Solved

Cisco 1841T-1 Router - Need Help Allowing ISP to ping Serial0/0/0.

Posted on 2006-06-28
Last Modified: 2010-05-18
My client's ISP needs to run some tests on the T-1 circuit.  He cannot ping (and therefore run his ISP tests) on the serial IP 68.160.89.138.

He is asking whether ICMP blocking is turned on or whether NAT is enabled.  He wants me to temporarily disable ICMP blocking and/or turn off NAT so that he can perform his testing on the serial IP.

I am new to Cisco so please try to be easy on me with idiot-proof instructions on identifying whether ICMP blocking is enabled on 68.160.89.138 and/or whether the ISP can't ping it because NAT is enabled.  I need instructions on temporarily allowing the ISP to ping the serial interface and setting everything back to its original configuration after the ISP is done.

Here's the Router config:

Using 1342 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname C1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$.li9$R0sK62syH2MKFEuHIaH/Q/
enable password 7 070228085A060902021C5A
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
ip domain name domainname.com
!
username routeadm privilege 15 secret 5 $1$$2fo8$yeJGOKSJ72eEhBVRutxTWP/
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 141.155.64.12 255.255.255.240
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input none
!
ntp server 128.59.16.20 prefer
end
Question by:taki1gostek
 
LVL 32

Expert Comment

by:rsivanandan
From your configuration, there is nothing blocking it, but you need to check if the interface is up or not. So just get the output of 'show interface Serial0/0/0' and paste the output here;

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
Serial0/0/0 is up, line protocol is up
  Hardware is GT96K with integrated T1 CSU/DSU
  Internet address is 68.160.89.137/30
  MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/10/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 1158 kilobits/sec
  5 minute input rate 2000 bits/sec, 4 packets/sec
  5 minute output rate 2000 bits/sec, 4 packets/sec
     298108 packets input, 191594615 bytes, 0 no buffer
     Received 18263 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     246109 packets output, 40045849 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
     DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
0
 
LVL 2

Author Comment

by:taki1gostek
Should I also mention that there's a PIX firewall connected to the Router as well?  I wouldn't think that the Pix would intervene though if we're trying to ping the serial port on the router, correct?
0
 
LVL 32

Expert Comment

by:rsivanandan
>> Serial0/0/0 is up, line protocol is up

Looks like your interface has got no problems and it is up. Try pinging this ip address (Serial) from your inside and also from internet.

I assume your network setup is like this;

-------Router(68.160.89.137)----------------------------(68.160.89.138)ISP

Tell the ISP that there is no ICMP blocking or NATting on your side. He has to check the circuit. If this is a new circuit, have him make sure that he turned it on...

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
The internet is up and running fine and so the circuit is fully provisioned.  I cannot VPN into the site right now to ping both of the IP's; however, I PDM'med into the Cisco PIX 506E and did a ping on both of the IP's.  Here's the output of the ping command when I tried pinging both IPs from the outside interface on the Pix firewall:

      68.160.89.138 NO response received -- 1000ms
      68.160.89.138 NO response received -- 1000ms
      68.160.89.138 NO response received -- 1000ms

      68.160.89.137 response received -- 0ms
      68.160.89.137 response received -- 0ms
      68.160.89.137 response received -- 0ms

I'm getting responses from 68.160.89.137, what I am assuming is the ISP WAN IP.

Can you explain to me, if you can tell from the config, what both of these IP's mean?  I'm sort of confused here.  The ISP seems to believe that 138 is the Serial0/0/0 IP that he cannot ping from the outside.  

If I understand correctly, INTERNET CLOUD-->T-1 CIRCUIT 68.160.89.137-->SERIAL0/0/0 ON ROUTER 68.160.89.137-->ETHERNET0/1-->FIREWALL, am I correct?
0
 
LVL 32

Expert Comment

by:rsivanandan
Ahh jeez, man, you need to tell that :-) Can you draw up a diagram of how your network is fit? If the PIX is on the inside of your router then there is nothing the PIX will do. But if the PIX sits in front of the router, it might block, and you'll need to provide the configuration of the PIX to analyze that.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
Pix sits behind the router.
0
 
LVL 32

Expert Comment

by:rsivanandan
The network diagram, you need to confirm with your client. If it is the way you have it there, then pix won't interfere.

Now my doubts are that the ISP guys are playing around with you. See they allocate the addresses to you and if he thinks .138 is your serial address, he doesn't know what he is doing.

I'll tell you how it is as per your configuration;

.137 is configured on your router and your default gateway is .138 (which is ISP). So anything leaving your network will go to .138 to get to internet.

Cheers,
Rajesh
0
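
Added example (not part of the thread and not the posters' code): a small check that answers the ISP's two questions from the running-config itself, covering both the first reply's "nothing blocking it" and the /30 address explanation in the comment above. The helper name `audit_wan` and the `SAMPLE_CONFIG` excerpt are hypothetical; the excerpt is constructed from the configuration posted in the question.

```python
import ipaddress
import re

# Constructed excerpt: only the lines of the posted running-config that the check needs.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 141.155.64.12 255.255.255.240
!
interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138
"""

DEFAULT_ROUTE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", re.M)


def audit_wan(config, ifname):
    """Hypothetical helper: report ACL/NAT on one interface and check the default route."""
    # Group indented sub-commands under their "interface <name>" line.
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    body = stanzas[ifname]
    ip, mask = next(l.split()[2:4] for l in body if l.startswith("ip address "))
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    # Usable hosts on the link other than our own address; a /30 leaves exactly one peer.
    peers = [h for h in iface.network.hosts() if h != iface.ip]
    hops = [ipaddress.ip_address(h) for h in DEFAULT_ROUTE.findall(config)]
    return {
        "address": str(iface.ip),
        "peer": str(peers[0]) if len(peers) == 1 else None,
        # Inbound ACLs bound to the interface: where ICMP filtering would show up.
        "acl_in": [l.split()[2] for l in body if re.match(r"ip access-group \S+ in$", l)],
        "nat": [l for l in body if l.startswith("ip nat ")],
        # The next hop should be the peer, never the interface's own address.
        "next_hop_is_self": iface.ip in hops,
        "next_hop_on_link": bool(hops) and all(h in iface.network for h in hops),
    }


if __name__ == "__main__":
    print(audit_wan(SAMPLE_CONFIG, "Serial0/0/0"))
```

The `address` and `peer` values are what to compare against the ISP's allocation sheet; the script can confirm the config is internally consistent, not which end the ISP assigned to the customer.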
 
LVL 2

Author Comment

by:taki1gostek
IP INFO FOR YOUR REFERENCE:
LAN      141.155.64.12/24 (16 IPs, 13 usable)
WAN     68.160.89.137 (Verizon side)
             68.160.89.138 (customer side) subnet mask: 255.255.255.252
 
DNS     151.202.0.84 & 151.202.0.85  
0
 
LVL 32

Expert Comment

by:rsivanandan
Your side, everything seems to be right. You are getting responses for the IP configured on your router (the second ping trace). But you are not getting any for .138, which is ISP => which means ISP is blocking ping requests and not YOU.

Cheers,
Rajesh
0
 
LVL 32

Expert Comment

by:rsivanandan
Okay, hold on there.

The IP info you provided there, is that correct? I would assume it is not. Because in it the customer side is .138 and that is not what is configured on your router and still you have the internet connection.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
I know, exactly!  This is what's bugging me.  

I guess I will have to reconfigure the router with the correct Serial IP info!  It is extremely weird that the Internet is up!  I thought there was something wrong.  This info is most definitely correct.

I will need help in configuring this in a way that the Internet connection does not go down.  Please understand this is a small business client, I am supporting them, I'm in Mass and they're in NYC.

I can't afford to have them go down.
0

 
LVL 2

Author Comment

by:taki1gostek
I have enabled telnet on the router & so I can telnet into it.  Now, how will changing the Serial0/0/0's IP affect everything else?

I guess I should take these lines:

interface Serial0/0/0
 ip address 68.160.89.137 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.138

and switch them around a little bit?

interface Serial0/0/0
 ip address 68.160.89.138 255.255.255.252
!
ip classless
ip route 0.0.0.0 0.0.0.0 68.160.89.137
?????????????
0
 
LVL 32

Expert Comment

by:rsivanandan
All you need to get it changed is;

interface Serial0/0/0
 ip address 68.160.89.138 255.255.255.252
 no shut
!
ip route 0.0.0.0 0.0.0.0 68.160.89.137

Just login to the router and go to the 'conf t' mode, copy the above and paste it there. The connection will be lost for sure for that moment and if everything is correct on the ISP side, it will come up in seconds.

Basically what the above does is swap the ip addresses on interface and on default gateway route.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
How can I paste "into host" in the telnet window?  Can I write these lines line-by-line and then do end, write mem?

0
 
LVL 32

Expert Comment

by:rsivanandan
Just follow as below;

Telnet to the router;

do conf t

copy those lines above and paste it in the window there. If you are connecting from remote place, your connection will be lost, so better to have someone there to do it.

If there is none that can do it, the only option is to proceed as above and don't do 'write mem'. Once you do it, have your customer try internet and see if it works fine. If so, you can telnet again and save the config with 'write mem'. If not, then just have somebody there to 'reboot' (by power) the router and your old configuration would be back up.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
I guess we're good to go.  I switched the IP's around and I can still telnet into it which would also mean that they're online :)

I did a write mem command and prayed.

Prayers were heard and I was able to reconnect.  

You forgot to mention that I should also do a no ip route 0.0.0.0 0.0.0.0 68.160.89.138 and then write mem but all in all it seems to be working.

Still can't ping 68.160.89.138 or .137 from the outside.

Nothing on the router that we can set so that the ISP can ping .138?
0
 
LVL 32

Expert Comment

by:rsivanandan
Nothing! Your configuration is just the simplest it can get. The only thing to check now is to see if you can ping the ISP from the router itself and if yes, call him up and tell him.

If not, then tell me where exactly the PIX is sitting.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
.138, being that it's assigned to the Serial0/0/0 on our router should be pingable from the outside unless there's a setting in the Router that controls this, correct?  It can't now have anything to do with the ISP's T-1 circuit, am I right?
0
 
LVL 2

Author Comment

by:taki1gostek
I can ping the ISP with no problems.
0
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
Not necessarily, your ISP could block ICMP requests from internet, that is a different story altogether.

I just pinged both the ip addresses and it isn't working. So ISP is blocking it. Call up your ISP and have him ping now, it should work for the reason that you're able to ping ISP ip address. The problem is the changed ip addresses.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
Thanks for your help.  I haven't gotten a response from the ISP yet but I think that may be a good sign.  I wasn't able to ping either of the IP's from three different networks I had remoted into and so I'm guessing it's not ISP ICMP blocking.

I'm giving you credit for catching the IP mess up though.
0
 
LVL 32

Expert Comment

by:rsivanandan
Thanks for the points, but the reason that you were not able to ping from 3 remote sites is because your ISP is blocking ICMP for sure. Once it is confirmed, post it here. I would like to know though.

Cheers,
Rajesh
0
 
LVL 2

Author Comment

by:taki1gostek
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21902488.html

New question if you're familiar with Pix506e.

Thanks!
0
