1408 Views, 0 Helpful, 5 Replies

No Outbound Traffic, but ping from router works

datacubesystems (Level 1)

Attached is the config of a firewall we have. (External IP addresses changed to protect the innocent :-))

We are able to ping using the ping command on the router, but devices on the 10.10.11.x subnet are unable to ping, browse, or do anything.

Can someone help me out?

Thank you so much!

 

Command was: show running-config


Building configuration...

Current configuration : 10278 bytes
!
version 12.4
no service pad
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname HFC_SR520
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$RLcN$e9XyVs5S6vsGOte/325L01
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3043343413
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3043343413
 revocation-check none
 rsakeypair TP-self-signed-3043343413
!
!
crypto pki certificate chain TP-self-signed-3043343413
 certificate self-signed 01
  30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303433 33343334 3133301E 170D3132 31303233 31383030
  32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30343333
  34333431 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DA3E A85D8767 B93153E2 9F9AF221 5195E075 BA8DD306 0D6FE2CD E0E1FE47
  86F442CC A7306FCE 291E6E53 7AB8CABE 6D090304 AA152E96 2AB1450A 74691AC0
  F5A712CD 9E1C8F6F F7893600 678A2CA4 A1A883C9 C6B29943 39579073 904F0D2B
  5ECA6733 108600EF CC54483C 72DA9682 5D8B271D 6C7F9C38 1748544E C64A99CF
  1D630203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
  551D1104 22302082 1E484643 5F535235 32302E68 65726261 66616D69 6C796368
  69726F2E 636F6D30 1F060355 1D230418 30168014 650180BE 280E80DE C62AFE04
  E156724A CCA93517 301D0603 551D0E04 16041465 0180BE28 0E80DEC6 2AFE04E1
  56724ACC A9351730 0D06092A 864886F7 0D010104 05000381 810023B9 34449631
  74E7158C 9B2FDFF4 89F1AB17 5BB48BE5 791735EA 1D7C52A2 6CA72B47 E014566E
  69EBA8C6 BCCB1912 E2563D5B D82121E2 6FD689F7 F3E0B24F 112E1A4C CD62B46E
  E73F8861 B03CC461 C4A31950 4C29A0DA 2CF6BBCC D6F0BAE7 676BE319 12DA71F6
  07175AA1 25F8BA75 544AFF73 0E3635BC CAEC05F7 5C563CA7 1211
      quit
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.11.1 10.10.11.10
!
ip dhcp pool workstations
   network 10.10.11.0 255.255.255.128
   domain-name test.local
   netbios-node-type h-node
   default-router 10.10.11.1
   dns-server 10.10.11.5 8.8.8.8 8.8.4.4
!
ip dhcp pool telco
   network 192.168.10.0 255.255.255.128
   domain-name sillyonline.com
   netbios-node-type h-node
   default-router 192.168.10.1
   dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip domain name testcustomer.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name INSP100 appfw IMApps
ip inspect name INSP100 cuseeme
ip inspect name INSP100 dns
ip inspect name INSP100 ftp
ip inspect name INSP100 h323
ip inspect name INSP100 https
ip inspect name INSP100 icmp
ip inspect name INSP100 imap reset
ip inspect name INSP100 pop3 reset
ip inspect name INSP100 netshow
ip inspect name INSP100 rcmd
ip inspect name INSP100 realaudio
ip inspect name INSP100 rtsp
ip inspect name INSP100 esmtp
ip inspect name INSP100 sqlnet
ip inspect name INSP100 streamworks
ip inspect name INSP100 tftp
ip inspect name INSP100 tcp
ip inspect name INSP100 udp
ip inspect name INSP100 vdolive
login block-for 1800 attempts 3 within 300
login quiet-mode access-class RemoteSSH
login on-failure log
no ipv6 cef
!
appfw policy-name IMApps
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$zyQh$UAbs83OaXkKPNMr2SfYHx/

!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh maxstartups 3
ip ssh time-out 10
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet4
ip ssh logging events
ip ssh version 2
!
class-map match-any Download
 match protocol http
 match protocol ftp
class-map match-any Voice
 match  dscp ef
 match protocol rtcp
 match protocol sip
 match protocol rtp audio
 match protocol h323
 match ip rtp 10000 2000
class-map match-any Streaming
 match protocol rtsp
 match protocol gnutella
 match protocol fasttrack
 match protocol kazaa2
 match protocol rtp video
 match protocol bittorrent
 match protocol cuseeme
!
!
policy-map Limit-In
 class Voice
   police rate 1000000
     conform-action set-dscp-transmit ef
     exceed-action set-dscp-transmit default
     violate-action set-dscp-transmit default
 class Streaming
    police 60000
 class Download
    police 6000000
policy-map QoS
 class Voice
    priority 600
  set dscp ef
 class class-default
    police 800000
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN Interface
 ip address 71.45.52.194 255.255.255.248
 ip access-group WanACL in
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 service-policy input Limit-In
 service-policy output QoS
!
interface Vlan1
 description Inside Interface
 ip address 10.10.11.1 255.255.255.128
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 description Telco Interface
 ip address 192.168.10.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
!
ip local pool SSLVPN 10.10.15.5 10.10.15.15
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 71.45.52.193
!
no ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.11.5 6900 interface FastEthernet4 6900
ip nat inside source static tcp 10.10.11.5 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.11.1 443 interface FastEthernet4 443
!
ip access-list extended RemoteSSH
 permit tcp 10.10.11.0 0.0.0.255 any range 22 telnet
 permit tcp 192.168.10.0 0.0.0.127 any range 22 telnet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit tcp host 71.41.125.40 any eq 22
 deny   ip any any log
 permit tcp 10.10.11.0 0.0.0.127 any range 22 telnet
 permit tcp host 24.173.169.102 any eq 22
ip access-list extended WanACL
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 permit udp host 192.43.244.18 eq ntp any
 permit udp 72.21.26.0 0.0.0.31 eq ntp any gt 1023
 permit udp host 8.8.8.8 eq domain any gt 1023
 permit udp host 8.8.4.4 eq domain any gt 1023
 permit udp any gt 1023 any range 1024 5060
 permit udp any gt 1023 any range 10000 12000
 permit gre any any
 permit tcp host 71.41.125.40 any eq 22
 permit tcp any host 71.45.52.194 eq 6900
 permit tcp any any established
 permit icmp any any echo log
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
!
logging trap debugging
!
!
!
!
!
control-plane
!
banner login ^C
----------------------------------------------------------------
Cisco Integrated Services Router
Unauthorized access prohibited.  All User access will be logged.
----------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.43.244.18 prefer source FastEthernet4
!
webvpn gateway Test-SSL-VPN
 hostname Test-SSL_881
 ip address 71.45.52.194 port 443  
 ssl trustpoint TP-self-signed-2371334855
 inservice
 !
webvpn install svc flash:/webvpn/macosx.pkg sequence 2
 !
webvpn context TestPortal
 title "Test VPN Portal"
 ssl authenticate verify all
 !
 !
 policy group SSLVPN_1
   functions svc-enabled
   hide-url-bar
   svc address-pool "SSLVPN"
   svc keep-client-installed
   svc split include 10.10.11.0 255.255.255.128
 default-group-policy SSLVPN_1
 gateway Test-SSL-VPN
 max-users 10
 inservice
!
end

 

5 Replies

jpl861 (Level 4)
Where is your access-list 1 that is being used for NAT?

I am honestly not sure. Is it possible to have a login that you hide a list from? That was gotten from logging in as admin, but there are two other logins that the previous guy put in there too, which I removed from the config to hide the usernames :-)

I don't think so. Your configuration points to local login and there are no privilege exec level, etc., configurations, so I guess this is the complete configuration, unless it was accidentally removed.

No, the only two lines I removed were the other admin accts.

It's really bizarre. I can ping from the router, but from anything behind it I can't. The default gateway is set correctly on the machines behind it; they can't ping an IP or a hostname.

Here's what you can do: run a non-stop ping from a workstation, then check show ip nat translation on the router to see if it is doing NAT.
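Worked check for the question in the first reply, added here for this thread (it is not Cisco tooling and not code from the poster). The NAT statement "ip nat inside source list 1 interface FastEthernet4 overload" names access-list 1, and the posted running-config never defines it, so no inside packet is ever selected for translation: hosts on 10.10.11.0/25 and 192.168.10.0/25 would leave FastEthernet4 with their private source addresses and never get an answer, while the router itself, sourcing from its own WAN address, can still ping. The script below walks a config, reports every ACL that is referenced but never defined together with what IOS does in that case, and builds the standard ACL the overload statement needs from the interfaces marked "ip nat inside". SAMPLE_CONFIG is a constructed excerpt of the posted config; the effect text encodes the documented IOS behaviour that an undefined list in a NAT statement translates nothing while an undefined list applied with "ip access-group" permits all traffic, and the access-class case is left for verification on the platform.

```python
"""Lint a Cisco IOS running-config for ACLs that are referenced but never
defined, and propose the standard ACL a NAT overload statement needs.

Added example for this thread, not Cisco tooling. SAMPLE_CONFIG is a
constructed excerpt of the config posted in the thread (same addresses)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
interface FastEthernet4
 description WAN Interface
 ip address 71.45.52.194 255.255.255.248
 ip access-group WanACL in
 ip nat outside
!
interface Vlan1
 ip address 10.10.11.1 255.255.255.128
 ip nat inside
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.128
 ip nat inside
!
login quiet-mode access-class RemoteSSH
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.11.5 80 interface FastEthernet4 80
!
ip access-list extended RemoteSSH
 permit tcp 10.10.11.0 0.0.0.127 any eq 22
 deny   ip any any log
ip access-list extended WanACL
 permit tcp any any established
 deny   ip any any log
"""


@dataclass(frozen=True)
class Finding:
    acl: str       # the referenced list name or number
    context: str   # the config line that references it
    effect: str    # consequence of the list being undefined


# Each place an ACL can be referenced, with what IOS does if the list is
# missing. NAT with an undefined list translates nothing (fail closed);
# ip access-group with an undefined list permits everything (fail open).
# The access-class effect is deliberately left as "verify" (assumption).
REFERENCE_PATTERNS = [
    (re.compile(r"^\s*ip nat inside source list (\S+)"),
     "NAT matches no packets: inside hosts are never translated (fail closed)"),
    (re.compile(r"^\s*ip access-group (\S+) (?:in|out)"),
     "interface filter absent: all traffic passes (fail open)"),
    (re.compile(r"^\s*(?:login quiet-mode )?access-class (\S+)"),
     "line/quiet-mode filter references a missing list; verify on the platform"),
]

DEFINITION_PATTERNS = [
    re.compile(r"^\s*access-list (\d+) "),
    re.compile(r"^\s*ip access-list (?:standard|extended) (\S+)"),
]


def defined_acls(config: str) -> set[str]:
    """Names and numbers of every ACL the config actually defines."""
    names: set[str] = set()
    for line in config.splitlines():
        for pat in DEFINITION_PATTERNS:
            m = pat.match(line)
            if m:
                names.add(m.group(1))
    return names


def undefined_acl_references(config: str) -> list[Finding]:
    """Every ACL reference whose target is not defined anywhere in config."""
    defined = defined_acls(config)
    findings: list[Finding] = []
    for line in config.splitlines():
        for pat, effect in REFERENCE_PATTERNS:
            m = pat.match(line)
            if m and m.group(1) not in defined:
                findings.append(Finding(m.group(1), line.strip(), effect))
    return findings


def suggested_nat_acl(config: str, number: str) -> list[str]:
    """Standard ACL permitting exactly the subnet of each 'ip nat inside'
    interface, i.e. the hosts the overload statement is meant to translate."""
    rules: list[str] = []
    addr = None
    for line in config.splitlines():
        if line.startswith("interface "):
            addr = None                      # new interface block
        m = re.match(r"^\s*ip address (\S+) (\S+)\s*$", line)
        if m:                                # dotted mask -> /prefix
            addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        if line.strip() == "ip nat inside" and addr is not None:
            net = addr.network
            rules.append(f"access-list {number} permit "
                         f"{net.network_address} {net.hostmask}")
    return rules


if __name__ == "__main__":
    for f in undefined_acl_references(SAMPLE_CONFIG):
        print(f"undefined ACL {f.acl!r} in '{f.context}': {f.effect}")
        if f.context.startswith("ip nat inside source list"):
            print("\n".join(suggested_nat_acl(SAMPLE_CONFIG, f.acl)))
```

Run against the excerpt, the only undefined reference is list 1 on the NAT statement, and the proposed fix is the two lines "access-list 1 permit 10.10.11.0 0.0.0.127" and "access-list 1 permit 192.168.10.0 0.0.0.127" (the /25 subnets of Vlan1 and Vlan10, the only interfaces marked ip nat inside). The rest of the posted config is consistent with that diagnosis: WanACL already permits "tcp any any established" and "icmp any any echo-reply", so translated return traffic is allowed once translations exist, and the continuous-ping check with show ip nat translation suggested above should then start showing entries. Keep the fail-open caveat in mind when reviewing other configs: a typo in a list name on ip access-group silently removes the filter, whereas the same typo on a NAT statement silently removes connectivity.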