Cisco WAN :: 2911 Router VPN Tunnel And Default Routing?
Feb 16, 2012
I have a Cisco 2911 that I am configuring for a remote site. I have configured a IPSec Tunnel from our main site ( ASA 5510 ). The Tunnel is up and I can connect from the main site LAN to the address of the 2911 through the IPSec Tunnel. The 2911 is equipped with a 16port switch service module. The switch is configured with an address and I can open a telnet session to the switch. From that session, I am able to reach hosts on the LAN across the IPSec tunnel. However, when I open a telnet session to the 2911 router, I cannot reach hosts on the main site LAN from that address. When I do, the traffic is sent outside of the tunnel instead of inside it. It works from the service module as traffic between the interfaces have the ACL for insteresting traffic applied, but traffic generated from the address of the 2911 router does not seem to get picked up by the ACL on the IPSec tunnel and it is getting the default route applied and going directly to the outside interface instead of to the tunnel. how to make this work?
I recently purchased a Cisco 2911 to replace my Cisco 1711 router. I copied the configuration from the Cisco 1711 router to the Cisco 2911 router. Everything seemed to work correctly except when I VPN tunnel into the Cisco 2911 router using Cisco's VPN client version 5.0. I can ping the router LAN interface from my PC that is VPNed into the router but I can no longer ping or access the devices on the LAN side of the router as I did on the Cisco 1711 router. I don’t see errors in the log or hits blocking anything in the acls. It’s using the same configuration that I had on the Cisco 1711 router, and this did work on the Cisco 1711. The Cisco 2911 router is running IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE SOFTWARE (fc1).
Here is the VPN clinet portion of the configuration: The LAN is addressed as 192.168.0.0/24. The router LAN interface is 192.168.0.1, which I can ping and access. I can't ping or access anything on the LAN (192.168.0.0/24) beside the router.
aaa authentication login vpnclientauth local aaa authorization network vpngroupauth local ! crypto isakmp client configuration group remote-clients key 6 xxxx pool clients [Code]....
I'm trying to configure an IPSEC VPN + tunnel for multicast data. When the default gateway is set on the router (1841) it works fine but if I only set a route to the IPSEC peer via our gateway then the tunnel fails to come up. The end point is to a 3rd party. [code]
I found that if I add a static route for the tunnel destination via fa0/0, the public facing interface, the tunnel comes up..ip route 10.23.4.2 255. 255. 255. 255 FastEthernet0/0
and I can then ping the tunnel IP at the far end - 10.23.0.5.Why would that be? Is there a better way to do this without using a default route??
Recently i attempted to build a LAN 2 LAN VPN tunnel from an Asa to a 2911 running zone based firewall. This was a standard IPSec psk tunnel nothing fancy. I got the tunnel to establish but i could only get traffic to encap on the Asa side and decap on the 2911 side. I couldn't get return traffic.I followed this doc here for classic IPSec in the last example. URL
And I am sure the Asa is right I built a ton of those but I am new to zfw. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasnt sure and I could not find any info. Do I need to do NAT exempt? If so do you use a route map on the end of you NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end.
We have a 6 spoke DMVPN setup. Five of the six spokes work fine. On the 6th spoke, a 2911, we have created a Tunnel0. Other spokes and the hubs can ping it's ip, but it can't ping itself. When we do a show interface it shows the Tunnel 0 is up, but the protocol is down. What does that mean?
Is it possible to create a site-to-site ipsec vpn (lab environment) between two 5505's (ASA IOS 8.2(5) & asdm-645-206) with the same default gateway. I.E. a back to back site-to-site VPN tunnel or do I need to deploy a router and hang each 5505 off a different interface? We have plenty of public IP's but only one default gateway to our ISP (Internet).
I am struggling on a problem for over 2 weeks despite of various researches.
We have a Cisco router, then an ASA 5520 8.4(3). The private interface of the ASA is connected to a switch, and so on connected to one interface of the router. The private interface is as following : 129.88.63.253 255.255.248.0 (/21) => It is in the 129.88.56.0/21 subnet
Here is the part of the router config we are interested in : ! interface Vlan32 ip address 129.88.63.254 255.255.248.0 (this is the tunnel default gateway configured on the ASA - 129.88.56.0/21 subnet) ip address 129.88.71.254 255.255.255.0 secondary ip address 129.88.75.254 255.255.252.0 secondary ip access-group CVPN-depuis-129.88.56 in ip access-group CVPN-vers-129.88.56 out ip verify unicast source reachable-via rx allow-default no ip redirects mls rp ip !
On the ASA, there is currently one default route for the tunneled traffic : route Private 0.0.0.0 0.0.0.0 129.88.63.254 tunneled As you can see, it's on the same subnet as the primary IP address of interface Vlan32 on the router.
