11-20-2013 12:04 PM - edited 03-07-2019 04:42 PM
Hi Everyone,
I hope I will get some help here, or at least a direction.
I am configuring a Cisco 881 router with a Layer-3 switch SG500-52, with the following VLAN configuration:
Vlan1: 192.168.10.0/24
Vlan2: 192.168.0.0/24
Problem: for some reason I can't ping google.ca from the switch:
switch013294#ping google.ca
Pinging google.ca (74.125.225.215) with 18 bytes of data:
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
PING: no reply from 74.125.225.215
PING: timeout
----74.125.225.215 PING Statistics----
4 packets transmitted, 0 packets received, 100% packet loss
switch013294#tracero ip google.ca
Tracing the route to google.ca (74.125.225.215) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
2 * * *
3 *
Trace aborted.
I can ping the router's public IP but not the router's public gateway from the switch (from the router I can ping
switch013294#tracero ip 24.XX.XX.XXX
Tracing the route to 24.XX.XX.XX (24.XX.XX.XXX) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
Trace complete.
switch013294#tracero ip 24.XX.XX.1
Tracing the route to 24.XX.XX.1 (24.XX.XX.1) from , 30 hops max, 18 byte packets
Type Esc to abort.
1 192.168.10.1 (192.168.10.1) <20 ms <20 ms <20 ms
2 * * *
3 * *
Trace aborted.
NAT Debug:
I have also tested with debug ip nat and it shows the following:
Tried pinging from the switch:
Nov 18 04:16:55.794: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [2206]
Nov 18 04:16:55.866: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13679]
Nov 18 04:16:58.034: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [37854]
Nov 18 04:16:58.114: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13680]
Tried pinging from a host on Vlan-2:
Nov 18 04:20:30.862: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23980]
Nov 18 04:20:30.958: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [40901]
Nov 18 04:20:31.122: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23981]
Nov 18 04:20:31.194: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [3341]
Router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 24.xx.xx.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 24.xx.xx.1
24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 24.xx.xx.0/24 is directly connected, FastEthernet4
L 24.XX.XX.XXx/32 is directly connected, FastEthernet4
S 192.168.0.0/24 [1/0] via 192.168.10.2
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan1
L 192.168.10.1/32 is directly connected, Vlan1
switch013294#show ip route
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled
Codes: > - best, C - connected, S - static
S 0.0.0.0/0 [1/1] via 192.168.10.1, 01:21:05, vlan 1
C 192.168.0.0/24 is directly connected, vlan 2
C 192.168.10.0/24 is directly connected, vlan 1
C 192.168.30.0/24 is directly connected, vlan 3
Router Running Config:
Router#sh running-config
Building configuration...
Current configuration : 9565 bytes
!
! Last configuration change at 14:11:21 PCTime Mon Nov 18 2013 by XXXXXXX
! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX
version 15.1
parser view CCP_EasyVPN_Remote
secret 5 $1$xXXT$at0nd7EXXX8s7iXNd5bJ1
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all access-list
commands configure include all ip nat
commands configure include ip dns server
commands configure include ip dns
commands configure include all interface
commands configure include all identity policy
commands configure include identity profile
commands configure include identity
commands configure include all dot1x
commands configure include all ip domain lookup
commands configure include ip domain
commands configure include ip
commands configure include all crypto
commands configure include all aaa
commands configure include no end
commands configure include all no access-list
commands configure include all no ip nat
commands configure include no ip dns server
commands configure include no ip dns
commands configure include all no interface
commands configure include all no identity policy
commands configure include no identity profile
commands configure include no identity
commands configure include all no dot1x
commands configure include all no ip domain lookup
commands configure include no ip domain
commands configure include no ip
commands configure include all no crypto
commands configure include all no aaa
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all terminal width
commands exec include all terminal length
commands exec include terminal
commands exec include all show
commands exec include all debug appfw
commands exec include all debug ip inspect
commands exec include debug ip
commands exec include debug
commands exec include all clear
commands exec include no
!
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authentication login ciscocp_vpn_xauth_ml_4 local
aaa authentication login ciscocp_vpn_xauth_ml_5 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
aaa authorization network ciscocp_vpn_group_ml_5 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -6 0
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3187996699
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3187996699
revocation-check none
rsakeypair TP-self-signed-3187996699
!
!
crypto pki certificate chain TP-self-signed-3187996699
certificate self-signed 01
quit
ip source-route
!
!
!
!
!
ip cef
ip domain name int.ccs-sk.ca
ip name-server XX.87.XXX.4
ip name-server XX.87.XXX.5
ip name-server 192.168.0.5
ip port-map user-protocol--1 port tcp 587
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL171020FH
!
!
username XXXXX privilege 15 secret 4 4TdGW32lppiywk7GXXXXXXqppUKotcC3qw35q7NbGx0o
username XXXXXX privilege 15 view CCP_EasyVPN_Remote secret 4 Cq2gROSp/6XXXXXXXSIjyGphSJe9KdkL/kxeMwZuIv6
username XXXX privilege 15 secret 4 qPLpXkgs4XXXXXZlVZcI/oxNuuXXXXXXtFwRblxZs
!
!
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 103
match protocol smtp
!
zone security Outside
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ccsvpn
key Logmein123
dns 192.168.0.5 65.87.230.4
domain int.ccs-sk.ca
pool SDM_POOL_1
acl 101
max-users 25
netmask 255.255.255.0
!
crypto isakmp client configuration group ccsvpn1
key Logmein123
dns 192.168.0.5 65.87.230.4
domain int.ccs-sk.ca
pool SDM_POOL_1
acl 102
max-users 25
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-2
match identity group ccsvpn1
client authentication list ciscocp_vpn_xauth_ml_5
isakmp authorization list ciscocp_vpn_group_ml_5
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile2
set security-association idle-time 43200
set transform-set ESP-3DES-SHA4
set isakmp-profile ciscocp-ike-profile-2
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface FastEthernet0
description Internal
switchport mode trunk
no ip address
spanning-tree portfast
!
interface FastEthernet1
switchport trunk native vlan 3
switchport mode trunk
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp client-id FastEthernet4
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security Outside
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
router rip
version 2
network 24.0.0.0
network 192.168.10.0
no auto-summary
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.25
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 24.XX.XX.1
ip route 192.168.0.0 255.255.255.0 192.168.10.2
!
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.30.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.0.100
access-list 104 remark SMTP
access-list 104 remark CCP_ACL Category=64
access-list 104 remark Mail SMTP
access-list 104 permit tcp host 24.XX.XX.159 eq smtp 192.168.0.0 0.0.0.255 eq smtp established log
access-list 107 remark outsideSMTP
access-list 107 remark CCP_ACL Category=16
access-list 107 remark SMTP
access-list 107 permit tcp any eq smtp 192.168.0.0 0.0.0.255 eq smtp established log
access-list 112 permit ip 192.168.0.0 0.0.255.255 any log
!
!
!
!
route-map outside permit 10
match ip address 112
set ip default next-hop 24.XX.XX.1
!
!
!
!
line con 0
password Marketel123
no modem enable
line aux 0
line vty 0 4
password Marketel123
transport input all
!
ntp update-calendar
ntp server 192.168.0.5 prefer source FastEthernet0
end
Router#
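A consistency check between the two routing tables and the NAT access-list quoted in the post, added here as an example (not the poster's or Cisco's code): for each subnet connected to the SG500 it reports whether the 881's access-list 2 would NAT it and whether the 881 has a return route to it other than the default. The sample tables are copied from the post; the masked public octets are left as posted and simply do not parse, and the 192.168.30.0/24 result shows a subnet that is NATed on the way out but has no route back from the router.

```python
import ipaddress
import re

# Constructed from the 'show ip route' output and access-list 2 quoted in the
# post; masked public octets (xx) are kept as posted and fail to parse, so those lines are ignored.
ROUTER_ROUTES = """
S* 0.0.0.0/0 [1/0] via 24.xx.xx.1
C 24.xx.xx.0/24 is directly connected, FastEthernet4
S 192.168.0.0/24 [1/0] via 192.168.10.2
C 192.168.10.0/24 is directly connected, Vlan1
"""
SWITCH_ROUTES = """
S 0.0.0.0/0 [1/1] via 192.168.10.1, 01:21:05, vlan 1
C 192.168.0.0/24 is directly connected, vlan 2
C 192.168.10.0/24 is directly connected, vlan 1
C 192.168.30.0/24 is directly connected, vlan 3
"""
NAT_ACL = """
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.255.255
"""
PREFIX_RE = re.compile(r"^\s*(\S+)\s+(\d+(?:\.\d+){3}/\d+)")
ACL_RE = re.compile(r"^access-list \d+ permit (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})")

def parse_prefixes(table):
    """Map every parseable IPv4 prefix in a 'show ip route' dump to its route code."""
    found = (PREFIX_RE.match(line) for line in table.splitlines())
    return {ipaddress.ip_network(m.group(2)): m.group(1) for m in found if m}

def nat_covers(acl_text, net):
    """Cisco wildcard: a 1 bit is 'don't care'. The subnet is fully covered when
    its fixed bits equal the ACL base and all of its host bits are don't-care bits."""
    for m in filter(None, map(ACL_RE.match, acl_text.splitlines())):
        base, wild = (int(ipaddress.ip_address(g)) for g in m.groups())
        care = 0xFFFFFFFF ^ wild
        if (int(net.network_address) & care) == (base & care) and (int(net.hostmask) & care) == 0:
            return True
    return False

def has_return_route(router_routes, net):
    """True if a non-default router prefix contains `net`; with only the default
    route, de-translated replies are never delivered back toward the switch."""
    return any(p.prefixlen and net.subnet_of(p) for p in router_routes)

def audit(router_table, switch_table, nat_acl):
    """Per switch-connected subnet: (NATed?, return route?). (True, False) is a black hole."""
    router = parse_prefixes(router_table)
    return {str(n): (nat_covers(nat_acl, n), has_return_route(router, n))
            for n, code in parse_prefixes(switch_table).items() if code == "C"}
```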