11-29-2006 04:01 AM - edited 03-05-2019 01:05 PM
I have a Cisco 831 router that is configured for high speed internet. For some reason I am not able to ping the outside IP address of the router 38.x.x.198 (times out), even if I remove the 108 access list. I am able, though, to ping the NAT'd IP addresses of my servers 38.x.x.42 and 38.x.x.43. Any idea?
Below is the config:
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
memory-size iomem 25
enable secret 5 hidden
!
no aaa new-model
!
resource policy
!
no ip source-route
!
!
ip cef
no ip domain lookup
ip domain name nextlink.net
ip name-server x.x.x.x
ip name-server x.x.b.b
!
!
!
!
!
!
!
!
interface Ethernet0
ip address 10.0.0.1 255.0.0.0 secondary
ip address 10.10.10.1 255.0.0.0
ip nat inside
ip virtual-reassembly
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address 38.102.x.x.255.255.252
ip access-group 108 in
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.x.x.102.194.197
no ip http server
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat pool nat-1 38.97.x.x.97.68.41 netmask 255.255.255.248
ip nat inside source list 2 pool nat-1 overload
ip nat inside source static 10.0.0.6 38.97.68.42
ip nat inside source static 10.0.0.7 38.97.68.43 extendable
!
access-list 2 permit any
access-list 108 permit icmp any any
access-list 108 permit tcp any any established
access-list 108 permit udp any eq domain any
access-list 108 permit udp any any eq domain
access-list 108 permit tcp any host 38.x.x.42 eq 4899
access-list 108 permit tcp any host 38.97.x.43 eq 4899
access-list 108 permit ip host 67.x.x.166 any
access-list 108 permit ip host 70.x.x.41 any
access-list 108 deny ip any host 38.x.x.42
access-list 108 deny ip any host 38.x.x.43
access-list 108 permit ip any any
no cdp run
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 anotherpassword
login
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
password 7 telnetpassword
login
!
scheduler max-task-time 5000
11-29-2006 04:05 AM
From where are you trying to ping 38.102.194.198 and the NATed IPs of the servers? Is it from the inside LAN or from outside?
Also, can you put the output of sh ip route from your router?
11-29-2006 09:42 AM
From outside the network and have tried from different locations.
here is the show ip routes
#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B -
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA exter
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L
ia - IS-IS inter area, * - candidate default, U - pe
o - ODR, P - periodic downloaded static route
Gateway of last resort is 38.102.194.197 to network 0.0.0.0
38.0.0.0/30 is subnetted, 1 subnets
C 38.102.194.196 is directly connected, Ethernet1
C 10.0.0.0/8 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 38.102.194.197
11-29-2006 04:22 AM
Hi
Where are you trying to ping from? Where is the source of the ping packets?
11-29-2006 05:23 AM
As a suggestion please do not share your actual ip addresses.
Also, if you are trying to ping this IP from outside it should work. Because I tried to ping it and it is working.
Pinging 38.102.194.198 with 32 bytes of data:
Reply from 38.97.68.41: bytes=32 time=246ms TTL=240
Reply from 38.97.68.41: bytes=32 time=366ms TTL=240
Reply from 38.97.68.41: bytes=32 time=411ms TTL=240
Reply from 38.97.68.41: bytes=32 time=346ms TTL=240
If you are trying from outside, please let us know what is the source ip that the packet is taking.
--Pls rate all helpful posts--
11-29-2006 09:40 AM
Thanks for the suggestion.
I am trying to ping from outside. I tried from three different sites and it's timing out or getting "expired in transit".
If you look at the replies you got, you'll see they were not coming from e1 38.102.194.198 but instead from 38.97.68.41.
Any ideas?
11-29-2006 10:38 AM
Maher,
The reason you are getting a response from 38.97.68.41 is because of your NAT configuration.
In the NAT Configuration, you have
ip nat inside source list 2 pool nat-1 overload
access-list 2 permit any
Access-list 2 NATs any traffic sourced from the router, and that is why when you ping 38.102.97.198 you get a response from 38.97.68.41, the NATed IP address.
I am pretty confident that if you reconfigure the NAT Statements, you will see the router respond on the .198 IP Address.
Configure NAT with an extended access-list. For example:
ip nat inside source list 150 pool nat-1 overload
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
Let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **
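A small audit for the misconfiguration described in the reply above, as an added example that is not part of the original thread: it flags dynamic NAT rules whose access list permits source `any`, which also translates traffic the router itself originates. The function names and the sample text (NAT lines taken from the posted config plus the suggested ACL 150) are constructed for illustration.

```python
import re

# Constructed sample: NAT-related lines from the posted config plus the suggested ACL.
SAMPLE_CONFIG = """\
ip nat inside source list 2 pool nat-1 overload
ip nat inside source static 10.0.0.6 38.97.68.42
access-list 2 permit any
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
"""

NAT_RE = re.compile(r"^ip nat inside source list (\S+) (?:pool|interface) (\S+)")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")


def acl_source(acl_id, rest):
    """Return the source field of a numbered ACL entry ('any' or 'addr wildcard')."""
    tokens = rest.split()
    n = int(acl_id)
    # Extended ACLs (100-199, 2000-2699) carry a protocol before the source.
    if 100 <= n <= 199 or 2000 <= n <= 2699:
        tokens = tokens[1:]
    if not tokens:
        return ""
    return "any" if tokens[0] == "any" else " ".join(tokens[:2])


def find_overbroad_nat(config):
    """List (acl, pool) for dynamic NAT rules whose ACL permits source 'any'.

    Assumption: any 'permit ... any' entry counts, without modelling
    earlier deny lines in the same ACL.
    """
    permits_any = set()
    nat_rules = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m and m.group(2) == "permit" and acl_source(m.group(1), m.group(3)) == "any":
            permits_any.add(m.group(1))
        m = NAT_RE.match(line)
        if m:
            nat_rules.append((m.group(1), m.group(2)))
    return [(acl, pool) for acl, pool in nat_rules if acl in permits_any]


if __name__ == "__main__":
    for acl, pool in find_overbroad_nat(SAMPLE_CONFIG):
        print(f"NAT via {pool} uses access-list {acl}, which permits source 'any'")
```

Pointing the NAT rule at list 150 instead of list 2 in the sample makes the function return an empty list, since ACL 150 matches only the 10.0.0.0/8 inside range.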
11-30-2006 04:26 PM
THANKS SO MUCH!!!! That worked.
11-29-2006 10:22 AM
Hi.
Try the following under ethernet1
no ip proxy-arp
--Pls rate all helpful posts--
11-29-2006 01:14 PM
I am still getting the time-out. I am so curious to know.
The reason why I would like e1 to be pingable is because our ISP would like to monitor the Internet status consistently and they use ICMP to do that...
any other ideas?
11-29-2006 08:02 PM
Maher,
Are you saying that you reconfigured the NAT as per my previous e-mail and are still having problems?
Regards,
Arul
11-30-2006 03:54 AM
Thanks Arul,
I will try it and let you know.
12-02-2006 05:10 PM
THANKS SO MUCH!!!! That worked.