cannot ping/connect through 2651 outside to inside

Unanswered Question
Mar 15th, 2009
User Badges:

I've tried searching around these forums and google, but apparently I can't phrase my searches right. Here's the issue:


I recently added another T1 and combined them with multilink ppp. This works great from inside my network: internet access is fast and stable. From outside, however, traffic cannot come in. I can ping the external interface of my router from off network, but cannot ping the internal interface, nor any other public IP on the inside of the 2651. I should note that I inherited this network and am kind of new to Cisco routers. Here is the config of the router; if anyone could tell me if anything is suspect or point me in a direction to look next, I'd greatly appreciate it. Thanks:


interface Multilink1

description TWTC MLPPP

ip address 66.193.28.242 255.255.255.252

ip nat outside

ppp multilink

ppp multilink fragment delay 500

ppp multilink group 1

!

interface FastEthernet0/0

description Connected to LAN

ip address 64.128.125.58 255.255.255.248

ip nat inside

duplex auto

speed auto

!

interface Serial0/0

description TWTC Multilink Interface #1

no ip address

encapsulation ppp

service-module t1 timeslots 1-24

ppp multilink

ppp multilink group 1

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/1

description TWTC multilink interface #2

no ip address

encapsulation ppp

service-module t1 timeslots 1-24

ppp multilink

ppp multilink group 1

!

ip nat inside source list 100 interface Multilink1 overload

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 66.193.28.241

ip route 192.168.0.0 255.255.0.0 64.128.125.59

!

ip access-list extended protocol

access-list 1 permit 64.128.125.59

access-list 23 permit 64.128.125.59

access-list 100 permit ip any any


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Sun, 03/15/2009 - 13:55
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Bryan


I would start my response by asking if access initiated from the Internet worked before you changed the configuration to use multilink? The phrasing of the question seems to believe that the problem has to do with multilink. But I believe that the configuration of address translation would not have permitted access to be initiated from the Internet no matter whether it was multilink or dedicated serial interface or whatever.


Your config sets up address translation with FastEther0/0 as interface inside, with the multilink as interface outside, and a dynamic translation with overload using the multilink address for all traffic coming from FastEther0/0. The result of this type of translation is that when any device inside sends traffic to the Internet the router sets up a translation for that device, ad the entry in the translate table allows traffic from the Internet to reach the correct inside device. But when traffic is initiated from the Internet, it gets to the router and the router is not sure which device should receive it because there is not an existing translation. For the Internet to initiate traffic to inside devices the typical solution is to provide a static translation for any device inside which should be reachable for traffic initiated from the Internet.


And in reading the post over again, I believe that I see another problem (which may or may not be related). You say:"cannot ping the internal interface, nor any other public IP on the inside of the 2651". This suggests that who ever you connect to on the multilink is not routing the 64.128.125.56/29 block of addresses to you. If you can get that issue resolved, and if you change the address translation so that traffic from that address block is not translated then devices in that address block should be reachable from the Internet.



HTH


Rick

bryanlakatos Sun, 03/15/2009 - 14:07
User Badges:

Thank you very much for your help, Rick. Would you be able to guide me in how to set the NATing up correctly? I'm pretty new at Cisco IOS.


Indeed, access initiated from the Internet worked just fine before multilink, though I don't think it's the multilink that's the problem, since the external multilink1 interface seems to be doing its job just fine.

Richard Burts Sun, 03/15/2009 - 14:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Bryan


Did you make changes in the router other than adding a second serial link and configuring multilink? If so please explain what else you changed.


Do you have a copy of the router config before the changes for multilink were made? If so can you post that config for comparison?


We might be able to advise you about the changes in address translation if we knew more details about your situation. For starters, if you are not going to translate the 64.128.125.56/29 address block, then what addresses are you going to want to translate?


HTH


Rick

Actions

This Discussion