Help Dual wan setup. Upstream Vpn and ISP split traffic

thlillyr
Level 1

I started a position at a new company and inherited a mess. I have a Cisco C3900 router feeding a Cisco 3560X switch. The switch does the inter-VLAN routing. I will later expand this as I improve their networking topology.

 

My current issue: their local network does not have internet access. The only active WAN link is to an upstream Checkpoint VPN device that is a site-to-site VPN. I want to add an ISP to a second WAN interface to provide internet for the local network. Currently they have a physically separate network for internet access, as no one before me could figure it out. I have added the ISP router to a WAN port on the C3900 router. I can ping the ISP gateway from the router but cannot ping outside addresses. I cannot ping the ISP gateway from the switch or a client PC. Having only recently obtained my CCNA, I feel a little out of my depth. There is only one static route set on the router, and that is to forward traffic up to the VPN WAN connection. The gateway of last resort is also statically assigned to the Checkpoint VPN. Removing either of these breaks the VPN link. After reading a lot of forum posts I tried several static route changes to the gateway of last resort and PBR maps. Nothing worked. If someone could help, that would be much appreciated. The router config is below.

 

Note: I do not have access to anything upstream on the VPN WAN link. Also, this router has a bunch of leftover config, as I am told it was removed from one department and given to us without a config wipe. I'm working on cleaning that up. I have to finish identifying the unneeded networks, which has been hard as nobody has any idea as to what is in use.

 

Config:

version 15.0

no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.160.0 192.168.160.25
ip dhcp excluded-address 192.168.163.0 192.168.163.25
ip dhcp excluded-address 192.168.162.0 192.168.162.25
ip dhcp excluded-address 192.168.161.0 192.168.161.25
ip dhcp excluded-address 192.168.164.0 192.168.164.25
!
ip dhcp pool LAN0
network 192.168.160.0 255.255.255.0
default-router 192.168.160.1
dns-server 192.168.163.58
!
ip dhcp pool LAN3
network 192.168.163.0 255.255.255.0
default-router 192.168.163.1
dns-server 192.168.163.15
!
ip dhcp pool LAN2
network 192.168.162.0 255.255.255.0
default-router 192.168.162.1
dns-server 192.168.163.58
!
ip dhcp pool LAN1
network 192.168.161.0 255.255.255.0
default-router 192.168.161.1
dns-server 192.168.163.58
!
ip dhcp pool LAN4
network 192.168.164.0 255.255.255.0
default-router 192.168.164.1
dns-server 192.168.163.58
!
ip dhcp pool lan3
dns-server 192.168.163.227
!
!
no ip domain lookup
ip domain name wtblab
multilink bundle-name authenticated

!
interface GigabitEthernet0/0 * Not in use
description Rise Broadband Open WAN Link
ip address dhcp
duplex auto
speed auto
!
interface GigabitEthernet0/1 * not in use
ip address 192.168.162.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2 * Downstream to local access switch
ip address 192.168.163.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0 * VPN Wan link
description PRN_VPN
ip address 172.16.248.113 255.255.255.248
negotiation auto
!
interface FastEthernet0/2/0
ip address 192.168.60.100 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/2/1 * Not In use
ip address 192.168.101.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/0 *This is the WAN ISP link
ip address 192.168.50.2 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/3/1
description PRN_VPN
ip address dhcp
shutdown
duplex auto
speed auto
!
interface GigabitEthernet4/0
ip address 192.168.160.1 255.255.255.0
!
!
router eigrp 109
network 192.168.50.0
network 192.168.160.0
network 192.168.161.0
network 192.168.162.0
network 192.168.163.0
network 192.168.164.0
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT_TO_VPN interface FastEthernet0/2/0 overload
ip route 0.0.0.0 0.0.0.0 172.16.248.114
!
!
route-map NAT_TO_VPN permit 10
match ip address 1
match interface FastEthernet0/2/0
!
route-map NAT_TO_ISP permit 10
match ip address 1 100
match interface FastEthernet0/3/0
!
!
!
control-plane
!

 

27 Replies

Hello
FYI - I know I have come in late into this and it seems you have a resolution, but reviewing your configuration it doesn't look correct?

Your NAT access list seems incorrect:

access-list 1 permit 192.168.163.0 0.0.0.255 <  Okay
access-list 1 permit 192.168.160.0 0.0.0.255 <--- not in use
access-list 1 permit 172.16.0.0 0.0.255.255 < no nat interface
access-list 1 permit 172.16.134.0 0.0.0.255 < no nat interface
access-list 1 permit 192.168.101.0 0.0.0.255 <-not in use
access-list 1 permit 192.168.161.0 0.0.0.255 <--- not in use
access-list 1 permit 192.168.162.0 0.0.0.255 <--- not in use
access-list 1 permit 192.168.164.0 0.0.0.255 < not in use
access-list 1 permit 172.16.248.0 0.0.0.255 < not nat interface
access-list 1 permit 141.221.0.0 0.0.255.255 <-- external no nat
access-list 1 permit 10.255.254.0 0.0.0.255 <-- external no nat
access-list 1 permit 10.10.48.0 0.0.0.255 <-- doesnt exist

Also, instead of using static routes you could have policy-based routed the traffic as an alternative.
Example:
no ip route 10.255.254.0 255.255.255.0 172.16.248.114
no ip route 141.221.0.0 255.255.0.0 172.16.248.114
no ip route 172.16.0.0 255.255.0.0 172.16.248.114
no ip route 172.16.134.0 255.255.255.0 172.16.248.114

ip access-list extended PBR_acl
permit ip any 10.255.254.0 0.0.0.255
permit ip any 141.221.0.0 0.0.255.255
permit ip any 172.16.0.0 0.0.255.255

 

route-map PBR_rm permit 10
match ip address PBR_acl
set ip next-hop 172.16.248.114

 

interface GigabitEthernet0/2
ip policy route-map PBR_rm


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
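The reply above walks the NAT access list entry by entry and marks each one as usable or not. The following script, added here as an example (it is not from the thread or from Cisco), automates that check: it parses the interface stanzas from the original posted config and the quoted `access-list 1` lines, converts each address/wildcard pair to a prefix, and reports whether any `ip nat inside` interface can actually source that prefix. Both inputs are constructed from the thread; the classification labels ("inside", "local-not-inside", "not-local") are this script's own.

```python
import ipaddress

# Constructed from the thread: the interfaces in the original posted config that
# carry an address, and their NAT role (only Gi0/2 has "ip nat inside" there).
INTERFACE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.162.1 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.168.163.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1/0
 ip address 172.16.248.113 255.255.255.248
!
interface FastEthernet0/2/0
 ip address 192.168.60.100 255.255.255.0
 ip nat outside
!
interface FastEthernet0/2/1
 ip address 192.168.101.1 255.255.255.0
!
interface FastEthernet0/3/0
 ip address 192.168.50.2 255.255.255.0
!
interface GigabitEthernet4/0
 ip address 192.168.160.1 255.255.255.0
!
"""

# The NAT access list exactly as quoted in the reply above (annotations removed).
NAT_ACL = """\
access-list 1 permit 192.168.163.0 0.0.0.255
access-list 1 permit 192.168.160.0 0.0.0.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.16.134.0 0.0.0.255
access-list 1 permit 192.168.101.0 0.0.0.255
access-list 1 permit 192.168.161.0 0.0.0.255
access-list 1 permit 192.168.162.0 0.0.0.255
access-list 1 permit 192.168.164.0 0.0.0.255
access-list 1 permit 172.16.248.0 0.0.0.255
access-list 1 permit 141.221.0.0 0.0.255.255
access-list 1 permit 10.255.254.0 0.0.0.255
access-list 1 permit 10.10.48.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network (the wildcard is the inverted mask)."""
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask_int)}", strict=False)


def parse_interfaces(config):
    """Return {name: (IPv4Network, nat_role)}; nat_role is 'inside', 'outside' or None."""
    interfaces = {}
    name = network = role = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith("interface "):
            name, network, role = parts[1], None, None
        elif name and line.startswith("ip address ") and len(parts) == 4:
            network = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network
        elif name and line.startswith("ip nat ") and len(parts) == 3:
            role = parts[2]
        elif line == "!" and name:
            if network is not None:
                interfaces[name] = (network, role)
            name = network = role = None
    return interfaces


def parse_nat_acl(acl_text, number="1"):
    """Collect the permitted source networks of a standard numbered ACL."""
    networks = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[:3] == ["access-list", number, "permit"]:
            networks.append(wildcard_to_network(parts[3], parts[4]))
    return networks


def audit_nat_acl(acl_networks, interfaces):
    """Classify each NAT ACL entry (labels are this script's own):
       'inside'               overlaps a subnet on an 'ip nat inside' interface, so it can match
       'local-not-inside(if)' overlaps a local interface that is not NAT inside, so it never matches
       'not-local'            no local interface covers it (remote, VPN or unknown range)
    Anything other than 'inside' is dead weight in a NAT source list."""
    report = {}
    for net in acl_networks:
        verdict = "not-local"
        for ifname, (ifnet, role) in interfaces.items():
            if net.subnet_of(ifnet) or ifnet.subnet_of(net):
                verdict = "inside" if role == "inside" else f"local-not-inside({ifname})"
                break
        report[str(net)] = verdict
    return report


def run_audit():
    return audit_nat_acl(parse_nat_acl(NAT_ACL), parse_interfaces(INTERFACE_CONFIG))


if __name__ == "__main__":
    for entry, verdict in run_audit().items():
        print(f"{entry:<20} {verdict}")
```

Only 192.168.163.0/24 comes back as "inside", which is the one entry the reply marks "Okay". `ip nat inside source list` translates only packets that enter an inside interface and leave an outside one, so the VPN client ranges (141.221.0.0/16, 10.255.254.0/24) belong in the routing table or a policy route, not in the NAT list. A related check worth running on the original posted config: `ip nat outside` is set only on FastEthernet0/2/0, so overloading toward the ISP link on FastEthernet0/3/0 needs `ip nat outside` on that interface as well.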

thlillyr
Level 1

Yes, my access list is a total mess. For troubleshooting purposes I basically dumped every single network I could find into it as a way of note taking. Also, I was rushed to get it done yesterday, as the VPN was down for an unrelated reason, so I had a window of downtime to make the changes. And also partly because I'm still trying to identify what the heck each one is and if it's even used still. I had previously attempted policy-based routing but couldn't get any matches on the route-maps I created. Strong possibility I hadn't configured them right, as at the time I still wasn't aware of two-thirds of the subnets I was dealing with. I will trim down the access list as I finish my discovery process.

 

I suspect now, with the understanding I have of the network, I can write the PBRs you posted. But I'm sticking with static routes for now. We have plans to replace this router with a new 9300ISR and do a complete network overhaul in the next few months. I will likely use PBR then, as it is much cleaner.

 

Thanks for the notes on the access list; that will really help when I trim them down. I got my CCNA last year, worked as an engineer for 3 months, then got laid off for COVID. So my CLI skills got really, really rusty. This process has helped me remember a lot of what I had forgotten.

thlillyr
Level 1

So I still have an odd issue that maybe you guys can explain. The router can no longer ping the 172.16.134.0 subnet, which is my remote site. However, now only the subnet 192.168.163.1 can ping to it. What have I done that broke all other subnets, including the router?

Hello
Initially you had a default route pointing to 192.168.50.2; now you've got a specific static for that subnet pointing towards 172.16.248.114.
Why did you change the default to point to this other next hop?



Kind Regards
Paul

thlillyr
Level 1

Because I was up all night, out of coffee, and couldn't see straight, and just ended up mashing random subnets in frustration. Terrible practice, don't do it. I removed that route; I forgot I had it there.

So, a few issues I've found this morning with a fresh brain.

 

Users on VPN cannot ping the 172.16.134.0 subnet or the 192.168.50.1 ISP gateway, which is my remote location.

Users on VPN don't have internet access (didn't before either). Split tunnel is disabled, so all traffic is through the VPN. Not my choice, company policy.

Cannot ping 172.16.134.0 from any subnet except 192.168.163.0, my main office subnet.

 

The 141.221.0.0 and 10.10.48.0 are the subnets for the Checkpoint clients.

 

thlillyr
Level 1

I have cleaned up my config to make for easier reading. I've shut down all the not-in-use ports.

ip nat inside source list 1 interface FastEthernet0/3/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.50.1 name "Defualt route forwards leftover traffic out the ISP"
ip route 10.255.254.0 255.255.255.0 172.16.248.114 name "Windows Checkpoint VPN Traffic"
ip route 141.221.0.0 255.255.0.0 172.16.248.114 name "Linux Checkpoint Vpn Traffic"
ip route 172.16.134.0 255.255.255.0 172.16.248.114 name "Site To Site Tunnel"
!
access-list 1 permit 192.168.0.0 0.0.255.255

Current issue:

The router can no longer ping the 172.16.134.0 subnet, which is my remote site. However, now only the subnet 192.168.163.0 can ping to it.

VPN endpoints can't ping 192.168.50.1, so they have no internet. Their split tunnel is disabled via company policy; I can't change it.

VPN endpoints can't ping the 172.16.134.0 subnet.

What have I done that broke the other subnets including the router?

Hello

If everything was working other than internet before you made all these changes, I suggest you roll it back and policy route for internet traffic only.

 

And to do that you would create an ACL and deny source-destination traffic other than internet traffic, then have a permit ip any any at the end of the ACL for internet traffic, and then policy route the next hop to the ISP for internet.



Kind Regards
Paul
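Two PBR designs appear in this thread: the earlier `PBR_rm` example (permit the VPN destinations, `set ip next-hop` to the Checkpoint side) and the "internet only" variant just described (deny the VPN destinations, `permit ip any any`, next hop to the ISP). The script below, added here as an illustration and not taken from the thread or from Cisco, models how IOS evaluates a policy route-map on the LAN ingress interface before falling back to the routing table, using the static routes the original poster listed later in the thread plus two connected LAN subnets. It also models `set ip default next-hop`, the IOS form that policy routes only when the routing table has nothing more specific than the default route. The routing table, ACLs, sample hosts and 203.0.113.10 (TEST-NET-3) are constructed for the example.

```python
import ipaddress

ISP_GW = "192.168.50.1"       # ISP next hop, from the thread
VPN_GW = "172.16.248.114"     # Checkpoint VPN next hop, from the thread

# Routing table as posted later in the thread (default to the ISP, specifics to the VPN)
# plus two connected LAN subnets from the original config. Constructed for the example.
ROUTING_TABLE = [
    ("0.0.0.0/0", ISP_GW),
    ("10.255.254.0/24", VPN_GW),
    ("141.221.0.0/16", VPN_GW),
    ("172.16.134.0/24", VPN_GW),
    ("192.168.163.0/24", "connected"),
    ("192.168.160.0/24", "connected"),
]

# ACL entries are (action, source, destination); first match wins, implicit deny at the end.
# Variant 1: the earlier PBR_acl from this thread, used with next hop = VPN.
VPN_ONLY_ACL = [
    ("permit", "0.0.0.0/0", "10.255.254.0/24"),
    ("permit", "0.0.0.0/0", "141.221.0.0/16"),
    ("permit", "0.0.0.0/0", "172.16.0.0/16"),
]
# Variant 2: the "internet only" ACL described above, used with next hop = ISP.
INTERNET_ONLY_ACL = [
    ("deny", "0.0.0.0/0", "10.255.254.0/24"),
    ("deny", "0.0.0.0/0", "141.221.0.0/16"),
    ("deny", "0.0.0.0/0", "172.16.134.0/24"),
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]


def lookup(routing_table, dst):
    """Longest-prefix match. Returns (matched_network, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net_str, next_hop in routing_table:
        net = ipaddress.ip_network(net_str)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def acl_permits(acl, src, dst):
    """Evaluate an extended ACL the IOS way: the first matching entry decides, otherwise deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def forward(routing_table, acl, pbr_next_hop, mode, src, dst):
    """Next hop chosen for src->dst on an interface carrying 'ip policy route-map'.
    mode 'next-hop'         models 'set ip next-hop': every ACL-permitted packet is policy routed.
    mode 'default-next-hop' models 'set ip default next-hop': policy routing applies only when
                            the routing table has nothing more specific than the default route."""
    assert mode in ("next-hop", "default-next-hop")
    route_net, route_hop = lookup(routing_table, dst)
    if acl_permits(acl, src, dst) and (mode == "next-hop" or route_net.prefixlen == 0):
        return pbr_next_hop
    return route_hop


def decisions(acl, pbr_next_hop, mode, src="192.168.163.20"):
    """Where a LAN host's packets go for four sample destinations: internet, Checkpoint
    client range, the site-to-site subnet, and another local LAN subnet."""
    samples = ["203.0.113.10", "10.255.254.10", "172.16.134.5", "192.168.160.5"]
    return {dst: forward(ROUTING_TABLE, acl, pbr_next_hop, mode, src, dst) for dst in samples}


if __name__ == "__main__":
    print("vpn-only, set ip next-hop:        ", decisions(VPN_ONLY_ACL, VPN_GW, "next-hop"))
    print("internet-only, set ip next-hop:   ", decisions(INTERNET_ONLY_ACL, ISP_GW, "next-hop"))
    print("internet-only, default next-hop:  ", decisions(INTERNET_ONLY_ACL, ISP_GW, "default-next-hop"))
```

The run shows the one trap in the "internet only" form: with `permit ip any any` and a plain `set ip next-hop`, traffic to the other local subnet 192.168.160.5 is also handed to the ISP, because policy routing is applied before the normal lookup and the ACL does not exclude local destinations. Either add deny lines for every 192.168.x LAN subnet ahead of the permit, or use `set ip default next-hop 192.168.50.1`, which leaves every destination that has a specific or connected route on the routing table and only policy routes what would otherwise hit the default. The earlier `PBR_rm` variant does not have this problem because it only permits the VPN destinations.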

thlillyr
Level 1

Sorry, let me clarify. These issues existed before I made any of the changes. At this point I'm trying to solve additional problems with the routing.

 

Hello

Okay, let's get this working for you.
First of all, post the existing running config of the router and the following show commands in a file and attach it to this post; this way it won't take up a whole page.

sh run
sh ip route
sh ip protocols
sh ip int bri
sh arp
sh ip nat translations




Kind Regards
Paul

thlillyr
Level 1

I've attached the requested Config and command outputs.

Hello
Although I don't see any EIGRP routes in the RIB table, you do have EIGRP active and it has missing statements. Do you have EIGRP adjacencies? <----- sh ip eigrp neighbors


Add the following statements:
router eigrp 109
 no auto-summary
 network 192.168.50.1 0.0.0.0
 network 172.16.248.113 0.0.0.0

 

Lastly, do you have any topology diagram you could share?



Kind Regards
Paul

There are no neighbors listed in the table. That command returns an empty table. It could be leftover config. I'm told this router and switch were removed from a different network environment and shoehorned into this one without resetting the config.

thlillyr
Level 1

This assumes that the Checkpoint VPN is not blocking this traffic. I can't configure the VPN server directly; it would take several days to submit a ticket to the department that manages it. It's not an ideal situation.