Help with Cisco 2621 and Routing

[jafo18301]

I have a config file that I have been working on for the past few days. The internal network seems to be fine but whenever I try to go outside the network, it doesn't seem to route. Can someone tell me what I may be missing? I am still new to Cisco routers (I am replacing my PIX 501 which is working) and would like to get this working. The 192.168.0.0 network is the outside network. This 2621 router is connected to a switch which is also connected to a Linksys router (on the cable modem side). I also have the internal network, 10.99.99.0 that is connected to a Cisco 4006 switch. I can ping the outside from the router interface but I cannot ping from a computer attached to the 10.x network. When I perform a trace route, it stops on the 10.x network. What am I missing?

Also, is there any VPN clients that will work with the Cisco routers and Windows Vista 64bit? I have tried NCP but it doesn't look like it has supported Cisco encryption. Thanks in advance. The following is my config:

- Shawn

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RID_R1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network netauth local
aaa session-id common
enable password 7 XXXXXXXXXXXXXXXX
!
username XXXXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXX
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip dhcp excluded-address 10.99.99.200 10.99.99.255
!
ip dhcp pool 1
network 10.99.99.0 255.255.255.0
default-router 10.99.99.1
dns-server 204.186.0.201 207.44.96.129
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 40 5
!
crypto isakmp client configuration group XXXXXXXXXX
key XXXXXXXXXXXXXXX
pool vpn_pool_1
acl 120
!
!
crypto ipsec transform-set esp-3des-sha esp-des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set esp-3des-sha
reverse-route
!
!
crypto map vpn_cmap client authentication list userauthen
crypto map vpn_cmap isakmp authorization list netauth
crypto map vpn_cmap client configuration address respond
!
crypto map vpn_dynmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
voice call carrier capacity active
!
!
!
!
!
!
!
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
description connected to outside Router
ip address 192.168.0.5 255.255.255.0
ip nat outside
speed auto
full-duplex
!
interface Serial0/0
no ip address
no ip mroute-cache
shutdown
!
interface FastEthernet0/1
description connected to EthernetLAN
ip address 10.99.99.1 255.255.255.0
duplex auto
speed auto
!
ip local pool default 10.99.99.25 10.99.99.125
ip local pool vpn_pool_1 10.99.99.220 10.99.99.225
!
ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload
ip classless
!
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route 10.99.99.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0 permanent
ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip any any
!
route-map vpn_routemap_1 permit 1
match ip address 101
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
end

 

[cisconooblet]

#1 I wouldn't do a double nat.

#2 Your missing your ip nat inside statement on your inside ethernet interface.

 

[cisconooblet]

#3 Take out the
ip route 10.99.99.0 255.255.255.0 FastEthernet0/1 permanent
ip route 192.168.0.0 255.255.255.0 FastEthernet0/0 permanent

 

[jafo18301]

I have added the ip nat inside on the FastEthernet0/1 interface. I have also removed the permanent ip routes but it still doesn't allow traffic to flow outside of the 10.x network. On my PIX I had to add the nat (inside, outside) command to get this to work but I'm not sure what I also require for the router.

Thanks for the reply,

- Shawn

 

[cisconooblet]

Does your linksys router have a route to your 10. network? It will need one.

 

[jafo18301]

The Linksys doesn't have a route to the 10.x network. The linksys was working fine with the PIX. What is getting me is that when I try to do a trace route from a pc attached to the 10.x network, I can't even route to the 192.168.x network. I know it has something to do with the ip route but I'm not 100% what I am missing.

Thanks,

- Shawn

 

[cisconooblet]

bah. Nvm your translating the 10 network to 192. The double nat was messing with me. Won't need the 10. route as it will think its coming from 192.

I'm not familiar with the route map in the statement

ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload

but it doesn't look to me like its doing anything really. You could change it to

ip nat inside source list 101 interface FastEthernet0/0 overload

to cut out the route map stuff. Then after you try to get out do a show ip nat translations to see if you show up.

 

[jafo18301]

Thanks... I will try that when I get home tonight. The line: ip nat inside source route-map vpn_routemap_1 interface FastEthernet0/0 overload is going to be used for the VPN once I get it up and running. I have tested it (directly connected to the router) and it seemed to be working (checked the debug and it was producing messages). I will remove the route-map line and replace it with the list 101 line. That makes sense.

Thanks again,

- Shawn

 

[unclerico]

Did you ever add the ip nat inside to your f0/1 interface as nooblet advised?? Also, is there any particular reason why you are double-NATing??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[jafo18301]

I did add the ip nat inside to the FastEthernet0/1 interface (I must have removed it when I sent the running-config file via TFTP). I can remove the ip nat inside source statement altogether. The idea that the 10.x network doesn't talk to the 192.168.x network had me puzzled. I will try to remove that statement and then see what happens.

Thanks,

- Shawn

 

[maheick]

Can you ping 192.168.0.1 from your router?

Mark

 

[burtsbees]

Your acl 101 should not be any any if you plan to exclude 10.x.x.x from being NATted---that is, the VPN pool...

/