12-07-2012 06:05 AM - edited 03-04-2019 06:21 PM
I'm having an issue where internal hosts cannot access the internet but I am able to ping external hosts when I console into the router. The router is a 2800 series. Does anything jump out at you?
Thanks in advance.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
enable secret 5 $1$okjq$nzEJtcQA.jMAxu4XJuzTu0
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.48.10.1 10.48.10.63
ip dhcp excluded-address 10.48.9.1 10.48.9.63
!
ip dhcp pool voice
network 10.48.10.0 255.255.255.0
default-router 10.48.10.1
option 42 ip 10.48.255.9 10.48.255.254
option 2 hex ffff.8f80
option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
dns-server 8.8.8.8
!
ip dhcp pool data
network 10.48.9.0 255.255.255.0
default-router 10.48.9.1
option 156 ascii "ftpservers=10.48.2.16, country=1, language=1, layer2tagging=1, vlanid=102"
dns-server 8.8.8.8
!
ip dhcp pool data-bw-hb-01
host 10.48.9.32 255.255.255.0
client-identifier 68b5.9990.97a2
default-router 10.48.9.1
dns-server 8.8.8.8
!
ip dhcp pool data-bw-hb-02
host 10.48.9.33 255.255.255.0
client-identifier 68b5.9990.5503
default-router 10.48.9.1
dns-server 8.8.8.8
!
ip dhcp pool data-clr-bh-01
host 10.48.9.40 255.255.255.0
client-identifier 0000.854e.777d
default-router 10.48.9.1
dns-server 8.8.8.8
!
ip dhcp pool data-bh-staff-01
host 10.48.9.39 255.255.255.0
client-identifier 68b5.9990.cd2f
default-router 10.48.9.1
dns-server 8.8.8.8
!
ip dhcp pool data-bh-ptr-mb
host 10.48.9.50 255.255.255.0
client-identifier 0100.8077.84f7.76
default-router 10.48.9.1
dns-server 8.8.8.8
!
ip dhcp pool data-bh-chk-01
host 10.48.9.38 255.255.255.0
hardware-address 0025.b3fc.7cf2
default-router 10.48.9.1
dns-server 10.48.254.16 68.94.156.1
!
ip dhcp pool data-bh-ptr-sc
host 10.48.9.49 255.255.255.0
hardware-address 0013.21c1.8cc0
default-router 10.48.9.1
dns-server 8.8.8.8
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
no ip bootp server
ip domain lookup source-interface FastEthernet0/0.997
ip domain name jag.intra
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-295269958
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-295269958
revocation-check none
rsakeypair TP-self-signed-295269958
!
!
crypto pki certificate chain TP-self-signed-295269958
certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
!
username sitetech privilege 15 secret 5 $1$NNKm$MC8mPimeV9RRKoyJz5cZv0
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key *********************** address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set jag-trans esp-aes 256 esp-md5-hmac
!
crypto ipsec profile jag-dmvpn
set transform-set jag-trans
!
!
!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
class-map match-any Call-Signaling
match ip dscp cs3
match ip dscp af31
class-map match-any Voice
match ip dscp ef
match access-group 161
!
!
policy-map WAN-EDGE
class Voice
priority percent 33
class Call-Signaling
bandwidth percent 5
class class-default
fair-queue
!
!
!
!
interface Loopback0
ip address 10.48.255.9 255.255.255.255
ip nat inside
ip virtual-reassembly
load-interval 30
!
interface Loopback1
no ip address
!
interface Tunnel0
description DMVPN via ATT DSL
bandwidth 1000
ip address 10.255.48.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast x.x.x.230
ip nhrp map 10.255.48.254 x.x.x.230
ip nhrp network-id 100000
ip nhrp holdtime 30
ip nhrp nhs 10.255.48.254
ip tcp adjust-mss 1360
ip summary-address eigrp 1048 10.48.8.0 255.255.252.0 5
delay 1000
shutdown
qos pre-classify
tunnel source FastEthernet0/0.998
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile jag-dmvpn
!
interface Tunnel1
description DMVPN via XO EoC
bandwidth 10000
ip address 10.255.48.9 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map 10.255.48.254 x.x.x.230
ip nhrp map multicast x.x.x.230
ip nhrp network-id 100000
ip nhrp holdtime 30
ip nhrp nhs 10.255.48.254
ip tcp adjust-mss 1360
ip summary-address eigrp 1048 10.48.8.0 255.255.252.0 5
delay 1000
qos pre-classify
tunnel source FastEthernet0/0.997
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile jag-dmvpn
!
interface Tunnel2
description DMVPN test
bandwidth 10000
ip address 10.254.48.254 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication DMVPN_JA
ip nhrp map multicast dynamic
ip nhrp network-id 20000
ip nhrp holdtime 30
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
load-interval 60
delay 400
shutdown
qos pre-classify
keepalive 5 4
tunnel source FastEthernet0/0.997
tunnel mode gre multipoint
tunnel key 20000
tunnel protection ipsec profile jag-dmvpn
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Outside Trunk
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
service-policy output WAN-EDGE
!
interface FastEthernet0/0.997
description XO EoC
encapsulation dot1Q 997
ip address y.y.y.110 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
no cdp enable
!
interface FastEthernet0/0.998
description AT&T DSL
encapsulation dot1Q 998
ip address dhcp
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
shutdown
no cdp enable
!
interface FastEthernet0/1
description Inside Trunk
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1.101
encapsulation dot1Q 101
ip address 10.48.9.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.102
encapsulation dot1Q 102
ip address 10.48.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
!
router eigrp 1048
redistribute static route-map redist-static
passive-interface FastEthernet0/0
passive-interface FastEthernet0/0.997
passive-interface FastEthernet0/0.998
network 10.48.0.0 0.0.255.255
network 10.254.48.0 0.0.0.255
network 10.255.48.0 0.0.0.255
network 10.255.49.0 0.0.0.255
network 10.0.0.0
no auto-summary
!
no ip forward-protocol nd
no ip forward-protocol udp tftp
no ip forward-protocol udp nameserver
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 a.a.a.62 100 track 1
ip route 0.0.0.0 0.0.0.0 b.b.b.109 track 2
ip route 10.48.20.0 255.255.252.0 10.48.9.15
ip route 10.48.255.21 255.255.255.255 10.48.9.15
ip route a.a.a.56 255.255.255.248 FastEthernet0/0.998
ip route b.b.b.108 255.255.255.252 FastEthernet0/0.997
ip http server
ip http access-class 90
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NAT-Map-ATT interface FastEthernet0/0.998 overload
ip nat inside source route-map Nat-Map-XO interface FastEthernet0/0.997 overload
!
ip access-list extended NATIP
deny ip 10.48.0.0 0.0.255.255 10.0.0.0 0.0.0.255
permit ip 10.48.0.0 0.0.255.255 any
!
ip sla 1
icmp-echo a.a.a.62
timeout 30000
frequency 30
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo b.b.b.109
frequency 8
access-list 10 permit 10.48.255.21
access-list 10 remark redist-static allowed
access-list 10 permit 10.48.20.0 0.0.3.255
access-list 90 remark HTTP Server ACL
access-list 90 permit 10.255.48.0 0.0.0.255
access-list 90 permit 10.48.0.0 0.0.255.255
access-list 90 permit 10.20.0.0 0.3.255.255
access-list 90 permit 10.16.1.0 0.0.0.255
access-list 90 permit 206.82.221.224 0.0.0.15
access-list 90 deny any
access-list 90 permit 0.0.0.0 255.255.255.0
access-list 90 permit 10.254.48.0 0.0.0.255
access-list 110 permit ip 10.48.0.0 0.0.255.255 any
access-list 111 permit ip 10.48.0.0 0.0.255.255 any
access-list 161 remark : ShoreTel Voice over IP Ports
access-list 161 permit udp any any eq 2427
access-list 161 permit udp any any eq 2727
access-list 161 permit udp any any range 5440 5446
access-list 161 permit udp any any eq 5004
access-list 161 permit udp any any eq 5060
access-list 161 permit tcp any any eq 5060
access-list 161 permit udp host 10.48.10.16 gt 1024 any gt 1024
access-list 161 permit udp 10.48.10.0 0.0.0.255 any
!
!
!
route-map Nat-Map-XO permit 10
match ip address NATIP
match interface FastEthernet0/0.997
!
route-map redist-static permit 10
match ip address 10
!
route-map redist-static deny 20
!
route-map NAT-Map-ATT permit 10
match ip address NATIP
match interface FastEthernet0/0.998
!
!
snmp-server community $jag-net-stats$ RO 90
!
control-plane
!
banner login ^CC
This system is considered private and proprietary and is subject to audit.
The unauthorized access, use or modification of this or any other computer
systems or networks or of the data contained therein or in transit
thereto/therefrom is a criminal violation of federal and state laws and will
be prosecuted to the fullest extent of the law.
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 10.20.253.1
ntp server 192.12.19.20
ntp server 164.67.62.194
end
12-07-2012 07:09 AM
Hi Kris,
When you say you can ping from the firewall, what is the source address you are using? Can you try an extended ping and specify the inside interface and see if that works? "debug IP nat" will probably help too.
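The checks the reply above points at (which outside interface the traffic actually leaves on, and whether NAT is bound to it) can also be run offline against the config. This is an added example, not code from the thread; it assumes the IOS syntax as dumped above and uses RFC 5737 documentation addresses in place of the masked a.a.a / b.b.b provider addresses.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's config; 203.0.113.x / 198.51.100.x (RFC 5737)
# stand in for the masked a.a.a / b.b.b provider addresses.
SAMPLE = """\
interface FastEthernet0/0.998
ip nat outside
shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.62 100 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.109 track 2
ip route 203.0.113.56 255.255.255.248 FastEthernet0/0.998
ip route 198.51.100.108 255.255.255.252 FastEthernet0/0.997
ip nat inside source route-map NAT-Map-ATT interface FastEthernet0/0.998 overload
ip nat inside source route-map Nat-Map-XO interface FastEthernet0/0.997 overload
!
route-map Nat-Map-XO permit 10
match interface FastEthernet0/0.997
!
route-map NAT-Map-ATT permit 10
match interface FastEthernet0/0.998
!
"""

def section(cfg, header):
    """First config block (blocks are separated by '!' lines) whose first line starts with header."""
    return next((s for s in cfg.split("\n!") if s.lstrip("\n").startswith(header)), "")

def nat_findings(cfg):
    """Resolve each default route to its egress interface via the interface-bound statics,
    then check that interface is not shut and that the NAT statement and route-map both use it."""
    findings = []
    connected = [(ipaddress.ip_network(f"{p}/{m}"), i)
                 for p, m, i in re.findall(r"ip route (\S+) (\S+) (Fast\S+)", cfg)]
    for nh in re.findall(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d\S*)", cfg):
        egress = next((i for n, i in connected if ipaddress.ip_address(nh) in n), "?")
        rmap = re.findall(r"ip nat inside source route-map (\S+) interface " + re.escape(egress), cfg)
        if not rmap:
            findings.append(f"default route via {nh}: no overload NAT bound to its egress interface")
            continue
        if "\nshutdown" in section(cfg, f"interface {egress}\n"):
            findings.append(f"{egress}: default route via {nh} but interface is shutdown")
        if f"\nmatch interface {egress}" not in section(cfg, f"route-map {rmap[0]} "):
            findings.append(f"route-map {rmap[0]} does not match interface {egress}")
    return findings
```

On the excerpt it reports only the tracked default route through the shut AT&T sub-interface; a route-map whose `match interface` disagrees with the `ip nat inside source ... interface` it is bound to, or a default route with no NAT on its egress, are flagged the same way.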
12-07-2012 09:17 PM
This ended up resolving itself. The internet carrier had a routing issue and I was able to ping normally once they resolved it. Thanks for taking a look though.
Kris
12-07-2012 11:03 PM
Hello Kris,
Thank you for sharing the solution with the community.
Some Kudos to you..
Please mark the question as answered so future users can learn from this..
Julio