Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Routing Issue

Hi,

We are currently having an issue configuring our wireless interface to allow access to the internet.

We have an Cisco 1841 with two external connections that we have been configuring, with use of a route-map, to direct all traffic except for traffic heading to our remote site over our VPN. We have two internal subnets, one for ethernet connectivity and one for wireless connectivity. The route-map configuration works for our wired connections sending it down one of our external connections for VPN traffic and the other for everything else but when we test a wireless connection it doesn't.

We can see that the wireless connection is getting NAT'd, can resolve DNS but can't connect or ping any website.

Any ideas? I have a feeling it is something very simple.

Thanks,

David.

icmp 72.167.13.44:1      192.168.50.31:1       173.194.37.83:1       173.194.37.83:1

tcp 72.167.13.44:49200   192.168.50.31:49200   192.168.10.203:445    192.168.10.203:445

tcp 72.167.13.44:49490   192.168.50.31:49490   92.122.207.170:80     92.122.207.170:80

tcp 72.167.13.44:49491   192.168.50.31:49491   212.58.246.91:80      212.58.246.91:80

tcp 72.167.13.44:49492   192.168.50.31:49492   212.58.246.99:80      212.58.246.99:80

tcp 72.167.13.44:49493   192.168.50.31:49493   212.58.246.99:80      212.58.246.99:80

tcp 72.167.13.44:49494   192.168.50.31:49494   92.122.207.170:80     92.122.207.170:80

tcp 72.167.13.44:49495   192.168.50.31:49495   212.58.246.99:80      212.58.246.99:80

tcp 72.167.13.44:49496   192.168.50.31:49496   212.58.244.71:80      212.58.244.71:80

tcp 72.167.13.44:49497   192.168.50.31:49497   212.58.246.99:80      212.58.246.99:80



version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname hatterFW_01

!

boot-start-marker

boot-end-marker

!

logging buffered 8192 informational

logging console informational

logging monitor informational

enable password 7

!

aaa new-model

!

!

aaa authentication login userlist local

aaa authentication ppp default local

aaa authorization network groupauthor local

!

aaa session-id common

!

resource policy

!

memory-size iomem 20

clock timezone London 0

clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

no ip source-route

ip icmp rate-limit unreachable 100

ip icmp rate-limit unreachable DF 1

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.50.254

ip dhcp excluded-address 192.168.50.10 192.168.50.11

!

ip dhcp pool Wireless

   import all

   network 192.168.50.0 255.255.255.0

   dns-server 192.168.10.1 192.168.10.2

   default-router 192.168.50.254

   lease 3

!

!

no ip bootp server

ip domain name hatter.co.uk

ip name-server 192.168.10.1

ip name-server 192.168.10.2

ip ssh time-out 60

ip ssh authentication-retries 2

ip inspect name outbound esmtp

ip inspect name outbound tcp

ip inspect name outbound udp

!

!

crypto pki trustpoint TP-self-signed-337632103

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-337632103

revocation-check none

rsakeypair TP-self-signed-337632103

!

!

crypto pki certificate chain TP-self-signed-337632103

certificate self-signed 01

  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33333736 33323130 33301E17 0D303930 38313030 39353735

  305A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53

  quit

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

lifetime 28800

!

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp key bob address 16.161.13.21

crypto isakmp keepalive 20 10

crypto isakmp xauth timeout 20


!

crypto isakmp client configuration group VPNCLIENTGROUP

key bob

dns 192.168.10.1 192.168.10.2

domain hatter.co.uk

pool vpn1

acl hattervpn_splitTunnelAcl

crypto isakmp profile VPNclient

   description VPN clients profile

   match identity group VPNCLIENTGROUP

   client authentication list userlist

   isakmp authorization list groupauthor

   client configuration address respond

!

!

crypto ipsec transform-set 3des esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set HiRemote esp-aes esp-sha-hmac

!

crypto dynamic-map dynmap 20

set transform-set 3des

set isakmp-profile VPNclient

reverse-route

!

!

crypto map map1 10 ipsec-isakmp

set peer 16.161.13.21

set transform-set HiRemote

match address 100

crypto map map1 20 ipsec-isakmp dynamic dynmap

!

bridge irb

!

!

