11-18-2013 01:25 PM - edited 03-07-2019 04:39 PM
Hi all
I ran into trouble: I can access Google search, but cannot access the Gmail site. Additionally, I cannot access any site related to Microsoft, or sometimes it is too slow. I think it may be related to my DNS server or Cisco router configuration.
Any advice, please.
Thanks
Here is the configuration:
Router#show run
Building configuration...
Current configuration : 1981 bytes
!
! Last configuration change at 20:06:06 UTC Thu Nov 14 2013
! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
! NVRAM config last updated at 15:04:59 UTC Tue Nov 5 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxxx
!
no aaa new-model
memory-size iomem 20
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1603AH9C
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description internal-LAN
ip address 172.x.x.x 255.255.0.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 11
ip address 172.16.x.x 255.255.240.0
!
interface GigabitEthernet0/2
description internet
ip address 50.240.x.x 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/2 overload
ip route profile
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
ip route 172.16.240.0 255.255.254.0 172.10.x.x
!
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 permit ip 172.16.240.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
11-18-2013 01:38 PM
Why do you have 2 entries here -
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
Looking at the rest of your config, it looks like the first entry is the one you need. What is the second entry meant to be doing?
If you do a "sh ip route", do you see both entries in the route table?
Jon
11-18-2013 01:46 PM
I use 172.10.0.30 for one ASA VPN interface to connect with my current network. That is why I need that route, so that any PC connected directly to the ASA can access the internet. I can remove it if that fixes the problem. But I think it is not the cause, because it worked well before.
After that, I attached my IP PBX to the network and configured some ACLs to allow ports for calls. The problem occurred, but there are still problems even though I deleted those ACLs.
Thanks
11-18-2013 02:22 PM
Hi
Thanks a lot. It is my fault. I deleted that route and it works fine. That is the problem. But can you explain it for me?
11-18-2013 02:29 PM
When you have multiple routes to the same destination, as long as the cost is the same (and it is for those 2 routes), the router will use both routes. It will basically switch between those routes. But in your case only one of the routes (the first entry) actually sent traffic out to the internet. So sometimes it would use the correct one, i.e. the first entry, and sometimes it would use the wrong one. When it used the wrong one, the packets would not be sent out to the internet and so they never reached their destination.
This is why some sites were unreachable, i.e. the initial packet used the wrong route and so never got to the server. And it also explains why some other sites were slow, i.e. part of the connection was using the right route but another part was using the wrong route, e.g. if a DNS lookup was needed and the wrong route was used then there would be a delay while the client waited for an answer. It might then reissue the request and this time the correct route was used.
Jon
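An added example, not part of the thread or of any poster's reply: a small Python check that scans a saved IOS configuration for the condition diagnosed above, two static routes to the same prefix with the same administrative distance but different next hops. The function names and the sample text are assumptions made for this illustration; the parser handles only the plain `ip route <prefix> <mask> <next-hop> [distance] ...` form seen in the posted config.

```python
import re
from collections import defaultdict

# Constructed sample: the static-route lines from the posted config
# (addresses masked with "x" on the page are kept as posted).
SAMPLE_CONFIG = """\
ip route profile
ip route 0.0.0.0 0.0.0.0 50.240.x.x
ip route 0.0.0.0 0.0.0.0 172.10.0.30 name ROUTE-VPN-REMOTE
ip route 172.16.240.0 255.255.254.0 172.10.x.x
"""

ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(.*)$")
DEFAULT_AD = 1  # IOS administrative distance of a static route when none is given


def parse_static_routes(config):
    """Return (prefix, mask, next_hop, distance) for each static route line."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # skips non-route lines such as "ip route profile"
        prefix, mask, next_hop, rest = m.groups()
        tokens = rest.split()
        # An optional distance is a bare number directly after the next hop.
        distance = int(tokens[0]) if tokens and tokens[0].isdigit() else DEFAULT_AD
        routes.append((prefix, mask, next_hop, distance))
    return routes


def equal_cost_conflicts(routes):
    """Map (prefix, mask, distance) to its next hops when several of them tie."""
    groups = defaultdict(list)
    for prefix, mask, next_hop, distance in routes:
        groups[(prefix, mask, distance)].append(next_hop)
    return {key: hops for key, hops in groups.items() if len(set(hops)) > 1}


if __name__ == "__main__":
    found = equal_cost_conflicts(parse_static_routes(SAMPLE_CONFIG))
    for (prefix, mask, dist), hops in found.items():
        print(f"{prefix} {mask} distance {dist}: shared across {', '.join(hops)}")
```

A tie reported for the default route is worth confirming against the output of "sh ip route" on the router, as suggested earlier in the thread.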