
Router WAN interface IP did not ping from Outside

mimrankhalid
Level 1

I am facing a problem with accessibility from outside in the following scenario. I have two internet connections from two different ISPs, say ISP1 and ISP2. The goal is for both ISPs to work in a load-sharing manner.

PPTP VPN traffic goes to ISP2 from interface FastEthernet4 and all other traffic goes to ISP1, and in case any link goes down, all traffic shifts to the other active link. For this I configured IP SLA with a route-map. All is working well from inside; the problem is:

1- Both WAN IPs did not ping from outside.

The router is a Cisco 881W, which also acts as the PPTP VPN server.

 

Router#sh run
Building configuration...

Current configuration : 5852 bytes
!
! Last configuration change at 12:44:23 UTC Sat Jul 5 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1493367857
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1493367857
 revocation-check none
 rsakeypair TP-self-signed-1493367857
!
!
crypto pki certificate chain TP-self-signed-1493367857
 certificate self-signed 01
        quit
ip cef
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.114
ip dhcp excluded-address 10.0.1.1 10.0.1.100
ip dhcp excluded-address 10.0.1.230 10.0.1.254
!
ip dhcp pool INSIDE
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 202.xx.xx.xx 202.xx.xx.xx 203.xx.x.xx 203.xx.x.xx 8.8.8.8
!
!
!
no ip domain lookup
ip domain name asd.com
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
license udi pid C881WD-A-K9 sn FGL172823Z9
!
!
username admin password 7 xxxxxxxxxxxxxxxxxxxxxxxx
username asd privilege 15 password 7 xxxxxxxxxxxxxxx
username sdf password 7 xxxxxxxxxxxxxxx
!
!
!
!
!
ip ssh source-interface FastEthernet4
ip ssh version 1
!
track 10 ip sla 1 reachability
 delay down 1 up 1
!
track 20 ip sla 2 reachability
 delay down 1 up 1
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 switchport access vlan 2
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 116.xx.xx.26 255.255.255.xx
 ip nat outside
 no ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered FastEthernet4
 peer default ip address pool webvpn-pool
 no keepalive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 ip unnumbered Vlan1
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly in
 ip policy route-map PBR
!
interface Vlan2
 ip address 122.xx.xx.204 255.255.255.xx
 ip nat outside
 no ip virtual-reassembly in
!
ip local pool webvpn-pool 10.0.1.80 10.0.1.100
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat translation timeout 9000
ip nat pool LIVEIPs 116.xx.xx.26 116.xx.xx.29 netmask 255.255.255.xx
ip nat inside source route-map ISP1 interface Vlan2 overload
ip nat inside source route-map ISP2 pool LIVEIPs overload
ip nat inside source static tcp 10.0.1.114 81 116.xx.xx.xx 81 extendable
ip route 0.0.0.0 0.0.0.0 116.xx.xx.25 track 10
ip route 0.0.0.0 0.0.0.0 122.xx.xx.254 track 20
!
ip sla auto discovery
ip sla 1
 icmp-echo 116.xx.xx.25
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 1 life forever start-time now

!
ip sla 2
 icmp-echo 122.xx.xx.254
 threshold 500
 timeout 500
 frequency 1
ip sla schedule 2 life forever start-time now

!
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 permit icmp any any
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 permit tcp host 10.0.1.1 eq 22 any
access-list 102 permit tcp host 10.0.1.1 eq 81 any
access-list 102 permit udp host 10.0.1.1 eq 81 any
access-list 102 permit tcp host 10.0.1.1 eq 1723 any
access-list 102 permit gre any any
access-list 103 permit ip any any
!
route-map PBR permit 10
 match ip address 102
 set ip next-hop verify-availability 116.xx.xx.25 1 track 10
!
route-map PBR permit 30
 match ip address 103
 set ip next-hop verify-availability 122.xx.xx.254 2 track 20
!
route-map ISP2 permit 10
 match ip address 101
 match interface FastEthernet4
!
route-map ISP1 permit 10
 match ip address 101
 match interface Vlan2
!
snmp-server community xxxxxxxxxxxxx RO
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end

 

 

 

 

2 Replies

Emmanuel Valdez
Level 3

Hi,

Are you testing from inside PCs or outside PCs?

You are using dot1q and the interface VLAN 2 is not a physical interface, do you have a router in the same VLAN?

Regards.

Hi

After brainstorming, the problem is with "ip cef": when I disable it with the "no ip cef" command, the router gets pinged from outside, but now the problem is that packets drop without "ip cef". Can somebody mention what is wrong with "ip cef" when it is on with PBR and IP SLA?