Cisco 1921 cannot see internal network

Answered Question
Oct 22nd, 2014
Hi all,

It has been a long time since I configured a Cisco router, but I have been asked to as I am the only one with any sort of background in this in our organisation.

I have put a Cisco 1921 on our network for one specific server to access an external network via a serial connection. However, I have configured this and it is on a switch that the server in question is on.

I am accessing the router via a console cable and cannot ping anything on this network; however, the ARP table is being populated by devices on the network.

Sorry if this is an obvious mistake, but I am a bit stumped myself.

Thanks for any advice

The config is -

xxxxxxxxx#show run
Building configuration...

Current configuration : 2610 bytes
!
! Last configuration change at 12:39:01 UTC Wed Oct 22 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 4 xxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FCZ1802C4VH
!
!
object-group network Ext_svr
 host x.x.x.5
!
object-group network Int_svr
 host 10.10.9.10
!
username admin secret 4 xxxxxxxxxxxxxxxxxxxxxxxx
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
!
interface GigabitEthernet0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.10.9.100 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 description Link to xxxxxx
 ip address 10.x.x.5 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static 10.x.x.x.5 10.10.9.100
ip route x.x.x.199 255.255.255.255 10.x.x.6
!
access-list 101 permit tcp object-group Int_svr object-group Ext_svr eq 6006
access-list 101 permit icmp object-group Int_svr object-group Ext_svr echo
access-list 101 deny   ip any any
!
!
!
control-plane
!
!
banner login ^CCCCC
-----------------------------------------------------------------------
Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 xxxxxxxxxxxxxxx
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

aedamasceno Wed, 10/22/2014 - 07:04
Hello friend

If I were you I'd start over.

1 - Save that config in the flash "copy running-config flash:current-config"

1 - Configure your interface with the intended IP.

2 - Create a static route pointing to the Gateway of that IP's network.

ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX (where the Xs you put the gateway of that network).

3 - After establishing that config, start pinging your network. If it pings, which I believe it will, then you add your access-lists, NATs and such. If you can be more specific about your NATs, I can help you out with it. Please let me know what you're trying to accomplish, and I will be glad to point you in the right direction.

I will be following this issue with you.

Correct Answer
Richard Burts Wed, 10/22/2014 - 07:07
Let me start with an observation. I understand the need to sometimes obscure addressing when posting in public forums. But since you are already using private network 10.0.0.0, what are you protecting by doing 10.x.x.5? It makes it more difficult to read and understand the config and does not increase the security of your network.

The reason why you cannot ping anything is that when you send the ping request you expect to receive a ping reply. But your access list on the interface is not allowing the ping reply.

HTH

Rick
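
The point made in the answer above, as an added example that is not part of the original thread: a first-match evaluation of the posted access-list 101, applied inbound on GigabitEthernet0/1, against the echo reply a LAN host sends back to the router. ARP is not IP traffic, so an IP ACL does not filter it, which is why the ARP table still fills. The Ext_svr address (192.0.2.5), the LAN host (10.10.9.20) and the extra permit entry are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

EXT_SVR = "192.0.2.5"       # constructed placeholder for the redacted Ext_svr host
INT_SVR = "10.10.9.10"      # object-group Int_svr in the posted config
ROUTER_LAN = "10.10.9.100"  # GigabitEthernet0/1 address in the posted config

class Ace(NamedTuple):
    action: str
    proto: str                       # "ip" matches any IP protocol
    src: str                         # network in CIDR form, or "any"
    dst: str
    dport: Optional[int] = None      # TCP destination port, None = any
    icmp_type: Optional[str] = None  # ICMP message type, None = any

class Packet(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

# access-list 101 as posted, applied "in" on GigabitEthernet0/1
ACL_101 = [
    Ace("permit", "tcp", INT_SVR + "/32", EXT_SVR + "/32", dport=6006),
    Ace("permit", "icmp", INT_SVR + "/32", EXT_SVR + "/32", icmp_type="echo"),
    Ace("deny", "ip", "any", "any"),
]

def addr_match(rule: str, addr: str) -> bool:
    return rule == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(rule)

def evaluate(acl, pkt):
    """Return (action, index of first matching entry); no match is the implicit deny."""
    for i, ace in enumerate(acl):
        if (ace.proto in ("ip", pkt.proto)
                and addr_match(ace.src, pkt.src) and addr_match(ace.dst, pkt.dst)
                and ace.dport in (None, pkt.dport)
                and ace.icmp_type in (None, pkt.icmp_type)):
            return ace.action, i
    return "deny", None

# Reply from a LAN host (constructed address) to a ping sent from the router console.
reply = Packet("icmp", "10.10.9.20", ROUTER_LAN, icmp_type="echo-reply")
# Hypothetical extra entry placed ahead of the deny; not taken from the thread.
ACL_FIXED = ACL_101[:2] + [
    Ace("permit", "icmp", "10.10.9.0/24", ROUTER_LAN + "/32", icmp_type="echo-reply"),
] + ACL_101[2:]

if __name__ == "__main__":
    print(evaluate(ACL_101, reply))    # falls through to the explicit deny
    print(evaluate(ACL_FIXED, reply))  # matches the added permit
```

In IOS syntax the hypothetical entry would read `access-list 101 permit icmp 10.10.9.0 0.0.0.255 host 10.10.9.100 echo-reply`, placed before the `deny ip any any` line.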

stc.leahy Thu, 10/23/2014 - 03:30
Hi Richard,

Yes, it is the ACLs. I have just put a permit any in there and all is up, so I will build the ACLs again now.

Thanks
