Solved: Re: Connectivity from IOS CLI

Jon Are Endrerud · ‎03-18-2021

Hello,

I'm a neewbie on the IOS platform after years on the ASA, FTD platforms I am using a Cisco 829IR to deploy IKEv2 between HQ and a remote location.

The unit is connecting with IKEv2 againts HQ with Cisco FTD units. This traffic is flowing as expected. I also remotly access the 829IR with SSH and pull information with SNMP through the IPsec.

The problem is connectivity from the Cisco 829IR itself, I noticed when configuring NTP that I had no ping and no response when running checks in the IOS CLI on the unit. Can anyone help me out with this ? Attaching the runnig_config.

Thanks very much in advance.

Regards

Jon

Please rate as helpful, if that would be the case. Thanx

Giuseppe Larosa · ‎03-18-2021

Hello @Jon Are Endrerud ,

by default an IOS router uses as source the exit interface in the direction of destination address.

The routing table will use the public address.

there is an option /source Vlsn1 or you csn use extended ping

ping <enter>

Hope to help

Giuseppe

View solution in original post

Spooster IT Services · ‎03-18-2021

Hello @Jon Are Endrerud

Are you configuring public NTP or private one you have in your own network?

Is the LAN network behind 829IR have secured internet access over the VPN through Cisco FTD?

***Please rate all helpful posts***

Spooster IT Services Team

Jon Are Endrerud · ‎03-18-2021

NTP is not the problem itself, I think connectivity is. I though traffic from the 829 itself would be from the the interface VLAN 1 ip, which is 172.17.241.1, I can connect to this IP and get SSH/SNMP.

Yes the LAN 172.18.241.0/24 is routing everything to the Cisco FTD.

If i put a client behind the Cisco 829 with ie. IP 172.18.241.100, I will be able to ping and get connectivity to remote hosts at the HQ, but when standing in IOS CLI which I thought would be 172.18.241.1, I get nothing.

Thanks you

Please rate as helpful, if that would be the case. Thanx

Georg Pauwen · ‎03-18-2021

Hello,

you have SNTP and not NTP configured, not sure if that makes a difference when synchronzing across a VPN.

Either way, try and configure:

sntp source-interface vlan 1

or configure NTP instead of SNTP:

ntp server 192.168.8.10
ntp source-interface vlan 1

Jon Are Endrerud · ‎03-18-2021

I will try this, but what are the reason I cannot get icmp against hosts from the IOS CLI 172.18.240.1,but from all other IP's in the same subnet? Im looking to forward syslogs and use other services, so the problem as said, is not only the NTP/SNTP configuration.

Please rate as helpful, if that would be the case. Thanx

Georg Pauwen · ‎03-18-2021

Hello,

can you ping 172.18.240.1 from the FTD on the other side ?

Giuseppe Larosa · ‎03-18-2021

Hello @Jon Are Endrerud ,

by default an IOS router uses as source the exit interface in the direction of destination address.

The routing table will use the public address.

there is an option /source Vlsn1 or you csn use extended ping

ping <enter>

Hope to help

Giuseppe

Jon Are Endrerud · ‎03-18-2021

Thank you for this. This was the problem. I have ICMP when defining the source interface as "VLAN 1".

This is something Im used to when operating ASA's and FTD's, my mistake really!

Do you now if there are any way to define a NAT to get around this ? Or do I just need to define the source vlan on diffrent services like NTP, SYSLOG and so ? Im guessing I need to define.

Thank you again.

Please rate as helpful, if that would be the case. Thanx

Giuseppe Larosa · ‎03-18-2021

Hello @Jon Are Endrerud ,

no problems every day we make mistakes or we learn or re-learn something, we are human beings !

You need to specify the source interface for each service like NTP , SNMP, logging and so on to be VLAN1

Hope to help

Giuseppe