07/03/2008 at 01:04PM PDT, ID: 23538043
Solution rating: 9.2

VPN Tunnel not routing traffic properly

Asked by FlurbSnarf in Virtual Private Networking (VPN), Network Routers

This is a branch that is connected to the Internet via cable with a dynamic (DHCP) assigned external IP address.  There is a tunnel which is successfully established via dynamic map to the headquarters (HQ).

On the LAN, Internet connectivity is good; however, they need to access a web (www) site on the internal LAN at HQ (Headquarters), which fails. The local subnet is 10.7.x.x and the remote subnet is 10.0.x.x and the internal site is 10.0.0.110.

Unfortunately, ping isn't available, so I can't test that, but a traceroute shows the first hop does NOT appear to be routing properly. I have included the configuration of the branch office and, at the bottom, a snippet of another branch that can connect to the 10.0.0.110 web site and an illustration of that routing; however, the difference is that that site has a static IP address (perhaps I have something routing wrong on the branch with the DHCP Internet access).


Bad_1710#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1710-K9O3SY-M), Version 12.3(1a), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 06-Jun-03 19:50 by dchih
Image text-base: 0x80008120, data-base: 0x80F0625C

ROM: System Bootstrap, Version 12.2(1r)XE1, RELEASE SOFTWARE (fc1)

Trexlertown uptime is 1 hour, 7 minutes
System returned to ROM by reload
System restarted at 13:03:16 UTC Tue Jun 17 2008
System image file is "flash:c1710-k9o3sy-mz.123-1a.bin"

cisco 1710 (MPC855T) processor (revision 0x200) with 49152K/16384K bytes of memory.
Processor board ID JAD072800VZ (2205510933), with hardware revision 0000
MPC855T processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

++++++++++++++++++++++++++++++
== End of show version      ==
++++++++++++++++++++++++++++++

Bad_1710#sh start
Using 2848 out of 29688 bytes
!
! Last configuration change at 14:01:43 UTC Tue Jun 17 2008 by lantek
! NVRAM config last updated at 14:01:45 UTC Tue Jun 17 2008 by lantek
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Bad_1710
!
enable secret 5
enable password 7
!
memory-size iomem 25
ip subnet-zero
!
!
!
ip inspect name myfw http java-list 98
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw tftp
ip inspect name myfw ftp
ip inspect name myfw realaudio
ip inspect name myfw fragment maximum 256 timeout 1
ip inspect name myfw cuseeme
ip inspect name myfw vdolive
ip inspect name myfw sqlnet
ip inspect name myfw streamworks
ip inspect name myfw smtp
ip inspect name myfw h323
ip inspect name myfw rcmd
ip inspect name fwin tcp
ip inspect name fwin udp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key private_key address 63.XXX.XXX.242
!
!
crypto ipsec transform-set strong esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map mymap 11 ipsec-isakmp
 set peer 63.XXX.XXX.242
 set transform-set strong
 match address 120
!
!
!
!
interface Ethernet0
 ip address dhcp
 ip access-group 110 in
 ip nat outside
 ip inspect myfw out
 half-duplex
 crypto map mymap
!
interface FastEthernet0
 description connected to Trexlertown LAN
 ip address 10.7.0.1 255.255.255.0
 ip nat inside
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 10.0.0.0
 no auto-summary
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
ip http secure-server
!
!
access-list 98 permit 10.1.0.0 0.0.0.255
access-list 101 deny   ip 10.7.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.7.0.0 0.0.0.255 any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 permit ahp any any
access-list 110 permit udp any any range bootps bootpc
access-list 120 permit ip 10.7.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
route-map nonat permit 5
 match ip address 101
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7
 login local
 transport input telnet ssh
!
no scheduler allocate
!
end


++++++++++++++++++++++++++++++
== End of Configuration     ==
++++++++++++++++++++++++++++++

Trexlertown#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.7.0.0 is directly connected, FastEthernet0
C    207.172.224.0/24 is directly connected, Ethernet0
S*   0.0.0.0/0 is directly connected, Ethernet0


++++++++++++++++++++++++++++++
== End of show ip route     ==
++++++++++++++++++++++++++++++

Trexlertown#traceroute 10.0.0.110

Type escape sequence to abort.
Tracing the route to 10.0.0.110

  1 10.19.48.1 8 msec 8 msec 8 msec
  2 208.59.252.1 12 msec 24 msec 12 msec
  3  *  *  *

+++++++++++++++++++++++++++
== End of traceroute     ==
+++++++++++++++++++++++++++

THIS IS A WORKING EXAMPLE OF ANOTHER VPN TUNNEL ROUTING PROPERLY

++++++++++++++++++++++++++++++
== Start of show ip route that works
++++++++++++++++++++++++++++++

Good_1710#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     68.0.0.0/24 is subnetted, 1 subnets
C       68.162.87.0 is directly connected, Ethernet0
     10.0.0.0/24 is subnetted, 1 subnets
C       10.5.0.0 is directly connected, FastEthernet0
S*   0.0.0.0/0 is directly connected, Ethernet0


++++++++++++++++++++++++++++++
== End of show ip route     ==
++++++++++++++++++++++++++++++

Good_1710#traceroute 10.0.0.110

Type escape sequence to abort.
Tracing the route to 10.0.0.110

  1 68.162.87.1 24 msec 24 msec 24 msec
  2  *  *  *
  3
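
The posted config pairs a crypto ACL (120) with a NAT-exemption route-map (nonat, matching ACL 101). One check worth running before chasing routing is whether those two agree: on IOS, inside-to-outside NAT happens before the crypto map is evaluated, so any selected traffic that is not denied in the NAT ACL gets translated, no longer matches the crypto selector, and leaves by the default route instead of the tunnel. The Python linter below is an added example, not code from the post or from Cisco. It parses the ACL, crypto-map and NAT lines from the question (reduced to a constructed excerpt), also accepts `ip nat inside source list N` and standard ACLs, which the posted config does not use, and flags any crypto selector that the NAT ACL fails to deny first. The config as posted passes this check; a constructed variant with the deny line removed does not.

```python
"""Lint the IPsec pieces of a Cisco IOS config: the NAT-exemption ACL must deny, before
any permit, all of the traffic the crypto ACL selects.  Added example, not code from
the post or from Cisco; it reads only the ACL, crypto-map and NAT lines."""
import ipaddress
import re

# Constructed excerpt of the branch config quoted in the question (section
# separators and unrelated lines left out).
CONFIG = """\
crypto map mymap 11 ipsec-isakmp
 match address 120
ip nat inside source route-map nonat interface Ethernet0 overload
access-list 101 deny   ip 10.7.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.7.0.0 0.0.0.255 any
access-list 120 permit ip 10.7.0.0 0.0.0.255 10.0.0.0 0.0.0.255
route-map nonat permit 5
 match ip address 101
"""
# Constructed faulty variant: the NAT-exemption deny has been dropped.
BROKEN = CONFIG.replace("access-list 101 deny   ip 10.7.0.0 0.0.0.255 10.0.0.0 0.0.0.255\n", "")
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD' (wildcard = host bits)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0) if tokens else "0.0.0.0"))
    if wild != (1 << wild.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard mask after {tok}")
    return ipaddress.ip_network(f"{tok}/{32 - wild.bit_length()}", strict=False)

def parse_acls(config):
    """{number: [dict(action, src, dst), ...]}; standard ACLs (<100) carry no protocol or destination."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny) (.+)$", config, re.M):
        num, rest = int(m.group(1)), m.group(3).split()
        if num >= 100:
            rest.pop(0)                       # protocol; not needed for this check
        src = _net(rest)
        dst = _net(rest) if num >= 100 else ANY
        acls.setdefault(num, []).append({"action": m.group(2), "src": src, "dst": dst})
    return acls

def sections(config, prefix):
    """Yield (header tokens, [indented-line tokens]) for each block whose header starts with prefix."""
    head, body = None, []
    for line in config.splitlines() + ["!"]:
        if head is not None and line.startswith(" "):
            body.append(line.split())
            continue
        if head is not None:
            yield head, body
        head, body = (line.split(), []) if line.startswith(prefix) else (None, [])

def crypto_acls(config):
    """{crypto map name: [ACL numbers its ipsec-isakmp entries match on]}"""
    maps = {}
    for head, body in sections(config, "crypto map "):
        for t in body:
            if "ipsec-isakmp" in head and t[:2] == ["match", "address"]:
                maps.setdefault(head[2], []).append(int(t[2]))
    return maps

def nat_exempt_acl(config):
    """ACL that 'ip nat inside source' consults, named directly ('list N') or via a route-map."""
    m = re.search(r"^ip nat inside source (?:list (\d+)|route-map (\S+))", config, re.M)
    if m and m.group(1):
        return int(m.group(1))
    for head, body in (sections(config, f"route-map {m.group(2)} ") if m else ()):
        for t in body:
            if t[:3] == ["match", "ip", "address"]:
                return int(t[3])
    return None

def check_nat_exemption(config):
    """Return findings as strings; an empty list means every crypto selector is exempt from NAT."""
    acls, findings = parse_acls(config), []
    nat_rules = acls.get(nat_exempt_acl(config), [])
    for name, acl_nums in crypto_acls(config).items():
        for sel in (r for n in acl_nums for r in acls.get(n, []) if r["action"] == "permit"):
            # The first NAT-ACL rule able to match this selector decides its fate: it must be a
            # deny covering the whole selector, otherwise some of that traffic is translated
            # before the crypto map sees it and leaves by the default route, not the tunnel.
            first = next((r for r in nat_rules
                          if r["src"].overlaps(sel["src"]) and r["dst"].overlaps(sel["dst"])), None)
            exempt = (first is not None and first["action"] == "deny"
                      and sel["src"].subnet_of(first["src"]) and sel["dst"].subnet_of(first["dst"]))
            if not exempt:
                findings.append(f"{sel['src']} -> {sel['dst']} is selected for crypto map {name} "
                                "but the NAT ACL does not deny it first")
    return findings

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("without the nonat deny", BROKEN)):
        print(f"{label}: {check_nat_exemption(cfg) or 'OK'}")
```

Run it against a full `show running-config` capture by passing the file contents to `check_nat_exemption`; the section parser ignores the `!` separators and the interface blocks it does not need. The check is deliberately order-sensitive: a deny that appears after a broader permit in the NAT ACL is reported, because the permit wins first-match evaluation.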
07/04/08 08:50 AM, ID: 21933704 (Expert Comment)
07/10/08 09:38 AM, ID: 21975180 (Author Comment)
07/10/08 02:30 PM, ID: 21977569 (Solution)
About this solution

Zones: Virtual Private Networking (VPN), Network Routers
Solution Provided By: lrmoore
Participating Experts: 1
Solution Grade: A
01/08/09 04:07 PM, ID: 23331582 (Administrative Comment)
03/07/09 05:27 AM, ID: 23824787 (Administrative Comment)
03/14/09 07:25 AM, ID: 23887078 (Administrative Comment)