07-19-2012 03:00 PM - edited 03-07-2019 07:52 AM
Hi.
I'm having difficulty getting a router/L2L VPN scenario to work. I'm not quite sure that it's possible to do what I want to do, but after reading up on OSPF all day I don't see why.
Site A:
ISP has a 1812 router that has two interfaces at my service. FA1 where I get internet access and FA2 where I get access to a few other services they provide me with.
I have a 1811 router that I have connected against the ISP router. My FA0 -> ISP FA1 and my FA1 -> ISP FA2. Now I have configured my router so that I can communicate with both internet and I can ping the ISP "service" interface (172.16.3.241).
Site B:
I have an ASA5520 connected to another ISP and I have configured a L2L tunnel between the ASA and my 1811 at Site A. The L2L communication works just fine. All the networks at Site B that are supposed to be able to communicate with my router at Site A can do this without any problems.
Now, my goal here is to be able to communicate with networks on the "service" network at Site A from the network at Site B. So far so good.
Now, the ISP at Site A wants me to advertise my networks using OSPF, and here is where it all stops. I can't seem to get this to work. I have the following configuration in my router at Site A:
interface FastEthernet0
description Uplink to ISP WAN connection
ip address 213.xx.xxx.xx2 255.255.xxx.xxx
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map xxxxx-xxxxx-xxxxx
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto
router ospf 1
router-id 172.16.3.242
max-metric router-lsa
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
network 172.16.21.0 0.0.0.255 area 0
network 172.16.52.0 0.0.0.255 area 0
ip route 0.0.0.0 0.0.0.0 213.xxx.xxx.xx1
The 172.16.52.0/24 and 172.16.21.0/24 are networks at Site B. Right now I can't ping 172.16.3.242 from, for example, network 172.16.21.0, and the router itself can't ping anything beyond 172.16.3.242. I do, however, see advertisements from the ISP if I do "sh ip ospf database", but my router doesn't seem to advertise my networks to the ISP's "service" network.
What do I miss here?
Best regards,
Johan Christensson
07-19-2012 05:44 PM
Is OSPF adjacency up and running with 172.16.3.242 router?
What is the output of
sh ip os ne
07-19-2012 11:06 PM
Hi and thanks for your answer.
As far as I can see I get OSPF information from the ISP's router.
OSPF Router with ID (172.16.3.242) (Process ID 1)
Router Link States (Area 0)
Link ID ADV Router Age Seq# Checksum Link count
172.16.3.242 172.16.3.242 1043 0x80000012 0x00B2A3 1
213.50.145.138 213.xxx.xxx.138 1154 0x800000EC 0x005740 1
Net Link States (Area 0)
Link ID ADV Router Age Seq# Checksum
172.16.3.242 213.xxx.xxx.138 1154 0x80000022 0x004D25
Type-5 AS External Link States
Link ID ADV Router Age Seq# Checksum Tag
0.0.0.0 213.xxx.xxx.138 1410 0x800000CE 0x00615E 2
88.xxx.xxx.0 213.xxx.xxx.138 1410 0x800000CE 0x007B5C 77
193.xxx.xxx.71 213.xxx.xxx.138 1410 0x800000CE 0x007BB1 77
193.xxx.xxx.224 213.xxx.xxx.138 1410 0x800000CE 0x00F734 77
195.xxx.xxx.192 213.xxx.xxx.138 1410 0x800000CE 0x00E8AE 77
195.xxx.xxx.168 213.xxx.xxx.138 1410 0x800000CE 0x00B42F 77
And so on...
And if I run the command you suggested, "sh ip ospf neighbor", I get the following output:
Neighbor ID Pri State Dead Time Address Interface
213.xxx.xxx.138 1 FULL/DR 00:00:37 172.16.3.242 FastEthernet1
Best regards,
Johan Christensson
07-23-2012 06:10 AM
Anyone that has any ideas?
I have talked to the ISP and they say that everything seems to be ok on their side, but to be on the safe side they cleared their ARP cache.
I have double-checked that this isn't a feature issue, but as far as I can see OSPF is supported on the 1811 platform running c181x-adventerprisek9-mz.151-4.M1.bin.
Anything else that I should check?
/Johan Christensson
07-23-2012 07:12 AM
Hello Johan,
from the point of view of Site A router 1811 it cannot advertise in OSPF the IP subnets of site B using the network command under router ospf process because they are not connected interfaces on the router.
>> The 172.16.52.0/24 and 172.16.21.0/24 are networks at the Site B.
These IP subnets are seen from Site A router on the LAN to LAN VPN.
There are two possible options here:
either the OSPF domain extends over the VPN L2L tunnel and the above IP subnets are advertised by the ASA
OR
they are known as static routes on the Site A router and they should be advertised by redistribution of static routes into OSPF domain (that is configured on site A)
In addition to this, the ASA being a firewall may need some tuning of traffic ACLs to permit communication. Also static routes if used should be updated and ACLs used to decide what to encrypt in case of IPSEC tunnel have to be updated on both ends.
Without seeing the configurations of the C1811 in siteA and of ASA in site B it is difficult to say more.
We see that OSPF adjacency is up on C1811:fas1 as expected.
You should check the OSPF database on C1811 looking for the IP subnets of site B
show ip ospf database external 172.16.52.0
show ip ospf database external 172.16.21.0
(this if the ASA and C1811 don't speak OSPF over the VPN tunnel)
As you see there are some open aspects in this setup.
It would help to know what type of VPN tunnel you have configured (IPSEC I suppose)
Hope to help
Giuseppe
07-23-2012 07:49 AM
Hi Giuseppe.
Well, the L2L tunnel between the ASA in Site B and the 1811 router in Site A is an IPSec tunnel, but I don't think the problem is here since that communication works as expected. I have also verified this by creating loopback interfaces in the Site A router to mimic the networks that I want to communicate with beyond my own network and successfully pinged these networks over the L2L VPN tunnel from all the networks involved at Site B.
The problem as I see it, and please correct me if I'm wrong here, is that the ISP router doesn't get my OSPF advertisements from my router in Site A. I will try to illustrate the setup below.
ISP Router (Cisco 1812) FA1 <-> My 1811 FA1 = Here is where the OSPF adverts should happen
My 1811 Site A FA0 -> ISP router FA2 -> Internet -> ASA Site B -> Internal subnets
I tried to minimize the OSPF table by just including the network that actually exists as an interface in the Site B router so that the OSPF list looked like this:
router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
If I have understood this correctly I should be able to ping for example 88.131.xxx.1 directly from my router in Site B, but this times out. This is one of the networks on the ISP's side that I want to be able to communicate with.
But if I run the following command from the router CLI:
show ip ospf database external 172.16.3.240 (....240 being the "physical" network configured on the router, that also is directly connected to the ISP's router) I get the following output:
OSPF Router with ID (172.16.3.242) (Process ID 1)
But if I do the following:
show ip ospf database external 88.131.198.0
I get the following output:
OSPF Router with ID (172.16.3.242) (Process ID 1)
Type-5 AS External Link States
Routing Bit Set on this LSA in topology Base with MTID 0
LS age: 400
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 88.131.198.0 (External Network Number )
Advertising Router: 213.50.145.138
LS Seq Number: 8000015F
Checksum: 0x57EE
Length: 36
Network Mask: /28
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 10
Forward Address: 0.0.0.0
External Route Tag: 77
Here is my configuration of the router in Site B:
boot-start-marker
boot-end-marker
!
!
enable secret 5 ******
!
aaa new-model
!
!
aaa group server radius *******
server 172.16.20.12 auth-port 1812 acct-port 1813
!
aaa authentication login ISRAdminAuth group **** local enable
aaa authorization exec default group **** local if-authenticated
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet1
ip domain name manhattan.local
ip name-server 172.16.20.12
ip name-server 172.16.20.13
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn *******
username ***-***-****** privilege 15 secret 5 ***
!
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh version 2
!
!
crypto isakmp policy 11
encr aes 256
authentication pre-share
group 5
crypto isakmp key *** address 193.***.***.11
!
!
crypto ipsec transform-set ***-***-IPSec esp-des esp-sha-hmac
!
crypto map ***-***-CMap 11 ipsec-isakmp
set peer 193.***.***.11
set transform-set ***-***-IPSec
match address 120
!
!
!
!
!
interface FastEthernet0
description Uplink to TDC WAN connection
ip address 213.***.***.242 255.255.255.240
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map ***-***-CMap
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface FastEthernet9
no ip address
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 213.***.***.241
!
access-list 102 permit udp host 193.***.***.11 any eq 10000
access-list 102 permit udp host 193.***.***.11 any eq non500-isakmp
access-list 102 permit udp host 193.***.***.11 any eq isakmp
access-list 102 permit esp host 193.***.***.11 any
access-list 102 permit ahp host 193.***.***.11 any
access-list 102 permit udp host 172.16.20.13 eq domain any
access-list 102 permit udp host 172.16.20.12 eq domain any
access-list 102 permit tcp host 193.***.***.11 any eq 22
access-list 102 permit ip host 193.***.***.116 any
access-list 102 permit ip host 84.***.***.90 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.20.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 120 permit ip 88.131.198.0 0.0.0.255 172.16.52.0 0.0.0.255
!
!
!
!
!
!
radius-server **************
!
!
control-plane
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
exec-timeout 60 0
login authentication *************
transport preferred ssh
transport input ssh
!
ntp source FastEthernet1
ntp server 172.16.20.12 prefer
ntp server 172.16.20.13
Best regards,
Johan Christensson
07-23-2012 08:05 AM
Hello Johan,
the direct link between Site A router and ISP router is not external so this explains why the first output is empty.
As I wrote before you should check if OSPF external routes for Site B IP subnets are generated on the Site A router or not.
You can use the commands that I suggested before:
show ip ospf database external 172.16.52.0
show ip ospf database external 172.16.21.0
I'm afraid both commands have empty output and here comes the issue.
From the point of view of Site A router that has crypto map applied to Fas0 interface you should add two static routes like
ip route 172.16.21.0 255.255.255.0 fas0 ( or use the ISP next-hop on fas0= 213.x.x.241 )
ip route 172.16.52.0 255.255.255.0 fas0
(or use the ISP next-hop on fas0= 213.x.x.241 it is better)
ip route 172.16.21.0 255.255.255.0 213.x.x.241
ip route 172.16.52.0 255.255.255.0 213.x.x.241
This should give the static routes we need and should allow to advertise the IP subnets in OSPF as external routes
Actually I see only a static default route in your router and this will not be injected in OSPF domain ( redistribute static does not work for default route when redistributing into OSPF)
Hope to help
Giuseppe
07-23-2012 11:18 AM
Thanks for all of your replies.
Well, adding the two following lines, as you suggested, solved the problem:
ip route 172.16.21.0 255.255.255.0 fa0
ip route 172.16.52.0 255.255.255.0 fa0
When I now query the database like:
show ip ospf database external 172.16.21.0
I get a more correct output:
OSPF Router with ID (172.16.3.242) (Process ID 1)
Type-5 AS External Link States
LS age: 801
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 172.16.21.0 (External Network Number )
Advertising Router: 172.16.3.242
LS Seq Number: 80000002
Checksum: 0x1FFB
Length: 36
Network Mask: /24
Metric Type: 2 (Larger than any link state path)
MTID: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0
And for some reason my router at Site B is able to ping one of the hosts in the ISP network as expected.
So far so good. Now, it's just the matter of getting the remote networks at Site B to be able to communicate with the networks at the remote side of the ISP router. I guess this is a completely different question, but in the ASA at Site B I added a static route as follows:
route outside 88.131.198.0 255.255.255.0 172.16.3.242 1
And as previously stated I also have added the routes in the Site A router. Wouldn't this be enough?
Best regards,
Johan Christensson
07-23-2012 11:27 AM
Hello Johan,
good news there has been progress.
>> ASA at site B i added a static route as following:
route outside 88.131.198.0 255.255.255.0 172.16.3.242 1
No, this is not correct and it is not enough.
The IP next-hop has to be the local IP next-hop used by the ASA not the ISP router IP address at Site A.
And you need to update all the involved ACLs ( the one used to decide what traffic has to be encrypted and the ACL on the inside as a minimum)
Hope to help
Giuseppe
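Giuseppe's advice in this thread comes down to a few checks that can be run offline against a saved config: every Site B subnet in the crypto ACL needs a static route on the Site A router before "redistribute static subnets" will produce a Type-5 LSA for it, the static default route is never redistributed that way, the NAT-exemption ACL has to deny the same pairs the crypto ACL permits, the peer's crypto ACL has to be the mirror image, and a static route's next hop (the ASA's "route outside ... 172.16.3.242" above) has to be on one of the device's own connected subnets. The script below is an added example and is not code from the thread or from Cisco. It runs over a constructed excerpt of the 1811 config with documentation addresses; the ACL numbers 110 and 120, the crypto map name and the ASA outside subnet 203.0.113.0/29 are assumptions, and the static route for 172.16.52.0/24 is deliberately left out so the check reports the gap the thread ran into.

```python
"""Offline sanity checks for an IOS site-to-site VPN with static routes
redistributed into OSPF. Added example, not the thread's own code."""
import ipaddress
import re

# Constructed excerpt modelled on the 1811 config posted in the thread.
# Public addresses use documentation ranges. The 172.16.52.0/24 static
# route is intentionally missing so the check has something to report.
IOS_CONFIG = """\
crypto map SITEB-CMap 11 ipsec-isakmp
 set peer 203.0.113.11
 match address 120
interface FastEthernet0
 ip address 198.51.100.242 255.255.255.240
 crypto map SITEB-CMap
interface FastEthernet1
 ip address 172.16.3.241 255.255.255.248
router ospf 1
 redistribute static subnets
 network 172.16.3.240 0.0.0.7 area 0
ip route 0.0.0.0 0.0.0.0 198.51.100.241
ip route 172.16.21.0 255.255.255.0 FastEthernet0
access-list 110 deny ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 110 deny ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 110 permit ip 172.16.3.240 0.0.0.7 any
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
"""


def _spec(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS wildcard (host mask) in place of a netmask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for 'access-list N permit|deny ip' lines."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (.+)$", line.strip())
        if m:
            toks = m.group(2).split()
            src, i = _spec(toks, 0)
            dst, _ = _spec(toks, i)
            entries.append((m.group(1), src, dst))
    return entries


def parse_static_routes(config):
    """Return [(prefix, next_hop_or_interface)] from 'ip route' lines."""
    routes = []
    for line in config.splitlines():
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line.strip())
        if m:
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"), m.group(3)))
    return routes


def redistributed_statics(config):
    """Prefixes that 'redistribute static subnets' injects as Type-5 LSAs.
    The static default route is never picked up this way; OSPF needs
    'default-information originate' to advertise 0.0.0.0/0."""
    if not re.search(r"^\s*redistribute static subnets", config, re.M):
        return set()
    return {net for net, _ in parse_static_routes(config) if net.prefixlen > 0}


def crypto_acl(config):
    """Entries of the ACL referenced by the crypto map's 'match address'."""
    m = re.search(r"match address (\d+)", config)
    return parse_acl(config, m.group(1)) if m else []


def missing_external_routes(config):
    """Remote subnets (crypto ACL destinations) the ISP can never learn from this
    router because there is no static route for OSPF to redistribute."""
    have = redistributed_statics(config)
    return sorted({str(d) for a, _, d in crypto_acl(config) if a == "permit" and d not in have})


def nat_exempt_gaps(config, nat_acl="110"):
    """Crypto ACL pairs the NAT-exemption ACL does not deny; such traffic would be
    translated first and then no longer match the crypto ACL."""
    denied = {(s, d) for a, s, d in parse_acl(config, nat_acl) if a == "deny"}
    return [(str(s), str(d)) for a, s, d in crypto_acl(config)
            if a == "permit" and (s, d) not in denied]


def mirrored_crypto_acl(config):
    """Pairs the peer's crypto ACL must carry: same networks, source and destination swapped."""
    return [(str(d), str(s)) for a, s, d in crypto_acl(config) if a == "permit"]


def next_hop_is_local(next_hop, connected_subnets):
    """A static route's next hop must lie in one of *this* device's connected subnets;
    a far-end address such as the Site A ISP router is not usable from the ASA."""
    hop = ipaddress.ip_address(next_hop)
    return any(hop in ipaddress.ip_network(n) for n in connected_subnets)


if __name__ == "__main__":
    print("no static route to redistribute for:", missing_external_routes(IOS_CONFIG))
    print("crypto pairs without NAT exemption:", nat_exempt_gaps(IOS_CONFIG))
    print("peer crypto ACL must permit:", mirrored_crypto_acl(IOS_CONFIG))
    # ASA outside subnet is a constructed placeholder; next hop is the Site A ISP router
    print("ASA route via 172.16.3.242 usable:", next_hop_is_local("172.16.3.242", ["203.0.113.0/29"]))
```

Running it against the excerpt reports 172.16.52.0/24 as having no static route to redistribute, no NAT-exemption gaps, the two mirrored pairs the ASA's crypto ACL must permit, and that 172.16.3.242 is not a valid next hop from the ASA's outside subnet.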
07-23-2012 12:43 PM
Ok, then I had everything correct before I added the route in the ASA at Site B. When I think about it I had it working before when I emulated the ISP network by creating a few loopback interfaces in the Site A router and pinged from the networks at Site B. So the VPN configuration is correct as far as I can see...
Correct?
/Johan Christensson
07-29-2012 05:34 PM
Had to put this matter aside for a few days, but I have been looking over this during the weekend but I can't seem to get it to work.
The setup is the same as before, now with working OSPF against my ISP. It's the VPN bits that don't work.
On the ASA in Site B I have created a site-to-site tunnel against the router at Site A. I have created a crypto map containing all the networks in Site B that I want to be able to communicate with networks in Site A. Aside from the local network at Site A I have also included the Site B ISP service network in the crypto map. I have also made sure, for the purpose of testing, that all the networks in Site A have unrestricted access to the networks in Site B regarding ACLs in the ASA in Site B. I have also created NAT exceptions for traffic between the networks.
The VPN tunnel configuration at Site A is matching the configuration at Site A. Needless to say, the crypto map is of course turned around. If I create a loopback interface at the router in Site A, matching the IP address in the ISP service network that I'm interested in, I can ping this address from Site B to A. The router in Site A can ping the address in the ISP service network, but I can't ping the "service address" from Site B. (Of course I remove the loopback interface...)
So, it feels as if there is still something missing in the configuration of the router at Site A, but I don't know what at this point since as far as I can see the VPN connection work as it is suppose to.
What do I miss?
/Johan Christensson
07-30-2012 12:21 AM
Hello Johan,
if my understanding is correct, when you emulate the ISP service network with a loopback address on site A router, you are able to ping from Site B networks via VPN. So the VPN is fine. And also Site B ASA configuration is fine.
In addition to this, OSPF is now correctly advertising SIte B IP subnets to ISP on service link as you have checked in OSPF database.
I wonder if the ISP has implemented ACLs that allow traffic from Site A only, as the service was originally intended only for site A.
Could you ask the ISP tech staff if they have any form of traffic control applied to their service?
The reasoning is that the Site A router configuration should be complete now.
However, if you like feel free to post the current configuration ( just remove username/pwds and substitute public IP addresses)
Hope to help
Giuseppe
07-30-2012 02:08 PM
You are correct. If I create a loopback interface in the router at Site A that emulates the ISP service network, everything seems to work just fine from Site B.
Maybe I should explain what I'm doing and why. The reason for all this is that we have moved our datacenter from one city to another. The problem is that the ISP that we have at Site A (old location) was unable to deliver a connection for a reasonable price at Site B (new location) and we wanted to avoid all the hassle of switching over all the phone numbers to another ISP for now. So, the quick and dirty solution was to create a VPN link between the two locations to get the SIP traffic from Site A to Site B.
Now, as I see it nothing has really changed from a logical point of view. The IP subnet configured on the FA1 interface of the router at Site B used to be the link network between the ISP router and the ASA firewall, and there has been no changes in the IP addressing of the internal voice network either. So the TP cable has been replaced with a VPN link.
Anyhow, the config of the router looks like this:
Building configuration...
Current configuration : 7331 bytes
!
! Last configuration change at 01:16:38 CEST Mon Jul 30 2012 by ***
! NVRAM config last updated at 23:09:21 CEST Sun Jul 29 2012 by ***
! NVRAM config last updated at 23:09:21 CEST Sun Jul 29 2012 by ***
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VOIPGW01-********-*****-SE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ***********.
!
aaa new-model
!
!
aaa group server radius RADIUS_AUTH
server 172.16.20.12 auth-port 1812 acct-port 1813
!
aaa authentication login ISRAdminAuth group RADIUS_AUTH local enable
aaa authorization exec default group RADIUS_AUTH local if-authenticated
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3**********0
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3**********0
revocation-check none
rsakeypair TP-self-signed-3**********0
!
!
crypto pki certificate chain TP-self-signed-3*******0
certificate self-signed 01
###############################
quit
dot11 syslog
!
flow exporter SOHO-NetFlow1
destination 172.16.20.16
source FastEthernet1
output-features
transport udp 2055
export-protocol netflow-v5
!
!
flow monitor SOHO-NetFlow1
record netflow-original
exporter SOHO-NetFlow1
cache timeout active 1
!
ip source-route
!
!
!
!
!
ip cef
ip domain lookup source-interface FastEthernet1
ip domain name manhattan.local
ip name-server 172.16.20.12
ip name-server 172.16.20.13
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1811/K9 sn F***********6
username N***4-****-ISRAdmin privilege 15 secret 5 ******
!
!
ip ftp source-interface FastEthernet1
ip tftp source-interface FastEthernet1
ip ssh version 2
!
!
crypto isakmp policy 11
encr aes 256
authentication pre-share
group 5
crypto isakmp key ************************************ address 193.***.***.11
!
!
crypto ipsec transform-set N***3-***-IPSec esp-des esp-sha-hmac
!
crypto map N***3-***-CMap 11 ipsec-isakmp
set peer 193.***.***.11
set transform-set N****3-***-IPSec
match address 120
!
!
!
!
!
interface FastEthernet0
description Uplink to ISP WAN connection
ip address 213.***.***.242 255.255.255.240
ip access-group 102 in
no ip route-cache
duplex auto
speed auto
crypto map N***3-***-CMap
!
interface FastEthernet1
description Uplink to ISP BusinessTrunk connection
ip address 172.16.3.241 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
no ip address
shutdown
!
interface FastEthernet5
no ip address
shutdown
!
interface FastEthernet6
no ip address
shutdown
!
interface FastEthernet7
no ip address
shutdown
!
interface FastEthernet8
no ip address
shutdown
!
interface FastEthernet9
no ip address
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
router ospf 1
router-id 172.16.3.242
redistribute static subnets
network 172.16.3.240 0.0.0.7 area 0
network 172.16.21.0 0.0.0.255 area 0
network 172.16.52.0 0.0.0.255 area 0
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source route-map inside_nat0_outbound interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 213.***.***.241
ip route 172.16.21.0 255.255.255.0 FastEthernet0
ip route 172.16.52.0 255.255.255.0 FastEthernet0
!
access-list 102 permit udp host 193.***.***.11 any eq 10000
access-list 102 permit udp host 193.***.***.11 any eq non500-isakmp
access-list 102 permit udp host 193.***.***.11 any eq isakmp
access-list 102 permit esp host 193.***.***.11 any
access-list 102 permit ahp host 193.***.***.11 any
access-list 102 permit udp host 172.16.20.13 eq domain any
access-list 102 permit udp host 172.16.20.12 eq domain any
access-list 102 permit tcp host 193.***.***.11 any eq 22
access-list 102 permit ip host 193.***.***.116 any
access-list 102 permit ip host 46.***.***.180 any
access-list 102 permit ip host 84.****.***.90 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 110 deny ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 110 deny ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 110 deny ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 110 deny ip 88.***.***.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 110 deny ip 88.***.***.0 0.0.0.255 172.16.52.0 0.0.0.255
access-list 110 permit ip 172.16.3.240 0.0.0.7 any
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.20.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.21.0 0.0.0.255
access-list 120 permit ip 172.16.3.240 0.0.0.7 172.16.52.0 0.0.0.255
access-list 120 permit ip 88.***.***.0 0.0.0.255 172.16.21.0 0.0.0.255
access-list 120 permit ip 88.***.***.0 0.0.0.255 172.16.52.0 0.0.0.255
!
!
!
!
route-map inside_nat0_outbound permit 10
match ip address 110
!
snmp-server community netflowtest RW
snmp-server ifindex persist
!
!
radius-server host 172.16.20.12 auth-port 1812 acct-port 1813 key *!
!
control-plane
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
exec-timeout 60 0
login authentication ISRAdminAuth
transport preferred ssh
transport input ssh
!
ntp source FastEthernet1
ntp server 172.16.20.12 prefer
ntp server 172.16.20.13
end
/Johan Christensson
07-31-2012 05:14 AM
Hello Johan,
I would suggest configuring an outgoing ACL applied to Fas1 just to count packets sourced from Site B IP subnets and destined to the service network.
something like
access-list 150 permit ip host 172.16.21.Z 88.xx.xx.0 0.0.0.255
access-list 150 permit ip 172.16.21.0 0.0.0.255 88.xx.xx.0 0.0.0.255
access-list 150 permit ip 172.16.52.0 0.0.0.255 88.xx.xx.0 0.0.0.255
access-list 150 permit ip any any
int fas1
ip access-group 150 out
This is to check if packets sourced at Site B are effectively sent out the interface Fas1 to the ISP.
Note: you may have already performed this test.
As I wrote the Site A router configuration looks like complete and correct now.
Hope to help
Giuseppe
07-31-2012 10:42 AM
Well I did that yesterday, but just for the fun of it I activated the same rule again and got the following result:
Extended IP access list 140
10 permit ip 172.16.21.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (22 matches)
20 permit ip 172.16.52.0 0.0.0.255 88.xxx.xxx.0 0.0.0.255 (7 matches)
30 permit ip any any (1 match)
One strange thing though is that I created another rule:
Extended IP access list 160
10 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.21.0 0.0.0.255 (1 match)
20 permit ip 88.xxx.xxx.0 0.0.0.255 172.16.52.0 0.0.0.255 (4 matches)
30 permit ip any any (5 matches)
This rule was also applied to the FA1 interface but with the IN direction. If we assume that the ISP router isn't responding, shouldn't the statistics show 0? The matches in rule position 30 could be explained by the OSPF updates between the routers.
Correct?
/Johan Christensson