Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
680
Views
0
Helpful
3
Replies

Stumped on tryng to configure a 1711

Go to solution
J W
Level 1
Level 1

‎08-21-2010 04:58 PM - edited ‎03-06-2019 12:35 PM

Hello. I am trying to assist a client with configuring their 1711 with a VPN tunnel going back to their main office. They have several routers set up in much the same way (see config below). I plugged this router in, setup the configuration with the correct ip's (checked several times) and now I am stuck.

I am able to ping outside addresses (such as 4.2.2.2) from the router console. I am not able to contact those same sites from my PC that is directly connected to Fe4.

I am able to ping from my pc, the gateway installed in the router (10.1.6.1), and from the router console I am able to ping my PC.

So from the router console: I can ping internet addresses and LAN addresses

From my PC: I can ping the routers internal IP, but nothing else.

I seem to think the issue is with the way they have Vlan1 set up on teh 1711, but I cannot see what the issue is. like I said, they have several configs just like this at other sites, and they are working just fine. Can anyone point me in the right direction?

Just to be clear, I haven't even gotten to the point where I've tried to establish the tunnel on the other end. I am just trying to get from my lan (10.1.6.x) out to the internet, throgh this router.

Thanks for any help.

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Routername
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000 warnings
!
username asdadf password 7 0016071417asdf5A1845fad0833494B07
username 23wwfa privilege 15 password 7 asdf23qwrt32asdg3
clock timezone EST -5
clock summer-time EST date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
ip domain name domainname.local
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip ids po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
login quiet-mode access-class 123
no ftp-server write-enable
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key as2323sa433 address x.x.x.x
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_10 1 ipsec-isakmp 
 description Tunnel to DataCenter
 set peer x.x.x.x
 set transform-set SDM_TRANSFORMSET_1 
 match address GRE2DATACENTER
!
!
!
interface Tunnel0
 description VPN to DataCenter Fiber
 bandwidth 2048
 ip address 10.254.253.30 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1338
 ip hello-interval eigrp 10000 20
 ip hold-time eigrp 10000 60
 ip route-cache flow
 ip tcp adjust-mss 1200
 cdp enable
 tunnel source FastEthernet0
 tunnel destination x.x.x.x.x
!
interface Null0
 no ip unreachables
!
interface Loopback100
 ip address 10.254.1.14 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0
 description Connected to Internet
 ip address x.x.x.x y.y.y.y
 ip access-group 123 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_10
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 description Connected to Datacenter
 ip address 10.1.6.1 255.255.254.0
 ip helper-address 10.0.2.11
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Async1
 no ip address
!
router eigrp 10000
 passive-interface Vlan1
 passive-interface FastEthernet0
 network 10.0.0.0
 no auto-summary
 eigrp stub connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y (next hop)
ip route x.x.x.x (tunnel address) 255.255.255.255 y.y.y.y (next hop)
no ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended GRE2DATACENTER
 permit gre host x.x.x.x host y.y.y.y
access-list 1 permit 10.1.14.0 0.0.1.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 1 permit 10.1.6.0 0.0.1.255
access-list 123 permit esp any any
access-list 123 permit ip host x.x.x.x host y.y.y.y
access-list 123 permit icmp host x.x.x.x host y.y.y.y
access-list 123 permit icmp any host y.y.y.y unreachable
access-list 123 permit icmp any host y.y.y.y time-exceeded
access-list 123 permit icmp any host y.y.y.y echo-reply
access-list 123 permit icmp any host y.y.y.y source-quench
access-list 123 permit icmp x.x.x.x 0.0.0.7 host y.y.y.y
access-list 123 permit udp host x.x.x.x host y.y.y.y eq isakmp
access-list 123 permit udp host 192.5.41.41 eq ntp host y.y.y.y eq ntp
access-list 123 permit tcp 192.5.32.0 0.0.1.255 any range ftp-data 22
access-list 123 permit tcp 192.5.34.0 0.0.0.255 any range ftp-data 22
access-list 123 permit tcp host x.x.x.x any range ftp-data 22
access-list 123 permit tcp any host y.y.y.y eq telnet
access-list 123 permit ip x.x.x.x 0.0.7.255 any
access-list 123 permit ip x.x.x.x 0.0.0.255 any
access-list 123 deny   ip 10.0.0.0 0.255.255.255 any
access-list 123 deny   ip 172.16.0.0 0.15.255.255 any
access-list 123 deny   ip 192.168.0.0 0.0.255.255 any
access-list 123 deny   ip 127.0.0.0 0.255.255.255 any
access-list 123 deny   ip host 255.255.255.255 any
access-list 123 deny   ip host 0.0.0.0 any
access-list 123 deny   ip any any log
snmp-server community publicsum#blue RO
snmp-server community privatesum#blue RW
snmp-server community ripcord RO 3
snmp-server enable traps tty
snmp-server host 10.0.2.11 publicsum#blue  syslog
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
 transport input ssh
!
end
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-21-2010 05:13 PM

Hello,

I do not see NAT rules configured on the router. Can you try the following:

access-list 1 permit 10.0.0.0 0.255.255.255

ip nat inside source list 1 interface fa 0 overload

Hope this helps.

Regards,

NT

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-21-2010 05:13 PM

Hello,

I do not see NAT rules configured on the router. Can you try the following:

access-list 1 permit 10.0.0.0 0.255.255.255

ip nat inside source list 1 interface fa 0 overload

Hope this helps.

Regards,

NT

0 Helpful

Go to solution
J W
Level 1
Level 1
In response to Nagaraja Thanthry

‎08-21-2010 05:40 PM

Geez, you're probably right. I've been staring at that config for a good part of the day (albeit on 3
hours of sleep (long DC move)). I'll try that and let you know tomorrow. Thank you for taking the time to look at it.

0 Helpful

Go to solution
J W
Level 1
Level 1

‎08-22-2010 08:31 AM

Yep. That was it. Such a simple answer, but it completely escaped me. Thank you for your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card