06-16-2022 02:26 AM
Dear all,
I have a problem. I have a Cisco router connected to another site by IPsec. From the Cisco, VLAN 100 works properly, but VLAN 101 does not. Through VLAN 101, I can ping 8.8.8.8, but cannot resolve google.com, so I cannot access the website.
The conf:
ip dhcp pool VLAN100
network 192.168.200.0 255.255.255.128
default-router 192.168.200.1
dns-server 172.25.36.2 172.25.36.9
lease 7
!
ip dhcp pool VLAN101
network 192.168.201.0 255.255.255.0
default-router 192.168.201.1
dns-server 172.25.36.2 172.25.36.9
lease 7
!
interface Tunnel1
ip unnumbered Vlan100
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile
!
interface GigabitEthernet0/0/0
ip address 201.155.211.114 255.255.255.248
ip nat outside
speed 1000
no negotiation auto
!
interface GigabitEthernet0/1/0
switchport access vlan 100
switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
switchport access vlan 101
switchport mode access
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.200.1 255.255.255.128
ip nat inside
!
interface Vlan101
ip address 192.168.201.1 255.255.255.0
ip nat inside
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 202.155.211.113
ip route 172.25.36.0 255.255.255.128 Tunnel1
!
!
ip access-list extended IPsec-in
10 permit ip any 192.168.200.0 0.0.0.127
20 permit ip any 192.168.201.0 0.0.0.255
30 permit tcp host 172.25.36.68 host 192.168.200.254 eq telnet
40 permit tcp host 172.25.36.90 host 192.168.200.254 eq telnet
ip access-list extended IPsec-out
10 permit ip any any
!
ip access-list standard 1
10 permit 192.168.200.0 0.0.0.127
20 permit 192.168.201.0 0.0.0.255
Where did I configure wrongly? Thank you very much!
06-16-2022 07:14 PM
Hi all,
I found the problem. I hadn't set the access-list on the other side properly. Thank you for all the kind help :)
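The fix above is the classic mirrored-ACL gap: the local IPsec-in list permits both VLAN subnets, but the far end's list only knew about VLAN 100, so VLAN 101's DNS packets crossed the tunnel and the replies never came back. The following is an added example for this thread, not Cisco code or anything from the original post: it parses Cisco-style extended ACL lines (wildcard masks, "any", "host", optional port qualifiers) with first-match semantics and the implicit deny, then checks for each client subnet that the local side accepts the return traffic and the remote side accepts the outbound traffic. The local ACL is the thread's IPsec-in list; the two remote ACLs are constructed to show the broken and the corrected far end.

```python
"""Check that the ACLs on both ends of a tunnel cover every VLAN subnet.

Added example for this thread, not Cisco code. REMOTE_IN_BROKEN and
REMOTE_IN_FIXED are constructed; LOCAL_IN is the IPsec-in list from the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    protocol: str    # "ip", "tcp", "udp", ...
    src: Net
    dst: Net


def _wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Cisco wildcard mask -> IPv4Network (0 bits in the wildcard must match)."""
    mask_int = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(mask_int)   # raises on non-contiguous masks
    return Net(f"{addr}/{netmask}", strict=False)


def _parse_spec(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return Net("0.0.0.0/0"), i + 1
    if tok == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def _skip_port(tokens: List[str], i: int) -> int:
    """Skip an optional source-port qualifier (eq/gt/lt/neq X, range X Y)."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tokens) and tokens[i] == "range":
        return i + 3
    return i


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the body of an 'ip access-list extended' block into entries."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith(("ip access-list", "!", "remark")):
            continue
        tokens = line.split()
        if tokens[0].isdigit():          # leading sequence number
            tokens = tokens[1:]
        action, protocol = tokens[0], tokens[1]
        src, i = _parse_spec(tokens, 2)
        i = _skip_port(tokens, i)
        dst, _ = _parse_spec(tokens, i)  # trailing dst port qualifier is ignored
        entries.append(AclEntry(action, protocol, src, dst))
    return entries


def lookup(acl: List[AclEntry], src: Net, dst: Net) -> str:
    """First matching entry wins; every Cisco ACL ends with an implicit deny."""
    for e in acl:
        if e.src.supernet_of(src) and e.dst.supernet_of(dst):
            return e.action
    return "deny"


def tunnel_gaps(local_in: List[AclEntry], remote_in: List[AclEntry],
                client_nets: List[str], server_net: str) -> List[str]:
    """Client subnets that cannot complete a round trip to server_net."""
    server = Net(server_net)
    gaps = []
    for c in client_nets:
        client = Net(c)
        inbound_ok = lookup(local_in, server, client) == "permit"   # replies back home
        remote_ok = lookup(remote_in, client, server) == "permit"   # requests at far end
        if not (inbound_ok and remote_ok):
            gaps.append(c)
    return gaps


LOCAL_IN = """
ip access-list extended IPsec-in
10 permit ip any 192.168.200.0 0.0.0.127
20 permit ip any 192.168.201.0 0.0.0.255
30 permit tcp host 172.25.36.68 host 192.168.200.254 eq telnet
40 permit tcp host 172.25.36.90 host 192.168.200.254 eq telnet
"""
# Constructed: far end only lists VLAN 100 (the situation the thread ended on).
REMOTE_IN_BROKEN = "10 permit ip 192.168.200.0 0.0.0.127 172.25.36.0 0.0.0.127"
# Constructed: far end corrected to include VLAN 101.
REMOTE_IN_FIXED = REMOTE_IN_BROKEN + "\n20 permit ip 192.168.201.0 0.0.0.255 172.25.36.0 0.0.0.127"

CLIENT_NETS = ["192.168.200.0/25", "192.168.201.0/24"]
DNS_NET = "172.25.36.0/25"   # the subnet routed into Tunnel1 in the post

if __name__ == "__main__":
    local = parse_acl(LOCAL_IN)
    print("gaps with broken far end:", tunnel_gaps(local, parse_acl(REMOTE_IN_BROKEN), CLIENT_NETS, DNS_NET))
    print("gaps with fixed far end: ", tunnel_gaps(local, parse_acl(REMOTE_IN_FIXED), CLIENT_NETS, DNS_NET))
```

Run it as-is and the broken far end reports 192.168.201.0/24 as the only subnet without a return path, which is exactly the VLAN that could ping but not resolve. The same check is useful as a pre-change review step: paste both sides' lists in before touching the tunnel rather than discovering the mismatch from a client that half works.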
06-16-2022 02:31 AM
You can ping 8.8.8.8 but have no internet. This means you have a DNS issue.
06-16-2022 02:33 AM - edited 06-16-2022 02:33 AM
In fact the two VLAN configs are the same; however, one has a problem. May I know why?
Thank you!
06-16-2022 02:39 AM
interface Tunnel1
ip unnumbered Vlan101
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile
Can you try and test with Vlan101 instead of Vlan100? As you are calling Vlan100 as ip unnumbered, this could be playing up here.
06-16-2022 02:55 AM
Hi,
Interestingly, the situation is the same: vlan 100 works properly while vlan 101 can ping 8.8.8.8 but cannot access the internet.
06-16-2022 03:04 AM - edited 06-16-2022 03:09 AM
Does the remote side have a route for VLAN 101? As there is a tunnel between this router and the remote router.
I am just thinking, to get into this in more depth, you can set up a "monitor session" with an access-list for vlan101 and see in a packet capture / Wireshark / tcpdump.
Embedded Packet Capture for Cisco IOS and IOS-XE Configuration Example - Cisco
Can the DNS server ping VLAN101?
06-16-2022 02:37 AM
Does the other end of your IPsec tunnel have a route back to VLAN101 for the return DNS traffic to the clients?
06-16-2022 02:52 AM
Hi,
The static route was set properly on the other side.
06-16-2022 04:05 AM
So DNS lookups from a device on VLAN101 are working - from the Windows command line you issue the command "ping www.cisco.com" and you see DNS 172.25.36.2 + 172.25.36.9 returning an IP address for the ping destination??
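The question above is the right one to separate "the server is reachable" from "the server answers DNS": a host can ping a resolver and still get nothing back on UDP/53 if the path only half works. The following is an added example for this thread, not code from the original post: run from a client on VLAN 101, it hand-builds a DNS A query, sends it straight to each DHCP-assigned server with a short timeout, and reports per server whether a reply arrived. The server addresses are the ones from the post; the query name www.cisco.com is the one suggested above; the response bytes used to check the parser are constructed.

```python
"""Probe each configured DNS server directly over UDP/53.

Added example for this thread, not from the original post. Server addresses
are the ones in the post; the query name follows the suggestion above.
"""
import secrets
import socket
import struct
from typing import List, Tuple

DNS_SERVERS = ("172.25.36.2", "172.25.36.9")   # from the DHCP pool in the post


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A query: 12-byte header, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100 = RD bit
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)             # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; return the offset after it."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, txid: int) -> Tuple[int, List[str]]:
    """Return (RCODE, list of A-record addresses) from a raw DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: stray or spoofed reply")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server: str, name: str = "www.cisco.com", timeout: float = 2.0) -> str:
    """Query one server directly and return a one-line verdict."""
    txid = secrets.randbits(16)        # random id so a stray reply cannot be confused with ours
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return f"{server}: no answer on UDP/53 within {timeout}s (path, route or ACL problem)"
    rcode, addrs = parse_a_records(data, txid)
    if rcode != 0:
        return f"{server}: reachable, answered with RCODE {rcode}"
    return f"{server}: {name} -> {', '.join(addrs) or 'no A records'}"


if __name__ == "__main__":
    for srv in DNS_SERVERS:
        print(probe(srv))
```

Compare the output with a plain ping of the same addresses: "ping replies but no answer on UDP/53" from a VLAN 101 host, while a VLAN 100 host gets records from both servers, narrows the fault to the tunnel path for that subnet rather than to the client's resolver settings.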
06-16-2022 02:42 AM
Hello,
Since you are using identical settings in the DHCP pools, and since the rest of the configuration looks absolutely by the book as well, in theory this should work. Can you post the output of 'ipconfig /all' from one of the clients? What clients are those anyway in Vlan 101 (e.g. Windows 10/11)?
06-16-2022 02:58 AM - edited 06-16-2022 03:04 AM
Hi,
The ipconfig:
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : xxx
Description . . . . . . . . . . . : xxx
Physical Address. . . . . . . . . : xxx
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.201.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, June 15, 2022 11:51:21 PM
Lease Expires . . . . . . . . . . : Thursday, June 16, 2022 6:51:21 PM
Default Gateway . . . . . . . . . : 192.168.201.1
DHCP Server . . . . . . . . . . . : 192.168.201.1
DNS Servers . . . . . . . . . . . : 172.25.36.2
172.25.36.9
NetBIOS over Tcpip. . . . . . . . : Enabled
I tried Ubuntu and Windows 10 & 11, still the same problems.
06-16-2022 03:43 AM
Hi
"interface Tunnel1
ip unnumbered Vlan100
ip access-group IPsec-in in
ip access-group IPsec-out out
tunnel source 201.155.211.114
tunnel mode ipsec ipv4
tunnel destination 221.241.162.33
tunnel protection ipsec profile IPsecProfile
!"
It seems to me that what differentiates the scenario is this config. You have a tunnel for vlan 100 but you don't have a tunnel for vlan 101.
The DNS servers you are using, 172.25.36.2 and 172.25.36.9, probably do not exist on the local network but exist on the other side of this tunnel. That is why you can ping from both vlans but only have internet on vlan 100.
What you can do for a test is deliver 8.8.8.8 as the DNS server to the machines by changing your DHCP scope to:
ip dhcp pool VLAN101
network 192.168.201.0 255.255.255.0
default-router 192.168.201.1
dns-server 8.8.8.8
lease 7
06-16-2022 04:12 AM
Hi,
Thank you for the reply first.
In fact I know that setting the dns-server to 8.8.8.8 can solve the problem, but I'm looking for a way to use our own DNS server.
If, as you said, there is no tunnel for vlan 101, could I clone the same conf of Tunnel1 to Tunnel2 for vlan 101 so that I could connect to the 172.25.x.x DNS server?
Thank you!
06-16-2022 04:16 AM
That won't fix the issue either.
What you can do is create a Loopback on the router and reference that Loopback as ip unnumbered Loopback.
06-16-2022 04:21 AM - edited 06-16-2022 04:22 AM
Yeah, I think you can try that. This tunnel exists for a reason. I was wondering if you can add the same vlan 101 to the same tunnel, but you need to change the other side of this tunnel as well.