stuart100
Cisco 3925 not routing traffic.
We currently installed a 100Mbps fiber line with Ethernet hand-off. I purchased a Cisco 3925 ISR to be the gateway for this connection. I am not going to use it for any security purposes. I have an ASA5520 that will do that work. Right now I am currently just trying to get the router online.
I know the following
Laptop <--->GB 0/1((()))GB0/0<---->Ethernet handoff from ISP.
I can ping and SSH to the outside interface of the router from outside the network. I can also ping and SSH to the router from the laptop that is directly attached to the router's GB0/1 port. From the router's CLI I can ping IP addresses on the internet. From the laptop I can not.
I can not access the internet through the router though.
Here is my config.
Building configuration...
Current configuration : 3724 bytes
!
! Last configuration change at 02:17:03 UTC Tue Jan 15 2013 by ggsis
! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsis
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXNAMEXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX XXXXX
!
no aaa new-model
memory-size iomem 20
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
no ip domain lookup
ip domain name XXXXXXXXXXXXXXDomainXXXXXXXXXXX
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXX
revocation-check none
rsakeypair TP-self-signed-XXXXXXXXXXXXXX
!
!
crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXX
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXXXXX XXXXXXX
quit
license udi pid C3900-SPE100/K9 sn FOC16140N3N
!
!
username XXXXX privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip ssh time-out 60
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description ISP Side of Router$ES_WAN$$ETH-WAN$
ip address 50.XXX.XX.XXX 255.255.255.252
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description My Side of Router$ES_LAN$$ETH-LAN$
ip address 50.YYY.YY.YYY 255.255.255.0
no ip redirects
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 50.XXX.XX.NextHop
ip route 50.YYY.YY.0 255.255.255.0 GigabitEthernet0/1
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
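The posted configuration applies access-class 23 to both vty ranges and to the HTTP server, but no access-list 23 appears anywhere in it, so the restriction those lines imply is not backed by any filter in what was posted; the vty lines also accept telnet. The check below is an added example, not part of the original thread: it flags both conditions in an IOS-style configuration. The sample text is a constructed excerpt and the function name audit is hypothetical.

```python
import re

# Constructed excerpt modelled on the management-plane lines of the posted
# configuration; the next-hop address is a documentation-range placeholder.
SAMPLE_CONFIG = """\
ip http server
ip http access-class 23
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
"""

ACL_REF = re.compile(r"^(ip http )?access-class (\S+)")
ACL_DEF = re.compile(r"^(?:access-list|ip access-list (?:standard|extended)) (\S+)")
TELNET_IN = re.compile(r"^transport input\b.*\b(?:telnet|all)\b")


def audit(config):
    """Return ACLs that are referenced but never defined, and vty lines taking telnet."""
    defined, referenced, telnet_vty = set(), {}, []
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()              # works for indented and flush-left dumps
        if line.startswith("line "):
            context = line              # entering a line sub-mode
        elif line == "!":
            context = "global"
        m = ACL_DEF.match(line)
        if m:
            defined.add(m.group(1))
        m = ACL_REF.match(line)
        if m:
            where = "ip http" if m.group(1) else context
            referenced.setdefault(m.group(2), []).append(where)
        if context.startswith("line vty") and TELNET_IN.match(line):
            telnet_vty.append(context)
    dangling = {acl: where for acl, where in referenced.items() if acl not in defined}
    return {"dangling_acls": dangling, "telnet_vty": telnet_vty}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```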
On the laptop, open a command line and type:
Tracert 8.8.8.8
And post results.
Also
ip route 50.YYY.YY.0 255.255.255.0 GigabitEthernet0/1
Might not be needed.
ASKER
When I tracert to 8.8.8.8 I get the GB0/1 interface that responds and after that all stars...
I have contacted them. They gave me the IP block; you would think that they would route it.
You said you can ping the Internet from the router. Can you ping the Internet with the source address of your inside interface?
ping 8.8.8.8 source gb0/0
ASKER
No, I can not. Tried that earlier; sorry that I did not post those results.
Sorry, I meant
ping 8.8.8.8 source gb0/1
Are you supposed to be announcing your block to your ISP? Are you sure the circuit is turned up? I'd check with your ISP.
ASKER
Leeee, the circuit is up. I can SSH to the GB0/0 interface of my router from the outside.
If you can not ping with the ping 8.8.8.8 source gb0/1 command, it seems like your ISP does not route your inside network.
ASKER
I would agree. I have called to speak with them.
Based on all I've read, I'd assume you're expected to configure BGP on the router to advertise that 50.YY.YY.YY subnet of yours. That, or you've asked your ISP to do that for you on their backend.
Who owns that 50.yyy.yy.0/24 block?
I'd also go ahead and remove:
ip route 50.YYY.YY.0 255.255.255.0 GigabitEthernet0/1
Not that it matters since you'd already have a direct connect route via 0/1.
ASKER
The ISP was not routing the IP block. Once they did that we were set.
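Why the three ping results in this thread point at the ISP, as an added example that is not part of the original posts: a simplified model of the forward lookup on the customer router and the return lookup on the ISP side. The addresses are constructed documentation ranges standing in for the redacted ones, and all function names are hypothetical.

```python
import ipaddress

# Constructed addressing standing in for the redacted /30 WAN link and the
# /24 inside block from the thread.
WAN_LINK = "203.0.113.0/30"    # ISP side .1, router Gi0/0 .2
INSIDE = "198.51.100.0/24"     # router Gi0/1 .1, laptop .10


def lookup(table, dst):
    """Longest-prefix match; returns the matching route's label or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def customer_router():
    # Mirrors the posted config: two connected networks plus a default route.
    return [(WAN_LINK, "connected Gi0/0"), (INSIDE, "connected Gi0/1"),
            ("0.0.0.0/0", "ISP")]


def isp_router(routes_inside_block):
    # Simplified: the ISP always knows the link subnet; the inside block is
    # reachable only if the ISP has a route for it pointing at the customer.
    table = [(WAN_LINK, "connected")]
    if routes_inside_block:
        table.append((INSIDE, "static via 203.0.113.2"))
    return table


def ping(source, dst, isp_table):
    """The echo must be forwarded out and the reply routed back to source."""
    if lookup(customer_router(), dst) != "ISP":
        return "no forward route"
    back = lookup(isp_table, source)
    return "reply received" if back else "request sent, reply lost at ISP"


def diagnose(isp_routes_block):
    isp = isp_router(isp_routes_block)
    return {
        "router, sourced from Gi0/0": ping("203.0.113.2", "8.8.8.8", isp),
        "router, sourced from Gi0/1": ping("198.51.100.1", "8.8.8.8", isp),
        "laptop behind Gi0/1": ping("198.51.100.10", "8.8.8.8", isp),
    }


if __name__ == "__main__":
    for state in (False, True):
        print("ISP routes inside block:", state, diagnose(state))
```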