can't ping anything outside.

bennyPeoples
Level 1

Hi,

I was setting up a new router but it looks impossible to ping outside. Here is my running config.


Current configuration : 6548 bytes
!
! Last configuration change at 10:05:20 brussel Tue Jun 6 2017 by benny
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ....
enable password 7 ...
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone brussel 1 0
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.230 192.168.1.240
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VZWLEEF
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.251 192.168.1.100
!
!
!
ip domain name leef.local
ip name-server 195.130.130.4
ip name-server 195.130.131.4
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3250918178
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3250918178
 revocation-check none
 rsakeypair TP-self-signed-3250918178
!
!
crypto pki certificate chain TP-self-signed-3250918178
 certificate self-signed 01
        quit
license udi pid CISCO1941/K9 sn FCZ2112B0RG
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
 any
!
object-group network Others_src_net
 any
!
object-group service Others_svc
 ip
!
object-group network Web_dst_net
 any
!
object-group network Web_src_net
 any
!
object-group service Web_svc
 ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
!
object-group network vpn_remote_subnets
 any
!
username benny privilege 15 password 7
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect Web
  inspect
 class type inspect Others
  inspect
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
!
interface GigabitEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 zone-member security LAN
!
interface GigabitEthernet0/1
 description PrimaryWANDesc_
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip ssh version 2
!
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended teamviewer
 permit tcp any any eq 5938
 permit udp any any eq 5938
 permit tcp any any eq 443
!
!
!
access-list 1 permit any
!
!
!
control-plane
!
!
!
line con 0
 login authentication local_access
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 privilege level 15
 password 7 142717041C082F38047A606572
 logging synchronous
 login authentication local_access
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
!
end

Does anyone have an idea where I'm wrong?

19 Replies

Hi,

I tested for 3 days with a laptop getting its IP through DHCP from the ISP. This device keeps having access and can ping Google, etc. I can trace, as you see in the message below.

So there must be something I misconfigured, I think. I hope that someone finds the misconfiguration.

Any suggestions?

-

I know, but for resolving the issue I had permit any. I already changed it back. Thank you for the reply!

Benny

Mark Malone
VIP Alumni

Hi

Have you got your public IP address on G0/1 off the ISP? Can you ping that IP?

I would remove the zone security until you have your internet connection up and running off the g0/1 interface

I have disabled the zone security for G0/1 and G0/0.1

I have set a static route to the gateway of the ISP. I can ping outside now but have a success rate of 40% or sometimes 60%. Any idea?
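
An added example, not part of any post in this thread and not Cisco tooling: a small Python check over a running-config excerpt for the three points the replies touch on, namely the default route that names only the interface, the NAT source list that permits any, and which zone directions have a zone-pair. The excerpt is constructed (modelled on the config posted above), and the function name `audit` is an assumption made for the example.

```python
import re

# Constructed excerpt modelled on the running-config posted in this thread.
SAMPLE = """\
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
interface GigabitEthernet0/0.1
 ip nat inside
 zone-member security LAN
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 zone-member security WAN
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 1 permit any
"""

IPV4 = re.compile(r"\d+(\.\d+){3}")

def audit(config):
    """Return a list of findings for an IOS running-config given as text."""
    findings, zones, pairs, iface = [], {}, set(), None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif not line.startswith(" "):
            iface = None  # left interface configuration mode
        if iface and (m := re.match(r" zone-member security (\S+)", line)):
            zones[iface] = m.group(1)
        if m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pairs.add((m.group(1), m.group(2)))
        if line.startswith("ip route 0.0.0.0 0.0.0.0 "):
            hops = line.split()[4:]
            # Flag a default route that names only an interface (no gateway address).
            if hops and not any(IPV4.fullmatch(t) or t == "dhcp" for t in hops):
                findings.append(f"default route via {hops[0]} has no next-hop address")
        if m := re.match(r"ip nat inside source list (\S+)", line):
            acl = re.escape(m.group(1))
            if re.search(rf"^access-list {acl} permit any$", config, re.M):
                findings.append(f"NAT source list {m.group(1)} permits any source")
    # Zone-based firewall: inter-zone traffic is dropped unless a zone-pair
    # exists for that direction, so list every direction that has none.
    used = sorted(set(zones.values()))
    for src in used:
        for dst in used:
            if src != dst and (src, dst) not in pairs:
                findings.append(f"no zone-pair {src} -> {dst}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

A missing WAN -> LAN zone-pair is reported as a fact about the policy, not as a fault: replies to LAN-initiated sessions are returned by the `inspect` action, and only sessions initiated from the WAN side are dropped.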
