Cisco 871 router cannot ping corporate network space over IPsec VPN.
We have an 871 configured as an EzVPN client in network extension mode. We have outbound shaping and QoS applied to the virtual-template interface to prioritize voice and all that is working great.
The problem is that from the 871 itself I cannot ping anything on our corporate network space. If I do an extended ping and use the 871 vlan1 interface IP address as the source I can ping back to the corporate network.
Here is the routing table in the 871 once the IPsec tunnel comes up:
871RT_232#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 18.104.22.168 to network 0.0.0.0
22.214.171.124/32 is subnetted, 1 subnets
S 126.96.36.199 [254/0] via 188.8.131.52, FastEthernet4
S 172.26.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
172.28.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.28.0.232/29 is directly connected, Vlan1
S 172.28.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
184.108.40.206/23 is subnetted, 1 subnets
C 220.127.116.11 is directly connected, FastEthernet4
S 192.168.1.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S 18.104.22.168/16 [1/0] via 0.0.0.0, Virtual-Access2
S 22.214.171.124/24 [1/0] via 0.0.0.0, Virtual-Access2
126.96.36.199/32 is subnetted, 1 subnets
S 188.8.131.52 [1/0] via 184.108.40.206
S* 0.0.0.0/0 [254/0] via 220.127.116.11
Our main corporate network space is the 18.104.22.168 network.
All the static routes that point to Virtual-Access2 are injected from the 3030 concentrator headend when the 871 brings up the IPsec tunnel.
Again the PC and IP phone plugged into the 871 can access services on the 22.214.171.124 network, but the router itself cannot - unless I use the extended ping function.
I need the 871 to be able to send SNMP traffic to network management consoles on the 126.96.36.199 network as well as get its NTP (or SNTP) clock from that network.
Any ideas - any fancy static routing I need to do in the 871?
Re: Cisco 871 router cannot ping corporate network space over IP
Good news and bad news. Good news is you can get SNMP, Telnet, SSH, Radius, NTP, etc... to work. The bad news is you can't get ping to work without using extended ping.
The VPN tunnel entrance is between the Fe4 and Vlan1 interface. By default the 870 series routers like to use the Fe4 as their source interface. This won't work obviously since it knows nothing about a tunnel entrance.
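One way to act on the reply above is to pin each router-originated management service to Vlan1 so it no longer defaults to Fe4. This is an added example, not configuration from either poster; it assumes Vlan1 is the inside interface shown in the routing table, and `<ntp-server>`, `<nms-host>` and `<community>` are placeholders.

```cisco
! Added example: assumes Vlan1 (172.28.0.232/29 in the routing table above)
! is the inside interface whose addresses the tunnel carries.
! <ntp-server>, <nms-host> and <community> are placeholders.
configure terminal
 ! Clock: source NTP requests from Vlan1 instead of FastEthernet4
 ntp source Vlan1
 ntp server <ntp-server>
 ! SNMP traps and syslog toward the management consoles
 snmp-server trap-source Vlan1
 snmp-server host <nms-host> <community>
 logging source-interface Vlan1
 ! Router-initiated sessions, AAA and file transfers
 ip telnet source-interface Vlan1
 ip ssh source-interface Vlan1
 ip radius source-interface Vlan1
 ip tftp source-interface Vlan1
end
! Verify: the sourced ping should succeed and NTP should list the server
ping <ntp-server> source Vlan1
show ntp associations
```

For SNMP polling, point the management console at the router's Vlan1 address rather than its Fe4 address.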