Trouble establishing router connection with static IP

gustavo-salazar
Level 1

Hi everyone, I'm a newbie in CISCO systems but I'm actually excited to work with this brand. I have a router 2600 and I'm working on a little lab test, but I actually don't know that much about routing. I have a static IP 64.x.x.x provided by Verizon and I'm trying to connect to the Internet from the router. I made the basic configuration but I couldn't solve it. Here's my show run:

RPrueba2#s

00:14:17: %SYS-5-CONFIG_I: Configured from console by consoleh run

Building configuration...

Current configuration : 1130 bytes

!

version 12.2

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname RPrueba2

!

logging buffered 51200 warnings

enable secret 5 $1$oNw1$SQaqP.FazBuaiVZ3MHte70

!

username supervisor privilege 15 password 7 07062F49420C1A110513

voice-card 1

!

ip subnet-zero

!

!

ip name-server 198.x.x.x

ip name-server 198.x.x.x

!

!

call rsvp-sync

!

!

!

!

!

!

controller E1 1/0

!

!

!

interface FastEthernet0/0

ip address 192.168.250.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 64.x.x.x 255.x.x.x

ip access-group 1 out

ip nat outside

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

!

interface Serial0/2

no ip address

shutdown

!

!

ip default-gateway 64.x.x.x

ip classless

ip http server

!

!

!

!

!

!

!

!

!

access-list 1 permit 192.168.250.0 0.0.0.255

!

!

dial-peer cor custom

!

!

!

!

!

line con 0

password 7 020F0A5E07030C355E4F

login

line aux 0

line vty 0 4

privilege level 15

password 7 12100B121E0E0F10382A

login

transport input telnet ssh

!

end

I think it has something to do with the NAT addressing, but I'm not so sure. Any thoughts?

Thanks

Gustavo


yagnesh_tel
Level 1

Hi Gustavo,

What's the trouble? Also where is your nat statement which you applied yesterday?

ip nat inside source list 1 interface FastEthernet0/1 overload

Gustavo

I see several issues in your config:

- you have configured ip default-gateway but have not configured a default route. The default-gateway is used only if the router is acting as an IP host (if you configure no ip routing). Otherwise the router needs a default route. Probably it should look something like

ip route 0.0.0.0 0.0.0.0 64.x.x.x

- you are using unregistered/private addressing on your inside interface (192.168.250.0). For unregistered/private addresses to access the Internet you need to translate the addresses. You have the beginnings with ip nat inside and ip nat outside configured on the interfaces. But you need to configure a translation for the traffic (probably using overload to achieve PAT which needs only the single outside IP address to translate).

- the access list assigned to the outside interface will permit traffic only if the source address is the unregistered/private addresses

access-list 1 permit 192.168.250.0 0.0.0.255

but if the addresses are translated then they will not match the access list.

HTH

Rick
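The three issues listed in the reply above can be checked mechanically against a running-config. The following is an added example, not code from the thread or from Cisco: the function names, the finding names and the sample addresses are assumptions, and the sample config is constructed.

```python
import ipaddress
# Constructed sample modelled on the first posted config; 203.0.113.x is a placeholder.
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.250.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.240
 ip access-group 1 out
 ip nat outside
!
ip default-gateway 203.0.113.1
access-list 1 permit 192.168.250.0 0.0.0.255
"""

def parse(config):  # -> (global lines, {interface name: [sub-commands]})
    glob, ifaces, cur = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], [])
        elif line[:1] == " " and cur is not None:
            cur.append(line.strip())
        else:  # any unindented line ends the interface block
            cur = None
            glob.append(line.strip())
    return glob, ifaces

def audit(config):
    """Check for the three problems described in the reply (finding names are made up)."""
    glob, ifaces = parse(config)
    has = lambda prefix: any(g.startswith(prefix) for g in glob)
    found = []
    # 1. ip default-gateway is ignored while IP routing is on; a default route is needed.
    if has("ip default-gateway") and not (has("no ip routing") or has("ip route 0.0.0.0 0.0.0.0")):
        found.append("default-gateway-without-default-route")
    inside, outside = ([c for c in ifaces.values() if f"ip nat {s}" in c] for s in ("inside", "outside"))
    # 2. Interfaces are marked inside/outside but no rule says what to translate.
    if inside and outside and not has("ip nat inside source"):
        found.append("nat-interfaces-without-translation-rule")
    # 3. Outbound standard ACL on the outside interface permits only inside subnets.
    nets = [ipaddress.ip_interface("/".join(a.split()[2:4])).network
            for c in inside for a in c if a.startswith("ip address ") and a.split()[2][0].isdigit()]
    for c in outside:
        for acl in (a.split()[2] for a in c if a.startswith("ip access-group ") and a.endswith(" out")):
            permits = [g.split()[3:] for g in glob if g.startswith(f"access-list {acl} permit ")]
            if permits and all(len(p) == 2 and p[0][0].isdigit() and any(
                    ipaddress.ip_network("/".join(p), strict=False).subnet_of(k) for k in nets) for p in permits):
                found.append("outbound-acl-matches-pre-nat-source")
    return found
```

`audit(SAMPLE)` reports all three findings; the same config with a default route, a `ip nat inside source ... overload` rule and no outbound access-group reports none.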


Ok guys, I applied all of the changes that you advised. To make sure that there is no confusion, I will explain again. I have two routers, but now I'm configuring the one that needs to access through a static IP address that Verizon provided us. The router I was configuring yesterday works perfectly with the external ADSL (thanks a lot for that help). Now I applied the same configuration on this router except for the IP address on int FE0/1, which is now static. This is how my current show run looks:

RPrueba#sh run

Building configuration...

*Aug 26 21:41:32.763: %SYS-5-CONFIG_I: Configured from console by console

Current configuration : 1593 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname RPrueba

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$vfRW$/6f78MDPeEJ.72MUuKaFs1

enable password 7 000D1D03085E08121D201C1D

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authorization exec local_author local

!

aaa session-id common

!

resource policy

!

memory-size iomem 15

no network-clock-participate wic 1

ip subnet-zero

!

!

ip cef

!

!

ip name-server 198.6.1.5

ip name-server 198.6.1.142

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username supervisor privilege 15 secret 5 $1$5KuU$Z2Q2HtUSLD2XP/QO/1Qpw.

!

!

controller E1 0/1/0

!

!

!

!

!

interface FastEthernet0/0

ip address 192.168.240.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 64.116.x.x 255.255.255.240

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

shutdown

clock rate 2000000

!

interface Serial0/0/1

no ip address

shutdown

clock rate 2000000

!

ip classless

ip route 0.0.0.0 0.0.0.0 64.116.x.x

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface FastEthernet0/1 overload

!

access-list 1 permit 192.168.240.0 0.0.0.255

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

password 7 151B0509082F28303A32

line aux 0

line vty 0 4

password 7 000D1D03085E08121D20

authorization exec local_author

login authentication local_authen

!

scheduler allocate 20000 1000

!

end

When I applied, it didn't work, I couldn't ping any address on the Internet. I know it doesn't make sense but that's the trouble I have.

Gustavo

Gustavo, a few things.

Where are you sourcing your ping from? First you should verify that you can ping Internet addresses sourcing from your outside interface f0/1. This will verify connectivity with the carrier. The next thing is to verify ping sourcing from the inside interface f0/0. This will verify your NAT operation. Let us know which one is failing.

Also, this is not mandatory, but while doing NAT I would prefer to use an extended ACL (100 to 199) rather than a standard ACL (0-99).

Gustavo

There are a couple of things in your follow up post that I do not understand. Perhaps you can help me to understand them. Your original post talked only about a single router. Now this post says you are working with 2 routers. What is the relationship between the routers? Do they connect to each other? Do you use them both at the same time or just use one or the other?

Your post makes a point about the static address from the provider. Does this indicate that there is an option for a dynamic address learned for the router? Both of the configs show only a static address. Are both routers configured with the same address on the outward facing interface or are they different?

When you say that ping does not work are you talking about ping from the router or ping from a PC connected to the router? How we would troubleshoot the problem would vary depending on where the ping is being done.

HTH

Rick


Ok Rick,

I was trying to solve 1 issue at a time, but since I mentioned the second router, I will explain the whole picture. I have 2 routers, 1 2811 and 1 2600. I have two Internet Service Providers (Verizon and a local ISP). With the first one, I was able to obtain a static address from the provider (64.116.x.x). The second one offers a connection to the Internet through an ADSL modem and it works by DHCP, so the addresses I get from this one are dynamic. The idea is to establish a DMVPN, where the first router (the hub) has a static public IP address and the second (spoke) has a dynamically assigned IP address.

PC -> R1 -> ISP1 (static IP) -> Internet -> ISP2 (dhcp) -> modem ADSL -> R2 -> PC

So there is no straight connection between the routers. I'm trying to establish the tunnel through the Internet (PSTN). As I mentioned in the other post, the second router (2600) is ok, I can establish the connection with the Internet. I tried to apply the same configuration on the first router (2811) but with the static IP address. It didn't work.

So far I have made all the changes that you guys recommended. This is my current configuration on the router 2811:

Current configuration : 1650 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname RPrueba

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$vfRW$/6f78MDPeEJ.72MUuKaFs1

enable password 7 000D1D03085E08121D201C1D

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authorization exec local_author local

!

aaa session-id common

!

resource policy

!

memory-size iomem 15

no network-clock-participate wic 1

ip subnet-zero

!

!

ip cef

!

!

ip name-server 198.6.1.5

ip name-server 198.6.1.142

!

!

voice-card 0

no dspfarm

!

!

!

!

!

!

!

!

!

!

!

!

!

!

username supervisor privilege 15 secret 5 $1$5KuU$Z2Q2HtUSLD2XP/QO/1Qpw.

!

!

controller E1 0/1/0

!

!

!

!

!

interface FastEthernet0/0

description $FW_INSIDE$

ip address 192.168.240.1 255.255.255.0

ip nat inside

no ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description $FW_OUTSIDE$

ip address 64.116.x.x 255.255.x.x

ip nat outside

no ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

shutdown

clock rate 2000000

!

interface Serial0/0/1

no ip address

shutdown

clock rate 2000000

!

ip classless

ip route 0.0.0.0 0.0.0.0 64.116.x.x

!

!

ip http server

no ip http secure-server

ip nat inside source list 101 interface FastEthernet0/1 overload

!

access-list 101 permit ip 192.168.240.0 0.0.0.255 any

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

password 7 151B0509082F28303A32

line aux 0

line vty 0 4

password 7 000D1D03085E08121D20

authorization exec local_author

login authentication local_authen

!

scheduler allocate 20000 1000

!

end

So the deal is, I pinged from the router to the internal interface fa0/0 and I got an answer. I also pinged from a PC connected to the router and I got a response from both interfaces (ping 192.168.240.1 success and ping 64.116.x.x success). But if I ping from the router to an IP address on the Internet (ping 209.191.93.52) this is what I get:

Sending 5, 100-byte ICMP Echos to 201.191.93.52, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

And if I ping from the PC, this is what I get:

Pinging 201.191.93.52 with 32 bytes of data:

Reply from 192.168.240.1: Destination host unreachable.

Reply from 192.168.240.1: Destination host unreachable.

Reply from 192.168.240.1: Destination host unreachable.

Reply from 192.168.240.1: Destination host unreachable.

So I hope I explained myself and that you understand the situation better. I'm sorry about my grammar, my English is not perfect, and I hope you can help me with this.

Thanks

Gustavo

Gustavo,

Let's first focus on verifying the connection between your router and the carrier, as you mentioned that you can't ping an Internet IP from your router. Please provide the output of these two commands:

sh interface f0/1

sh arp interface f0/1

Ok,

here is my sh int fa0/1:

RPrueba#sh int fa0/1

FastEthernet0/1 is up, line protocol is up

Hardware is MV96340 Ethernet, address is 0013.c32c.d351 (bia 0013.c32c.d351)

Description: $FW_OUTSIDE$

Internet address is 64.116.x.x/28

MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA, loopback not set

Keepalive set (10 sec)

Half-duplex, 100Mb/s, 100BaseTX/FX

ARP type: ARPA, ARP Timeout 04:00:00

Last input 00:09:08, output 00:00:09, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/40 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

645 packets input, 39064 bytes

Received 603 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

0 watchdog

0 input packets with dribble condition detected

8503 packets output, 865362 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collision, 0 deferred

0 lost carrier, 0 no carrier

0 output buffer failures, 0 output buffers swapped out

and the sh arp:

Internet 64.116.129.x - 0013.c32c.d351 ARPA FastEthernet0/1

Internet 64.116.129.x 2 0090.7f3c.4d09 ARPA FastEthernet0/1

Internet 192.168.240.1 - 0013.c32c.d350 ARPA FastEthernet0/0

Gustavo

This information is helpful. The show interface does show that the interface is up/up and does show packets inbound and packets outbound. That is a good start.

The show arp does indicate that you are talking to the provider device and have learned its MAC address. This is a good next step.

Let's check the next step - can you access the provider next hop device? From the router can you ping the address of the provider next hop device (the one that shows up in the arp table)?

If the router can successfully ping the provider next hop device then I suggest try doing a trace from the router to the Internet address 201.191.93.52. Let's verify whether the router has access before we are concerned with access from the PC.

HTH

Rick


OK Rick,

I did the ping to the next hop router but I didn't get an answer. I also tried this: I connected the PC to the FastEthernet link, configured the IP address on my PC, pinged the next hop router and did get an answer (64.116.128.201). I also pinged the Internet and got an answer, and I did the tracert to 209.191.93.52 and the first hop on the list is the same 64.116.128.201. Then I connected the router again and pinged the same address and I didn't get any answer.

So I was thinking, maybe the problem is with the way my router is connected to the ISP? Should I contact them?

Gustavo

Guys,

I talked to the service provider and they clarified all my doubts. The truth is that I didn't know that the IP address I was attempting to use is not physically accessible the way I was doing it. I have to go to an intermediate firewall and ask for the address. I'm sorry for all the trouble I caused, but I actually learned a lot and now I know I can always post new doubts here and expect to receive very good advice.

Thanks a lot,

Gustavo
