Weird issue with Interface IP mismatch

I have a tunnel from asa 5520 to 2811. The tunnel is operational. I have one problem and I have no idea how this is even working. The below is the output of show ip int br of the router

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.105.2   YES NVRAM  up                    up      
FastEthernet0/1            192.168.1.2     YES NVRAM  up                    up      
Serial0/2/0                unassigned      YES NVRAM  administratively down down    
NVI0                       192.168.105.2   YES unset  up                    up   

Open in new window


The fa0/1 above apparently is the outside interface:
interface FastEthernet0/1
 description to cable modem
 ip address 192.168.1.2 255.255.255.0

Based on all the notes gathered form the previous network admin, the outside IP of this router is totally different. Based on his notesm it should be 216.182.X.X, which makes whole lot more sense then the 192.168.1.2 address. The 216.182.x.x is pingable address. When I get on the asa and look up the crypto map for the 216.182.x.x address, I get all the info including the ACL matching the inside subnets of this router yet, as you can see above there is no such ip in place.

I was working on the tunnel today, playing around with NAT and ACLs for this partclar tunnel, and i am 100% sure that the 216.182.x.x address is indeed on that router because the tunnel dropped when I started modifying ACLS and nat. Then, I fixed the ACL and NAT, tunnel came back up.

How is this working and is there any explanation for this? I am so lost
LVL 3
Shark AttackNetwork adminAsked:
Who is Participating?
 
mikebernhardtCommented:
Then something is probably natting in front of it. The cable modem? Perhaps it's not just a modem, it may actually be a router.
0
 
mikebernhardtCommented:
What is the topology (where are the router, ASA, LAN, etc. in relation to each other? The 216.182 address must exist somewhere, and you just have to look at the configs to find it.
0
 
Shark AttackNetwork adminAuthor Commented:
2015-05-08-13-05-51.jpg
its a very simple tapology. On the router, I copied thw whole config to a notepad and looked for the IP and nothing was found, I also did  show run | i 216.182.   (only first two octets) and nothing was found. There is no traces of the IP at all nowhere.
0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
mikebernhardtCommented:
Perhaps the 216.182 address is somewhere in between the router and the ASA? Configs would help.
0
 
Shark AttackNetwork adminAuthor Commented:
Router
 
Interface                  IP-Address      OK? Method Status                Protocol									
FastEthernet0/0            192.168.105.2   YES NVRAM  up                    up      									
FastEthernet0/1            192.168.1.2     YES NVRAM  up                    up  									
									
								
									
									
Building configuration...									
									
									
version 15.1									
no service pad									
service tcp-keepalives-in									
service tcp-keepalives-out									
service timestamps debug datetime msec									
service timestamps log datetime msec									
service password-encryption									
service sequence-numbers									
!									
								
