Cisco Switches : 七月 2013

2013年7月30日星期二

Route-maps & redistribution LAB -- one simple question for you

Question:

I just wanted to Cisco 3560 Switch ask for your help to undersstand the following route-map behaviour.

I'm doing some redistribution labs and I have the following scenario.

{ (EIGRP 100) R4 ----- [ R2 } ------ R1 (OSPF) ]

R2 sits between EIGRP and OSPF AS.

R4 has the following subnets (loopbacks) with the following requirements when redistributed into OSPF:

R4 LOOPBACKS

10.4.0.0/24 -- seed 100 - tag 10

10.4.2.0/24 -- seed 200 - tag 20

10.4.4.0/24 -- deny

All other subnets: seed metric 300 - tag 30

Where I'm having problems is with the requirement that 10.4.4.0 should be denied from crossing over to OSPF.

Here's my configuration for R2

I've configured the following ACLs:

access-list 1 permit 10.4.0.0 0.0.0.255

access-list 2 permit 10.4.2.0 0.0.0.255

access-list 3 deny 10.4.4.0 0.0.0.255 <---

put them in a route-map EIGRP-TO-OSPF:

route-map EIGRP-TO-OSPF permit 10

match ip address 1

set metric 100

set tag 10

route-map EIGRP-TO-OSPF permit 20

match ip address 2

set metric 200

set tag 20

route-map EIGRP-TO-OSPF permit 30 <-------- permitting because ACL has a DENY statement

match ip address 3 <----

route-map EIGRP-TO-OSPF permit 40

set metric 300 <--- (no match statement to select all others)

set tag 30

and then under R2, router ospf 1:

redistribute eigrp 100 subnets route-map EIGRP-TO-OSPF

So far so good!

However, requirement for route 10.4.4.0 to be denied doesn't work! It passes through to R1 and I'm trying to figure out why since this is an exercise for me to understand route-maps and redistribution.

The way around to solve it was to change the ACL 3 and route-map to:

access-list 3 permit 10.4.4.0 0.0.0.255

route-map EIGRP-TO-OSPF deny 30

match ip address 3

essentially what I've noticed is that with the deny statement in the ACL, 10.4.4.0 passes through and has a tag of 30 so I guess it's caught by the match all of the route-map seq 40. I've tried to rearrange the statement and put it before last but it didn't change anything.

On the other hand when the deny is at the route map seq 30, then 10.4.4.0 isn't caught by the seq 40 and works as it should... very confusing!

so my question is why does it work when denied at the route map but not when denied at the ACL ?

Answer:

>> so my question is why does it work when denied at the route map but not when denied at the ACL ?

Because, this is the way it is implemented in IOS: the route-map logic provided by permit or deny at route-map clause (block) is the one that counts. The IP ACLs are invoked to provide a match condition and a deny in the ACL is simply a not match.

The deny in route-map clause provides a true filtering action so an IP prefix that matches an ACL in a route-,map clause with a deny action is actually filtered. A prefix that is denied in the IP ACL is simply a not match in the route-map clause.

For more Cisco Switch news about Price ans Specification, you can click here.

Cisco 871w cannot ping outside WAN

Question:

Hello, I have Cisco 3560 Price a cisco 871w router that I'm trying to incorporate into an existing network. I have FastEthernet4 (WAN port) plugged into an ISP device, which I don't have access to. I have the address set to use dhcp, which is successfully recognized and I see that the interface gets a valid ip address that I can ping with other computers on the same network.

Problems:

I am logged into the router via the serial port and I cannot ping websites on the internet. I am able to ping sites that are hosted inside the WAN, but when I try "google.com" for instance, I see it sending out packets, but none are received. It resolves the hostname from the local DNS server, but there are no packets received.

Configuration:

I'm really new at this, so I was wondering if you guys could take a look at the commands that I type into the console to set up the router. I'm missing a lot of stuff. This is what I've been able to piece together using google and the software manuals:

enable

config t

hostname [hostname]

interface FastEthernet 4

ip address dhcp

ip nat outside

no shutdown

interface loopback 0

ip address 192.168.0.1 255.255.255.248

no shutdown

interface Vlan 1

ip dhcp pool vlan1

network 192.168.1.0 255.255.255.0

domain-name [domain]

default-router 192.168.0.1

dns-server 10.195.57.1

ip address 192.168.1.1 255.255.255.0

ip helper-address 10.195.57.2

ip virtual-reassembly

ip nat inside

no shutdown

interface FastEthernet 0

switchport access vlan 1

no shutdown

interface FastEthernet 1

switchport access vlan 1

no shutdown

interface FastEthernet 2

switchport access vlan 1

no shutdown

interface FastEthernet 3

switchport access vlan 1

no shutdown

interface FastEthernet 4

switchport access vlan 1

no shutdown

ip nat inside source list 100 interface FastEthernet4 overload

access-list 100 permit ip 192.168.1.1 0.0.0.255 any

Thank you very much for your help!

