Hello. I am trying to assist a client with configuring their 1711 with a VPN tunnel going back to their main office. They have several routers set up in much the same way (see config below). I plugged this router in, set up the configuration with the correct IPs (checked several times) and now I am stuck.
I am able to ping outside addresses (such as 126.96.36.199) from the router console. I am not able to contact those same sites from my PC that is directly connected to Fe4.
I am able to ping, from my PC, the gateway installed in the router (10.1.6.1), and from the router console I am able to ping my PC.
So from the router console: I can ping internet addresses and LAN addresses.
From my PC: I can ping the router's internal IP, but nothing else.
I seem to think the issue is with the way they have Vlan1 set up on the 1711, but I cannot see what the issue is. Like I said, they have several configs just like this at other sites, and they are working just fine. Can anyone point me in the right direction?
Just to be clear, I haven't even gotten to the point where I've tried to establish the tunnel on the other end. I am just trying to get from my LAN (10.1.6.x) out to the internet, through this router.
Thanks for any help.
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
service sequence-numbers
!
hostname Routername
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000 warnings
!
username asdadf password 7 0016071417asdf5A1845fad0833494B07
username 23wwfa privilege 15 password 7 asdf23qwrt32asdg3
clock timezone EST -5
clock summer-time EST date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
no ip source-route
!
!
!
!
no ip domain lookup
ip domain name domainname.local
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip ids po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
login quiet-mode access-class 123
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key as2323sa433 address x.x.x.x
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_10 1 ipsec-isakmp
 description Tunnel to DataCenter
 set peer x.x.x.x
 set transform-set SDM_TRANSFORMSET_1
 match address GRE2DATACENTER
!
!
!
interface Tunnel0
 description VPN to DataCenter Fiber
 bandwidth 2048
 ip address 10.254.253.30 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip mtu 1338
 ip hello-interval eigrp 10000 20
 ip hold-time eigrp 10000 60
 ip route-cache flow
 ip tcp adjust-mss 1200
 cdp enable
 tunnel source FastEthernet0
 tunnel destination x.x.x.x.x
!
interface Null0
 no ip unreachables
!
interface Loopback100
 ip address 10.254.1.14 255.255.255.255
 no ip redirects
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0
 description Connected to Internet
 ip address x.x.x.x y.y.y.y
 ip access-group 123 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_10
 crypto ipsec df-bit clear
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
!
interface Vlan1
 description Connected to Datacenter
 ip address 10.1.6.1 255.255.254.0
 ip helper-address 10.0.2.11
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Async1
 no ip address
!
router eigrp 10000
 passive-interface Vlan1
 passive-interface FastEthernet0
 network 10.0.0.0
 no auto-summary
 eigrp stub connected
!
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y (next hop)
ip route x.x.x.x (tunnel address) 255.255.255.255 y.y.y.y (next hop)
no ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
!
!
!
ip access-list extended GRE2DATACENTER
 permit gre host x.x.x.x host y.y.y.y
access-list 1 permit 10.1.14.0 0.0.1.255
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 1 permit 10.1.6.0 0.0.1.255
access-list 123 permit esp any any
access-list 123 permit ip host x.x.x.x host y.y.y.y
access-list 123 permit icmp host x.x.x.x host y.y.y.y
access-list 123 permit icmp any host y.y.y.y unreachable
access-list 123 permit icmp any host y.y.y.y time-exceeded
access-list 123 permit icmp any host y.y.y.y echo-reply
access-list 123 permit icmp any host y.y.y.y source-quench
access-list 123 permit icmp x.x.x.x 0.0.0.7 host y.y.y.y
access-list 123 permit udp host x.x.x.x host y.y.y.y eq isakmp
access-list 123 permit udp host 188.8.131.52 eq ntp host y.y.y.y eq ntp
access-list 123 permit tcp 184.108.40.206 0.0.1.255 any range ftp-data 22
access-list 123 permit tcp 220.127.116.11 0.0.0.255 any range ftp-data 22
access-list 123 permit tcp host x.x.x.x any range ftp-data 22
access-list 123 permit tcp any host y.y.y.y eq telnet
access-list 123 permit ip x.x.x.x 0.0.7.255 any
access-list 123 permit ip x.x.x.x 0.0.0.255 any
access-list 123 deny ip 10.0.0.0 0.255.255.255 any
access-list 123 deny ip 172.16.0.0 0.15.255.255 any
access-list 123 deny ip 192.168.0.0 0.0.255.255 any
access-list 123 deny ip 127.0.0.0 0.255.255.255 any
access-list 123 deny ip host 255.255.255.255 any
access-list 123 deny ip host 0.0.0.0 any
access-list 123 deny ip any any log
snmp-server community publicsum#blue RO
snmp-server community privatesum#blue RW
snmp-server community ripcord RO 3
snmp-server enable traps tty
snmp-server host 10.0.2.11 publicsum#blue syslog
!
!
control-plane
!
!
line con 0
 logging synchronous
 login local
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 logging synchronous
 login local
line vty 5 15
 logging synchronous
 login local
 transport input ssh
!
end
Geez, you're probably right. I've been staring at that config for a good part of the day (albeit on 3 hours of sleep (long DC move)). I'll try that and let you know tomorrow. Thank you for taking the time to look at it.
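
An added example, not part of the original thread or the poster's config: a small Python audit over the NAT and management lines of the posted config. It flags that Vlan1 and FastEthernet0 are marked `ip nat inside` / `ip nat outside` while no `ip nat inside source` rule exists, so nothing translates the 10.1.6.x hosts on the way out, and it reports two management-plane gaps visible in the same config. The `SAMPLE` excerpt, the function names and the finding labels are constructed for illustration.

```python
import re

# Constructed excerpt: NAT and management lines taken from the config posted above.
SAMPLE = """\
interface FastEthernet0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
snmp-server community privatesum#blue RW
snmp-server community ripcord RO 3
line vty 0 4
 login local
line vty 5 15
 login local
 transport input ssh
"""

def sections(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            current = None                      # '!' and blank lines end a section
        elif line[0].isspace() and current:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out.setdefault(current, [])
    return out

def audit(config):
    """Return findings for NAT and management-plane gaps (hypothetical check names)."""
    sec, findings = sections(config), []
    nat_if = {d for d in ("inside", "outside")
              if any(k.startswith("interface ") and f"ip nat {d}" in v for k, v in sec.items())}
    if nat_if == {"inside", "outside"} and not any(k.startswith("ip nat inside source ") for k in sec):
        findings.append("nat: interfaces marked inside/outside but no 'ip nat inside source' rule")
    for cmd, sub in sec.items():
        if cmd.startswith("line vty") and "transport input ssh" not in sub:
            findings.append(f"vty: '{cmd}' is not restricted to 'transport input ssh'")
        if re.fullmatch(r"snmp-server community \S+ RW", cmd):
            findings.append("snmp: read-write community with no access-list")  # string not echoed
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running `audit()` over a full `show running-config` works the same way, since the parser only relies on IOS indentation and `!` separators.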