
Can ping from Router, but not from Client PC

ddevecka
Level 1

I configure routers about once or twice a year, so I am a noob.

I just set up a basic config on a 2600 series router, but I can't get to the internet through the router. From the router I can ping 4.2.2.2 and the next hop, but from the client PC I can ping the inside and outside interfaces but not the next hop router or 4.2.2.2. Here is a copy of my config.

Thanks for any pointers.

 

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-Loaner
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
enable password ******
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 172.18.0.1 172.18.127.255
!
ip dhcp pool NET-POOL
   network 172.18.0.0 255.255.0.0
   default-router 172.18.0.1
   dns-server 1.8.13.144 1.8.15.10
   lease 10
!
ip audit po max-events 100
!
!
!
!
interface FastEthernet0/0
 ip address 1.18.54.2 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.18.0.1 255.255.0.0
 duplex auto
 speed auto
!
!
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 1.18.54.1
!
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 password ******
 login
!
!
end

 


hbackus
Level 1

Do you have an access list to permit traffic?

 

ip access-list extended acl-Internet-In
 permit icmp any host 1.18.54.2 echo-reply
 permit icmp any host 1.18.54.2 unreachable
 permit icmp any host 1.18.54.2 source-quench
 permit icmp any host 1.18.54.2 redirect
 permit icmp any host 1.18.54.2 echo
 permit icmp any host 1.18.54.2 time-exceeded
 permit icmp any host 1.18.54.2 parameter-problem
 permit icmp any host 1.18.54.2 timestamp-request
 permit icmp any host 1.18.54.2 timestamp-reply
 permit icmp any host 1.18.54.2 information-request
 permit icmp any host 1.18.54.2 information-reply
!
interface FastEthernet0/0
 ip address 1.18.54.2 255.255.255.192
 ! ACL names are case-sensitive; this must match the name defined above
 ip access-group acl-Internet-In in
 duplex auto
 speed auto
!

 

Marvin Rhoads
Hall of Fame

No access-list is necessary since there is no security setup on this router (by the way it's wide open to all sorts of hacking in many ways).

As to why your host cannot reach the internet while the router can, you don't have any NAT setup. Without it, your host's private IP address will pass unchanged via the router and your provider will not route private IP address ranges.

The configuration details vary according to whether you want to simply allow outbound (inside-initiated) or inbound traffic.

RDGamm
Level 1

I have the same issue.  I can reply with captured CLI info.

show run
Building configuration...

Current configuration : 2596 bytes
!
! Last configuration change at 15:34:43 Central Tue Aug 29 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DNCEF
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ############################
!
no aaa new-model
clock summer-time Central recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.30.254
!
ip dhcp pool INTERNET
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.20.187 192.168.20.254 8.8.8.8
 netbios-name-server 192.168.30.254
 domain-name 192.168.30.254
 lease 0 2
!
!
!
ip name-server 195.202.128.2
ip name-server 195.202.128.3
ip name-server 192.168.20.254
ip cef
login on-success log every 12
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
!
license udi pid CISCO1921/K9 sn
!
!
!
redundancy
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.21
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 ip address 192.168.20.187 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip default-gateway 192.168.20.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 3 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.254
!
!
!
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
!
control-plane
!
!
banner motd ^C


-------------------------------------------------------

Unauthorized is prohibited.  You must contact the administrator for more
details.  Please disconnect and call the local administrator.

______________________________________________________________

^C
!
line con 0
 exec-timeout 20 30
 password 7 ###############
 logging synchronous
 login
line aux 0
line 2
 exec-timeout 20 30
 password 7 ###############
 logging synchronous
 login
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 20 30
 password 7 #################
 logging synchronous
 login
 transport input none
!
scheduler allocate 20000 1000
!
end

DNCEF#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.20.254 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.20.254
      192.168.20.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.20.0/24 is directly connected, GigabitEthernet0/1/0
L        192.168.20.187/32 is directly connected, GigabitEthernet0/1/0
      192.168.30.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.30.0/24 is directly connected, GigabitEthernet0/0
L        192.168.30.254/32 is directly connected, GigabitEthernet0/0
DNCEF#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   885a.9264.74a1  ARPA   GigabitEthernet0/1
Internet  192.168.20.96          57   0024.508e.10c0  ARPA   GigabitEthernet0/1/0
Internet  192.168.20.187          -   885a.9264.74b0  ARPA   GigabitEthernet0/1/0
Internet  192.168.20.254          0   c8d7.1924.3417  ARPA   GigabitEthernet0/1/0
Internet  192.168.30.1            0   34e6.d70c.f059  ARPA   GigabitEthernet0/0
Internet  192.168.30.254          -   885a.9264.74a0  ARPA   GigabitEthernet0/0

DNCEF#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (192.168.20.254) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.139.180.149, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/48 ms
DNCEF#ping 192.168.30.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
DNCEF#

Hello RDGamm

You have both domain and domain-less NAT enabled; however, that shouldn't cause NAT to fail, it will just NAT on the defined NAT statement you specify. However, your access-list encompasses the outside interface IP range, so try amending that.

no access-list 3
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.30.0 0.0.0.255
access-list 3 permit 10.1.1.0 0.0.0.255

res
Paul

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
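
Added example (not part of any post in this thread): a Python check for the two failures discussed above, a config with no NAT rule at all (the original post) and a NAT source ACL that does not match the inside subnets (RDGamm's `access-list 3`). The function name `audit` and the config excerpts, cut down from the posted configs, are assumptions of this example; it only handles `list`-based `ip nat inside source` rules and contiguous wildcard masks.

```python
import ipaddress
import re
# Excerpts constructed from the configs posted in this thread.
OP_CONFIG = """\
interface FastEthernet0/0
 ip address 1.18.54.2 255.255.255.192
interface FastEthernet0/1
 ip address 172.18.0.1 255.255.0.0
ip route 0.0.0.0 0.0.0.0 1.18.54.1
"""
RDGAMM_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1/0
 ip address 192.168.20.187 255.255.255.0
 ip nat outside
ip nat inside source list 3 interface GigabitEthernet0/1/0 overload
access-list 3 permit 192.168.0.0 0.0.0.255
"""

def audit(config):
    """Return findings for inside subnets that the NAT source ACL never matches."""
    addr, inside, nat_lists, acls, iface = {}, set(), [], {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr[iface] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif line == "ip nat inside":
            inside.add(iface)
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            nat_lists.append(m[1])
        elif m := re.match(r"access-list (\S+) permit (?:ip )?(\d\S*) (\d\S*)", line):
            # Address plus wildcard mask; ipaddress accepts the host-mask form.
            acls.setdefault(m[1], []).append(
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
    if not nat_lists:
        return ["no 'ip nat inside source' rule: inside addresses leave untranslated"]
    permitted = [net for name in nat_lists for net in acls.get(name, [])]
    return [f"{name}: {addr[name]} not matched by NAT source ACL"
            for name in sorted(inside)
            if name in addr and not any(addr[name].subnet_of(p) for p in permitted)]

if __name__ == "__main__":
    print(audit(OP_CONFIG), audit(RDGAMM_CONFIG), sep="\n")
```

Appending `access-list 3` permit entries for 192.168.30.0 and 10.1.1.0 (wildcard 0.0.0.255) to the RDGamm excerpt makes the findings list empty.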

Thanks! That seems to have it up and working.

Hello,

try the configuration below (changes and additions are marked in bold):

Current configuration : 2596 bytes
!
! Last configuration change at 15:34:43 Central Tue Aug 29 2017
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DNCEF
!
boot-start-marker
boot-end-marker
!
enable secret 5 ############################
!
no aaa new-model
clock summer-time Central recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip dhcp excluded-address 192.168.30.254
!
ip dhcp pool INTERNET
network 192.168.30.0 255.255.255.0
default-router 192.168.30.254
dns-server 192.168.20.187 192.168.20.254 8.8.8.8
netbios-name-server 192.168.30.254
domain-name 192.168.30.254
lease 0 2
!
ip name-server 195.202.128.2
ip name-server 195.202.128.3
ip name-server 192.168.20.254
ip cef
login on-success log every 12
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
license udi pid CISCO1921/K9 s
redundancy
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.30.254 255.255.255.0
ip nat inside
no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.21
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1/0
ip address 192.168.20.187 255.255.255.0
ip nat outside
no ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
no ip default-gateway 192.168.20.254
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.254
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
control-plane
!
banner motd ^C

Thanks, very helpful!

Hello

@georg
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any <----- this isn't required as it is the WAN interface subnet
access-list 100 permit ip 192.168.30.0 0.0.0.255 any

 

res
Paul



My WAN interface is Gi0/1/0, so it does matter in this case.  I may use the .20 network in a subinterface scenario.

 

R

Hello,

You have the same problem... can you post the configuration of your router? In the initial post, there is a mix-up of NVI NAT and traditional NAT; do you also have 'nat enable' and 'ip nat inside' configured on your interfaces?

The interfaces I'm using are Gi0/0 and Gi0/1/0 and I have NAT enabled on both.  From the router I can ping the Internet (www.yahoo.com) and I can ping my machine at 192.168.30.1.  The machine at 192.168.30.1 can ping the router at 192.168.20.187 but cannot get to the Internet.

 
