01-29-2014 06:35 AM - edited 03-04-2019 10:11 PM
Hi,
Can anyone please help me on this? All internal routes are working, but I cannot ping out to the internet.
The strange thing is the tunnel is UP, but the router cannot ping the modem or any public IP.
Here's the config on the router:
interface Tunnel65
description ipsec vti to sgsineqnix-gw-2
ip address 10.255.255.14 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.93.246
interface FastEthernet0/0
description ADSL WAN Interface
ip address 177.244.222.58 255.255.255.248
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
interface FastEthernet0/1
description internal
ip address 10.160.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
router eigrp 89
redistribute static
network 10.160.0.0 0.0.31.255
network 10.255.255.12 0.0.0.3
network 10.255.255.32 0.0.0.3
network 10.255.255.40 0.0.0.3
network 10.255.255.92 0.0.0.3
network 10.255.255.100 0.0.0.3
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 177.244.222.57
ip route 10.160.0.0 255.255.224.0 10.160.1.254
!
no ip http server
ip nat translation tcp-timeout 42300
ip nat translation udp-timeout 150
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat translation max-entries 4000
ip nat pool nat 177.244.222.58 177.244.222.58 netmask 255.255.255.248
ip nat inside source route-map nat pool nat overload
!
ip access-list extended firewall
permit ip any host 177.244.222.58
permit ip any host 177.244.222.57
permit icmp any any
ip access-list extended nat
permit ip 10.160.0.0 0.0.31.255 any
!
route-map nat permit 10
match ip address nat
FastEthernet0/0 177.244.222.58 YES manual up up
FastEthernet0/1 10.160.1.1 YES NVRAM up up
Serial0/3/0 10.252.160.2 YES NVRAM down down
NVI0 unassigned NO unset up up
Tunnel61 10.255.255.102 YES NVRAM up up
Tunnel65 10.255.255.14 YES NVRAM up up
Tunnel152 10.255.255.42 YES NVRAM up up
Tunnel6301 10.255.255.94 YES NVRAM up up
Tunnel8601 10.255.255.34 YES NVRAM up up
Please have a look on my config and check if I'm missing something.
Regards,
Jenna
01-29-2014 06:36 AM
I forgot to mention that the modem can ping public IPs, so I don't think the problem is the modem.
01-29-2014 06:51 AM
Hi,
Which subnets can't communicate with the outside? Can the 10.160.1.0/24 subnet go out and not the others?
If so change your NAT ACL like this:
ip access-list extended nat
no 10
10 permit ip 10.0.0.0 0.255.255.255 any
Tell us if it solved the problem.
Regards
Alain
Don't forget to rate helpful posts.
01-29-2014 07:15 AM
Hi Cadet,
The subnets 10.160.0.0/19 and 10.160.1.0/24 cannot communicate with the outside. Even the router cannot ping 4.2.2.2.
I tried to enter the config you gave but still no luck.
01-29-2014 07:22 AM
Jenna
What traffic is meant to go via the tunnel ?
Can you post full config of the router.
Jon
01-29-2014 07:42 AM
Hi Jon,
The inter-office traffic is meant to go via tunnels.
Here's the full-config:
Building configuration...
Current configuration : 3719 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw-1
!
boot-start-marker
boot system flash C2801-ipbase-mz.124-7a.bin
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool my-data
network 10.160.3.0 255.255.255.0
domain-name domain.net
dns-server 10.65.20.4
default-router 10.160.3.254
lease 0 8
class vlan30-range
address range 10.160.3.30 10.160.3.223
!
!
ip dhcp class vlan30-range
!
ip dhcp class my-data
relay agent information
relay-information hex 0000000000000a3e03fe mask ffffffffffff00000000
!
ip domain name domain.net
ip name-server 203.121.65.65
login block-for 60 attempts 3 within 30
login delay 10
!
!
!
!
interface Tunnel61
description ipsec vti to aunsweqnix-gw-3
ip address 10.255.255.102 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.109.14
!
interface Tunnel65
description ipsec vti to sgsineqnix-gw-2
ip address 10.255.255.14 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.93.246
!
interface Tunnel152
description ipsec vti to hkhkgdcent-gw-1
ip address 10.255.255.42 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.122.5
!
interface Tunnel6301
description ipsec vti to phmnlccent-gw-3
ip address 10.255.255.94 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.104.4
!
interface Tunnel8601
description ipsec vti to cnshaccent-gw-3
ip address 10.255.255.34 255.255.255.252
ip summary-address eigrp 89 10.160.0.0 255.255.224.0 5
tunnel source 177.244.222.58
tunnel destination 176.215.110.4
!
interface FastEthernet0/0
description ADSL WAN Interface
ip address 177.244.222.58 255.255.255.248
ip access-group firewall in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description internal
ip address 10.160.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
duplex auto
speed auto
!
interface Serial0/3/0
bandwidth 1984
ip address 10.252.160.2 255.255.255.252
encapsulation ppp
fair-queue 64 256 256
!
router eigrp 89
network 10.160.0.0 0.0.31.255
network 10.255.255.12 0.0.0.3
network 10.255.255.32 0.0.0.3
network 10.255.255.40 0.0.0.3
network 10.255.255.92 0.0.0.3
network 10.255.255.100 0.0.0.3
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 177.244.222.57
ip route 10.160.0.0 255.255.224.0 10.160.1.254
!
no ip http server
ip nat translation tcp-timeout 42300
ip nat translation udp-timeout 150
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat translation max-entries 4000
ip nat pool nat 177.244.222.58 177.244.222.58 netmask 255.255.255.248
ip nat inside source route-map nat pool nat overload
!
ip access-list extended firewall
permit ip any host 177.244.222.58
permit ip any host 177.244.222.57
permit icmp any any
ip access-list extended nat
permit ip 10.160.0.0 0.0.31.255 any
!
route-map nat permit 10
match ip address nat
!
!
control-plane
!
!
01-29-2014 07:46 AM
Jenna
If you do a traceroute from a client, what is it showing?
Jon
01-29-2014 07:52 AM
Hi Jon,
Here's a traceroute from the switch:
sw-1# traceroute 4.2.2.2
traceroute to 4.2.2.2 ,
1 hop min, 30 hops max, 5 sec. timeout, 3 probes
1 10.160.1.1 0 ms 0 ms 0 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
01-29-2014 07:55 AM
Jenna
Can you ping 177.244.222.57 from the router and then post the output of "sh arp" from the router.
Jon
01-29-2014 07:58 AM
gw-1#ping 177.244.222.57
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 177.244.222.57, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
gw-1#show arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.160.1.254 12 0023.4797.6640 ARPA FastEthernet0/1
Internet 10.160.1.1 - 0017.e023.c7ab ARPA FastEthernet0/1
Internet 177.244.222.58 - 0017.e023.c7aa ARPA FastEthernet0/0
Internet 177.244.222.57 0 c8d3.a3de.b846 ARPA FastEthernet0/0
01-29-2014 08:04 AM
Jenna
Apologies for all the outputs requested. Can you post "sh ip route" from the router ?
Jon
01-29-2014 08:25 AM
show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 177.244.222.57 to network 0.0.0.0
177.244.0.0/29 is subnetted, 1 subnets
C 177.244.222.56 is directly connected, FastEthernet0/0
172.16.0.0/24 is subnetted, 4 subnets
D EX 172.16.28.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65
D EX 172.16.29.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65
D EX 172.16.24.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65
D EX 172.16.10.0 [170/297247232] via 10.255.255.13, 05:30:08, Tunnel65
172.31.0.0/24 is subnetted, 1 subnets
D EX 172.31.31.0 [170/297246976] via 10.255.255.93, 05:13:39, Tunnel6301
192.168.200.0/32 is subnetted, 1 subnets
D EX 192.168.200.3 [170/297246976] via 10.255.255.13, 05:30:08, Tunnel65
10.0.0.0/8 is variably subnetted, 54 subnets, 4 masks
C 10.255.255.12/30 is directly connected, Tunnel65
D 10.0.0.0/30 [90/297244672] via 10.255.255.13, 05:30:09, Tunnel65
D EX 10.1.0.0/16 [170/297246976] via 10.255.255.13, 05:30:09, Tunnel65
D 10.255.255.4/30 [90/310044416] via 10.255.255.13, 05:30:09, Tunnel65
D 10.0.0.4/30 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.28/30 [90/310044416] via 10.255.255.41, 05:15:34, Tunnel152
[90/310044416] via 10.255.255.33, 05:15:34, Tunnel8601
D 10.255.255.16/30 [90/310044416] via 10.255.255.41, 05:35:58, Tunnel152
[90/310044416] via 10.255.255.13, 05:35:58, Tunnel65
C 10.255.255.40/30 is directly connected, Tunnel152
D 10.255.255.44/30
[90/299804416] via 10.255.255.93, 08:18:04, Tunnel6301
C 10.255.255.32/30 is directly connected, Tunnel8601
D 10.255.255.36/30
[90/299804416] via 10.255.255.93, 08:18:07, Tunnel6301
D 10.63.0.0/19 [90/297246976] via 10.255.255.93, 05:13:39, Tunnel6301
D 10.255.255.60/30
[90/299804416] via 10.255.255.93, 00:28:16, Tunnel6301
D 10.255.255.48/30
[90/299804416] via 10.255.255.93, 08:18:04, Tunnel6301
D 10.55.0.0/19 [90/298526976] via 10.255.255.93, 08:18:04, Tunnel6301
D 10.255.255.72/30
[90/299804416] via 10.255.255.93, 05:14:50, Tunnel6301
D 10.255.255.76/30
[90/299804416] via 10.255.255.93, 05:14:50, Tunnel6301
D 10.66.0.0/19 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.64/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
D 10.65.0.0/19 [90/297244672] via 10.255.255.13, 05:30:09, Tunnel65
D 10.255.255.68/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
D 10.255.255.88/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
C 10.255.255.92/30 is directly connected, Tunnel6301
D 10.82.0.0/19 [90/298526976] via 10.255.255.93, 05:14:50, Tunnel6301
D 10.255.255.80/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.81.0.0/19 [90/298526976] via 10.255.255.93, 05:13:38, Tunnel6301
D 10.86.0.0/19 [90/297246976] via 10.255.255.33, 05:13:21, Tunnel8601
D 10.255.255.84/30
[90/298524416] via 10.255.255.93, 00:28:25, Tunnel6301
D 10.255.255.104/30
[90/310044416] via 10.255.255.33, 05:30:08, Tunnel8601
[90/310044416] via 10.255.255.13, 05:30:08, Tunnel65
D 10.255.255.108/30
[90/298524416] via 10.255.255.93, 05:15:33, Tunnel6301
D 10.255.255.96/30
[90/298524416] via 10.255.255.93, 08:18:05, Tunnel6301
D EX 10.65.32.0/19 [170/310044416] via 10.255.255.13, 05:30:10, Tunnel65
C 10.255.255.100/30 is directly connected, Tunnel61
D 10.255.255.120/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
D 10.255.255.124/30
[90/310044416] via 10.255.255.33, 05:13:21, Tunnel8601
D 10.255.255.112/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.116/30
[90/299804416] via 10.255.255.93, 05:13:38, Tunnel6301
D 10.255.255.136/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.140/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.128/30
[90/299804416] via 10.255.255.93, 05:13:38, Tunnel6301
D 10.255.255.132/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
D 10.152.0.0/19 [90/297246976] via 10.255.255.41, 05:15:10, Tunnel152
D 10.255.255.144/30
[90/299804416] via 10.255.255.93, 05:14:51, Tunnel6301
D EX 10.171.0.0/16 [170/297246976] via 10.255.255.13, 05:30:10, Tunnel65
D 10.255.255.160/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
S 10.160.0.0/19 [1/0] via 10.160.1.254
C 10.160.1.0/24 is directly connected, FastEthernet0/1
D 10.255.255.184/30
[90/298524416] via 10.255.255.93, 05:13:40, Tunnel6301
D 10.255.255.188/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.176/30
[90/299804416] via 10.255.255.93, 00:28:17, Tunnel6301
D 10.255.255.180/30
[90/299804416] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.61.224.0/19 [90/298526976] via 10.255.255.93, 10:30:37, Tunnel6301
D 10.255.255.248/30
[90/297246976] via 10.255.255.41, 05:15:11, Tunnel152
D 10.255.255.252/30 [90/297247232] via 10.255.255.13, 05:30:10, Tunnel65
S* 0.0.0.0/0 [1/0] via 177.244.222.57
D EX 192.168.0.0/17 [170/297247232] via 10.255.255.13, 05:30:10, Tunnel65
01-29-2014 08:41 AM
Jenna
So the tunnels are up and you are receiving routes from the remote destinations, is that correct ?
I just tried tracerouting to your fa0/0 IP address and it stops after three hops only. I also cannot ping that IP.
Do you have any spare IPs from the 177.244.222.56/29 subnet ?
Jon
01-29-2014 08:53 AM
Hi Jon,
Yes, the tunnels are up and can access the router remotely.
We are only using 177.244.222.57 on the modem and .58 on this router.
01-29-2014 09:27 AM
Jenna
I am wondering if it is something to do with your NAT config. Is there any chance you could change the NAT pool to use a spare IP from the public IPs instead of the fa0/0 interface IP you have, and then tie that new NAT pool to your NAT statement?
You may need to clear any existing translations on your router.
It may not work but I think it is worth a try.
Jon
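Added example (not part of the thread and not any poster's code): a first-match evaluation of the posted `firewall` ACL against return traffic, for the current NAT pool address and for a spare one as suggested in the last post. The spare address 177.244.222.59 and all function names are assumptions; the check relies on classic IOS `ip nat inside/outside` processing, where the inbound ACL on the outside interface is evaluated before the destination is un-translated.

```python
import ipaddress

# ACL entries copied from the posted config ("ip access-list extended firewall").
FIREWALL_ACL = """\
permit ip any host 177.244.222.58
permit ip any host 177.244.222.57
permit icmp any any
"""

def parse_addr(tokens):
    """Consume one IOS address spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # "address wildcard" form (contiguous wildcards only): invert to a netmask
    wild = int(ipaddress.ip_address(tokens[1]))
    mask = ipaddress.ip_address(wild ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        action, proto = tokens[0], tokens[1]
        src, rest = parse_addr(tokens[2:])
        dst, _ = parse_addr(rest)
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, proto, src, dst):
    """First match wins; no match means the implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst:
            return action
    return "deny"

RULES = parse_acl(FIREWALL_ACL)
CURRENT_POOL = "177.244.222.58"  # pool address in the posted config
SPARE_POOL = "177.244.222.59"    # constructed: assumed spare from the /29

def check_return_traffic(pool_ip, remote="4.2.2.2"):
    """Verdict for replies arriving on fa0/0 addressed to the NAT pool IP."""
    return {p: evaluate(RULES, p, remote, pool_ip) for p in ("icmp", "tcp", "udp")}

if __name__ == "__main__":
    for ip in (CURRENT_POOL, SPARE_POOL):
        print(ip, check_return_traffic(ip))
```

With the posted ACL, replies to the current pool address are permitted, while TCP and UDP replies to a different pool address fall to the implicit deny, so a matching `permit` for the new address would be needed in `firewall` before testing that change.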