!

interface FastEthernet0/0

description $ETH-WAN$

bandwidth 2048

ip address 242.12.146.210 255.255.255.240

ip access-group outside_acl in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip inspect outbound in

ip inspect outbound out

ip virtual-reassembly

no ip route-cache cef

ip route-cache flow

ip tcp adjust-mss 1452

no ip mroute-cache

duplex auto

speed auto

no cdp enable

arp timeout 1800

no mop enabled

crypto map map1

!

interface BVI1

description Wireless LAN

ip address 192.168.50.254 255.255.255.0

ip access-group inside_acl in

ip nat inside

ip virtual-reassembly

ip policy route-map dialer

!

interface FastEthernet0/1

description $ETH-LAN$

ip address 192.168.10.254 255.255.255.0

ip access-group inside_acl in

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip inspect outbound in

ip inspect outbound out

ip virtual-reassembly

ip tcp adjust-mss 1452

ip policy route-map dialer

speed 100

full-duplex

!

interface ATM0/0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip route-cache flow

no ip mroute-cache

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0/0/0.1 point-to-point

no ip redirects

no ip unreachables

no ip proxy-arp

no snmp trap link-status

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface Dot11Radio0/1/0

description Wireless interface

no ip address

no ip redirects

ip local-proxy-arp

ip virtual-reassembly

!

broadcast-key vlan 1 change 45

!

broadcast-key vlan 2 change 45

!

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 2 mode ciphers tkip

!

encryption mode ciphers tkip

!

ssid hatter01

    vlan 1

    authentication open

    authentication key-management wpa

    guest-mode

    wpa-psk ascii 7

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2452

station-role root

no cdp enable

!

interface Dot11Radio0/1/0.1

description hatter UnSecure

encapsulation dot1Q 1 native

ip virtual-reassembly

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dialer0

bandwidth 8192

ip address 72.167.13.44 255.255.240.0

ip access-group dialer in

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname bob

ppp chap password 7 062A3B7

ppp pap sent-username bob password 7 013F325

!

interface BVI2

mtu 1514

ip address 192.168.51.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool vpn1 192.168.11.1 192.168.11.20

ip route 0.0.0.0 0.0.0.0 242.12.146.209

ip route 146.101.163.30 255.255.255.255 242.12.146.209

!

ip flow-top-talkers

top 20

sort-by bytes

!

ip http server

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat pool pool1 242.12.146.211 242.12.146.211 netmask 255.255.255.240

ip nat inside source list 111 pool pool1 overload

ip nat inside source route-map dialer interface Dialer0 overload

!

ip access-list extended hattervpn_splitTunnelAcl

permit ip 192.168.10.0 0.0.0.255 any

ip access-list extended dialer

permit ip 192.168.10.0 0.0.0.255 any

permit ip 192.168.50.0 0.0.0.255 any

deny   ip any any

ip access-list extended general

permit ip any any

ip access-list extended inside_acl

permit udp host 192.168.10.1 host 172.16.1.78 eq domain

permit udp host 192.168.10.1 host 172.16.1.80 eq domain

permit udp host 192.168.10.2 host 172.16.1.78 eq domain

permit udp host 192.168.10.2 host 172.16.1.80 eq domain

permit tcp host 192.168.10.50 host 172.16.1.90 eq 8080

permit tcp host 192.168.10.50 host 172.16.1.90 eq 8081

permit tcp host 192.168.10.48 host 172.16.1.92 eq 8080

permit tcp host 192.168.10.48 host 172.16.1.92 eq 8081

permit tcp host 192.168.10.63 host 172.16.1.92 eq 8080

permit tcp host 192.168.10.54 host 172.16.1.10 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.11 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.13 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.14 eq 3389

permit tcp host 192.168.10.54 host 172.16.1.15 eq 3389

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.20 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.22 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.24 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.26 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.28 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.30 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.32 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.34 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.36 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.100 eq 1433

