cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
617
Views
1
Helpful
12
Replies

LAN not communicating with WAN

ruffwise
Level 1
Level 1

Hello all!

DISCLAIMER!!! I am kinda new to cisco configuration, this is my first ever router configuration and the router is a ISR-1100 series.
I am tryng to setup an office network to connect to our datacenter via a L3VPN link provided by the ISP. The L3VPN link is terminated on interface GigabitEthernet0/0/0 on the router and interface GigabitEthernet0/1/0 is the LAN on Vlan20 .
The issue is, I cannot ping nor reach any resources at the datacenter from the LAN.
Below is screenshot When I ping from the my laptop connected to the LAN interface (for troubleshooting sake my laptop is directly connected to the LAN port). I get replies when I ping the LAN interface

ruffwise_0-1728148262708.png

When I try to Ping any resource at the datacenter

ruffwise_1-1728148531807.png

ruffwise_0-1728148501397.png

 

ruffwise_3-1728149299001.png

But I get replies when I do a ping from inside the router

ruffwise_2-1728148610964.png

What am I missing...I will appreciate if someone can help me out with the missing config needed to resolve this. Below is the config the router. Thanking you in advance.

=========================================================================================

Router#show running-config
Building configuration...

Current configuration : 6518 bytes
!
! Last configuration change at 16:51:19 UTC Sat Oct 5 2024
!
version 17.2

hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip name-server 172.27.27.11 172.27.27.13
ip domain lookup recursive
ip domain lookup source-interface GigabitEthernet0/0/0
ip dhcp excluded-address 172.20.20.1 172.20.20.30
!
ip dhcp pool DHCP-Pool
network 172.20.20.0 255.255.255.0
default-router 172.20.20.1
domain-name xxx.com
dns-server 172.27.27.13 172.27.27.11
!
login on-success log
!
subscriber templating
multilink bundle-name authenticated
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
redundancy
mode none
!
vlan internal allocation policy ascending

!
interface GigabitEthernet0/0/0
description CONNECTION-L3VPN
ip address 10.6.30.90 255.255.255.252
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 20
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Vlan20
description CONNECTION-LAN
ip address 172.20.20.1 255.255.255.0
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/0/0
ip route 0.0.0.0 0.0.0.0 10.6.30.89
!
control-plane
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
transport input ssh
!
!
end

1 Accepted Solution

Accepted Solutions

balaji.bandi
Hall of Fame
Hall of Fame

Is this Router provided by the Provider or your Own managed device and the configuration done by your self ?

When you mentioned L3VPN ( i think that is doing by the provider) they offering you a Link for you to connect.

Is the 172.20.20.0/24 provided by the Provider or DC - or you have got it from net network teram.

If i am thinking this is simple link you may need get away with NAT as below : (only add below bold command under the respected interface and test it)

interface GigabitEthernet0/0/0
description CONNECTION-L3VPN
ip address 10.6.30.90 255.255.255.252
negotiation auto
ip virtual-reassembly

ip nat outside

!

interface Vlan20
description CONNECTION-LAN
ip address 172.20.20.1 255.255.255.0
ip virtual-reassembly

ip nat inside

!

access-list 20 permit 172.20.20.1 0.0.0.255

ip nat inside source list 20 interface GigabitEthernet0/0/0 overload

!

 

Test from PC you able to ping to DC ?

if all working as you expecting and write the config on the router.

If you looking that to be done VPN, that is different config and discussion.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

12 Replies 12

Richard Burts
Hall of Fame
Hall of Fame

The OP says "I am trying to setup an office network to connect to our datacenter via a L3VPN link provided by the ISP". I do not see anything in the posted config that relates to L3VPN. To access resources outside the router I would expect either to see some VPN config or some NAT config.

HTH

Rick

Hi, Thanks for your reply. As per my disclaimer, I’m still a newbie to this, however, I believe the VPN configuration you referred to would be on the ISP's side. I’ve also shared a network topology diagram in response to someone else, which might help clarify my setup, probably this will help understand my setup.

Thanks for your assistance

Show ip interface breif <<- share this 

MHM

Hi... Thanks for your reply. Permit me to share this on Monday when I return back to the office.

Thank you for your assistance.

balaji.bandi
Hall of Fame
Hall of Fame

Is this Router provided by the Provider or your Own managed device and the configuration done by your self ?

When you mentioned L3VPN ( i think that is doing by the provider) they offering you a Link for you to connect.

Is the 172.20.20.0/24 provided by the Provider or DC - or you have got it from net network teram.

If i am thinking this is simple link you may need get away with NAT as below : (only add below bold command under the respected interface and test it)

interface GigabitEthernet0/0/0
description CONNECTION-L3VPN
ip address 10.6.30.90 255.255.255.252
negotiation auto
ip virtual-reassembly

ip nat outside

!

interface Vlan20
description CONNECTION-LAN
ip address 172.20.20.1 255.255.255.0
ip virtual-reassembly

ip nat inside

!

access-list 20 permit 172.20.20.1 0.0.0.255

ip nat inside source list 20 interface GigabitEthernet0/0/0 overload

!

