Cannot ping VLAN interface on 857 Router from Outside

May 22nd, 2008

Hi, I have replaced an ISP's ADSL Modem Router with a Cisco 857 with the config below.

Now incoming access seems to be blocked; I cannot ping the Vlan interface from the outside, although I can ping the PPP side of the router OK.

Clients on the inside can still access the Internet successfully.

Does anyone have any ideas as to why this is?

Many Thanks,

Chris

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco857
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-xxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxx
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383339 38313839 3236301E 170D3038 30353230 30363135
  33335A17 0(truncated)
dot11 syslog
no ip source-route
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name xxxxxxxx
ip name-server xxx.xxx.32.1
ip name-server xxx.xxx.32.13
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxx
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address xxx.xxx.119.145 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname [email protected]
 ppp chap password 7 xxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit xxx.xxx.119.144 0.0.0.7
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Paolo Bevilacqua Thu, 05/22/2008 - 06:34

Hi, NAT works so that you can ping from inside to outside, but not vice versa. Remember that inside addresses are private, that is, not routable on the Internet. That is also a good thing for security. All network activity should work normally, however.

Hope this helps, please rate post if it does!

shaw.chris Thu, 05/22/2008 - 06:41

Thanks, but NAT was set up on the old Modem Router and I could connect using SMTP, ICMP, HTTPS to servers on the inside without issues.

Behind this 857 is a PIX501 which has static NATs set up for a couple of servers; these are now inaccessible.

Paolo Bevilacqua Thu, 05/22/2008 - 07:43

You have configured NAT on the router. If your inside addresses in the router are not private ones, remove the NAT statements.

shaw.chris Thu, 05/22/2008 - 08:15

Thanks, so NAT doesn't need to be enabled even though I need to share the PPP connection between the inside clients?

Paolo Bevilacqua Thu, 05/22/2008 - 13:10

If your ISP has given you a range of public IP addresses to use on the LAN, NAT is not necessary.

Hope this helps, please rate post if it does!
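
The change suggested in the replies above, written out against the configuration posted in the question. This is an added example, not part of the original thread; it assumes the ISP routes the xxx.xxx.119.144/29 block to this router, and the `!` comment lines are explanatory only.

```cisco
! Added example, not from the original thread.
! Assumption: the ISP routes xxx.xxx.119.144/29 to this router, so the
! LAN hosts (and the PIX 501's static NAT addresses) need no translation.
!
! Privileged EXEC: flush active translations first. IOS refuses to delete
! a dynamic NAT rule while mappings created by it are still in use.
clear ip nat translation *
!
configure terminal
 ! Remove the PAT rule that rewrites traffic sourced from the LAN block
 ! to the Dialer0 address on its way out.
 no ip nat inside source list 1 interface Dialer0 overload
 ! In the posted config, ACL 1 is referenced only by that rule.
 no access-list 1
 interface Vlan1
  no ip nat inside
 interface Dialer0
  no ip nat outside
 end
!
! Verify: the translation table should be empty and no interface should
! be reported as a NAT inside or outside interface.
show ip nat translations
show ip nat statistics
```

With NAT removed, the whole /29 is directly reachable from the Internet, so inbound filtering rests on the PIX 501 behind the router and on whatever protects the router's own management services. In the posted configuration `ip http access-class 23` refers to an access list that is not shown, and the vty lines accept telnet and SSH with no `access-class`, so both are worth checking before the change goes live.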
