Static Routing Issue, Can't Ping VPN LAN Hosts IP SLA / IP PBR

Ross Mccullough
Level 1

Group,

Wanted to get your input on an issue where I am sure I am overlooking something. I rebuilt the router for IP SLA and PBR but I am having a VPN issue. Here is the scenario:

The LAN is 10.41.14.0/255.255.255.0

On the LAN is a VPN device for the networks; it sits at 10.41.14.110. The VPN has the tunnels built correctly, but remotely I can only ping the firewall and the VPN at 10.41.14.100 and 10.41.14.110 respectively from the remote LANs, and no others. I need to get this piece resolved.

After some more investigation I can confirm the following:

The remote LAN can ping 10.41.14.100 and 10.41.14.110 but nothing else.

The router can ping any IP address in the remote LAN without issue. Seems like the issue is the data coming back into the router, perhaps a missing ACL allowing traffic in?

The router is allowing HTTPS to itself via CCP.

I have highlighted them in the config below. Thanks for your input as always!!

Building configuration...
Current configuration : 7935 bytes
!
! Last configuration change at 15:05:40 NewYork Sun Mar 2 2014 by cisco
! NVRAM config last updated at 15:08:13 NewYork Sun Mar 2 2014 by cisco
! NVRAM config last updated at 15:08:13 NewYork Sun Mar 2 2014 by cisco
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pl-gw1-paf-router1
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
clock timezone NewYork -5 0
clock summer-time NewYork date Mar 9 2014 2:00 Nov 2 2014 2:00
!
no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip domain name XXXXXXXXXXXXXXXXXX
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip name-server 8.8.4.4
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1476751880
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1476751880
revocation-check none
rsakeypair TP-self-signed-1476751880
!
!
crypto pki certificate chain TP-self-signed-1476751880
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343736 37353138 3830301E 170D3134 30333032 31373431
  32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34373637
  35313838 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B9C5 15A9B6DA 5AADCF68 1D3552E8 BBC3E0FB 34B47C34 4C01A0F6 BD0D958B
  EC218CDC 158F6357 DE4EDAD6 5259873D B4FD60E9 2D886198 38E81FCD 71967384
  C6BF68DF 88D01803 DF3E1D18 1E73BAFE 531C04BB 80F86321 A538CAF6 B79483D9
  68E85FCE A06F98AF 9CF981AE 8712517C 607AA3A1 1862D58E FA0A8207 84EE78A3
  D3670203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14F2ECA8 2C1C0B8E 80A46975 33679CE4 F0E917B0 0B301D06
  03551D0E 04160414 F2ECA82C 1C0B8E80 A4697533 679CE4F0 E917B00B 300D0609
  2A864886 F70D0101 05050003 818100AE 25C715F4 B2B1E151 715C9517 45316F3A
  1F53DF3A 4D444558 9C3A5B5F F940E554 055BE425 C2FAA35B 05137D7C 0059184A
  6203C168 30D914F2 B65D6650 D357E457 B734F0E0 A5403927 FFE2AE9B 22885C2B
  F8BB2944 484C644D 7B482C22 8666BA17 139C5AE5 3D176884 443BFBBD 351DA9BB
  4CD17E62 AFBEA900 73D5C3B2 D1BEEE
            quit
license udi pid CISCO2911/K9 sn FGL172810VH
license boot module c2900 technology-package securityk9
!
!
object-group service Asterisk
description SIP VOIP Phones
udp range 5060 5080
udp range 10001 20000
!
username cisco privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
class-map match-any CCP-Transactional-1
match dscp af21
match dscp af22
match dscp af23
class-map match-any CCP-Voice-1
match dscp ef
class-map match-any CCP-Routing-1
match dscp cs6
class-map match-any CCP-Signaling-1
match dscp cs3
match dscp af31
class-map match-any CCP-Management-1
match dscp cs2
!
policy-map sdm-qos-test-123
class class-default
policy-map CCP-QoS-Policy-1
class CCP-Voice-1
  priority percent 33
class CCP-Signaling-1
  bandwidth percent 5
class CCP-Routing-1
  bandwidth percent 5
class CCP-Management-1
  bandwidth percent 5
class CCP-Transactional-1
  bandwidth percent 5
class class-default
  fair-queue
  random-detect
policy-map CCP-QoS-Policy-2
class class-default
  shape average 2560000
   service-policy CCP-QoS-Policy-1
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 71.XX.160.123 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
ip address 10.41.14.100 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip policy route-map PBR
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 206.XX.77.82 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
service-policy output CCP-QoS-Policy-2
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 25
sort-by bytes
cache-timeout 3600
!
no ip nat service sip udp port 5060
ip nat inside source route-map Brighthouse interface GigabitEthernet0/0 overload
ip nat inside source route-map Megapath interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.41.14.103 80 71.XX.160.123 80 extendable
ip nat inside source static tcp 10.41.14.103 443 71.XX.160.123 443 extendable
ip route 0.0.0.0 0.0.0.0 71.XX.160.121 track 10
ip route 0.0.0.0 0.0.0.0 206.XX.77.81 track 20
ip route 10.0.2.0 255.255.255.0 10.41.14.110 2 permanent
ip route 10.67.188.32 255.255.255.224 10.41.14.99 6 permanent
ip route 10.67.188.96 255.255.255.224 10.41.14.99 8 permanent
ip route 10.200.107.0 255.255.255.0 10.41.14.99 9 permanent
ip route 10.200.110.0 255.255.254.0 10.41.14.99 7 permanent
ip route 74.200.107.0 255.255.255.0 10.41.14.99 5 permanent
ip route 74.200.110.0 255.255.254.0 10.41.14.99 4 permanent
ip route 192.168.10.0 255.255.255.224 10.41.14.110 3 permanent
ip route 208.67.188.32 255.255.255.224 10.41.14.99 2 permanent
ip route 208.67.188.96 255.255.255.224 10.41.14.99 3 permanent
!
ip sla auto discovery
ip sla 1
icmp-echo 71.XX.160.121 source-interface GigabitEthernet0/0
threshold 1000
timeout 3000
frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 206.XX.77.81 source-interface GigabitEthernet0/2
threshold 1000
timeout 3000
frequency 10
ip sla schedule 2 life forever start-time now
access-list 10 permit 10.41.14.0 0.0.0.255
access-list 100 permit object-group Asterisk any any
access-list 101 permit ip any any
!
route-map Megapath permit 10
match ip address 10
match interface GigabitEthernet0/2
!
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 206.XX.77.81 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 71.XX.160.121 2 track 10
!
route-map Brighthouse permit 10
match ip address 10
match interface GigabitEthernet0/0
!
!
snmp-server community public RO
snmp-server community ourCommStr RW
snmp-server location Clearwater North
snmp-server contact MIS IT Services x1000
snmp-server enable traps entity-sensor threshold
snmp-server host 97.XX.78.222 XXXXXXXXXXXXXXXXXX
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password 7 14071D0E550D270721296766
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 24.56.178.140 prefer source GigabitEthernet0/0
ntp server 64.239.96.53 source GigabitEthernet0/0
ntp server 96.226.123.157 source GigabitEthernet0/0
ntp server 64.113.32.5 source GigabitEthernet0/0
ntp server 129.6.15.30 prefer source GigabitEthernet0/0
ntp server 12.10.191.151 source GigabitEthernet0/0
!
end


Hello, Ross.

Could you please draw a diagram with all the IP-addresses and subnets that are involved?

Hello,

It appears to me that when I configured PBR on the inside interface, all traffic that should be routed to the VPN LAN address at 10.41.14.110 is actually being forced out of GigabitEthernet0/0. The PBR should have ACL 100 for the phones going to GigabitEthernet0/2, which it does, and ACL 101 should be sent down GigabitEthernet0/0, but ALL the other traffic is being sent out GigabitEthernet0/0 including the VPN traffic.

I was able to resolve this today by adjusting the route-map PBR by setting a lower cost on the VPN traffic before it is forced out the WAN1 interface. The modification is below as well as the ACL. Thanks for the help everyone!

pl-gw1-paf-router1#show route-map PBR
route-map PBR, permit, sequence 10
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
    ip next-hop verify-availability 206.135.77.81 1 track 20  [up]
  Policy routing matches: 6196088 packets, 1730149548 bytes
route-map PBR, permit, sequence 20
  Match clauses:
    ip address (access-lists): VPNTraffic
  Set clauses:
    ip next-hop 10.41.14.110
  Policy routing matches: 3293 packets, 373398 bytes
route-map PBR, permit, sequence 30
  Match clauses:
    ip address (access-lists): 101
  Set clauses:
    ip next-hop verify-availability 71.40.160.121 2 track 10  [up]
  Policy routing matches: 4971034 packets, 718272101 bytes
pl-gw1-paf-router1#
pl-gw1-paf-router1#show access-list VPNTraffic
Extended IP access list VPNTraffic
    10 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255 (3045 matches)
    20 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31 (175 matches)
pl-gw1-paf-router1#
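As an added example (not part of the original thread and not the poster's own configuration), the fix described in the final post written out as IOS configuration, beside an alternative that reaches the same result without a per-destination ACL. The VPN prefixes, the VPN gateway 10.41.14.110 and the tracked WAN next hops are taken from the posted config; the ACL name VPNTraffic and the sequence numbers are the ones visible in the poster's show route-map output. The PBR-ALT route-map name is an assumption chosen for the example.

```cisco
! Why the original route-map broke the VPN:
!   route-map PBR permit 30 matched ACL 101 (permit ip any any) and used
!   "set ip next-hop", which overrides the routing table. Packets from
!   the LAN to 10.0.2.0/24 and 192.168.10.0/27 therefore never consulted
!   the static routes via 10.41.14.110 and went to 71.XX.160.121 instead.
!   Replies from the remote LANs still arrived through the VPN device, so
!   the router itself (which does not pass through PBR) could ping them.

! Fix 1 (what the poster did): match the VPN destinations in a sequence
! evaluated before the catch-all and hand them to the VPN device.
ip access-list extended VPNTraffic
 permit ip 10.41.14.0 0.0.0.255 10.0.2.0 0.0.0.255
 permit ip 10.41.14.0 0.0.0.255 192.168.10.0 0.0.0.31
!
route-map PBR permit 10
 match ip address 100
 set ip next-hop verify-availability 206.XX.77.81 1 track 20
!
route-map PBR permit 20
 match ip address VPNTraffic
 set ip next-hop 10.41.14.110
!
route-map PBR permit 30
 match ip address 101
 set ip next-hop verify-availability 71.XX.160.121 2 track 10

! Fix 2 (alternative, not used in the thread): "set ip default next-hop"
! applies the policy only when the routing table has no explicit route
! for the destination (the 0.0.0.0/0 default does not count), so the
! static routes to 10.0.2.0/24, 192.168.10.0/27 and the 10.41.14.99
! networks keep winning with no VPNTraffic ACL at all. This variant
! gives up the tracked failover for the catch-all sequence.
route-map PBR-ALT permit 10
 match ip address 100
 set ip next-hop verify-availability 206.XX.77.81 1 track 20
!
route-map PBR-ALT permit 30
 match ip address 101
 set ip default next-hop 71.XX.160.121

! Verification after applying either route-map to GigabitEthernet0/1
show ip policy
show route-map PBR
show ip access-lists VPNTraffic
```

A route-map is evaluated first-match, so the VPN sequence has to sit numerically before the permit ip any any catch-all at 30; that is the whole fix. Note that sequence 20 has no verify-availability, so PBR does not check that 10.41.14.110 is alive: if the VPN device is down, matched traffic is still policy-routed to it rather than falling back to the WAN. If that failover matters, add an IP SLA probe against the VPN device and use set ip next-hop verify-availability with its track object, as sequences 10 and 30 already do for the WAN next hops.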
