Have a 2621 running 12.3
Got a new set of IPs and serial line(T1) from the console # prompt can't ping the first two but can the last one, f0/1 f0/0 s0/0 f0/1
I modified an existing config to reflect the new values for f0/0 and s0/0
ideas?
Should have added that f0/1 is on 10.x.x.x and the router is doing NAT
:
sh ip int brief
Your config may also be helpful.
On Thu, 29 May 2008 15:59:20 -0700, Trendkill wrote:
CISCO2#sho ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 12.70.58.129 YES manual up up Serial0/0 12.89.208.122 YES manual down down FastEthernet0/1 10.0.0.1 YES manual up up CISCO2#ping 12.70.58.129
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.70.58.129, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) CISCO2#ping 10.0.0.1
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms CISCO2#ping 12.89.208.122
Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 12.89.208.122, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)
CISCO2#sho config Using 3309 out of 29688 bytes ! ! Last configuration change at 14:27:47 PST Thu May 29 2008 ! NVRAM config last updated at 14:27:53 PST Thu May 29 2008 ! version 12.3 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname CISCO2 ! boot-start-marker boot-end-marker ! logging buffered 65535 debugging logging console informational enable secret 5 $1$4TwO$cwJqY4fRqc2Yqvi8MpoHG0 ! clock timezone PST -8 no aaa new-model ip subnet-zero ip cef ! ! ip domain name Kednos.com ip name-server 12.70.58.130 ip name-server 12.70.58.132 ip name-server 12.70.58.133 ip name-server 12.70.58.134 ip name-server 12.70.58.135 ip name-server 12.70.58.137 ! ip audit po max-events 100 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! interface FastEthernet0/0 description OUTSIDE INTERFACE TO THE INTERNET ip address 12.70.58.129 255.255.255.128 ip access-group 101 in no ip redirects no ip unreachables no ip proxy-arp ip nat outside speed auto full-duplex no cdp enable ! interface Serial0/0 ip address 12.89.208.122 255.255.255.252 ip access-group 101 in ip access-group 102 out ip nat outside no ip mroute-cache ! interface FastEthernet0/1 description INSIDE INTERFACE TO PRIVATE NETWORK ip address 10.0.0.1 255.0.0.0 ip nat inside duplex auto speed auto ! ip nat inside source list 1 interface FastEthernet0/0 overload no ip http server no ip http secure-server ip classless ip route 0.0.0.0 0.0.0.0 12.89.208.121 ! ! access-list 1 permit 10.0.0.0 0.0.0.255 access-list 101 remark PREVENT UNWANTED ACCESS access-list 101 remark DENY RFC 1918 SOURCES access-list 101 deny ip 10.0.0.0 0.255.255.255 any access-list 101 deny ip 172.16.0.0 0.0.15.255 any access-list 101 deny ip 192.168.0.0 0.0.255.255 any access-list 101 remark ANTI-SPOOFING PROTECTION access-list 101 deny ip host 0.0.0.0 any access-list 101 deny ip 127.0.0.0 0.255.255.255 any access-list 101 deny ip 192.0.2.0 0.0.0.255 any access-list 101 deny ip 224.0.0.0 31.255.255.255 any access-list 101 remark DENY BROADCASTS access-list 101 deny ip 255.0.0.0 0.255.255.255 any access-list 101 deny ip any 255.0.0.0 0.255.255.255 access-list 101 remark PERMIT/DENY a few knowns access-list 101 permit icmp any any echo-reply access-list 101 permit icmp any any time-exceeded access-list 101 deny icmp any any echo access-list 101 remark PREVENT ANY INBOUND SNMP access-list 101 deny udp any any eq snmp access-list 101 deny udp any any eq snmptrap access-list 101 remark ICMP TYPES access-list 101 deny icmp any any access-list 101 remark PREVENT CISCO CODE VULNERABILITY access-list 101 deny 53 any any access-list 101 deny 55 any any access-list 101 deny 77 any any access-list 101 deny pim any any access-list 101 remark PERMIT everything else access-list 101 permit ip any any access-list 102 permit ip 12.70.58.128 0.0.0.127 any access-list 102 permit ip host 12.89.208.122 any access-list 102 deny ip any any dialer-list 1 protocol ip permit ! ! ! ! ! banner exec ^CC You have entered $(hostname).$(domain) on line $(line) ($(line-desc)) ^C ! line con 0 exec-timeout 0 0 stopbits 1 flowcontrol software line aux 0 line vty 0 4 password 7 000B03030A4D06151D2E4F451A login ! ntp clock-period 17181129 ntp server 192.83.249.28 ntp server 204.74.68.55 ntp server 216.27.190.202 ! end
Your first issue is that your serial interface to your provider is down, meaning the logical interface is down, meaning you will not be able to ping it. As to your other issue, I'm thinking it could be an ACL but I'm not totally sure yet. Can you source the ping from the
10.0.0.1 interface by typing ping, then enter, then pick the destination IP, and when it asks you for extended commands type yes and use 10.0.0.1 as the source interface. I don't think this will work either, but I'm wondering if that deny echo in ACL 101 is stopping it. I would consider yanking 101 for a minute to see what happens and make sure that is not what is blocking the ping. The only other thing could be the NAT itself, but a router should use its closest logical interface as the source for a ping, and therefore it really can't be a routing issue. So, fix the serial for starters, take off ACL 101 off the f0/0 interface and do the ping test, if that don't work, put it back, hopefully by then me or someone else will have some more ideas for f0/0.
to yank out I presume in configuring that interface I type no ip access-group 101 in
and then to put it back in just the opposite?
"ip access-group 101 in" will activate ACL
You have to do it in interface configuration. To see whether you're in the right context have a look at your prompt. It should look like
CISCO2(config-if)#
CISCO2#sho ip int brief Interface IP-Address OK? Method Status Protocol FastEthernet0/0 12.70.58.129 YES manual up up Serial0/0 12.89.208.122 YES NVRAM up down FastEthernet0/1 10.0.0.1 YES NVRAM up up
ATT hasn't turned on the T1 yet, but why is the method for F0/0 listed as manual, and what does it mean?
It means that it is up as a result of a CLI change, and did not come up because it was set that way in NVRAM. If you do a write mem and reboot, it will come up as NVRAM. I'm not sure how long it stays manual or if it only changes on boot, never really watched it that closely. Can you ping everything now, except for that serial interface of course which will stay up/down until the circuit comes up?
I did a wr mem, but did not reboot, that explains it. Thanks for the help.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.