07-30-2021 01:02 AM - edited 07-30-2021 01:06 AM
Hello,
I "inherited" a Cisco 1921 router.
While connected to the VPN, which is working, ping to the internet is not working. Is there a command I have to use for it?
Thank you for the help!
07-30-2021 02:25 AM
Looks like some ACL / NAT issue? Is only ping not working, or does browsing of any site work?
- post show run (tell us what IP / domain name you try to ping) - what is your source IP?
07-30-2021 02:57 AM
Hello
Are you trying to connect to the internet via the tunnel? If not, then you would require split tunneling to be enabled, and as such possibly NAT too.
Can you post the config of the router?
07-30-2021 04:25 AM
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 4 5VEiMbSl8rsF22S87AfiXk/eYobcOL16Y0.xMaMUZ4A
enable password 7 1047070A11161E07
!
aaa new-model
!
aaa authentication login default local group radius
aaa authentication enable default enable group radius
aaa authorization exec default local group radius
!
aaa session-id common
!
clock timezone MEZ 1 0
clock summer-time MESZ recurring last Sun Mar 2:00 last Sun Oct 3:00
!
no ipv6 cef
no ip source-route
ip cef
!
ip domain name
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FCZ1616C32L
!
username admin privilege 15 password 7 000D001656550E050462
username admin privilege 15 password 7 03015559344C731C1C5837
!
redundancy
!
ip ssh version 1
!
track 1 ip sla 1
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key key address xxxx no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30
crypto isakmp nat keepalive 30
!
crypto ipsec transform-set crypto-set1 esp-aes esp-sha-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer xxxxx
 set security-association lifetime seconds 28800
 set transform-set crypto-set1
 match address VPN
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description LAN-Outside
 ip address xxxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
!
interface GigabitEthernet0/1
 no ip address
 no ip redirects
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.20.160.254 255.255.255.0
 ip helper-address 10.20.1.110
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.160
 encapsulation dot1Q 160
 ip address 10.2.160.254 255.255.255.0
 ip helper-address 10.20.1.110
 ip nat inside
 ip virtual-reassembly in
!
ip default-gateway 109.73.150.65
ip forward-protocol nd
!
ip http server
ip http authentication aaa
no ip http secure-server
!
ip nat inside source list natOutside interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 xxxx
ip route 10.0.0.0 255.0.0.0 xxxx
!
ip access-list extended flan
 deny   ip any xxxx 0.0.0.255
 permit tcp any any eq www
 permit tcp any any eq 443
ip access-list extended natOutside
 deny   ip 10.2.160.0 0.0.0.255 any
 deny   ip 10.20.160.0 0.0.0.255 any
 permit ip any any
ip access-list extended VPN
 permit ip 10.20.160.0 0.0.0.255 any
 permit ip 10.2.160.0 0.0.0.255 any
!
ip sla 1
 icmp-echo xxxx
 frequency 30
ip sla schedule 1 life forever start-time now
!
route-map fklan permit 10
 match ip address flan
 set ip next-hop verify-availability xxxx 1 track 1
!
route-map flan permit 20
 set ip next-hop xxxx
!
control-plane
!
line con 0
 transport output telnet ssh
line aux 0
 transport output telnet ssh
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input ssh
 transport output telnet ssh
line vty 5 15
 privilege level 15
 transport input ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
ntp server
ntp server
end
Ping is from 10.20.160.0 to 8.8.8.8.
07-30-2021 04:54 AM - edited 07-30-2021 04:54 AM
Hello
I would say it is down to your access-lists. The IPsec VPN ACL needs to be more specific, specifying the source and destination as VPN traffic; that then enables you to deny that VPN traffic in the natOutside access list.
Example:
ip access-list extended natOutside
 deny ip 10.2.160.0 0.0.0.255 x.x.x.x    < other end vpn subnet
 deny ip 10.20.160.0 0.0.0.255 x.x.x.x   < other end vpn subnet
 permit ip 10.2.160.0 0.0.0.255 any
 permit ip 10.20.160.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.20.160.0 0.0.0.255 x.x.x.x  < other end vpn subnet
 permit ip 10.2.160.0 0.0.0.255 x.x.x.x   < other end vpn subnet
07-30-2021 05:13 AM
Oh, I lost the connection once I deleted the old one. I assume I need to do this connected directly to the router...
07-30-2021 05:25 AM - edited 07-30-2021 07:42 AM
Hello @sahara101 ,
you should have prepared new ACLs to take the place of the existing wrong ones, as noted by @paul driver.
Then you would have needed to change the reference from the old ACL to the new one, and this would have allowed you to make the change remotely.
In the current ACL you have a final permit ip any any that you should change to
permit ip 10.2.160.0 0.0.0.255 any
permit ip 10.20.160.0 0.0.0.255 any
For this reason it is easier to build two new extended ACLs with different ACL names than to change the existing ones on the fly.
Hope to help
Giuseppe
07-30-2021 05:37 AM
I added like this:
ip access-list extended natOutside
 deny ip 10.2.160.0 0.0.0.255 10.20.0.0 0.0.255.255
 deny ip 10.20.160.0 0.0.0.255 10.20.0.0 0.0.255.255
 permit ip 10.2.160.0 0.0.0.255 any
 permit ip 10.20.160.0 0.0.0.255 any
 no deny ip 10.2.160.0 0.0.0.255 any
 no deny ip 10.20.160.0 0.0.0.255 any
Once this was entered I lost the connection.
What is weird, 2 weeks ago it was working, same configuration.
Trace stops at the gateway.
nslookup works, as the DC is answering via the VPN.
07-30-2021 07:31 AM
Hello @sahara101 ,
if you had no time to save the configuration, have someone on site power cycle the router for you.
Prepare a new ACL with a different name that is complete, and then make the change in the NAT configuration.
Hope to help
Giuseppe
07-30-2021 07:56 AM
Thank you!
It is working with:
ip access-list extended natOutside
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
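To make the behaviour discussed in this thread visible without a router, the following is an added Python model (not code from the thread or from Cisco) of how IOS decides whether an inside-to-outside packet is translated and then whether it matches the crypto map. It assumes three things that are standard IOS behaviour: extended ACLs are evaluated first-match with an implicit deny at the end, entries added to a named ACL without sequence numbers are appended in the order typed, and NAT runs before the crypto map on the outbound interface. The outside address 203.0.113.10 and the host 10.20.160.10 are constructed stand-ins for the redacted values. The three natOutside variants are the original one from the posted config, the intermediate state after the appended entries and deletions in the 05:37 post, and the final working one; the example shows why the first sends internet traffic into the tunnel, the second sends VPN traffic to the internet (which matches the lost management session), and the third does the right thing for both.

```python
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "203.0.113.10"   # constructed stand-in for the redacted Gi0/0 address
LAN_HOST = "10.20.160.10"     # constructed host on the 10.20.160.0/24 LAN


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination specs."""
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>"
    dst: str


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    if tokens[0].lower() == "any":
        return "any", tokens[1:]
    if tokens[0].lower() == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines (the only form the thread's ACLs use)."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0].lower() not in ("permit", "deny"):
            continue   # skip the 'ip access-list extended ...' header and blanks
        action, rest = tokens[0].lower(), tokens[2:]   # tokens[1] is the protocol 'ip'
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        aces.append(Ace(action, src, dst))
    return aces


def _matches(spec, ip):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    addr, wildcard = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    p = int(ipaddress.IPv4Address(ip))
    return (a & ~w) == (p & ~w)


def evaluate(acl, src, dst):
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"


def forward(nat_acl, vpn_acl, src, dst):
    """Inside-to-outside on IOS: NAT is applied first, then the crypto map.
    Returns (post-NAT source, path) with path 'tunnel' or 'internet'."""
    if evaluate(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP   # 'interface Gi0/0 overload' rewrites the source
    path = "tunnel" if evaluate(vpn_acl, src, dst) == "permit" else "internet"
    return src, path


# The crypto ACL from the posted config.
VPN_ACL = parse_acl("""
permit ip 10.20.160.0 0.0.0.255 any
permit ip 10.2.160.0 0.0.0.255 any
""")

NAT_VARIANTS = {
    "original": parse_acl("""
        deny ip 10.2.160.0 0.0.0.255 any
        deny ip 10.20.160.0 0.0.0.255 any
        permit ip any any
    """),
    # State after the 05:37 edits: the four new lines were appended after
    # 'permit ip any any', then the two original denies were removed.
    "interim": parse_acl("""
        permit ip any any
        deny ip 10.2.160.0 0.0.0.255 10.20.0.0 0.0.255.255
        deny ip 10.20.160.0 0.0.0.255 10.20.0.0 0.0.255.255
        permit ip 10.2.160.0 0.0.0.255 any
        permit ip 10.20.160.0 0.0.0.255 any
    """),
    "final": parse_acl("""
        deny ip any 10.0.0.0 0.255.255.255
        permit ip any any
    """),
}

if __name__ == "__main__":
    for name, nat_acl in NAT_VARIANTS.items():
        for dst in ("8.8.8.8", "10.20.1.110"):
            src, path = forward(nat_acl, VPN_ACL, LAN_HOST, dst)
            print(f"{name:8} {LAN_HOST} -> {dst:12}  post-NAT src {src:14} via {path}")
```

Running it shows the original ACL never translating LAN traffic, so the ping to 8.8.8.8 still matches the crypto ACL and is sent into the tunnel; the interim ACL translating everything, so traffic to the DC no longer matches the crypto ACL and leaves untunnelled; and the final ACL exempting only 10.0.0.0/8 from translation, which is what split tunnelling with NAT requires here.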