06-14-2018 08:38 AM - edited 03-05-2019 10:35 AM
I have struggled with this for quite some time and would be very grateful for some help.
I have a Cisco 867 firewall installed in a branch office, connected between the office network and the local Internet connection. I have two IPSec tunnels between the 867 and remote datacentres. All this is working OK and any packets which come from outside the 867 are getting through to the correct places.
However, if I connect on to the 867 and try to ping remote devices to test connectivity, the box passes everything out through interface gigabitethernet1 which is the Internet interface. It does not route correctly over either of the tunnels and so I cannot ping from the 867 to test any devices which are over one of the tunnels. Also, the TFTP server which I use for network configurations is at one of the datacentres and so I cannot copy the configuration for this 867 back and forth to the TFTP server.
Please would someone help me overcome this problem.
Here is the configuration:
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ECR_Cisco867
!
boot-start-marker
boot-end-marker
!
enable secret 5 <REMOVED>
!
no aaa new-model
wan mode ethernet
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ip domain name <REMOVED>
ip cef
no ipv6 cef
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
crypto pki trustpoint TP-self-signed-<REMOVED>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<REMOVED>
 revocation-check none
 rsakeypair TP-self-signed-<REMOVED>
!
crypto pki certificate chain TP-self-signed-<REMOVED>
 certificate self-signed 01
  <REMOVED>
!
username <REMOVED> privilege 15 secret 5 <REMOVED>
!
controller VDSL 0
 shutdown
!
ip ssh version 2
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr aes 192
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <REMOVED> address <REMOVED>
crypto isakmp key <REMOVED> address <REMOVED>
crypto isakmp key <REMOVED> address <REMOVED>
crypto isakmp key <REMOVED> address <REMOVED>
!
crypto ipsec transform-set ConvergeVPN esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set WatchguardVPN esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map VPN 101 ipsec-isakmp
 set peer <REMOVED>
 set peer <REMOVED>
 set transform-set WatchguardVPN
 match address 101
crypto map VPN 102 ipsec-isakmp
 set peer <REMOVED>
 set peer <REMOVED>
 set transform-set ConvergeVPN
 match address 102
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 ip address 192.168.6.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 ip address 10.0.38.1 255.255.255.0
 ip helper-address 10.0.201.102
 ip helper-address 10.0.201.103
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list NAT_ACL interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.6.254
!
ip access-list extended NAT_ACL
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
 deny   ip 10.0.38.0 0.0.0.255 any
!
access-list 2 permit <REMOVED>
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 2 permit <REMOVED> 0.0.0.7
access-list 2 permit <REMOVED> 0.0.0.31
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
access-list 101 deny   ip 10.0.38.0 0.0.0.255 10.221.1.0 0.0.0.255
access-list 101 permit ip 10.0.38.0 0.0.0.255 any
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
access-list 102 permit ip 10.0.38.0 0.0.0.255 10.221.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 60 0
 login local
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 access-class 2 in
 exec-timeout 60 0
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 60000 1000
!
end
ECR_Cisco867#
06-22-2018 04:30 AM - edited 06-22-2018 04:35 AM
Try specifying a source interface:
i.e. ping 8.8.8.8 source Vlan1
For TFTP try adding:
ip tftp source-interface Vlan1
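Why the source interface matters, and how to make the fix permanent, as an added example that is not part of the thread or the answer above. A packet the router generates itself takes the address of the interface it exits from unless a source is given, so a ping to the datacentre is sent from 192.168.6.100 on GigabitEthernet1. That source does not match the 10.0.38.0 0.0.0.255 source in access-list 101 or 102, so crypto map VPN never selects it for encryption and it leaves GigabitEthernet1 in cleartext via the default route to 192.168.6.254, where it can never reach a 10.221.1.x host. Sourcing from Vlan1 (10.0.38.1) makes the packet match access-list 102 and go through the ConvergeVPN SA. The interface and ACL names below are the thread's own; the datacentre host 10.221.1.10 and TFTP server 10.221.1.20 are placeholders; the logging, NTP and SNMP lines are only relevant if those services are later enabled (none is in the posted config).

```cisco
! --- One-off tests from the router CLI ---
! Source the ICMP from Vlan1 so the source is 10.0.38.1 and the packet
! matches access-list 102 (10.0.38.0/24 -> 10.221.1.0/24)
ping 10.221.1.10 source Vlan1
! Same test with an explicit source address, more probes and a larger size
ping 10.221.1.10 source 10.0.38.1 repeat 20 size 1400
! A telnet/SSH reachability probe can be sourced the same way
telnet 10.221.1.10 22 /source-interface Vlan1

! --- Permanent fix for router-originated management traffic ---
configure terminal
 ! TFTP (copy running-config tftp: / copy tftp: running-config)
 ip tftp source-interface Vlan1
 ! FTP copies, if used instead of TFTP
 ip ftp source-interface Vlan1
 ! Outbound SSH sessions started from this router
 ip ssh source-interface Vlan1
 ! Only needed if syslog, NTP or SNMP traps to the datacentre are added later
 logging source-interface Vlan1
 ntp source Vlan1
 snmp-server trap-source Vlan1
end
write memory

! Now the copy works without remembering a source on every command
copy running-config tftp://10.221.1.20/ECR_Cisco867.cfg

! --- Verification ---
! Both IKE sessions should show UP-ACTIVE
show crypto session
! The SA for 10.0.38.0/24 <-> 10.221.1.0/24: "pkts encaps" increments when
! the sourced ping is run, and stays flat when the ping is run without a
! source (that traffic went out GigabitEthernet1 unencrypted instead)
show crypto ipsec sa
```

The behaviour to keep in mind is that a crypto map does not drop router-generated traffic that fails to match its ACL; it simply forwards it unprotected by the normal routing table, which is why the symptom looks like a routing problem rather than a VPN problem. A route-based (VTI) tunnel avoids the issue because the decision is made by a route pointing at the tunnel interface rather than by an ACL match, but it requires the remote peer to support that mode as well.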
06-22-2018 07:14 AM
Hi dkilpatrick1, your suggestion works. It is a bit of a nuisance to have to remember to add the source to the command, but I can live with that.
I'm thinking of changing the configuration to try a virtual interface for the tunnel. This may also help with locally generated packets.
Thanks for your help.