 

Test from PC you able to ping to DC ?

if all working as you expecting and write the config on the router.

If you looking that to be done VPN, that is different config and discussion.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji, This is my own managed router. The network topology is represented as shown in the image below.

ruffwise_0-1728190212490.png

I will test the commands you mentioned on Monday when I return to the office, and I'll provide you with feedback shortly after.

Thanks again for your assistance.

.

if that is case may my example fix for you, also make sure you use google DNS of the http/https requests not working. (on the client end PC or in the DHCP DNS config)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

It might be helpful if you would post exactly the information that the ISP provided about the connection.

In looking through the discussion again I am struck by these 2 observations:

- ping from a LAN address to the datacenter fails

-ping from the router itself to the datacenter is successful.

So you have connectivity to the datacenter and the issue is about using LAN addresses. I believe that the suggestion by BB to configure NAT is likely to be the solution to your issue.

HTH

Rick

ruffwise
Level 1
Level 1

Thank you all for the assistance. Adding the NAT as Balaji.Bandi suggested resolved the issue for me.

ruffwise
Level 1
Level 1

Hello All, I would like to bring to your attention another issue I just noticed. We have a direct connection from the Datacenter to AWS. While I can successfully reach and access servers at the Datacenter, I am unable to reach or access applications hosted in AWS. It appears that the traffic is dropping at the router (10.6.1.218) located at the Datacenter (please refer to the screenshot below - the traffic drops at 10.6.1.218)

ruffwise_0-1728463026735.png

This is a screenshot from a working branch/office showing reachability to AWS.

ruffwise_1-1728463542155.png

Your help/assistance in resolving this will be much appreciated. Below are configuration from the router at the datacenter

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

show ip int brief

==============================================================

Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0/0 unassigned YES NVRAM up up
GigabitEthernet0/0/0.1 172.24.24.1 YES NVRAM administratively down down
Gi0/0/0.27 172.27.27.1 YES NVRAM up up
GigabitEthernet0/0/1 154.113.165.106 YES NVRAM up up
GigabitEthernet0/0/2 10.0.220.206 YES NVRAM up up
GigabitEthernet0/1/0 unassigned YES unset up up
GigabitEthernet0/1/1 unassigned YES unset up up
GigabitEthernet0/1/2 unassigned YES unset administratively down down
GigabitEthernet0/1/3 unassigned YES unset administratively down down
GigabitEthernet0 unassigned YES NVRAM down down
Tunnel1 169.254.27.10 YES NVRAM up down
Tunnel2 169.254.188.202 YES NVRAM up down
Vlan1 unassigned YES unset administratively down down
Vlan50 10.6.1.218 YES NVRAM up up
Vlan99 192.168.192.46 YES NVRAM up up

