03-02-2014 01:02 PM - edited 03-07-2019 06:29 PM
Group,
Wanted to get your input on an issue where I am sure I am overlooking something. I rebuilt the router for IP SLA and PBR but I am having a VPN issue. Here is the scenario:
The LAN is 10.41.14.0/255.255.255.0
On the LAN is a VPN device for the networks that sits at 10.41.14.110. The VPN has the tunnels built correctly, but remotely I can only ping the firewall and the VPN at 10.41.14.100 and 10.41.14.110 respectively from the remote LANs, but no others. I need to get this piece resolved.
After some more investigation I can confirm the following:
The remote LAN can ping 10.41.14.100 and 10.41.14.110 but nothing else.
The router can ping any IP address in the remote LAN without issue. Seems like the issue is the data coming back into the router, perhaps a missing ACL allowing traffic in?
The router is allowing HTTPS to itself via CCP.
I have highlighted them in the config below. Thanks for your input as always!!
Building configuration...
Current configuration : 7935 bytes
!
! Last configuration change at 15:05:40 NewYork Sun Mar 2 2014 by cisco
! NVRAM config last updated at 15:08:13 NewYork Sun Mar 2 2014 by cisco
! NVRAM config last updated at 15:08:13 NewYork Sun Mar 2 2014 by cisco
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pl-gw1-paf-router1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock timezone NewYork -5 0
clock summer-time NewYork date Mar 9 2014 2:00 Nov 2 2014 2:00
!
no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name XXXXXXXXXXXXXXXXXX
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.4.4
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1476751880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1476751880
revocation-check none
rsakeypair TP-self-signed-1476751880
!
!
crypto pki certificate chain TP-self-signed-1476751880
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343736 37353138 3830301E 170D3134 30333032 31373431
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34373637
35313838 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9C5 15A9B6DA 5AADCF68 1D3552E8 BBC3E0FB 34B47C34 4C01A0F6 BD0D958B
EC218CDC 158F6357 DE4EDAD6 5259873D B4FD60E9 2D886198 38E81FCD 71967384
C6BF68DF 88D01803 DF3E1D18 1E73BAFE 531C04BB 80F86321 A538CAF6 B79483D9
68E85FCE A06F98AF 9CF981AE 8712517C 607AA3A1 1862D58E FA0A8207 84EE78A3
D3670203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14F2ECA8 2C1C0B8E 80A46975 33679CE4 F0E917B0 0B301D06
03551D0E 04160414 F2ECA82C 1C0B8E80 A4697533 679CE4F0 E917B00B 300D0609
2A864886 F70D0101 05050003 818100AE 25C715F4 B2B1E151 715C9517 45316F3A
1F53DF3A 4D444558 9C3A5B5F F940E554 055BE425 C2FAA35B 05137D7C 0059184A
6203C168 30D914F2 B65D6650 D357E457 B734F0E0 A5403927 FFE2AE9B 22885C2B
F8BB2944 484C644D 7B482C22 8666BA17 139C5AE5 3D176884 443BFBBD 351DA9BB
4CD17E62 AFBEA900 73D5C3B2 D1BEEE
quit
license udi pid CISCO2911/K9 sn FGL172810VH
license boot module c2900 technology-package securityk9
!
!
object-group service Asterisk
description SIP VOIP Phones
udp range 5060 5080
udp range 10001 20000
!
username cisco privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
!
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
priority percent 33
class CCP-Signaling-1
bandwidth percent 5
class CCP-Routing-1
bandwidth percent 5
class CCP-Management-1
bandwidth percent 5
class CCP-Transactional-1
bandwidth percent 5
class class-default
fair-queue
random-detect
policy-map CCP-QoS-Policy-2
class class-default
shape average 2560000
service-policy CCP-QoS-Policy-1
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 71.XX.160.123 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 10.41.14.100 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 206.XX.77.82 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-2
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 25
sort-by bytes
cache-timeout 3600
!
no ip nat service sip udp port 5060
ip nat inside source route-map Brighthouse interface GigabitEthernet0/0 overload
ip nat inside source route-map Megapath interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.41.14.103 80 71.XX.160.123 80 extendable
ip nat inside source static tcp 10.41.14.103 443 71.XX.160.123 443 extendable
ip route 0.0.0.0 0.0.0.0 71.XX.160.121 track 10
ip route 0.0.0.0 0.0.0.0 206.XX.77.81 track 20
ip route 10.0.2.0 255.255.255.0 10.41.14.110 2 permanent
ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
ip route 192.168.10.0 255.255.255.224 10.41.14.110 3 permanent
ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
!
ip sla auto discovery
ip sla 1
icmp-echo 71.XX.160.121 source-interface GigabitEthernet0/0
threshold 1000
timeout 3000
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 206.XX.77.81 source-interface GigabitEthernet0/2
threshold 1000
timeout 3000
frequency 10
ip sla schedule 2 life forever start-time now
access-list 10 permit 10.41.14.0 0.0.0.255
access-list 100 permit object-group Asterisk any any
access-list 101 permit ip any any
!
route-map Megapath permit 10
match ip address 10
match interface GigabitEthernet0/2
!
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 206.XX.77.81 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 71.XX.160.121 2 track 10
!
route-map Brighthouse permit 10
match ip address 10
match interface GigabitEthernet0/0
!
!
snmp-server community public RO
snmp-server community ourCommStr RW
snmp-server location Clearwater North
snmp-server contact MIS IT Services x1000
snmp-server enable traps entity-sensor threshold
snmp-server host 97.XX.78.222 XXXXXXXXXXXXXXXXXX
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 14071D0E550D270721296766
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 prefer source GigabitEthernet0/0
ntp server 64.239.96.53 source GigabitEthernet0/0
ntp server 96.226.123.157 source GigabitEthernet0/0
ntp server 64.113.32.5 source GigabitEthernet0/0
ntp server 129.6.15.30 prefer source GigabitEthernet0/0
ntp server 12.10.191.151 source GigabitEthernet0/0
!
end
03-03-2014 09:27 AM
Hello, Ross.
Could you please draw a diagram with all the IP-addresses and subnets that are involved?
03-03-2014 03:04 PM
Hello,
It appears to me that when I configured PBR on the inside interface, all traffic that should be routed to the VPN LAN address at 10.41.14.110 is actually being forced out of GigabitEthernet0/0. The PBR should have ACL 100 for the phones going to GigabitEthernet0/2, which it does, and ACL 101 should be sent down GigabitEthernet0/0, but ALL the other traffic is being sent out GigabitEthernet0/0, including the VPN traffic.
I was able to resolve this today by adjusting the route-map PBR by setting a lower cost on the VPN traffic before it is forced out the WAN1 interface. The modification is below as well as the ACL. Thanks for the help everyone!
pl-gw1-paf-router1#show route-map PBR
route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop verify-availability 206.135.77.81 1 track 20 [up]
Policy routing matches: 6196088 packets, 1730149548 bytes
route-map PBR, permit, sequence 20
Match clauses:
ip address (access-lists): VPNTraffic
Set clauses:
ip next-hop 10.41.14.110
Policy routing matches: 3293 packets, 373398 bytes
route-map PBR, permit, sequence 30
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop verify-availability 71.40.160.121 2 track 10 [up]
Policy routing matches: 4971034 packets, 718272101 bytes
pl-gw1-paf-router1#
pl-gw1-paf-router1#show access-list VPNTraffic
Extended IP access list VPNTraffic
10 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255 (3045 matches)
20 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31 (175 matches)
pl-gw1-paf-router1#
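To make the behaviour described in the last reply concrete, here is an added example that is not part of the original thread and not Cisco's code: a small Python model of how IOS evaluates the PBR route-map on the inside interface, using the ACLs, route-map sequences and a subset of the static routes transcribed from the posted config. The packets are constructed, the public next hops keep the XX masking from the post, the service object-group ports are modelled as destination ports, and the fall-through rule (a matched sequence whose tracked next hop is down falls back to destination-based routing instead of trying the next sequence) is modelled as Cisco documents it.

```python
"""Model of route-map PBR from the thread: why 'permit ip any any' in
sequence 30 captured the VPN traffic, and why inserting sequence 20 with
the VPNTraffic ACL fixes it.  Added example, not the poster's or Cisco's code."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco 'any' as network/wildcard pair


def wildcard_match(addr, net, wildcard):
    """Cisco wildcard-mask compare: a 1 bit in the wildcard means don't care."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == n & keep


# ACLs as ordered permit entries:
# (proto, src, src_wc, dst, dst_wc, dport_ranges); 'ip' matches any protocol,
# dport_ranges None means any destination port.  Object-group Asterisk ports
# are assumed to apply to the destination port.
ACLS = {
    "100": [("udp", *ANY, *ANY, [(5060, 5080), (10001, 20000)])],
    "101": [("ip", *ANY, *ANY, None)],
    "VPNTraffic": [
        ("ip", "10.41.14.0", "0.0.0.255", "10.0.2.0", "0.0.0.255", None),
        ("ip", "10.41.14.0", "0.0.0.255", "192.168.10.0", "0.0.0.31", None),
    ],
}


def acl_permits(acl_name, pkt):
    """Top-down ACE evaluation with the implicit deny at the end."""
    for proto, src, src_wc, dst, dst_wc, ports in ACLS[acl_name]:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], src, src_wc)
                and wildcard_match(pkt["dst"], dst, dst_wc)):
            continue
        if ports and not any(lo <= pkt["dport"] <= hi for lo, hi in ports):
            continue
        return True
    return False


# Route-map sequences in order: (match ACL, set next-hop, tracked object or None).
PBR_BEFORE = [("100", "206.XX.77.81", 20),
              ("101", "71.XX.160.121", 10)]
PBR_AFTER = [("100", "206.XX.77.81", 20),
             ("VPNTraffic", "10.41.14.110", None),   # the inserted sequence 20
             ("101", "71.XX.160.121", 10)]

# Subset of the posted 'ip route' lines (one default route kept for brevity).
STATIC_ROUTES = [("0.0.0.0/0", "71.XX.160.121"),
                 ("10.0.2.0/24", "10.41.14.110"),
                 ("192.168.10.0/27", "10.41.14.110"),
                 ("10.200.107.0/24", "10.41.14.99")]


def destination_route(dst):
    """Longest-prefix match over the static routes (normal, non-policy routing)."""
    candidates = [ipaddress.ip_network(p) for p, _ in STATIC_ROUTES
                  if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return dict(STATIC_ROUTES)[str(best)]


def policy_route(pkt, route_map, tracks):
    """First matching sequence wins.  If its next hop is tracked and the track
    is down, IOS falls back to destination routing rather than continuing to
    the next sequence; no match at all also means destination routing."""
    for acl, next_hop, track in route_map:
        if acl_permits(acl, pkt):
            if track is not None and not tracks.get(track, True):
                return destination_route(pkt["dst"])
            return next_hop
    return destination_route(pkt["dst"])


# Constructed sample packets (documentation-range public addresses).
VPN_PKT = {"proto": "tcp", "src": "10.41.14.50", "dst": "10.0.2.10", "dport": 445}
SIP_PKT = {"proto": "udp", "src": "10.41.14.20", "dst": "203.0.113.9", "dport": 5060}
WEB_PKT = {"proto": "tcp", "src": "10.41.14.50", "dst": "198.51.100.7", "dport": 443}

if __name__ == "__main__":
    up = {10: True, 20: True}
    for name, pkt in (("VPN", VPN_PKT), ("SIP", SIP_PKT), ("web", WEB_PKT)):
        print(f"{name:4} before: {policy_route(pkt, PBR_BEFORE, up):15} "
              f"after: {policy_route(pkt, PBR_AFTER, up)}")
```

Running it shows the VPN packet handed to 71.XX.160.121 under the original route-map, even though a static route for 10.0.2.0/24 via 10.41.14.110 exists, because PBR is consulted before the routing table and sequence 30 matches everything; with the VPNTraffic sequence inserted ahead of it, the same packet goes to 10.41.14.110 while SIP and general web traffic are unchanged. The model also shows the verify-availability fallback: with track 20 down, the SIP packet is no longer policy-routed and follows the default route.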