The scenario is as following : - we can connect to the VPN with the appropriate alias (LDAP connection), then we get an IP address in the defined range (it's a local ASA pool) - the pool is : 129.88.71.0/24 - but, once we are connected, we can't do anything, because it seems like we don't have any network access
i have problem with a router 2900 with a card switch 16 ports (sm-es2-16p) that does not doing the intervlan routing. i have attached 2 show tech one of the router and one of the card switch 16 ports (sm-es2-16p). I connected physically the switch card to a router interface and it seem to be working because i can do a ping from my pc ( in user vlan 26) to my gateway on the router (172.20.26.1) but i can not do ping to the others vlan like (172.10.26.1) or others. .. i want to know what is happening and if it there is a way to do the trunk conectivity between the switch card and the router internally without a phyisical connection.
I have installed a cisco 2911 router and the cisco usb console drivers on my pc, win 7 64 bit.however when I use putty and open the com port assigned it just goes blank, I am using the usb port on my laptop to connect and using the cisco usb console cable provided
We have purchased a number of 2911 routers.We got Base & security license as we wanted to enable encryption. However we probably wont use the security.We are replacing 2811 routers.Unfortunately the 2811 routers have FXS ports with 2 - 4 POTS handsets - I completely forgot about these ports when I was ordering.Now I have VIC3-FXS cards which are ok in the 2911 but unfortunately I cant get them to work.I am missing PVDMs (well adapters anyway), and even if I got them the router wont take any commands relating to voice due to the license.Is is possible to 'rehost' the security and turn it into a UC ?I am new to these 2911 and Licensing.
I have a 2801 router that I am replacing with a 2911. I know the ports on the 2911 are Gigabits and the 2801 are Fe. I read where the IOS would not support backup and restore on each other . I am attaching a show ver on both routers. I need to know if backup and restore would work and or what other changes would need to get done.
I have a Cisco 2911 router that I will like to use it for setting up a site to site VPN but the router does not support VPN commands. When I issue crypto isakmp command, it says command no recognized. When I issue ipsec transform-set command, it says command not recognized. The IOS running on my router is c2900-universalk9-mz.SPA.151-2.T1.bin. Also see the output of my show licences features command: [code]
what can be done on this router to enable use it for setting up a VPN connection.
I have a 2911 router with 15.1(4) Ios Version. I need to enable the evaluation sna feature but when I try to enter the command "license feature snasw" but I get an error, the command "License feature" does not exist.
I am planning on having a contractor in to configure some new routers and would like for him to login using the local account on the routers while company personal continues to use radius is this possible.
I am trying to connect my Cisco 2911 router to my community in CNA. I can see the routers on the topology map, but when I try to add to community I get an error message stating that the router is unreachable (Unable to connect). I can ping device from ame client. I can view Device Properties for map (Device type: CISCO2911/K9). Telenet attempt to connect but we only use SSH for connectivity (the same as all of my switches that are connected to community). 2911 is listed as a supported router on Cisco site.
whether a Cisco Router 2911 would work on images other than universal image. This is the question raised by one of our customer. He has 2811 Router where-in he has configured T1/E1 configuration, terminated to Zyxel Modem and working fine. Now he wants to replace this 2811 router with 2911 router. Since the universal image in 2911 router is not working with the present configuration in 2811 router, he wants to know, what options are there for him to configure this in 2911.
We have a Cisco 2911 router in our company. I didn't set it up myself nor I was involved. I only started working here recently, bit over 3 months ago. I have been given ongoing task which other IT Technicians been struggling for almost a year with a idea that maybe because I'm fresh person in the company I will find a original idea why could this thing not work.
Our router have a problem with blocking a single IP address, but not completely It's hard to explain but I will try my best. Company is hosting their website externally and accessing the host and FTP on the host on daily bases. It is important for the website to work on the internal network in company. It does work sometimes, but from time-to-time the website showing time-out error 118 on any point before Cisco router using both http and https, have tried putting just the IP address( doesn't matter is it on the general network or last ISA server on DMZ ). I am able to connect to the website using any of proxy gates but not directly to the website. I have also tested the connection past the router and I was able to connect to the website without any problems. I am also able to ping the host's address from the router and internal network.
I have eliminated the possibility of not correctly setup proxy or firewall on the network as problem also occur on the DMZ. I have also checked access-lists on the router and firewall rules for Any possibilities and I can't really see a way why would the router do this.
