Cisco router configuration

I have a router with the below configuration. I can ping other IPs in my VPN from the router but I cannot ping them from a client connected to this router.
What are the missing commands?

Router#      
Router#show run              
Building configuration...                        

Current configuration : 1440 bytes                                  
!
version 12.4            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname Router              
!
boot-start-marker                
boot-end-marker              
!
!
no aaa new-model                
dot11 syslog            
ip cef      
!
!
!
!
!
multilink bundle-name authenticated                                  
chat-script 3G "" "ATDT*99#" TIMEOUT 60 "CONNECT"                                                
!
!
!
!
archive      
 log config          
  hidekeys          
!
!
!
!
!
!
!
interface FastEthernet0/0                        
 no ip address              
 shutdown        
 duplex auto            
 speed auto          
!
interface FastEthernet0/1                        
 ip address 192.169.11.1 255.255.255.0                                      
 duplex auto            
 speed auto          
!
interface Cellular0/0/0                      
 no ip address              
 encapsulation ppp                  
 dialer in-band              
 dialer pool-member 1                    
 dialer-group 1              
 async mode interactive                      
!
interface Dialer1                
 ip address negotiated                      
 ip rip triggered                
 encapsulation ppp                  
 dialer pool 1              
 dialer idle-timeout 0                      
 dialer string 3G                
 dialer persistent                  
 dialer-group 1              
 no cdp enable              
 ppp authentication pap chap callin                                  
 ppp chap hostname 9222210023                              
 ppp chap password 0 922231                          
 ppp ipcp dns request accept
!
router rip
 version 2
 timers basic 30 180 0 240
 network 172.24.0.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
 password m111
 login
line aux 0
line 0/0/0
 script dialer 3G
 no exec
 rxspeed 3600000
 txspeed 384000
line vty 0 4
 password m111
 login
!
scheduler allocate 20000 1000
end

Router#
Router#
Router#
aldahan Asked:

Istvan Kalmar (Head of IT Security Division) Commented:
Hi, the ip nat outside needs to be on the Dialer interface:

interface Dialer1    
 ip nat outside

ip nat indise source list 1 interface dialer1 overload

access-list 1 permit 192.168.1.0 0.0.0.255

Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

the dialer interface is up?

aldahan (Author) Commented:
Yes, it is up and I can ping the WAN IPs from the router, but I cannot ping them from the computers connected to the router. I think that the router is not routing the ping requests coming from the Ethernet interface to the cellular interface.

Aaron Street (Infrastructure Manager) Commented:
Are you sure the firewall is not stopping them? It is normal to stop all traffic coming from outside hitting the router's interfaces, so check your security settings as well.

aldahan (Author) Commented:
The firewall is not stopping them.

aldahan (Author) Commented:
I found that I can ping the router WAN IP from the other locations but I cannot ping the network internal IP of the router.

Istvan Kalmar (Head of IT Security Division) Commented:
Hi,

Why didn't you configure NAT?

aldahan (Author) Commented:
how to configure it?

aldahan (Author) Commented:
The following NAT config does not work.

interface FastEthernet0/1
 ip address 192.169.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

interface Cellular0/0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
!

aldahan (Author) Commented:
It does not work. The following is the error message, followed by the running configuration:

Router(config-if)#ip nat indise source list 1 interface dialer1 overload
                           ^
% Invalid input detected at '^' marker.


Router#      
Router#      
Router#      
Router#      
Router#show run              
Building configuration...                        

Current configuration : 1596 bytes                                  
!
version 12.4            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname Router              
!
boot-start-marker                
boot-end-marker              
!
!
no aaa new-model                
dot11 syslog            
ip cef      
!
!
!
!
!
multilink bundle-name authenticated                                  
chat-script 3G "" "ATDT*99#" TIMEOUT 60 "CONNECT"                                                
!
!
!
!
archive      
 log config          
  hidekeys          
!
!
!
!
!
!
!
interface FastEthernet0/0                        
 no ip address              
 shutdown        
 duplex        
 speed auto          
!
interface FastEthernet0/1                        
 ip address 192.169.112.1 255.255.255.0                                      
 ip nat inside              
 ip virtual-reassembly                      
 duplex auto            
 speed auto          
!
interface Cellular0/0/0                      
 no ip address              
 ip nat outside              
 ip virtual-reassembly                      
 encapsulation ppp                  
 dialer in-band              
 dialer pool-member 1                    
 dialer-group 1              
 async mode interactive                      
!
interface Dialer1                
 ip address negotiated                      
 ip nat outside              
 ip rip triggered                
 ip virtual-reassembly                      
 encapsulation ppp                  
 dialer pool 1              
 dialer idle-timeout 0                      
 dialer string 3G                
 dialer persistent                  
 dialer-group          
 no cdp enable              
 ppp authentication pap chap callin                                  
 ppp chap hostname 966509310023                              
 ppp chap password 0 966509310023                                
 ppp ipcp dns request accept                            
!
router rip          
 version 2          
 timers basic 30 180 0 240                          
 network 172.22.0.0                  
 no auto-summary                
!
ip forward-protocol nd                      
ip route 0.0.0.0 0.0.0.0 Dialer1                                
!
!
ip http server              
no ip http secure-server                        
!
access-list 1 permit 192.168.1.0 0.0.0.255                                          
dialer-list 1 protocol ip permit                                
!
!
!
!
control-plane
!
!
line con 0
 password mohannad
 login
line aux 0
line 0/0/0
 script dialer 3G
 no exec
 rxspeed 3600000
 txspeed 384000
line vty 0 4
 password mohannad
 login
!
scheduler allocate 20000 1000
end

Router#
Router#
Router#
Router#
Router#

Istvan Kalmar (Head of IT Security Division) Commented:
Sorry, I mistyped :)

ip nat inside source 1 interface Dialer1 overload

aldahan (Author) Commented:
still same error:
Router(config-if)#ip nat inside source 1 interface Dialer1 overload                                                                  
                                ^                                
% Invalid input detected at '^' marker.

Aaron Street (Infrastructure Manager) Commented:
Can you do a show ip interface brief as well?

NAT should not affect this; the internal private IP should be able to ping the IP of the WAN interface, as it is directly connected to the router so would not be NATted.

The clients do have 192.169.11.1 as their default gateway, yes?

Aaron Street (Infrastructure Manager) Commented:
Sorry, one of your configs uses 11.1 and one has 112.1 on the Fast Ethernet interface.

Aaron Street (Infrastructure Manager) Commented:
What router is it you are using?

I assume it can run NAT?

aldahan (Author) Commented:
yes. the gateway is correct.

Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES NVRAM  administratively down down
FastEthernet0/1            192.169.11.1    YES NVRAM  up                    up
Cellular0/0/0              unassigned      YES NVRAM  up                    up
NVI0                       192.169.11.1    YES unset  up                    up
Dialer1                    172.22.76.3     YES IPCP   up                    up

Router#

aldahan (Author) Commented:
it is 192.169.11.1

Aaron Street (Infrastructure Manager) Commented:
the command is

IP NAT INSIDE SOURCE LIST 1 interface dialer1 overload


access-list 1 permit 192.168.1.0 0.0.0.255                                          
dialer-list 1 protocol ip permit

What's this list for? 192.168.1.x? It is not going to let 192.168.11.x addresses through?

aldahan (Author) Commented:
also note that from a client connected to the router, I can ping 172.22.76.3

Aaron Street (Infrastructure Manager) Commented:
Yeah, then it is the NAT that's causing the issue.
Try that second command, including the keyword "list".

aldahan (Author) Commented:
what should be
access-list 1 permit 192.168.1.0 0.0.0.255?
is it
access-list 1 permit 192.169.11.0 0.0.0.255?

aldahan (Author) Commented:
OK.
Now I can ping from router clients to other VPN locations. However from other locations I cannot ping the router internal IP or any clients connected to the router.

Aaron Street (Infrastructure Manager) Commented:
Sorry, I was asking why you had access list 1 in the first place, as it does not match the IP address on your Fast Ethernet interface.

If your clients are on the 192.168.11.0 network then you don't want to use access list 1, which is for the 192.168.1.0 network.

For NAT you need an access list that permits the IP addresses you want to NAT (i.e. 192.168.11.0 0.0.0.255).

And secondly, the command to enable NAT is

ip nat inside source list 1 interface Dialer1 overload

not ip nat inside source 1 interface Dialer 1 overload as ikalmar typed (I'm assuming it was a mistype on his part).
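
Added example, not part of the original thread or of Cisco's tooling: a Python check for the mismatch diagnosed in the post above, where the ACL named in the NAT overload rule does not cover the "ip nat inside" subnet. The config text is constructed from lines quoted in this thread, the function names are illustrative, and only the "permit <address> <wildcard>" form of a standard ACL is handled.

```python
import ipaddress
import re

# Constructed sample: interface and ACL lines as quoted in the thread, plus the NAT rule.
BROKEN = """\
interface FastEthernet0/1
 ip address 192.169.11.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""
FIXED = BROKEN.replace("permit 192.168.1.0", "permit 192.169.11.0")

def parse_interfaces(config):
    """Map interface name -> {'net': network or None, 'nat': 'inside'/'outside'/None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"net": None, "nat": None})
        elif not line.startswith(" "):
            cur = None  # an unindented line ends the interface stanza
        elif cur is not None:
            if m := re.match(r" +ip address (\S+) (\S+) *$", line):
                cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            elif m := re.match(r" +ip nat (inside|outside) *$", line):
                cur["nat"] = m[1]
    return ifaces

def acl_permits(config, acl_id):
    """Networks permitted by a standard numbered ACL (address + wildcard form only)."""
    nets = []
    pattern = rf"^access-list {re.escape(acl_id)} permit (\S+) (\S+) *$"
    for addr, wildcard in re.findall(pattern, config, re.M):
        host_bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
        nets.append(ipaddress.ip_network(f"{addr}/{32 - host_bits}", strict=False))
    return nets

def audit_nat(config):
    """Return findings for overload rules whose ACL misses an 'ip nat inside' subnet."""
    ifaces = parse_interfaces(config)
    rules = re.findall(r"^ip nat inside source list (\S+) interface (\S+) overload *$", config, re.M)
    findings = [] if rules else ["no 'ip nat inside source list' overload rule"]
    for acl_id, outside in rules:
        if ifaces.get(outside, {}).get("nat") != "outside":
            findings.append(f"{outside} is not marked 'ip nat outside'")
        permitted = acl_permits(config, acl_id)
        for name, info in ifaces.items():
            net = info["net"] if info["nat"] == "inside" else None
            if net is not None and not any(net.subnet_of(p) for p in permitted):
                findings.append(f"access-list {acl_id} does not permit {net} ({name})")
    return findings
```

Running audit_nat on a saved "show run" returns an empty list when every inside subnet is covered by the ACL the overload rule references.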
 
Aaron Street (Infrastructure Manager) Commented:
That's right, you can ping back through a NAT'ed IP.

This is because, to the outside, all your inside clients are using the single IP assigned to your dialer interface.

Ping a few outside addresses from a client, and then on the router type

show ip nat translations. You will see how the addresses are all translated to a single IP address.

Private IPs can't get routed across the internet. You need to do port forwarding.

So you would do something like

ip nat static 192.168.11.5 44 172.22.76.3 44 (this might not be the exact command)

This would then mean any traffic received on port 44 sent to IP address 172.22.76.3 would be forwarded to the internal IP address 192.168.11.5 port 44.

It is not normal to do this, apart from in the case of something like a web server you need to be connected to from outside.

If you want to do things like remote desktop, then you need a proxy server, so all incoming connections are sent to this server and it forwards them on to the correct internal device.

However, I suggest you do a bit of reading up on NAT and how it works; the Cisco site has a lot of data on it. NAT works for outgoing connections but does not really handle incoming connections well (but then that gives you a lot of security).

Aaron Street (Infrastructure Manager) Commented:
Can we see your running config now?

Aaron Street (Infrastructure Manager) Commented:
Oh, and that other post should have started: you can't ping back through a NAT'ed IP.

Istvan Kalmar (Head of IT Security Division) Commented:
Sorry, I have a hangover :)

Do what DewilWAH said.....

aldahan (Author) Commented:
The link that I am using should connect me to my IP-VPN. So I think it should allow me to ping all the IPs connected to the router. This is not an internet connection.
The following is the running config

Router#      
Router#show run              
Building configuration...                        

Current configuration : 1674 bytes                                  
!
version 12.4            
service timestamps debug datetime msec                                      
service timestamps log datetime msec                                    
no service password-encryption                              
!
hostname Router              
!
boot-start-marker                
boot-end-marker              
!
!
no aaa new-model                
dot11 syslog            
ip cef      
!
!
!
!
!
multilink bundle-name authenticated                                  
chat-script 3G "" "ATDT*99#" TIMEOUT 60 "CONNECT"                                                
!
!
!
!
archive      
 log config          
  hidekeys          
!
!
!
!
!
!
!
interface FastEthernet0/0                        
 no ip address              
 shutdown        
 duplex auto            
 speed auto          
!
interface FastEthernet0/1                        
 ip address 192.169.11.1 255.255.255.0                                      
 ip nat inside              
 ip virtual-reassembly                      
 duplex auto            
 speed auto          
!
interface Cellular0/0/0                      
 no ip address              
 ip nat outside              
 encapsulation ppp                  
 dialer in-band              
 dialer pool-member 1                    
 dialer-group 1              
 async mode interactive                      
!
interface Dialer1                
 ip address negotiated                      
 ip nat outside              
 ip rip triggered                
 ip virtual-reassembly                      
 encapsulation ppp                  
 dialer pool 1              
 dialer idle-timeout 0                      
 dialer string 3G                
 dialer persistent                  
 dialer-group            
 no cdp enable              
 ppp authentication pap chap callin                                  
 ppp chap hostname 110023                              
 ppp chap password 0 110023                                
 ppp ipcp dns request accept                            
!
router rip          
 version 2          
 timers basic 30 180 0 240                          
 network 172.22.0.0                  
 no auto-summary                
!
ip forward-protocol nd                      
ip route 0.0.0.0 0.0.0.0 Dialer1                                
!
!
ip http server              
no ip http secure-server                        
ip nat inside source list 1 interface Dialer1 overload                                                      
!
access-list 1 permit 192.169.11.0 0.0.0.255                                          
dialer-list 1 protocol ip permit                                
!
!
!
!
control-plane
!
!
line con 0
 password mo111
 login
line aux 0
line 0/0/0
 script dialer 3G
 no exec
 rxspeed 3600000
 txspeed 384000
line vty 0 4
 password mo111
 login
!
scheduler allocate 20000 1000
end

Router#
Router#

Istvan Kalmar (Head of IT Security Division) Commented:
If it is a VPN, could it be that you do not need NAT, am I right?
Does this SIM card belong to a special APN?

Aaron Street (Infrastructure Manager) Commented:
Well, that really depends on how you have your VPNs set up, but you could well be right, ikalmar.

I think the

access-list 1 permit 192.169.11.0 0.0.0.255
dialer-list 1 protocol ip permit

was the problem when you had it set to 192.168.1.0, as you were then blocking all addresses apart from the 192.168.1.0 addresses to your dialer interface.

You could try taking the NAT off

no ip nat source list.......

and see if it still works.

aldahan (Author) Commented:
It does not work after removing the NAT

Aaron Street (Infrastructure Manager) Commented:
OK, in which case you do need NAT.

With VPNs you should be able to get it to work without NAT, but that's something you would have to take some time studying.

So many ways to implement it and so many factors to consider, especially what is holding public / private IP addresses and how these are routed between the networks.

aldahan (Author) Commented:
Thank You