
Wednesday, December 25, 2013

Why can't we ping IP from LAN while we can do it from the console?


We recently purchased a 1921 to replace our 871 because the bandwidth on our leased line has been upgraded beyond its capabilities.

I thought I could get away with copying the config (with a few edits obviously). While I can ping Internet IPs from the console I can't from the LAN. I suspected an ACL problem and found replicated entries in NAT, INSIDE and VPN, but removing them has had no effect. The 871 was running V12.4, the 1921 has V15.2 so I'm guessing that a command has changed or been introduced that I don't know about. I can also get telnet access from outside and inside.

Please find the config below, and to preempt the obvious comment I'm aware that we shouldn't be using the LAN range that we are, it's something I inherited and has been deemed "more trouble than it's worth" to change. Also the config is quite old and while I understand the basics I'm sure there will be stuff that could be improved. Any pointers would be most gratefully received.

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PPP
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 NdjNJ4O.rO9g2BG.9GEHVz270zomH.TB7GIPeb9B1bg
!
aaa new-model
!
!
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 15
!
ip cef
!
!
!
!
!
!
ip flow-cache timeout active 1
no ip domain lookup
ip domain name ***.local
ip inspect name DEF-INSPECT h323 timeout 3600
ip inspect name DEF-INSPECT netshow timeout 3600
ip inspect name DEF-INSPECT rcmd timeout 3600
ip inspect name DEF-INSPECT realaudio timeout 3600
ip inspect name DEF-INSPECT rtsp timeout 3600
ip inspect name DEF-INSPECT sqlnet timeout 3600
ip inspect name DEF-INSPECT streamworks timeout 3600
ip inspect name DEF-INSPECT tftp timeout 3600
ip inspect name DEF-INSPECT tcp timeout 3600
ip inspect name DEF-INSPECT udp timeout 3600
ip inspect name DEF-INSPECT vdolive timeout 3600
ip inspect name DEF-INSPECT icmp timeout 3600
ip inspect name DEF-INSPECT ftp timeout 3600
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4023999173
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4023999173
 revocation-check none
 rsakeypair TP-self-signed-4023999173
!
!
crypto pki certificate chain TP-self-signed-4023999173
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303233 39393931 3733301E 170D3032 30333031 30303036
  34325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30323339
  39393137 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D329 7197348E EE5E81A2 4AA95826 D856319E 6412CBCC 25F1E1F4 7F2571D3
  41061F03 C0A12C45 D405A54F ABFBF471 8A5193E3 463EAD06 EF1365A4 352B0572
  6E0522BB B7C9003E 7CAEFC3C 931200C0 66F14A7F 2591A1E0 EC533069 B3B1558D
  49669A33 EBD2CC21 027AA3E4 62E0C0E1 A383170F 405AA6F8 E2116E77 18642D17
  7BFF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14D95FF9 B14D7AD0 3CED0CE9 517DC7A1 D6C6FCB9
  0D301D06 03551D0E 04160414 D95FF9B1 4D7AD03C ED0CE951 7DC7A1D6 C6FCB90D
  300D0609 2A864886 F70D0101 04050003 81810016 600B17A6 CA5FD528 909464D8
  9B19286D 8CEBAB8F 1AE26D4E 11F9FF4B 4B12443E E87FAC30 1CDE3814 2E1E4684
  92C38FCD 195D8DDA 4FC01B23 F4A0CCD6 9FA6AE54 CD2D8230 4AF67BBF 472266B0
  4156E08E 11A787B6 4ACBE852 8DA962C2 69BCD157 63395C8D 8603CE89 1812F8F9
  52678336 DEC725C6 0B3670F0 111A01CC DAE129
        quit
license udi pid CISCO1921/K9 sn FCZ174093QY
!
!
archive
 log config
  hidekeys
username admin password 7 012822555C5A125B2D71
username nwild password 7 12370C1017075D
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 7200
crypto isakmp key *** address *.*.*.*   no-xauth
!
crypto isakmp client configuration group trupak
 key ***
 dns 192.192.192.3
 pool VPNCLIENTS
 acl VPN
!
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac mode tunnel
crypto ipsec transform-set ROUTER3DES esp-3des esp-sha-hmac mode tunnel
!
!
!
crypto dynamic-map REMOTE 10
 set transform-set 3DES
!
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 15 ipsec-isakmp
 set peer *.*.*.*
 set transform-set 3DES
 match address 170
crypto map VPN 30 ipsec-isakmp dynamic REMOTE
!
!
!
!
!
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 bandwidth 40960
 ip address aaa.bbb.ccc.229 255.255.255.248
 ip access-group FIREWALL in
 ip mtu 1420
 ip flow ingress
 ip nat outside
 ip inspect DEF-INSPECT out
 ip virtual-reassembly in
 no ip route-cache cef
 duplex auto
 speed auto
 crypto map VPN
!
interface GigabitEthernet0/1
 ip address 192.168.192.254 255.255.255.0 secondary
 ip address 192.192.192.254 255.255.255.0
 ip access-group INSIDE in
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 ip policy route-map vpn_nonat
 duplex auto
 speed auto
 hold-queue 100 out
!
ip local pool VPNCLIENTS 10.0.0.1 10.0.0.254
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 192.192.192.56 2055
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.192.192.3 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.192.192.3 110 interface GigabitEthernet0/1 110
ip nat inside source static tcp 192.192.192.3 2525 interface GigabitEthernet0/1 2525
ip nat inside source static tcp 192.192.192.3 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.192.192.3 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.192.192.16 5900 interface GigabitEthernet0/1 5900
ip nat inside source static udp 192.192.192.16 5900 interface GigabitEthernet0/1 5900
ip nat inside source static tcp 192.192.192.3 3389 interface GigabitEthernet0/1 4000
ip route 0.0.0.0 0.0.0.0 aaa.bbb.ccc.225
!
ip access-list extended FIREWALL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq ntp
 permit esp any any
 permit ip 192.168.254.0 0.0.0.255 192.192.192.0 0.0.0.255
 permit tcp any any eq telnet
 permit tcp any any eq 3389
 permit tcp any any eq smtp
 permit icmp any any
 permit tcp any any eq pop3
 permit tcp any any eq 2525
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 6504
 permit udp any any eq 6504
 permit udp any any eq 16504
 permit udp any any eq 26504
 permit udp any any eq 36504
 permit udp any any range 46504 46604
 permit ip 10.0.0.0 0.0.0.255 192.192.192.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.192.0 0.0.0.255
 permit tcp any any eq 5900
 permit udp any any eq 5900
 permit tcp any any eq 4000
ip access-list extended INSIDE
 permit ip 192.192.192.0 0.0.0.255 any
ip access-list extended NAT
 deny   ip 192.192.192.0 0.0.0.255 192.168.254.0 0.0.0.255
 permit ip 192.192.192.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 192.192.192.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended pbr
 permit ip 192.192.192.0 0.0.0.255 10.0.0.0 0.0.0.255
!
access-list 170 permit ip 192.192.192.0 0.0.0.255 192.168.254.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map vpn_nonat permit 10
 match ip address pbr
 set ip next-hop 172.16.1.2
!
!
snmp-server ifindex persist
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
alias exec sib show ip int brief
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
end

There are a couple of things to correct-

Your NATs are on the wrong interface-
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.192.192.3 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.192.192.3 110 interface GigabitEthernet0/1 110
ip nat inside source static tcp 192.192.192.3 2525 interface GigabitEthernet0/1 2525
ip nat inside source static tcp 192.192.192.3 80 interface GigabitEthernet0/1 80
ip nat inside source static tcp 192.192.192.3 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.192.192.16 5900 interface GigabitEthernet0/1 5900
ip nat inside source static udp 192.192.192.16 5900 interface GigabitEthernet0/1 5900
ip nat inside source static tcp 192.192.192.3 3389 interface GigabitEthernet0/1 4000

They should be-
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.192.192.3 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.192.192.3 110 interface GigabitEthernet0/0 110
ip nat inside source static tcp 192.192.192.3 2525 interface GigabitEthernet0/0 2525
ip nat inside source static tcp 192.192.192.3 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.192.192.3 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.192.192.16 5900 interface GigabitEthernet0/0 5900
ip nat inside source static udp 192.192.192.16 5900 interface GigabitEthernet0/0 5900
ip nat inside source static tcp 192.192.192.3 3389 interface GigabitEthernet0/0 4000

You also need to apply CBAC to the outside interface-

int gi0/0
ip inspect DEF-INSPECT out
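A small checker, added here and not part of the original thread, that automates the mismatch the answer points out: it reads each interface stanza for its `ip nat inside` / `ip nat outside` role and flags every `ip nat inside source ... interface X` rule whose X is not a NAT outside interface. The embedded config excerpt is constructed from the posted config; interface names are the ones on the page.

```python
"""Lint an IOS running-config for NAT interface-role mismatches.

Added example, not code from the original post: it automates the check the
answer applied by hand, i.e. every 'ip nat inside source ... interface X'
rule must name an interface configured with 'ip nat outside'.
"""
import re

# Constructed excerpt of the posted config (interface names as on the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address aaa.bbb.ccc.229 255.255.255.248
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.192.192.254 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.192.192.3 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.192.192.3 3389 interface GigabitEthernet0/0 4000
"""

NAT_RULE = re.compile(r"^ip nat inside source .*\binterface (\S+)")

def nat_roles(config):
    """Map interface name -> set of NAT roles ('inside'/'outside') from its stanza."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            roles.setdefault(current, set())
        elif current and line.startswith(" ip nat "):
            roles[current].add(line.split()[2])
        elif not line.startswith(" "):
            current = None  # any unindented line ends the interface stanza
    return roles

def find_misplaced_nat(config):
    """Return NAT rules whose translation interface is not an 'ip nat outside' one."""
    roles = nat_roles(config)
    bad = []
    for line in config.splitlines():
        m = NAT_RULE.match(line)
        if m and "outside" not in roles.get(m.group(1), set()):
            bad.append(line)
    return bad

if __name__ == "__main__":
    for rule in find_misplaced_nat(SAMPLE_CONFIG):
        print("NAT rule bound to a non-outside interface:", rule)
```

Run against a full `show running-config` capture, it reports exactly the overload and static rules the answer rewrites from Gi0/1 to Gi0/0.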


Citation - This blog post does not reflect original content from the author. Rather, it summarizes content relevant to the topic from different sources on the web. The sources might include online discussion boards, forums, websites and others.
