Having issues with new Cisco router

First let me apologize for posting probably such a simple question, but I'm new to configuring routers so please be nice :) I have installed a 2nd router on our network (my first router config). From this router I can get out to the rest of the network and Internet no problem; however, I am not able to access any computer connected to the new router. There are 2 networks configured on the new router, 10.20.4.0/10.20.5.0. I can ping the router and connect to it over my network, and I can ping 10.20.4.1 and 5.1, but the laptop I connect, which has IP address 10.20.4.2, I am unable to ping. Any help would be great. Can post running config etc. if needed.
 
Is this an actual router or an ASA?

Either way, check your ACLs and use debug commands to see why the packets are being dropped.
 
It turns out the ASA didn't have RIP enabled and that was what was stopping me from accessing the laptop behind the new router. I've now added static routes onto the ASA and can ping the laptop as long as NAT is disabled on the new router. However, with NAT disabled on the new router my laptop can now no longer get out to the Internet or rest of my network, but with NAT on it does but I can't get to it. Does that make sense?
 
More details will definitely help. How many networks (or subnets) are currently residing on the entirety of the LAN? I see you mentioned 2:

10.20.4.0/16
10.20.5.0/16

Those are both on two different interfaces of the 1900, correct? Also, another interface then connects to the ASA, which is acting as your firewall and connects to the internet maybe? A simple diagram would be immensely helpful really.

If you have the security license on the 1900 series (1941 maybe?), having the ASA in addition may not be necessary. An ASA is made to be a firewall, an edge device connecting to the internet, and not a router. So if you need routing between different subnets, a L3 switch or a router (1900 series in this case) would be more suitable to your situation.
 
Just a quick diagram of the setup for this router. The router I am adding is Router B on the diagram. I am sat at Laptop A trying to ping Laptop B. With NAT enabled on Router B I can access my network and Internet from Laptop B but cannot access Laptop B from Router A. If I turn NAT off on Router B I can access Laptop B from Router A but cannot access network or Internet from Laptop B.
 
https://flic.kr/p/pEWMat
I couldn't get the picture to actually show on here so linked to the image on Flickr.
Ignore the /32 CIDR, it's actually a /26, dunno why I did /32 on the drawing.
 
Correct. Coming off the 1900 I have 3 interfaces. 2 are for the 2 new networks and 1 is the connection to the rest of the LAN. This is into a Layer 2 switch which is then connected to our ASA (I know it's not best practice to use the ASA as our router, but that was the situation when I started and at the moment I can't change that). The ASA has 4 interfaces: 0/0 - Outside, 0/1 - DMZ, 0/2 - Link to our 2nd site and 0/3 - Internal LAN. I have added static routes onto the ASA for 10.20.4.x and 10.20.5.x. We don't have the security licence on the 1900.
 
If Router A is an ASA, therein lies part of the problem. The ASA is not a router, it is a firewall as previously stated. It wants to "sessionize" all traffic going through it. It treats all traffic coming in from one interface, going out through another interface as traffic that should be NATd and added to the XLATE table. If you want to route between them, you should be NAT exempting the traffic, setting up routes, and disabling proxy-arp.

A much better solution in this scenario is to make Router A (ASA right?) an edge device connected directly to Router B, then terminate all networks to Router B, and have routing and ACLs set up on Router B. More akin to the setup below.

10.20.3.0
|
((Internet))-------------[ASA]-------------[1900] -----10.20.0.0/24
| |
10.20.4.0 |
10.20.5.0
 
And I see you can't change that now....
And, my diagram didn't work properly with the formatting haha, oops, it's irrelevant now, back to the drawing board.
 
Could you post configs, removing WAN addresses and any other identifying information?
 
Below is the running config for the ASA

: Saved
:
ASA Version 8.4(2)
!
hostname AT-ASA01
domain-name autotech.local
enable password 62jUrFE7j01.BxRF encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address 194.74.x.x 255.255.255.248
!
interface Ethernet0/1
shutdown
nameif DMZ
security-level 100
ip address dhcp setroute
!
interface Ethernet0/2
nameif LinkToIgranic
security-level 100
ip address 192.168.x.x. 255.255.255.0
!
interface Ethernet0/3
flowcontrol send on 16 45 26624
nameif Inside
security-level 100
ip address 10.20.3.254 255.255.252.0
!
interface Ethernet0/3.11
vlan 11
nameif Guest
security-level 100
ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3.21
vlan 21
nameif Voice
security-level 100
ip address 10.200.11.254 255.255.254.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name autotech.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ATGEX01
host 10.20.0.22
object network LutonLAN
subnet 10.10.10.0 255.255.255.0
object network Netextender
host 10.20.3.200
object network TeamSite
host 10.20.0.27
object network Mailwall1
host 66.197.x.x
object network Mailwall2
subnet 92.48.x.x 255.255.255.192
object network Mailwall3
subnet 195.72.x.x 255.255.255.240
object network Mailwall4
subnet 95.154.x.x 255.255.255.192
object network KingsNortonLAN
subnet 10.10.11.0 255.255.255.0
object network LandRoverLAN
subnet 10.10.12.0 255.255.255.0
object network GuestLAN
subnet 192.168.20.0 255.255.255.0
object network Thor-SMTP1
host 92.60.x.x
description Thor mailrelay
object network Thor-SMTP2
host 92.60.x.x
description Thor mailrelay
object network Thor-SMTP3
host 217.172.x.x
description Thor mailrelay
object network Thor-SMTP4
host 217.172.x.x
description Thor mailrelay
object network IgranicLAN
subnet 10.10.13.0 255.255.255.0
object network igranic2
subnet 192.168.88.0 255.255.255.0
object network test
subnet 192.168.1.0 255.255.255.0
object network IgranicDAGNIC
host 192.168.50.3
object network ACLFS01
host 10.10.10.11
object network LyncVC
subnet 192.168.50.0 255.255.255.0
description Dedicated for Lync Video Conferencing
object network SilsoeLAN
subnet 10.20.0.0 255.255.252.0
object network ATG-CaptureIT
host 10.20.0.32
object network BedfordVoice
subnet 10.200.30.0 255.255.254.0
object network ATGEX02
host 10.20.0.23
object network SilsoeVoice
subnet 10.200.10.0 255.255.254.0
object network Tens
subnet 10.0.0.0 255.0.0.0
object network KingsNortonVoice
subnet 10.200.20.0 255.255.254.0
object network IgranicLAN2
subnet 10.10.13.0 255.255.255.0
object network SpiceworkExternalSilsoe
host 81.145.196.129
object network atg-sworks01
host 10.20.0.29
object network VidyoExternal
host 81.145.196.130
object network VidyoInternal
host 10.20.0.53
object network SpiceworksExternalBedford
host 81.145.x.x
object network SpiceworksInternalBedford
host 10.10.13.1
object network KasperskyConnectionGatewayExternal
host 81.145.x.x
object network KasperskyConnectionGatewayInternal
host 10.20.0.56
object service KasperskyConnectionGateway
service tcp destination range 13000 14000
description Non SSL
object service KasperskyConnectionGatewaySSL
service tcp destination eq 13000
object network ROU-Sil-10
host 10.20.3.253
description Router for Demo and Training Room
object network TrainingRoom
subnet 10.20.4.0 255.255.255.192
description Training Room
object network DemoRoom
subnet 10.20.5.0 255.255.255.192
description Demo Room
object-group service DM_INLINE_TCP_1 tcp
port-object eq https
port-object eq pptp
object-group network DM_INLINE_NETWORK_1
network-object host 10.20.3.200
network-object object ATGEX02
network-object object TeamSite
object-group network Mailwall
network-object object Mailwall1
network-object object Mailwall2
network-object object Mailwall3
network-object object Mailwall4
object-group network Thor-SMTP
description Thor SMTP Servers
network-object object Thor-SMTP1
network-object object Thor-SMTP2
network-object object Thor-SMTP3
network-object object Thor-SMTP4
object-group network ATG_EMAIL_SERVERS
network-object object ATGEX01
network-object object ATGEX02
object-group network AUTOTECH_LANS
network-object object GuestLAN
network-object object IgranicLAN
network-object object KingsNortonLAN
network-object object LandRoverLAN
network-object object LutonLAN
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_2
network-object object SilsoeLAN
network-object object SilsoeVoice
network-object object IgranicLAN
object-group network DM_INLINE_NETWORK_3
network-object object KingsNortonLAN
network-object object LandRoverLAN
object-group network DM_INLINE_NETWORK_4
network-object object BedfordVoice
network-object object IgranicLAN
network-object object KingsNortonLAN
network-object object LandRoverLAN
network-object object SilsoeLAN
network-object object SilsoeVoice
object-group network DM_INLINE_NETWORK_5
network-object object KingsNortonLAN
network-object object KingsNortonVoice
object-group network DM_INLINE_NETWORK_7
network-object object KingsNortonLAN
network-object object KingsNortonVoice
object-group network DM_INLINE_NETWORK_6
network-object object KingsNortonLAN
network-object object KingsNortonVoice
object-group network DM_INLINE_NETWORK_8
network-object object SilsoeLAN
network-object object IgranicLAN2
object-group network DM_INLINE_NETWORK_9
network-object object IgranicLAN
network-object object IgranicLAN2
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service VidyoEMCP tcp
port-object eq 17992
object-group service VidyoSCIP tcp
port-object eq 17990
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
group-object VidyoEMCP
group-object VidyoSCIP
object-group service VidyoConferencing udp
port-object range 50000 65535
object-group network DM_INLINE_NETWORK_10
network-object object SpiceworksInternalBedford
network-object object atg-sworks01
access-list Outside_access_in extended permit object KasperskyConnectionGateway any object KasperskyConnectionGatewayInternal
access-list Outside_access_in extended permit icmp any any echo-reply
access-list Outside_access_in remark VidyoConferencing UDP access from the Internet
access-list Outside_access_in extended permit ip any object VidyoInternal
access-list Outside_access_in extended permit tcp object-group Mailwall object ATGEX01 eq smtp
access-list Outside_access_in extended permit tcp object-group Thor-SMTP object ATGEX01 eq smtp
access-list Outside_access_in extended permit tcp any object ATGEX01 object-group DM_INLINE_TCP_1
access-list Outside_access_in extended permit tcp any host 10.20.0.32 eq 8080
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_1 eq https
access-list Outside_access_in extended permit tcp any object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_2
access-list Outside_access_in remark VidyoConferencing Web access from the Internet
access-list Outside_access_in extended permit tcp any object VidyoInternal object-group DM_INLINE_TCP_3
access-list Outside_access_in extended deny ip any any
access-list Outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_7
access-list Inside_access_in extended permit ip any any
access-list Guest_access_in extended deny ip any 10.10.10.0 255.255.255.0
access-list Guest_access_in extended permit ip any any
access-list Igranic_access_in extended permit ip any any
access-list Igranic_access_in extended permit udp any any
access-list Igranic_access_in extended permit icmp any any
access-list DAGSilsoe_access_in extended permit tcp object-group ATG_EMAIL_SERVERS any eq smtp
access-list DAGSilsoe_access_in extended deny tcp any any eq smtp
access-list DAGSilsoe_access_in extended permit ip any any
access-list DAGSilsoe_access_in extended permit icmp any any
access-list DAGSilsoe_access_in extended permit ip any object TrainingRoom inactive
access-list DAGSilsoe_access_in extended permit ip object DemoRoom any
access-list SMTP_ACCESS remark ##### Permit any SMTP Traffic from ATG Email Servers #####
access-list SMTP_ACCESS extended permit tcp object-group ATG_EMAIL_SERVERS any eq smtp
access-list SMTP_ACCESS remark ##### Deny SMTP Traffic from all other devices #####
access-list SMTP_ACCESS extended deny tcp object-group AUTOTECH_LANS any eq smtp
access-list SMTP_ACCESS extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list Voice_access_in extended permit ip any any
access-list VOIP_access_in extended permit ip any any
access-list Guest_access_in_1 extended deny ip any object-group DM_INLINE_NETWORK_4
access-list Guest_access_in_1 extended permit icmp any any
access-list Guest_access_in_1 extended permit ip any any
access-list Outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_8 object LandRoverLAN
access-list Inside_access_in_1 extended permit ip host 10.20.0.29 any
pager lines 24
logging enable
logging emblem
logging asdm debugging
logging host Inside 10.20.2.2 format emblem
mtu Outside 1500
mtu DMZ 1500
mtu LinkToIgranic 1500
mtu Inside 1500
mtu Guest 1500
mtu Voice 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (Inside,Outside) source static SilsoeLAN SilsoeLAN destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6
nat (Voice,Outside) source static SilsoeVoice SilsoeVoice destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5
nat (Inside,Outside) source static SilsoeLAN SilsoeLAN destination static LandRoverLAN LandRoverLAN
nat (LinkToIgranic,Outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3
!
object network ATGEX01
nat (Inside,Outside) static 194.74.x.x
object network LutonLAN
nat (DMZ,Outside) dynamic interface
object network Netextender
nat (Inside,Outside) static 194.74.x.x
object network TeamSite
nat (Inside,Outside) static 194.74.x.x service tcp https https
object network GuestLAN
nat (Guest,Outside) dynamic interface
object network IgranicLAN
nat (LinkToIgranic,Outside) dynamic 194.74.x.x
object network SilsoeLAN
nat (Inside,Outside) dynamic interface
object network ATG-CaptureIT
nat (Inside,Outside) static 194.74.x.x service tcp 8080 8080
object network ATGEX02
nat (Inside,Outside) static 194.74.x.x service tcp https https
object network atg-sworks01
nat (Inside,Outside) static SpiceworkExternalSilsoe
object network VidyoInternal
nat (Inside,Outside) static VidyoExternal
object network SpiceworksInternalBedford
nat (LinkToIgranic,Outside) static SpiceworksExternalBedford
object network KasperskyConnectionGatewayInternal
nat (Inside,Outside) static KasperskyConnectionGatewayExternal
access-group Outside_access_in in interface Outside
access-group SMTP_ACCESS in interface DMZ
access-group Igranic_access_in in interface LinkToIgranic
access-group Inside_access_in_1 in interface Inside control-plane
access-group DAGSilsoe_access_in in interface Inside
access-group Guest_access_in_1 in interface Guest
access-group VOIP_access_in in interface Voice
route Outside 0.0.0.0 0.0.0.0 194.74.101.x.x
route LinkToIgranic 10.10.13.0 255.255.255.0 192.168.88.1 5
route Inside 10.20.4.0 255.255.255.192 10.20.3.253 1
route Inside 10.20.5.0 255.255.255.192 10.20.3.253 1
route LinkToIgranic 10.200.30.0 255.255.254.0 192.168.88.1 1
route LinkToIgranic 192.168.51.3 255.255.255.255 192.168.88.1 7
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 192.168.10.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 DMZ
http 88.98.x.x 255.255.255.255 Outside
http 10.10.13.0 255.255.255.0 DMZ
http 10.20.0.0 255.255.252.0 Inside
snmp-server group Authentication&Encryption v3 priv
snmp-server user ASA_SNMP Authentication&Encryption v3 encrypted auth md5 00:55:99 priv 3des 00:55:99:43:d8:bc:c7:44:db:7b:7b:5e:52:a2:d2:9a:76:3c:a5:ef:cd:1c:a1:00:00:00:00:d0:d4:00:80:29
snmp-server host Inside 10.20.0.29 version 3 ASA_SNMP
snmp-server location Silsoe Server Room
snmp-server contact Simon Stevens
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection timewait
crypto ipsec ikev1 transform-set 3DESMD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 195.74.x.x
crypto map Outside_map 1 set ikev1 transform-set 3DESMD5
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set peer 81.142.x.x 176.227.x.x
crypto map Outside_map 2 set ikev1 transform-set ESP-AES-128-MD5
crypto map Outside_map interface Outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 DMZ
telnet 10.10.13.0 255.255.255.0 DMZ
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh 10.10.10.0 255.255.255.0 DMZ
ssh 10.10.13.0 255.255.255.0 DMZ
ssh 10.20.0.0 255.255.252.0 Inside
ssh 192.168.10.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcp-client client-id interface DMZ
dhcpd dns 8.8.8.8 interface DMZ
!
dhcpd address 192.168.20.10-192.168.20.200 Guest
dhcpd dns 208.67.222.222 208.67.220.220 interface Guest
dhcpd option 3 ip 192.168.20.1 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.10.10-192.168.10.20 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1
username mirus password MBHB0f7Vlg4TnuoM encrypted privilege 15
username admin password FzJuC8klY.Qnj3v8 encrypted privilege 15
tunnel-group 195.74.x.x type ipsec-l2l
tunnel-group 195.74.x.x ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 176.227.x.x type ipsec-l2l
tunnel-group 176.227.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group 81.142.x.x type ipsec-l2l
tunnel-group 81.142.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect rsh
inspect rtsp
inspect sqlnet
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect h323 h225
inspect h323 ras
inspect sip
inspect skinny
class global-class
inspect dns
inspect rtsp
inspect snmp
inspect tftp
inspect sip
inspect h323 h225
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:020668cf6a1993df88d262832a6b33e8
: end
asdm image disk0:/asdm-645-106.bin
no asdm history enable
 
This is running config for new router.


Building configuration...

Current configuration : 4827 bytes
!
! Last configuration change at 08:31:58 London Fri Nov 7 2014 by simon
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ROU-Sil-10
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5 $1$Vp1R$fNIb44/T/6NZn93KqK7.3.
enable password $1$Vp1R$fNIb44/T/6NZn93KqK7.3.
!
no aaa new-model
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
!
!
ip dhcp excluded-address 10.20.4.1
ip dhcp excluded-address 10.20.5.1
!
ip dhcp pool Train
import all
network 10.20.4.0 255.255.255.192
dns-server 10.20.0.20 10.20.0.21
default-router 10.20.4.1
lease 8
!
ip dhcp pool Demo
import all
network 10.20.5.0 255.255.255.192
dns-server 10.20.0.20 10.20.0.21
domain-name autotech.co.uk
default-router 10.20.5.1
lease 8
!
!
!
ip domain name autotech.co.uk
ip name-server 10.20.0.20
ip name-server 10.20.0.21
ip cef
ipv6 unicast-routing
ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2598932824
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2598932824
revocation-check none
rsakeypair TP-self-signed-2598932824
!
!
crypto pki certificate chain TP-self-signed-2598932824
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn FCZ1811C4DU
!
!
username atgadmin privilege 15 password 0 $1$Vp1ertR$fNIb44/T/6NZn93KqK7.3.
username simon privilege 15 password 0 $1$Vp1R$fNIbter44/T/6NZn93KqK7.3.
!
redundancy
!
!
no ip ftp passive
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description LAN Port to Rest of Network$ETH-LAN$
ip address 10.20.3.253 255.255.252.0
ip access-group Allow in
ip access-group Allow out
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description Training Room$ETH-LAN$
ip address 10.20.4.1 255.255.255.192
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0/0
description Demo Room$ETH-LAN$
ip address 10.20.5.1 255.255.255.192
ip virtual-reassembly in
ip tcp adjust-mss 1412
duplex auto
speed auto
media-type rj45
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp ipcp dns request
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 199 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.20.3.254 permanent
ip route 10.20.4.0 255.255.255.192 GigabitEthernet0/1
ip route 10.20.5.0 255.255.255.192 GigabitEthernet0/0/0
!
ip access-list extended Allow
remark Allow
remark CCP_ACL Category=1
permit ip any any
!
dialer-list 1 protocol ip permit
!
!
snmp-server community public RO
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.20.4.0 0.0.0.63
access-list 1 permit 10.20.5.0 0.0.0.63
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 199 permit ip any any
!
control-plane
!
!
!
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password $1$Vp1R$fNIbawerstdfygT/6NZn93KqK7.3.
login local
transport input telnet
transport output telnet
!
scheduler allocate 20000 1000
!
end
 
Sorry! I checked this a couple of times and thought I had subscribed, but I guess I had not. When I get a moment, I can look at those configs, they are a bit longer than I expected. Is this still an issue you need help with?
 
If it's still the NAT and internet issue then I'm thinking you'll need to disable NAT on the 1900 and add some NAT rules on the ASA to NAT the traffic from the two subnets behind the 1900 to the internet.
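
As an added example (not part of the original post, and not the posters' own tooling): a small Python check of the suggestion above, run over a constructed excerpt of the ASA config posted earlier in the thread. For each source subnet it reports the ASA's return route and any object NAT rule toward Outside; `ASA_WITH_NAT`, `parse_asa` and `audit` are names assumed for this example.

```python
import ipaddress

# Constructed excerpt: lines taken from the ASA running config posted in this
# thread (indentation restored). Only the parts that decide reachability are kept.
ASA_POSTED = """\
interface Ethernet0/3
 nameif Inside
 ip address 10.20.3.254 255.255.252.0
object network SilsoeLAN
 subnet 10.20.0.0 255.255.252.0
object network TrainingRoom
 subnet 10.20.4.0 255.255.255.192
object network DemoRoom
 subnet 10.20.5.0 255.255.255.192
object network SilsoeLAN
 nat (Inside,Outside) dynamic interface
route Inside 10.20.4.0 255.255.255.192 10.20.3.253 1
route Inside 10.20.5.0 255.255.255.192 10.20.3.253 1
"""

# Assumed addition (not from the thread): object NAT for the two new subnets,
# written in the same form the posted config already uses for SilsoeLAN.
ASA_WITH_NAT = ASA_POSTED + """\
object network TrainingRoom
 nat (Inside,Outside) dynamic interface
object network DemoRoom
 nat (Inside,Outside) dynamic interface
"""


def net(addr, mask):
    """Return the network for addr/mask, or None for redacted or non-IP tokens."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    except ValueError:
        return None


def parse_asa(config):
    """Collect object subnets, object NAT rules, and routes (connected + static).

    Matching is by keyword, not indentation, so a flattened paste also parses.
    """
    subnets, nat_rules, routes = {}, [], []
    obj = nameif = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":"):
            continue
        if t[:2] == ["object", "network"] and len(t) >= 3:
            obj = t[2]
        elif t[0] == "interface":
            nameif = None
        elif t[0] == "nameif" and len(t) >= 2:
            nameif = t[1]
        elif t[:2] == ["ip", "address"] and nameif and len(t) >= 4 and net(t[2], t[3]):
            routes.append((nameif, net(t[2], t[3]), "connected"))
        elif t[0] == "subnet" and obj and len(t) == 3 and net(t[1], t[2]):
            subnets[obj] = net(t[1], t[2])
        elif t[0] == "nat" and obj and len(t) > 2 and t[2] in ("dynamic", "static"):
            # Object NAT only; twice-NAT lines ("nat (...) source ...") are skipped.
            real_if, mapped_if = t[1].strip("()").split(",")
            nat_rules.append((obj, real_if, mapped_if, t[2]))
        elif t[0] == "route" and len(t) >= 5 and net(t[2], t[3]):
            routes.append((t[1], net(t[2], t[3]), t[4]))
    return subnets, nat_rules, routes


def audit(config, source, egress="Outside"):
    """For a source subnet: how does the ASA route back to it, and which
    object NAT rule (if any) translates it toward the egress interface?"""
    subnets, nat_rules, routes = parse_asa(config)
    src = ipaddress.ip_network(source)
    # Longest-prefix match over connected and static routes.
    hits = [r for r in routes if src.subnet_of(r[1])]
    best = max(hits, key=lambda r: r[1].prefixlen, default=None)
    nat = next((name for name, real_if, mapped_if, _ in nat_rules
                if mapped_if == egress and name in subnets
                and src.subnet_of(subnets[name])
                and (best is None or real_if == best[0])), None)
    return {"return_route": best and (best[0], best[2]), "nat_object": nat}


if __name__ == "__main__":
    for label, cfg in (("posted", ASA_POSTED), ("with NAT added", ASA_WITH_NAT)):
        for subnet in ("10.20.0.0/22", "10.20.4.0/26", "10.20.5.0/26"):
            print(label, subnet, audit(cfg, subnet))
```

On the posted excerpt the two /26 subnets have a return route via 10.20.3.253 but no object NAT rule toward Outside, because the SilsoeLAN object (10.20.0.0/22) does not cover them.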
 
Ummm silly question, does laptop have firewall turned on? I did a ctrl+f on here for firewall and I don't see you mention the laptop firewall haha
 
Charold - Yes still having the issue, so if you are able to take a look and advise that would be great :)
bmh.01 - NAT as far as I recall is turned off on the 1900. I'll double check NAT on both the 1900 and add any rules needed to the ASA.
MysticRyuujin - No the laptop does not currently have any form of Firewall turned on.
 
NAT is off on the 1900. With NAT turned on, the laptop connected to that router can get to the Internet and my existing network, but my existing network cannot get to it.
 