packet sent with a source address of 178.61.224.43

.....

Success rate is 0 percent (0/5)

Internet_Router#Ping 8.8.8.8 source gig 0/0

% Invalid source interface - IP not enabled or interface is down

Regards,

Abdullah Net · ‎01-21-2013

Stephen,

Just a correction, Gig 0/1 is LAN CONNECTION and Gig0/0 is ISP.

Regards,

cadet alain · ‎01-21-2013

Hi,

no access-list 1

access-list 1 permit 192.168.1.0 0.0.0.255

Regards.

Alain

Don't forget to rate helpful posts.

Abdullah Net · ‎01-21-2013

Alain,

Internet_Router(config)#no access-list 1

Internet_Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255

Internet_Router(config)#exit

Internet_Router#ping 8.8.8.8

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 136/136/140 ms

Problem now is hosts cannot access internet.

cadet alain · ‎01-21-2013

Hi,

then modify the ACL to take into account the other subnets reachable out 192.168.1.2:

access-list 1 permit 192.168.4.0 0.0.0.255

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 1 permit 192.168.20.0 0.0.0.255

access-list 1 permit 192.168.30.0 0.0.0.255

access-list 1 permit 192.168.40.0 0.0.0.255

access-list 1 permit 192.168.88.0 0.0.0.255

Regards.

Alain

Don't forget to rate helpful posts.

Abdullah Net · ‎01-21-2013

Alain,

Thank you very much it works along with using "access-list 1 permit 192.168.0.0 0.0.255.255" as a shorter command. Can you explain what the problem was? Why "access-list 1 permit any" did not work?

According to my understanding, "access-list 1 permit any" should allow all subnets to access the internet including those i specified above.

Thanks,

stephen.stack · ‎01-21-2013

Be careful applying this. It will likely break Internet for your other subnets. May well be correct answer but Please provide complete ACL 1 based on full configuration and remaining subnets

==========================
http://www.rConfig.com

A free, open source network device configuration management tool, customizable to your needs!

- Always vote on an answer if you found it helpful

Sent from Cisco Technical Support iPhone App

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful

Abdullah Net · ‎01-21-2013

Alain,

Subnets include (all subnet mask /24)

192.168.4.0

192.168.10.0

192.168.20.0

192.168.30.0

192.168.40.0

I changed your command from "access-list 1 permit 192.168.1.0 0.0.0.255" to "access-list 1 permit 192.168.0.0 0.0.255.255" and everything works perfectly now as i wanted but can you explain what the problem was? According to my understanding, "access-list 1 permit any" should allow all subnets to access the internet including those i specified above.

Regards,

cadet alain · ‎01-21-2013

Hi,

taken from here:http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml

"

Cisco highly recommends that you do not configure access lists referenced by NAT commands with permit any

. Using permit anycan result in NAT consuming too many router resources which can cause network problems."

Don't forget to rate helpful posts.