!									
boot-start-marker									
boot-end-marker									
!									
!									
security authentication failure rate 5 log									
logging buffered 4096 informational									
logging monitor informational									
enable secret 5 									
!									
aaa new-model									
!									
!									
aaa authentication login default group tacacs+ local									
aaa authentication login userauthen local									
aaa authorization network groupauthor local 									
!									
!									
!									
!									
!									
aaa session-id common									
!									
!									
dot11 syslog									
no ip source-route									
!									
!									
ip cef									
!									
!         									
!									
ip domain name suzlon.com									
ip name-server xxxx									
ip device tracking									
!									
multilink bundle-name authenticated									
!									
!									
crypto pki token default removal timeout 0									
!									
crypto pki trustpoint TP-self-signed-2779822261									
 enrollment selfsigned									
 subject-name cn=IOS-Self-Signed-Certificate-2779822261									
 revocation-check none									
 rsakeypair TP-self-signed-2779822261									
!									
!									
crypto pki certificate chain TP-self-signed-2779822261									
 certificate self-signed 01									
  3082026F 308201D8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 									
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 									
  69666963 6174652D 32373739 38323232 3631301E 170D3132 30353233 31393337 									
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 									
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 37373938 									
  32323236 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 									
  8100A692 3E1D5542 6D43835D F358CA7B 7D38AE0F 17A072EF 654DB977 1DB778B0 									
  A2013C50 43C5DEC6 05E99C53 6A110FE3 B9CAC3AF DAB5C691 FD6CB91B 2F5EA338 									
  D5004F30 50FA87C3 EAA57C27 7CED4BEE 7D2EAC04 0A0BF3B5 4AF1586A 9D975227 									
  27B55C0E 1CFF016D 362C0DA0 4199E802 611F1B8B 28F9B132 D2F28966 98A6F9F5 									
  3EDB0203 010001A3 81963081 93300F06 03551D13 0101FF04 05300301 01FF3040 									
  0603551D 11043930 37823553 757A6C6F 6E5F4D6F 756E7461 696E5F48 6F6D655F 									
  476C656E 6E5F4665 7272795F 49445F52 6F757465 722E7375 7A6C6F6E 2E636F6D 									
  301F0603 551D2304 18301680 145BCAA7 A6DA7614 2EC8019F 38F7A234 3510F93C 									
  FB301D06 03551D0E 04160414 5BCAA7A6 DA76142E C8019F38 F7A23435 10F93CFB 									
  300D0609 2A864886 F70D0101 04050003 8181007D 706A8E3B B3FF5014 DE7FE8C5 									
  6AACA160 87BA4CA8 5CFAF7C9 90AE48BA 05902274 AAA0F1AE 3B448AD2 3E9FC74F 									
  BC2FC829 00D51F65 870A7D5D BD1B3843 53C18D14 5464DEDB CE05A70B 0C418B8B 									
  CDEB44BF 6DD0A7B3 7A83AEE5 1908F5DF 35D81D5E AF9A11D3 E2A893A1 16977D88 									
  8FAFD632 3E9E3C20 23B518C5 41E819C2 4E1087									
        quit									
!									
!									
license udi pid CISCO2811 sn 
!									
redundancy									
!         									
!									
ip tcp synwait-time 10									
ip ssh version 2									
!									
track 1 ip sla 1									
!									
class-map match-any STREAMING									
 match protocol bittorrent									
 match protocol fasttrack									
 match protocol gnutella									
 match protocol kazaa2									
!									
!									
policy-map DROP									
 class STREAMING									
  drop									
!									
! 									
!									
crypto isakmp policy 21									
 encr 3des									
 hash md5									
 authentication pre-share									
 group 2									
crypto isakmp key xxxx address xxxxxxxxxx								
!									
!									
crypto ipsec transform-set SuzlonSet esp-3des esp-md5-hmac 									
!									
crypto map SuzlonMap 21 ipsec-isakmp 									
 set peer xxxxxxxxxxxxxxx <---------- tunnel to the ASA								
 set transform-set SuzlonSet 									
 match address 150									
!									
!									
!									
!									
!									
interface FastEthernet0/0									
 description connection to LAN									
 ip address 192.168.105.2 255.255.255.192									
 no ip redirects									
 no ip unreachables									
 no ip proxy-arp									
 ip flow ingress									
 ip flow egress									
 ip nat inside									
 ip virtual-reassembly in									
 duplex auto									
 speed auto									
 no cdp enable									
 no mop enabled									
!									
interface FastEthernet0/1									
 description connection to Cable Modem									
 ip address 192.168.1.2 255.255.255.0									
 ip access-group BLOCK_NETFLIX in									
 ip access-group 22 out									
 no ip redirects									
 no ip unreachables									
 no ip proxy-arp									
 ip nbar protocol-discovery									
 ip flow ingress									
 ip flow egress									
 ip nat outside									
 ip virtual-reassembly in									
 duplex auto									
 speed auto									
 no cdp enable									
 no mop enabled									
 crypto map SuzlonMap									
 service-policy input DROP									
!									
interface Serial0/2/0									
 no ip address									
 shutdown									
!									
ip forward-protocol nd									
no ip http server									
no ip http secure-server									
!									
ip flow-top-talkers									
 top 15									
 sort-by bytes									
!									
no ip nat service sip udp port 5060									
ip nat inside source list 155 interface FastEthernet0/1 overload									
ip nat outside source static 121.242.42.34 10.102.0.33 add-route									
ip nat outside source static 121.242.42.58 172.16.11.40 add-route									
ip nat outside source static 125.16.86.53 172.16.11.39 add-route									
ip nat outside source static 125.17.116.37 10.102.0.206 add-route									
ip route 0.0.0.0 0.0.0.0 192.168.1.1									
ip route 10.100.4.0 255.255.255.192 192.168.105.1									
ip route 192.168.104.0 255.255.255.192 192.168.105.1									
ip route 192.168.105.64 255.255.255.192 192.168.105.1									
ip tacacs source-interface FastEthernet0/0									
!									
ip access-list standard Community_String									
 permit 10.153.0.223									
 permit 10.153.0.220									
!									
ip access-list extended BLOCK_NETFLIX									
 deny   ip 198.45.0.0 0.0.255.255 any									
 deny   ip 108.175.0.0 0.0.255.255 any									
 permit ip any any									
!									
ip sla 1									
 icmp-echo 10.153.0.10 source-interface FastEthernet0/0									
 threshold 2500									
 timeout 2500									
 frequency 3									
ip sla schedule 1 life forever start-time now									
no logging trap									
logging source-interface FastEthernet0/0									
logging 10.153.0.197									
logging 10.153.0.198									
logging 10.153.0.199									
access-list 22 deny   66.232.66.130									
access-list 22 permit any									
access-list 150 permit ip 192.168.104.0 0.0.0.63 10.153.0.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.153.0.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.16.10.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 204.55.0.0 0.0.31.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.5.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.2.128 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.2.64 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.1.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.2.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.0.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.1.192 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.1.128 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.1.64 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.1.0 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.3.0 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.2.3.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.2.33.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 192.168.171.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 192.168.111.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.14.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.13.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.15.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.17.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.16.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.18.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.0.64 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.0.192 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.4.64 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.4.0 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.5.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.12.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.14.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.11.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.10.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.2.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.5.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.2.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.1.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.2.0 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.16.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.16.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.6.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.4.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.8.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.10.128 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.5.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.27.13.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.22.0 0.0.1.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.248.162.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.10.0 0.0.0.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.16.0 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.26.20.0 0.0.1.255									
access-list 150 permit ip 192.168.105.0 0.0.0.63 172.28.16.192 0.0.0.63									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.118.203.0 0.0.0.127									
access-list 150 permit ip 192.168.105.0 0.0.0.63 10.64.169.0 0.0.0.255									
access-list 150 permit ip 192.168.104.0 0.0.0.63 10.64.169.0 0.0.0.255									
access-list 155 deny   ip 192.168.104.0 0.0.0.63 10.153.0.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.153.0.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.16.10.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 204.55.0.0 0.0.31.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.5.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.2.128 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.2.64 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.1.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.2.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.0.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.1.192 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.1.128 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.1.64 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.1.0 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.3.0 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.2.3.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.2.33.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 192.168.171.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 192.168.111.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.14.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.13.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.15.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.17.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.16.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.18.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.0.64 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.0.192 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.4.64 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.4.0 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.5.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.12.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.14.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.11.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.10.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.2.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.5.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.2.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.1.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.2.0 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.16.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.16.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.6.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.4.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.8.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.10.128 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.5.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.27.13.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.22.0 0.0.1.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.248.162.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.10.0 0.0.0.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.16.0 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.26.20.0 0.0.1.255									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 172.28.16.192 0.0.0.63									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.118.203.0 0.0.0.127									
access-list 155 deny   ip 192.168.105.0 0.0.0.63 10.64.169.0 0.0.0.255									
access-list 155 deny   ip 192.168.104.0 0.0.0.63 10.64.169.0 0.0.0.255									
access-list 155 permit ip 192.168.105.0 0.0.0.63 any									
access-list 155 permit ip 192.168.104.0 0.0.0.63 any									
access-list 155 permit ip 10.100.4.0 0.0.0.63 any									
access-list 155 permit ip 192.168.105.64 0.0.0.63 any									
no cdp run									
!									
!									
!									
									
