03-24-2015 07:34 AM - edited 03-07-2019 11:14 PM
I am rebuilding our configuration on both of our 2911 routers from scratch. Replacing them one at a time. I loaded this config into the router, but I wasn't able to access the internet from any computers behind the router. I can ping WAN addresses from within the router.
(I am new to Cisco routing and it's probably something easy, I just can't seem to figure it out)
Here's the config:
redundancy
!
!
!
!
!
track 1 ip sla 1 reachability
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key $$$$$$$$$$$ address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set VPNset esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map vpnset 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set VPNset
match address VPN_TRAFFIC
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.4.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 20.20.20.20 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map vpnset
!
interface GigabitEthernet0/2
ip address 21.21.21.21 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.4.10 1723 20.20.20.21 1723 extendable
ip route 0.0.0.0 0.0.0.0 20.20.20.1 track 1
ip route 0.0.0.0 0.0.0.0 21.21.21.1 10
!
ip access-list extended VPN_TRAFFIC
permit ip 10.0.4.0 0.0.3.255 10.0.0.0 0.0.3.255
!
ip sla 1
icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
threshold 2
timeout 1000
frequency 3
ip sla schedule 1 life forever start-time now
!
!
snmp-server community public RO
snmp-server chassis-id cisco2
access-list 100 remark NAT_SERVICE
access-list 100 deny ip 10.0.4.0 0.0.3.255 10.0.0.0 0.0.3.255
access-list 100 permit ip 10.0.4.0 0.0.3.255 any
access-list 100 remark
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
03-24-2015 08:08 AM
Your config needs many things to be changed to work as it should...but for a quick solution, try removing track 1 from the line "ip route 0.0.0.0 0.0.0.0 20.20.20.1 track 1" and it should work...just remove the track 1 part and leave everything before it as it is!
AFAIK Google DNS doesn't like to be tested for reachability purposes :)...I mean they for sure block that ping reply...
HTH,
Dragan
03-24-2015 08:10 AM
Gotcha, I was just looking for a reliable ping. My next hop would jump from 2ms to 150ms every once in a while.
What other problems do you see with the config? If you don't mind.
03-24-2015 08:17 AM
Well - you have 2 ISPs on the WAN side, so I suggest you go with an adequate route-map in your global NAT statement so you can choose where to translate your local addresses.
Also, when you have this kind of setup, using track is great, but don't forget that - in case you have primary and secondary WAN links - you need to restore your traffic to the primary link when it comes back...using just tracking as it is in this config isn't enough. I have a good example on my blog with these floating static routes using EEM and track...your config is even simpler because you have the SLA feature on your router. Here is the link: http://draganchilly.blogspot.com/2013/04/floating-static-routes-without-ip-sla.html
BR,
Dragan
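Putting Dragan's two suggestions (per-ISP NAT with route-maps, and tracking that also fails back cleanly) into a config fragment, as an added example that is not from the thread or from Dragan's blog; it goes slightly beyond the reply by pinning the probe with a host route so the SLA only ever measures ISP1. Interface names, addresses and ACL 100 are the poster's; the probe target, timers and route-map names are assumptions.

```cisco
! Added example, not the poster's config or Dragan's recipe. Interface
! names and addresses come from the thread; probe target, delay timers
! and route-map names are assumptions.

! 1) Pin the probe to ISP1's next hop, so the SLA tests ISP1 itself and
!    cannot "succeed" over ISP2 while ISP1 is still down (that is what
!    makes the primary route flap back and forth). Pick a target that the
!    ISP1 path reliably answers; the thread suggests 8.8.8.8 may not.
ip route 8.8.8.8 255.255.255.255 20.20.20.1

ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/1
 threshold 2
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now

! 2) Dampen flapping: wait before declaring ISP1 down and, more
!    importantly, before restoring the primary route (values assumed).
track 1 ip sla 1 reachability
 delay down 10 up 30

! 3) Floating default routes: the primary follows the track, the
!    secondary has a worse administrative distance (10) and takes over
!    only when the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 20.20.20.1 track 1
ip route 0.0.0.0 0.0.0.0 21.21.21.1 10

! 4) Per-ISP NAT via route-maps instead of the single
!    "ip nat inside source list 100 interface GigabitEthernet0/1 overload".
!    Traffic is translated to the address of whichever WAN interface it
!    actually exits, so sessions that fail over to Gi0/2 leave with a
!    source ISP2 will route. ACL 100 still keeps the VPN subnet un-NATed.
route-map NAT_ISP1 permit 10
 match ip address 100
 match interface GigabitEthernet0/1
route-map NAT_ISP2 permit 10
 match ip address 100
 match interface GigabitEthernet0/2

no ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/2 overload
```

After a failover and failback, `show track 1` and `show ip sla statistics 1` show whether the probe and the tracked route behave as intended, and `show ip nat translations` shows which WAN address each session was translated to.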