08-26-2009 11:16 AM - edited 03-06-2019 07:26 AM
Hi everyone, I'm a newbie with Cisco systems but I'm actually excited to work with this brand. I have a 2600 router and I'm doing a little lab testing, but I actually don't know that much about routing. I have a static IP 64.x.x.x provided by Verizon and I'm trying to connect to the Internet from the router. I made the basic configuration but I couldn't solve it. Here's my show run:
RPrueba2#s
00:14:17: %SYS-5-CONFIG_I: Configured from console by consoleh run
Building configuration...
Current configuration : 1130 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RPrueba2
!
logging buffered 51200 warnings
enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70
!
username supervisor privilege 15 password 7 07062F49420C1A110513
voice-card 1
!
ip subnet-zero
!
!
ip name-server 198.x.x.x
ip name-server 198.x.x.x
!
!
call rsvp-sync
!
!
!
!
!
!
controller E1 1/0
!
!
!
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 64.x.x.x 255.x.x.x
ip access-group 1 out
ip nat outside
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
interface Serial0/2
no ip address
shutdown
!
!
ip default-gateway 64.x.x.x
ip classless
ip http server
!
!
!
!
!
!
!
!
!
access-list 1 permit 192.168.250.0 0.0.0.255
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
password 7 020F0A5E07030C355E4F
login
line aux 0
line vty 0 4
privilege level 15
password 7 12100B121E0E0F10382A
login
transport input telnet ssh
!
end
I think it has something to do with the NAT addressing, but I'm not so sure. Any thoughts?
Thanks
Gustavo
08-26-2009 12:46 PM
Hi Gustavo,
What's the trouble? Also where is your nat statement which you applied yesterday?
ip nat inside source list 1 interface FastEthernet0/1 overload
08-26-2009 01:14 PM
Gustavo
I see several issues in your config:
- you have configured ip default-gateway but have not configured a default route. The default-gateway is used only if the router is acting as an IP host (if you configure no ip routing). Otherwise the router needs a default route. Probably it should look something like
ip route 0.0.0.0 0.0.0.0 64.x.x.x
- you are using unregistered/private addressing on your inside interface (192.168.250.0). For unregistered/private addresses to access the Internet you need to translate the addresses. You have the beginnings with ip nat inside and ip nat outside configured on the interfaces. But you need to configure a translation for the traffic (probably using overload to achieve PAT which needs only the single outside IP address to translate).
- the access list assigned to the outside interface will permit traffic only if the source address is the unregistered/private addresses
access-list 1 permit 192.168.250.0 0.0.0.255
but if the addresses are translated then they will not match the access list.
HTH
Rick
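The three issues listed in the reply above, expressed as an offline check over a saved running-config. This is an added example, not part of the original thread: the function names and the sample config (constructed from the relevant lines of the first posted config, addresses masked as on the page) are assumptions, and only standard numbered ACLs are handled.

```python
import ipaddress

# Constructed sample: relevant lines of the first posted config (addresses masked as on the page).
SAMPLE = """\
interface FastEthernet0/0
ip address 192.168.250.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1
ip address 64.x.x.x 255.x.x.x
ip access-group 1 out
ip nat outside
!
ip default-gateway 64.x.x.x
access-list 1 permit 192.168.250.0 0.0.0.255
"""

def parse(config):
    """Return (global lines, {interface: lines}); an interface block ends at '!'."""
    globals_, interfaces, current = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line in ("", "!"):
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None:
            current.append(line)
        else:
            globals_.append(line)
    return globals_, interfaces

def only_private_sources(globals_, acl):
    """True if every permit entry of standard ACL `acl` is a private (RFC 1918) network."""
    entries = [g.split()[3:] for g in globals_ if g.startswith(f"access-list {acl} permit ")]
    try:
        return bool(entries) and all(
            len(e) == 2 and ipaddress.ip_network("/".join(e)).is_private for e in entries)
    except ValueError:  # masked or malformed address: cannot classify, do not flag
        return False

def audit(config):
    globals_, interfaces = parse(config)
    findings = []
    has = lambda prefix: any(g.startswith(prefix) for g in globals_)
    if has("ip default-gateway ") and not has("ip route 0.0.0.0 0.0.0.0 ") and not has("no ip routing"):
        findings.append("ip default-gateway set but no default route")
    outside = {n: ls for n, ls in interfaces.items() if "ip nat outside" in ls}
    if outside and any("ip nat inside" in ls for ls in interfaces.values()) and not has("ip nat inside source "):
        findings.append("NAT interfaces marked but no 'ip nat inside source' rule")
    for name, lines in outside.items():
        for parts in (l.split() for l in lines):
            if parts[:2] == ["ip", "access-group"] and parts[-1] == "out" and only_private_sources(globals_, parts[2]):
                findings.append(f"{name}: outbound ACL {parts[2]} permits only private sources, which NAT rewrites")
    return findings
```

Running `audit(SAMPLE)` reports all three conditions; a config with a default route, a translation rule, and no outbound ACL on the outside interface returns an empty list.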
08-26-2009 01:56 PM
Ok guys, I applied all of the changes that you advised. To make sure that there is no confusion, I will explain again. I have two routers, but now I'm configuring the one that needs to access through a static IP address that Verizon provides us. The router I was configuring yesterday works perfectly with the external ADSL (thanks a lot for that help). Now I applied the same configuration on this router except for the IP address on int FE0/1, which is now static. This is how my current show run looks:
RPrueba#sh run
Building configuration...
*Aug 26 21:41:32.763: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 1593 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vfRW$/6f78MDPeEJ.72MUuKaFs1
enable password 7 000D1D03085E08121D201C1D
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
!
!
ip cef
!
!
ip name-server 198.6.1.5
ip name-server 198.6.1.142
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username supervisor privilege 15 secret 5 $1$5KuU$Z2Q2HtUSLD2XP/QO/1Qpw.
!
!
controller E1 0/1/0
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.240.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 64.116.x.x 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.116.x.x
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.240.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password 7 151B0509082F28303A32
line aux 0
line vty 0 4
password 7 000D1D03085E08121D20
authorization exec local_author
login authentication local_authen
!
scheduler allocate 20000 1000
!
end
When I applied it, it didn't work; I couldn't ping any address on the Internet. I know it doesn't make sense but that's the trouble I have.
Gustavo
08-26-2009 03:22 PM
Gustavo, a few things.
From where are you sourcing your ping? First you should verify that you can ping Internet addresses sourcing from your outside interface f0/1. This will verify connectivity with the carrier. The next thing is to verify ping sourcing from the inside interface f0/0. This will verify your NAT operation. Let us know which one is failing.
Also, this is not mandatory, but while doing NAT I would prefer to use an extended ACL (100 to 199) rather than a standard ACL (0-99).
08-27-2009 04:31 AM
Gustavo
There are a couple of things in your follow up post that I do not understand. Perhaps you can help me to understand them. Your original post talked only about a single router. Now this post says you are working with 2 routers. What is the relationship between the routers? Do they connect to each other? Do you use them both at the same time or just use one or the other?
Your post makes a point about the static address from the provider. Does this indicate that there is an option for a dynamic address learned for the router? Both of the configs show only a static address. Are both routers configured with the same address on the outward facing interface or are they different?
When you say that ping does not work are you talking about ping from the router or ping from a PC connected to the router? How we would troubleshoot the problem would vary depending on where the ping is being done.
HTH
Rick
08-27-2009 05:58 AM
Ok Rick,
I was trying to solve 1 issue at a time but since I mentioned the second router, I will explain the whole picture. I have 2 routers, 1 2811 and 1 2600. I have two Internet Service Providers (Verizon and a local ISP). With the first one, I was able to obtain a static address from the provider (64.116.x.x). The second one offers a connection to the Internet through an ADSL modem and it works by DHCP, so the addresses I get from this one are dynamic. The idea is to establish a DMVPN, where the first router (the hub) has a static public IP address and the second (spoke) has a dynamically assigned IP address.
PC -> R1 -> ISP1 (static IP) -> Internet -> ISP2 (dhcp) -> modem ADSL -> R2 -> PC
So there is no straight connection between the routers. I'm trying to establish the tunnel through the Internet (PSTN). As I mentioned in the other post, the second router (2600) is OK, I can establish the connection with the Internet. I tried to apply the same configuration on the first router (2811) but with the static IP address. It didn't work.
So far I have made all the changes that you guys recommended. This is my current configuration on the 2811 router:
Current configuration : 1650 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RPrueba
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$vfRW$/6f78MDPeEJ.72MUuKaFs1
enable password 7 000D1D03085E08121D201C1D
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
no network-clock-participate wic 1
ip subnet-zero
!
!
ip cef
!
!
ip name-server 198.6.1.5
ip name-server 198.6.1.142
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username supervisor privilege 15 secret 5 $1$5KuU$Z2Q2HtUSLD2XP/QO/1Qpw.
!
!
controller E1 0/1/0
!
!
!
!
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.240.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_OUTSIDE$
ip address 64.116.x.x 255.255.x.x
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
shutdown
clock rate 2000000
!
ip classless
ip route 0.0.0.0 0.0.0.0 64.116.x.x
!
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface FastEthernet0/1 overload
!
access-list 101 permit ip 192.168.240.0 0.0.0.255 any
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password 7 151B0509082F28303A32
line aux 0
line vty 0 4
password 7 000D1D03085E08121D20
authorization exec local_author
login authentication local_authen
!
scheduler allocate 20000 1000
!
end
So the deal is, I pinged from the router to the internal interface fa0/0 and I got an answer. I also pinged from a PC connected to the router and I got a response from both interfaces (ping 192.168.240.1 success and ping 64.116.x.x success). But if I ping from the router to an IP address on the Internet (ping 209.191.93.52) this is what I get:
Sending 5, 100-byte ICMP Echos to 201.191.93.52, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
And if I ping from the PC, this is what I get:
Pinging 201.191.93.52 with 32 bytes of data:
Reply from 192.168.240.1: Destination host unreachable.
Reply from 192.168.240.1: Destination host unreachable.
Reply from 192.168.240.1: Destination host unreachable.
Reply from 192.168.240.1: Destination host unreachable.
So I hope I explained myself and that you understand the situation better. I'm sorry about my grammar, my English is not perfect, and I hope you can help me with this.
Thanks
Gustavo
08-27-2009 07:33 AM
Gustavo,
Let's first focus on verifying the connection between your router and the carrier, as you mentioned that you can't ping an Internet IP from your router. Please provide the output of these two commands:
sh interface f0/1
sh arp interface f0/1
08-27-2009 07:54 AM
Ok,
here is my sh int fa0/1:
RPrueba#sh int fa0/1
FastEthernet0/1 is up, line protocol is up
Hardware is MV96340 Ethernet, address is 0013.c32c.d351 (bia 0013.c32c.d351)
Description: $FW_OUTSIDE$
Internet address is 64.116.x.x/28
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Half-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:09:08, output 00:00:09, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
645 packets input, 39064 bytes
Received 603 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
8503 packets output, 865362 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
and the sh arp:
Internet 64.116.129.x - 0013.c32c.d351 ARPA FastEthernet0/1
Internet 64.116.129.x 2 0090.7f3c.4d09 ARPA FastEthernet0/1
Internet 192.168.240.1 - 0013.c32c.d350 ARPA FastEthernet0/0
08-27-2009 08:54 AM
Gustavo
This information is helpful. The show interface does show that the interface is up/up and does show packets inbound and packets outbound. That is a good start.
The show arp does indicate that you are talking to the provider device and have learned its MAC address. This is a good next step.
Let's check the next step - can you access the provider next hop device? From the router can you ping the address of the provider next hop device (the one that shows up in the arp table)?
If the router can successfully ping the provider next hop device then I suggest doing a trace from the router to the Internet address 201.191.93.52. Let's verify whether the router has access before we are concerned with access from the PC.
HTH
Rick
08-27-2009 10:19 AM
OK Rick,
I pinged the next hop router but I didn't get an answer. I also tried this: I connected the PC to the FastEthernet link and configured the IP address on my PC, and I pinged the next hop router and did get an answer (64.116.128.201). I also pinged the Internet and got an answer, and I did the tracert to 209.191.93.52 and the first hop on the list is the same 64.116.128.201. Then I connected the router again and pinged the same address and I didn't get any answer.
So I was thinking, maybe the problem is with the way my router is connected to the ISP? Should I contact them?
Gustavo
08-27-2009 02:35 PM
Guys,
I talked to the service provider and they clarified all my doubts. The truth is that I didn't know that the IP address I was attempting to use is not physically accessible the way I was doing it. I have to go to an intermediate firewall and ask for the address. I'm sorry for all the trouble I caused, but I actually learned a lot and now I know I can always post new doubts here and expect to receive very good advice.
Thanks a lot,
Gustavo
08-27-2009 08:48 AM