Answer:

I see several issues. First I do not see any default route configured. Probably it should be something like

ip route 0.0.0.0 0.0.0.0 dhcp

Also I believe that there is a problem in the DHCP configuration. It has the default route as 192.168.0.1. But the default route needs to be in the same subnet as the client addresses. So the default router should probably be 192.168.1.1.

Also the address translation is using an extended access list. But I do not see anything that justifies the extended list. I suggest that it would be better to use a standard access list like this

access-list 1 permit 192.168.1.0 0.0.0.255

ip nat inside source list 100 interface FastEthernet4 overload

For more Cisco Switch news about Price ans Specification, you can click here.

2013年7月28日星期日

NAT route map

Question:

I'm trying Catalyst 3560 Price to understand if this route map NO_NAT setup is needed or a mistake.

There's a vpn range nat exemption that allows 192.168.10.0/24 and 192.168.254.0/24 to communicate and it's applied to Gi0/0. So why would the same route map need be applied to static nat statments?

Thanks.

ip local pool vpnpool 192.168.254.100 192.168.254.200

ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.185 805 9.x.y.z 805 extendable

ip nat inside source static tcp 192.168.10.186 806 9.x.y.z 806 extendable

ip nat inside source static tcp 192.168.10.111 810 9.x.y.z 810 extendable

ip nat inside source static tcp 192.168.10.187 850 9.x.y.z 850 extendable

ip nat inside source static tcp 192.168.10.126 5902 9.x.y.z 5902 extendable

ip nat inside source static udp 192.168.10.10 5901 9.x.y.z 5901 extendable

route-map NO_NAT permit 1

match ip address 125

access-list 125 deny ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255

access-list 125 permit ip 192.168.10.0 0.0.0.255 any

Answer:

I had looked again your first post and realized that you were asking for reason of below these three route-map in static nat command, sorry I didn't notice that.

ip nat inside source static tcp 192.168.10.104 25 9.x.y.z 25 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.104 80 9.x.y.z 80 route-map NO_NAT extendable

ip nat inside source static tcp 192.168.10.104 443 9.x.y.z 443 route-map NO_NAT extendable

To answer whether these three route-map are necessary, I lab it up and found that:

1. If I remove the route-map in the static nat command, then subnet 192.168.254.0/24 will no longer reach 192.168.10.104 port 25, 80, and 443. Debug shows that after traffic from 192.168.254.0/24 reached 192.168.10.104, the source of reture traffic will be natted to the interface ip. that's to say, host send http 25 traffic to 192.168.10.104, but got reply from other ip.

2. reason for this is the static nat will create addtional nat translation rule that is independent of the first rule appiled on interface "ip nat inside source route-map NO_NAT interface GigabitEthernet0/0 overload", so that's why the route-map has to be applied again on Cisco 3560X the static nat.

2013年7月26日星期五

DHCP not working on Cisco 877W

Question:

I have a Cisco 877W in WS-C3560X-48PF-S place with an ADSL connection, which is working fine. However I cannot get it to hand out a DHCP address. If I associate with the AP over wireless then set a static IP I have full connectivity, similarly if I connect over Eth0 and set a static IP I have full connectivity. So it does just seem to be DHCP. Below shows my config... Any thoughts on the issue? Is it access-list related?

I have checked with Wireshark and I see the DHCP request being sent out, but I don't see a DHCP offer being returned

