Cisco 1921 not passing traffic

wtijames
Level 1

I'm fairly new to Cisco routing, and I'm a bit lost on this issue.  I have a 1921 that is going to be a WAN router for a fiber Internet connection.  It will sit in front of the network firewall and needs to route all traffic to the Internet.  I thought I had the config set right with a default route of '0.0.0.0 0.0.0.0 <wan gateway>' but it doesn't seem to be working.  Config is below.

The router can ping from itself to hosts on both sides and hosts on the Internet with no problem, but a laptop connected to the "LAN" side and assigned a public IP address can ping both sides of the router but no further.

I've done a bit of searching on the forums but every similar issue I've found seems to involve NAT - I have another device doing NAT so I don't want to do NAT on this router (traffic needs to be able to reach the public IP addresses on the "LAN" side).

hsw-comcast-rtr1#show run
Building configuration...
Current configuration : 5806 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hsw-comcast-rtr1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 5 $1$KBXN$nCauuQhWW/hWlyVZHi94e1
!
no aaa new-model
clock timezone PCTime -6 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name comcast.net
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-27425356
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-27425356
 revocation-check none
 rsakeypair TP-self-signed-27425356
!
!
crypto pki certificate chain TP-self-signed-27425356
 certificate self-signed 01
<snip>
        quit
license udi pid CISCO1921/K9 sn FTX161582TB
!
!
username routeradmin privilege 15 secret 5 $1$e/pA$p#SbrqCTS*7NiyKxbt0De/
!
!
ip tcp synwait-time 10
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description LAN
 ip address 50.202.39.222 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description WAN
 ip address 50.202.39.210 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.202.39.209
!
logging trap debugging
access-list 23 permit 50.202.39.216 0.0.0.3
!
no cdp run
!
!
control-plane
!
!
banner exec ^C
<snip> (Cisco CP stuff)
^C
banner login ^C
<snip> (more Cisco CP stuff)
^C
!
line con 0
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

Hi James,

Hardcode the speed and duplex mode, otherwise it won't come up.

After that, check ACL 23 again. It has a different wildcard mask from the one you defined under the interface...

Can you share

show interface g0/1 ?

Alessio

Alessio,

I hardcoded the speed and duplex on both interfaces, no change.

On the ACL - the interface I'm allowing Telnet from (Gi0/0) is on a /29 subnet.  I thought with the ACLs the mask needed to be the inverse of this, which I thought was a /3.  Am I supposed to specify the /29 mask?

Here is the output of 'show int Gi0/1', after I made the change to hardcode speed/duplex:

hsw-comcast-rtr1#show int Gi0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 5057.a8a3.1ac1 (bia 5057.a8a3.1ac1)
  Description: WAN
  Internet address is 50.202.39.210/30
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full Duplex, 100Mbps, media type is RJ45
  output flow-control is unsupported, input flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:03, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 4
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     15865 packets input, 318440 bytes, 0 no buffer
     Received 15850 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     7567 packets output, 497079 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     2 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Thanks,

James

Hi,

Could you post your topology, specifying the devices and their roles?

Regards.

Alain.

Don't forget to rate helpful posts.

Alain,

The ISP has installed a Ciena 3930 switch to convert the fiber to copper, which is connected to Gi0/1.  I have not connected the router to my firewall yet (I want to get the routing problem fixed first) so for now the Gi0/0 interface is connected to a small 10/100 switch, to which I have connected my laptop which is assigned the IP address 50.202.39.217.  Is that what you're looking for?

James

You need to hard code 1000 Mbps and not 100...

Try it and let me know.

For a /29 you need a 0.0.0.7 wildcard.

For a /30 you need a 0.0.0.3.

alessio
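
The wildcard rule from this reply, checked against the posted configuration, where ACL 23 gates vty and HTTP management access (an added example, not part of the original thread; the function names are illustrative). It applies IOS wildcard matching bit by bit, so it also handles non-contiguous wildcards, and lists the LAN hosts the entry fails to match:

```python
import ipaddress

def wildcard_for_prefix(prefixlen: int) -> str:
    """Wildcard (inverse) mask for a prefix length, e.g. 29 -> 0.0.0.7."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)

def parse_standard_acl(line: str):
    """Parse 'access-list N permit|deny ADDR WILDCARD' into (action, base, wildcard)."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    base = int(ipaddress.IPv4Address(parts[3]))
    wildcard = int(ipaddress.IPv4Address(parts[4]))
    return parts[2], base, wildcard

def acl_matches(base: int, wildcard: int, host: str) -> bool:
    """IOS wildcard logic: bits set in the wildcard are ignored when comparing."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(host)) & care) == (base & care)

def unmatched_hosts(acl_line: str, if_addr: str, if_mask: str):
    """Usable hosts on the interface subnet that the ACL entry does not match."""
    _, base, wildcard = parse_standard_acl(acl_line)
    net = ipaddress.ip_interface(f"{if_addr}/{if_mask}").network
    return [str(h) for h in net.hosts() if not acl_matches(base, wildcard, str(h))]

# Values taken from the posted configuration (ACL 23 and the Gi0/0 "LAN" interface)
ACL_23 = "access-list 23 permit 50.202.39.216 0.0.0.3"
LAN = ("50.202.39.222", "255.255.255.248")

if __name__ == "__main__":
    print("wildcard for /29:", wildcard_for_prefix(29))
    print("wildcard for /30:", wildcard_for_prefix(30))
    print("LAN hosts not matched by ACL 23:", unmatched_hosts(ACL_23, *LAN))
    fixed = f"access-list 23 permit 50.202.39.216 {wildcard_for_prefix(29)}"
    print("after correction:", unmatched_hosts(fixed, *LAN))
```

With the 0.0.0.3 wildcard, only the lower half of the /29 can reach the management lines; the laptop at 50.202.39.217 happens to fall inside it.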

Alessio,

As far as hard-coding 1000 - the switch port it's connected to is not a gigabit port, it's a 10/100.  If I hardcode 1000M it will not be able to connect, right?

I see what I did wrong on the mask.  Thanks for the correction. 

James

Is what I have designed correct?

Alessio

Yes, that is correct, with one exception - I have since removed the switch in between the laptop and g0/0, so the laptop is now connected directly to g0/0.

James,

Can you add auto mdix to the WAN interface?

Also, can you check which kind of cable is connecting the 1941 to the Ciena switch, and reload your router too?

Thanks

Alessio

PS: By the way, I can't ping 50.202.39.209 nor .210.

Can you give me a temp. login?

Okay, I misclicked there.  I didn't mean to flag that as the answer.  I'm not sure how to undo that.

I tried setting auto mdix, but it didn't work.

Specifically, I did the following:

config t
int g0/1
mdix auto

When I typed the command 'mdix auto' it came back with an Invalid Input error.  I also tried the command 'auto mdix' with the same result.

The 1921 is connected to the switch with a standard Cat-5e patch cable.  I've tried switching out the cable, no effect.  I've also reloaded the router with no effect.

http://www.cisco.com/en/US/docs/routers/access/1900/hardware/installation/guide/1940_HIG.pdf

Keep this, and if you have specs about your IOS, read them. I am sorry but I must leave my building, otherwise they will close me in and fire on Monday!!!

I'll read from home what is going on, OK?

Meantime I'll score you 5 points to give you a smile

Bye

Thanks for all the help today, Alessio. 

Success!

You were right, the problem was on the ISP's end.  They did not have the routing table set up properly on their end.  I was going to flag that post as the correct answer but it appears to have been deleted.

Thanks again for all your help today!

James