snmp-server trap-source FastEthernet0/0									
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart									
snmp-server enable traps envmon									
snmp-server enable traps memory bufferpeak									
snmp-server enable traps cnpd									
snmp-server enable traps config-copy									
snmp-server enable traps config									
snmp-server enable traps cpu threshold									
snmp-server enable traps syslog									
snmp-server enable traps vtp									
snmp-server enable traps aaa_server									
!									
tacacs-server host xxxxxx key 7 xxxxxxxxxx
tacacs-server directed-request									
!									
!									
!									
control-plane									
!									
				
									
			

Open in new window

ASA - i just included the tunnel info. there is no other info about that router or that ip on the ASA.
crypto map newmapds3 133 match address 130
crypto map newmapds3 133 set peer 216.182.X.X
crypto map newmapds3 133 set transform-set myset

Open in new window


On asa
ASA - show run | i 216.182
access-list 133 extended permit ip 10.153.0.0 255.255.255.0 host 216.182.X.X 
crypto map newmapds3 133 set peer 216.182.X.X
tunnel-group 216.182.X.X type ipsec-l2l
tunnel-group 216.182.X.X ipsec-attributes

Open in new window


Router
Router#show run | i 216.182
access-list 150 permit ip host 216.182.X.X 10.153.0.0 0.0.0.255

Open in new window

0
 
Shark AttackNetwork adminAuthor Commented:
unless there are additional equipment on site that i am not aware of. i will double check. the site is in different state
0
 
mikebernhardtCommented:
The access-list 150 line in the last post is not in the previous router config as near as I can tell. Different router? Or is there a change in the running config that needs saving?
0
 
Shark AttackNetwork adminAuthor Commented:
correct i need to "save" there been some changes. cant find anything right?
0
 
Shark AttackNetwork adminAuthor Commented:
look at the picture below. I ssh into 216.182.x.x address, i get in and do show ip int br

2015-05-08-14-26-29.jpg
0
 
Shark AttackNetwork adminAuthor Commented:
thats the only thing i can think of. i am not sure but i guess i will call the ISP
0
 
mikebernhardtCommented:
You could try a traceroute and see where it ends. The might help but might not.
0
 
Shark AttackNetwork adminAuthor Commented:
there was some other router in between the cisco router and asa. didn't know until i seen pictures of the network closet.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.