cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
568
Views
0
Helpful
2
Replies

Problems Connecting to the Internet

Scott Spencer
Level 1
Level 1

Please bear with me I am new to Cisco Routers.

Back Ground:

Small company that has 2 public IP addesses. The company has 2 buiildings across the street from each other and no way to directly connect them together. Currently the company has 2 NetGear Prosafe FVS336G routers to create a VPN between the two buildings. I am trying to replace the NetGear equipment with 2 Cisco 1921 routers with an EHWIC-1GE-SFP-CU card in each. The ISP has fiber running to each buiilding with a media converter that changes the fiber to copper. No matter what I do I have not been able to get the routers onto the internet. I can ping through the LAn port to the WAN port but not to the next hop to the gateway. Here is the configurations:

Building configuration...

Current configuration : 5824 bytes

!

! Last configuration change at 21:13:26 Chicago Wed Jan 29 2014 by *********

! NVRAM config last updated at 20:57:39 Chicago Wed Jan 29 2014

! NVRAM config last updated at 20:57:39 Chicago Wed Jan 29 2014

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname *****-****

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

enable secret 4 lb2avLaY6/A.CvVUiNp7qgCloPnmzIN8yPVCg.TeFDY

enable password 7 050F00083645420D150C1117

!

no aaa new-model

clock timezone Chicago -6 0

clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00

!

ip cef

!

!

! ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.2.1 192.168.2.99

!

ip dhcp pool ccp-pool

import all

network 10.10.10.0 255.255.255.248

default-router 10.10.10.1

lease 0 2

!

ip dhcp pool DFG_Mill_Client

import all

network 192.168.2.0 255.255.255.0

domain-name dfg.local

dns-server 192.168.1.10 216.183.32.6

default-router 192.168.2.1

lease infinite

!

!

!

no ip domain lookup

ip domain name dfg.local

ip name-server 216.183.32.6

ip name-server 192.168.1.10

no ipv6 cef

!

multilink bundle-name authenticated

!

!

crypto pki trustpoint TP-self-signed-1634222303

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1634222303

revocation-check none

rsakeypair TP-self-signed-1634222303

!

!

crypto pki certificate chain TP-self-signed-1634222303

certificate self-signed 01  

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274   69666963 6174652D 31363334 32323233 3033301E 170D3134 30313239 30303436   32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36333432   32323330 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281   8100BFD3 62B95BA0 D520AF0E 70682CCD A5A30E80 D448BD39 F9572CFB 6A26726D   2ED4886B 458C2493 61AFD3E8 DB936A04 7F7353DF CE4C487E 429F94CC 76C25902   6C612074 E3A5E839 05AD69B3 CFA3F489 40A29D61 ACD691A4 20AF5431 C821D40E   EB3A06C9 0F1F2CF7 DDAB7B81 7A68CD5D 7152ACE3 6966BD4A BDBC82FA B43331EC   8D7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603   551D2304 18301680 14EC992F 83142501 B241B886 C71E627F 81F515A8 5F301D06   03551D0E 04160414 EC992F83 142501B2 41B886C7 1E627F81 F515A85F 300D0609   2A864886 F70D0101 05050003 8181004E 3FAFF3A2 76EE56BE 7BE3C8D3 D34A14CA   A2ED06F0 9E835890 8F1A2C40 7D021A5D 64BEF43E CB31F046 68E2893F 0593D339   B9FC214B B1111533 9F89C0E9 B03C8B5C C4772BAE A7E5E0DD 44F2B3B5 4E2D2879   B45A81C0 1D87D85C EC4B2721 9A1E69C6 DBB24540 5C34E4DB 3141EF61 CF938F5E   DC6EE9BE 85D49E77 311E20E3 93F90B  

quit

license udi pid CISCO1921/K9 sn FTX173885T5

!

!

username ************ privilege 15 secret 4

IRZa0mv.Uv04Aq6uuzX9gZyWOX871btpQ5PlDA56WeE

!

redundancy

!

!

!

!

!

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ********** address 72.26.36.30   

!

!

crypto ipsec transform-set vpnset esp-aes esp-sha-hmac

mode tunnel

!

!

!

crypto map vpnset 10 ipsec-isakmp

set peer 72.26.36.30

set transform-set vpnset

match address 100

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description DFG_Mill_Config

ip address 10.10.10.1 255.255.255.248

duplex auto

speed auto

!

interface GigabitEthernet0/1

description DFG_Mill_LAN

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/0/0

description DFG_Mill_WAN

ip address 72.26.36.28 255.255.255.192

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

crypto map vpnset

!

router rip

version 2

passive-interface GigabitEthernet0/0/0

network 10.0.0.0

network 72.0.0.0

network 192.168.2.0

neighbor 72.26.36.1

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 100 interface GigabitEthernet0/0/0 overload

ip nat inside source static tcp 192.168.2.51 1025 72.26.36.28 80 extendable

ip nat outside source static tcp 72.26.36.28 8081 192.168.2.51 80 extendable

ip route 0.0.0.0 0.0.0.0 72.26.36.1

!

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 permit ip any any

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

!

!

control-plane

!

!

banner login ^CWARNING!!! This system is solely for the use of authorized users of DFG Wildlife Supply for official purposes. You have no expectation of privacy in its use and to ensure that the system is functioning properly; individuals using this computer system are subject to having all of their activities monitored and recorded by system personnel. Use of this system evidences an express consent to such monitoring and agreement that if such monitoring reveals evidence of possible abuse or criminal activity, system personnel may provide the results of such monitoring to appropriate officials.#^C

!

line con 0

password 7 110D1F02001B070808232D21

logging synchronous

login

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

password 7 070B274B590015011B1B0D09

login

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

ntp update-calendar

ntp server 96.226.242.9 prefer source GigabitEthernet0/0/0

ntp server 216.171.120.36 prefer source GigabitEthernet0/0/0

ntp server 64.113.32.5 prefer source GigabitEthernet0/0/0

!

end

2 Replies 2

kcnajaf
Level 7
Level 7

HI Scott,

If I were you, I would remove the WAN connection cable from the router and connect to a laptop and assign the WAN ip address on to the laptop and verify if the internet is working fine from laptop using public ip address. If this is not working then you will have to work with you ISP on the same.

If this is working i would connect back the cable to router WAN port again and check "show ip nat translations" on the router to verify if the NAT is working fine when you try browsing.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

cadet alain
VIP Alumni
VIP Alumni

Hi,

So you are  using same ACL for crypto map and NAT  which is not good, could you try like this:

no access-list 100

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

crypto map vpnset 10 ipsec-isakmp

no match add 100

match add 101

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Review Cisco Networking for a $25 gift card