02-23-2017 01:29 PM - edited 03-08-2019 09:28 AM
Hi there,
Thanks for reading.
I have a VLAN which I need to make available to remote users. It's a small location with a switch behind a router. The router has a /24 VLAN interface defined which we're NATing to the Internet on Fa1. Here are (what I think are) the important details:
RT1
interface FastEthernet1
description INTERNET
no ip dhcp client request static-route
no ip dhcp client request router
ip address 192.168.0.2 255.255.255.0
ip access-group 198 in
ip nat outside
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
interface Vlan1
description LAN
ip address 10.25.2.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip nat inside source static tcp 10.25.2.254 23 interface FastEthernet1 23
ip nat inside source route-map NONAT interface FastEthernet1 overload
route-map NONAT permit 10
match ip address 110
access-list 110 deny ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255
access-list 110 deny ip 10.25.2.0 0.0.0.255 10.1.50.0 0.0.0.255
access-list 110 deny ip 10.25.2.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 110 deny ip host 10.25.255.29 host A.B.C.135
access-list 110 deny ip host 10.25.255.29 host A.B.C.136
access-list 110 permit ip any any
The router can ping the 10.25.x.x range, but the local VPN tunnel interfaces cannot. The tunnels are how the remote site is connected to the central network.
show ip arp
Protocol  Address        Age (min)  Hardware Addr   Type  Interface
Internet  10.25.2.100          133  78e3.b5f6.3c22  ARPA  Vlan1
Internet  10.25.2.253           15  649e.f31c.42e2  ARPA  Vlan1
Internet  10.25.2.254            -  0016.c7bf.f5ce  ARPA  Vlan1
Internet  192.168.0.1           10  c03f.0ecb.43c0  ARPA  FastEthernet1
Internet  192.168.0.2            -  0016.c7bf.f5cf  ARPA  FastEthernet1
!
router eigrp 100
passive-interface FastEthernet1
! This covers one of the Tunnel /30 networks
network 10.3.144.80 0.0.0.3
! This covers the other Tunnel /30 network
network 10.3.208.80 0.0.0.3
network 10.3.128.0 0.0.127.255
network 10.25.2.0 0.0.0.255
no auto-summary
eigrp stub connected summary
This looks wrong to me: shouldn't the inside global be a routable address?
rtuk401#show ip nat translations
Pro  Inside global      Inside local       Outside local        Outside global
tcp  192.168.0.2:23     10.25.2.254:23     ---                  ---
udp  192.168.0.2:500    192.168.0.2:500    91.212.206.135:500   91.212.206.135:500
udp  192.168.0.2:500    192.168.0.2:500    91.212.206.136:500   91.212.206.136:500
udp  192.168.0.2:4500   192.168.0.2:4500   91.212.206.135:4500  91.212.206.135:4500
udp  192.168.0.2:4500   192.168.0.2:4500   91.212.206.136:4500  91.212.206.136:4500
Thanks in advance!
02-23-2017 04:34 PM
Hi Bob,
There are a number of things missing from the equation; sharing the configs for the router and switch would help a lot. If you would feel better e-mailing them to me, that would be fine. You didn't go into a lot of detail as to what type of VPN (IPsec, AnyConnect, DMVPN, etc.) the users connect with. I can only assume that the VPN terminates on the router. It looks as though you have several interfaces/VLANs that terminate on this router.
Share your configs and I'll see if I can help.
Cheers,
Sam
02-23-2017 07:49 PM
02-24-2017 11:40 AM
Hi Bob,
When something like this happens, it is generally a route or an access-list issue. I would like to see a show ip route from all VPN endpoints. If the routes are built correctly, you should be able to ping each endpoint from the router. If you are able to ping/trace to each endpoint and the subnets behind the endpoints, the routing is correct.
The next step is the access list, your NAT access list seems to have an error:
access-list 110 deny ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255
This is removing NAT to a public address. I would like to see a NAT list with a broader scope, to see if it solves the problem, something like this:
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip any any
This is a very broad access list for your NAT process; if this works, there is an issue with your access list. It is difficult to decipher without knowing the routes to the remote sites; I can only assume that 10.1.50.0/24 and 10.1.11.0/24 are your endpoints.
Finally, the problem could also be on the far endpoint, in the routing or access list; you don't provide any information on the remote locations. However, they too will have to have routes and access lists that allow traffic back to this endpoint.
Regards,
Sam
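To make the NAT-exemption logic discussed in Bob's post and in Sam's reply concrete, here is an added Python example (not from the thread, not a Cisco tool) that evaluates an IOS wildcard-mask ACL the way `ip nat inside source route-map NONAT` consults it through `route-map NONAT permit 10 / match ip address 110`: a flow the ACL permits is translated, a flow it denies is left alone. It uses ACL 110 as posted and Sam's broader list. The test flows are constructed; 10.3.144.81 is assumed to sit inside the /30 covered by `network 10.3.144.80 0.0.0.3`, 203.0.113.10 is a documentation address standing in for an Internet host, and the two redacted `host A.B.C.x` entries are left out because their addresses are unknown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


def _ip(text: str) -> int:
    """IPv4 dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus (address, wildcard) for source and destination."""
    action: str
    src: Tuple[int, int]
    dst: Tuple[int, int]


def wildcard_match(addr: int, spec: Tuple[int, int]) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is don't-care."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def _operand(tokens: List[str]) -> Tuple[Tuple[int, int], List[str]]:
    """Consume one address operand: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == 'any':
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == 'host':
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST' lines (only the 'ip' protocol is modelled)."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] != 'access-list':
            continue  # blank lines and anything that is not an ACL entry
        action, proto = tokens[2], tokens[3]
        if action not in ('permit', 'deny') or proto != 'ip':
            raise ValueError(f'unsupported entry: {line}')
        src, rest = _operand(tokens[4:])
        dst, _ = _operand(rest)
        aces.append(Ace(action, src, dst))
    return aces


def acl_result(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for ace in aces:
        if wildcard_match(s, ace.src) and wildcard_match(d, ace.dst):
            return ace.action
    return 'deny'


def nat_decision(acl_lines: List[str], src: str, dst: str) -> str:
    """route-map NONAT permit 10 / match ip address 110: permitted flows are
    translated, denied flows bypass NAT (the exemption)."""
    return 'translate' if acl_result(parse_acl(acl_lines), src, dst) == 'permit' else 'exempt'


# ACL 110 as posted (the two redacted 'host A.B.C.x' entries are omitted).
ORIGINAL_ACL = [
    'access-list 110 deny ip 10.25.2.0 0.0.0.255 192.44.44.0 0.0.0.255',
    'access-list 110 deny ip 10.25.2.0 0.0.0.255 10.1.50.0 0.0.0.255',
    'access-list 110 deny ip 10.25.2.0 0.0.0.255 10.1.11.0 0.0.0.255',
    'access-list 110 permit ip any any',
]

# The broader diagnostic list Sam suggested.
BROAD_ACL = [
    'access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255',
    'access-list 110 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255',
    'access-list 110 permit ip any any',
]

# Constructed flows from a VLAN1 host (10.25.2.100 appears in the posted ARP table).
FLOWS = [
    ('10.25.2.100', '10.1.50.10'),    # remote subnet named in the original ACL
    ('10.25.2.100', '10.3.144.81'),   # assumed: inside the tunnel /30 from the EIGRP config
    ('10.25.2.100', '192.44.44.5'),   # the public range the original ACL exempts
    ('10.25.2.100', '203.0.113.10'),  # stand-in Internet destination (TEST-NET-3)
]


def compare(flows=FLOWS) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Decision under the original list and under the broad list, per flow."""
    return {(s, d): (nat_decision(ORIGINAL_ACL, s, d), nat_decision(BROAD_ACL, s, d))
            for s, d in flows}


if __name__ == '__main__':
    for (s, d), (orig, broad) in compare().items():
        print(f'{s:>12} -> {d:<13}  original: {orig:<9}  broad: {broad}')
```

Run stand-alone, it prints both decisions for each flow. With the list as posted, VLAN1 traffic to 10.1.50.0/24 and 10.1.11.0/24 is exempted, but traffic to any other 10.x destination, including an address in the tunnel /30, falls through to `permit ip any any` and is translated; Sam's broader list exempts everything 10/8-to-10/8 and 10/8-to-192.168/16, and in exchange translates the 192.44.44.0/24 destination the original list had carved out, which is the trade-off he flags.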
02-24-2017 03:17 PM
Hi Sam,
Thanks for your feedback. I'm stuck right now without remote-hands help. There had been a device powered up getting a VLAN1 IP address, but no more. They're in a different time zone too (8-hour difference). So I'm unable to continue till next week (damitol).
Thanks again for your detailed response!
Bob