Routing problem

becostergaard
Level 1

Hi,

I am having a problem configuring a Cisco 2600 router. The router has 2 ethernet ports and one ADSL WAN port. I have configured the router as a VPN server and when I connect to it over VPN I can ping one of the ethernet ports but not the other. Also, on the ethernet port that I can ping (FE0/0), I can ping the primary IP address but not its secondary IP address.

Below is my router configuration. If anyone could help me with this I would appreciate it,

thanks,

Rebecca

Router#show config
Using 2855 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
!
aaa new-model
!
!
aaa authentication login ezvpnxauth local
aaa authorization network ezvpnnetwork local
aaa session-id common
ip subnet-zero
ip cef
!
!
ip dhcp excluded-address 192.168.0.0 192.168.0.199
ip dhcp excluded-address 10.1.2.0 10.1.2.1
!
ip dhcp pool e0Pool
 network 10.1.2.0 255.255.255.0
 dns-server 203.0.178.191
 default-router 10.1.2.1
 lease 7
!
ip dhcp pool e1Pool
 network 192.168.0.0 255.255.255.0
 dns-server 203.0.178.191
 default-router 192.168.0.5
 lease 7
!
ip audit notify log
ip audit po max-events 100
vpdn enable
vpdn ip udp ignore checksum
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group EZVPNgroup
 key beccaspw
 dns 203.21.20.20 203.10.1.9
 pool ezvpnpool
 acl 100
!
!
crypto ipsec transform-set my-transform esp-3des esp-sha-hmac
!
crypto dynamic-map ezvpn-dymap 1
 set transform-set my-transform
 reverse-route
!
!
crypto map MYCMAP client authentication list ezvpnxauth
crypto map MYCMAP isakmp authorization list ezvpnnetwork
crypto map MYCMAP client configuration address respond
crypto map MYCMAP 65535 ipsec-isakmp dynamic ezvpn-dymap
!
!
!
interface ATM0/0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 172.17.2.1 255.255.0.0 secondary
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.5 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
interface Dialer1
 mtu 1492
 ip address dhcp
 ip nat outside
 ip address slarp retry 10
 encapsulation ppp
 dialer pool 1
 crypto map MYCMAP
!
ip local pool ezvpnpool 10.1.2.240 10.1.2.250
ip nat inside source list 1 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.2.0 255.255.255.0 FastEthernet0/0
!
!
access-list 1 permit 10.1.2.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
line au

1 Reply

Richard Burts
Hall of Fame

Rebecca

I believe that part of the explanation of your situation is that when you connect over VPN your PC is assigned an address in the ezvpnpool of 10.1.2.240 to 10.1.2.250. This puts them in the same subnet as the primary address of FastEthernet0/0. So when the PC attempts to ping the FastEthernet0/0 interface it is in the locally connected subnet and the PC does it easily. To ping FastEthernet0/1 or to ping the secondary address of FastEthernet0/0 is attempting to access a "remote" address and to do that the PC must use its default gateway. And I think that the default gateway on the PCs is not pointing to your router.

I also notice that you have a static route configured for:

ip route 10.1.2.0 255.255.255.0 FastEthernet0/0

I do not understand why you have this static route. The connected subnet should be in the routing table anyway.

Check the gateway issue and let us know what you find.

HTH

Rick
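
The subnet reasoning in the reply above, worked through as an added example that is not part of the original thread. It checks each router address from the posted configuration against the ezvpnpool range and, on the assumption that the `acl 100` line in the EZVPNgroup client group acts as the split-tunnel list, against ACL 100; the function names `parse` and `reachability` are hypothetical.

```python
import ipaddress

# Lines copied from the configuration posted in the question.
CONFIG = """\
interface FastEthernet0/0
 ip address 172.17.2.1 255.255.0.0 secondary
 ip address 10.1.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 192.168.0.5 255.255.255.0
ip local pool ezvpnpool 10.1.2.240 10.1.2.250
access-list 100 permit ip 10.1.2.0 0.0.0.255 any
"""

def parse(config):
    """Return (interface addresses, pool range, ACL 100 source networks)."""
    addrs, pool, acl, iface = [], None, [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["interface"]:
            iface = tok[1]
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            role = "secondary" if "secondary" in tok else "primary"
            addrs.append((iface, role, ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")))
        elif tok[:3] == ["ip", "local", "pool"]:
            pool = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif tok[:4] == ["access-list", "100", "permit", "ip"]:
            # IOS wildcard masks are host masks, which ip_network accepts directly.
            acl.append(ipaddress.ip_network(f"{tok[4]}/{tok[5]}"))
    return addrs, pool, acl

def reachability(config=CONFIG):
    """Map (interface, role) -> (same subnet as VPN pool, matched by ACL 100)."""
    addrs, (first, last), acl = parse(config)
    report = {}
    for iface, role, ifaddr in addrs:
        # On-link: the whole pool range sits inside this address's connected subnet.
        on_link = first in ifaddr.network and last in ifaddr.network
        # Assumption: ACL 100 is the split-tunnel list, so the client only
        # sends destinations matching it into the tunnel.
        tunnelled = any(ifaddr.ip in net for net in acl)
        report[(iface, role)] = (on_link, tunnelled)
    return report

if __name__ == "__main__":
    for (iface, role), (on_link, tunnelled) in reachability().items():
        print(f"{iface:16} {role:9} on-link={on_link!s:5} acl100={tunnelled}")
```

Only the primary address of FastEthernet0/0 passes both checks, which matches the one address the question reports as reachable over the VPN.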