I am having 2911 router running with C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)IOS and i have configured the following commands for eigrp
how this switch module works in 2911 router? I have two 2911 routers in HSRP configuration for redundancy with crossover cable between switch modules. OSPF running on routers.If active router loses its power and then comes back again, it boots first, its internal link to switch module comes up and it starts to forward packets to switch module. The switch module starts to boot only after router is ready. So I have outage of about 3-4 minutes. For our real-time applications it is way too long.
any way to start booting of the switch module before router gets ready?I understand I can boot it manually, but it is only after router is ready. Only way to get around it I found is to disable internal link and use router interface to connect to the switch module.
We have a cisco 2911 router configured with password for telnet login, but I always failed to login use telnet, does any one know any place need to be modify?
I'm in process of purchasing a new Cisco routers for our branches that will be used primary to enable IPSec virtual tunnel interfce with "tunnel mode ipsec ipv4". does the default IOS IP Base supports this feature? or i need to purchase DATA license or SECURITY license?
The setup looks like this:I have a core swith (HP Procurve) which is connected to Cisco router ( which is ISP router).I have to create vlans and do intervlan between them and reach the ISP router.I created two vlans on HP Core Switch ( apart from default vlan 1) , vlan 99 ip add 10.110.234.1 subnet 255.255.255.128 and vlan 999 ip add 10.110.234.129 subnet 255.255.255.128,vlan 1 ip add 10.110.232.42 subnet 255.255.254.0.tagged the ports of vlan 99 and vlan 999 in vlan 1. I am able to do intervlan routing, but i cannot reach router which is 10.110.232.1 subnet 255.255.252.0.I tried these scenrio on packet tracer, it is working fine.
I have a small network that i want to setup, i have 1 2900 router and i'd like to create subinterfaces for the internal. but more importantly i'd like to have the dsl modems connected to the router with traffic from one subinterface going through one modem and traffic from the other going through the other.
We have two MPLS circuits managed by two different suppliers, one carries VOICE the other DATAWe are to decommision the VOICE MPLS and have increased the bandwith of the DATA MPLS to carry VoIP traffic too.
At both of our sites A & B ,devices connected to the LAN have a default gateway of the VOICE providers Cisco 2600 router , which then goes into the LAN switching. (see diagram)So what I am trying to achieve is toto simply replace these 2600 routers from the VOICE MPLS provider with our own so we dont have to change the default gateways at both sites. Testing
Our Cisco 2600 routes are plugged into each LAN switching environment with two subinterfaces configured, one for voip and the other for dataThe problem is from the router and respective subinterfaces we can get to the other sites destination without any issue, but if for example a user is at site A with Ip address 10.16.11.12/16 they cant ping the VOIP subnet at site B 10.3.11.0/24. But If a ping is issue from the Site A test router then the 10.3.11.0/24 subnet is reachable but only on the 10.3.12.0/24 configured subinterface.So i guess what Im saying is 10.16.0.0/16 from the LAN needs to be able to get to 10.3.11.0/24Note at site A 10.16.0.0/16 & 10.3.12.0/24 can communicate no problem and at site B 10.207.0.0/16 & 10.3.11.0/24 can communicate no problem.We are using IP routing, should we be using route-maps?
I am using Cisco 2911 & IOS version is 15.1. My problem is that after some days (e.g. 15-20 days), the routing table suddenly stops updating & then I have to enter the default route again to make it up. I am using Track 1 to track default route here. After primary link goes down, the Track is also going down but after coming the primary link up, the track is not coming up. So, I have to add the default route again to make it up.
i've configured Cisco VPN CLient on a router 2821, and it is working fine.I could access inside resourses normally>the problem is that when i connect with VPN i lost connectivity to internet? What is wrong with my configuration? Below the running config of the router.
CISCO2821#sh run Building configuration... Current configuration : 5834 bytes ! version 12.4
I am having one router CISCO2911/K9 (Cisco 2911 w/3 GE,4 EHWIC,2 DSP,1 SM,256MB CF,512MB DRAM,IPB). But now my management asking me to upgrade this router as CISCO2911-SEC/K9.
I have setup a basic PBR config to route Http and Https out of a different interface (fa0/0/0) but for some reason http traffic is still going out of the Gi0/1 interface.
Config attached minus the crypto stuff and the publics have been changed.
We recently installed a 2911 sec router.On this device there are three Ipsec GRE Tunnnels which are working fine and an Easy VPN Server.The problem is that when clients connect to the easy vpn server they cannot ping anything inside , the configuration regarding protected networks is fine.After restarting the router the first client conneced works but when disconnected all the others are authenticating and the cant see anythining in the internal network . By checking the routing table i realized that the route to the virtual access interface is missing for no reason. i used the #debug ip routing detail command and i got the following during the client connection
Mar 31 09:51:37.875: RT: interface Virtual-Access5 removed from routing tableMar 31 09:51:37.875: RT: delete route to 192.168.20.9 via 79.xxx.xxx.xxx, Virtual-Access5
