12-04-2011 04:07 PM - edited 03-07-2019 03:43 AM
Hello all,
I've come across a VERY odd situation that seems to have just started over the last day.
I've got a 2621 configured as my main gateway to the internet - right now it's obtaining a DHCP IP from the ISP's proprietary router set to bridged mode.
As of now, I'm unable to ping the internal interface of the router. I can ping external IPs only; even though I have DNS servers listed, I am unable to resolve host names. I'm running a few servers, and people are able to connect to my web server, among other services. I even have a crypto map set up to another 2621 across the country and can ping all internal IPs on the other end... I JUST CANNOT PING THE INTERNAL INTERFACE of the router!! It's so frustrating.
I've noticed that when I ping the router during its boot process (using Linux, uninterrupted) I get a response in a very short window, then it dies again. I'll post my config below. ANY help would be greatly appreciated - I'm at my wits' end!
Thank you in advance.
Current configuration : 4229 bytes
!
! Last configuration change at 02:34:00 EST Sun Dec 4 2011 by chris
! NVRAM config last updated at 02:36:29 EST Sun Dec 4 2011 by chris
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Limbo
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
clock timezone EST -5
clock summer-time EST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip bootp server
ip multicast-routing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key PASSWORD address XXX.XXX.XXX.XXX no-xauth
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set STRONG
reverse-route
!
!
crypto map Limbo_to_NAT client authentication list sdm_vpn_xauth_ml_1
crypto map Limbo_to_NAT isakmp authorization list sdm_vpn_group_ml_1
crypto map Limbo_to_NAT client configuration address respond
crypto map Limbo_to_NAT 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set STRONG
set pfs group2
match address 106
!
!
!
!
interface FastEthernet0/0
description ++++ INTERNAL NETWORK ++++
ip address 192.168.1.1 255.255.255.128
no ip redirects
no ip unreachables
no ip proxy-arp
ip pim dense-mode
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description ++++ INTERNET CONNECTION ++++
ip address dhcp
ip verify unicast source reachable-via rx allow-default 100
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
speed auto
half-duplex
crypto map Limbo_to_NAT
crypto ipsec df-bit clear
!
interface Serial0/1
no ip address
shutdown
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.155.56.1
!
!
ip http server
ip http authentication local
ip http secure-server
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 1 remark SDM_ACL Category=16
access-list 1 deny any log
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
access-list 100 permit ip any any
access-list 106 permit ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
!
ntp clock-period 17180228
ntp server 209.167.68.100
ntp server 216.234.161.11
ntp server 209.172.32.214
ntp server 205.189.158.228
!
end
12-04-2011 04:42 PM
Chris
Your post says that you have listed DNS servers, but I do not see any name server configuration in the posted config. The interfaces have ip nat inside and ip nat outside, but I do not see any nat configuration in the posted config. Are they really in the config and for some reason you did not post them?
Your post says that you can not ping the internal interface. But you do not tell us whether this is attempting to ping from outside or attempting to ping from inside, or is it both? Clarification would be appreciated.
HTH
Rick
12-04-2011 04:52 PM
Rick,
My apologies - my frustration is getting the best of me. I forgot to mention that I have another 2600 running as DHCP server. All computers attached to the network (after a confirmed MAC address) are assigned an IP address along with the DNS servers 208.67.222.222 and 208.67.220.220.
As for the NAT, I didn't post them - right now my ip nat inside is just running some simple port forwarding to different computers inside the network. When pinging the interface, I'm simply trying to ping 192.168.1.1 (fa0/0) from within the network. I'm able to ping all other devices on the network, just not 1.1. The interface is able to ping itself, so I'm pretty confident it's not a hardware issue. I'm also able to ping the internal interface from the external interface using an extended ping.
Any other questions you might have would be greatly appreciated.
Thank you again in advance.
12-04-2011 04:57 PM
Chris
Thanks for the clarification. Here are some more questions:
- when you are attempting to ping the router from inside, what is the IP address of the host from which you are trying the ping?
- can you ping from this router to the host that is trying to ping?
HTH
Rick
12-04-2011 05:22 PM
Rick, from the router I am unable to ping any other devices on the network. As for pinging the router, all devices from which I am attempting are from the same subnet 192.168.1.X/25; however, all other devices can ping each other. It's just this one interface...
12-04-2011 05:31 PM
Chris
Can we be a little more specific than 192.168.1.x? In particular can you verify that x is less than 127?
It might also be helpful if you would post the output of show arp from the router.
HTH
Rick
12-04-2011 06:42 PM
I'm not home right now, so I can't post the arp output, but as for which devices I've pinged from:
1.2, 3, 4, 11, 21, 24, 30
Thanks.
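Added example, not part of the original posts: the check asked for above (is x inside the /25 on FastEthernet0/0), extended to evaluate the posted ACL 100 and ACL 106 (the crypto map's match address) with IOS wildcard-mask matching. It assumes the host list means last octets 2, 3, 4, 11, 21, 24 and 30; 192.168.1.130 is a constructed address, and the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the configuration posted in this thread.
CONFIG = """\
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.128
access-list 100 deny ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
access-list 100 permit ip any any
access-list 106 permit ip 192.168.1.0 0.0.0.127 192.168.1.128 0.0.0.127
"""

def inside_network(config):
    """Connected network of the first static 'ip address <addr> <mask>' line."""
    m = re.search(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+)$", config, re.M)
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def parse_acl(config, number):
    """Parse 'access-list N <action> ip <src> <dst>' lines into tuples."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or tok[3:4] != ["ip"]:
            continue  # other commands, other ACLs, remarks
        rest, specs = tok[4:], []
        while rest:
            n = 1 if rest[0] == "any" else 2  # 'any' = 0.0.0.0 255.255.255.255
            specs.append(("0.0.0.0", "255.255.255.255") if n == 1 else tuple(rest[:2]))
            rest = rest[n:]
        entries.append((tok[2], specs[0], specs[1]))
    return entries

def acl_action(config, number, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s, d in parse_acl(config, number):
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"

if __name__ == "__main__":
    net = inside_network(CONFIG)
    for o in (2, 3, 4, 11, 21, 24, 30, 130):  # 130 is constructed, rest from the thread
        src = f"192.168.1.{o}"
        print(src, ipaddress.ip_address(src) in net, acl_action(CONFIG, 100, src, "192.168.1.1"), acl_action(CONFIG, 106, src, "192.168.1.1"))
```

For each listed host sending to 192.168.1.1 this reports the source as inside 192.168.1.0/25, permitted by ACL 100 and not matched by ACL 106.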
12-04-2011 07:00 PM
Chris
I am interested that you have pinged from .1 since .1 is the address of the router.
If the addresses that you are attempting to ping from should all be in the subnet connected to the router interface then the output of show arp would be quite helpful. It might also be helpful if you post the output of show ip interface brief.
HTH
Rick
12-04-2011 09:17 PM
Try turning off CEF and turning it on. Do it after hours or something if it's a production network.
HTH
12-05-2011 06:40 PM
Thank you for your help guys,
After a write erase, and a reload the router seems to work even though I re-copied the EXACT same config file as before. I'm now able to ping the router like nothing happened...
Thanks again for all your help - I'm sure I'll be back with other questions/problems.
Cheers!