
Cannot ping out

Tazio4436
Level 1

Hi,

I have configured a VPN tunnel between a Fortinet device and a Cisco 881 device.

The phase1 and phase 2 came up and tunnel is up.

It was a requirement by Fortinet to make the configuration in Aggressive Mode.

The Cisco 881 will be configured in the office and shipped to remote users working from home. The user will just need to connect the Cisco 881 to his/her modem at home on port F4, which is the WAN port, then plug his Cisco phone into either Port0 or Port1, which do PoE, and then plug the laptop into any other port.

Phone should come up and at the same time the laptop will be connected to network as the Cisco 881 will be doing the hardware VPN.

Right now everything seems ok but cannot test as it is not in production but some basic routing seems not working.

I ping 8.8.8.8 from the Cisco router.

The phone is getting a correct IP address, as well as the laptop.

But from the laptop I cannot ping 8.8.8.8.

I am attaching the sh run of Cisco 881 as well as a brief topology of the interconnection.

Also, an IP address cannot be configured on a physical interface; I am getting "% IP addresses may not be configured on L2 links" even though I do ip routing under the interface.

Any kind of help will be appreciated.

 

 

Thanks

Tazio

 

 

1 Accepted Solution

Accepted Solutions

Hello,

 

Vlan 1 should be configured like this:

 

interface Vlan1
ip address 10.88.120.1 255.255.255.248
ip nat inside
ip virtual-reassembly in


7 Replies

Hello,

 

make the changes marked in bold:

 

CISCO-881_01#sh run
Building configuration...

Current configuration : 2095 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname CISCO-881_01
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no aaa new-model
clock timezone EST -5 0
clock summer-time DST recurring
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.88.120.0 10.88.120.2
!
ip dhcp pool INTERNAL
network 10.88.120.0 255.255.255.248
default-router 10.88.120.1
dns-server 8.8.8.8
!
ip domain name test.com
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
encr aes 256
hash sha384
authentication pre-share
group 21
lifetime 28800
crypto isakmp key XXXXXXXXX address A.A.A.A(FORTINET WAN IP ADD)
!
crypto isakmp peer address A.A.A.A(FORTINET WAN IP ADD)
set aggressive-mode password XXXXXXXXX
set aggressive-mode client-endpoint fqdn CISCO-881_01
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha384-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TSET
!
interface Tunnel0
ip address dhcp
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination A.A.A.A(FORTINET WAN IP ADD)
tunnel protection ipsec profile IPSEC-PROFILE
!
interface FastEthernet0------>Phone is connected
no ip address
!
interface FastEthernet1------>Laptop is connected
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
no cdp enable
spanning-tree portfast
!
interface FastEthernet4-------->connected to home modem
ip address dhcp
--> ip nat outside
duplex auto
speed auto
!
interface Vlan1
ip address 10.88.120.2 255.255.255.248
--> ip nat inside
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
--> ip nat inside source list 1 interface FastEthernet4 overload
!
ip route 10.21.64.7 255.255.255.255 Tunnel0 (ONE IP ADD ON FORTINET LAN FOR TESTING PURPOSES)
--> ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
!
--> access-list 1 permit 10.88.120.0 0.0.0.7
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end

Hi ,

Thanks for your reply. Unfortunately it is not working. Still cannot ping out from laptop to 8.8.8.8.

From Cisco 881 cannot even ping 10.88.120.3 which is the ip add of laptop but can ping the phone which is 10.88.120.4

 

CISCO-881_01#ping 10.88.120.4---->phone
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.88.120.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/12 ms
CISCO-881_01#ping 10.88.120.3----->laptop
Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.88.120.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

But from laptop can ping phone

I have attached the new sh run

Thanks

Tazio

There is an issue with addressing on vlan1 and the address you have listed as the default gateway in the dhcp pool.


Hi ,

Thanks for your reply

The subnet I am using is 10.88.120.0/29 and the IP range will be 10.88.120.0 to .7, and I have 6 usable IP addresses.

I excluded 3 IP addresses from the DHCP pool that I have configured manually on the device: .0, .1 and .2.

Int vlan 1

ip address 10.88.120.2 255.255.255.248

Which IP address should I be using on Int vlan 1? Is there any kind of rule that I need to pick a specific IP address?

Please let me know

 

Thanks

Tazio

 

 

Hello,

 

Vlan 1 should be configured like this:

 

interface Vlan1
ip address 10.88.120.1 255.255.255.248
ip nat inside
ip virtual-reassembly in

Also, what is the output of:

 

ipconfig /all

 

from your laptop ?

Thank you very much.

Working great now.

Changing the ip address on Vlan 1 to .1 helped

Regards

Tazio
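
The mismatch behind this thread (the DHCP pool hands out 10.88.120.1 as default-router while Vlan1 holds 10.88.120.2) can be caught before a pre-configured router is shipped. The following is an added example, not part of the original thread: a Python check over IOS-style config text, where the function names and the sample excerpt are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread, before the fix.
SAMPLE_BEFORE = """\
ip dhcp pool INTERNAL
 network 10.88.120.0 255.255.255.248
 default-router 10.88.120.1
!
interface FastEthernet4
 ip address dhcp
!
interface Vlan1
 ip address 10.88.120.2 255.255.255.248
!
"""
# Same excerpt with the accepted fix applied to Vlan1.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("ip address 10.88.120.2", "ip address 10.88.120.1")

def parse(config):
    """Collect DHCP pools and statically addressed interfaces from IOS-style text."""
    pools, ifaces, kind, name = {}, {}, None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip dhcp pool (\S+)$", line):
            kind, name = "pool", m.group(1)
            pools[name] = {}
        elif m := re.match(r"interface (\S+)$", line):
            kind, name = "iface", m.group(1)
        elif line == "!":
            kind = None
        elif kind == "pool" and (m := re.match(r"network (\S+) (\S+)$", line)):
            pools[name]["network"] = ipaddress.ip_network("/".join(m.groups()))
        elif kind == "pool" and (m := re.match(r"default-router (\S+)", line)):
            pools[name]["gateway"] = ipaddress.ip_address(m.group(1))
        elif kind == "iface" and (m := re.match(r"ip address (\d\S*) (\d\S*)$", line)):
            ifaces[name] = ipaddress.ip_interface("/".join(m.groups()))
    return pools, ifaces

def check_gateways(config):
    """Report pools whose default-router is not an address the router itself owns."""
    pools, ifaces = parse(config)
    findings = []
    for name, pool in pools.items():
        gw, net = pool.get("gateway"), pool.get("network")
        if gw is None or net is None or any(a.ip == gw for a in ifaces.values()):
            continue
        local = [f"{i}={a.ip}" for i, a in ifaces.items() if a.ip in net]
        findings.append(f"{name}: default-router {gw} is not on any interface; "
                        f"router addresses in {net}: {', '.join(local) or 'none'}")
    return findings
```

Run against the pre-fix excerpt, `check_gateways` returns one finding naming pool INTERNAL and Vlan1; with Vlan1 moved to 10.88.120.1 it returns an empty list.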