Solved

Cisco 1841 - unable to ping internal address from outside

Posted on 2008-10-18
Last Modified: 2012-05-05
I have a Cisco 1841 router; F0/1 is connected directly to the ISP while F0/0 is connected to a switch. A computer with an IP address in the same range as F0/0 is also connected to the switch. I am able to ping from the router and the computer to any public IP address, but I could not ping from an external network to the computer. Can anyone take a look at the configuration to see if I've missed anything?

Below are the IP address used:
ISP -  10.0.0.1/30
FastEthernet 0/1 - 10.0.0.2/30
FastEthernet 0/0 - 192.168.0.1/29
Computer - 192.168.0.2/29
Building configuration...
 
Current configuration : 1819 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1841
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
logging console critical
enable secret 5 @#!$%^&*()$#@@
enable password 7 9845765424567890
aaa new-model
!
!
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
!
!
login block-for 120 attempts 10 within 120
!
username administrator password 7 9845765424567890
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 ip address 10.0.0.2 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
!
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner motd ^CCisco 1841 Router^C
!
line con 0
 login authentication local_auth
 transport output telnet
line aux 0
 exec-timeout 15 0
 transport output telnet
line vty 0 4
 password 7 050656012A1F575C
 login authentication local_auth
 transport input telnet
!
end

Question by:tdic_syap
14 Comments
 
LVL 5

Expert Comment

by:rexxus
ID: 22748101
When you say that you are unable to ping from external, are you pinging from the 10 network or from a public IP address on the internet?

If you are trying to ping the internal 192 range from an address on the internet you won't get a response, as the 192.168.0.x address range is not routable across the internet.

If you are pinging from something on the other side of the 10 network, is there a route to the 192 network? (Is this a home lab network?)
0
 

Author Comment

by:tdic_syap
ID: 22749078
I'm trying to ping from a public IP address on the internet and also on the Cisco router. If I try to do a tracert from a computer on another network (public IP, internet), it can only trace as far as the WAN Gateway (customer side), which is FastEthernet0/1; it could not pass through it.

I could not give you the exact public IP ranges that my ISP gave me. 192.168.0.x is only a representation of the IP ranges, the same as with 10.0.0.x.

WAN Gateway (ISP side) - X.X.X.A/30
WAN Gateway (customer side) - X.X.X.B/30

Ethernet IP (isp given ip ranges) - Y.Y.Y.C/29 - Y.Y.Y.J/29
0
 
LVL 10

Expert Comment

by:cstosgale
ID: 22750093
Is the internal interface physically up? If it is not plugged in, you won't be able to ping it!

To confirm, if you are on the cisco router, and you ping the IP on fa0/0 you get no response?
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22751232
What is the default gateway on the computer set to ?
0
 

Author Comment

by:tdic_syap
ID: 22751313
Interfaces F0/0 and F0/1 are up, and the protocol for F0/0 and F0/1 is up as well. I could ping from the router and even from the computer (internal network) to any public internet IP.

The default gateway for the computer (internal network) is the IP of F0/0. F0/1 (WAN gateway customer side going to ISP) while F0/0 is (IP address taken from the IP Ranges given by ISP).
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22751325
Can you post the running config?
0
 

Author Comment

by:tdic_syap
ID: 22751439
Please refer to the code snippet in the post above; that's the current configuration, but I've changed the IP.
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22751496
Are you able to ping the IP address of the internal network from the internet?

Is there a firewall anywhere in the setup? Hardware or software?
0
 

Author Comment

by:tdic_syap
ID: 22751577
I cannot ping any internal network from the internet. I could only ping up to the Cisco router F0/0 interface. There's no firewall set up; please refer to the diagram below.

     Internet (ISP)
          |
       F0/1 (ip add X.X.X.A/30)
(Cisco Router)
       F0/0 (ip add Y.Y.Y.C/29)
          |
Internal Network (default route, 0.0.0.0 0.0.0.0 F0/1)
0
 
LVL 3

Expert Comment

by:leonjs
ID: 22752558
I believe factory settings allow this but for testing try adding these . .

! allow pings into the network
access-list 100 permit icmp any any echo
!
! allow ping responses
access-list 100 permit icmp any any echo-reply
!
! allow ICMP source-quench
access-list 100 permit icmp any any source-quench
!
! allow path MTU discovery
access-list 100 permit icmp any any packet-too-big
!
! allow time-exceeded, which is useful for traceroute
access-list 100 permit icmp any any time-exceeded
!
! deny all other ICMP packets
access-list 100 deny icmp any any
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22785434
From the router can you issue an extended ping using the following:

ping
ip
source  <ip address of fa0/1>
destination <ip address of computer>
enter through the remainder of questions

and let us know the outcome?
0
 

Author Comment

by:tdic_syap
ID: 22807103
I've done the extended ping and ACL on icmp, still having the same problem.
0
 
LVL 5

Expert Comment

by:rexxus
ID: 22829188
If the extended ping failed then there is something wrong with either the interface addressing or something in the interface configuration that is missing.

Can you paste the output from "show ip route" please. Sanitised to match the above.

Also check all ip addressing and subnet masks to make sure they match as appropriate.
0
 
LVL 10

Accepted Solution

by:
cstosgale earned 500 total points
ID: 22839352
One thing I did notice in the config above is your default route is pointing to fastethernet 0/1. I'm pretty sure this won't work as it is not a point to point interface. Try setting your default route to the gateway's IP address and see if that resolves the issue.

Without any access lists everything including ping is allowed through.

If the above does not fix it, the only other possibility is the ISP is not routing the traffic correctly for the internal range.
0
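
The change suggested in the accepted solution, written out as an added example that is not part of the original thread. It uses the placeholder addresses from the question (10.0.0.1 as the ISP side of the /30, 192.168.0.1 as F0/0); substitute the real ones.

```cisco
! Before (line from the posted config): the default route names only the
! exit interface. On a multi-access Ethernet link the router then treats
! every destination as directly connected, ARPs for each one, and depends
! on the upstream device answering with proxy ARP.
!   ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
! After: remove that route and point the default at the ISP gateway address.
configure terminal
 no ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
 ip route 0.0.0.0 0.0.0.0 10.0.0.1
 end
!
! Check 1: the default route should now list 10.0.0.1 as the next hop
! rather than "directly connected, FastEthernet0/1".
show ip route static
!
! Check 2: the WAN-side ARP table should hold the router's own address and
! the ISP gateway, not one entry per remote destination.
show ip arp FastEthernet0/1
!
! Check 3: ping the ISP gateway using the inside address as the source.
! A reply requires the ISP to have a route back to the inside /29.
ping 10.0.0.1 source 192.168.0.1
```

If check 3 fails while a plain `ping 10.0.0.1` succeeds, the upstream side has no return route for the inside range, which is the ISP routing case the accepted solution mentions last.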
