
Why can't I ping internally on network with Cisco 871?


ktuimala

MIS
Jan 4, 2008
4
US
This is driving me insane. I used to use Linksys and Dlink, but due to their issues I decided to buy a Cisco 871. When I first set it up I was able to ping all the computers in my house connected to it. However, now I cannot. I can't figure out why. I have tried so many settings with no success that I am about to pull the old Linksys POS out of the closet and hook it up.

I am using the Cisco 871 as my DHCP server. It connects to my cable modem via the FastEthernet4 interface as DHCP with my ISP. I have NAT set up so all computers on my network can get to the internet. I had some external-to-internal NAT rules for UVNC, but have since removed them.

All PCs on my internal network have firewalls turned off by default (Why have individual firewalls?!?). I can ping my router (10.10.10.1) and I can ping my computer via its own IP address, but I can't ping any other IP address on my network. WHY!?!?!?!?!?!?

Here is my current config.....


Building configuration...

Current configuration : 6402 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$.OxT$oF1CLxm1yOJxNamsXr7Om/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
ip dhcp smart-relay
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
dns-server 24.213.60.93 68.115.71.53
default-router 10.10.10.1
!
ip dhcp pool N11108-2K2
host 10.10.10.10 255.255.255.0
client-identifier 0100.1de0.3747.b1
client-name N11108-2K2
!
ip dhcp pool kalebsnewbeast
host 10.10.10.11 255.255.255.0
client-identifier 0100.904b.ff0e.0c
client-name kalebsnewbeast
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 24.213.60.93
ip name-server 68.115.71.53
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4214358964
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4214358964
revocation-check none
rsakeypair TP-self-signed-4214358964
!
!
crypto pki certificate chain TP-self-signed-4214358964
certificate self-signed 01
quit
username admin privilege 15 secret 5 $1$8.Ra$8xj.xoQz5.Jf6kSKkuG6d.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
ssid we-net
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip default-gateway 10.10.10.1
ip classless
ip route 10.0.0.0 255.0.0.0 10.10.10.0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 68.115.71.53 eq domain any
access-list 101 permit udp host 24.213.60.93 eq domain any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

What the hell am I doing wrong!?!?!? How hard is it to ping internally? I can ping every website on the web, but can't ping my own computers by their IP addresses....

Also I can't even ping them by host name because the 871 wants to ask my ISP DNS servers for resolution of the host name, but that is for another topic.
 
Why is this there?

ip route 10.0.0.0 255.0.0.0 10.10.10.0

Also, are these computers Windows boxes? What does arp -a show? Are they all in the same domain (so you can try My Network Places)?

Burt
 
I don't know why ip route 10.0.0.0 255.0.0.0 10.10.10.0 is there. I never messed with the routes. I just kept them default with the 871 setup wizard.

arp -a output

Interface: 10.10.10.2 --- 0x5
Internet Address Physical Address Type
10.10.10.1 00-1e-13-9b-62-10 dynamic

Yes, they are all Windows-based PCs. I have Linux in a VM on my laptop, and it seems to have the same ping issues. I have the VM set up to get its own DHCP address from the network.

Before trying
interface BVI1
no access-group 100 in
I decided to run the SDM Firewall Basic wizard and had it merge the changes with my existing ACLs. After doing that I was instantly able to ping again. I am still confused why this happened and would like to know why.

Experts that you are, below is my config after the wizard made its changes to my ACLs. Can any of you tell from comparing the above config with this config, why I can now ping on my internal network but couldn't with the old config? I would like to know so I can fix it without such an obtuse method if it happens again.



 
Forgot to attach config...


Building configuration...

Current configuration : 6457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$.OxT$oF1CLxm1yOJxNamsXr7Om/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
ip dhcp smart-relay
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool1
import all
network 10.10.10.0 255.255.255.0
dns-server 24.213.60.93 68.115.71.53
default-router 10.10.10.1
!
ip dhcp pool N11108-2K2
host 10.10.10.10 255.255.255.0
client-identifier 0100.1de0.3747.b1
client-name N11108-2K2
!
ip dhcp pool kalebsnewbeast
host 10.10.10.11 255.255.255.0
client-identifier 0100.904b.ff0e.0c
client-name kalebsnewbeast
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 24.213.60.93
ip name-server 68.115.71.53
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4214358964
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4214358964
revocation-check none
rsakeypair TP-self-signed-4214358964
!
!
crypto pki certificate chain TP-self-signed-4214358964
certificate self-signed 01
quit
username admin privilege 15 secret 5 $1$8.Ra$8xj.xoQz5.Jf6kSKkuG6d.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
ssid we-net
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip default-gateway 10.10.10.1
ip classless
ip route 10.0.0.0 255.0.0.0 10.10.10.0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 68.115.71.53 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp host 24.213.60.93 eq domain any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 
It appears the only difference between the two is

Code:
access-list 101 permit udp any eq bootps any eq bootpc

which has been added to ACL 101 (which is inbound on your outside interface) on your amended config

...which wouldn't have affected pinging an internal host
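
The comparison made in the reply above, as an added example that is not part of the original thread: a Python script that lists the ACL entries that differ between two IOS configs and reports the interface and direction each affected ACL is applied to. The embedded configs are constructed excerpts of the two posted configs, and the function names are hypothetical.

```python
import re

# Constructed excerpt: interface bindings and ACL entries taken from the two
# configs posted in the thread (all other lines omitted).
HEAD = """\
interface FastEthernet4
 ip access-group 101 in
!
interface BVI1
 ip access-group 100 in
!
access-list 100 permit ip any any
access-list 101 permit udp host 68.115.71.53 eq domain any
"""
TAIL = """\
access-list 101 permit udp host 24.213.60.93 eq domain any
access-list 101 deny ip any any log
"""
BEFORE = HEAD + TAIL
AFTER = HEAD + "access-list 101 permit udp any eq bootps any eq bootpc\n" + TAIL


def acl_bindings(config):
    """Map ACL number -> [(interface, direction)] from 'ip access-group' lines."""
    bindings, iface = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif line == "!":
            iface = None  # '!' closes the interface block
        elif iface and (m := re.match(r"ip access-group (\d+) (in|out)$", line)):
            bindings.setdefault(m.group(1), []).append((iface, m.group(2)))
    return bindings


def acl_changes(before, after):
    """List (sign, acl, entry, bindings) for every ACL entry added or removed."""
    def entries(cfg):
        return [l.strip() for l in cfg.splitlines() if l.strip().startswith("access-list ")]
    old, new = entries(before), entries(after)
    bound = acl_bindings(after)
    diff = [("+", e) for e in new if e not in old]
    diff += [("-", e) for e in old if e not in new]
    return [(s, e.split()[1], e, bound.get(e.split()[1], [])) for s, e in diff]


if __name__ == "__main__":
    for sign, acl, entry, where in acl_changes(BEFORE, AFTER):
        print(sign, entry, "| applied at:", where or "no interface")
```

On the excerpts it reports a single added entry in ACL 101, bound inbound on FastEthernet4, while ACL 100 on BVI1 is unchanged.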

 