Cisco Router 881 and SG500-52 switch configuration Issue

Hi Everyone,

I hope I will get some help here, if not at least a direction.

I am configuring a Cisco 881 router with a Layer-3 switch SG500-52, with VLAN configuration:

Vlan1: 192.168.10.0/24

Vlan2: 192.168.0.0/24

Problem: For some reason I can't ping google.ca from the switch:

switch013294#ping google.ca

Pinging google.ca (74.125.225.215) with 18 bytes of data:

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

PING: no reply from 74.125.225.215

PING: timeout

----74.125.225.215 PING Statistics----

4 packets transmitted, 0 packets received, 100% packet loss

switch013294#tracero ip google.ca

Tracing the route to google.ca (74.125.225.215) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

2   *  *  *

3   *

Trace aborted.

I can ping the router's public IP but not the router's public gateway from the switch: (from Router I can ping

switch013294#tracero ip 24.XX.XX.XXX

Tracing the route to 24.XX.XX.XX (24.XX.XX.XXX) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

Trace complete.

switch013294#tracero ip 24.XX.XX.1

Tracing the route to 24.XX.XX.1 (24.XX.XX.1) from , 30 hops max, 18 byte packets

Type Esc to abort.

1  192.168.10.1 (192.168.10.1)  <20 ms  <20 ms  <20 ms

2   *  *  *

3   *  *

Trace aborted.

NAT Debug:

I have also tested with debug ip NAT and it shows the following:

Tried pinging from Switch:

Nov 18 04:16:55.794: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [2206]

Nov 18 04:16:55.866: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13679]

Nov 18 04:16:58.034: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [37854]

Nov 18 04:16:58.114: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13680]

Tried pinging from Host on Vlan-2:

Nov 18 04:20:30.862: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23980]

Nov 18 04:20:30.958: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [40901]

Nov 18 04:20:31.122: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23981]

Nov 18 04:20:31.194: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [3341]

Router#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is 24.xx.xx.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 24.xx.xx.1

      24.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        24.xx.xx.0/24 is directly connected, FastEthernet4

L        24.XX.XX.XXx/32 is directly connected, FastEthernet4

S     192.168.0.0/24 [1/0] via 192.168.10.2

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks

C        192.168.10.0/24 is directly connected, Vlan1

L        192.168.10.1/32 is directly connected, Vlan1

switch013294#show ip route

Maximum Parallel Paths: 1 (1 after reset)

IP Forwarding: enabled

Codes: > - best, C - connected, S - static

S   0.0.0.0/0 [1/1] via 192.168.10.1, 01:21:05, vlan 1

C   192.168.0.0/24 is directly connected, vlan 2

C   192.168.10.0/24 is directly connected, vlan 1

C   192.168.30.0/24 is directly connected, vlan 3

Router Running Config:

Router#sh running-config

Building configuration...

Current configuration : 9565 bytes

!

! Last configuration change at 14:11:21 PCTime Mon Nov 18 2013 by XXXXXXX

! NVRAM config last updated at 23:59:41 PCTime Sat Nov 16 2013 by XXXXXXX

version 15.1

parser view CCP_EasyVPN_Remote

secret 5 $1$xXXT$at0nd7EXXX8s7iXNd5bJ1

commands interface include all crypto

commands interface include all no crypto

commands interface include no

commands configure include end

commands configure include all access-list

commands configure include all ip nat

commands configure include ip dns server

commands configure include ip dns

commands configure include all interface

commands configure include all identity policy

commands configure include identity profile

commands configure include identity

commands configure include all dot1x

commands configure include all ip domain lookup

commands configure include ip domain

commands configure include ip

commands configure include all crypto

commands configure include all aaa

commands configure include no end

commands configure include all no access-list

commands configure include all no ip nat

commands configure include no ip dns server

commands configure include no ip dns

commands configure include all no interface

commands configure include all no identity policy

commands configure include no identity profile

commands configure include no identity

commands configure include all no dot1x

commands configure include all no ip domain lookup

commands configure include no ip domain

commands configure include no ip

commands configure include all no crypto

commands configure include all no aaa

commands configure include no

commands exec include dir all-filesystems

commands exec include dir

commands exec include crypto ipsec client ezvpn connect

commands exec include crypto ipsec client ezvpn xauth

commands exec include crypto ipsec client ezvpn

commands exec include crypto ipsec client

commands exec include crypto ipsec

commands exec include crypto

commands exec include write memory

commands exec include write

commands exec include all ping ip

commands exec include ping

commands exec include configure terminal

commands exec include configure

commands exec include all terminal width

commands exec include all terminal length

commands exec include terminal

commands exec include all show

commands exec include all debug appfw

commands exec include all debug ip inspect

commands exec include debug ip

commands exec include debug

commands exec include all clear

commands exec include no

!

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authentication login ciscocp_vpn_xauth_ml_4 local

aaa authentication login ciscocp_vpn_xauth_ml_5 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

aaa authorization network ciscocp_vpn_group_ml_4 local

aaa authorization network ciscocp_vpn_group_ml_5 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone PCTime -6 0

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3187996699

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3187996699

revocation-check none

rsakeypair TP-self-signed-3187996699

!

!

crypto pki certificate chain TP-self-signed-3187996699

certificate self-signed 01

        quit

ip source-route

!

!

!

!

!

ip cef

ip domain name int.ccs-sk.ca

ip name-server XX.87.XXX.4

ip name-server XX.87.XXX.5

ip name-server 192.168.0.5

ip port-map user-protocol--1 port tcp 587

no ipv6 cef

!

!

license udi pid CISCO881-K9 sn FGL171020FH

!

!

username XXXXX privilege 15 secret 4 4TdGW32lppiywk7GXXXXXXqppUKotcC3qw35q7NbGx0o

username XXXXXX privilege 15 view CCP_EasyVPN_Remote secret 4 Cq2gROSp/6XXXXXXXSIjyGphSJe9KdkL/kxeMwZuIv6

username XXXX privilege 15 secret 4 qPLpXkgs4XXXXXZlVZcI/oxNuuXXXXXXtFwRblxZs

!

!

!

!

!

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 103

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-smtp-1

match access-group 103

match protocol smtp

!

zone security Outside

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group ccsvpn

key Logmein123

dns 192.168.0.5 65.87.230.4

domain int.ccs-sk.ca

pool SDM_POOL_1

acl 101

max-users 25

netmask 255.255.255.0

!

crypto isakmp client configuration group ccsvpn1

key Logmein123

dns 192.168.0.5 65.87.230.4

domain int.ccs-sk.ca

pool SDM_POOL_1

acl 102

max-users 25

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-2

   match identity group ccsvpn1

   client authentication list ciscocp_vpn_xauth_ml_5

   isakmp authorization list ciscocp_vpn_group_ml_5

   client configuration address respond

   virtual-template 2

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile2

set security-association idle-time 43200

set transform-set ESP-3DES-SHA4

set isakmp-profile ciscocp-ike-profile-2

!

!

!

!

!

!

interface Loopback1

no ip address

!

interface FastEthernet0

description Internal

switchport mode trunk

no ip address

spanning-tree portfast

!

interface FastEthernet1

switchport trunk native vlan 3

switchport mode trunk

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

description $ETH-WAN$

ip address dhcp client-id FastEthernet4

ip nbar protocol-discovery

ip nat outside

ip virtual-reassembly in

zone-member security Outside

duplex auto

speed auto

!

interface Virtual-Template2 type tunnel

no ip address

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile2

!

interface Vlan1

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

router rip

version 2

network 24.0.0.0

network 192.168.10.0

no auto-summary

!

ip local pool SDM_POOL_1 10.10.10.1 10.10.10.25

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 2 interface FastEthernet4 overload

ip route 0.0.0.0 0.0.0.0 24.XX.XX.1

ip route 192.168.0.0 255.255.255.0 192.168.10.2

!

access-list 2 permit 192.168.0.0 0.0.0.255

access-list 2 permit 192.168.0.0 0.0.255.255

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 192.168.0.0 0.0.0.255 any

access-list 100 permit ip 192.168.30.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 permit ip 192.168.30.0 0.0.0.255 any

access-list 103 remark CCP_ACL Category=0

access-list 103 permit ip any host 192.168.0.100

access-list 104 remark SMTP

access-list 104 remark CCP_ACL Category=64

access-list 104 remark Mail SMTP

access-list 104 permit tcp host 24.XX.XX.159 eq smtp 192.168.0.0 0.0.0.255 eq smtp established log

access-list 107 remark outsideSMTP

access-list 107 remark CCP_ACL Category=16

access-list 107 remark SMTP

access-list 107 permit tcp any eq smtp 192.168.0.0 0.0.0.255 eq smtp established log

access-list 112 permit ip 192.168.0.0 0.0.255.255 any log

!

!

!

!

route-map outside permit 10

match ip address 112

set ip default next-hop 24.XX.XX.1

!

!

!

!

line con 0

password Marketel123

no modem enable

line aux 0

line vty 0 4

password Marketel123

transport input all

!

ntp update-calendar

ntp server 192.168.0.5 prefer source FastEthernet0

end

Router#

  • LAN Switching and Routing
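
One way to read the `debug ip nat` lines quoted in the post is to pair each inside-to-outside translation with the outside-to-inside translation that answers it. This is an added example, not part of the original post; the sample lines are copied from the post, and the function names `parse` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# The eight debug lines quoted in the post (public address masked by the poster).
SAMPLE = """\
Nov 18 04:16:55.794: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [2206]
Nov 18 04:16:55.866: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13679]
Nov 18 04:16:58.034: NAT*: s=192.168.10.2->24.XX.XX.XX, d=74.125.225.183 [37854]
Nov 18 04:16:58.114: NAT*: s=74.125.225.183, d=24.XX.XX.XX->192.168.10.2 [13680]
Nov 18 04:20:30.862: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23980]
Nov 18 04:20:30.958: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [40901]
Nov 18 04:20:31.122: NAT*: s=192.168.0.54->24.XX.XX.XX, d=74.125.225.169 [23981]
Nov 18 04:20:31.194: NAT*: s=74.125.225.169, d=24.XX.XX.XX->192.168.0.54 [3341]
"""

# s=/d= carry "old->new" when that address was rewritten; [n] is the IP ID.
LINE = re.compile(r"NAT\*?: s=(?P<s>[^,\s]+), d=(?P<d>\S+) \[\d+\]")


def parse(line):
    """Return (direction, inside host, remote host) for one debug line."""
    m = LINE.search(line)
    if not m:
        return None
    s_old, _, s_new = m["s"].partition("->")
    d_old, _, d_new = m["d"].partition("->")
    if s_new:  # source rewritten: inside host leaving via the outside interface
        return ("out", s_old, d_old)
    if d_new:  # destination rewritten: reply translated back to the inside host
        return ("in", d_new, s_old)
    return None


def summarize(text):
    """Count, per inside host, outbound translations and how many were answered."""
    pending = defaultdict(int)  # (inside, remote) -> outbound packets awaiting a reply
    stats = defaultdict(lambda: {"out": 0, "answered": 0, "unmatched_in": 0})
    for line in text.splitlines():
        event = parse(line)
        if event is None:
            continue
        direction, inside, remote = event
        if direction == "out":
            stats[inside]["out"] += 1
            pending[(inside, remote)] += 1
        elif pending[(inside, remote)] > 0:
            pending[(inside, remote)] -= 1
            stats[inside]["answered"] += 1
        else:
            stats[inside]["unmatched_in"] += 1
    return {host: dict(counts) for host, counts in stats.items()}
```

For the lines in the post, both inside hosts show every outbound translation answered, so the replies reached the router from the outside and were translated back toward 192.168.10.2 and 192.168.0.54.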
1 REPLY

Hi,

try not to post duplicates.

Regards

Alain

Don't forget to rate helpful posts.
