877 using fe as WAN (ISP provider modem/router) - routing issues

So, the router can ping everything from every source, but a laptop connected to vlan1 (172.30.99.0/24) can't ping the vpn peer (172.20.0.0/24) and vice versa.

Basic setup is:

Remote firewall <-> internet <-> local ISP (modem/router) <-> Cisco 877 <-> laptop/switch etc

  Remote firewall:       172.20.0.0/16
  ISP modem/router:      192.168.1.254
  Cisco 877, WAN side:   192.168.1.139
  Cisco 877, LAN side:   172.30.99.1
  laptop/switch:         172.30.99.0/24

Current configuration : 4340 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname ITTEST
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 10240
enable secret <PASSWORD>
enable password <PASSWORD>
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 172.30.99.1 172.30.99.100
!
ip dhcp pool dhcppool
   import all
   network 172.30.99.0 255.255.255.0
   default-router 172.30.99.1
   dns-server 172.30.99.1 172.20.0.120 172.20.0.121
   domain-name gratte.com
   update arp
!
!
ip cef
ip domain name gratte.com
ip name-server 192.168.1.254
ip name-server 172.20.0.120
ip name-server 172.20.0.121
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp peer address <REMOTE PEER IP>
 set aggressive-mode password <PRESHARED>
 set aggressive-mode client-endpoint fqdn ITTEST
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
 set transform-set 3DESSHA
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 description --- IPSec Tunnel to KX ---
 ip address 172.30.99.10 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Vlan1
 tunnel destination <REMOTE PEER IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 description DATA
 spanning-tree portfast
!
interface FastEthernet1
 description VOICE
 switchport access vlan 100
 switchport voice vlan 100
 spanning-tree portfast
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 switchport access vlan 666
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 ip address 172.30.99.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Vlan666
 ip address 192.168.1.139 255.255.255.0
 ip nat outside
 ip virtual-reassembly
!
interface Dialer0
 no ip address
!
ip default-gateway 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 10.20.0.0 255.255.0.0 Tunnel0
ip route 10.21.0.0 255.255.0.0 Tunnel0
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface Vlan666 overload
!
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 199 permit icmp any any
!
!
!
!
snmp-server community public RO
snmp-server community blobby RW
!
control-plane
!
line con 0
 password <PASSWORD>
 login
 no modem enable
line aux 0
line vty 0 4
 password <PASSWORD>
 login
!
scheduler max-task-time 5000
ntp server 72.8.140.222
ntp server 172.20.0.120
ntp server 172.20.0.121
end

Any ideas?

Thanks!

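Added example, not part of the post above and not Cisco code: a small Python script that reads the addressing, routing and NAT lines of the posted configuration and runs the consistency checks worth doing before debugging a setup like this by hand. It reports whether the DHCP pool network fits inside any connected interface subnet, which interface the router would use for a LAN host, for the VPN network and for an internet address (longest-prefix match over connected plus static routes), and whether the inside-source NAT rule (ACL 100 plus the inside/outside interface marking) would translate traffic on each of those paths. The host addresses 172.30.99.101, 172.20.0.5 and 203.0.113.10 are constructed test values, the config excerpt is copied from the post, and the parser only understands the command forms that appear there.

```python
import ipaddress

# Excerpt of the configuration posted above, cut down to the lines these checks
# read (copied from the post, not a live "show run").
CONFIG = """\
interface Tunnel0
 ip address 172.30.99.10 255.255.255.252
!
interface Vlan1
 ip address 172.30.99.1 255.255.255.252
 ip nat inside
!
interface Vlan666
 ip address 192.168.1.139 255.255.255.0
 ip nat outside
!
ip dhcp pool dhcppool
   network 172.30.99.0 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.99.0 255.255.255.0 Vlan1
!
access-list 100 permit ip 172.30.99.0 0.0.0.255 any
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
"""

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def _wildcard_net(addr, wildcard):
    """IOS wildcard mask (0 bits must match) to a prefix; contiguous masks only."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.IPv4Network(f"{addr}/{32 - ones}", strict=False)


def _acl_addr(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    return _wildcard_net(tokens[0], tokens[1]), tokens[2:]


def parse(config):
    """Extract interfaces, DHCP pool networks, static routes and 'permit ip' ACL entries."""
    ifaces, pools, routes, acls = {}, [], [], {}
    iface, in_pool = None, False
    for raw in config.splitlines():
        p = raw.split()
        if not p or p[0] == "!":
            continue
        if p[0] == "interface":
            iface, in_pool = p[1], False
            ifaces[iface] = {"addr": None, "nat": None}
        elif p[:2] == ["ip", "address"] and iface:
            ifaces[iface]["addr"] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
        elif p[:2] == ["ip", "nat"] and iface and len(p) == 3:
            ifaces[iface]["nat"] = p[2]              # "inside" or "outside"
        elif p[:3] == ["ip", "dhcp", "pool"]:
            iface, in_pool = None, True
        elif p[0] == "network" and in_pool:
            pools.append(ipaddress.IPv4Network(f"{p[1]}/{p[2]}"))
        elif p[:2] == ["ip", "route"]:
            iface, in_pool = None, False
            routes.append((ipaddress.IPv4Network(f"{p[2]}/{p[3]}"), p[4]))
        elif p[0] == "access-list" and p[2:4] == ["permit", "ip"]:
            iface, in_pool = None, False
            src, rest = _acl_addr(p[4:])
            dst, _ = _acl_addr(rest)
            acls.setdefault(p[1], []).append((src, dst))
    return ifaces, pools, routes, acls


def route_table(ifaces, routes):
    """Connected networks (next hop = interface name) followed by the static routes."""
    return [(i["addr"].network, n) for n, i in ifaces.items() if i["addr"]] + routes


def lookup(table, dst):
    """Longest-prefix match; returns (network, next hop) or None."""
    dst, best = ipaddress.IPv4Address(dst), None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def egress_interface(ifaces, table, dst):
    """Interface a packet to dst leaves on; a next-hop address resolves to its connected interface."""
    hit = lookup(table, dst)
    if hit is None:
        return None
    if hit[1] in ifaces:
        return hit[1]
    for name, i in ifaces.items():
        if i["addr"] and ipaddress.IPv4Address(hit[1]) in i["addr"].network:
            return name
    return None


def acl_permits(acl, src, dst):
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sn and d in dn for sn, dn in acl)


def nat_applies(ifaces, table, acl, src, dst):
    """Inside-source NAT translates only when the packet enters an 'ip nat inside' interface,
    leaves an 'ip nat outside' interface and the ACL permits it."""
    ingress = egress_interface(ifaces, table, src)   # reverse lookup of the source
    egress = egress_interface(ifaces, table, dst)
    if ingress is None or egress is None:
        return False
    return (ifaces[ingress]["nat"] == "inside"
            and ifaces[egress]["nat"] == "outside"
            and acl_permits(acl, src, dst))


def pool_conflicts(ifaces, pools):
    """(pool, interface) pairs where the pool overlaps the interface subnet without fitting inside it."""
    return [(pool, name) for name, i in ifaces.items() if i["addr"] for pool in pools
            if pool.overlaps(i["addr"].network) and not pool.subnet_of(i["addr"].network)]


def report(config=CONFIG):
    ifaces, pools, routes, acls = parse(config)
    table = route_table(ifaces, routes)
    laptop, vpn_host, internet_host = "172.30.99.101", "172.20.0.5", "203.0.113.10"  # constructed
    return {
        "pool_conflicts": [(str(p), n) for p, n in pool_conflicts(ifaces, pools)],
        "laptop_interface": egress_interface(ifaces, table, laptop),
        "vpn_egress": egress_interface(ifaces, table, vpn_host),
        "nat_to_vpn": nat_applies(ifaces, table, acls["100"], laptop, vpn_host),
        "nat_to_internet": nat_applies(ifaces, table, acls["100"], laptop, internet_host),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as-is it prints the five findings for the posted config; point it at a different `show run` excerpt by passing the text to `report()`. The NAT check deliberately separates "the ACL matches" from "translation happens", because an inside-source rule only fires on an inside-to-outside path, and a tunnel interface with no `ip nat` statement is on neither side.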