
Cannot ping public ip address

Unanswered Question
Jan 29th, 2014

Hi,


Can anyone please help me on this? All internal routes are working but cannot ping outside the internet.

The strange thing is the tunnel is UP. But the router cannot ping the modem or any public IP.


Here's the config on the router:


interface Tunnel65

description ipsec vti to sgsineqnix-gw-2

ip address 10.255.255.14 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.93.246


interface FastEthernet0/0

description ADSL WAN Interface

ip address 177.244.222.58 255.255.255.248

ip access-group firewall in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

duplex auto

speed auto


interface FastEthernet0/1

description internal

ip address 10.160.1.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

duplex auto

speed auto


router eigrp 89

redistribute static

network 10.160.0.0 0.0.31.255

network 10.255.255.12 0.0.0.3

network 10.255.255.32 0.0.0.3

network 10.255.255.40 0.0.0.3

network 10.255.255.92 0.0.0.3

network 10.255.255.100 0.0.0.3

no auto-summary

!

ip route 0.0.0.0 0.0.0.0 177.244.222.57

ip route 10.160.0.0 255.255.224.0 10.160.1.254

!

no ip http server

ip nat translation tcp-timeout 42300

ip nat translation udp-timeout 150

ip nat translation finrst-timeout 45

ip nat translation syn-timeout 45

ip nat translation dns-timeout 45

ip nat translation icmp-timeout 45

ip nat translation max-entries 4000

ip nat pool nat 177.244.222.58 177.244.222.58 netmask 255.255.255.248

ip nat inside source route-map nat pool nat overload

!

ip access-list extended firewall

permit ip any host 177.244.222.58

permit ip any host 177.244.222.57

permit icmp any any

ip access-list extended nat

permit ip 10.160.0.0 0.0.31.255 any

!

route-map nat permit 10

match ip address nat



FastEthernet0/0            177.244.222.58  YES manual up                    up 

FastEthernet0/1            10.160.1.1      YES NVRAM  up                    up 

Serial0/3/0                10.252.160.2     YES NVRAM  down                  down

NVI0                       unassigned      NO  unset  up                    up 

Tunnel61                   10.255.255.102  YES NVRAM  up                    up 

Tunnel65                   10.255.255.14   YES NVRAM  up                    up 

Tunnel152                  10.255.255.42   YES NVRAM  up                    up 

Tunnel6301                 10.255.255.94   YES NVRAM  up                    up 

Tunnel8601                 10.255.255.34   YES NVRAM  up                    up 


Please have a look at my config and check if I'm missing something.


Regards,

Jenna

Forbes Jenalyn Rose Wed, 01/29/2014 - 06:36

I forgot to mention that the modem can ping public ip so I don't think the problem is the modem.

cadet alain Wed, 01/29/2014 - 06:51

Hi,

which subnets can't communicate with outside ? Can the 10.160.1.0/24  subnet go out and not others?

If so change your NAT ACL like this:

ip access-list extended nat

no 10

10 permit ip 10.0.0.0 0.255.255.255 any


Tell us if it solved the problem.


Regards


Alain




Don't forget to rate helpful posts.

Forbes Jenalyn Rose Wed, 01/29/2014 - 07:15

Hi Cadet,


The subnets 10.160.0.0/19 and 10.160.1.0/24 cannot communicate with outside. Even the router cannot ping 4.2.2.2.

I tried to enter the config you gave but still no luck.

Jon Marshall Wed, 01/29/2014 - 07:22

Jenna


What traffic is meant to go via the tunnel ?


Can you post full config of the router.


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 07:42

Hi Jon,


The inter-office traffic is meant to go via tunnels.


Here's the full-config:


Building configuration...


Current configuration : 3719 bytes

!

version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname gw-1

!

boot-start-marker

boot system flash C2801-ipbase-mz.124-7a.bin

boot-end-marker

!

!

no aaa new-model

!

resource policy

!

ip cef

!

!

no ip dhcp use vrf connected

!

ip dhcp pool my-data

   network 10.160.3.0 255.255.255.0

   domain-name domain.net

   dns-server 10.65.20.4

   default-router 10.160.3.254

   lease 0 8

   class vlan30-range

      address range 10.160.3.30 10.160.3.223

!

!

ip dhcp class vlan30-range

!

ip dhcp class my-data

   relay agent information

      relay-information hex 0000000000000a3e03fe mask ffffffffffff00000000

!

ip domain name domain.net

ip name-server 203.121.65.65

login block-for 60 attempts 3 within 30

login delay 10

!

!

!

!

interface Tunnel61

description ipsec vti to aunsweqnix-gw-3

ip address 10.255.255.102 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.109.14

!

interface Tunnel65

description ipsec vti to sgsineqnix-gw-2

ip address 10.255.255.14 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.93.246

!

interface Tunnel152

description ipsec vti to hkhkgdcent-gw-1

ip address 10.255.255.42 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.122.5

!

interface Tunnel6301

description ipsec vti to phmnlccent-gw-3

ip address 10.255.255.94 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.104.4

!

interface Tunnel8601

description ipsec vti to cnshaccent-gw-3

ip address 10.255.255.34 255.255.255.252

ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5

tunnel source 177.244.222.58

tunnel destination 176.215.110.4

!

interface FastEthernet0/0

description ADSL WAN Interface

ip address 177.244.222.58 255.255.255.248

ip access-group firewall in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

duplex auto

speed auto

!

interface FastEthernet0/1

description internal

ip address 10.160.1.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip nat inside

duplex auto

speed auto

!

interface Serial0/3/0

bandwidth 1984

ip address 10.252.160.2 255.255.255.252

encapsulation ppp

fair-queue 64 256 256

!

router eigrp 89

network 10.160.0.0 0.0.31.255

network 10.255.255.12 0.0.0.3

network 10.255.255.32 0.0.0.3

network 10.255.255.40 0.0.0.3

network 10.255.255.92 0.0.0.3

network 10.255.255.100 0.0.0.3

no auto-summary

!

ip route 0.0.0.0 0.0.0.0 177.244.222.57

ip route 10.160.0.0 255.255.224.0 10.160.1.254

!

no ip http server

ip nat translation tcp-timeout 42300

ip nat translation udp-timeout 150

ip nat translation finrst-timeout 45

ip nat translation syn-timeout 45

ip nat translation dns-timeout 45

ip nat translation icmp-timeout 45

ip nat translation max-entries 4000

ip nat pool nat 177.244.222.58 177.244.222.58 netmask 255.255.255.248

ip nat inside source route-map nat pool nat overload

!

ip access-list extended firewall

permit ip any host 177.244.222.58

permit ip any host 177.244.222.57

permit icmp any any

ip access-list extended nat

permit ip 10.160.0.0 0.0.31.255 any

!

route-map nat permit 10

match ip address nat

!

!

control-plane

!

!

Jon Marshall Wed, 01/29/2014 - 07:46

Jenna


If you do a traceroute from a client what is it showing ?


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 07:52

Hi Jon,


Here's a traceroute from the switch:


sw-1# traceroute 4.2.2.2

traceroute to 4.2.2.2 ,

              1 hop min, 30 hops max, 5 sec. timeout, 3 probes

1 10.160.1.1             0 ms       0 ms       0 ms

2  *  *  *

3  *  *  *

4  *  *  *

5  *  *  *

6  *  *  *

7  *  *  *

8  *  *  *

9  *  *  *

Jon Marshall Wed, 01/29/2014 - 07:55

Jenna


Can you ping 177.244.222.57 from the router and then post the output of "sh arp" from the router.


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 07:58

gw-1#ping 177.244.222.57


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 177.244.222.57, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)


gw-1#show arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.160.1.254           12   0023.4797.6640  ARPA   FastEthernet0/1

Internet  10.160.1.1              -   0017.e023.c7ab  ARPA   FastEthernet0/1

Internet  177.244.222.58          -   0017.e023.c7aa  ARPA   FastEthernet0/0

Internet  177.244.222.57          0   c8d3.a3de.b846  ARPA   FastEthernet0/0

Jon Marshall Wed, 01/29/2014 - 08:04

Jenna


Apologies for all the outputs requested. Can you post "sh ip route" from the router ?


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 08:25

show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route


Gateway of last resort is 177.244.222.57 to network 0.0.0.0


     177.244.0.0/29 is subnetted, 1 subnets

C       177.244.222.56 is directly connected, FastEthernet0/0

     172.16.0.0/24 is subnetted, 4 subnets

D EX    172.16.28.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65

D EX    172.16.29.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65

D EX    172.16.24.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65

D EX    172.16.10.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65

     172.31.0.0/24 is subnetted, 1 subnets

D EX    172.31.31.0 [170/297246976] via 10.255.255.93, 05:13:39, Tunnel6301

     192.168.200.0/32 is subnetted, 1 subnets

D EX    192.168.200.3 [170/297246976] via 10.255.255.13, 05:30:08, Tunnel65

     10.0.0.0/8 is variably subnetted, 54 subnets, 4 masks

C       10.255.255.12/30 is directly connected, Tunnel65

D       10.0.0.0/30 [90/297244672] via 10.255.255.13, 05:30:09, Tunnel65

D EX    10.1.0.0/16 [170/297246976] via 10.255.255.13, 05:30:09, Tunnel65

D       10.255.255.4/30 [90/310044416] via 10.255.255.13, 05:30:09, Tunnel65

D       10.0.0.4/30 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.28/30 [90/310044416] via 10.255.255.41, 05:15:34, Tunnel152

                         [90/310044416] via 10.255.255.33, 05:15:34, Tunnel8601

D       10.255.255.16/30 [90/310044416] via 10.255.255.41, 05:35:58, Tunnel152

                         [90/310044416] via 10.255.255.13, 05:35:58, Tunnel65

C       10.255.255.40/30 is directly connected, Tunnel152

D       10.255.255.44/30

           [90/299804416] via 10.255.255.93, 08:18:04, Tunnel6301

C       10.255.255.32/30 is directly connected, Tunnel8601

D       10.255.255.36/30

           [90/299804416] via 10.255.255.93, 08:18:07, Tunnel6301

D       10.63.0.0/19 [90/297246976] via 10.255.255.93, 05:13:39, Tunnel6301

D       10.255.255.60/30

           [90/299804416] via 10.255.255.93, 00:28:16, Tunnel6301

D       10.255.255.48/30

           [90/299804416] via 10.255.255.93, 08:18:04, Tunnel6301

D       10.55.0.0/19 [90/298526976] via 10.255.255.93, 08:18:04, Tunnel6301

D       10.255.255.72/30

           [90/299804416] via 10.255.255.93, 05:14:50, Tunnel6301

D       10.255.255.76/30

           [90/299804416] via 10.255.255.93, 05:14:50, Tunnel6301

D       10.66.0.0/19 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.64/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

D       10.65.0.0/19 [90/297244672] via 10.255.255.13, 05:30:09, Tunnel65

D       10.255.255.68/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

D       10.255.255.88/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

C       10.255.255.92/30 is directly connected, Tunnel6301

D       10.82.0.0/19 [90/298526976] via 10.255.255.93, 05:14:50, Tunnel6301

D       10.255.255.80/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.81.0.0/19 [90/298526976] via 10.255.255.93, 05:13:38, Tunnel6301

D       10.86.0.0/19 [90/297246976] via 10.255.255.33, 05:13:21, Tunnel8601

D       10.255.255.84/30

           [90/298524416] via 10.255.255.93, 00:28:25, Tunnel6301

D       10.255.255.104/30

           [90/310044416] via 10.255.255.33, 05:30:08, Tunnel8601

           [90/310044416] via 10.255.255.13, 05:30:08, Tunnel65

D       10.255.255.108/30

           [90/298524416] via 10.255.255.93, 05:15:33, Tunnel6301

D       10.255.255.96/30

           [90/298524416] via 10.255.255.93, 08:18:05, Tunnel6301

D EX    10.65.32.0/19 [170/310044416] via 10.255.255.13, 05:30:10, Tunnel65

C       10.255.255.100/30 is directly connected, Tunnel61

D       10.255.255.120/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

D       10.255.255.124/30

           [90/310044416] via 10.255.255.33, 05:13:21, Tunnel8601

D       10.255.255.112/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.116/30

           [90/299804416] via 10.255.255.93, 05:13:38, Tunnel6301

D       10.255.255.136/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.140/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.128/30

           [90/299804416] via 10.255.255.93, 05:13:38, Tunnel6301

D       10.255.255.132/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

D       10.152.0.0/19 [90/297246976] via 10.255.255.41, 05:15:10, Tunnel152

D       10.255.255.144/30

           [90/299804416] via 10.255.255.93, 05:14:51, Tunnel6301

D EX    10.171.0.0/16 [170/297246976] via 10.255.255.13, 05:30:10, Tunnel65

D       10.255.255.160/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

S       10.160.0.0/19 [1/0] via 10.160.1.254

C       10.160.1.0/24 is directly connected, FastEthernet0/1

D       10.255.255.184/30

           [90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301

D       10.255.255.188/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.176/30

           [90/299804416] via 10.255.255.93, 00:28:17, Tunnel6301

D       10.255.255.180/30

           [90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.61.224.0/19 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301

D       10.255.255.248/30

           [90/297246976] via 10.255.255.41, 05:15:11, Tunnel152

D       10.255.255.252/30 [90/297247232] via 10.255.255.13, 05:30:10, Tunnel65

S*   0.0.0.0/0 [1/0] via 177.244.222.57

D EX 192.168.0.0/17 [170/297247232] via 10.255.255.13, 05:30:10, Tunnel65

Jon Marshall Wed, 01/29/2014 - 08:41

Jenna


So the tunnels are up and you are receiving routes from the remote destinations, is that correct ?


I just tried tracerouting to your fa0/0 IP address and it stops after three hops only. I also cannot ping that IP.


Do you have any spare IPs from the 177.244.222.56/29 subnet ?


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 08:53

Hi Jon,


Yes, the tunnels are up and can access the router remotely.

We are only using 177.244.222.57 on the modem and .58 on this router.

Jon Marshall Wed, 01/29/2014 - 09:27

Jenna


I am wondering if it is something to do with your NAT config. Is there any chance you could change the nat pool to use a spare IP from the public IPs instead of the fa0/0 interface IP you have and then tie that new NAT pool to your NAT statement.


You may need to clear any existing translations on your router.


It may not work but I think it is worth a try.


Jon

Forbes Jenalyn Rose Wed, 01/29/2014 - 09:47

Hi Jon,


I changed the NAT pool to use 177.244.222.59 and cleared the NAT translations.

But still no luck.

Jon Marshall Wed, 01/29/2014 - 09:56

Jenna


Is this a normal internet connection ?


I have just used ping and traceroute to some of your tunnel destination IPs and they are all fine. But when I traceroute to your 177.244.222.58 address it's not that it is getting lost when it gets to your modem, it is getting lost after only three hops.


It is as though this public IP block has not been advertised to the rest of the internet but your tunnels are working so I am wondering whether this is a standard internet connection or whether it is something specific to the provider.


Jon
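
Added example, not part of any post in this thread: a small Python evaluator for the two extended ACLs in the posted gw-1 config, used to check what the inbound `firewall` ACL on FastEthernet0/0 does to return traffic when the NAT pool is .58 versus the .59 address tried later. The sample packets are constructed, ports are ignored because the posted entries do not match on them, and it assumes IOS checks the inbound ACL before outside-to-inside translation.

```python
import ipaddress

# ACL entries copied from the posted gw-1 config.
FIREWALL = """
permit ip any host 177.244.222.58
permit ip any host 177.244.222.57
permit icmp any any
"""
NAT = "permit ip 10.160.0.0 0.0.31.255 any"

def take_addr(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ip_network accepts a contiguous wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = take_addr(rest)
        dst, rest = take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries

def evaluate(entries, proto, src, dst):
    """First matching entry wins; unmatched packets hit the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, acl_proto, src_net, dst_net in entries:
        if acl_proto in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"

def report():
    fw, nat = parse_acl(FIREWALL), parse_acl(NAT)
    # Constructed sample packets, not captured traffic.
    return {
        "echo reply 4.2.2.2 -> .58": evaluate(fw, "icmp", "4.2.2.2", "177.244.222.58"),
        "echo reply 4.2.2.2 -> .59": evaluate(fw, "icmp", "4.2.2.2", "177.244.222.59"),
        "DNS reply -> .58": evaluate(fw, "udp", "203.121.65.65", "177.244.222.58"),
        "DNS reply -> .59": evaluate(fw, "udp", "203.121.65.65", "177.244.222.59"),
        "NAT 10.160.1.10": evaluate(nat, "icmp", "10.160.1.10", "4.2.2.2"),
        "NAT 10.255.255.14": evaluate(nat, "icmp", "10.255.255.14", "4.2.2.2"),
    }

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:28} {verdict}")
```

ICMP replies are permitted to either address, so this ACL does not explain the failed pings, but with the pool on .59 every non-ICMP reply falls through to the implicit deny unless a matching permit is added.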
