08-17-2012 06:37 AM - edited 03-04-2019 05:18 PM
I'm fairly new to Cisco routing, and I'm a bit lost on this issue. I have a 1921 that is going to be a WAN router for a fiber Internet connection. It will sit in front of the network firewall and needs to route all traffic to the Internet. I thought I had the config set right with a default route of '0.0.0.0 0.0.0.0 <wan gateway>' but it doesn't seem to be working. Config is below.
The router can ping from itself to hosts on both sides and hosts on the Internet with no problem, but a laptop connected to the "LAN" side and assigned a public IP address can ping both sides of the router but no further.
I've done a bit of searching on the forums but every similar issue I've found seems to involve NAT - I have another device doing NAT so I don't want to do NAT on this router (traffic needs to be able to reach the public IP addresses on the "LAN" side).
hsw-comcast-rtr1#show run
Building configuration...
Current configuration : 5806 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hsw-comcast-rtr1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 5 $1$KBXN$nCauuQhWW/hWlyVZHi94e1
!
no aaa new-model
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name comcast.net
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-27425356
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-27425356
revocation-check none
rsakeypair TP-self-signed-27425356
!
!
crypto pki certificate chain TP-self-signed-27425356
certificate self-signed 01
<snip>
quit
license udi pid CISCO1921/K9 sn FTX161582TB
!
!
username routeradmin privilege 15 secret 5 $1$e/pA$p#SbrqCTS*7NiyKxbt0De/
!
!
ip tcp synwait-time 10
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description LAN
ip address 50.202.39.222 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description WAN
ip address 50.202.39.210 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.202.39.209
!
logging trap debugging
access-list 23 permit 50.202.39.216 0.0.0.3
!
no cdp run
!
!
control-plane
!
!
banner exec ^C
<snip> (Cisco CP stuff)
^C
banner login ^C
<snip> (more Cisco CP stuff)
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
08-17-2012 06:46 AM
Hi James,
hardcode the speeds and duplex mode otherwise it won't come up.
After that check again the ACL 23. It has a different wild mask from the one you defined below the interface...
May you share
show interface g0/1 ?
Alessio
08-17-2012 06:57 AM
Alessio,
I hardcoded the speed and duplex on both interfaces, no change.
On the ACL - the interface I'm allowing Telnet from (Gi0/0) is on a /29 subnet. I thought with the ACLs the mask needed to be the inverse of this, which I thought was a /3. Am I supposed to specify the /29 mask?
Here is the output of 'show int Gi0/1', after I made the change to hardcode speed/duplex:
hsw-comcast-rtr1#show int Gi0/1
GigabitEthernet0/1 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 5057.a8a3.1ac1 (bia 5057.a8a3.1ac1)
Description: WAN
Internet address is 50.202.39.210/30
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is unsupported, input flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output 00:00:01, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
15865 packets input, 318440 bytes, 0 no buffer
Received 15850 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
7567 packets output, 497079 bytes, 0 underruns
0 output errors, 0 collisions, 2 interface resets
0 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
2 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
Thanks,
James
08-17-2012 07:01 AM
Hi,
could you post your topology specifying the devices and their roles.
Regards.
Alain.
Don't forget to rate helpful posts.
08-17-2012 07:17 AM
Alain,
The ISP has installed a Ciena 3930 switch to convert the fiber to copper, which is connected to Gi0/1. I have not connected the router to my firewall yet (I want to get the routing problem fixed first) so for now the Gi0/0 interface is connected to a small 10/100 switch, to which I have connected my laptop which is assigned the IP address 50.202.39.217. Is that what you're looking for?
James
08-17-2012 07:02 AM
you need to hard code 1000 Mbps and not 100...
try and let me know..
for a /29 you need a 0.0.0.7 wild card
for a /30 you need a 0.0.0.3
alessio
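Added example, not part of any post in this thread: a Python check of the wildcard-mask point above, using the `access-list 23` entry and the Gi0/0 address from the posted config. The function names are hypothetical, and only the `access-list <n> permit|deny <address> <wildcard>` form is parsed.

```python
import ipaddress

def wildcard_for_prefix(prefix_len):
    """Wildcard (inverse) mask for a prefix length, e.g. 29 -> 0.0.0.7."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix_len}").hostmask)

def parse_standard_acl(line):
    """Parse 'access-list <n> permit|deny <addr> <wildcard>' (only this form)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    return parts[2], parts[3], parts[4]

def acl_matches(acl_addr, wildcard, host):
    """IOS-style match: bits set to 1 in the wildcard are ignored."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.ip_address(acl_addr)) & care) == \
           (int(ipaddress.ip_address(host)) & care)

def uncovered_hosts(acl_addr, wildcard, interface_ip, netmask):
    """Usable hosts on the interface subnet that the ACL entry does not match."""
    subnet = ipaddress.ip_interface(f"{interface_ip}/{netmask}").network
    return [str(h) for h in subnet.hosts()
            if not acl_matches(acl_addr, wildcard, str(h))]

if __name__ == "__main__":
    # Values taken from the config posted in this thread.
    action, addr, wc = parse_standard_acl("access-list 23 permit 50.202.39.216 0.0.0.3")
    gi0_0 = ("50.202.39.222", "255.255.255.248")  # Gi0/0, a /29

    print("wildcard for /29:", wildcard_for_prefix(29))
    print("wildcard for /30:", wildcard_for_prefix(30))
    print("laptop 50.202.39.217 matched:", acl_matches(addr, wc, "50.202.39.217"))
    print("hosts on Gi0/0 subnet not matched by ACL 23:",
          uncovered_hosts(addr, wc, *gi0_0))
    print("after changing wildcard to 0.0.0.7:",
          uncovered_hosts(addr, wildcard_for_prefix(29), *gi0_0))
```

Since ACL 23 is applied to the vty lines and the HTTP server, the wildcard decides which addresses on the Gi0/0 subnet can reach the router's management interfaces.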
08-17-2012 07:09 AM
Alessio,
As far as hard-coding 1000 - the switch port it's connected to is not a gigabit port, it's a 10/100. If I hardcode 1000M it will not be able to connect, right?
I see what I did wrong on the mask. Thanks for the correction.
James
08-17-2012 08:49 AM
08-17-2012 08:53 AM
Yes, that is correct, with one exception - I have since removed the switch in between the laptop and g0/0, so the laptop is now connected directly to g0/0.
08-17-2012 09:03 AM
James,
can you add auto mdix to the wan interface?
also can you check which kind of cable is connecting the 1941 to the ciena switch and reloading your router too?
thanks
Alessio
PS: by the way I can't ping 50.202.39.209 nor .210
can you give me a temp. login?
08-17-2012 09:13 AM
Okay, I misclicked there. I didn't mean to flag that as the answer. I'm not sure how to undo that.
I tried setting auto mdix, but it didn't work.
Specifically, I did the following:
config t
int g0/1
mdix auto
When I typed the command 'mdix auto' it came back with an Invalid Input error. I also tried the command 'auto mdix' with the same result.
The 1921 is connected to the switch with a standard Cat-5e patch cable. I've tried switching out the cable, no effect. I've also reloaded the router with no effect.
08-17-2012 10:50 AM
http://www.cisco.com/en/US/docs/routers/access/1900/hardware/installation/guide/1940_HIG.pdf
Keep this, and if you have specs about your IOS, read them. I am sorry but I must leave my building, otherwise they will close me in and fire on Monday!!!
I'll read from home what is going on, ok?
Meantime I'll score you 5 points to give you a smile
Bye
08-17-2012 10:51 AM
Thanks for all the help today, Alessio.
08-17-2012 11:51 AM
Success!
You were right, the problem was on the ISP's end. They did not have the routing table set up properly on their end. I was going to flag that post as the correct answer but it appears to have been deleted.
Thanks again for all your help today!
James