=======================================================================

Datacenter router config

=========================================================================

vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family

!
crypto ikev2 keyring keyring-4
peer aws
description AWS-IPSESC-CONNECTION
address 34.249.254.70
pre-shared-key xxxxxxxxxxxxxxx
!
!
crypto ikev2 keyring keyring_52
peer aws_52
description AWS-IPSESC-CONNECTION_52
address 52.215.47.71
pre-shared-key xxxxxxxxxxxxxxx
!
!
!
crypto ikev2 profile AWS-IKEv2-PROFILE
description AWS-IKEv2 profile
match address local 154.113.167.85
match identity remote address 34.249.254.70 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keyring-4
lifetime 10800
!
crypto ikev2 profile AWS-IKEv2-PROFILE_52
description AWS-IKEv2_52 profile
match address local 154.113.167.85
match identity remote address 52.215.47.71 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keyring_52
lifetime 10800
!
vlan internal allocation policy ascending
!
!
crypto ipsec transform-set AWS-TRANSFORM esp-aes 256 esp-sha256-hmac
mode tunnel
crypto ipsec transform-set AWS-TRANSFORM_52 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile this_profile
set transform-set AWS-TRANSFORM
set pfs group14
set ikev2-profile AWS-IKEv2-PROFILE
!
crypto ipsec profile this_profile_52
set transform-set AWS-TRANSFORM_52
set pfs group14
set ikev2-profile AWS-IKEv2-PROFILE_52
!
interface Tunnel1
ip address 169.254.27.10 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 154.113.167.85
tunnel mode ipsec ipv4
tunnel destination 34.249.254.70
tunnel protection ipsec profile this_profile
!
interface Tunnel2
ip address 169.254.188.202 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 154.113.167.85
tunnel mode ipsec ipv4
tunnel destination 52.215.47.71
tunnel protection ipsec profile this_profile_52
!
interface GigabitEthernet0/0/0
description CONNECTION-MD-LAN
no ip address
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/0.1
encapsulation dot1Q 24
ip address 172.24.24.1 255.255.255.0
ip nat inside
shutdown
ip virtual-reassembly
!
interface GigabitEthernet0/0/0.27
encapsulation dot1Q 27
ip address 172.27.27.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0/1
description CONNECTION-MD-IP-ACCESS
mtu 2500
ip address 154.113.165.106 255.255.255.248
ip nat outside
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/2
description *CONNECTION TO AWS CLOUD CONNECT*
ip address 10.0.220.206 255.255.255.252
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/1/0
description L3VPN-PORT
switchport access vlan 50
!
interface GigabitEthernet0/1/1
switchport access vlan 99
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
interface Vlan50
description CONNECTION-L3VPN-MD
mtu 2000
ip address 10.6.1.218 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface Vlan99
description **Century-Connection*
ip address 192.168.192.46 255.255.255.252
!
router bgp 64277
bgp log-neighbor-changes
neighbor 10.0.220.205 remote-as 65277
neighbor 10.0.220.205 description ***PEERING WITH MD***
neighbor 10.0.220.205 version 4
!
address-family ipv4
network 172.16.16.0 mask 255.255.255.0
network 172.18.18.0 mask 255.255.255.0
network 172.20.20.0 mask 255.255.255.0
network 172.24.24.0 mask 255.255.255.0
network 172.25.25.0 mask 255.255.255.0
network 172.26.26.0 mask 255.255.255.0
network 172.26.27.0 mask 255.255.255.0
network 172.27.27.0 mask 255.255.255.0
network 172.28.28.0 mask 255.255.255.0
network 172.29.29.0 mask 255.255.255.0
neighbor 10.0.220.205 activate
neighbor 10.0.220.205 soft-reconfiguration inbound
exit-address-family
!
no ip http server
no ip http secure-server
ip forward-protocol nd
ip nat settings nonpatdrop
ip nat settings nonpatlog-disable
ip nat translation tcp-timeout 3600
ip nat translation syn-timeout 5
ip nat translation dns-timeout 10
ip nat translation icmp-timeout 30
ip nat pool MYPOOL 154.113.189.137 154.113.189.142 netmask 255.255.255.248
ip nat inside source static 172.27.27.10 154.113.165.109
ip nat inside source list 1 pool MYPOOL overload
ip route 0.0.0.0 0.0.0.0 154.113.165.105
ip route 10.6.9.90 255.255.255.255 10.6.1.217
ip route 10.6.14.4 255.255.255.255 10.6.1.217
ip route 10.6.17.54 255.255.255.255 10.6.1.217
ip route 10.6.30.86 255.255.255.255 10.6.1.217
ip route 10.6.30.90 255.255.255.255 10.6.1.217
ip route 10.6.30.100 255.255.255.252 10.6.1.217
ip route 172.15.15.0 255.255.255.0 10.6.1.217
ip route 172.16.0.0 255.255.224.0 10.6.1.217
ip route 172.16.16.0 255.255.255.0 10.6.1.217
ip route 172.18.18.0 255.255.255.0 10.6.1.217
ip route 172.20.20.0 255.255.255.0 10.6.1.217
ip route 172.24.24.0 255.255.255.0 192.168.100.42
ip route 172.26.26.0 255.255.255.0 10.6.1.217
ip route 172.26.27.0 255.255.255.0 10.6.1.217
ip route 172.28.28.0 255.255.255.0 10.6.1.217
ip route 172.29.29.0 255.255.255.0 10.6.1.217
ip route 192.168.0.0 255.255.255.0 10.6.1.217

!
ip community-list 1 permit 473440164
!
!
ip access-list standard 1
10 permit 172.0.0.0 0.252.255.255
20 permit 172.28.28.0 0.0.0.255
30 permit 10.6.9.88 0.0.0.3
40 permit 172.27.27.8 0.0.0.7
50 permit 172.29.29.0 0.0.0.255
60 permit 10.6.14.4 0.0.0.3
70 permit 10.6.30.96 0.0.0.3
80 permit 172.15.15.0 0.0.0.255
90 permit 10.6.30.88 0.0.0.3
100 permit 172.18.18.0 0.0.0.255
110 permit 172.16.16.0 0.0.0.255
120 permit 10.6.17.52 0.0.0.3
130 permit 10.6.30.84 0.0.0.3
140 permit 172.26.27.0 0.0.0.255
150 permit 172.24.24.0 0.0.0.255
160 permit 172.20.20.0 0.0.0.255
170 permit 172.27.27.0 0.0.0.255
180 permit 172.26.26.0 0.0.0.255
!
route-map AWS-ROUTE-FILTER permit 10
match community 1
!
route-map AWS-ROUTE-FILTER deny 100

 

 

10.0.220.205 - what is this router?

Check for route for 172.26.26.0/24 on it, route should be the same as for 172.20.20.0/24

ruffwise
Level 1
Level 1

I inherited this setup, but I believe that 10.0.220.205 is the router for AWS Direct Connect. Unfortunately, I do not have access to this router.As a side note, the 172.20.20.0 network is an existing network that has been operational and functional prior to my involvement. The original router for this network malfunctioned and was replaced with an ISR-1100 series router, which I configured.

Review Cisco Networking for a $25 gift card