permit tcp 192.168.10.0 0.0.0.255 host 172.16.2.118 eq 1433

permit ip host 192.168.10.50 172.16.0.0 0.0.255.255

permit ip host 192.168.10.51 172.16.0.0 0.0.255.255

permit ip host 192.168.10.57 172.16.0.0 0.0.255.255

permit ip host 192.168.10.66 172.16.0.0 0.0.255.255

permit ip host 192.168.10.61 172.16.0.0 0.0.255.255

permit ip host 192.168.10.67 172.16.0.0 0.0.255.255

permit ip host 192.168.10.83 172.16.0.0 0.0.255.255

permit ip host 192.168.10.84 172.16.0.0 0.0.255.255

permit ip host 192.168.10.55 172.16.0.0 0.0.255.255

permit ip host 192.168.10.160 172.16.0.0 0.0.255.255

permit ip host 192.168.10.163 172.16.0.0 0.0.255.255

permit ip host 192.168.10.203 172.16.0.0 0.0.255.255

permit tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq www

permit tcp 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255 eq 443

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.90 eq 7099

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.93 eq ftp

permit tcp 192.168.10.0 0.0.0.255 host 172.16.1.93 eq 22

deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

deny   ip 192.168.11.0 0.0.0.255 172.16.0.0 0.0.255.255

deny   tcp any any eq 4662

deny   tcp any 128.121.20.0 0.0.0.15 eq www

deny   tcp any 128.121.4.0 0.0.0.255 eq www

permit ip any any

permit icmp 192.168.10.0 0.0.0.255 any echo

permit icmp 192.168.10.0 0.0.0.255 any echo-reply

ip access-list extended outside_acl

permit ahp host 146.101.163.30 host 242.12.146.210

permit ahp any host 242.12.146.210

permit esp host 146.101.163.30 host 242.12.146.210

permit esp any host 242.12.146.210

permit udp host 146.101.163.30 host 242.12.146.210 eq isakmp

permit udp any host 242.12.146.210 eq isakmp

permit udp host 146.101.163.30 host 242.12.146.210 eq non500-isakmp

permit udp any host 242.12.146.210 eq non500-isakmp

permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255

permit udp host 146.101.163.30 any eq isakmp

permit udp host 146.101.163.30 eq isakmp any

permit esp host 146.101.163.30 any

permit udp any eq isakmp any

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

permit ahp any any

permit esp any any

permit tcp any host 242.12.146.212 eq 995

permit tcp any host 242.12.146.212 eq 587

permit tcp any host 242.12.146.212 eq www

permit tcp any host 242.12.146.212 eq 443

permit tcp any host 242.12.146.212 eq smtp

permit tcp any host 242.12.146.212 eq 993

permit tcp any host 242.12.146.213 eq www

permit tcp any host 242.12.146.214 eq www

permit tcp any host 242.12.146.215 eq www

permit tcp any host 242.12.146.215 eq 443

permit tcp any host 242.12.146.216 eq www

permit tcp any host 242.12.146.216 eq 443

permit tcp host 80.177.153.32 host 242.12.146.214 eq 8080

permit tcp host 146.101.163.30 host 242.12.146.214 eq 8080

permit icmp any any

deny   ip any any log

!

no logging trap

logging 192.168.10.203

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 101 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 101 permit ip any host 146.101.162.209

access-list 101 permit ip any host 146.101.250.35

access-list 101 permit ip any host 80.64.57.160

access-list 101 permit ip any host 80.64.57.161

access-list 101 permit ip any host 146.101.121.78

access-list 101 permit ip any host 146.101.121.79

access-list 101 deny   ip host 192.168.10.203 any

access-list 101 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 101 deny   ip any 192.168.11.0 0.0.0.255

access-list 101 deny   ip 192.168.10.50 0.0.0.1 any

access-list 101 deny   ip 192.168.10.52 0.0.0.3 any

access-list 101 deny   ip 192.168.10.56 0.0.0.7 any

access-list 101 deny   ip 192.168.10.64 0.0.0.31 any

access-list 101 deny   ip 192.168.10.96 0.0.0.3 any

access-list 101 deny   ip host 192.168.10.100 any

access-list 101 deny   ip host 192.168.10.204 any

access-list 101 deny   ip host 192.168.10.205 any

access-list 101 deny   ip host 192.168.10.206 any

access-list 101 deny   ip host 192.168.10.207 any

access-list 101 deny   ip host 192.168.10.208 any

access-list 101 deny   ip host 192.168.10.209 any

access-list 101 deny   ip host 192.168.10.210 any

access-list 101 deny   ip host 192.168.10.220 any

access-list 101 deny   ip host 192.168.10.221 any

access-list 101 permit ip 192.168.50.0 0.0.0.255 any

access-list 101 permit ip 192.168.10.0 0.0.0.31 any

access-list 101 permit ip 192.168.10.32 0.0.0.15 any

access-list 101 permit ip 192.168.10.48 0.0.0.1 any

access-list 101 permit ip host 192.168.10.101 any

access-list 101 permit ip 192.168.10.102 0.0.0.1 any

access-list 101 permit ip 192.168.10.104 0.0.0.7 any

access-list 101 permit ip 192.168.10.112 0.0.0.15 any

access-list 101 permit ip 192.168.10.128 0.0.0.63 any

access-list 101 permit ip 192.168.10.192 0.0.0.31 any

access-list 101 permit ip 192.168.10.224 0.0.0.15 any

access-list 101 permit ip 192.168.10.240 0.0.0.7 any

access-list 101 permit ip 192.168.10.248 0.0.0.3 any

access-list 101 permit ip 192.168.10.252 0.0.0.1 any

access-list 102 permit ip any any

access-list 103 deny   ip any any dscp 1 log

access-list 103 permit ip any any

access-list 104 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 104 deny   ip host 192.168.10.203 172.16.0.0 0.0.255.255

