09-16-2013 01:16 AM - edited 03-04-2019 09:02 PM
Hello,
I really need your help, I'm a beginner.
I can't ping one (public) address with my Cisco 892 router. I can access the internet, DNS is good, my ACL is "permit any" and I still can't ping this address from my network.
But I can ping it with a computer on another network. I'm sure you can access the web server installed on this public address 81.56.213.177, but not me.
Here is the config:
Thanks a lot... it's really important.
```
Current configuration : 7652 bytes
!
! Last configuration change at 14:43:08 UTC Fri Sep 13 2013 by mickael
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routeur
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3481302706
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3481302706
 revocation-check none
 rsakeypair TP-self-signed-3481302706
!
crypto pki certificate chain TP-self-signed-3481302706
 certificate self-signed 01
  xxx
  quit
ip source-route
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.0.61
ip dhcp excluded-address 192.168.0.62
ip dhcp excluded-address 192.168.0.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool pool-bureaux-labos
 network 192.168.0.0 255.255.255.192
 default-router 192.168.0.62
 dns-server 212.27.40.241
 lease infinite
!
ip dhcp pool pool-production
 network 192.168.0.64 255.255.255.192
 default-router 192.168.0.126
 dns-server 212.27.40.241
 lease infinite
!
ip dhcp pool pool-materiel
 network 192.168.0.128 255.255.255.192
 default-router 192.168.0.190
 dns-server 212.27.40.241
 lease infinite
!
ip cef
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO892-K9 sn FC...
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 switchport access vlan 10
 no ip address
!
interface FastEthernet1
 switchport access vlan 20
 no ip address
!
interface FastEthernet2
 switchport access vlan 30
 no ip address
!
interface FastEthernet3
 switchport access vlan 40
 no ip address
!
interface FastEthernet4
 no ip address
!
interface FastEthernet5
 no ip address
!
interface FastEthernet6
 no ip address
!
interface FastEthernet7
 no ip address
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.10 255.255.255.0
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 1.2.3.4 255.255.255.0
!
interface Vlan10
 ip address 192.168.0.62 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
 hold-queue 100 out
!
interface Vlan20
 ip address 192.168.0.126 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan30
 ip address 192.168.0.190 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan40
 ip address 192.168.0.254 255.255.255.192
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 81.56.134.1
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface GigabitEthernet0 overload
ip default-network 81.56.134.0
ip route 0.0.0.0 0.0.0.0 81.56.134.254
!
access-list 1 permit any
access-list 23 permit any
no cdp run
!
control-plane
!
mgcp profile default
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
end
```
09-16-2013 02:11 AM
Hi,
When you ping this IP from the router with the "debug ip icmp" command enabled, what's the output?
You can't ping it from a host located out which inside interface?
Regards
Alain
Don't forget to rate helpful posts.
09-16-2013 05:21 AM
Thanks,
When I ping this address with "debug ip icmp" enabled, I get this :
```
Sep 16 12:06:47.904: ICMP: dst (81.56.134.135) port unreachable sent to 77.194.230.26...
Success rate is 0 percent (0/5)
routeur-sdtech#
Sep 16 12:07:38.052: ICMP: dst (81.56.134.135) port unreachable sent to 90.24.10.234
Sep 16 12:07:38.568: ICMP: dst (81.56.134.135) port unreachable sent to 217.128.93.68
Sep 16 12:07:39.408: ICMP: dst (81.56.134.135) port unreachable sent to 86.212.156.87
Sep 16 12:07:56.660: ICMP: dst (81.56.134.135) port unreachable rcv from 79.251.12.119
Sep 16 12:08:02.868: ICMP: dst (81.56.134.135) port unreachable rcv from 79.251.12.119
Sep 16 12:08:08.892: ICMP: dst (81.56.134.135) port unreachable rcv from 79.251.12.119
Sep 16 12:08:15.056: ICMP: dst (81.56.134.135) port unreachable rcv from 79.251.12.119
Sep 16 12:08:28.176: ICMP: dst (81.56.134.135) port unreachable sent to 83.112.190.172
```
It never stops.
I can't ping it from any host in the network.
09-16-2013 10:26 AM
Hi,
Is there any firewall present on the network?
Br/Subhojit
09-16-2013 10:31 PM
When you do the ping, can you try to enable debug ip nat and paste the logs here?
thanks
09-17-2013 01:07 AM
Ok thanks,
I enabled "debug ip nat" and I get this (beginning).
My public address is 81.56.134.135
```
Sep 17 07:49:22.055: NAT: expiring 81.56.134.135 (192.168.0.225) tcp 57937 (57937)
Sep 17 07:49:22.083: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20356]
Sep 17 07:49:22.155: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20357]
Sep 17 07:49:22.243: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35983]
Sep 17 07:49:22.351: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35984]
Sep 17 07:49:22.351: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35985]
Sep 17 07:49:22.351: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20358]
Sep 17 07:49:22.351: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35986]
Sep 17 07:49:22.355: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35987]
Sep 17 07:49:22.355: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20359]
Sep 17 07:49:22.375: NAT*: s=212.227.15.157, d=81.56.134.135->192.168.0.64 [33387]
Sep 17 07:49:22.443: NAT*: s=31.37.152.223, d=81.56.134.135->192.168.0.67 [31693]
Sep 17 07:49:22.443: NAT*: s=192.168.0.67->81.56.134.135, d=31.37.152.223 [32755]
Sep 17 07:49:22.471: NAT*: s=31.37.152.223, d=81.56.134.135->192.168.0.67 [31697]
Sep 17 07:49:22.471: NAT*: s=192.168.0.67->81.56.134.135, d=31.37.152.223 [32756]
Sep 17 07:49:22.483: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20360]
Sep 17 07:49:22.535: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35988]
Sep 17 07:49:22.539: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35989]
Sep 17 07:49:22.539: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35990]
Sep 17 07:49:22.539: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35991]
Sep 17 07:49:22.539: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20361]
Sep 17 07:49:22.543: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20362]
Sep 17 07:49:22.543: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20363]
Sep 17 07:49:22.563: NAT*: s=192.168.0.234->81.56.134.135, d=31.13.81.49 [52185]
Sep 17 07:49:22.563: NAT*: s=192.168.0.234->81.56.134.135, d=31.13.81.49 [52186]
Sep 17 07:49:22.599: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35992]
Sep 17 07:49:22.599: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35993]
Sep 17 07:49:22.599: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35994]
Sep 17 07:49:22.599: NAT*: s=212.227.15.141, d=81.56.134.135->192.168.0.64 [3810]
Sep 17 07:49:22.599: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20364]
Sep 17 07:49:22.607: NAT*: s=31.13.81.49, d=81.56.134.135->192.168.0.234 [59658]
Sep 17 07:49:22.607: NAT*: s=31.13.81.49, d=81.56.134.135->192.168.0.234 [59659]
Sep 17 07:49:22.607: NAT*: s=31.13.81.49, d=81.56.134.135->192.168.0.234 [59660]
Sep 17 07:49:22.607: NAT*: s=31.13.81.49, d=81.56.134.135->192.168.0.234 [59661]
Sep 17 07:49:22.611: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [46666]
...
...
```
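On a busy router the "debug ip nat" output above is dominated by unrelated flows, so the entries for the one address under test are easy to miss. The following added example (not part of the original post, and not Cisco tooling) filters such output for a single outside host and reports whether packets were translated toward it and whether replies were translated back; the function names and the last two sample entries are assumptions made for the illustration.

```python
import re
from collections import Counter

# One translated packet in "debug ip nat" output:
#   s=<src>[-><translated src>], d=<dst>[-><translated dst>] [<IP id>]
NAT_PKT = re.compile(
    r"NAT\*?:\s+s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?,\s+"
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))?\s+\[\d+\]"
)

def summarize_peer(debug_text, peer):
    """Return (outbound, inbound, inside_hosts) for one outside address.

    finditer() is used so the text may hold one entry per line or be a
    paste whose line breaks were lost.
    """
    counts = Counter()
    inside_hosts = set()
    for m in NAT_PKT.finditer(debug_text):
        if m["s_new"] and m["d"] == peer:    # inside -> outside, source rewritten
            counts["outbound"] += 1
            inside_hosts.add(m["s"])
        elif m["d_new"] and m["s"] == peer:  # outside -> inside, destination rewritten
            counts["inbound"] += 1
            inside_hosts.add(m["d_new"])
    return counts["outbound"], counts["inbound"], sorted(inside_hosts)

def verdict(outbound, inbound):
    """Describe what the two counters show for this capture."""
    if outbound == 0:
        return "no translated packets toward peer in this capture"
    if inbound == 0:
        return "requests translated and forwarded, no replies translated back"
    return "translated in both directions"

# The first three entries are copied from the thread; the last two are
# constructed to show a host whose requests to 81.56.213.177 go unanswered.
SAMPLE = """\
Sep 17 07:49:22.055: NAT: expiring 81.56.134.135 (192.168.0.225) tcp 57937 (57937)
Sep 17 07:49:22.083: NAT*: s=192.168.0.28->81.56.134.135, d=92.103.223.17 [20356]
Sep 17 07:49:22.243: NAT*: s=92.103.223.17, d=81.56.134.135->192.168.0.28 [35983]
Sep 17 07:49:23.100: NAT*: s=192.168.0.28->81.56.134.135, d=81.56.213.177 [20370]
Sep 17 07:49:24.100: NAT*: s=192.168.0.28->81.56.134.135, d=81.56.213.177 [20371]
"""

if __name__ == "__main__":
    for peer in ("92.103.223.17", "81.56.213.177"):
        out, inn, hosts = summarize_peer(SAMPLE, peer)
        print(peer, out, inn, hosts, "->", verdict(out, inn))
```

The counters only cover packets logged while the debug was running, so the ping from an inside host has to be repeated during the capture.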
09-18-2013 10:02 AM
Remove the manual default route
ip route 0.0.0.0 0.0.0.0 81.56.134.254
When the router acting as a DHCP client (configured with the "ip address dhcp" interface configuration command) receives the DHCP reply packet containing the default gateway option (option #3), it installs a static default route toward that next-hop. Even better, the default route is installed with the administrative distance 254 (floating static route).
09-22-2013 10:14 PM
Hello Mickael,
Did you try to ping your next hop? Please enable debug ip icmp and ping 81.56.134.254.
Also, please do a traceroute to the server 81.56.213.177.
I suspect it is blocked somewhere else, not at your router, but to verify this you can add an access list with the logging option on the first entry: configure the first ACE to allow traffic going to 81.56.213.177, and make the second ACE permit any any. Duplicate this ACL, put one in the inbound direction and the other one in the outbound, and monitor the counters by doing "show access-list".
regards
09-25-2013 01:53 PM
Is it solved, Mickael?