Can ping from router but unable to ping from client machines

Hi All,
I am having a weird issue with my Cisco 7200 router. From the router I am able to ping and reach out to the internet, but from the client I am able to reach out to the internet but unable to ping. I am not sure where the issue is, but when I traceroute to it my packets are dropped at my router's interface. All my pings from the client time out. I checked the access list to make sure ICMP is not blocked.

Following is my running conf:

ip audit notify log
ip audit po max-events 100
ip ssh break-string ~
ipv6 unicast-routing
no ftp-server write-enable
!
no scripting tcl init
no scripting tcl encdir
!
no voice hpi capture buffer
no voice hpi capture destination
!
interface Loopback0
 description *** abc ***
 ip address 192.168.2.2 255.255.255.255
!
interface FastEthernet0/0
 description * Connection to officeswitch *
 ip address 10.0.2.1 255.255.255.240
 duplex full
 speed 100
 ipv6 rip abc enable
 no ipv6 mfib fast
!
interface FastEthernet0/1
 description * ISP1 *
 ip address 172.16.17.2 255.255.255.248
 ip access-group ISP1-IN in
 ip access-group ISP1-OUT out
 ip route-cache flow
 duplex full
 speed auto
!
interface Serial3/0
 description * ISP2 *
 ip address 10.23.21.2 255.255.255.252
 ip access-group Verio-IN in
 ip access-group Verio-OUT out
 ip route-cache flow
 serial restart-delay 0
!
interface Serial3/1
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial3/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 00000
 log-adjacency-changes
 network 192.168.0.0 0.0.31.255 area 0
 default-information originate
!
router bgp 00000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.0.0.0 mask 255.255.224.0
 aggregate-address 192.168.0.0 255.255.224.0 summary-only
 no auto-summary
!
ip classless
ip flow-export source Loopback0
ip flow-export version 5
ip flow-aggregation cache protocol-port
 enabled
!
ip flow-aggregation cache prefix
 enabled
!
no ip http server
no ip http secure-server
!
ip as-path access-list 5 permit ^$
ip as-path access-list 5 deny .*
ip as-path access-list 10 permit ^$
ip as-path access-list 20 permit ^00000
ip as-path access-list 30 permit ^00000
ip as-path access-list 30 permit ^00000
ip as-path access-list 30 permit ^00000
ip as-path access-list 30 permit ^00000
!
!
ip access-list standard Access
 permit 192.168.0.0 0.0.31.255
 deny any log
!
ip access-list extended ISP1-IN
 permit tcp host 192.168.1.2 any eq www log
 permit icmp any any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny tcp any any eq ftp log
 deny tcp any any eq smtp log
 deny tcp any any eq 443 log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
ip access-list extended ISP1-OUT
 permit icmp any any log
 permit ip any any
ip access-list extended ISP2-IN
 permit icmp any any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny tcp any any eq ftp log
 deny tcp any any eq smtp log
 deny tcp any any eq 443
 deny ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
ip access-list extended ISP2-OUT
 permit ip any any
 permit icmp any any
logging trap debugging
logging source-interface Loopback0
snmp-server community apricot RO 1
snmp-server trap-source Loopback0
snmp-server location 101 S Ellsworth Ave Suite 350
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
snmp-server enable traps envmon fan shutdown supply temperature
snmp-server enable traps bgp
redistribute static
!
!
route-map ISP1PATH permit 5
 match as-path 30
!
route-map ISP1PATH permit 10
 match as-path 20
 set as-path prepend 00000
!
route-map SETPATH permit 10
 match as-path 10
 set as-path prepend 00001
!

I will appreciate any input to help me solve this problem.
 
"I am able to reach out to the internet but unable to ping"

Ping is not required to have connectivity; it is only a test & traceroute tool.

From the client, get a command prompt (or in Linux a Terminal) and use nslookup google.com
If it returns the IP address of Google, then you can ignore the ping problem.
 
Thanks for your reply. I understand ping is not required for connectivity, but it's the quickest way to troubleshoot connectivity from client to internet. Plus you can't traceroute, which provides the exact location of where the packages are dropping, which helps in narrowing down the problem while troubleshooting. Do you see anything in my conf which might be blocking the ICMP (ping)?
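
Added example, not part of any post in this thread: a small first-match evaluator run over the ISP1-IN and ISP1-OUT lists from the posted config, to check whether those entries stop a client's echo request or its reply. The helper names (`parse`, `take_addr`, `evaluate`) and the packet addresses are constructed for illustration, and only the `any` / `host` / wildcard / `eq` forms that appear in the post are modelled.

```python
import ipaddress

# ACL text copied from the config posted in the thread ("log" kept, ignored when matching).
CONFIG = """\
ip access-list extended ISP1-IN
 permit tcp host 192.168.1.2 any eq www log
 permit icmp any any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny tcp any any eq ftp log
 deny tcp any any eq smtp log
 deny tcp any any eq 443 log
 deny ip 192.168.0.0 0.0.255.255 any log
 permit ip any any
ip access-list extended ISP1-OUT
 permit icmp any any log
 permit ip any any
"""
PORTS = {"ftp": "21", "smtp": "25", "www": "80"}  # IOS keyword -> port number

def parse(config):
    """Return {acl name: [entry token lists]} for named extended ACLs."""
    acls, cur = {}, None
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(tok[3], [])
        elif tok[:1] in (["permit"], ["deny"]) and cur is not None:
            cur.append(tok)
    return acls

def take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, rest)."""
    if tok[0] == "any":
        return 0, 0xFFFFFFFF, tok[1:]
    if tok[0] == "host":
        return int(ipaddress.IPv4Address(tok[1])), 0, tok[2:]
    return int(ipaddress.IPv4Address(tok[0])), int(ipaddress.IPv4Address(tok[1])), tok[2:]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; falling off the end is the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for entry in acl:
        snet, swild, rest = take_addr(entry[2:])
        dnet, dwild, rest = take_addr(rest)
        port = PORTS.get(rest[1], rest[1]) if rest[:1] == ["eq"] else None
        if (entry[1] in ("ip", proto) and (s | swild) == (snet | swild)
                and (d | dwild) == (dnet | dwild) and port in (None, str(dport))):
            return entry[0], " ".join(entry)
    return "deny", "implicit deny"

ACLS = parse(CONFIG)  # packets passed to evaluate() are constructed samples
```

Calling `evaluate(ACLS["ISP1-OUT"], "icmp", "192.168.1.1", "8.8.8.8")` and the reverse direction against `ISP1-IN` both land on `permit icmp any any log`, so the posted ISP1 lists do not drop the ping. The same function shows which entry denies other constructed traffic, such as inbound TCP to port 443.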
 
Let's be clear:

case A: client a <--> client b on your router should ping correctly and if not then the NIC or FW on those systems needs investigation.

case B: client a -->ping or tracert to a website like google.com should work

case C: ping from me to your router is configurable as to if you want your router to respond

case D: ping from me to some client x attached to your router should always fail

my tracert (the PC name) to techspot is attached
 

All clients inside our LAN, that is xyz.com, can ping each other (e.g. can ping from 192.168.1.1 <---> 192.168.1.255 or any IP in our IP block). But it fails when I ping outside our IP block or domain (e.g. 192.168.1.1 --> 8.8.8.8 google public IP). I can't tracert/traceroute to outside public IPs. We don't have a firewall, just a couple of rules in the access list which I have included in my post at the beginning. Hope I was able to elaborate this better. Thanks for replying!!
 
Actually that's not true at all. Pings are never blocked to these as they are public DNS. You can verify this if you want to ;)
Google DNS was just something I used as an example. I am unable to ping any public WAN IP to make it shorter. Any thoughts?
 
Let's slow down a bit. Your problem is client ping/traceroute crossing the gateway router.
Both of these use the ICMP protocol (i.e., not related to ports).

ICMP is described here

Your router/firewall needs to allow ICMP Type 8 (ping) and apparently Type 30.
To allow error replies, also include Type 3.

By carefully reading the Traceroute Protocol here, you can see what needs to be done.
 
We don't have a firewall and instead we use access lists to block the traffic. Currently I don't have any access control rules applied that may block ICMP traffic. Any clue?
 
Yes, I mentioned the FW to highlight components "of interest" to your problem.

Your config looks good to me, but I'm not a Cisco guy. Perhaps this blog might give you some insight.
 
Btw: all those cfg rules are FIREWALL settings, e.g.:
deny tcp any any eq ftp log
deny tcp any any eq smtp log
deny tcp any any eq 443
 
Thank you guys. I figured out it required some changes in the access control list on both the layer 3 server and the router. Seems to be working now :)
 
Super. Why not share the new router config for those that might follow?
 