Cisco 1921 issue

sahara101
Level 1

Hello,

 

I "inherited" a Cisco 1921 router.

While connected to the VPN, which is working, ping to the internet is not working. Is there a command I have to use for it?

Thank you for the help!


balaji.bandi
Hall of Fame

Looks like some ACL / NAT issue? Is only ping not working, or how about browsing any site, does that work?

 

- post show run (tell us what IP / domain name you try to ping?) - what is your source IP?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello

Are you trying to connect to the internet via the tunnel? If not, then you would require split tunneling to be enabled, and as such possibly NAT too.

Can you post the config of the router?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 5VEiMbSl8rsF22S87AfiXk/eYobcOL16Y0.xMaMUZ4A
enable password 7 1047070A11161E07
!
aaa new-model
!
!
aaa authentication login default local group radius
aaa authentication enable default enable group radius
aaa authorization exec default local group radius 
!
!
!
!
!
aaa session-id common
!
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
ip domain name 
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FCZ1616C32L
!
!
username admin privilege 15 password 7 000D001656550E050462
username admin privilege 15 password 7 03015559344C731C1C5837
!
redundancy
!
!
!
!
ip ssh version 1
!
track 1 ip sla 1
! 
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key key address xxxx no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
crypto isakmp nat keepalive 30
!
!
crypto ipsec transform-set crypto-set1 esp-aes esp-sha-hmac 
!
crypto map VPN 10 ipsec-isakmp 
 set peer xxxxx
 set security-association lifetime seconds 28800
 set transform-set crypto-set1 
 match address VPN

!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LAN-Outside
 ip address xxxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.20.160.254 255.255.255.0
 ip helper-address 10.20.1.110
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.160
 encapsulation dot1Q 160
 ip address 10.2.160.254 255.255.255.0
 ip helper-address 10.20.1.110
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 109.73.150.65
ip forward-protocol nd
!
ip http server
ip http authentication aaa
no ip http secure-server
!
ip nat inside source list natOutside interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxxx
ip route 10.0.0.0 255.0.0.0 xxxx
!
ip access-list extended flan
 deny   ip any xxxx 0.0.0.255
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended natOutside
 deny   ip 10.2.160.0 0.0.0.255 any
 deny   ip 10.20.160.0 0.0.0.255 any
 permit ip any any
ip access-list extended VPN
 permit ip 10.20.160.0 0.0.0.255 any
 permit ip 10.2.160.0 0.0.0.255 any
!
ip sla 1
 icmp-echo xxxx
 frequency 30
ip sla schedule 1 life forever start-time now
!
!
!
!
route-map fklan permit 10
 match ip address flan
 set ip next-hop verify-availability xxxx 1 track 1
!
route-map flan permit 20
 set ip next-hop xxxx
!
!
!
!
!
control-plane

line con 0
 transport output telnet ssh
line aux 0
 transport output telnet ssh
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
 transport output telnet ssh
line vty 5 15
 privilege level 15
 transport input ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp server 
ntp server
end

Ping is from 10.20.160.0 to 8.8.8.8

Hello

I would say it's down to your access-lists. The IPsec VPN ACL needs to be more specific, specifying the source and destination of the VPN traffic; that then enables you to deny that VPN traffic in the natOutside access list.

 

Example:
ip access-list extended natOutside
deny ip 10.2.160.0 0.0.0.255 x.x.x.x < other end vpn subnet
deny ip 10.20.160.0 0.0.0.255  x.x.x.x < other end vpn subnet
permit ip 10.2.160.0 0.0.0.255 any
permit ip 10.20.160.0 0.0.0.255 any

ip access-list extended VPN
permit ip 10.20.160.0 0.0.0.255 x.x.x.x < other end vpn subnet
permit ip 10.2.160.0 0.0.0.255 x.x.x.x < other end vpn subnet


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Oh, I lost the connection once deleting the old one. I assume I need to do this connected directly to the router...

Hello @sahara101 ,

you should have prepared new ACLs to take the place of the existing wrong ones, as noted by @paul driver.

Then you would have needed to change the reference from one ACL to the new one and this would allow you to make the change remotely.

In the current ACL you have a final permit ip any any that you should change to

permit ip 10.2.160.0 0.0.0.255 any

permit ip 10.20.160.0 0.0.0.255 any

 

For this reason it is easier to build two new extended ACLs with different ACL names than to change the existing ones on the fly.

Hope to help

Giuseppe

 

I added like this:

 

ip access-list extended natOutside
deny ip 10.2.160.0 0.0.0.255 10.20.0.0 0.0.255.255
deny ip 10.20.160.0 0.0.0.255  10.20.0.0 0.0.255.255
permit ip 10.2.160.0 0.0.0.255 any
permit ip 10.20.160.0 0.0.0.255 any

no deny ip 10.2.160.0 0.0.0.255 any
no deny ip 10.20.160.0 0.0.0.255 any - once this was entered I lost the connection.


What is weird is that 2 weeks ago it was working, with the same configuration.

Trace stops at gateway

nslookup works as the DC is answering via VPN

Hello @sahara101 ,

if you had no time to save the configuration, have someone on site power cycle the router for you.

 

Prepare a new ACL with a different name that is complete, and then make the change in the NAT configuration.

 

Hope to help

Giuseppe

 

Thank you!

 

It is working with:

 

deny ip any 10.0.0.0 0.255.255.255

permit ip any any
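As an added illustration (not code from this thread or from Cisco), a small Python model of IOS first-match ACL evaluation that walks the three natOutside variants discussed above: the one posted in the config, the appended-then-trimmed one that cost the remote session, and the final working one, the last paired with a crypto ACL scoped to the remote site as Paul suggested. The outside address 203.0.113.10, the remote subnet 10.20.0.0/16 and the host addresses are assumed values.

```python
import ipaddress

ANY = "0.0.0.0/0"

def ace(action, src, dst):
    """One extended ACE as (action, source network, destination network)."""
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

def evaluate(acl, src, dst):
    """IOS first-match evaluation, with the implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"

def classify(nat_acl, crypto_acl, src, dst, outside_ip="203.0.113.10"):
    """Egress path of an inside packet. Inside-to-outside NAT runs before the
    crypto map is consulted, so a translated packet no longer matches a 10.x
    crypto ACE. outside_ip is an assumed stand-in for the Gi0/0 address."""
    if evaluate(nat_acl, src, dst) == "permit":
        src = outside_ip                       # overloaded onto Gi0/0
    if evaluate(crypto_acl, src, dst) == "permit":
        return "vpn"                           # encrypted toward the IPsec peer
    return "internet" if src == outside_ip else "untranslated"

# ACLs as posted: inside LANs are exempt from NAT for *every* destination and the
# crypto ACL matches them to *any* destination, so 8.8.8.8 is pushed into the tunnel.
NAT_POSTED = [ace("deny", "10.2.160.0/24", ANY), ace("deny", "10.20.160.0/24", ANY),
              ace("permit", ANY, ANY)]
CRYPTO_POSTED = [ace("permit", "10.20.160.0/24", ANY), ace("permit", "10.2.160.0/24", ANY)]

# Lines added to an existing named ACL are appended *after* 'permit ip any any';
# once the old deny lines are removed, VPN-bound traffic hits the permit first and
# is translated, which is how the remote session was lost.
NAT_APPENDED = [ace("permit", ANY, ANY),
                ace("deny", "10.2.160.0/24", "10.20.0.0/16"),
                ace("deny", "10.20.160.0/24", "10.20.0.0/16"),
                ace("permit", "10.2.160.0/24", ANY), ace("permit", "10.20.160.0/24", ANY)]

# Working NAT ACL from the end of the thread, paired with a crypto ACL scoped to the
# remote site (10.20.0.0/16 is an assumed remote subnet) as Paul suggested.
NAT_FINAL = [ace("deny", ANY, "10.0.0.0/8"), ace("permit", ANY, ANY)]
CRYPTO_SPECIFIC = [ace("permit", "10.20.160.0/24", "10.20.0.0/16"),
                   ace("permit", "10.2.160.0/24", "10.20.0.0/16")]

if __name__ == "__main__":
    for name, nat, crypto in [("posted", NAT_POSTED, CRYPTO_POSTED),
                              ("appended", NAT_APPENDED, CRYPTO_POSTED),
                              ("final", NAT_FINAL, CRYPTO_SPECIFIC)]:
        for dst in ("8.8.8.8", "10.20.1.110"):
            print(f"{name:8} 10.20.160.10 -> {dst:12} {classify(nat, crypto, '10.20.160.10', dst)}")
```

Swap in the real remote subnet and outside address to check a proposed ACL before applying it over the tunnel.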

 
