Help Configuring Cisco Router

I have a Cisco 1921 which controls the VPN connection between our two locations and our internet connection. Our previous IT company improperly configured the router to send all traffic over the VPN and not directly to the Cable modem. Below is some of the running config. Can anyone help tell me what's wrong?
sample.txt
JesusFreak42 asked:

tmoore1962 commented:
Check this Cisco document out; it is for site-to-site VPN and split tunneling, which I believe is what you are trying to do.
http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html
Salah Eddine ELMRABET (Technical Lead Manager (Owner)) commented:
Hi,

Your configuration seems to be OK, except for some remarks regarding the defined routes:

ip route 0.0.0.0 0.0.0.0 23.25.94.70 ===> this is OK; this will route everything to the Internet
ip route 0.0.0.0 0.0.0.0 23.0.0.0 ====> this route needs to be removed since the syntax is incorrect; the next hop needs to be a host address and not a network. Also, this is a public IP which is covered by the previous route
ip route 0.0.0.0 0.0.0.0 172.16.0.1 ===> this route uses the remote site connected via the serial E1 line; this needs to be optimized to use only the useful subnets in order to prevent perturbing Internet traffic, or at least, if there are a lot of subnets that need to be configured, use a different metric.

Best Regards.

Salah
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
Could we see the "ip access-list extended NAT" from the running config?

What router is at the other end?  Due to the route statements, you are going to have some asynchronous routing going on.  It will definitely cause problems.

That said, it is hard to troubleshoot without a fuller configuration. You can mask IPs and remove passwords, but the full configuration is more helpful.
JesusFreak42 (Author) commented:
Basically, there should be phone traffic going over the VPN, that's it.

1) What does the bandwidth setting do under GB Interface 1?
2) I think the ip route is supposed to be 170, not 70 (subnet is 23.25.94.168/255.255.255.252)
3) Fuller config file uploaded
sample2.txt
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
You have no "NAT" access list.  Do the following:

no ip nat inside source list NAT interface GigabitEthernet0/1 overload

ip access-list extended RMAP-NAT
  deny ip 172.16.0.0 0.0.15.255 172.16.0.0 0.0.15.255
  deny ip 172.16.0.0 0.0.15.255 10.0.0.0 0.255.255.255
  deny ip 172.16.0.0 0.0.15.255 192.168.0.0 0.0.255.255
  permit ip 172.16.0.0 0.0.15.255 any

route-map RMAP-NAT
 match ip address RMAP-NAT
 match interface Gi0/1

ip nat inside source route-map RMAP-NAT interface GigabitEthernet0/1 overload

no ip route 0.0.0.0 0.0.0.0 23.25.94.70
ip route 0.0.0.0 0.0.0.0 23.25.94.170

no ip route 0.0.0.0 0.0.0.0 23.0.0.0
no ip route 0.0.0.0 0.0.0.0 172.16.0.1

That should hopefully fix it up for you.  Keep in mind, your voice traffic should route over the VPN, unless you are trying to route your VOIP traffic to a public IP on the internet.  If you are trying to do that, you will need to add an additional "ip route" statement for the network you are trying to route to.
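The three faults discussed in this thread (several equal-cost default routes, a next hop that is not a host on a connected subnet, and a NAT statement that references an access list which does not exist) are all things a script can check before a config goes onto a box. The following Python audit is an added example, not something posted in the thread. It works on constructed config excerpts: the routes and the NAT statement are the ones quoted above, while the interface addresses (the router's own address 23.25.94.169 on the 23.25.94.168/30 WAN subnet the author mentioned, a 172.16.0.0/30 on the serial link, and a 172.16.1.0/24 LAN) are assumptions chosen to make the example self-contained.

```python
import ipaddress
import re

# Constructed config excerpts modelled on the thread. The interface addresses
# are assumptions; the routes and the NAT statement are the ones discussed above.
INTERFACES = """\
interface GigabitEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip address 23.25.94.169 255.255.255.252
 ip nat outside
interface Serial0/0/0
 ip address 172.16.0.2 255.255.255.252
"""

BROKEN_CONFIG = INTERFACES + """\
ip nat inside source list NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 23.25.94.70
ip route 0.0.0.0 0.0.0.0 23.0.0.0
ip route 0.0.0.0 0.0.0.0 172.16.0.1
"""

# The same box after the fixes: the ACL exists and there is one default route
# via the real gateway address. (Uses the "list" form of the NAT statement;
# the route-map form from the answer is equivalent for this check.)
FIXED_CONFIG = INTERFACES + """\
ip access-list extended RMAP-NAT
 deny ip 172.16.0.0 0.0.15.255 172.16.0.0 0.0.15.255
 permit ip 172.16.0.0 0.0.15.255 any
ip nat inside source list RMAP-NAT interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 23.25.94.170
"""


def parse_config(text):
    """Pull out connected subnets, static routes, ACL names and NAT ACL references."""
    interfaces, routes, acls, nat_lists = {}, [], set(), []
    current = None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and current:
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)", line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            try:
                routes.append((net, ipaddress.ip_address(m.group(3))))
            except ValueError:
                pass  # next hop given as an exit interface name; not checked here
        elif m := re.match(r"ip access-list extended (\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_lists.append(m.group(1))
    return interfaces, routes, acls, nat_lists


def audit(text):
    """Return a list of human-readable findings; an empty list means the checks pass."""
    interfaces, routes, acls, nat_lists = parse_config(text)
    findings = []

    # 1. More than one default route with the same (default) metric: IOS installs
    #    all of them and shares traffic across the next hops.
    defaults = [hop for net, hop in routes if net.prefixlen == 0]
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes with equal metric: Internet traffic "
                        f"will be shared across {', '.join(map(str, defaults))}")

    # 2. A static next hop must be a host address inside a directly connected subnet.
    for net, hop in routes:
        owner = next((i for i in interfaces.values() if hop in i.network), None)
        if owner is None:
            findings.append(f"route {net} via {hop}: next hop is not in any connected subnet")
        elif hop in (owner.network.network_address, owner.network.broadcast_address):
            findings.append(f"route {net} via {hop}: next hop is a network/broadcast address, not a host")

    # 3. Every ACL referenced by a NAT statement must actually be defined.
    for name in nat_lists:
        if name not in acls:
            findings.append(f"ip nat inside source list {name}: access-list {name} is not defined "
                            f"(the NAT rule references an ACL that does not exist)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the broken excerpt the audit reports four findings (the shared default routes, the two bad next hops 23.25.94.70 and 23.0.0.0, and the missing NAT access list); 172.16.0.1 passes because it is a valid host on the serial /30. The fixed excerpt produces no findings.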
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
If you have any questions, let me know.

"Bandwidth" is only used in the routing metric calculation, and some SNMP pollers use it to get the interface "speed", so you can ignore it here.
JesusFreak42 (Author) commented:
Daniel,
   What does that NAT access list do for us?
Salah Eddine ELMRABET (Technical Lead Manager (Owner)) commented:
Hi,

The NAT access list will only permit destination addresses to the Internet, without applying NAT to the first excluded ones defined in the access list.

As you shared your full configuration, you have a primary link using T1 to your phone provider, and the VPN is only a secondary path serving as a backup if the T1 link is down!!

So you need to add the route for your VoIP provider; since we don't know the IP, and whether your phones are registered to a local call manager or directly to the service provider's one, you have to ask for the network address and update the following route:

ip route VOIP_PROVIDER_NETWORK_ADD VOIP_PROVIDER_NETWORK_MASK 172.16.0.1

Regards.

Salah
Daniel Sheppard (Senior Network Analyst - Core & Perimeter) commented:
That will apply NAT to the access list, and only to the outbound flows on Gi0/1 (match interface).

As I mentioned (and then Salah mentioned after), if your voip network is accessible through your T1, then you will need to add a route for that.  This is only if the route is not already in EIGRP somehow (redistributed or otherwise added to EIGRP).

You also may want to enable an IP SLA for your VoIP, to ensure call quality. You would do such things as ping, jitter, delay, etc. to the IP of the VoIP endpoint.

You may need a local policy route to ensure that that works as expected however and I would focus on getting everything working first.
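Both answers above describe what the NAT access list does: a permit entry means the flow is translated on the way out Gi0/1, a deny entry (the site-to-site and RFC 1918 ranges) means the flow leaves the router with its real source address, so the VPN crypto ACL still matches it. The following Python snippet is an added example, not code from the thread: it evaluates the RMAP-NAT list from the answer above with IOS wildcard-mask semantics against a handful of constructed flows, so you can see which ones would be translated before committing the change.

```python
import ipaddress

# The RMAP-NAT access list from the answer above, as
# (action, source, source-wildcard, destination, destination-wildcard).
# "any" is written as 0.0.0.0 with an all-ones wildcard.
RMAP_NAT = [
    ("deny",   "172.16.0.0", "0.0.15.255", "172.16.0.0",  "0.0.15.255"),
    ("deny",   "172.16.0.0", "0.0.15.255", "10.0.0.0",    "0.255.255.255"),
    ("deny",   "172.16.0.0", "0.0.15.255", "192.168.0.0", "0.0.255.255"),
    ("permit", "172.16.0.0", "0.0.15.255", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_base, s_wild, d_base, d_wild in acl:
        if wildcard_match(src, s_base, s_wild) and wildcard_match(dst, d_base, d_wild):
            return action
    return "deny"


def will_be_translated(src, dst, acl=RMAP_NAT):
    """For 'ip nat inside source list', permit means translate, deny means leave the flow alone."""
    return acl_action(acl, src, dst) == "permit"


if __name__ == "__main__":
    # Constructed sample flows (addresses chosen for illustration only).
    flows = [
        ("172.16.1.5", "8.8.8.8"),        # LAN host to the Internet
        ("172.16.1.5", "172.16.8.10"),    # LAN host to the other site inside 172.16.0.0/20
        ("172.16.1.5", "10.1.1.1"),       # LAN host to a 10/8 destination
        ("192.168.5.5", "8.8.8.8"),       # source outside the inside range
        ("172.16.1.5", "172.16.20.3"),    # destination just outside the exempted /20
    ]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} {'NAT' if will_be_translated(src, dst) else 'no NAT'}")
```

The last flow is the one worth noticing: 172.16.20.3 lies outside 172.16.0.0/20 (the 0.0.15.255 wildcard only covers 172.16.0.0 through 172.16.15.255), so it falls through to the permit and is translated. If a remote subnet behind the VPN sits outside the deny ranges, its traffic gets a public source address and the VPN will not carry it, which is exactly the kind of detail to confirm against the real remote subnets before applying the list.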