Locally generated traffic not routing correctly

I have struggled with this for quite some time and would be very grateful for some help.

I have a Cisco 867 firewall installed in a branch office, connected between the office network and the local Internet connection. I have two IPSec tunnels between the 867 and remote datacentres. All this is working OK and any packets which come from outside the 867 are getting through to the correct places.

However, if I connect on to the 867 and try to ping remote devices to test connectivity, the box passes everything out through interface gigabitethernet1 which is the Internet interface. It does not route correctly over either of the tunnels and so I cannot ping from the 867 to test any devices which are over one of the tunnels. Also, the TFTP server which I use for network configurations is at one of the datacentres and so I cannot copy the configuration for this 867 back and forth to the TFTP server.

Please would someone help me overcome this problem.

Here is the configuration:

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ECR_Cisco867
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 <REMOVED>
!
no aaa new-model
wan mode ethernet
clock timezone gmt 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
!
!
!
!
ip domain name <REMOVED>
ip cef
no ipv6 cef
!
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
!
!
crypto pki trustpoint TP-self-signed-<REMOVED>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<REMOVED>
 revocation-check none
 rsakeypair TP-self-signed-<REMOVED>
!
!
crypto pki certificate chain TP-self-signed-<REMOVED>
 certificate self-signed 01
<REMOVED>
!
!
username <REMOVED> privilege 15 secret 5 <REMOVED>
!
!
controller VDSL 0
 shutdown
!
ip ssh version 2
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
! 
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr aes 192
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <REMOVED> address <REMOVED>  
crypto isakmp key <REMOVED> address <REMOVED>   
crypto isakmp key <REMOVED> address <REMOVED>  
crypto isakmp key <REMOVED> address <REMOVED>
!
!
crypto ipsec transform-set ConvergeVPN esp-aes 192 esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set WatchguardVPN esp-aes 256 esp-sha256-hmac 
 mode tunnel
!
!
!
crypto map VPN 101 ipsec-isakmp 
 set peer <REMOVED>
 set peer <REMOVED>
 set transform-set WatchguardVPN 
 match address 101
crypto map VPN 102 ipsec-isakmp 
 set peer <REMOVED>
 set peer <REMOVED>
 set transform-set ConvergeVPN 
 match address 102
!
!
!
!
!
!
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface Ethernet0.101
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 ip address 192.168.6.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN
!
interface Vlan1
 ip address 10.0.38.1 255.255.255.0
 ip helper-address 10.0.201.102
 ip helper-address 10.0.201.103
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT_ACL interface GigabitEthernet1 overload
ip route 0.0.0.0 0.0.0.0 192.168.6.254
!
ip access-list extended NAT_ACL
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 host <REMOVED>
 permit ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
 deny   ip 10.0.38.0 0.0.0.255 any
!
access-list 2 permit <REMOVED>
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 2 permit <REMOVED> 0.0.0.7
access-list 2 permit <REMOVED> 0.0.0.31
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 101 deny   ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
access-list 101 deny   ip 10.0.38.0 0.0.0.255 10.221.1.0 0.0.0.255
access-list 101 permit ip 10.0.38.0 0.0.0.255 any
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 host <REMOVED>
access-list 102 deny   ip 10.0.38.0 0.0.0.255 <REMOVED> 0.0.0.255
access-list 102 permit ip 10.0.38.0 0.0.0.255 10.221.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 60 0
 login local
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 access-class 2 in
 exec-timeout 60 0
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 60000 1000
!
end

ECR_Cisco867#

dkilpatrick1
Level 1, accepted solution

Try specifying a source interface:

i.e. ping 8.8.8.8 source Vlan1

For TFTP try adding:

ip tftp source-interface Vlan1
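
As an added illustration (not part of the thread), the Python below models why the source interface matters: IOS selects traffic for a crypto map by running the packet through the map's ACLs, and a locally generated packet is sourced from the egress interface (GigabitEthernet1, 192.168.6.100) unless a source is given, so it never matches the 10.0.38.0/24 selectors in ACLs 101 and 102 and leaves GigabitEthernet1 in the clear. The ACL entries are the ones visible in the posted config (redacted lines omitted); the remote host 10.221.1.10 is a constructed address inside the 10.221.1.0/24 tunnel subnet.

```python
import ipaddress

# Crypto-map ACLs 101 and 102 from the posted config. Entries whose addresses
# were redacted (<REMOVED>) in the post are omitted; only visible ones are
# modelled. Wildcard masks use IOS semantics (a 0 bit means "must match").
ACL_101 = [
    ("deny",   "10.0.38.0", "0.0.0.255", "10.221.1.0", "0.0.0.255"),
    ("permit", "10.0.38.0", "0.0.0.255", "0.0.0.0",    "255.255.255.255"),  # any
]
ACL_102 = [
    ("permit", "10.0.38.0", "0.0.0.255", "10.221.1.0", "0.0.0.255"),
]
# Crypto map VPN: sequence 101 (WatchguardVPN) is checked before 102 (ConvergeVPN).
CRYPTO_MAP = [(101, ACL_101), (102, ACL_102)]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits that are 0 in the mask must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action == "permit"
    return False

def crypto_map_entry(src: str, dst: str):
    """Return the crypto map sequence whose ACL selects this flow for IPsec,
    or None when the packet leaves GigabitEthernet1 unencrypted (no SA)."""
    for seq, acl in CRYPTO_MAP:
        if acl_permits(acl, src, dst):
            return seq
    return None

# Constructed flows: a ping from the router itself to a host behind the tunnel.
GI1_ADDR   = "192.168.6.100"   # default source: egress interface GigabitEthernet1
VLAN1_ADDR = "10.0.38.1"       # source after 'ping ... source Vlan1'
REMOTE     = "10.221.1.10"     # constructed host in the 10.221.1.0/24 tunnel subnet

if __name__ == "__main__":
    for src in (GI1_ADDR, VLAN1_ADDR):
        seq = crypto_map_entry(src, REMOTE)
        verdict = f"crypto map VPN seq {seq}" if seq else "clear text via default route"
        print(f"{src:>14} -> {REMOTE}: {verdict}")
```

Note that with the posted ACLs a Vlan1-sourced ping to 8.8.8.8 is selected by sequence 101 (10.0.38.0/24 to any), so it travels the WatchguardVPN tunnel rather than the local Internet connection.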

Hi dkilpatrick1, your suggestion works. It is a bit of a nuisance to have to remember to add the source to the command, but I can live with that.

I'm thinking of changing the configuration to try a virtual interface for the tunnel. This may also help with locally generated packets.

Thanks for your help.
