Cisco 1921 can't ping from internal interface

toothlessdr4gon
Level 1

Hi Everyone,

I'm having trouble configuring a Cisco 1921 router to provide internet access through our Comcast Business modem. From the console I can ping www.google.com, I can ping the google dns 8.8.8.8, and I can ping other devices that are plugged into the comcast modem (which is connected via the GigabitEthernet 0/1), but I can't ping the comcast dns servers 75.75.75.75 or 75.75.76.76.

When trying to configure it through the CPP application, I tried running a "test connection" on the 'outside' interface which is successful, but running a ping test on the 'inside' interface fails on the "Checking exit interface" and suggests: "Selecte 'User-specified' option or add a 'host specific/network specific/default' route through this interface and retest connection".

Any help is Greatly appreciated and I'll be sure and rate any/all helpful posts!

Here's my running config:

Building configuration...

Current configuration : 8664 bytes

!

! Last configuration change at 19:09:44 UTC Wed Nov 13 2013 by admin

! NVRAM config last updated at 19:00:30 UTC Wed Nov 13 2013 by admin

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname cisco1921

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

no aaa new-model

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

!

!

ip domain name yourdomain.com

ip name-server 50.*.*.126

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3493286146

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3493286146

revocation-check none

rsakeypair TP-self-signed-3493286146

!

!

crypto pki certificate chain TP-self-signed-3493286146

certificate self-signed 01

            quit

license udi pid CISCO1921/K9 sn FTX1637810Q

!

!

username admin privilege 15 secret 4 O93TqN1DZfLJEmVUW78Kx961yfx/6d6NqkHjYA8I4iA

username jost privilege 15 secret 4 S3GgPN01m4oSTi7Usr/wj4mf58eOZAUeIOCuyy7rc7c

!

redundancy

!

!

!

!

!

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  drop

policy-map type inspect ccp-pol-outToIn

class type inspect CCP_PPTP

  pass

class class-default

  drop log

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

!

!

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$

ip address 10.10.10.129 255.255.255.0

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface GigabitEthernet0/1

description $ETH-WAN$$FW_OUTSIDE$

ip address 50.*.*.124 255.255.255.240

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip route 0.0.0.0 0.0.0.0 50.193.37.126

!

ip access-list standard FOR_NAT

permit 10.10.10.0 0.0.0.255

!

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 50.*.*.112 0.0.0.15 any

!

!

!

!

!

!

control-plane

!

!

banner exec ^C

Accepted Solution

Abzal
Level 7

Hi,

You should add a NAT rule to translate the internal subnet 10.10.10.0/24 to a public IP address.

Just add this:

ip nat inside source list FOR_NAT interface g0/1 overload

Hope it will help.

Best regards,
Abzal
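
An added example, not part of the original thread or any Cisco tool: a Python check for the gap the answer above fixes, where interfaces are marked `ip nat inside` and `ip nat outside` but no `ip nat inside source` rule ties them together. The sample config is constructed from the NAT-relevant lines of the question, and the function names are hypothetical.

```python
import re

# Constructed sample: NAT-relevant lines from the config in the question.
SAMPLE = """\
interface GigabitEthernet0/0
ip nat inside
interface GigabitEthernet0/1
ip nat outside
ip access-list standard FOR_NAT
permit 10.10.10.0 0.0.0.255
"""
FIX = "ip nat inside source list FOR_NAT interface g0/1 overload\n"

IFNAME = re.compile(r"([A-Za-z-]+)\s*([\d/.]+)$")
RULE = re.compile(r"ip nat inside source list (\S+) interface (\S+)")
ACL = re.compile(r"(?:ip access-list (?:standard|extended)|access-list) (\S+)")

def expand(abbrev, interfaces):
    """Resolve an IOS abbreviation such as g0/1 to a configured name, or None."""
    a = IFNAME.match(abbrev)
    for full in interfaces:
        f = IFNAME.match(full)
        if a and f and a.group(2) == f.group(2) and \
                f.group(1).lower().startswith(a.group(1).lower()):
            return full

def audit_nat(config):
    """Return findings about missing or inconsistent dynamic NAT config."""
    roles, acls, rules, current = {}, set(), [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            roles[current] = None
        elif line in ("ip nat inside", "ip nat outside") and current:
            roles[current] = line.split()[-1]   # "inside" or "outside"
        elif m := ACL.match(line):
            acls.add(m.group(1))                # named or numbered ACL
        elif m := RULE.match(line):
            rules.append(m.groups())            # (acl, interface)
    findings = []
    inside = [i for i, r in roles.items() if r == "inside"]
    if inside and not rules:
        findings.append(f"{', '.join(inside)} is 'ip nat inside' but no "
                        "'ip nat inside source' rule exists")
    for acl, ifname in rules:
        if acl not in acls:
            findings.append(f"NAT rule references undefined ACL {acl}")
        if roles.get(expand(ifname, roles)) != "outside":
            findings.append(f"NAT rule interface {ifname} is not 'ip nat outside'")
    return findings
```

The parser matches on keywords rather than indentation, so it also works on a config pasted with its leading whitespace stripped, as in the question.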


4 Replies

Abzal, YOU ARE MY CISCO HERO!!!

That was exactly what I needed!

I'm still having a strange issue of not being able to ping the comcast dns servers though (75.75.75.75 and 75.75.76.76). But I have internet now which is WAY more than I had yesterday! Now I need to sort out port forwarding... Don't suppose you have the easy answer for that too? I think I just need to do this:

ip nat inside source static tcp   extendable

Does that look about right?

Thanks!

Hi,

Yes, this is the correct syntax for static PAT, aka port forwarding.

Regards

Alain

Don't forget to rate helpful posts.

Thanks for confirming that Alain, worked like a charm
