02-03-2014 12:01 PM - edited 03-07-2019 05:58 PM
Please bear with me; I am new to Cisco routers.
Background:
Small company that has 2 public IP addresses. The company has 2 buildings across the street from each other and no way to directly connect them together. Currently the company has 2 NetGear Prosafe FVS336G routers to create a VPN between the two buildings. I am trying to replace the NetGear equipment with 2 Cisco 1921 routers with an EHWIC-1GE-SFP-CU card in each. The ISP has fiber running to each building with a media converter that changes the fiber to copper. No matter what I do, I have not been able to get the routers onto the internet. I can ping through the LAN port to the WAN port but not to the next hop to the gateway. Here are the configurations:
Building configuration...
Current configuration : 5824 bytes
!
! Last configuration change at 21:13:26 Chicago Wed Jan 29 2014 by *********
! NVRAM config last updated at 20:57:39 Chicago Wed Jan 29 2014
! NVRAM config last updated at 20:57:39 Chicago Wed Jan 29 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****-****
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 lb2avLaY6/A.CvVUiNp7qgCloPnmzIN8yPVCg.TeFDY
enable password 7 050F00083645420D150C1117
!
no aaa new-model
clock timezone Chicago -6 0
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
!
ip cef
!
!
! ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool DFG_Mill_Client
import all
network 192.168.2.0 255.255.255.0
domain-name dfg.local
dns-server 192.168.1.10 216.183.32.6
default-router 192.168.2.1
lease infinite
!
!
!
no ip domain lookup
ip domain name dfg.local
ip name-server 216.183.32.6
ip name-server 192.168.1.10
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1634222303
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1634222303
revocation-check none
rsakeypair TP-self-signed-1634222303
!
!
crypto pki certificate chain TP-self-signed-1634222303
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31363334 32323233 3033301E 170D3134 30313239 30303436 32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36333432 32323330 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100BFD3 62B95BA0 D520AF0E 70682CCD A5A30E80 D448BD39 F9572CFB 6A26726D 2ED4886B 458C2493 61AFD3E8 DB936A04 7F7353DF CE4C487E 429F94CC 76C25902 6C612074 E3A5E839 05AD69B3 CFA3F489 40A29D61 ACD691A4 20AF5431 C821D40E EB3A06C9 0F1F2CF7 DDAB7B81 7A68CD5D 7152ACE3 6966BD4A BDBC82FA B43331EC 8D7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 14EC992F 83142501 B241B886 C71E627F 81F515A8 5F301D06 03551D0E 04160414 EC992F83 142501B2 41B886C7 1E627F81 F515A85F 300D0609 2A864886 F70D0101 05050003 8181004E 3FAFF3A2 76EE56BE 7BE3C8D3 D34A14CA A2ED06F0 9E835890 8F1A2C40 7D021A5D 64BEF43E CB31F046 68E2893F 0593D339 B9FC214B B1111533 9F89C0E9 B03C8B5C C4772BAE A7E5E0DD 44F2B3B5 4E2D2879 B45A81C0 1D87D85C EC4B2721 9A1E69C6 DBB24540 5C34E4DB 3141EF61 CF938F5E DC6EE9BE 85D49E77 311E20E3 93F90B
quit
license udi pid CISCO1921/K9 sn FTX173885T5
!
!
username ************ privilege 15 secret 4 IRZa0mv.Uv04Aq6uuzX9gZyWOX871btpQ5PlDA56WeE
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ********** address 72.26.36.30
!
!
crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 72.26.36.30
set transform-set vpnset
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description DFG_Mill_Config
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/1
description DFG_Mill_LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
description DFG_Mill_WAN
ip address 72.26.36.28 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpnset
!
router rip
version 2
passive-interface GigabitEthernet0/0/0
network 10.0.0.0
network 72.0.0.0
network 192.168.2.0
neighbor 72.26.36.1
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.2.51 1025 72.26.36.28 80 extendable
ip nat outside source static tcp 72.26.36.28 8081 192.168.2.51 80 extendable
ip route 0.0.0.0 0.0.0.0 72.26.36.1
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip any any
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
control-plane
!
!
banner login ^CWARNING!!! This system is solely for the use of authorized users of DFG Wildlife Supply for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly; individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.#^C
!
line con 0
password 7 110D1F02001B070808232D21
logging synchronous
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password 7 070B274B590015011B1B0D09
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 96.226.242.9 prefer source GigabitEthernet0/0/0
ntp server 216.171.120.36 prefer source GigabitEthernet0/0/0
ntp server 64.113.32.5 prefer source GigabitEthernet0/0/0
!
end
02-03-2014 11:08 PM
Hi Scott,
If I were you, I would remove the WAN connection cable from the router, connect it to a laptop, assign the WAN IP address to the laptop, and verify that the internet is working fine from the laptop using the public IP address. If this is not working, then you will have to work with your ISP on the same.
If this is working, I would connect the cable back to the router WAN port again and check "show ip nat translations" on the router to verify that NAT is working fine when you try browsing.
Hope that helps.
Regards
Najaf
Please rate when applicable or helpful !!!
02-03-2014 11:27 PM
Hi,
So you are using the same ACL for the crypto map and NAT, which is not good; could you try like this:
no access-list 100
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
crypto map vpnset 10 ipsec-isakmp
no match add 100
match add 101
Regards
Alain
Don't forget to rate helpful posts.
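The following is an added example, not part of any post in this thread and not Alain's or Scott's configuration. It spells out the change Alain proposes and adds the two caveats a practitioner would want when applying it on IOS: the old NAT statement that references ACL 100 has to be removed and its translations cleared before the list is rebuilt, and the crypto ACL must be narrowed, because in the posted config the same "permit ip any any" list is also the crypto map's match address, which selects every packet leaving GigabitEthernet0/0/0 (router-originated pings to 72.26.36.1 included) for the tunnel to 72.26.36.30. The ACL names VPN-TRAFFIC and NAT-TRAFFIC are an assumption of this example (Alain's reply uses numbered lists 100 and 101, which work the same way); the addresses, interface and crypto map name are taken from the posted configuration, and the verification commands at the end follow Najaf's laptop-first approach.

```cisco
! --- Added example: separate crypto ACL from NAT ACL on the DFG_Mill router ---
! ACL names VPN-TRAFFIC / NAT-TRAFFIC are this example's choice, not from the thread.

! 1. Remove the overload rule that references ACL 100 before rebuilding the list,
!    then drop any translations built from it.
no ip nat inside source list 100 interface GigabitEthernet0/0/0 overload
clear ip nat translation *
no access-list 100

! 2. Crypto ACL: only LAN-to-remote-LAN traffic should be encrypted to 72.26.36.30.
!    The original "permit ip any any" here matched all egress traffic on Gi0/0/0.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

! 3. NAT ACL: deny the VPN traffic first, then translate the rest of the LAN.
!    Inside-to-outside NAT is applied before the crypto map is evaluated, so
!    tunnel traffic that got translated to 72.26.36.28 would no longer match
!    VPN-TRAFFIC. The deny must come before the permit; ACLs are first-match.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any

! 4. Re-attach NAT to the new list and point the crypto map at the new crypto ACL.
ip nat inside source list NAT-TRAFFIC interface GigabitEthernet0/0/0 overload
crypto map vpnset 10 ipsec-isakmp
 set peer 72.26.36.30
 set transform-set vpnset
 match address VPN-TRAFFIC

! 5. Verify, in this order (laptop test from Najaf's reply comes first):
!    ping 72.26.36.1 source GigabitEthernet0/0/0   ! next hop must answer with no NAT/crypto involved
!    show ip nat translations                      ! LAN hosts appear translated to 72.26.36.28
!    show access-lists                             ! hit counts on VPN-TRAFFIC vs NAT-TRAFFIC
!    show crypto isakmp sa                         ! QM_IDLE once 72.26.36.30 is reachable
!    show crypto ipsec sa                          ! pkts encaps/decaps increment for 192.168.2.0<->192.168.1.0
```

The same split is needed on the peer router with the subnets reversed (crypto ACL 192.168.1.0/24 to 192.168.2.0/24, NAT deny for that pair), otherwise return traffic gets translated on the far side and the tunnel carries only one direction. The NAT exemption and the crypto ACL are mirror images of each other on purpose: any address pair present in one and missing from the other silently leaks that pair out unencrypted through the overload rule instead of dropping it, which is the security reason to keep the two lists distinct and to check the hit counts with show access-lists rather than trusting the configuration.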