07-02-2012 11:09 AM - edited 03-07-2019 07:34 AM
My problem is that I cannot ping an external address from vlan2.
I included my running config below. Here is an overview of my setup:
- There are two internal vlans,10.10.0.0 and 10.20.0.0.
- NAT on vlan 1 (10.10.0.0) works fine. I can ping an external IP address from 10.10.0.1.
- NAT on vlan 2 (10.20.0.0) does not work. I cannot ping an external IP address from 10.20.0.1.
- I have a peer-to-peer VPN tunnel where vlan 2 has access to a peer network.
I suspect that the VPN may be interfering with NAT traffic, however I believe I have the ACLs configured correctly.
Thanks in advance,
-Jesse
Building configuration...
Current configuration : 5977 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco1811
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
logging console critical
enable secret 5 ###########################
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name company.com
ip name-server xxx.xxx.xxx.xxx
ip name-server 8.8.8.8
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-406172510
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-406172510
revocation-check none
rsakeypair TP-self-signed-406172510
!
!
crypto pki certificate chain TP-self-signed-406172510
certificate self-signed 01
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 2
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key xxxxxxxxxxxxxx address 55.5.5.5
!
!
crypto ipsec transform-set Peer_VPN_Tunnel esp-aes 256 esp-md5-hmac
!
crypto map crypto_map_peer_tunnel 1 ipsec-isakmp
description Tunnel to 55.5.5.5
set peer 55.5.5.5
set transform-set Peer_VPN_Tunnel
match address 100
!
!
!
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1
ip address 66.6.6.6 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map crypto_map_peer_tunnel
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.10.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 10.20.0.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 66.6.6.1
!
!
ip http server
ip http access-class 99
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map map_dsl_nat interface FastEthernet1 overload
!
no logging trap
access-list 99 remark Limit Router Config Access (SSH, SDM, TELNET, etc)
access-list 99 permit 10.10.0.0 0.0.0.255 log
access-list 100 remark Encrypt tunnel traffic to peer network, only for vlan2
access-list 100 permit ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark DSL NAT
access-list 101 deny ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
access-list 101 permit ip 10.20.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map map_dsl_nat permit 1
match ip address 101
!
!
!
!
control-plane
!
banner login ^CCCCCCCCCCCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
access-class 99 in
transport input ssh
line vty 5 15
access-class 99 in
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
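The way the posted config classifies inside-to-outside traffic can be checked mechanically. The following is an added Python model, not part of the original post and not Cisco code, of IOS wildcard-mask ACL evaluation (first match wins, implicit deny at the end) and of the inside-to-outside order of operations, in which NAT inside-to-outside translation happens before the crypto map on the outbound interface is consulted. ACL 100, ACL 101, the Fa1 address and the default route are transcribed from the config above; the flow addresses are constructed, and the names `acl_lookup`, `classify` and `next_hop_on_link` are chosen here.

```python
"""Model of the posted 1811 config: NAT route-map ACL 101, crypto ACL 100.

Added example, not from the original post. Assumes the IOS inside-to-outside
order of operations: NAT runs before the crypto map check on the outbound
interface, so the crypto ACL sees the post-NAT source address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # "address wildcard" as written in the ACL
    dst: str


def _wild_match(entry: str, ip: str) -> bool:
    """Cisco wildcard: a 0 bit must match, a 1 bit is 'don't care'."""
    base, wild = entry.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if _wild_match(ace.src, src) and _wild_match(ace.dst, dst):
            return ace.action
    return "deny"


# Transcribed from the posted running-config.
ACL_100 = [Ace("permit", "10.20.0.0 0.0.0.255", "192.168.1.0 0.0.0.255")]
ACL_101 = [
    Ace("deny", "10.20.0.0 0.0.0.255", "192.168.1.0 0.0.0.255"),   # NAT exemption
    Ace("permit", "10.10.0.0 0.0.0.255", "0.0.0.0 255.255.255.255"),
    Ace("permit", "10.20.0.0 0.0.0.255", "0.0.0.0 255.255.255.255"),
]
# ACL 101 with the deny (NAT exemption) line removed, for comparison.
ACL_101_NO_EXEMPT = ACL_101[1:]
OUTSIDE_IP = "66.6.6.6"          # interface FastEthernet1, ip nat outside
OUTSIDE_CIDR = "66.6.6.6/30"
DEFAULT_NEXT_HOP = "66.6.6.1"    # ip route 0.0.0.0 0.0.0.0 66.6.6.1


def classify(src: str, dst: str, nat_acl=ACL_101, crypto_acl=ACL_100):
    """Return (source address on the wire, disposition) for an inside->outside flow.

    disposition: 'vpn'   packet matched the crypto ACL and is encrypted to the peer
                 'nat'   packet was translated to the outside address and sent in clear
                 'leak'  private source left untranslated and unencrypted
    """
    # Step 1: NAT inside->outside, governed by route-map map_dsl_nat -> ACL 101.
    wire_src = OUTSIDE_IP if acl_lookup(nat_acl, src, dst) == "permit" else src
    # Step 2: crypto map on Fa1 matches ACL 100 against the post-NAT packet.
    if acl_lookup(crypto_acl, wire_src, dst) == "permit":
        return wire_src, "vpn"
    return wire_src, "nat" if wire_src != src else "leak"


def next_hop_on_link(iface_cidr: str, next_hop: str) -> bool:
    """True if a static-route next hop lies inside the egress interface's subnet."""
    return ipaddress.IPv4Address(next_hop) in ipaddress.IPv4Interface(iface_cidr).network


if __name__ == "__main__":
    # Constructed sample flows: one host per VLAN, to the peer LAN and to the Internet.
    flows = [("10.20.0.5", "192.168.1.10"), ("10.20.0.5", "8.8.8.8"),
             ("10.10.0.5", "192.168.1.10"), ("10.10.0.5", "8.8.8.8")]
    for src, dst in flows:
        print(f"{src:>10} -> {dst:<14} ACL101 as posted: {classify(src, dst)}"
              f"   without deny line: {classify(src, dst, ACL_101_NO_EXEMPT)}")
    print("default next hop on Fa1 subnet:",
          next_hop_on_link(OUTSIDE_CIDR, DEFAULT_NEXT_HOP))
```

Two things the model makes visible. First, the deny line in ACL 101 is the NAT exemption: it keeps VLAN 2 to 192.168.1.0/24 traffic untranslated so that it still matches crypto ACL 100; remove it and that traffic is translated to 66.6.6.6 before the crypto map looks at it, so it never enters the tunnel. VLAN 2 traffic to any other destination is permitted by the third entry and translated exactly like VLAN 1, so ACL 101 by itself does not distinguish the two VLANs. Second, the default route's next hop 66.6.6.1 is not inside Fa1's 66.6.6.4/30, which the last line flags; if those are the real addresses rather than placeholders, that is worth fixing before looking further at NAT.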
09-30-2012 04:34 AM
Hello Jessem,
remove the following line and see how it goes
access-list 101 deny ip 10.20.0.0 0.0.0.255 192.168.1.0 0.0.0.255
regards
Harish.
09-30-2012 06:34 AM
Jesse
I can't see anything obviously wrong with your config. So some quick checks.
1) does the VPN work
2) from a client in vlan 2 can you ping the vlan 1 interface
3) from a client in vlan 2 can you ping the fa1 interface IP
4) What does a traceroute from a client in vlan 2 show
5) when you try to ping an external IP from a client in vlan 2 can you see any activity on the IPSEC tunnel
Note it is best to do all these tests from a client and not from the router itself, i.e. don't use the vlan 2 IP as the source IP.
Jon
09-30-2012 06:55 AM
If these are real addresses, your default route next hop and your Internet facing interface are not in the same subnet.
Sent from Cisco Technical Support iPad App
09-30-2012 07:05 AM
Jeff
Good spot although it begs the question why a device in vlan 1 can access internet addresses ?
Jon
09-30-2012 09:10 AM
I didn't imply it would. But if there is an error in routing its my experience to fix that first.
Sent from Cisco Technical Support iPad App