allow PING from outside to router vlan interface

Discussion in 'Cisco' started by jh0u@hotmail.com, Oct 23, 2008.

  1. Guest

    Hi,

    I am currently baffled as to why outside users cannot ping my router
    interface. I have a point-to-point link with my provider and I have
    configured it under a VLAN and assigned that VLAN ID to a switchport.
    Everything works great except that my p2p IP is not pingable from the
    outside world. I would like to make my p2p IP pingable; I have tried
    creating an ACL with permit ip any any and permit icmp any any as well
    and applied it to the VLAN interface to no avail.

    Any ideas?

    thanks
    , Oct 23, 2008
    #1

  2. Trendkill Guest

    On Oct 23, 2:20 pm, wrote:
    > Hi,
    >
    > I am currently baffled as to why outside users cannot ping my router
    > interface. I have a point-to-point link with my provider and I have
    > configured it under a VLAN and assigned that VLAN ID to a switchport.
    > Everything works great except that my p2p IP is not pingable from the
    > outside world. I would like to make my p2p IP pingable; I have tried
    > creating an ACL with permit ip any any and permit icmp any any as well
    > and applied it to the VLAN interface to no avail.
    >
    > Any ideas?
    >
    > thanks


    Take out the IPs and ID/Passwords and paste your config.
    Trendkill, Oct 23, 2008
    #2

  3. Guest

    en
    Password:
    2811#sh run
    Building configuration...

    Current configuration : 5658 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname 2811
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 x
    enable password 7 1c
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    ip cef
    !
    !
    ip domain name yourdomain.com
    !
    !
    !
    crypto pki trustpoint TP-self-signed-280490789
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-280490789
     revocation-check none
     rsakeypair TP-self-signed-280490789
    !
    !
    crypto pki certificate chain TP-self-signed-280490789

      quit
    username admin secret xxxxxxxxxxx
    !
    !
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     lifetime 28800
    crypto isakmp key 6 xxxxxxxx address 1.1.1.1
    !
    !
    !
    interface FastEthernet0/0
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/0.5
     encapsulation dot1Q 5
     ip address xxxxxxxx 255.255.255.224
     ip policy route-map to_x
     no snmp trap link-status
    !
    interface FastEthernet0/1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet0/1.4
     encapsulation dot1Q 4
     ip address xxxxxxxxx 255.255.255.240
     ip policy route-map t_x
     no snmp trap link-status
    !
    interface FastEthernet0/0/0
     description xx
     switchport access vlan 100
    !
    interface FastEthernet0/0/1
     description x
     switchport access vlan 200
    !
    interface FastEthernet0/0/2
     shutdown
    !
    interface FastEthernet0/0/3
     shutdown
    !
    interface Vlan1
     no ip address
    !
    interface Vlan100
     ip address xxxxxxxx 255.255.255.252 - WAN ip
    !
    interface Vlan200
     ip address xxxxxxxxxxx 255.255.255.252 - WAN ip
    !
    ip classless
    !
    no ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    access-list 1 permit 10.10.0.0 0.0.255.255
    access-list 199 permit ip any any
    access-list 199 permit icmp any any
    access-list 199 permit icmp any any echo-reply
    snmp-server community xxxxxxx RO
    snmp-server community public RO
    route-map to_1 permit 10
     set ip default next-hop xxxxxxxx
    !
    route-map to_2 permit 10
     set ip default next-hop xxxxxxxx
    !
    !
    !
    control-plane
    !
    !
    banner exec ^C
    % Password expiration warning.
    -----------------------------------------------------------------------

    Cisco Router and Security Device Manager (SDM) is installed on this
    device and
    it provides the default username "cisco" for one-time use. If you
    have already
    used the username "cisco" to login to the router and your IOS image
    supports the
    "one-time" user option, then this username has already expired. You
    will not be
    able to login to the router with this username after you exit this
    session.

    It is strongly suggested that you create a new username with a
    privilege level
    of 15 using the following command.

    username <myuser> privilege 15 secret 0 <mypassword>

    Replace <myuser> and <mypassword> with the username and password you
    want to
    use.

    -----------------------------------------------------------------------
    ^C
    banner login ^C
    -----------------------------------------------------------------------
    Cisco Router and Security Device Manager (SDM) is installed on this
    device.
    This feature requires the one-time use of the username "cisco"
    with the password "cisco". The default username and password have a
    privilege level of 15.

    Please change these publicly known initial credentials using SDM or
    the IOS CLI.
    Here are the Cisco IOS commands.

    username <myuser> privilege 15 secret 0 <mypassword>
    no username cisco

    Replace <myuser> and <mypassword> with the username and password you
    want to use.

    For more information about SDM please follow the instructions in the
    QUICK START
    GUIDE for your router or go to http://www.cisco.com/go/sdm
    -----------------------------------------------------------------------
    ^C
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     password 7 xxxxxxxxxxxxxxx
     login local
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
     login local
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end
    2811#




    On Oct 24, 3:02 am, Trendkill <> wrote:
    > On Oct 23, 2:20 pm, wrote:
    > > Hi,
    > >
    > > I am currently baffled as to why outside users cannot ping my router
    > > interface. I have a point-to-point link with my provider and I have
    > > configured it under a VLAN and assigned that VLAN ID to a switchport.
    > > Everything works great except that my p2p IP is not pingable from the
    > > outside world. I would like to make my p2p IP pingable; I have tried
    > > creating an ACL with permit ip any any and permit icmp any any as well
    > > and applied it to the VLAN interface to no avail.
    > >
    > > Any ideas?
    > >
    > > thanks
    >
    > Take out the IPs and ID/Passwords and paste your config.
    , Oct 24, 2008
    #3
  4. Trendkill Guest

    On Oct 24, 5:43 am, wrote:
    > en
    > Password:
    > 2811#sh run
    > Building configuration...
    >
    > Current configuration : 5658 bytes
    > !
    > version 12.4
    > service timestamps debug datetime msec
    > service timestamps log datetime msec
    > service password-encryption
    > !
    > hostname 2811
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > logging buffered 51200 warnings
    > enable secret 5 x
    > enable password 7 1c
    > !
    > no aaa new-model
    > !
    > resource policy
    > !
    > ip subnet-zero
    > !
    > !
    > ip cef
    > !
    > !
    > ip domain name yourdomain.com
    > !
    > !
    > !
    > crypto pki trustpoint TP-self-signed-280490789
    >  enrollment selfsigned
    >  subject-name cn=IOS-Self-Signed-Certificate-280490789
    >  revocation-check none
    >  rsakeypair TP-self-signed-280490789
    > !
    > !
    > crypto pki certificate chain TP-self-signed-280490789
    >
    >   quit
    > username admin secret xxxxxxxxxxx
    > !
    > !
    > !
    > crypto isakmp policy 10
    >  encr 3des
    >  hash md5
    >  authentication pre-share
    >  lifetime 28800
    > crypto isakmp key 6 xxxxxxxx address 1.1.1.1
    > !
    > !
    > !
    > interface FastEthernet0/0
    >  no ip address
    >  duplex auto
    >  speed auto
    > !
    > interface FastEthernet0/0.5
    >  encapsulation dot1Q 5
    >  ip address xxxxxxxx 255.255.255.224
    >  ip policy route-map to_x
    >  no snmp trap link-status
    > !
    > interface FastEthernet0/1
    >  no ip address
    >  duplex auto
    >  speed auto
    > !
    > interface FastEthernet0/1.4
    >  encapsulation dot1Q 4
    >  ip address xxxxxxxxx 255.255.255.240
    >  ip policy route-map t_x
    >  no snmp trap link-status
    > !
    > interface FastEthernet0/0/0
    >  description xx
    >  switchport access vlan 100
    > !
    > interface FastEthernet0/0/1
    >  description x
    >  switchport access vlan 200
    > !
    > interface FastEthernet0/0/2
    >  shutdown
    > !
    > interface FastEthernet0/0/3
    >  shutdown
    > !
    > interface Vlan1
    >  no ip address
    > !
    > interface Vlan100
    >  ip address xxxxxxxx 255.255.255.252 - WAN ip
    > !
    > interface Vlan200
    >  ip address xxxxxxxxxxx 255.255.255.252- WAN ip
    > !
    > ip classless
    > !
    > no ip http server
    > ip http access-class 23
    > ip http authentication local
    > ip http secure-server
    > ip http timeout-policy idle 60 life 86400 requests 10000
    > !
    > access-list 1 permit 10.10.0.0 0.0.255.255
    > access-list 199 permit ip any any
    > access-list 199 permit icmp any any
    > access-list 199 permit icmp any any echo-reply
    > snmp-server community xxxxxxx RO
    > snmp-server community public RO
    > route-map to_1 permit 10
    >  set ip default next-hop xxxxxxxx
    > !
    > route-map to_2 permit 10
    >  set ip default next-hop xxxxxxxx
    > !
    > !
    > !
    > control-plane
    > !
    > !
    > banner exec ^C
    > % Password expiration warning.
    > -----------------------------------------------------------------------
    >
    > Cisco Router and Security Device Manager (SDM) is installed on this
    > device and
    > it provides the default username "cisco" for one-time use. If you
    > have already
    > used the username "cisco" to login to the router and your IOS image
    > supports the
    > "one-time" user option, then this username has already expired. You
    > will not be
    > able to login to the router with this username after you exit this
    > session.
    >
    > It is strongly suggested that you create a new username with a
    > privilege level
    > of 15 using the following command.
    >
    > username <myuser> privilege 15 secret 0 <mypassword>
    >
    > Replace <myuser> and <mypassword> with the username and password you
    > want to
    > use.
    >
    > -----------------------------------------------------------------------
    > ^C
    > banner login ^C
    > -----------------------------------------------------------------------
    > Cisco Router and Security Device Manager (SDM) is installed on this
    > device.
    > This feature requires the one-time use of the username "cisco"
    > with the password "cisco". The default username and password have a
    > privilege level of 15.
    >
    > Please change these publicly known initial credentials using SDM or
    > the IOS CLI.
    > Here are the Cisco IOS commands.
    >
    > username <myuser> privilege 15 secret 0 <mypassword>
    > no username cisco
    >
    > Replace <myuser> and <mypassword> with the username and password you
    > want to use.
    >
    > For more information about SDM please follow the instructions in the
    > QUICK START
    > GUIDE for your router or go to http://www.cisco.com/go/sdm
    > -----------------------------------------------------------------------
    > ^C
    > !
    > line con 0
    >  login local
    > line aux 0
    > line vty 0 4
    >  access-class 23 in
    >  privilege level 15
    >  password 7 xxxxxxxxxxxxxxx
    >  login local
    >  transport input telnet ssh
    > line vty 5 15
    >  access-class 23 in
    >  privilege level 15
    >  password 7 xxxxxxxxxxxxxxxxxxxxxxxxxx
    >  login local
    >  transport input telnet ssh
    > !
    > scheduler allocate 20000 1000
    > !
    > end
    > 2811#
    >
    > On Oct 24, 3:02 am, Trendkill <> wrote:
    > > On Oct 23, 2:20 pm, wrote:
    > > > Hi,
    > > >
    > > > I am currently baffled as to why outside users cannot ping my router
    > > > interface. I have a point-to-point link with my provider and I have
    > > > configured it under a VLAN and assigned that VLAN ID to a switchport.
    > > > Everything works great except that my p2p IP is not pingable from the
    > > > outside world. I would like to make my p2p IP pingable; I have tried
    > > > creating an ACL with permit ip any any and permit icmp any any as well
    > > > and applied it to the VLAN interface to no avail.
    > > >
    > > > Any ideas?
    > > >
    > > > thanks
    > >
    > > Take out the IPs and ID/Passwords and paste your config.


    Which physical interface is the internet/WAN coming in on? Why do the
    VLANs say WAN IP? Generally speaking, WAN/ISP comes in on a point-to-
    point, where the external interface (serial or Ethernet) shares a
    network segment with the upstream router. Based on your original
    post, you are using the VLANs and assigning them to physical
    interfaces, but I thought that 0/0/1 and 0/0/2 were the same physical
    interface.

    Also, I assume the p2p IP is in a public range and not a private
    range? If you do a traceroute into the network, where does it stop?
    It is entirely possible that the p2p is private, and the address range
    they give you behind it is public. The first two octets would help for
    all of these networks if you don't mind sharing.
    Trendkill, Oct 24, 2008
    #4
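An added example, not from the thread. Two things in the posted config are worth checking regardless of where the ping actually dies: access-list 199 is defined but no `ip access-group` appears under Vlan100 or Vlan200, and its first entry, `permit ip any any`, matches every packet, so the ICMP lines after it never take effect (IOS ACLs are first-match). The named ACL below, for the assumed WAN p2p interface Vlan100, permits only the ICMP types ping needs and leaves everything else to the implicit deny; the show commands afterwards confirm it is attached and counting hits.

```cisco
! Added example (not from the thread). Vlan100 is assumed to be the WAN p2p interface.
! Replaces the posted ACL 199, whose leading "permit ip any any" shadows its ICMP lines.
ip access-list extended WAN-IN
 remark pings to the router's p2p address, and replies to pings sent from inside
 permit icmp any any echo
 permit icmp any any echo-reply
 remark keep path-MTU and traceroute working
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark list the traffic this link must carry BEFORE applying the ACL, e.g. if IPsec is in use:
 remark   permit udp any host <p2p-ip> eq isakmp   /   permit esp any host <p2p-ip>
 remark anything not listed is dropped by the implicit deny at the end
!
interface Vlan100
 ip access-group WAN-IN in
!
! Checks: the interface must report the ACL as its inbound list, and the
! "permit icmp any any echo" entry should count hits while an outside host pings.
!   show ip interface Vlan100 | include access list
!   show ip access-lists WAN-IN
```

If the echo entry never counts hits, the packets are not reaching this interface at all, which points at the provider side or at the p2p address being private, as the reply above suggests.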
