dmkocot
asked:
Can't ping any public IPs... except for ISP's gateway.

Hello folks,

I've got a Cisco 1811W router I'm setting up. It works fine, except for one little problem - I can't get to any public IP addresses from it. I can, however, ping my ISP's gateway (this is a DSL line, and there is no encapsulation in use). Any ping attempts beyond the gateway time out, however (or any other kind of traffic, for that matter).

I've spent about 30 hours now on this over the last two months - I've reloaded to factory defaults about seven times now. Before I rip out my last strand of hair, I thought I'd post here. This is the latest config - I just went through the SDM's configurator after resetting to factory defaults.

Router#sho run
Building configuration...

Current configuration : 6997 bytes
!
! Last configuration change at 10:55:55 PCTime Sat Jul 1 2006 by david
! NVRAM config last updated at 10:43:29 PCTime Sat Jul 1 2006 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$TFKJ$Y3kwg2vF1RX.gC8MIQx6S1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name X.X
ip name-server X.X.X.X
ip name-server X.X.X.X
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4097243757
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4097243757
 revocation-check none
 rsakeypair TP-self-signed-4097243757
!
!
crypto pki certificate chain TP-self-signed-4097243757
 certificate self-signed 01
      [Certificate]
  quit
username david privilege 15 secret 5 XXXXXXXXXX
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 !
 ssid XXXXXX
    authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 !
 ssid XXXXXX
    authentication open
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.43.9.1 255.255.255.192
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.43.9.0 0.0.0.63
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip X.X.X.X 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host X.X.X.X eq domain host [F0]
access-list 101 permit udp host 10.43.9.11 eq domain host [F0]
access-list 101 deny   ip 10.43.9.0 0.0.0.63 any
access-list 101 permit icmp any host [F0] echo-reply
access-list 101 permit icmp any host [F0] time-exceeded
access-list 101 permit icmp any host [F0] unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Router#sho ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     X.X.X.X/24 is subnetted, 1 subnets
C       X.X.X.X is directly connected, FastEthernet0
     10.0.0.0/26 is subnetted, 1 subnets
C       10.43.9.0 is directly connected, BVI1
S*   0.0.0.0/0 is directly connected, FastEthernet0

I have two other routers that have worked here with no problems (a Linksys BEFSX41 and a Cisco 1605), so the DSL line is okay. I'm assuming either that my configs have all been bad or the router is broken.

Any ideas?
ASKER CERTIFIED SOLUTION
Les Moore
The ACL 101 is fine inbound on your external interface. You do need to change the ip route 0.0.0.0 0.0.0.0 fa0 to your ISP's gateway address. I made a tutorial on the SDM and SDM Express in PowerPoint here: http://www.inacom-sby.com/sdm.ppt When it gets to the question about the next hop, you selected the interface instead of putting your ISP's gateway in. Otherwise the config is fine.
Shawn
Because the firewall is using CBAC, there is no reason to change ACL 101.
dmkocot (ASKER)
>ip route 0.0.0.0 0.0.0.0 FastEthernet0
For one thing, it is not recommended to use a broadcast interface (Ethernet) as a gateway. Recommend that you use the actual IP of the ISP.
   ip route 0.0.0.0 0.0.0.0 a.b.c.d

That was it!

Funny, I've set up about a half dozen Cisco routers and I've always set my default route with the interface instead of the gateway IP and have never had a problem. Go figure!

I'm not having any ACL problems with the listed config.

Thanks a bunch!
As long as the interface is Serial it's OK, but it is still preferable to use the next-hop IP. If it is Ethernet, you almost always have to provide the next hop.
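The fix the thread converges on (a static default route that names an Ethernet interface needs the ISP's next-hop address) is easy to check for mechanically before a config goes live. The script below is an added example, not code from the thread or from Cisco: it pulls `ip route` lines out of a `show run` text, flags any route that names only a multi-access interface, and prints the corrected line. The embedded config is a constructed, abridged copy of the one posted above (the public addresses stay masked as X.X.X.X), and 203.0.113.1 is a documentation-range placeholder for the ISP gateway, which the post does not reveal.

```python
"""Audit static routes in a Cisco IOS running-config for interface-only routes
on multi-access (Ethernet-style) links.

Added example, not code from the thread or from Cisco. It assumes plain
`show run` text; the sample below is a constructed, abridged copy of the one
in the question."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, abridged from the running-config in the question.
# Public addresses stay masked as X.X.X.X, as in the original post.
SAMPLE_CONFIG = """\
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.0
 no ip proxy-arp
 ip nat outside
!
interface BVI1
 ip address 10.43.9.1 255.255.255.192
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
"""

# Broadcast / multi-access interface types. A static route that points only at
# one of these makes IOS treat every destination as directly connected and ARP
# for it, so forwarding silently depends on the upstream device answering with
# proxy ARP. Point-to-point types such as Serial or Dialer are deliberately
# absent: there is nothing to resolve on those links.
MULTIACCESS_TYPES = ("Ethernet", "FastEthernet", "GigabitEthernet",
                     "Vlan", "BVI", "Dot11Radio")

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class StaticRoute:
    prefix: str
    mask: str
    interface: Optional[str]
    next_hop: Optional[str]
    line: str


def parse_static_routes(config: str) -> List[StaticRoute]:
    """Extract `ip route <prefix> <mask> [interface] [next-hop] [distance] ...`
    lines. VRF routes (`ip route vrf ...`) are skipped to keep the parser short."""
    routes: List[StaticRoute] = []
    for raw in config.splitlines():
        tokens = raw.strip().split()
        if len(tokens) < 5 or tokens[:2] != ["ip", "route"] or tokens[2] == "vrf":
            continue
        prefix, mask = tokens[2], tokens[3]
        interface = next_hop = None
        if IPV4_RE.match(tokens[4]):
            next_hop = tokens[4]                 # next-hop address only
        else:
            interface = tokens[4]                # interface, maybe followed by a next hop
            if len(tokens) > 5 and IPV4_RE.match(tokens[5]):
                next_hop = tokens[5]
        routes.append(StaticRoute(prefix, mask, interface, next_hop, raw.strip()))
    return routes


def is_multiaccess(interface: str) -> bool:
    return interface.startswith(MULTIACCESS_TYPES)


def interface_only_routes(routes: List[StaticRoute]) -> List[StaticRoute]:
    """Routes that name a multi-access interface and no next-hop address."""
    return [r for r in routes
            if r.next_hop is None and r.interface and is_multiaccess(r.interface)]


def suggested_fix(route: StaticRoute, gateway: str) -> str:
    """Rewrite the route to use the ISP gateway as next hop, as the thread recommends."""
    return f"ip route {route.prefix} {route.mask} {gateway}"


if __name__ == "__main__":
    # 203.0.113.1 is a placeholder for the ISP gateway (masked in the post).
    for r in interface_only_routes(parse_static_routes(SAMPLE_CONFIG)):
        print(f"FINDING: '{r.line}' relies on proxy ARP from the upstream device")
        print(f"   fix:  {suggested_fix(r, '203.0.113.1')}")
```

Run against the posted config it reports the single default route and prints `ip route 0.0.0.0 0.0.0.0 203.0.113.1` as the replacement. The reason the Linksys and the 1605 worked on the same line while this box did not is not visible in the config, but the behaviour the check encodes is: an interface-only route over Ethernet only forwards if the gateway proxy-ARPs for the world, whereas a next-hop address makes the router ARP once for the gateway and then send everything there.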