Cisco 877 WAN - HELP!!!

Unanswered Question
Mar 31st, 2010

Hi All,

I have the following problem.

I have a Cisco 877 which I am connecting very basically to my internal and external interfaces. The internal interface works fine, but the external interface does not ping. It is a direct Ethernet connection, NO ADSL is being used here. (running Cisco IOS 12.4(15)T10 advanced IP)

- The internal interface is on Vlan 2 (fa1)

- The external interface is on Vlan 1 (fa0)

- From the internal interface I can ping the internal gateway and the external IP address on the router.

- If I connect a laptop set with the external IP I can reach first hop. And if I set a laptop as a fake first hop I can reach the router.

- If I connect everything to a switch, all devices set with an external IP work, but the Cisco 877 can still not be pinged.

All in all, the interfaces seem to be working fine. The internet connection is also working fine, it's just the ISP gateway that doesn't want to communicate with the router.

Anyone with any ideas ???

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
clock timezone Beijing 8
!
crypto pki trustpoint TP-self-signed-2737135560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2737135560
revocation-check none
rsakeypair TP-self-signed-2737135560
!
!
crypto pki certificate chain TP-self-signed-2737135560
certificate self-signed 01
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.199.20.1 10.199.20.2
ip dhcp excluded-address 10.199.20.61 10.199.20.62
!
ip dhcp pool ccp-pool
   import all
   network 10.199.20.0 255.255.255.192
   default-router 10.199.20.1
   domain-name test.test.com
   dns-server 10.199.15.10 10.199.20.10
   lease 8 2
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
!
crypto ipsec transform-set crypto-transform-test esp-3des esp-md5-hmac
!
crypto map crypto-map-test-FastEthernet0 1 ipsec-isakmp
description Tunnel to tes
set peer 122.41.88.162
set transform-set crypto-transform-test
set pfs group2
match address crypto-acl-test
reverse-route
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
ip address 119.118.126.234 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.199.20.1 255.255.255.192
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 119.118.126.233
ip route 10.199.20.0 255.255.255.192 Vlan2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended crypto-acl-test
remark SDM_ACL Category=4
permit ip 10.199.39.0 0.0.0.63 10.0.0.0 0.255.255.255
permit ip 10.199.39.0 0.0.0.63 192.168.0.0 0.0.255.255
permit ip 10.199.39.0 0.0.0.63 172.0.0.0 0.255.255.255
!
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 10.199.20.0 0.0.0.63 172.0.0.0 0.255.255.255
access-list 100 deny   ip 10.199.20.0 0.0.0.63 192.168.0.0 0.0.255.255
access-list 100 deny   ip 10.199.20.0 0.0.0.63 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.199.20.0 0.0.0.63 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
banner exec

!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 9999 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

pompeychimes Wed, 03/31/2010 - 10:34

I don't understand what you are saying. Can you please clarify?

Thanks,

James

nathan.carroll@... Wed, 03/31/2010 - 13:48

Hi All,

I will clarify further.

  <---10.199.20.1--->fe1[Cisco 877] fe0<-----122.41.88.162---------------------122.41.88.163------> [Fiber box with Ethernet cable]

It has got to be the most basic of basic connections. Two VLANs - one with an internal, one with an external IP and a default route to first hop.

If I connect a laptop direct to the fiber box it works a treat and I get an internet connection. So at least I can confirm the connection is active and working.

I've never played much with VLAN trunking, could this be an issue connecting to the ISP first hop? (just a random stab in the dark...)

So yeah... never had this kind of problem in the past, just wondering if anyone has ever seen anything similar.

Thanks,

Nathan

pompeychimes Thu, 04/01/2010 - 00:10

I'm still unsure as to what your actual problem is. I think you are saying that your router's Internet-facing interface (119.118.126.234) cannot be pinged from the Internet and you want to know why?

Is this correct?

James

nathan.carroll@... Thu, 04/01/2010 - 00:22

Yes James, that is correct. We cannot ping the internet-facing interface from the internet.

But like I said before, the internet connection is active and working, we tested using a laptop.

pompeychimes Thu, 04/01/2010 - 00:36

OK. So everything works, you're just curious as to why the interface won't ping.

When you replaced the router with the laptop, were you able to ping the laptop from the Internet?

James

pompeychimes Thu, 04/01/2010 - 00:56

Follow Neeraj's suggestion to create VLAN 2 and you should be all set.

James

smitty6504 Wed, 03/31/2010 - 11:27

remove ip route 10.199.20.0 255.255.255.192 Vlan2

add under vlan 1
ip nat outside


Then try to ping your ISP gateway with an extended ping.

Neeraj Arora Wed, 03/31/2010 - 21:47

Nathan,

Three things to take care of in the config:

1. "ip nat outside" is required on interface Vlan1

2. "ip route 10.199.20.0 255.255.255.192 Vlan2" is really not required as it's a directly connected subnet

3. "ip nat inside source route-map SDM_RMAP_1 interface vlan1 overload" statement is missing which will enable NAT for inside users

After making the above changes, try pinging 119.118.126.233 from the router as well as from a host connected on inside interface.

Hope it helps.

Neeraj

nathan.carroll@... Wed, 03/31/2010 - 22:21

Hi Neeraj,

I will test what you have said shortly.

Also, why do you say that "ip nat outside" is required? I would have thought the interface would ping from the external regardless of any NAT settings?

Neeraj Arora Wed, 03/31/2010 - 22:30

Well, that was something which was not very clear from the problem description: whether you are trying to ping the ISP gateway IP or another public IP (as depicted in your explanation).

Yes, you are correct that NAT is not required when simply pinging the next hop from the router as it's in the same subnet and logically it should ping.

I just remembered another possible reason for this, you are using Vlan2 as outside interface. Did you create a layer two vlan corresponding to Interface vlan2?

Issue "sh ip interface brief" and check if protocol status of vlan2 is showing as "down". If yes, then issue "sh vlan-sw" and confirm if you have vlan2 present in the vlan database or not.

If it's not there, then you would need the following commands:

router#vlan database

router(vlan)#vlan 2

router(vlan)#exit

nathan.carroll@... Thu, 04/01/2010 - 02:31

Ok guys, here is the latest running config, still not working

Current configuration : 5755 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
!
no aaa new-model
clock timezone Beijing 8
!
crypto pki trustpoint TP-self-signed-2737135560
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2737135560
revocation-check none
rsakeypair TP-self-signed-2737135560
!
!
crypto pki certificate chain TP-self-signed-2737135560
certificate self-signed 01
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.199.20.1 10.199.20.2
ip dhcp excluded-address 10.199.20.61 10.199.20.62
!
ip dhcp pool ccp-pool
   import all
   network 10.199.20.0 255.255.255.192
   default-router 10.199.20.1
   domain-name test.test.com
   dns-server 10.199.15.10 10.199.20.10
   lease 8 2
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
!
crypto ipsec transform-set crypto-transform-test esp-3des esp-md5-hmac
!
crypto map crypto-map-test-FastEthernet0 1 ipsec-isakmp
description Tunnel to test
set peer 122.41.88.162
set transform-set crypto-transform-test
set pfs group2
match address crypto-acl-test
reverse-route
!
archive
log config
  hidekeys
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 119.118.126.234 255.255.255.248
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.199.20.1 255.255.255.192
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 119.118.126.233
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Vlan1 overload
!
ip access-list extended crypto-acl-test
remark SDM_ACL Category=4
permit ip 10.199.20.0 0.0.0.63 10.0.0.0 0.255.255.255
permit ip 10.199.20.0 0.0.0.63 192.168.0.0 0.0.255.255
permit ip 10.199.20.0 0.0.0.63 172.0.0.0 0.255.255.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.199.20.0 0.0.0.63
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 10.199.20.0 0.0.0.63 172.0.0.0 0.255.255.255
access-list 100 deny   ip 10.199.20.0 0.0.0.63 192.168.0.0 0.0.255.255
access-list 100 deny   ip 10.199.20.0 0.0.0.63 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.199.20.0 0.0.0.63 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 9999 0
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

Connected as follows:

<---10.199.20.1--->fe1[Cisco 877] fe0<-----122.41.88.162---------------------122.41.88.163------> [Fiber  box with Ethernet cable]

Cannot ping gateway from router using extended ping

Cannot ping gateway going through the router from the internal network

Command 'sh ip interface brief' showed FE0, FE1, VLAN1 and VLAN2 as up/up

We just tested a Linksys router in place of the Cisco and it worked fine!

Any new ideas ?

Thanks,

Nathan

nathan.carroll@... Thu, 04/01/2010 - 02:42

TEST#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  administratively down down
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
NVI0                       119.118.126.234 YES unset  up                    up
Vlan1                      119.118.126.234 YES NVRAM  up                    up
Vlan2                      10.199.20.1     YES NVRAM  up                    up
TEST#sh vlan-sw

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0, Fa3
2    VLAN0002                         active    Fa1, Fa2
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        1002   1003
2    enet  100002     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        1      1003
1003 tr    101003     1500  1005   0      -        -    srb      1      1002
1004 fdnet 101004     1500  -      -      1        ibm  -        0      0
1005 trnet 101005     1500  -      -      1        ibm  -        0      0

Neeraj Arora Thu, 04/01/2010 - 03:03

Now this is becoming strange... hmmmm...

Okay, here are my final suggestions (I am out of ideas after these):

- Disable CEF using the command "no ip cef" and check again

- Try changing the cable. I assume that you must be using a straight cable right now, as you mentioned in your original post that connecting a PC to Fa0 works fine, so try using a crossover cable with the ISP's device and the Fa0 port

- Shut - no shut the Fa0 and vlan1

- Try another port, test with Fa3

- Try a reload of the router

- If it still does not work, then try issuing the debug "debug ip packet detail", assuming that no other traffic is traversing. You can also use an ACL in this debug command to limit the debugs.

If you see anything such as "Encapsulation failed" in the debugs then most probably the hardware is bad, either the port itself or the router's backplane. But that's something I cannot confirm.

I hope something from the above options works for you.

nathan.carroll@... Thu, 04/01/2010 - 03:45

*Mar  1 05:01:07.270: IP: tableid=0, s=119.118.126.234 (local), d=119.118.126.233 (Vlan1), routed via RIB
*Mar  1 05:01:07.270: IP: s=119.118.126.234 (local), d=119.118.126.233 (Vlan1),
*Mar  1 05:01:07.270:     ICMP type=8, code=0
*Mar  1 05:01:07.270: IP: s=119.118.126.234 (local), d=119.118.126.233 (Vlan1),len 100, encapsulation failed

Encapsulation Failed .....

You were right Neeraj

nathan.carroll@... Thu, 04/01/2010 - 03:54

Protocol  Address          Age (min)  Hardware Addr   Type   Interf
Internet  10.199.20.1             -   9caf.ca44.4998  ARPA   Vlan2
Internet  10.199.20.3             0   0003.9d75.20a5  ARPA   Vlan2
Internet  119.118.126.233         0   Incomplete      ARPA
Internet  119.118.126.234         -   9caf.ca44.4998  ARPA   Vlan1

So can anyone shed some light on why I'm not getting an entry in the ARP table?

Keeping in mind it is only a problem with the Cisco router, all other devices we have plugged into test have worked.
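
Added example, not part of the thread: the Python below cross-checks each static route's next hop against the connected subnets in the config and the `show ip arp` output. That is the relationship the last two posts uncover, since an Incomplete ARP entry for the next hop is why the debug reports "encapsulation failed". The function names are hypothetical and the sample input is constructed from the config and ARP table posted above.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the config and ARP table posted in the thread.
RUNNING_CONFIG = """\
interface Vlan1
 ip address 119.118.126.234 255.255.255.248
interface Vlan2
 ip address 10.199.20.1 255.255.255.192
ip route 0.0.0.0 0.0.0.0 119.118.126.233
"""
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.199.20.1             -   9caf.ca44.4998  ARPA   Vlan2
Internet  10.199.20.3             0   0003.9d75.20a5  ARPA   Vlan2
Internet  119.118.126.233         0   Incomplete      ARPA
Internet  119.118.126.234         -   9caf.ca44.4998  ARPA   Vlan1
"""

def connected_networks(config):
    """Map interface name -> connected IPv4 network from 'ip address' lines."""
    nets, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and current:
            nets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return nets

def arp_table(output):
    """Map IP -> hardware address, or None when the entry is 'Incomplete'."""
    table = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "Internet":
            # Age is a single token ("-" or minutes), so the hardware address is field 3.
            table[fields[1]] = None if fields[3] == "Incomplete" else fields[3]
    return table

def check_next_hops(config, arp_output):
    """Return (next_hop, interface, verdict) for each static route with an IP next hop."""
    nets, arp, results = connected_networks(config), arp_table(arp_output), []
    for m in re.finditer(r"^ip route \S+ \S+ (\d+\.\d+\.\d+\.\d+)", config, re.M):
        hop = m.group(1)
        iface = next((i for i, n in nets.items() if ipaddress.ip_address(hop) in n), None)
        if iface is None:
            verdict = "next hop is not on any connected subnet"
        elif arp.get(hop) is None:
            verdict = "no ARP reply from next hop (encapsulation will fail)"
        else:
            verdict = "resolved to " + arp[hop]
        results.append((hop, iface, verdict))
    return results
```

Calling `check_next_hops(RUNNING_CONFIG, SHOW_IP_ARP)` on the sample reports the default route's next hop as on-subnet for Vlan1 but unresolved at layer 2.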
