11-05-2012 09:07 AM - edited 03-07-2019 09:52 AM
I have 2 sites running off the same internet connection. One is the local network (Host), which can access the internet with no problems. The second is coming from a T1 connection from the second office (Remote). This connection can make it to the internal network of the host site but cannot get out to the internet. I am using Cisco 881s on both ends to make the connection. The tunnel is working fine; it is just the routing to the internet for the remote location that isn't working. Below is part of my configuration. The host IP is vlan 1. Remote IP is 192.168.65.0 network. From the remote network I can ping Fa4 but I can get to the gateway. If anyone could help me with this it would be great. Thank you in advance. Jonathon
interface Tunnel1
ip address 2.2.2.1 255.255.255.252
ip pim dense-mode
keepalive 10 3
tunnel source Vlan2
tunnel destination 192.168.15.5
!
!
interface FastEthernet0
switchport access vlan 2
!
!
interface FastEthernet1
switchport mode trunk
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description Connection to Internet Firewall
ip address x.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.55.1 255.255.255.0
ip pim dense-mode
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip igmp static-group 224.0.1.55
!
!
interface Vlan2
ip address 192.168.15.1 255.255.255.0
ip pim dr-priority 10
ip pim dense-mode
ip tcp adjust-mss 1452
ip igmp static-group 224.0.1.55
!
!
interface Vlan3
description Guest Vlan
ip address 10.10.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
!
router eigrp 1
network 10.10.10.0 0.0.0.255
network 192.168.15.0
network 192.168.55.0
!
ip default-gateway 64.233.204.20
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 192.168.65.0 255.255.255.0 Tunnel1
!
access-list 101 permit ip 192.168.65.0 0.0.0.255 any
access-list 101 permit ip 10.10.6.0 0.0.0.255 any
access-list 150 deny ip 10.10.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.10.2.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
11-05-2012 09:19 AM
Jonathon,
Can you post the other end? Do you have a default route configured on your other router to point to the tunnel?
HTH,
John
11-05-2012 09:27 AM
Here is the remote config. And yes, the default route is configured to go through the tunnel.
interface Tunnel1
ip address 2.2.2.2 255.255.255.252
ip pim dense-mode
keepalive 10 3
tunnel source Vlan2
tunnel destination 192.168.15.1
!
!
interface FastEthernet0
switchport access vlan 2
!
!
interface FastEthernet1
switchport access vlan 3
switchport mode trunk
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
no ip address
shutdown
duplex auto
speed auto
!
!
interface Vlan1
ip address 192.168.65.1 255.255.255.0
ip pim dense-mode
ip virtual-reassembly
ip tcp adjust-mss 1452
ip igmp join-group 224.0.1.55
!
!
interface Vlan2
ip address 192.168.15.5 255.255.255.0
ip access-group 111 in
ip pim dense-mode
ip igmp join-group 224.0.1.55
!
!
interface Vlan3
description Guest Vlan
ip address 10.10.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
!
router eigrp 1
network 10.10.6.0 0.0.0.255
network 192.168.15.0
network 192.168.65.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface Tunnel1 overload
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 192.168.25.0 255.255.255.0 2.2.2.1
ip route 192.168.35.0 255.255.255.0 2.2.2.1
ip route 192.168.45.0 255.255.255.0 2.2.2.1
ip route 192.168.55.0 255.255.255.0 Tunnel1
!
access-list 101 permit ip 10.10.6.0 0.0.0.255 any
access-list 101 permit ip 192.168.65.0 0.0.0.255 any
access-list 111 permit ip any host 224.0.1.59 log
access-list 111 permit ip any any
access-list 150 deny ip 10.10.6.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 10.10.6.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
11-05-2012 10:12 AM
Jonathon,
I believe the only thing that you need to do is to enable inside nat on the tunnel interface of the router that connects to the default gateway and you should be good.
HTH,
John
11-05-2012 10:43 AM
John,
I have added the inside nat to the tunnel interface on the router that connects to the gateway but still no luck. Do you have any other ideas?
Thank you,
Jonathon
11-05-2012 11:49 AM
Jonathon,
Let me lab this up, but I do have a question. On the remote side, you have nat configured, but you only have nat inside configured on vlan3. Are you wanting to run nat, or is that an old config? If it isn't needed, you should remove it. I'm going to lab this up...
John
11-05-2012 11:55 AM
John,
Well, this might be a different problem now. I just got a call from the Host location and they just told me they cannot get to the internet since about 30 minutes after I left, and I left their location at 9:00 AM CST this morning. Haha. So let me look at that and I will get back to you.
To answer your question. The vlan3 is actually a copy from my client's other locations and it just got thrown in there with it. vlan 3 is currently not operational. I am more worried about vlan 1.
Thanks,
Jonathon
11-05-2012 12:17 PM
Jonathon,
I look forward to seeing what you find out. I successfully labbed it with no issue. I have the following:
(LAN: 172.16.1.0) R1 (192.168.12.1) --> (192.168.12.2) R2 (10.23.0.2) --> (10.23.0.3) R3 (10.34.0.3) ---> (10.34.0.4) R4 (Lo4: 4.4.4.4)
GRE Tunnel between R2 and R3 using 2.2.2.2 and 2.2.2.3

R1:
ip route 0.0.0.0 0.0.0.0 192.168.12.2

R2:
interface Tunnel1
 ip address 2.2.2.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 10.23.0.3
ip route 0.0.0.0 0.0.0.0 tunnel1
ip route 172.16.1.0 255.255.255.0 192.168.12.1

R3:
interface Tunnel1
 ip address 2.2.2.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 tunnel source FastEthernet0/0
 tunnel destination 10.23.0.2
interface FastEthernet0/1
 ip address 10.34.0.3 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 172.16.1.0 0.0.0.255

R4:
interface FastEthernet0/0
 ip address 10.34.0.4 255.255.255.0
 duplex auto
 speed auto
end
interface Loopback4
 ip address 4.4.4.4 255.255.255.255
end

** Routing table on R4 doesn't know about 172.16.1.0/24 **
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback4
     10.0.0.0/24 is subnetted, 2 subnets
D       10.23.0.0 [90/307200] via 10.34.0.3, 00:11:30, FastEthernet0/0
C       10.34.0.0 is directly connected, FastEthernet0/0

From R1 I can ping:
R1#ping 4.4.4.4 source 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.4, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!

Trace shows that the traffic does go over the tunnel:
R1#trace 4.4.4.4 sour 172.16.1.1
Type escape sequence to abort.
Tracing the route to 4.4.4.4
  1 192.168.12.2 36 msec 44 msec 32 msec
  2 2.2.2.3 72 msec 84 msec 72 msec
  3 10.34.0.4 148 msec * 120 msec
Let me know what you find out and we can continue to work with this if you're still having an issue.
HTH,
John
11-05-2012 02:00 PM
John,
Thank you for your assistance with this. You were right about the nat, and after re-adding the Access-list 101 permit IP 192.168.65.0 back to the Host router it started routing to the internet again.
Thank you once again,
Jonathon
11-05-2012 02:02 PM
Awesome to hear. I'm glad to hear it's working, and thank you for the rating!
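The two conditions that resolved this thread (`ip nat inside` on the host router's Tunnel1 and an access-list 101 permit for 192.168.65.0) can be checked offline against a saved config. The Python below is an added example, not part of any post in the thread; `parse`, `audit_nat` and the trimmed sample config are constructed for illustration, and the check assumes the source subnet is reached by a static route that names an interface, as in the host config above.

```python
import ipaddress
import re

# Constructed host-router excerpt with both fixes from the thread applied.
FIXED = """\
interface Tunnel1
 ip nat inside
interface FastEthernet4
 ip nat outside
ip nat inside source list 101 interface FastEthernet4 overload
ip route 192.168.65.0 255.255.255.0 Tunnel1
access-list 101 permit ip 192.168.65.0 0.0.0.255 any
"""
# Failing state: no NAT role on the tunnel, no ACL entry for the remote LAN.
BROKEN = FIXED.replace(" ip nat inside\n", "").replace(
    "access-list 101 permit ip 192.168.65.0 0.0.0.255 any\n", "")

def parse(config):
    ifaces, acls, routes, pat, cur = {}, {}, [], None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"nat": None})
        elif cur and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            cur["nat"] = m[1]
        elif m := re.fullmatch(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            pat = (m[1], m[2])  # (ACL name, egress interface)
        elif m := re.fullmatch(r"ip route (\S+) (\S+) ([A-Za-z]\S*)", line):
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
        elif m := re.fullmatch(r"access-list (\S+) permit ip (\S+) (\S+) any", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
    return ifaces, acls, routes, pat

def audit_nat(config, source):
    src = ipaddress.ip_network(source)
    ifaces, acls, routes, pat = parse(config)
    if pat is None:
        return ["no 'ip nat inside source list ... overload' rule"]
    acl, egress = pat
    # Traffic from src arrives on the interface named in a non-default static route.
    ingress = [ifn for net, ifn in routes if net.prefixlen and src.subnet_of(net)]
    findings = [f"{n}: missing 'ip nat inside'" for n in ingress
                if ifaces.get(n, {}).get("nat") != "inside"]
    if not ingress:
        findings.append(f"no static route via an interface leads to {src}")
    if not any(src.subnet_of(n) for n in acls.get(acl, [])):
        findings.append(f"access-list {acl}: no permit for {src}")
    if ifaces.get(egress, {}).get("nat") != "outside":
        findings.append(f"{egress}: missing 'ip nat outside'")
    return findings
```

Calling `audit_nat(BROKEN, "192.168.65.0/24")` reports both the missing tunnel NAT role and the missing ACL entry; the same call on `FIXED` returns an empty list.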