access-list 104 deny   ip host 192.168.10.203 192.168.11.0 0.0.0.255

access-list 104 deny   ip any 192.168.11.0 0.0.0.255

access-list 104 permit ip host 192.168.10.203 any

access-list 104 permit ip host 192.168.10.204 any

access-list 104 permit ip host 192.168.10.205 any

access-list 104 permit ip host 192.168.10.206 any

access-list 104 permit ip host 192.168.10.207 any

access-list 104 permit ip host 192.168.10.208 any

access-list 104 permit ip host 192.168.10.209 any

access-list 104 permit ip host 192.168.10.210 any

access-list 104 permit ip host 192.168.10.220 any

access-list 104 permit ip host 192.168.10.221 any

access-list 105 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

access-list 105 deny   ip host 192.168.10.203 any

access-list 105 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 105 deny   ip any 192.168.11.0 0.0.0.255

access-list 105 deny   ip 192.168.10.0 0.0.0.31 any

access-list 105 deny   ip 192.168.10.32 0.0.0.15 any

access-list 105 deny   ip 192.168.10.48 0.0.0.1 any

access-list 105 deny   ip host 192.168.10.101 any

access-list 105 deny   ip 192.168.10.102 0.0.0.1 any

access-list 105 deny   ip 192.168.10.104 0.0.0.7 any

access-list 105 deny   ip 192.168.10.112 0.0.0.15 any

access-list 105 deny   ip 192.168.10.128 0.0.0.63 any

access-list 105 deny   ip 192.168.10.192 0.0.0.31 any

access-list 105 deny   ip 192.168.10.224 0.0.0.15 any

access-list 105 deny   ip 192.168.10.240 0.0.0.7 any

access-list 105 deny   ip 192.168.10.248 0.0.0.3 any

access-list 105 deny   ip 192.168.10.252 0.0.0.1 any

access-list 105 deny   ip host 192.168.10.204 any

access-list 105 deny   ip host 192.168.10.205 any

access-list 105 deny   ip host 192.168.10.206 any

access-list 105 deny   ip host 192.168.10.207 any

access-list 105 deny   ip host 192.168.10.208 any

access-list 105 deny   ip host 192.168.10.209 any

access-list 105 deny   ip host 192.168.10.210 any

access-list 105 deny   ip host 192.168.10.220 any

access-list 105 deny   ip host 192.168.10.221 any

access-list 105 permit ip 192.168.10.50 0.0.0.1 any

access-list 105 permit ip 192.168.10.52 0.0.0.3 any

access-list 105 permit ip 192.168.10.56 0.0.0.7 any

access-list 105 permit ip 192.168.10.64 0.0.0.31 any

access-list 105 permit ip 192.168.10.96 0.0.0.3 any

access-list 105 permit ip host 192.168.10.100 any

access-list 105 permit ip 192.168.50.0 0.0.0.255 any

access-list 106 permit ip any any

access-list 107 permit ip any any

access-list 109 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0

access-list 109 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.255.0

access-list 109 permit ip any 0.0.0.0 255.255.255.0

access-list 109 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0

access-list 110 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 110 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 110 deny   udp host 192.168.50.31 192.168.10.0 0.0.0.255 eq domain

