Solved

Can't ping any public IPs... except for ISP's gateway.

Posted on 2006-07-01
5
475 Views
Last Modified: 2012-08-14
Hello folks,

I've got a Cisco 1811W router I'm setting up. It works fine, except for one little problem - I can't get to any public IP addresses from it. I can, however, ping my ISP's gateway (this is a DSL line, and there is no encapsulation in use). Any ping attempts beyond the gateway time out, however (or any other kind of traffic, for that matter).

I've spent about 30 hours now on this over the last two months - I've reloaded to factory defaults about seven times now. Before I rip out my last strand of hair, I thought I'd post here. This is the latest config - I just went through the SDM's configurator after resetting to factory defaults.

Router#sho run
Building configuration...

Current configuration : 6997 bytes
!
! Last configuration change at 10:55:55 PCTime Sat Jul 1 2006 by david
! NVRAM config last updated at 10:43:29 PCTime Sat Jul 1 2006 by cisco
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$TFKJ$Y3kwg2vF1RX.gC8MIQx6S1
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name X.X
ip name-server X.X.X.X
ip name-server X.X.X.X
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
!
!
crypto pki trustpoint TP-self-signed-4097243757
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4097243757
 revocation-check none
 rsakeypair TP-self-signed-4097243757
!
!
crypto pki certificate chain TP-self-signed-4097243757
 certificate self-signed 01
      [Certificate]
  quit
username david privilege 15 secret 5 XXXXXXXXXX
!
!
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 !
 ssid XXXXXX
    authentication open
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 !
 ssid XXXXXX
    authentication open
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address X.X.X.X 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.43.9.1 255.255.255.192
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.43.9.0 0.0.0.63
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip X.X.X.X 0.0.0.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host X.X.X.X eq domain host [F0]
access-list 101 permit udp host 10.43.9.11 eq domain host [F0]
access-list 101 deny   ip 10.43.9.0 0.0.0.63 any
access-list 101 permit icmp any host [F0] echo-reply
access-list 101 permit icmp any host [F0] time-exceeded
access-list 101 permit icmp any host [F0] unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end

Router#sho ip rout
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     X.X.X.X/24 is subnetted, 1 subnets
C       X.X.X.X is directly connected, FastEthernet0
     10.0.0.0/26 is subnetted, 1 subnets
C       10.43.9.0 is directly connected, BVI1
S*   0.0.0.0/0 is directly connected, FastEthernet0

I have two other routers that have worked here with no problems (a Linksys BEFSX41 and a Cisco 1605), so the DSL line is okay. I'm assuming either that my configs have all been bad or the router is broken.

Any ideas?
Question by:dmkocot
5 Comments
LVL 79

Accepted Solution

by:
lrmoore earned 250 total points
ID: 17024623
>ip route 0.0.0.0 0.0.0.0 FastEthernet0
For one thing, it is not recommended to use a broadcast interface (Ethernet) as a gateway. Recommend that you use the actual IP of the ISP.
   ip route 0.0.0.0 0.0.0.0 a.b.c.d

>ip access-group 101 in
Access-list 101 is too restrictive. Try removing the acl from the interface and see if that helps. If yes, then we can refine the acl to make it work.

LVL 15

Expert Comment

by:wingatesl
ID: 17024759
The ACL 101 is fine inbound on your external interface. You do need to change the ip route 0.0.0.0 0.0.0.0 fa0 to your ISP's gateway address. I made a tutorial on the SDM and SDM express in PowerPoint here: http://www.inacom-sby.com/sdm.ppt When it gets to the question about the next hop, you selected interface instead of putting your ISP's gateway in. Otherwise the config is fine.
Shawn
LVL 15

Expert Comment

by:wingatesl
ID: 17024767
Because the firewall is using CBAC there is no reason to change ACL 101
Author Comment

by:dmkocot
ID: 17059730
>ip route 0.0.0.0 0.0.0.0 FastEthernet0
>For one thing, it is not recommended to use a broadcast interface (Ethernet) as a gateway. Recommend that you use the actual IP of the ISP.
>   ip route 0.0.0.0 0.0.0.0 a.b.c.d

That was it!

Funny, I've set up about a half dozen Cisco routers and I've always set my default route with the interface instead of the gateway IP and have never had a problem. Go figure!

I'm not having any ACL problems with the listed config.

Thanks a bunch!
LVL 79

Expert Comment

by:lrmoore
ID: 17060968
As long as the interface is Serial it's OK but still preferable to use next hop IP. If it is Ethernet, you almost always have to provide the next hop.
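A small lint check for the misconfiguration this thread settles on (a static default route whose exit is a multi-access interface with no next-hop address), written here as an added example in Python; it is not code from the thread or from Cisco. SAMPLE_CONFIG and the 203.0.113.x addresses are constructed stand-ins for the poster's masked values.

```python
import re
from typing import Dict, List

# Constructed excerpt of the poster's running-config: the default route
# names the Ethernet WAN interface instead of the ISP gateway address.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0
"""

# ip route <prefix> <mask> <next-hop-ip | interface [next-hop-ip]> [options]
ROUTE_RE = re.compile(
    r"^ip route\s+(?P<prefix>\S+)\s+(?P<mask>\S+)\s+(?P<target>\S+)"
    r"(?:\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+))?"
)
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")
# Interface types where an exit-only route makes the router ARP for every
# destination and rely on the upstream device answering with proxy ARP.
MULTIACCESS = ("Ethernet", "FastEthernet", "GigabitEthernet", "Vlan", "BVI", "Dot11Radio")


def check_static_routes(config: str) -> List[Dict[str, str]]:
    """Return one finding per 'ip route' line whose exit is an interface only.

    Severity is 'warn' for multi-access (broadcast) interfaces, the case that
    broke the poster's WAN, and 'info' for point-to-point ones such as Serial,
    where lrmoore's comment says it works but a next hop is still preferable.
    """
    findings = []
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        target = m.group("target")
        if IPV4_RE.fullmatch(target) or m.group("nexthop"):
            continue  # next-hop address present in either form: fine
        sev = "warn" if target.startswith(MULTIACCESS) else "info"
        findings.append({
            "line": raw.strip(), "interface": target, "severity": sev,
            "fix": f"ip route {m.group('prefix')} {m.group('mask')} <isp-gateway-ip>",
        })
    return findings


if __name__ == "__main__":
    for f in check_static_routes(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['line']}  ->  {f['fix']}")
```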