cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
623
Views
0
Helpful
7
Replies

Ping issues behind Gi ether interface

gmaccisco1
Level 1
Level 1

Hi guys,

I am having a little issue with ping behind a gi Interface of a router connected to another router via a pint to point T1.

at my end of the T1 I have two subnets connectedto two different physical Interface of a Cisco 3825 router. at the other end of the T1, I have a 1720 series (son to be replaced with a 3825) router. I can ping all the Interfaces whe I am on any of the routers but oin the remote router I cannot ping any hosts behind the hi0/0 interface at my end?

I can ping any host at my end while on the hosts at the remote location. only from the remote router prompt I cannot ping hosts at my end behind the GI interfcae.

any thoughts on this is greatly appreciated.

I have attached config for both routers and have put comments in te body of the config text file.

Thx,

Masood

1 Accepted Solution

Accepted Solutions

Hi Masood,

Good to know it worked. The reason is the normal ACLs implementation is different from ACLs which are used in class maps and route maps.

When you say route map permit and matches the ACLs configured it looks for the ACL and when ACL is permit it makes the condition TRUE for route map and route map will take the action as mentioned and in your case when you say permit in your ACL it matches the route map and condition set in route map is followed which will override the routing table routes and will follow the route set in your route map.

When you say deny in your ACL it fails the route map check and will follow the routes available in normal routing table and thats the trick.

HTH

Ankur

*Pls rate helpfull post

View solution in original post

7 Replies 7

ankbhasi
Cisco Employee
Cisco Employee

Hi Friend,

As you mentioned only from the remote router prompt you cannot ping hosts at my end router behind the GI interfcae and I bellive ethe reason for that is your policy route which will redirect the traffic to your firewall inside interface.

When you ping from remote router prompt the source will be your 10.222.222.2 and destination will be any host behind your gig interface which you ping but when the returen trffic goes back it will check the route map which you have configured and it will match the access list

"access-list 102 permit ip 10.1.1.0 0.0.0.255 any" due to which it will override the routing table and follow the route set in route map which will redirect the traffic to your firewall inside interface and I believe there is the problem.

So try changing the route map ACLS and see if that resolves the issue.

HTH

Ankur

Hi and thanks for getting back to me. you are right but I have put a permit statement both in router as you saw and it the Firewall to permit ICMP in general.

so whe you say check the ACL, in what sense I can add or remove from my ACL to accomodate for this? I need the ACLs to be in place but I need the ping too.

Thx,

Masood

Hi again,

you see, i can do extended ping alright but not the normal ping from the prompt of that remote router. I have put permit icmp any any frominside to outside and vice versa on mmy Firewall and Permit ACL for icmp from 10.5.1.0/24 (the subnet for that remote router whichis an extension to our office via a pint to point router so considered inside)on the router at my end of the T1 but still the normal ping fails but extended OK.

I am trying to copy tftp flash to that remote router with tftp being on my machine on 10.1.1.0/24 subnet and the remote router being on 10.5.1.0/24 subnet at the otherside of the T1 line and that tftp fails, time out.

the funny thing being I can ping that subnet as total from the DOS prompt of my machine and I can ping any machine at my end from that remote end.

this has really confused me.

any thoughts?

Thx,

Masood

Hi Masood,

Yeah you will be able to do the extended ping and even any machine behind the remote end router on fastethernet interface will be able to ping anywhere on your end router to machines behind gig interface.

The reason is simple because when you do extended ping your source is 10.5.1.1 and destination is for suppose somewhere behind gig interface like 10.1.1.x, this ping will cross remote end router and will reach your end routerand now there will be a returen traffic where source again will be 10.1.1.x and destination will be 10.5.1.1 because you did extended ping and now it will check teh route map configured on your gig interface for returen traffic.

And as per your route map you have a deny statement "access-list 102 deny ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255" which means it will not follow a route set by your route map but wil lfollow a normal routing table so it will not hit your firewall and will straight go out from your router checking the route which you have configured

"ip route 10.5.1.0 255.255.255.0 10.222.222.2"

So I am sure when you traffic is coming from your remote end router from sourec of your serial interface to destination of your gis interface it will hit the firewall and there is some configuration issue with firewall.

Why don't you add two more deny statement to your ACL 102 something like this

access-list 102 deny ip 10.1.1.0 0.0.0.255 110.222.222.2 0.0.0.0

access-list 102 deny ip 10.1.4.0 0.0.0.255 110.222.222.2 0.0.0.0

And update me if this works and I believe it will work.

HTH

Ankur

*Pls rate helpfull post

Hey it did work!

sorry for my late respons. I was away on a busineess trip to remote site.

yes it did work but why? can you please explain why did worked? I was thinking of a permit statement and here a deny statement did the trick?

Please advise,

Masood

Hi Masood,

Good to know it worked. The reason is the normal ACLs implementation is different from ACLs which are used in class maps and route maps.

When you say route map permit and matches the ACLs configured it looks for the ACL and when ACL is permit it makes the condition TRUE for route map and route map will take the action as mentioned and in your case when you say permit in your ACL it matches the route map and condition set in route map is followed which will override the routing table routes and will follow the route set in your route map.

When you say deny in your ACL it fails the route map check and will follow the routes available in normal routing table and thats the trick.

HTH

Ankur

*Pls rate helpfull post

thanks man.

masood

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco