Ping from Router

SF18C

Simple question I hope!

What would stop a router from being able to ping anything?

I cannot ping any IP addresses from my router, but other than that it seems to be working fine.

Here is my config:

Router#sh run
Building configuration...

Current configuration : 2016 bytes
!
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!

ip subnet-zero
ip domain-name aden.com
ip name-server 10.10.10.100
ip dhcp excluded-address 10.10.10.100
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
no ip address
ip nat outside
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXX
ppp chap password 7 XXXXX
ppp pap sent-username XXXX password 7 XXXX
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static 10.10.10.100 interface Dialer1
ip nat inside source static tcp 10.10.10.100 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.100 21 interface Dialer1 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
logging history debugging
logging trap debugging
logging source-interface Dialer1
logging 10.10.10.100
logging 10.10.10.5
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
banner incoming ^C Authorized Enrty Only ^C
banner login ^C Authorized Entry Only! ^C
banner motd ^C Authorized Entry Only! ^C
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
length 0
!
scheduler max-task-time 5000
end
 
Access List 102 states:

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

There is an implied deny all after that line. You would need to add a line to the access list to say permit icmp 10.10.10.0 0.0.0.255 any.

You should also see the ping getting denied. I see that you are syslogging to 2 machines on the inside of your network. You can use syslog to see where the icmp packets are getting dropped. You would see an entry in the log similar to this:

Dec 30 00:00:36 xxx.xxx.71.2 606725: 6w2d: %SEC-6-IPACCESSLOGDP: list internet-serial denied icmp 63.251.126.68 -> xxx.xxx.xxx.5 (8/0), 1 packet

Remember, syslog is your friend.
 
Can't say for sure just looking at your configs, but remember that unless you do an extended ping, the source IP of your ping will be the outgoing interface address. Sometimes it is necessary that you specify the source address (must be one of the router interfaces). And, of course, the target of the echo request must know a route back to that source address to properly formulate an ICMP reply.

rseals,

The access list was related to NAT and not applied to any interface. Also, when IP is permitted, ICMP is also permitted by default. You can specifically turn off ICMP and still have IP on, but the default is that ICMP is an integral part of IP and the two are considered to be one and the same.

Regards,

Scott
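
Added example, not part of the original posts: a small audit of the point made in the reply above, showing that ACL 102 is referenced only by NAT (no `ip access-group` binds it to an interface) and that a `permit ip` entry already matches ICMP. `CONFIG` is a constructed excerpt of the configuration posted in this thread; `acl_usage` and `first_match` are hypothetical helper names, and `first_match` checks only the protocol and source fields of numbered extended ACL entries.

```python
import re
from ipaddress import IPv4Address

# Constructed excerpt of the configuration posted in this thread.
CONFIG = """\
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface Dialer1
ip address negotiated
ip nat outside
!
ip nat inside source list 102 interface Dialer1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

def acl_usage(config):
    """Map each ACL to its references: 'nat', or 'filter:<interface>:<in|out>'."""
    usage, intf = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            intf = line.split()[1]
        elif line == "!":
            intf = None  # "!" closes the interface section
        if m := re.match(r"access-list (\d+) ", line):
            usage.setdefault(m.group(1), [])
        elif m := re.match(r"ip nat (?:inside|outside) source list (\S+) ", line):
            usage.setdefault(m.group(1), []).append("nat")
        elif (m := re.match(r"ip access-group (\S+) (in|out)$", line)) and intf:
            usage.setdefault(m.group(1), []).append(f"filter:{intf}:{m.group(2)}")
    return usage

def first_match(config, acl, proto, src):
    """Action of the first entry of extended ACL `acl` matching proto and source."""
    pattern = rf"access-list {acl} (permit|deny) (\S+) (any|host \S+|\S+ \S+)"
    for line in map(str.strip, config.splitlines()):
        m = re.match(pattern, line)
        if not m or m.group(2) not in (proto, "ip"):  # "ip" covers ICMP, TCP, UDP
            continue
        spec = m.group(3).split()
        if spec[0] == "any":
            return m.group(1)
        net, wild = (spec[1], "0.0.0.0") if spec[0] == "host" else spec
        diff = int(IPv4Address(src)) ^ int(IPv4Address(net))
        if (diff & ~int(IPv4Address(wild)) & 0xFFFFFFFF) == 0:  # wildcard bits are ignored
            return m.group(1)
    return "deny"  # implicit deny at the end of every ACL

if __name__ == "__main__":
    print(acl_usage(CONFIG))
    print(first_match(CONFIG, "102", "icmp", "10.10.10.5"))
```

An ACL whose usage list contains only `nat` selects traffic for translation and filters nothing; only a `filter:` entry means packets are being permitted or dropped by it.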

 
Thanks, I'll give those thoughts a try. I'm not sure changing the NAT ACL will do it, but I'll try.
 
I don't think changing the NAT ACLs will do anything either. But just be mindful of what IP address your outgoing interface winds up getting and make sure that your target has a route back to that IP. With your address negotiation, strange unexpected things can sometimes happen.
 
What are you trying to ping, first of all? A local subnet or a remote subnet? The first thing you need to do is a sh ip route and see if the network you are trying to ping is in the table. I don't see any routing protocols in your config. You do have a default route out your dialer interface, but whatever you are pinging needs to have a route back to you. If you are pinging from your local ether interface, you need to verify the IP address, gateway and subnet mask of the workstation/server on that interface.

show ip route and show ip arp are your friends. Make sure that whatever you are trying to ping knows how to get back to you.
 