access-list 110 permit ip host 192.168.10.51 any

access-list 110 permit ip host 192.168.10.52 any

access-list 110 permit ip host 192.168.10.55 any

access-list 110 permit ip host 192.168.10.56 any

access-list 110 permit ip host 192.168.10.57 any

access-list 110 permit ip host 192.168.10.61 any

access-list 110 permit ip host 192.168.10.66 any

access-list 110 permit ip host 192.168.10.68 any

access-list 110 permit ip host 192.168.10.76 any

access-list 110 permit ip host 192.168.10.83 any

access-list 110 permit ip host 192.168.10.84 any

access-list 110 permit ip host 192.168.50.31 any

access-list 110 deny ip any any

access-list 111 deny   ip 192.168.10.0 0.0.0.255 172.16.0.0 0.0.255.255

access-list 111 deny   ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255

access-list 111 deny   ip any 192.168.11.0 0.0.0.255

access-list 111 deny   ip host 192.168.10.51 any

access-list 111 deny   ip host 192.168.10.52 any

access-list 111 deny   ip host 192.168.10.55 any

access-list 111 deny   ip host 192.168.10.56 any

access-list 111 deny   ip host 192.168.10.57 any

access-list 111 deny   ip host 192.168.10.61 any

access-list 111 deny   ip host 192.168.10.66 any

access-list 111 deny   ip host 192.168.10.68 any

access-list 111 deny   ip host 192.168.10.76 any

access-list 111 deny   ip host 192.168.10.83 any

access-list 111 deny   ip host 192.168.10.84 any

access-list 111 deny   ip host 192.168.50.31 any

access-list 111 permit ip 192.168.50.0 0.0.0.255 any

access-list 111 permit ip 192.168.10.0 0.0.0.255 any

dialer-list 1 protocol ip permit

snmp-server community bob RO

snmp-server host 192.168.10.203 bob

arp 192.168.10.110 03bf.c0a8.0a6e ARPA

arp 192.168.10.111 03bf.c0a8.0a6e ARPA

!

!

!

route-map dialer permit 20

match ip address 110

set interface Dialer0

!

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

!

!

scheduler allocate 20000 1000

end

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Routing Issue

Hi David,

Removing the ACL from the BVI interface probably won't help here: it is placed in the inbound direction which is basically the traffic going from the wireless clients and entering the routed part of the router. You may give it a try but I would not expect too much. You have stated yourself that the NAT entries are populated correctly, so from this it follows that either the packets from the wireless clients are unable to go out to the internet, or the replies cannot make it back. Follow the path in both directions and have a look on those appropriate ACLs.

Eventually, you could add a single deny ip any any log at the very end of each ACL, one at a time, and see if there are any dropped packets logged that constitute the traffic from your wireless clients going out, or responses coming back in.

Best regards,

Peter

8 REPLIES
Cisco Employee

Re: Routing Issue

David,

You have a fairly large ACL and IP Inspect configuration which is quite hard to follow here. I suggest trying to temporarily remove the ACLs and IP Inspect away from the interfaces and putting them subsequently back, one by one, to see whether the traffic is actually blocked by those ACLs and which one exactly is the one blocking your traffic.

If removing the ACLs does not help then let's try looking down further on the NAT and routing process.

Best regards,

Peter

New Member

Re: Routing Issue

Hi Peter,

Yes, the ACL is large, and I suspect a lot of the ACLs are not needed but at the moment I don't think I'll be able to touch many of them. Are there any in specific that are worth looking at removing? Would it be worth removing the ACL inside_acl on the wireless interface BVI1?

Thanks

David.

Cisco Employee

Re: Routing Issue

Hi David,

Removing the ACL from the BVI interface probably won't help here: it is placed in the inbound direction which is basically the traffic going from the wireless clients and entering the routed part of the router. You may give it a try but I would not expect too much. You have stated yourself that the NAT entries are populated correctly, so from this it follows that either the packets from the wireless clients are unable to go out to the internet, or the replies cannot make it back. Follow the path in both directions and have a look on those appropriate ACLs.

Eventually, you could add a single deny ip any any log at the very end of each ACL, one at a time, and see if there are any dropped packets logged that constitute the traffic from your wireless clients going out, or responses coming back in.

Best regards,

Peter

New Member

Re: Routing Issue

Ok, thanks for the suggestions, I will give the logging a go.

Just I'm not missing anything, I've removed the ACL from BVI1 because the rules didn't even match the traffic so it was pointless IMO, so that leaves the following location that the problem can exist, the ACL applied to Dialer0 Inbound? There are no outbound ACLs applied to either Dialer0 or BVI1 so the traffic should not be blocked?

Thanks,

David.

Hall of Fame Super Blue

Re: Routing Issue

David

Just to clarify, is the wireless client you are testing from 192.168.50.31 ? because that is the only wireless IP address you have in your 110 acl which is used in the route-map.

Jon

New Member

Re: Routing Issue

Hi Jon,

Yeah, for the moment that is the only client I want to apply the new route to, basically for testing.

Thanks,

David.

Hall of Fame Super Blue

Re: Routing Issue

So what does a traceroute show ie. how far does it get. Can you run a traceroute for both wired and wireless client.

Jon

New Member

Re: Routing Issue

Hey guys,

So it was because we had the ACL dialer configured to access the internal addresses, but we should have had the rule configured to allow access to the NAT'd addresses.

Pete, the ACL log idea worked a charm.

Thanks for both your input,

David.

1374
Views
0
Helpful
8
Replies
CreatePlease to create content