
newbie networking question?

chrish346
Level 1

Hey Guys,

Well, I'm stumped. After turning on debugging, running Wireshark, I'm lost at why this is happening. Basic setup, just must not be seeing something.

Here is my small home network running Cisco devices (trying to practice for my CCNA).

1) Cisco 1721 Router (192.168.1.1)

2) Cisco 2950 Switch (192.168.1.2)

3) Laptop (192.168.1.10)

Everything is on a /24 subnet.

What is odd here is when I try to ping an IP address on the internet from my laptop, I don't get a response. I also can't view webpages or have any connectivity outside my router.

However, if I SSH into my router, I can ping google.com no problem, and I can do pretty much anything. So I know there has to be something on my router that is stopping anything on my network from going out.

From my laptop, I can ping:

192.168.1.2 (Switch)

192.168.1.1 (Router)

64.19.14.13 (ISP Static IP assigned to me)

I can't ping:

72.14.207.104 (Google.com)

show ip route:

206.53.49.0/32 is subnetted, 1 subnets

C 206.53.49.10 is directly connected, Dialer1

64.0.0.0/32 is subnetted, 1 subnets

C 64.89.19.19 is directly connected, Dialer1

C 192.168.1.0/24 is directly connected, FastEthernet0

S* 0.0.0.0/0 is directly connected, Dialer1

Accepted Solutions

Richard Burts
Hall of Fame

Chris

If you can access the router and from the router you can access Internet resources, then we can mostly rule out routing problems. My first guess is that you are not translating the addresses of your inside network as it goes through the router and to the Internet.

Can you tell us whether you are translating the addresses? Even better would be to post the config of the router.

HTH

Rick


smitty6504
Level 1

Some sites do block ICMP from the internet. I can ping the site with no issue, so I'm going to say it is an ACL issue. Are you allowing ICMP in your ACL? It would help if you post your config or at least your access-list.

Current configuration : 2629 bytes

!

version 12.3

no parser cache

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

no service dhcp

!

hostname mav

!

boot-start-marker

boot-end-marker

!

enable secret 5 <>

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

!

!

ip name-server <>60.10

ip name-server <>48.23

!

ip cef

ip audit po max-events 100

vpdn enable

!

vpdn-group 1

request-dialin

protocol pppoe

!

!

!

username admin privilege 15 password 7 1D091623282F

username user password 7 <>

interface Ethernet0

description Physical ADSL Interface (Facing the ISP)

no ip address

no ip mroute-cache

full-duplex

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface FastEthernet0

description My LAN Interface

ip address 192.168.1.1 255.255.255.0

ip nat inside

no ip mroute-cache

speed auto

full-duplex

no cdp enable

!

interface Dialer1

description Logical ADSL Interface

ip address negotiated

ip mtu 1492

ip nat outside

encapsulation ppp

ip tcp adjust-mss 1452

no ip mroute-cache

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname <>

ppp chap password 7 <>

ppp pap sent-username <> password 7 <>

!

ip nat inside source list 10 interface Dialer1 overload

ip nat inside source static tcp 192.168.1.140 22 64.89.19.19 22 extendable

ip nat inside source static tcp 192.168.1.133 222 64.89.19.19 222 extendable

ip nat inside source static tcp 192.168.1.139 221 64.89.19.19 221 extendable

ip nat inside source static tcp 192.168.1.140 904 64.89.19.19 904 extendable

ip nat inside source static tcp 192.168.1.140 905 64.89.19.19 905 extendable

ip nat inside source static tcp 192.168.1.140 903 64.89.19.19 903 extendable

ip nat inside source static tcp 192.168.1.140 902 64.89.19.19 902 extendable

ip nat inside source static tcp 192.168.1.141 3387 64.89.19.19 3387 extendable

ip nat inside source static tcp 192.168.1.142 3390 64.89.19.19 3390 extendable

ip nat inside source static tcp 192.168.1.143 80 64.89.19.19 80 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

no ip http server

no ip http secure-server

!

!

dialer-list 1 protocol ip permit

no cdp run

!

!

!

line con 0

exec-timeout 120 0

password 7 070

login local

stopbits 1

line aux 0

password 7 110

login local

line vty 0 4

exec-timeout 0 0

password 7 104

login local

length 0

!

scheduler max-task-time 5000

end

WHOOO hoo! Got it! Thanks for the hint!

Was missing:

access-list 10 permit 192.168.1.0 0.0.0.255

Chris

Thanks for posting the router config. I believe that the problem is an address translation problem. In your original post you identified the PC address as 192.168.1.10. There are some static translations, but not for the PC address. There is a dynamic translation but it references access list 10 and I do not see access list 10 in the config. I am guessing that this is the source of the problem. If you configure access list 10 to permit 192.168.1.0/24 I believe that it would work.

HTH

Rick

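Added example, not part of any post in this thread: a small Python check for the problem diagnosed above, a NAT rule that references an access list the config never defines. The config excerpt is taken from the router config posted earlier; the function name and the inclusion of `ip access-group` and `access-class` references are assumptions that generalize the check beyond NAT.

```python
import re

# Excerpt of the router config posted in this thread (secrets omitted).
POSTED_CONFIG = """\
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.143 80 64.89.19.19 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
dialer-list 1 protocol ip permit
"""

# Commands that reference an ACL by number or name.
REFERENCE_PATTERNS = [
    re.compile(r"^ip nat (?:inside|outside) source list (\S+)"),
    re.compile(r"^ip access-group (\S+) (?:in|out)"),
    re.compile(r"^access-class (\S+) (?:in|out)"),
]
# Commands that define an ACL.
DEFINITION_PATTERNS = [
    re.compile(r"^access-list (\S+) "),
    re.compile(r"^ip access-list (?:standard|extended) (\S+)"),
]

def undefined_acl_references(config):
    """Return (acl, command) pairs whose ACL is never defined in config."""
    defined, references = set(), []
    for raw in config.splitlines():
        line = raw.strip()  # sub-commands are indented in IOS output
        for pattern in DEFINITION_PATTERNS:
            m = pattern.match(line)
            if m:
                defined.add(m.group(1))
        for pattern in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                references.append((m.group(1), line))
    # Compare only after the whole config is read: definitions may come later.
    return [(acl, cmd) for acl, cmd in references if acl not in defined]

if __name__ == "__main__":
    for acl, cmd in undefined_acl_references(POSTED_CONFIG):
        print(f"ACL {acl} is referenced but not defined: {cmd}")
    fixed = POSTED_CONFIG + "access-list 10 permit 192.168.1.0 0.0.0.255\n"
    print("after adding access-list 10:", undefined_acl_references(fixed))
```

Static `ip nat inside source static` entries are not flagged, since they do not depend on an access list.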

Add the following to your dialer 1 acl

access-list 121 permit icmp any any

access-list 121 permit icmp any any echo

access-list 121 permit icmp any any echo-reply

access-list 121 permit icmp any any packet-too-big

access-list 121 permit icmp any any time-exceeded

access-list 121 permit icmp any any unreachable

This should allow you to see the echo from the sites.

Chris

I am glad that we were able to help you to find the solution to your problem. Thank you for using the rating system to indicate that your problem was solved (and thanks for the rating). It makes the forum more useful when people can read about a problem and can know that they will read what successfully solved the problem.

The forum is an excellent place to learn more about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick


I plan to ;) I just got my CCENT .. going the Cisco track .. might have more questions in the future (or at least harder ones) ;)
