JesusFreak42
Help Configuring Cisco Router

I have a Cisco 1921 which controls the VPN connection between our two locations and our internet connection. Our previous IT company improperly configured the router to send all traffic over the VPN and not directly to the cable modem. Below is some of the running config. Can anyone help tell me what's wrong?
sample.txt
tmoore1962

Check this Cisco document out; it is for site-to-site VPN and split tunneling, which I believe is what you are trying to do.
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
Hi,

Your configuration seems to be OK, except for some remarks regarding the defined routes:

ip route 0.0.0.0 0.0.0.0 23.25.94.70 ===> this is OK; this will route everything to the Internet
ip route 0.0.0.0 0.0.0.0 23.0.0.0 ====> this route needs to be removed since the syntax is incorrect: the next hop needs to be a host address and not a network. Also, this is a public IP which is covered by the previous route.
ip route 0.0.0.0 0.0.0.0 172.16.0.1 ===> this route uses the remote site connected via the serial E1 line. This needs to be optimized to use only the useful subnets in order to prevent perturbing Internet traffic, or, at least if there are a lot of subnets that need to be configured, use a different metric.

Best Regards.

Salah
Daniel Sheppard
Could we see the "ip access-list extended NAT" from the running config?

What router is at the other end?  Due to the route statements, you are going to have some asynchronous routing going on.  It will definitely cause problems.

That said, it is hard to troubleshoot without a fuller configuration.  You can mask IPs and remove passwords, but the full configuration is more helpful.
JesusFreak42 (Asker)

Basically, there should be phone traffic going over the VPN, that's it.

1) What does the bandwidth setting do under GB Interface 1?
2) I think the ip route is supposed to be 170, not 70 (subnet is 23.25.94.168/255.255.255.252)
3) Fuller config file uploaded
sample2.txt
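The two static-route problems raised so far (a next hop that is not a host on a directly connected subnet, and several default routes at the same administrative distance that will be load-shared) are both mechanical checks. The script below is an added example written for this thread, not code from the asker's configuration or from Cisco; it parses `ip route` lines in IOS syntax and audits them. The 23.25.94.168/30 cable-side subnet is the one the asker quotes; the serial-side subnet 172.16.0.0/30 and the interface names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the three default routes quoted in the thread.
SAMPLE_ROUTES = """
ip route 0.0.0.0 0.0.0.0 23.25.94.70
ip route 0.0.0.0 0.0.0.0 23.0.0.0
ip route 0.0.0.0 0.0.0.0 172.16.0.1
"""

# Directly connected subnets. The /30 on the cable side is the one the asker
# quotes; the serial-side /30 and the interface names are assumptions.
CONNECTED = {
    "GigabitEthernet0/1": ipaddress.ip_network("23.25.94.168/30"),
    "Serial0/0/0": ipaddress.ip_network("172.16.0.0/30"),  # assumption
}


def parse_static_routes(text):
    """Parse 'ip route PREFIX MASK NEXTHOP [distance]' lines into
    (prefix, next hop, administrative distance) tuples (static default AD is 1)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["ip", "route"]:
            continue
        prefix = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
        nexthop = ipaddress.ip_address(parts[4])
        distance = int(parts[5]) if len(parts) > 5 and parts[5].isdigit() else 1
        routes.append((prefix, nexthop, distance))
    return routes


def check_next_hop(nexthop, connected=CONNECTED):
    """Return (ok, reason). A usable next hop is a host address on a directly
    connected subnet, not that subnet's network or broadcast address."""
    nexthop = ipaddress.ip_address(nexthop)
    for ifname, net in connected.items():
        if nexthop not in net:
            continue
        if nexthop in (net.network_address, net.broadcast_address):
            return False, f"{nexthop} is the network/broadcast address of {net} on {ifname}, not a host"
        return True, f"{nexthop} is a host on {net} ({ifname})"
    return False, f"{nexthop} is not on any connected subnet"


def audit(text, connected=CONNECTED):
    """Check every static route's next hop, then flag prefixes that end up with
    more than one usable next hop at the same distance (they will be load-shared)."""
    findings = []
    by_prefix = defaultdict(list)
    for prefix, nexthop, distance in parse_static_routes(text):
        ok, reason = check_next_hop(nexthop, connected)
        findings.append((str(prefix), str(nexthop), ok, reason))
        if ok:
            by_prefix[(prefix, distance)].append(nexthop)
    for (prefix, distance), hops in by_prefix.items():
        if len(hops) > 1:
            findings.append((str(prefix), ",".join(map(str, hops)), False,
                             f"{len(hops)} equal-cost next hops (AD {distance}); traffic will be load-shared"))
    return findings


if __name__ == "__main__":
    for prefix, hop, ok, reason in audit(SAMPLE_ROUTES):
        print("OK  " if ok else "WARN", prefix, hop, "-", reason)
```

Run against the three routes from the thread, the first two are flagged because neither 23.25.94.70 nor 23.0.0.0 sits on a connected subnet, and only 172.16.0.1 passes. If the cable-side route is corrected to 23.25.94.170 the check passes, but the audit then warns that two default routes share AD 1; appending a higher distance to the serial-side route (for example `ip route 0.0.0.0 0.0.0.0 172.16.0.1 250`, a floating static) removes that warning, which is the "different metric" remedy Salah mentions.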
ASKER CERTIFIED SOLUTION
Daniel Sheppard

If you have any questions, let me know.

"Bandwidth" is only used in the routing metric calculation, and some SNMP pollers use it to get the interface "speed", so you can ignore it here.
Daniel,
   What does that NAT access list do for us?
Hi,

The NAT access list will only permit destination addresses to the Internet, without applying NAT to the excluded ones defined first in the access list.

As you shared your full configuration, you have a primary link using a T1 to your phone provider, and the VPN is only a secondary path serving as backup if the T1 link is down!!

So you need to add the route for your VoIP provider. Since we don't know the IP, and whether your phones are registered to a local call manager or directly to the service provider's one, you have to ask for the network address and update the following route:

ip route VOIP_PROVIDER_NETWORK_ADD VOIP_PROVIDER_NETWORK_MASK 172.16.0.1

Regards.

Salah
That will apply NAT to the access list, and only to the outbound flows on Gi0/1 (match interface).

As I mentioned (and then Salah mentioned after), if your VoIP network is accessible through your T1, then you will need to add a route for that.  This is only if the route is not already in EIGRP somehow (redistributed or otherwise added to EIGRP).

You also may want to enable an IP SLA for your VoIP, to ensure call quality.  You would do such things as ping, jitter, delay, etc. to the IP of the VoIP endpoint.

You may need a local policy route to ensure that works as expected, however, and I would focus on getting everything working first.
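The last two answers describe two decisions the router makes for every outbound flow: longest-prefix match picks the next hop and egress interface, and the NAT access list (first match wins, deny meaning "exempt") decides whether the flow is translated, with translation only happening on flows leaving Gi0/1. The model below is an added example for this thread, not the asker's configuration or anyone's production code. It uses 23.25.94.170 as the corrected cable-modem next hop and 172.16.0.1 as the T1 next hop from the thread; the VoIP provider network 203.0.113.0/24 is a placeholder for the address the provider must supply, and the local LAN 192.168.1.0/24, the remote LAN 192.168.2.0/24 and the interface names are assumptions.

```python
import ipaddress

# Constructed routing table: the default via the cable modem plus the specific
# route to the VoIP provider via the T1 that the thread says must be added.
# 203.0.113.0/24 stands in for VOIP_PROVIDER_NETWORK_ADD/MASK (placeholder).
STATIC_ROUTES = [
    ("0.0.0.0/0", "23.25.94.170", "GigabitEthernet0/1"),
    ("203.0.113.0/24", "172.16.0.1", "Serial0/0/0"),
]
NAT_OUTSIDE_IF = "GigabitEthernet0/1"   # 'ip nat ... interface Gi0/1' (assumed name)

# Constructed NAT ACL in the spirit of 'ip access-list extended NAT':
# (action, source, destination). The deny exempts LAN-to-remote-LAN traffic,
# which rides the VPN out Gi0/1, so the crypto map sees untranslated addresses.
NAT_ACL = [
    ("deny", "192.168.1.0/24", "192.168.2.0/24"),
    ("permit", "192.168.1.0/24", "0.0.0.0/0"),
]


def lookup(dst, routes=STATIC_ROUTES):
    """Longest-prefix match: returns (prefix, next hop, egress interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifname)
    return best


def acl_decision(src, dst, acl=NAT_ACL):
    """First-match evaluation; every IOS ACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action
    return "deny"


def forward(src, dst, routes=STATIC_ROUTES, acl=NAT_ACL):
    """Return (next hop, egress interface, natted) for one flow, or None if no route."""
    route = lookup(dst, routes)
    if route is None:
        return None
    _net, nh, ifname = route
    natted = ifname == NAT_OUTSIDE_IF and acl_decision(src, dst, acl) == "permit"
    return nh, ifname, natted


if __name__ == "__main__":
    flows = [("phone -> VoIP provider", "192.168.1.50", "203.0.113.10"),
             ("PC -> Internet", "192.168.1.20", "198.51.100.5"),
             ("PC -> remote LAN over VPN", "192.168.1.20", "192.168.2.7")]
    for label, src, dst in flows:
        print(f"{label:28} {forward(src, dst)}")
    # Without the provider route, phone traffic falls to the default and gets NATed out Gi0/1.
    print("phone, no provider route     ", forward("192.168.1.50", "203.0.113.10", routes=STATIC_ROUTES[:1]))
    # With the permit ahead of the deny, VPN-bound traffic is translated before encryption.
    print("PC -> remote LAN, misordered ", forward("192.168.1.20", "192.168.2.7", acl=NAT_ACL[::-1]))
```

The two negative cases at the end are the ones worth checking on a real box: dropping the provider route sends phone traffic out the cable modem translated, and reversing the ACL order translates VPN-bound traffic, which is why the deny entries sit first in the NAT list.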