A silly question

Unanswered Question
Aug 4th, 2008

I have a Cisco 871 router; its F4 interface connects to the Internet and its Vlan10 interface connects to the internal network (10.0.0.0/24). I can't ping the internal network when the ping is sourced from interface F4. I don't think that's normal, right? Can anybody please let me know why? Thanks!

CCSPHOMERTR#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

CCSPHOMERTR#ping 10.0.0.3 source f4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.2.22
.....
Success rate is 0 percent (0/5)
CCSPHOMERTR#

johnakeating Mon, 08/04/2008 - 20:00

Do you have an ACL blocking traffic from the outside network? If so, then yes, this would not work.

Difan Zhao Tue, 08/05/2008 - 11:39

Thank you for your reply John. I don't have any ACL at all. Here is the config:

interface FastEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VPN_MAP
end
!
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
end

johnakeating Wed, 08/06/2008 - 09:11

NAT will not allow traffic from the outside port to the inside... for security reasons, I'm sure.

I checked it on my 871 and it does the same thing and works fine. I would suggest leaving it blocked, as that could make a big security hole.

John

Difan Zhao Wed, 08/06/2008 - 12:32

However, I have a 2851 router and it can ping inside interfaces... The reason I want to fix this is that I have EZVPN configured and the remote client can't ping internal computers for the same reason...

Difan Zhao Tue, 08/05/2008 - 11:43

Sure! Here it is:

CCSPHOMERTR#sh ip int brief
Interface       IP-Address   OK? Method Status Protocol
FastEthernet0   unassigned   YES unset  up     up
FastEthernet1   unassigned   YES unset  up     up
FastEthernet2   unassigned   YES unset  up     down
FastEthernet3   unassigned   YES unset  up     down
FastEthernet4   70.64.22.2   YES DHCP   up     up
Vlan1           unassigned   YES NVRAM  up     down
NVI0            unassigned   NO  unset  up     up
Vlan10          10.0.0.254   YES NVRAM  up     up

Difan Zhao Tue, 08/05/2008 - 11:46

(Because it's too long, I deleted the line configuration part... I hope it won't affect your troubleshooting.)

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CCSPHOMERTR
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login LOGIN_AUTHEN local
aaa authorization console
aaa authorization exec EXEC_AUTHOR local
aaa authorization network NETWORK_AUTHOR local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP
 key XXXXXXXX
 dns 10.0.0.254
 domain pc-pro.ca
 pool IPPOOL_EZVPN
 acl 101
 banner ^CIf you are not Vicky, logout immediately ^C
!
!
crypto ipsec transform-set IPSEC_TRANS_EZVPN esp-aes esp-md5-hmac
!
crypto dynamic-map EZVPN_DYNAMIC_MAP 1
 set transform-set IPSEC_TRANS_EZVPN
 reverse-route
!
!
crypto map VPN_MAP client authentication list LOGIN_AUTHEN
crypto map VPN_MAP isakmp authorization list NETWORK_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 65535 ipsec-isakmp dynamic EZVPN_DYNAMIC_MAP discover
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool VLAN10_IP_POOL
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.254
 dns-server 10.0.0.254
 domain-name pc-pro.ca
!
ip dhcp pool VISTA_IP_POOL
 host 10.0.0.3 255.255.255.0
 client-identifier 0100.1a92.d12a.de
 default-router 10.0.0.254
 dns-server 10.0.0.254
 domain-name pc-pro.ca
!
!
no ip bootp server
ip domain name pc-pro.ca
!
multilink bundle-name authenticated
!
!
username support privilege 15 secret 5 $1$pKI2$9rPzlEdfn8OW1lNTutHY7/
archive
 log config
  hidekeys
!
!
ip ssh rsa keypair-name RSA_SSH
!
class-map type inspect match-all CMAP_OUT2IN
 match access-group name ACL_OUT2IN
class-map type inspect match-any CMAP_IN2OUT
 match protocol http
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol tcp
 match protocol udp
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
ip route 10.0.0.0 255.255.255.0 Vlan10
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 10.0.0.2 22 interface FastEthernet4 2222
ip nat inside source route-map ROUTE_MAP_NAT interface FastEthernet4 overload
!
ip access-list extended ACL_EZVPN_SPLIT
 permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended ACL_NAT
 deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended ACL_OUT2IN
 permit ip 10.200.200.0 0.0.0.255 any
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
access-list 199 permit ip 10.200.200.0 0.0.0.255 any
!
!
!
route-map ROUTE_MAP_NAT permit 10
 match ip address ACL_NAT
!
!
!
scheduler max-task-time 5000
!
webvpn cef
end

Difan Zhao Tue, 08/05/2008 - 11:40

Will try it tonight. It's my home router and I turned off all computers so I have nothing to ping now...

Difan Zhao Tue, 08/05/2008 - 13:25

Thanks for the reply, Rupesh. How do I enable reverse routing? I did some research on Google but didn't find anything... Thanks!

Difan Zhao Wed, 08/06/2008 - 12:23

Here is the output of debug.

CCSPHOMERTR#debug ip packet 101
IP packet debugging is on for access list 101
CCSPHOMERTR#ping 10.0.0.3 repeat 1 source fastEthernet 4
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.22.2
*Aug 6 20:18:25.281: IP: tableid=0, s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), routed via FIB
*Aug 6 20:18:25.285: IP: s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), len 100, sending.
Success rate is 0 percent (0/1)

The access-list is:

CCSPHOMERTR#sh access-list 101
Extended IP access list 101
    10 permit ip 10.0.0.0 0.0.0.255 any (4 matches)
    20 permit ip any 10.0.0.0 0.0.0.255 (4 matches)
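The debug above shows the echo leaving on Vlan10 but no matching reply line coming back. As an added helper (not code from the thread or from Cisco), the script below pairs "sending" lines with "rcvd" lines in debug ip packet output so that flows with no reply stand out; the sample lines are constructed to match the format posted above, with an extra made-up exchange for a Vlan10-sourced ping that did get its reply.

```python
import re
from collections import Counter

# Packet part of an IOS "debug ip packet" line, e.g.
# "*Aug 6 20:18:25.285: IP: s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), len 100, sending."
# The interface after d= is absent on lines for packets delivered to the router itself.
PKT_RE = re.compile(
    r"IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<sif>[^)]*)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<dif>[^)]*)\))?(?P<rest>.*)$"
)

def parse_debug(lines):
    """Return (src, dst, action) for each parsable line; action is sent, rcvd or routed."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue  # ping banner, prompt or other non-packet output
        rest = m.group("rest")
        if "sending" in rest:
            action = "sent"
        elif "rcvd" in rest:
            action = "rcvd"
        else:
            action = "routed"  # FIB lookup line; the packet has not left yet
        pkts.append((m.group("src"), m.group("dst"), action))
    return pkts

def unanswered_flows(lines):
    """Map (src, dst) -> number of sent packets with no reply seen as (dst, src)."""
    pkts = parse_debug(lines)
    sent = Counter((s, d) for s, d, a in pkts if a == "sent")
    rcvd = Counter((s, d) for s, d, a in pkts if a == "rcvd")
    return {flow: n - rcvd[(flow[1], flow[0])]
            for flow, n in sent.items() if n > rcvd[(flow[1], flow[0])]}

# Constructed sample: the two posted lines for the F4-sourced ping, plus a made-up
# exchange for a ping sourced from Vlan10 (10.0.0.254) whose echo reply did come back.
SAMPLE = """\
CCSPHOMERTR#ping 10.0.0.3 repeat 1 source fastEthernet 4
*Aug 6 20:18:25.281: IP: tableid=0, s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), routed via FIB
*Aug 6 20:18:25.285: IP: s=70.64.22.2 (local), d=10.0.0.3 (Vlan10), len 100, sending.
Success rate is 0 percent (0/1)
*Aug 6 20:19:01.001: IP: tableid=0, s=10.0.0.254 (local), d=10.0.0.3 (Vlan10), routed via FIB
*Aug 6 20:19:01.005: IP: s=10.0.0.254 (local), d=10.0.0.3 (Vlan10), len 100, sending.
*Aug 6 20:19:01.009: IP: s=10.0.0.3 (Vlan10), d=10.0.0.254, len 100, rcvd 3
""".splitlines()

if __name__ == "__main__":
    for (src, dst), n in unanswered_flows(SAMPLE).items():
        print(f"{n} echo(s) from {src} to {dst} never got a reply back on the router")
```

Feed it a longer capture with the debug ACL widened to both directions (as access-list 101 is above) and the output tells you whether the reply is reaching the router at all, which narrows the problem to the host side or to the router's handling of the return packet.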

harish.ab Wed, 08/06/2008 - 09:06

Create a default route towards your F4 IP address from your internal network.

Difan Zhao Wed, 08/06/2008 - 12:28

Like this?

ip route 0.0.0.0 0.0.0.0 fastEthernet 4

After I did this I lost my connection to the router (I was SSHed into it) and I can't connect to it anymore...

nikhil.engineer Wed, 08/06/2008 - 23:45

Hi,

Can you ping 70.64.22.2 with Vlan10 as the source?

From the internal network, are you able to ping 70.64.22.2?

Please post your show ip route output. Also post the sh ip nat translations output.

I think there is no reverse path available.

HTH.

Cheers,

Nikhil E.
