Help Configuring Cisco Router

I have a Cisco 1921 which controls the VPN connection between our two locations and our internet connection. Our previous IT company improperly configured the router to send all traffic over the VPN and not directly to the cable modem. Below is some of the running config. Can anyone help tell me what's wrong?
sample.txt
JesusFreak42 asked:
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
You have no "NAT" access list.  Do the following:

! Remove the NAT rule that references an access list which does not exist
no ip nat inside source list NAT interface GigabitEthernet0/1 overload

! Exempt LAN traffic bound for the private ranges (the VPN peer's networks)
! so it reaches the crypto map untranslated; NAT everything else from the LAN
ip access-list extended RMAP-NAT
  deny ip 172.16.0.0 0.0.15.255 172.16.0.0 0.0.15.255
  deny ip 172.16.0.0 0.0.15.255 10.0.0.0 0.255.255.255
  deny ip 172.16.0.0 0.0.15.255 192.168.0.0 0.0.255.255
  permit ip 172.16.0.0 0.0.15.255 any

! Only translate flows that leave through the Internet-facing interface
route-map RMAP-NAT
 match ip address RMAP-NAT
 match interface Gi0/1

ip nat inside source route-map RMAP-NAT interface GigabitEthernet0/1 overload

! Correct the next hop of the default route
no ip route 0.0.0.0 0.0.0.0 23.25.94.70
ip route 0.0.0.0 0.0.0.0 23.25.94.170

! Drop the other two default routes (a network address as next hop, and the
! path via the remote site) so Internet traffic no longer goes over the VPN
no ip route 0.0.0.0 0.0.0.0 23.0.0.0
no ip route 0.0.0.0 0.0.0.0 172.16.0.1



That should hopefully fix it up for you. Keep in mind, your voice traffic should route over the VPN, unless you are trying to route your VoIP traffic to a public IP on the internet. If you are trying to do that, you will need to add an additional "ip route" statement for the network you are trying to route to.
0
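To see what the proposed access list and route-map actually do to a flow, here is an added example (my own code, not from the thread or from Cisco) that models IOS wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the `match interface Gi0/1` clause. It also adds the check a practitioner wants when NAT and a site-to-site VPN share an outside interface: a flow that both the crypto ACL and the NAT ACL permit is translated first and then never matches the crypto map, so it leaks to the Internet instead of crossing the tunnel. The local subnet 172.16.10.0/24, the remote subnet 172.16.5.0/24 and the serial interface name are assumptions, not values from the thread.

```python
"""Model a Cisco IOS NAT access list + route-map (wildcard masks, first match).

Added example for this thread, not code from the original post or from Cisco.
Encodes the RMAP-NAT access list proposed above plus a check that the NAT ACL
does not "shadow" the crypto ACL of the site-to-site VPN.
Assumed subnets: 172.16.10.0/24 local, 172.16.5.0/24 remote.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str       # "permit" or "deny"
    src: str          # source network
    src_wild: str     # wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wild: str


ANY = ("0.0.0.0", "255.255.255.255")   # IOS keyword "any"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True when every 'must match' bit of addr equals the corresponding net bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wild) and \
           wildcard_match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# ip access-list extended RMAP-NAT, as proposed in the answer above
RMAP_NAT = [
    Ace("deny",   "172.16.0.0", "0.0.15.255", "172.16.0.0",  "0.0.15.255"),
    Ace("deny",   "172.16.0.0", "0.0.15.255", "10.0.0.0",    "0.255.255.255"),
    Ace("deny",   "172.16.0.0", "0.0.15.255", "192.168.0.0", "0.0.255.255"),
    Ace("permit", "172.16.0.0", "0.0.15.255", *ANY),
]

# A NAT ACL with no VPN exemptions, the kind of mistake the thread is about
NAT_NO_EXEMPT = [Ace("permit", "172.16.0.0", "0.0.15.255", *ANY)]

# Crypto ACL for the site-to-site tunnel (assumed subnets)
CRYPTO_ACL = [Ace("permit", "172.16.10.0", "0.0.0.255", "172.16.5.0", "0.0.0.255")]


def will_nat(src: str, dst: str, egress_if: str, acl=RMAP_NAT, nat_if="Gi0/1") -> bool:
    """route-map RMAP-NAT: both 'match ip address' and 'match interface' must hold."""
    return egress_if == nat_if and acl_lookup(acl, src, dst) == "permit"


def nat_shadows_vpn(src: str, dst: str, nat_acl=RMAP_NAT, crypto_acl=CRYPTO_ACL) -> bool:
    """True if a flow the crypto ACL wants to encrypt would be NATed first."""
    return acl_lookup(crypto_acl, src, dst) == "permit" and \
           acl_lookup(nat_acl, src, dst) == "permit"


if __name__ == "__main__":
    for src, dst, ifc in [("172.16.10.20", "8.8.8.8", "Gi0/1"),
                          ("172.16.10.20", "172.16.5.7", "Gi0/1"),
                          ("172.16.10.20", "8.8.8.8", "Serial0/0/0")]:
        print(f"{src} -> {dst} via {ifc}: NAT={will_nat(src, dst, ifc)}")
    print("VPN flow leaks with no-exempt ACL:",
          nat_shadows_vpn("172.16.10.20", "172.16.5.7", NAT_NO_EXEMPT))
```

Run it as-is to see LAN-to-Internet traffic translated, LAN-to-remote-site traffic left alone, and the same flow leaking once the deny entries are removed; swap in your own crypto ACL and NAT ACL entries to check a real configuration before applying it.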
 
tmoore1962 commented:
Check this Cisco document out; it is for site-to-site VPN and split tunneling, which I believe is what you are trying to do.
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
0
 
Salah Eddine ELMRABET (Technical Lead Manager, Owner) commented:
Hi,

Your configuration seems to be OK, except for some remarks regarding the defined routes:

ip route 0.0.0.0 0.0.0.0 23.25.94.70 ===> this is OK; this will route everything to the Internet
ip route 0.0.0.0 0.0.0.0 23.0.0.0 ====> this route needs to be removed since the syntax is incorrect; the next hop needs to be a host address and not a network. Also, this is a public IP which is covered by the previous route.
ip route 0.0.0.0 0.0.0.0 172.16.0.1 ===> this route uses the remote site connected via the serial E1 line. This needs to be optimized to use only the useful subnets in order to prevent disturbing Internet traffic, or, at least if there are a lot of subnets that need to be configured, use a different metric.

Best Regards.

Salah
0
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
Could we see the "ip access-list extended NAT" from the running config?

What router is at the other end? Due to the route statements, you are going to have some asynchronous routing going on. It will definitely cause problems.

That said, it is hard to troubleshoot without a fuller configuration. You can mask IPs and remove passwords, but the full configuration is more helpful.
0
 
JesusFreak42 (Author) commented:
Basically, there should be phone traffic going over the VPN, that's it.

1) What does the bandwidth setting do under GB Interface 1?
2) I think the ip route is supposed to be 170, not 70 (subnet is 23.25.94.168/255.255.255.252)
3) Fuller config file uploaded
sample2.txt
0
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
If you have any questions, let me know.

"Bandwidth" is only used in the routing metric calculation, and some SNMP pollers use it to get the interface "speed", so you can ignore it here.
0
 
JesusFreak42 (Author) commented:
Daniel,
What does that NAT access list do for us?
0
 
Salah Eddine ELMRABET (Technical Lead Manager, Owner) commented:
Hi,

The NAT access list will only permit destination addresses to the Internet, without applying NAT to the excluded ones defined first in the access list.

As you shared your full configuration, you have a primary link using a T1 to your phone provider, and the VPN is only a secondary path serving as a backup if the T1 link is down!!

So you need to add the route for your VoIP provider. Since we don't know the IP, and whether your phones are registered to a local call manager or directly to the service provider's one, you have to ask for the network address and update the following route:

ip route VOIP_PROVIDER_NETWORK_ADD VOIP_PROVIDER_NETWORK_MASK 172.16.0.1

Regards.

Salah
0
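The two comments above from Salah both turn on how IOS treats static routes: a next hop has to be a reachable host address, a more specific route to the VoIP provider beats the default route, and a backup path can be kept as a "floating" static with a worse metric. The following is an added example (my own code, not from the thread or from Cisco IOS) that models those three rules and runs the routes from this thread through them. The model requires a next hop to sit inside a directly connected subnet and does not do IOS's recursive next-hop lookup. The serial link subnet 172.16.0.0/30, the LAN 172.16.10.0/24 and the VoIP provider network 203.0.113.0/24 (TEST-NET-3) are assumptions standing in for values the thread does not show.

```python
"""Check static next hops and simulate longest-prefix forwarding for the
routes discussed in this thread.

Added example, not code from the thread or from Cisco IOS. Models: a static
next hop must be a host inside a directly connected subnet; the longest
matching prefix wins; among equal prefixes the lowest administrative
distance wins (a floating static with distance 250 acts as the backup).
Assumed values: serial link 172.16.0.0/30, LAN 172.16.10.0/24, VoIP
provider network 203.0.113.0/24 (TEST-NET-3 placeholder).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    distance: int = 1        # administrative distance; IOS default for static is 1


def parse_static_route(line: str) -> StaticRoute:
    """Parse 'ip route <network> <mask> <next-hop> [distance]'."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an 'ip route' statement: {line!r}")
    prefix = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}")
    next_hop = ipaddress.IPv4Address(parts[4])
    distance = int(parts[5]) if len(parts) > 5 else 1
    return StaticRoute(prefix, next_hop, distance)


def next_hop_usable(route: StaticRoute, connected) -> bool:
    """The next hop must be a host inside a connected subnet (not the network
    or broadcast address); otherwise this model never installs the route."""
    for net in connected:
        if route.next_hop in net:
            return route.next_hop not in (net.network_address, net.broadcast_address)
    return False


def lookup(dst: str, routes, connected):
    """Longest prefix match among installable routes; ties go to the lowest
    administrative distance. Returns the next hop as a string, or None."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes
                  if next_hop_usable(r, connected) and addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))
    return str(best.next_hop)


# Assumed connected subnets: cable modem /30 (given in the thread), serial
# link to the remote site, and the local LAN.
CONNECTED = [ipaddress.IPv4Network(n) for n in
             ("23.25.94.168/30", "172.16.0.0/30", "172.16.10.0/24")]

ROUTE_LINES = [
    "ip route 0.0.0.0 0.0.0.0 23.25.94.70",           # original config (.70 vs .170)
    "ip route 0.0.0.0 0.0.0.0 23.0.0.0",              # network address as next hop
    "ip route 0.0.0.0 0.0.0.0 23.25.94.170",          # corrected default route
    "ip route 0.0.0.0 0.0.0.0 172.16.0.1 250",        # floating backup via serial
    "ip route 203.0.113.0 255.255.255.0 172.16.0.1",  # VoIP provider (placeholder)
]
ROUTES = [parse_static_route(line) for line in ROUTE_LINES]


def unresolvable_next_hops(routes=ROUTES, connected=CONNECTED):
    """Next hops of routes that cannot be installed in this model."""
    return [str(r.next_hop) for r in routes if not next_hop_usable(r, connected)]


if __name__ == "__main__":
    print("unresolvable next hops:", unresolvable_next_hops())
    for dst in ("8.8.8.8", "203.0.113.25"):
        print(dst, "->", lookup(dst, ROUTES, CONNECTED))
    # Cable link down: the floating default via the serial link takes over
    print("8.8.8.8 with WAN down ->", lookup("8.8.8.8", ROUTES, CONNECTED[1:]))
```

The output shows the two default routes the thread flags (.70 and 23.0.0.0) never install, Internet traffic leaves via 23.25.94.170 while VoIP traffic to the placeholder provider network goes out the serial link without touching the default route, and only when the cable /30 disappears does the distance-250 route carry Internet traffic across the remote site.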
 
Daniel Sheppard (Network Administrator/Engineer/Architect) commented:
That will apply NAT to the access list, and only to the outbound flows on Gi0/1 (match interface).

As I mentioned (and then Salah mentioned after), if your VoIP network is accessible through your T1, then you will need to add a route for that. This is only if the route is not already in EIGRP somehow (redistributed or otherwise added to EIGRP).

You also may want to enable an IP SLA for your VoIP, to ensure call quality. You would do things such as ping, jitter, delay, etc. to the IP of the VoIP endpoint.

You may need a local policy route to ensure that that works as expected; however, I would focus on getting everything working first.
0