Cisco 2800 - simple routing

s.srivas · ‎03-04-2008

Hello,

I'm stuck with a simple routing problem in Cisco 2811.

Extended ping tests from fas0/1 to host in fas0/0 side fails

but, extended ping from fas0/0 to host in fas0/1 side pass.

no additional modules installed, (only builtin fas0/0 and fas0/1 used.

Could some advice please.

Additional info

ip classles, ip routing configured.

more info below

2811 router 12.4, (crypto not used immediately)

Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)

|------------| Router |----------|

192.168.212.0/24 10.203.48.0/26

Fas0/0 192.168.212.4 fas0/1 10.203.48.1

(a device 212.2) (a device 48.2)

from router ping 192.168.212.2 (OK) another switch/router

from router ping 10.203.48.2 (ok) another switch/router

from router, extended ping

one direction extended ping ok (ping 10.203.48.2 from 192.168.212.4 ok)

other direction extended ping fails (ping 192.168.212.2 from 10.203.48.1 fail)

abstracts

!

interface FastEthernet0/0

description Vlan555 to Donabulan Gi1/1 from Fleet PACS

ip address 192.168.212.4 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

description LES10 to Fleet-PACS

ip address 10.203.48.1 255.255.255.192

duplex full

speed 10

!

ip forward-protocol nd

ip route 10.203.48.0 255.255.255.192 FastEthernet0/1

ip route 192.168.212.0 255.255.255.0 FastEthernet0/0

!

aijaz802 · ‎03-04-2008

HI,

Pls post the output of show ip route....

Thanks...

s.srivas · ‎03-04-2008

Show IP route and other info pasted

=======================

Router#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C 192.168.212.0/24 is directly connected, FastEthernet0/0

10.0.0.0/26 is subnetted, 1 subnets

C 10.203.48.0 is directly connected, FastEthernet0/1

Router#

=======================

Router#sh ver

Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Fri 07-Sep-07 16:46 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

frm-tucr-dr-dorado uptime is 4 days, 16 hours, 24 minutes

System returned to ROM by power-on

System restarted at 16:38:57 UTC Thu Feb 28 2008

System image file is "flash:c2800nm-spservicesk9-mz.124-17.bin"

This product contains cryptographic features and is subject to United

States and local country laws governing import, export, transfer and

use. Delivery of Cisco cryptographic products does not imply

third-party authority to import, export, distribute or use encryption.

Importers, exporters, distributors and users are responsible for

compliance with U.S. and local country laws. By using this product you

agree to comply with applicable laws and regulations. If you are unable

to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:

http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to

export@cisco.com.

Cisco 2811 (revision 53.51) with 251904K/10240K bytes of memory.

Processor board ID FCZ114872EA

2 FastEthernet interfaces

DRAM configuration is 64 bits wide with parity enabled.

239K bytes of non-volatile configuration memory.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Router#

aijaz802 · ‎03-04-2008

Hi,

Please check the gateway and subnet mask of the PC 192.168.212.2

HTH

s.srivas · ‎03-04-2008

The host 192.168.212.2

g/w 192.168.212.4

ping from 10.203.48.1 not working.

Thanks

(I do not expect the crypto image (not used at present) in the router to do something in one direction!!)

aijaz802 · ‎03-04-2008

Hi,

you mean to say the whole network 10.203.48.0/192 is not able to reach/ping the other network...???

did u have any ACL activated..Would u pls. post the running configuration.... May be some other experts might have a look into this.

s.srivas · ‎03-04-2008

Sho runn attached

(passwords renamed)

aijaz802 · ‎03-04-2008

Hi,

I'm not seeing any problem in router configuration. please check n answer these queries..

1. what is the device "192.168.212.2" is this switch/PC...

2. Are you able to ping(ext) to other IPs in 192.168.212.x segment from router. If yes, then the problem might be in the device with IP 192.168.212.2 with either the gateway or some ip routing issue.

3. Are u able to ping from any device/PC in 192.168.212.x network to PCs in 10.203.48.x network.

4. Same above but vice versa...

s.srivas · ‎03-04-2008

i disconnected the real 192...

I connected the laptop to fas0/0

192.168.212.49

g/w 192.168.212.4

i can ping and telnet from laptop (192) to 10.203.48.2 and .1

but,

I can not ping 192.168.212.49 from 10.203.48.1 or .2

thanks

s.srivas · ‎03-04-2008

in addition to above,

i'm going to disable firewall in my laptop and repeat the above test.

I'll report, once completed.

Thanks

Richard Burts · ‎03-04-2008

Sinnathurai

Replacing some device with a laptop certainly introduces the possibility that a firewall is part of the issue. You are correct that you should disable the firewall and test again.

The symptoms that you describe of being able to do normal ping from the router to the device demonstrates several things including the fact that you have basic connectivity to the device (its interfaces are working, ARP is working, etc).

When normal ping does work and extended ping with a different source address does not work it usually indicates a routing problem. And aside from the possibility of access lists (which clearly are not present based on the config that you posted) the problem is more often on the remote device than on the router. In my experience the problem is frequently an incorrect default gateway or an incorrect subnet mask. But your post seems to indicate that these are correct. The next thing that I would check are the possibility of access lists or firewall on the device, which you are doing. I would also suggest checking for routes entered on the remote device. If it is a Windows PC would you post the output of route print?

One other thought is that it is my understanding that 12.4(17) is a pretty buggy release. According to this link it is deferred:

http://tools.cisco.com/support/downloads/go/SftAdvisory.x?defAdv=N&sftAdv=Y&filepath=/swc/esd/02/crypto/3DES/279120819/contract&filename=c2800nm-spservicesk9-mz.124-17.bin&advUrl=http://www.cisco.com/kobayashi/library/iosplanner/SA/12.4.17.c.html&isk...

and the suggestion is to use 12.4(17b). You may need a login with download privilege to access that link. I am not sure that this problem is a software problem but I would suggest that you think about changing software before you put this router into a live network.

HTH

Rick

HTH

Rick

s.srivas · ‎03-04-2008

The test Laptop now works ok, after disabling the firewall in the laptop.

Thanks to Aijaz and Rick

I can close this now.

Later,

I'll be raising another question, how to divert at pix 192.168.212.1 (inside) to (inside) 10.203.48.0 (as pix is the current g/w for devices on 192.168.212.0 and I do not plan to change gateways on servers.