Solved

Cisco 1841T-1 Router - Need Help Allowing ISP to ping Serial0/0/0.

Posted on 2006-06-28
Last Modified: 2010-05-18
My client's ISP needs to run some tests on the T-1 circuit.  He cannot ping (and therefore run his ISP tests) on the serial IP 68.160.89.138.

He is asking whether ICMP blocking is turned on or whether NAT is enabled.  He wants me to temporarily disable ICMP blocking and/or turn off NAT so that he can perform his testing on the serial IP.

I am new to Cisco so please try to be easy on me with idiot-proof instructions on identifying whether ICMP blocking is enabled on 68.160.89.138 and/or whether the ISP can't ping it because NAT is enabled.  I need instructions on temporarily allowing the ISP to ping the serial interface and setting everything back to its original configuration after the ISP is done.

Here's the Router config:

Using 1342 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$.li9$R0sK62syH2MKFEuHIaH/Q/
enable password 7 070228085A060902021C5A
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name domainname.com
!
username routeadm privilege 15 secret 5 $1$$2fo8$yeJGOKSJ72eEhBVRutxTWP/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.155.64.12 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input none
!
ntp server 128.59.16.20 prefer
end
0
Question by:taki1gostek
24 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17002932
From your configuration, there is nothing blocking it, but you need to check if the interface is up or not. So just get the output of 'show interface Serial0/0/0' and paste the output here;

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17002957
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Internet address is 68.160.89.137/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/10/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 2000 bits/sec, 4 packets/sec
     298108 packets input, 191594615 bytes, 0 no buffer
     Received 18263 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     246109 packets output, 40045849 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17002982
Should I also mention that there's a PIX firewall connected to the Router as well?  I wouldn't think that the Pix would intervene though if we're trying to ping the serial port on the router, correct?
0

 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003023
>> Serial0/0/0 is up, line protocol is up

Looks like your interface has got no problems and it is up. Try pinging this ip address (Serial) from your inside and also from internet.

I assume your network setup is like this;

-------Router(68.160.89.137)----------------------------(68.160.89.138)ISP

Tell the ISP that there is no ICMP blocking or NATTing on your side. He has to check the circuit. If this is a new circuit, have him make sure that he turned it on...

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003118
The internet is up and running fine and so the circuit is fully provisioned.  I cannot VPN into the site right now to ping both of the IP's; however, I PDM'med into the Cisco PIX 506E and did a ping on both of the IP's.  Here's the output of the ping command when I tried pinging both IPs from the outside interface on the Pix firewall:

      68.160.89.138 NO response received -- 1000ms
      68.160.89.138 NO response received -- 1000ms
      68.160.89.138 NO response received -- 1000ms

      68.160.89.137 response received -- 0ms
      68.160.89.137 response received -- 0ms
      68.160.89.137 response received -- 0ms

I'm getting responses from 68.160.89.137, what I am assuming is the ISP WAN IP.

Can you explain to me, if you can tell from the config, what both of these IP's mean?  I'm sort of confused here.  The ISP seems to believe that 138 is the Serial0/0/0 IP that he cannot ping from the outside.  

If I understand correctly, INTERNET CLOUD-->T-1 CIRCUIT 68.160.89.137-->SERIAL0/0/0 ON ROUTER 68.160.89.137-->ETHERNET0/1-->FIREWALL, am I correct?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003130
Ahh jeez, man you need to tell that :-) Can you draw up a diagram on how your network is fit? If the PIX is on the inside of your router then there is nothing pix will do. But if PIX sits in front of the router, it might block and you'll need to provide the configuration of pix to analyze that.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003156
Pix sits behind the router.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003159
The network diagram, you need to confirm with your client. If it is the way you have it there, then pix won't interfere.

Now my doubts are that the ISP guys are playing around with you. See they allocate the addresses to you and if he thinks .138 is your serial address, he doesn't know what he is doing.

I'll tell you how it is as per your configuration;

.137 is configured on your router and your default gateway is .138 (which is ISP). So anything leaving your network will go to .138 to get to internet.

Cheers,
Rajesh
0
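
The two points made in the answers above (nothing in the posted config filters ICMP or applies NAT, and .137 sits on the router with .138 as the next hop) can be checked mechanically. This Python sketch is an added example, not part of the original thread: `audit` and `link_peer` are hypothetical helper names, the sample is the addressing and routing lines of the posted config, and only interface ACLs and NAT statements are inspected.

```python
import ipaddress

# Constructed sample: the addressing and routing lines from the config posted in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 141.155.64.12 255.255.255.240
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
"""

def audit(config):
    """Collect settings that could stop an interface address answering ping:
    ACLs bound to the interface and NAT. Other filters are not inspected."""
    report = {"interfaces": {}, "nat_rules": [], "default_next_hops": []}
    current = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):            # global command: leaves interface mode
            current = None
            if words[0] == "interface" and len(words) > 1:
                current = report["interfaces"].setdefault(
                    words[1], {"address": None, "acl": {}, "nat": None})
            elif words[:2] == ["ip", "nat"]:
                report["nat_rules"].append(line.strip())
            elif words[:4] == ["ip", "route", "0.0.0.0", "0.0.0.0"] and len(words) > 4:
                report["default_next_hops"].append(words[4])
        elif current is not None:               # indented: interface sub-command
            if words[:2] == ["ip", "address"] and len(words) >= 4:
                current["address"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
            elif words[:2] == ["ip", "access-group"] and len(words) >= 4:
                current["acl"][words[3]] = words[2]     # direction -> ACL name/number
            elif words[:2] == ["ip", "nat"] and len(words) >= 3:
                current["nat"] = words[2]               # "inside" or "outside"
    return report

def link_peer(iface):
    """On a /30 the only other usable host address is the far end of the link."""
    if iface is None or iface.network.prefixlen != 30:
        return None
    return next(h for h in iface.network.hosts() if h != iface.ip)

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

An empty `acl` map, no NAT entries, and a default next hop equal to the computed /30 peer mean the router itself has no reason to drop a ping to its serial address.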
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003160
IP INFO FOR YOUR REFERENCE:
LAN      141.155.64.12/24 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003170
Your side, everything seems to be right. You are getting responses for the ip configured on your router (the second ping trace). But you are not getting any for .138 which ISP => which means, ISP is blocking ping requests and not YOU.

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003194
okay hold on there.

The IP info you provided there, is that correct ? I would assume it is not. Because in it the customer side is .138 and that is not what is configured on your router and still you have the internet connection.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003231
I know, exactly!  This is what's bugging me.  

I guess I will have to reconfigure the router with the correct Serial IP info!  It is extremely weird that the Internet is up!  I thought there was something wrong.  This info is most definitely correct.

I will need help in configuring this in a way that the Internet connection does not go down.  Please understand this is a small business client, I am supporting them, I'm in Mass and they're in NYC.

I can't afford to have them go down.
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003245
I have enabled telnet on the router & so I can telnet into it.  Now, how will changing the Serial0/0/0's IP affect everything else?

I guess I should take these lines:

interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138

and switch them around a little bit?

interface Serial0/0/0
 ip address 68.160.89.138 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.137
?????????????
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003255
All you need to get it changed is;

interface Serial0/0/0
 ip address 68.160.89.138 255.255.255.252
 no shut
!
ip route 0.0.0.0 0.0.0.0 68.160.89.137

Just login to the router and go to the 'conf t' mode, copy the above and paste it there. The connection will be lost for sure for that moment and if everything is correct on the ISP side, it will come up in seconds.

Basically what the above does is swap the ip addresses on interface and on default gateway route.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003261
How can I paste "into host" in telnet window?  Can I write these lines line-by-line and then do end, write mem?

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003284
Just follow as below;

Telnet to the router;

do conf t

copy those lines above and paste it in the window there. If you are connecting from remote place, your connection will be lost, so better to have someone there to do it.

If there is none that can do it, the only option is to proceed as above and don't do 'write mem'. Once you do it, have your customer try internet and see if it works fine. If so, you can telnet again and save the config with 'write mem'. If not, then just have somebody there to 'reboot' (by power) the router and your old configuration would be back up.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003369
I guess we're good to go.  I switched the IP's around and I can still telnet into it which would also mean that they're online :)

I did a write mem command and prayed.

Prayers were heard and I was able to reconnect.  

You forgot to mention that I should also do a no ip route 0.0.0.0 0.0.0.0 68.160.89.138 and then write mem but all in all it seems to be working.

Still can't ping 68.260.89.138 or .137 from the outside.

Nothing on the router that we can set so that the ISP can ping .138?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003426
Nothing! Your configuration is just the simplest it can get. The only thing to check now is to see if you can ping the ISP from the router itself and if yes, call him up and tell him.

If not, then tell me where exactly the PIX is sitting.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003438
.138, being that it's assigned to the Serial0/0/0 on our router should be pingable from the outside unless there's a setting in the Router that controls this, correct?  It can't now have anything to do with the ISP's T-1 circuit, am I right?
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003450
I can ping the ISP with no problems.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17003510
Not necessarily, your ISP could block ICMP requests from internet, that is a different story altogether.

I just pinged both the ip addresses and it isn't working. So ISP is blocking it. Call up your ISP and have him ping now, it should work for the reason that you're able to ping ISP ip address. The problem is the changed ip addresses.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003578
Thanks for your help.  I haven't gotten a response from the ISP yet but I think that may be a good sign.  I wasn't able to ping either of the IP's from three different networks I had remoted into and so I'm guessing it's not ISP ICMP blocking.

I'm giving you credit for catching the IP mess up though.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17003597
Thnx for the points but the reason that you were not able to ping from 3 remote sites is because your ISP is blocking ICMP for sure. Once it is confirmed, post it here. I would like to know though.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
ID: 17003901
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21902488.html

New question if you're familiar with Pix506e.

Thanks!
0


Question has a verified solution.
