2911 unable to ping from LAN to WAN

Jobin Varghese
Level 1

I have the following setup, where the Cisco ME 3400 is provided by the ISP.

[Image: 2911v2.jpg]

My Cisco 2911 is configured as below:

CORE_Router#sh run

Building configuration...

Current configuration : 6075 bytes

!

! No configuration change since last restart

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CORE_Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

no ip domain lookup

ip name-server x.x.6.5

ip name-server x.x.57.230

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-144954112

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-144954112

revocation-check none

rsakeypair TP-self-signed-144954112

!

!

crypto pki certificate chain TP-self-signed-144954112

certificate self-signed 01

        quit

license udi pid CISCO2911/K9 sn FCZ154670GK

!

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.2400

description $STC_DIA6$

encapsulation dot1Q 2400

ip address x.x.88.5 255.255.255.252

!

interface GigabitEthernet0/1

description $VPN_LAN$

ip address 128.1.0.200 255.255.248.0

duplex auto

speed auto

!

interface GigabitEthernet0/2

ip address 192.168.6.254 255.255.255.0

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 x.x.88.6

!

!

!

!

control-plane

!

!

!

line con 0

logging synchronous

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end

However, I am not able to ping the WAN from the LAN:

CORE_Router#ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 92/99/104 ms

CORE_Router#ping 4.2.2.2 source 192.168.6.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

Packet sent with a source address of 192.168.6.254

.....

Success rate is 0 percent (0/5)

CORE_Router#ping 192.168.6.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.6.1, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CORE_Router#ping 192.168.6.1 source x.x.88.5

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.6.1, timeout is 2 seconds:

Packet sent with a source address of x.x.88.5

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

CORE_Router#ping x.x.88.6 source 192.168.6.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to x.x.88.6, timeout is 2 seconds:

Packet sent with a source address of 192.168.6.254

.....

Success rate is 0 percent (0/5)

Is there anything yet to be added to the configuration?

John Blakley
VIP Alumni

Skimming over the config, it looks like you can ping WAN addresses from the WAN and LAN addresses from the LAN, but if you source from an inside address to the outside you can't? If that's the case, you'll need to configure natting on this router.

HTH,

John

HTH, John *** Please rate all useful posts ***

Yes John, that's the issue. I did apply ip nat on the WAN and LAN interfaces, but I was still unable to, hence I reverted back to this configuration.

This config won't work without natting though. Can you post the natted config so we can see it?

HTH, John *** Please rate all useful posts ***

Out of work now, but can you specify what changes with natting I should make to this configuration?

The easiest is something like the following:

access-list 10 permit 192.168.6.0 0.0.0.255

ip nat inside source list 10 interface GigabitEthernet0/0.2400 overload

interface GigabitEthernet0/0.2400

ip nat outside

int g0/2

ip nat inside

HTH,

John

Please rate useful posts...

HTH, John *** Please rate all useful posts ***

Thanks a lot, John. Indeed, I had not added

ip nat inside source list 10 interface GigabitEthernet0/0.2400 overload

CORE_Router#sh run

Building configuration...

Current configuration : 6445 bytes

!

! Last configuration change at 06:09:51 UTC Sat Apr 28 2012 by netadmin

! NVRAM config last updated at 06:09:53 UTC Sat Apr 28 2012 by netadmin

! NVRAM config last updated at 06:09:53 UTC Sat Apr 28 2012 by netadmin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname CORE_Router

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

no ipv6 cef

ip source-route

ip cef   

!

!

!

!

!

no ip domain lookup

ip name-server x.x.6.5

ip name-server x.x.57.230

multilink bundle-name authenticated

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-144954112

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-144954112

revocation-check none

rsakeypair TP-self-signed-144954112

!

!

crypto pki certificate chain TP-self-signed-144954112

certificate self-signed 01

        quit

license udi pid CISCO2911/K9 sn FCZ154670GK

!

!

!

!        

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/0.2400

description $STC_DIA6$

encapsulation dot1Q 2400

ip address x.x.88.5 255.255.255.252

ip nat outside

ip virtual-reassembly in

!

interface GigabitEthernet0/1

description $VPN_LAN$

ip address 128.1.0.200 255.255.248.0

duplex auto

speed auto

!

interface GigabitEthernet0/2

description $WAN_LAN$

ip address 192.168.6.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 10 interface GigabitEthernet0/0.2400 overload

ip route 0.0.0.0 0.0.0.0 x.x.88.6

!

access-list 10 permit 192.168.6.0 0.0.0.255

!

!

!        

control-plane

!

!

!

line con 0

logging synchronous

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

end
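
The fix in this thread came down to one missing piece out of three (inside interface, outside interface, and the `ip nat inside source list ... overload` rule with its ACL). The following Python check is an added example, not code from the thread or from Cisco: it parses a running-config and reports which piece of the NAT overload setup is absent. The function name `audit_pat` and the sample configuration are assumptions constructed for illustration, and only standard numbered ACL entries of the form `permit <network> <wildcard>` are handled.

```python
import ipaddress
import re

def audit_pat(config):
    """List the pieces of a NAT-overload (PAT) setup missing from an IOS config."""
    iface, addrs, roles, acls, rules = None, {}, {}, {}, []
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif line == "!":
            iface = None  # '!' ends the interface block
        elif iface and (m := re.match(r"ip address (\d\S*) (\d\S*)", line)):
            addrs[iface] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif iface and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[iface] = m[1]
        elif m := re.match(r"access-list (\d+) permit (\d\S*) (\d\S*)", line):
            # ip_network() takes the wildcard mask as-is (0.0.0.0 would read as /0)
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            acls.setdefault(m[1], []).append(net)
        elif m := re.match(r"ip nat inside source list (\d+) interface (\S+) overload", line):
            rules.append((m[1], m[2]))
    inside = [i for i, r in roles.items() if r == "inside"]
    outside = [i for i, r in roles.items() if r == "outside"]
    findings = [f"no 'ip nat {r}' interface" for r in ("inside", "outside") if r not in roles.values()]
    if not rules:
        findings.append("no 'ip nat inside source list' rule")
    for acl, out_if in rules:
        if out_if not in outside:
            findings.append(f"{out_if} is not 'ip nat outside'")
        if acl not in acls:
            findings.append(f"access-list {acl} is not defined")
            continue
        for i in inside:
            if i in addrs and not any(addrs[i].subnet_of(n) for n in acls[acl]):
                findings.append(f"access-list {acl} does not cover {i}")
    return findings
# Constructed sample; 203.0.113.0/30 is a documentation range, not the poster's WAN.
INTERFACES_ONLY = """interface GigabitEthernet0/0.2400
 ip address 203.0.113.5 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/2
 ip address 192.168.6.254 255.255.255.0
 ip nat inside
!
"""
WITH_RULE = INTERFACES_ONLY + """access-list 10 permit 192.168.6.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0.2400 overload
"""
```

`audit_pat(INTERFACES_ONLY)` reports the missing translation rule, which is the state the original poster describes before the fix; `audit_pat(WITH_RULE)` returns an empty list.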
