06-06-2017 02:14 AM - edited 03-08-2019 10:52 AM
Hi,
I was setting up a new router, but it looks impossible to ping outside. Here is my running config.
Current configuration : 6548 bytes
!
! Last configuration change at 10:05:20 brussel Tue Jun 6 2017 by benny
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ....
enable password 7 ...
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone brussel 1 0
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.200
ip dhcp excluded-address 192.168.1.230 192.168.1.240
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool VZWLEEF
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.251 192.168.1.100
!
!
!
ip domain name leef.local
ip name-server 195.130.130.4
ip name-server 195.130.131.4
ip cef
no ipv6 cef
!
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3250918178
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3250918178
revocation-check none
rsakeypair TP-self-signed-3250918178
!
!
crypto pki certificate chain TP-self-signed-3250918178
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323530 39313831 3738301E 170D3137 30363031 31333036
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32353039
31383137 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ADCC 8BD7DB62 3058641D FBD5E8D4 EAC94844 41F6EE51 9F95B435 8E1FB09E
5DF6A7FF 80A25477 40C29EDB AEFCC20F FC96F4A4 0CFE6B6F 3D0058C3 03423957
F5395CDB 9FB55CDC F6B81BDF D153151F 755ADC8C 550D9315 94BE2610 55809EF8
A7693E75 9E49A7D2 A97723F2 1299DD18 B00A16C6 CFDF659C 16112181 E9274BFD
64A70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1487D54B 0E47AA08 164B3349 4A260602 305047AB 88301D06
03551D0E 04160414 87D54B0E 47AA0816 4B33494A 26060230 5047AB88 300D0609
2A864886 F70D0101 05050003 818100A5 A8F6B776 28BAAF23 797723AC B8312942
EBFCC51D 3955875C D0C52DD2 1E557582 20D975A0 6F5D8B1C FDB877A2 06435723
FBBF190D AE471B34 98193118 2A149DEC 99A1DE28 C70B73A2 A5099305 7E4440DD
38434D93 62C222A5 9B10E9B6 43F162C1 10F9505A 8720FF83 7AD66B87 B848D75F
DC4AACEE 796B3727 AF5A0AD0 6EE5CD
quit
license udi pid CISCO1941/K9 sn FCZ2112B0RG
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
!
object-group network vpn_remote_subnets
any
!
username benny privilege 15 password 7
!
redundancy
!
!
!
!
!
!
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect Web
inspect
class type inspect Others
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
zone-member security LAN
!
interface GigabitEthernet0/1
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip ssh version 2
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended teamviewer
permit tcp any any eq 5938
permit udp any any eq 5938
permit tcp any any eq 443
!
!
!
access-list 1 permit any
!
!
!
control-plane
!
!
!
line con 0
login authentication local_access
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 0 0
privilege level 15
password 7 142717041C082F38047A606572
logging synchronous
login authentication local_access
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
!
end
Anyone who has an idea where I'm wrong?
06-06-2017 02:24 AM
I have already taken my G0/1 out of the WAN zone, but with no success. I can ping hosts outside in the same subnet, but not google.com or its nameservers 8.8.8.8 and 8.8.4.4.
06-06-2017 02:33 AM
OK, so can you ping the far side of the public IP address of your WAN interface, the provider side?
Did the provider tell you to set it up that way? I'm just wondering, as it looks like a standard edge internet setup, but I don't see any PPPoE or PPPoA in place, just a default route. What is the ISP using as its connection to its network?
06-06-2017 02:42 AM
We get an IP through DHCP, and on the other routers that use the same ISP I have not configured anything more than obtaining an IP address through DHCP. I only create a default route and an access list, which I have set to permit anything for now, to allow NAT.
The strange thing is that I can connect through the IP over SSH from my remote desk, but can't ping our IP.
06-06-2017 02:49 AM
the strange thing is that I can connect through the IP over SSH from my remote desk, but can't ping our IP.
That sounds as if the ISP or the device in front of you has some type of filter in place denying ICMP traffic, like a firewall.
If all you configure is DHCP and a default route, the same as your other sites, then speak to your ISP, as that's what you have done. Usually though, unless these are private lines, you need some form of configuration for the ISP connection, like PPPoE. But if you're saying you don't, then I would speak to the ISP and ask them why it's not working. Compare the working routing table to the non-working router's and see what you're retrieving from the ISP differently.
There's nothing wrong with your config in what's in place, but only the ISP you're connecting to can tell you what exactly is required for their connection.
What happens when you trace out from the router to Google? Trace from the LAN interface:
traceroute 8.8.8.8 source g0/0
06-06-2017 03:12 AM
I did the trace from G0/0.1 because g0/0 does not have an IP configured, but it looks like the trace did not even get through G0/1 to the outside.
R1#traceroute 8.8.8.8 source g0/0.1
Type escape sequence to abort.
Tracing the route to 8.8.8.8
VRF info: (vrf in name/id, vrf out name/id)
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
06-06-2017 03:17 AM
Yes, that's what I meant, sorry; you can't trace off an interface with no IP, it's L2. You don't have IP service there with your ISP; you're not breaking out at all from what it's showing, no routing available.
The DHCP IP address on the WAN g0/1, is it up/up? Can you ping that IP address and also the far side of it, even the next hop of the DHCP IP?
What device is connected to the router? Is it an ISP modem?
06-06-2017 03:21 AM
I can ping my own IP and also IPs within the subnet.
GigabitEthernet0/0.1 192.168.1.1 YES NVRAM up up
GigabitEthernet0/0.10 192.168.10.1 YES NVRAM up up
GigabitEthernet0/0.20 192.168.20.1 YES NVRAM up up
GigabitEthernet0/0.30 192.168.30.1 YES NVRAM up up
GigabitEthernet0/1 81.82.234.241 YES DHCP up up
NVI0 unassigned YES unset up up
R1#ping 81.82.234.241
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.82.234.241, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R1#ping 81.82.234.245
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 81.82.234.245, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 20/22/24 ms
R1#
Maybe you learn more from the output of show ip int g0/1:
GigabitEthernet0/1 is up, line protocol is up
Internet address is 81.82.234.241/18
Broadcast address is 255.255.255.255
Address determined by DHCP
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP multicast fast switching is enabled
IP multicast distributed fast switching is disabled
IP route-cache flags are Fast, CEF
Router Discovery is disabled
IP output packet accounting is disabled
IP access violation accounting is disabled
TCP/IP header compression is disabled
RTP/IP header compression is disabled
Policy routing is disabled
Network address translation is enabled, interface in domain outside
BGP Policy Mapping is disabled
Input features: Common Flow Table, Stateful Inspection, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check
Output features: Post-routing NAT Outside, Common Flow Table, Stateful Inspection, CCE Post NAT Classification, Firewall (firewall component), NAT ALG proxy
IPv4 WCCP Redirect outbound is disabled
IPv4 WCCP Redirect inbound is disabled
IPv4 WCCP Redirect exclude is disabled
06-06-2017 03:27 AM
If you can reach the far end of your subnet, not directly connected to the router, that's a public IP, but you can't reach Google, then the issue is something to do with the ISP or your connected modem or whatever is giving you the DHCP IP address, as your default route is breaking you out that far, which shows your IP path is working to that point.
Can you take a show ip route of the working router you were saying is identical and working in setup, and a show ip route of this non-working one, to see what the difference is?
The only thing that could change on the router side is the g0/1 to the actual next-hop IP address; other than that your config is right.
If the running config is identical to an already working router, it's the ISP or the device in front of the router causing the issue.
06-06-2017 03:40 AM
Those devices are not in the same building. I also forgot to mention that last Friday this config worked for about an hour or so (while I was testing); then I was at home trying again and it stopped working.
Are there any logs we can learn from about what changed at that moment?
06-06-2017 03:46 AM
If what you're saying is right then no, as it's all controlled by the ISP. Usually you would have some form of connection medium, MPLS, ATM etc., but all you're using is a default route and pushing everything out to the ISP once you get your address. If that's the correct case, then all your routing etc. is handled by the ISP, not by you locally.
There is nothing to troubleshoot as it's a default route; if it was PPPoE or something else you could check authentication etc. I would check if you do have that correct, as you would rarely see a customer with just a default route. That means anyone that connects up to that circuit can access their network by just pointing to their network? Doesn't seem right.
Personally I think you're missing config off the router to work with the ISP circuit; the reason I think that is you can break out as far as their next hop, but no further into the actual internet.
From designs I have seen previously, quite a lot like yours, the modem in front of you should be in bridge mode; you should get the public IP address, and the PPPoE or PPPoA should be on the local Cisco router instead of the modem.
06-06-2017 04:00 AM
I have looked for it, and our provider Telenet is not using PPPoE or PPPoA. I contacted them, and that guy thinks it has something to do with the fixed IP that they provide through DHCP and MAC address.
I must connect a laptop to the modem and use that MAC to get the fixed IP assigned to this device; then they are going to look for issues on their side.
Hope they solve this very quickly :-) Thanks a lot, and maybe I'll come back on this when it's not their problem.
06-06-2017 04:02 AM
If you're not using their service, then it can only be them or the modem, as I was saying; you can't troubleshoot a default route, it just pushes everything to them to look after and route. Good luck.
06-06-2017 01:58 PM
For about 10 hours now I have had a laptop connected with the dedicated IP, obtained through DHCP and MAC address. It looks like that keeps working fine at the moment.
These are the tracert from that machine and also the IP and DNS data from the machine.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\a.kevin>tracert 8.8.8.8
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:
1 9 ms 13 ms 11 ms d5152c001.static.telenet.be [81.82.192.1]
2 10 ms 9 ms 9 ms dD5E0CB39.access.telenet.be [213.224.203.57]
3 19 ms 11 ms 10 ms dD5E0FA6F.access.telenet.be [213.224.250.111]
4 12 ms 12 ms 16 ms nl-ams05a-rd1-te-6-0-0.aorta.net [213.46.183.101]
5 15 ms 20 ms 20 ms 74.125.51.52
6 14 ms 17 ms 13 ms 108.170.241.236
7 15 ms 23 ms 20 ms 209.85.241.49
8 19 ms 15 ms 20 ms 72.14.234.214
9 15 ms 17 ms 16 ms 108.170.232.7
10 * * * Request timed out.
11 19 ms 17 ms 21 ms google-public-dns-a.google.com [8.8.8.8]
Trace complete.
C:\Users\a.kevin>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : L-20
Primary Dns Suffix . . . . . . . : leef.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : leef.local
telenet.be
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : telenet.be
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : B8-6B-23-6A-77-B7
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 81.82.234.241(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.192.0
Lease Obtained. . . . . . . . . . : Tuesday, June 6, 2017 13:40:16
Lease Expires . . . . . . . . . . : Wednesday, June 7, 2017 0:21:50
Default Gateway . . . . . . . . . : 81.82.192.1
DHCP Server . . . . . . . . . . . : 195.130.137.21
DNS Servers . . . . . . . . . . . : 195.130.130.4
195.130.131.4
NetBIOS over Tcpip. . . . . . . . : Enabled
06-08-2017 02:48 AM
It looks like I resolved the issue. I added a static route 0.0.0.0 0.0.0.0 81.82.192.1
and deleted the static route 0.0.0.0 0.0.0.0 g0/1.
For now this did the trick.
Is it an option to enter dhcp at the end of the first static route?
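An added example, not part of the thread or of anyone's post in it: a small Python audit of the running-config posted at the top. It parses the default route and reports what the router has to ARP for under each form of the command, which is the difference between the original `ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1` and the `81.82.192.1` next hop that fixed it: a static route that names only a multi-access Ethernet interface makes IOS ARP for every destination address itself, so reaching the Internet depends on the upstream gateway proxy-ARPing, whereas a next-hop address is resolved once. The `ip route 0.0.0.0 0.0.0.0 dhcp` form the poster asks about is valid IOS syntax and takes the gateway from the DHCP lease (note that `ip address dhcp` already installs such a default route with administrative distance 254, which the AD 1 static route to the interface was overriding). The same pass also flags the hardening issues visible in the posted config: the NAT ACL `access-list 1 permit any`, the `access-class 23 in` that references an ACL never defined, `transport input telnet`, `exec-timeout 0 0`, and the type 7 `enable password` kept next to `enable secret`. The `CONFIG` string is a constructed excerpt of the posted config and the check names are my own.

```python
"""Audit an IOS running-config excerpt for the connectivity and hardening
issues discussed in the thread. Added example; not from the original post."""
import re

# Constructed excerpt of the posted running-config: only the lines the
# checks below look at are included.
CONFIG = """\
enable secret 5 ....
enable password 7 ...
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
access-list 1 permit any
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 transport input telnet ssh
"""

# ip route <prefix> <mask> <interface | next-hop | dhcp> [next-hop]
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+\.\d+\.\d+\.\d+))?")
IPV4_RE = re.compile(r"^\d+\.\d+\.\d+\.\d+$")


def parse_default_routes(config):
    """Return each 0.0.0.0/0 static route as a dict: iface, next_hop, dhcp."""
    routes = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m or (m.group(1), m.group(2)) != ("0.0.0.0", "0.0.0.0"):
            continue
        third, fourth = m.group(3), m.group(4)
        route = {"line": raw.strip(), "iface": None, "next_hop": None, "dhcp": False}
        if third == "dhcp":
            route["dhcp"] = True            # gateway taken from the DHCP lease
        elif IPV4_RE.match(third):
            route["next_hop"] = third       # classic next-hop form
        else:
            route["iface"], route["next_hop"] = third, fourth  # iface [+ next-hop]
        routes.append(route)
    return routes


def arp_target(route, destination):
    """Address the router must resolve at layer 2 to forward `destination`.

    Interface-only route: IOS ARPs for the destination itself, so it only
    works if the upstream gateway proxy-ARPs for the whole Internet.
    Next-hop (static or DHCP-learnt): the gateway is resolved once.
    """
    if route["next_hop"]:
        return route["next_hop"]
    if route["dhcp"]:
        return "gateway from DHCP option 3"
    return destination


def audit(config):
    """Return (check_id, message) findings for the excerpt."""
    lines = [raw.strip() for raw in config.splitlines()]
    findings = []

    defined_acls = set()
    for s in lines:
        m = re.match(r"^access-list (\d+) ", s) or \
            re.match(r"^ip access-list (?:standard|extended) (\S+)", s)
        if m:
            defined_acls.add(m.group(1))

    for route in parse_default_routes(config):
        if route["iface"] and not route["next_hop"] and not route["dhcp"]:
            findings.append(("default-route-iface-only",
                             f"'{route['line']}' relies on proxy ARP from the upstream; "
                             "use a next-hop address or 'ip route 0.0.0.0 0.0.0.0 dhcp'"))

    nat_acl = None
    for s in lines:
        m = re.match(r"^ip nat inside source list (\S+) ", s)
        if m:
            nat_acl = m.group(1)
    if nat_acl and any(re.match(rf"^access-list {nat_acl} permit any\b", s) for s in lines):
        findings.append(("nat-acl-permit-any",
                         f"NAT ACL {nat_acl} permits any source; restrict it to the LAN subnets"))

    for s in lines:
        m = re.match(r"^access-class (\S+) in", s)
        if m and m.group(1) not in defined_acls:
            findings.append(("vty-acl-undefined",
                             f"access-class {m.group(1)} references an ACL that is not defined, "
                             "so the VTY lines are not restricted by it"))
        if re.match(r"^transport input .*\btelnet\b", s):
            findings.append(("vty-telnet", "telnet is allowed on the VTY lines; use 'transport input ssh'"))
        if s == "exec-timeout 0 0":
            findings.append(("vty-no-timeout", "exec-timeout 0 0 disables the idle timeout on management sessions"))
        if re.match(r"^enable password 7 ", s):
            findings.append(("enable-password-type7",
                             "enable password uses reversible type 7 encoding; keep only 'enable secret'"))
    return findings


if __name__ == "__main__":
    for route in parse_default_routes(CONFIG):
        print(f"{route['line']} -> ARP for {arp_target(route, '8.8.8.8')} to reach 8.8.8.8")
    for check_id, message in audit(CONFIG):
        print(f"[{check_id}] {message}")
```

Run it against a full `show running-config` capture by reading the file into `CONFIG`; the ACL check covers both numbered and named lists, so a `nat-list`-style named ACL bound to the NAT statement is recognised as defined.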