Problem with Site-to-site tunnel with IVT6 lab

dada
Level 1

Hello,

I finally have all the information to create a tunnel with the IVT CUCM11 Lab. The tunnel looks active, but I'm not able to contact the machines in the lab.

IPT-sandbox#ping 10.10.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

IPT-sandbox#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
64.103.26.60    XXX.XXX.XXX.XXX  QM_IDLE           2307 ACTIVE

IPv6 Crypto ISAKMP SA

IPT-sandbox#show crypto ipsec sa
interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr XXX.XXX.XXX.XXX

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer 64.103.26.60 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
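The counters in that output are the key diagnostic: the ISAKMP SA is ACTIVE and "#pkts encaps" climbs while "#pkts decaps" stays at 0, so the router is encrypting traffic towards the peer and never receives anything back. That is the signature of a problem on the remote side (routing, crypto ACL or, as in the accepted solution below, a NAT rule translating the return traffic before it reaches the tunnel). The script below is an added example, not code from the original post and not a Cisco tool: it parses "show crypto ipsec sa" text and classifies each SA's counter pattern. The first sample embedded in it is the thread's own output (public IP masked as in the post); the "healthy" sample is a constructed counterpart, and all function names are my own.

```python
"""Triage `show crypto ipsec sa` counters for a one-way IPsec tunnel.

Added example for the thread above; not the poster's code and not a Cisco tool.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class IpsecSa:
    local_ident: str   # e.g. "192.168.204.0/24 proto 0 port 0"
    remote_ident: str
    peer: str
    encaps: int        # packets this side encrypted and sent
    decaps: int        # packets received from the peer and decrypted
    send_errors: int
    recv_errors: int


_IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
_PEER_RE = re.compile(r"current_peer ([\d.]+) port (\d+)")
_ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
_ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def mask_to_prefixlen(mask: str) -> int:
    """255.255.0.0 -> 16, rejecting malformed or non-contiguous masks."""
    bits = "".join(f"{int(octet):08b}" for octet in mask.split("."))
    if len(bits) != 32 or "01" in bits:
        raise ValueError(f"malformed netmask: {mask}")
    return bits.count("1")


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """One IpsecSa per SA entry; IOS starts each entry with the 'local ident' line."""
    sas: list[IpsecSa] = []
    for chunk in re.split(r"(?=^\s*local\s+ident)", text, flags=re.MULTILINE):
        idents = {}
        for side, addr, mask, proto, port in _IDENT_RE.findall(chunk):
            idents[side] = f"{addr}/{mask_to_prefixlen(mask)} proto {proto} port {port}"
        if "local" not in idents or "remote" not in idents:
            continue  # interface / crypto-map header before the first entry
        peer, enc, dec, err = (r.search(chunk) for r in (_PEER_RE, _ENCAPS_RE, _DECAPS_RE, _ERR_RE))
        if not (peer and enc and dec and err):
            raise ValueError("SA entry is missing peer or counter lines; paste the full output")
        sas.append(IpsecSa(idents["local"], idents["remote"], peer.group(1),
                           int(enc.group(1)), int(dec.group(1)),
                           int(err.group(1)), int(err.group(2))))
    return sas


def diagnose(sa: IpsecSa) -> tuple[str, str]:
    """Classify the encaps/decaps pattern and say where to look next."""
    if sa.encaps == 0 and sa.decaps == 0:
        return ("no-traffic",
                f"nothing enters the tunnel here: traffic must match local ident {sa.local_ident} "
                "and must not be translated by 'ip nat inside source' before the crypto map sees it")
    if sa.decaps == 0:
        return ("one-way-outbound",
                f"we encrypt towards {sa.peer} but decrypt nothing back: the peer is not putting "
                f"{sa.remote_ident} -> {sa.local_ident} into the tunnel; check its NAT exemption, "
                "its route to our LAN and its crypto ACL (the thread's case: wrong NAT on the ASA)")
    if sa.encaps == 0:
        return ("one-way-inbound",
                "we decrypt but never send: local routing or NAT steers replies away from the tunnel")
    return ("bidirectional", "traffic flows both ways; look at host firewalls or ACLs beyond the tunnel")


def report(text: str) -> list[str]:
    """One human-readable line per SA, error counters included."""
    lines = []
    for sa in parse_ipsec_sa(text):
        verdict, hint = diagnose(sa)
        lines.append(f"{sa.local_ident} <-> {sa.remote_ident} via {sa.peer}: "
                     f"encaps={sa.encaps} decaps={sa.decaps} "
                     f"send_err={sa.send_errors} recv_err={sa.recv_errors} => {verdict}: {hint}")
    return lines


# The output posted in the thread (public IP masked as in the post).
THREAD_OUTPUT = """\
interface: FastEthernet4
    Crypto map tag: FastEthernet4-head-0, local addr XXX.XXX.XXX.XXX

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.204.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   current_peer 64.103.26.60 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# Constructed counterpart: same SA, but return traffic from the peer is being decrypted.
HEALTHY_OUTPUT = THREAD_OUTPUT.replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                                       "#pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38")

if __name__ == "__main__":
    # Pipe real output in (ssh router 'show crypto ipsec sa' | python3 triage.py), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else THREAD_OUTPUT
    for line in report(text):
        print(line)
```

The check is deliberately local-side only: with "one-way-outbound" the router has done its part, and the fix is on the peer. On an ASA hub the usual cause of this pattern is a missing or wrong NAT exemption (identity NAT) for traffic between the lab subnet and the remote LAN, so the replies get translated to the outside address and no longer match the crypto ACL, which is exactly what the accepted solution reports.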

Accepted Solution

Hi,

This issue is resolved. Incorrect NAT statement on the ASA side.

Regards,

Joe


jokearns1
Cisco Employee

Hi,

Can you try the command "ping 10.10.20.1 source vlan1"

Joe

Hi,

IPT-sandbox#ping 10.10.20.1 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.204.254
.....
Success rate is 0 percent (0/5)

And I also tried with a laptop behind the router.

Do you want me to send you the config?

Yes. Please attach it here but remove the public IP, group/key entries and usernames.

Joe

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2016.03.08 10:45:29 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...

Current configuration : 6673 bytes
!
! Last configuration change at 08:13:21 UTC Tue Mar 8 2016 by XXXXXXXX
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IPT-sandbox
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-701638184
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-701638184
 revocation-check none
 rsakeypair TP-self-signed-701638184
!
 quit
ip cef
!
!
!
ip dhcp excluded-address 192.168.204.1 192.168.204.210
ip dhcp excluded-address 192.168.204.254
!
ip dhcp pool SDM-POOL
 network 192.168.204.0 255.255.255.0
 default-router 192.168.204.254
 domain-name abc.inc
 dns-server 10.10.10.1
 option 150 ip 10.10.20.1
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip inspect udp idle-time 180
ip inspect tcp synwait-time 180
ip inspect name FromExternal udp
ip inspect name FromExternal tcp
ip inspect name FromExternal icmp
ip inspect name FromExternal ftp
ip inspect name ToExternal udp
ip inspect name ToExternal tcp
ip inspect name ToExternal icmp
ip inspect name ToExternal ftp
no ipv6 cef
!
!
license udi pid C881W-E-K9 sn FCZ1838C1TQ
!
!
username XXXXXXXXXXX privilege 15 secret 5 $1$e
username XXXXXXXXXXX privilege 15 secret 5 $1$h
!
!
!
!
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
!
!
!
!
!
crypto ipsec client ezvpn ivt
 connect auto
 group myTUNNEL key XXXXXXX
 mode network-extension
 peer 64.103.26.60
 username XXXXXX password XXXXXXX
 xauth userid mode local
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description WAN
 ip address XXX.XXX.XXX.XXX 255.255.255.240
 ip access-group FromExternal in
 ip access-group ToExternal out
 ip nat outside
 ip inspect FromExternal in
 ip inspect ToExternal out
 ip virtual-reassembly in
 no ip route-cache cef
 duplex auto
 speed auto
 crypto ipsec client ezvpn ivt
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.204.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1300
 crypto ipsec client ezvpn ivt inside
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface FastEthernet4 overload
ip nat inside source route-map EZVPN interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
ip access-list extended FromExternal
 permit udp any any eq isakmp
 permit tcp any any eq 4500
 permit ahp any any
 permit esp any any
 permit gre any any
 permit icmp any any
 permit udp any any eq non500-isakmp
 permit tcp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq 22
 permit icmp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
 permit tcp host 64.103.37.6 host XXX.XXX.XXX.XXX
 permit udp host 64.103.37.6 host XXX.XXX.XXX.XXX
 permit icmp host 64.103.37.6 host XXX.XXX.XXX.XXX
 deny   ip any any log
ip access-list extended NAT
 permit ip 192.168.125.0 0.0.0.255 any
ip access-list extended ToExternal
 permit icmp any any log
 permit ip any any
!
no cdp run
!
route-map EZVPN permit 10
 match ip address 100
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

IPT-sandbox#

Is this your own router or was this sent out to you by one of the sandbox team?

Joe

Our own router, bought specially for Cisco sandbox Labs. I think it's the third at least.

I will be available in about 30 mins for a webex if you wish. There seems to be a lot of configuration on that router that we do not need. Can you get a console to it (or telnet) and you can share the screen on the call?

Joe

Hello Joe,

OK, no problem for a webex.

I sent the webex details to your personal email. I am on the bridge now.

Joe
