acl issue

shenmaia24
Level 1

Cisco C819G-LTE-LA-K9 (revision 6.0) with 883788K/33715K bytes of memory.
Processor board ID FGL212190NG
4 FastEthernet interfaces
1 Gigabit Ethernet interface
1 Serial(sync/async) interface
3 terminal lines
1 Virtual Private Network (VPN) Module
2 Cellular interfaces
DRAM configuration is 32 bits wide
255K bytes of non-volatile configuration memory.

 

 

Hi, I'm facing a problem pinging my core router from the laptop IP that is connected to the Cisco C819G-LTE-LA-K9.

From inside the Cisco router C819G-LTE-LA-K9, I am able to ping the core router.

From the laptop, I am able to ping the Cisco router's LAN connection on FastEthernet 0.

From the core router, I am able to ping the Cisco router.

From the core router, ping to the laptop IP fails.

When I do a tracert from the laptop to the core router IP, it gets stuck at the FastEthernet gateway IP.

* I already checked the laptop firewall; it is already turned off.

* The connection between the Cisco and my core router uses IPsec.

Below is my config

 

interface FastEthernet0
switchport access vlan 2
no ip address

 

interface Vlan2
description to laptop
ip address 10.60.107.222/30

 

My core router IP is 192.168.x.x/24

Please, someone guide me.

 

6 Replies

Deepak Kumar
VIP Alumni

Hi,

As per your below configuration:

below my config

interface FastEthernet0
switchport access vlan 2
no ip address

interface Vlan2
description to laptop
ip address 10.60.107.222/30

Where is the 192.168.x.x/24 configuration?

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi Deepak,

192.168.x.x/24 is my remote address (core router) that is connected to the Cisco router using IPsec. I'm able to ping the remote address from the Cisco. It only fails when pinging from the laptop to the remote IP (core router).

Hi,

Share your VPN ACL and NAT ACL configuration.

 

Regards,

Deepak Kumar


Below is the only ACL that I configured on my Cisco

 

VPN ACL

ip access-list extended cisco
permit ip host 20.0.0.110 any
permit ip 10.60.0.0 0.0.0.255 any
permit ip host 10.17.19.249 any

Hi,

 

ip access-list extended cisco
permit ip host 20.0.0.110 any
permit ip 10.60.0.0 0.0.0.255 any
permit ip host 10.17.19.249 any
PERMIT ip 10.60.107.220 0.0.0.3 any

Please add the missing ACL entry and try. I hope it will resolve the issue; otherwise, please share the full router configuration.

 

Regards,

Deepak Kumar

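Added example (not part of the thread and not any poster's code): a wildcard-mask check of the ACL entries quoted above against the laptop subnet, since traffic that a crypto map's "match address" ACL does not permit is not placed in the IPsec tunnel. It assumes the laptop is 10.60.107.221 (the other usable host on the Vlan2 /30) and uses 192.168.0.1 as a placeholder for the elided core router address; only "permit/deny ip" entries in host / any / address-wildcard form are handled.

```python
import ipaddress

# ACL exactly as posted in the thread.
ACL_POSTED = """\
permit ip host 20.0.0.110 any
permit ip 10.60.0.0 0.0.0.255 any
permit ip host 10.17.19.249 any
"""
# Same ACL plus the entry suggested in the reply.
ACL_SUGGESTED = ACL_POSTED + "permit ip 10.60.107.220 0.0.0.3 any\n"

def _take_addr(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as ints."""
    word = tokens.pop(0).lower()
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into match tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].lower() not in ("permit", "deny"):
            continue
        rest = tokens[2:]  # skip action and protocol keyword
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append((tokens[0].lower(), src, dst, line.strip()))
    return entries

def _hit(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; compare only the other bits."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def first_match(entries, src, dst):
    """Return (action, line) of the first matching entry, else implicit deny."""
    for action, s, d, line in entries:
        if _hit(src, s) and _hit(dst, d):
            return action, line
    return "deny", "(implicit deny)"

LAPTOP, CORE = "10.60.107.221", "192.168.0.1"  # assumed / placeholder values
if __name__ == "__main__":
    for name, acl in (("posted", ACL_POSTED), ("suggested", ACL_SUGGESTED)):
        print(name, first_match(parse_acl(acl), LAPTOP, CORE))
```

With the posted ACL, 10.60.0.0 0.0.0.255 covers only 10.60.0.0 through 10.60.0.255, so the laptop's source address falls through to the implicit deny; the /30 entry is the first one that matches it.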

Hi,

 

Still not working. After applying the config as advised, connectivity between the Cisco and the core router was lost.

Below is the full config

 

Building configuration...

 

 

Current configuration : 9982 bytes
!

!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname shen
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
!
!
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!


!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
lte sim data-profile 2 attach-profile 2 slot 1
lte failovertimer 1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
track 10 ip sla 10
delay down 150 up 150
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXX address XXXX
crypto isakmp nat keepalive 20
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set test esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map myalif 10 ipsec-isakmp
set peer XXXX
set transform-set alif
match address alif
!
dlsw local-peer peer-id 20.0.0.110
dlsw remote-peer 0 tcp 30.2.2.251
dlsw remote-peer 0 tcp 30.2.2.250
dlsw remote-peer 0 tcp 10.123.1.2
dlsw remote-peer 0 tcp 30.2.2.253
dlsw remote-peer 0 tcp 20.2.1.138
dlsw remote-peer 0 tcp 30.2.2.254
dlsw remote-peer 0 tcp 20.2.1.147
dlsw remote-peer 0 tcp 20.2.1.145
dlsw remote-peer 0 tcp 30.1.1.2
dlsw remote-peer 0 tcp 30.1.1.3
dlsw remote-peer 0 tcp 10.125.1.2
dlsw bridge-group 1
!
!
!
!
!
interface Loopback0
ip address 20.0.0.110 255.255.255.255
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
no ip route-cache cef
load-interval 60
dialer in-band
dialer pool-member 2
dialer-group 1
async mode interactive
!
interface Cellular1
no ip address
encapsulation slip
no ip route-cache cef
!
interface FastEthernet0
switchport access vlan 2
no ip address
!

interface GigabitEthernet0
description test-ip
ip address 10.180.8.1 255.255.255.240
duplex auto
speed auto
!
interface Serial0

!
interface Vlan1
description $ETH_LAN$
ip address 10.10.10.1 255.255.255.128
ip tcp adjust-mss 1452
!
interface Vlan2
description laptop LAN
ip address 10.60.107.222 255.255.255.252
!
interface Dialer1
description << Dialer associated with Cellular Interface >>
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
dialer pool 2
dialer string lte
dialer watch-group 1
dialer-group 1
no cdp enable
crypto map test
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended alif
permit ip host 20.0.0.110 any
permit ip 10.60.0.0 0.0.0.255 any
permit ip host 10.17.19.249 any

!
ip sla auto discovery
ip sla 10
icmp-echo 192.168.14.26 source-interface Loopback0
timeout 15000
ip sla schedule 10 life forever start-time now
dialer watch-list 1 ip 1.1.1.1 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 10
dialer watch-list 1 delay disconnect 20
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
event manager applet sim_toggle
event tag e1 track 10 state down
event tag e2 timer countdown time 120
trigger
correlate event e1 or event e2
action 1.0 track read 10
action 1.1 if $_track_state eq "down"
action 1.2 info type snmp oid 1.3.6.1.4.1.9.9.661.1.3.2.1.18.12 get-type exact
action 1.3 syslog msg "Carrier is "
action 1.4 set x "$_info_snmp_value"
action 1.5 cli command "enable"
action 1.6 if $x eq "celcom" goto primary
action 1.7 syslog msg "XXXXX Network Issue. Switching to YYYYY"
action 1.8 cli command "clear interface cellular 0"
action 1.9 cli command "cellular 0 LTE sim activate slot 1"
action 2.0 else
action 2.1 syslog msg "YYYY Network Issue. Switching to YYYY"
action 2.2 cli command "clear interface cellular "
action 2.3 cli command "cellular 0 LTEsim activate slot 0"
action 2.4 end
action 2.5 cli command "do clear ip route *"
action 2.6 cli command "do show ip sla statistics"
action 2.7 cli command "do show ip route"
action 2.8 cli command "do show ip interface brief"
action 2.9 end
event manager applet Failback
event timer watchdog time 3600
action 1.0 info type snmp oid 1.3.6.1.4.1.9.9.661.1.3.2.1.18.12 get-type exact
action 1.1 syslog msg "Carrier is $_info_snmp_value"
action 1.2 set x "$_info_snmp_value"
action 1.3 cli command "enable"
action 1.4 if $x eq "YYYYY"
action 1.5 syslog msg "Activating DIGI Sim Card"
action 1.6 cli command "clear interface cellular "
action 1.7 cli command "cellular 0 LTE sim activate slot 0"
action 1.8 cli command "do clear ip route *"
action 1.9 cli command "do show ip sla statistics"
action 2.0 cli command "do show ip route"
action 2.1 cli command "do show ip interface brief"
action 2.2 end
!
end

 