Thanks

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

hostname cisco-router1

boot-start-marker

boot-end-marker

logging buffered 51200 warnings

enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

aaa new-model

aaa authentication login default local

aaa authorization exec default local

aaa authorization network default local

aaa session-id common

resource policy

clock timezone London 0

no ip subnet-zero

ip cef

ip dhcp use vrf connected

ip dhcp excluded-address 192.168.99.1 192.168.99.64

ip dhcp pool home

network 192.169.99.0 255.255.255.0

domain-name Wireless.local

dns-server 192.168.99.1

default-router 192.168.99.1

lease infinite

ip domain name Wireless.local

ip name-server 8.8.8.8

ip name-server 8.8.4.4

ip ssh version 2

bridge irb

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

dsl operating-mode auto

dsl enable-training-log

interface ATM0.1 point-to-point

description Link to O2

ip address 94.192.245.80 255.255.248.0

ip nat outside

ip virtual-reassembly

atm route-bridged ip

pvc 0/101

oam-pvc manage

encapsulation aal5snap

interface FastEthernet0

spanning-tree portfast

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface Dot11Radio0

no ip address

encryption mode ciphers tkip

encryption vlan 1 key 1 size 128bit 0 xxxxxxxxxxxxxxxxxxxxxxxxxx transmit-key

encryption vlan 1 mode ciphers wep128

ssid Wireless

vlan 1

authentication open

accounting acct_methods

guest-mode

infrastructure-ssid optional

speed basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

station-role root

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no snmp trap link-status

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

interface Vlan1

no ip address

bridge-group 1

interface BVI1

description local range

ip address 192.168.99.1 255.255.255.0

ip nat inside

ip virtual-reassembly

ip classless

ip route 0.0.0.0 0.0.0.0 94.192.240.1

no ip http server

no ip http secure-server

ip nat inside source list 1 interface ATM0.1 overload

ip dns server

access-list 1 permit 192.168.99.0 0.0.0.255

access-list 102 permit udp host 0.0.0.0 host 255.255.255.255

control-plane

bridge 1 protocol ieee

bridge 1 route ip

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 1 in

privilege level 15

transport input ssh

scheduler max-task-time 5000

ntp clock-period 17175141

ntp server 85.234.136.65

ntp server 94.228.40.3

ntp server 82.113.154.206

ntp server 178.32.175.244

Answer:

There is a typo in the network- IP-address: 169 instead of 168:

ip dhcp pool home

network 192.169.99.0 255.255.255.0

Don't stop after you've improved your network! Improve the world by lending money to the working poor: WS-C3750X-24P-L

http://www.kiva.org/invitedby/karsteni

2013年7月24日星期三

OSPF Problems

Question:

Can anybody help Cisco 3560V2 Price me please.

I have two third party routers connected by fibre running OSPF between them.

Due to a new requirment i need to put one of these routers in a new location.

I cant reconfigure them which is a massive problem for me.

Is there any way i can make them think they are dirrectly connected across my EIGRP network so they will form there old OSPF NBR relationship.

Answer:

L2TPv3 seems like an OK work around to satisfy the requirement, it gives you flexibility in a way where you can have control of the placement of the routers, keeping the neighborships in up state after the move.

See here for a very easy guide: http://www.networkstudies.co.uk/2011/11/extend-your-lan-across-multiple-sites.html

You will have to dedicate one interface at each end through the transport network to hook these two up Cisco 3560V2 on the same LAN.

Router on a stick - AP and switch can't ping subifs

Question:

I am deploying WS-C3560X-48PF-S a wireless network with multiple SSID's - 1242 trunked to 3560. 3560 trunked to 2811 subifs. Native VLAN 99 set at every point. Wireless clients can connect to SSID fine, but do not get DHCP from the router. The switch can ping BVI interface on AP (VLAN 99), and its own VLAN 99 of course, but cannot reach router loopback, 99, or subifs. Phones and desktop PC's in their respective VLAN's work fine and connect with DHCP etc. I am stumped. Seeing as the switch can ping the AP, but clients on the AP cannot ping the switch or router, or get DHCP, I am assuming there is a problem with the switch rather than the AP.

SWITCH

vlan 21

name VLAN-21-WLAN

vlan 22

name VLAN-22-GUEST-WLAN

vlan 99

name VLAN-99-NETMGT

interface Loopback0

description loopback

ip address 192.102.10.2 255.255.255.255

no ip route-cache

interface FastEthernet0/47

description to AP 1

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

switchport trunk allowed vlan 21,22,40,41,51,99

switchport mode trunk

interface FastEthernet0/48

description to 2811 fa0/0

switchport trunk encapsulation dot1q

switchport trunk native vlan 99

switchport trunk allowed vlan 12,20-22,30,40,41,50,51,60,99

switchport mode trunk

interface Vlan99

ip address 192.102.99.2 255.255.255.192

no ip route-cache

ROUTER

ip dhcp pool VLAN-21-WLAN

network 192.102.21.0 255.255.255.192

default-router 192.102.21.1

dns-server 61.88.88.88 192.102.21.1 8.8.8.8

lease 7

ip dhcp pool VLAN-22-GUEST-WLAN

network 192.102.22.0 255.255.255.0

default-router 192.102.22.1

dns-server 61.88.88.88 192.102.21.1 8.8.8.8

interface Loopback0

description L,OP,Rothwell,4022

ip address 192.102.10.1 255.255.255.192

interface FastEthernet0/0

description to SW 0/48

no ip address

no ip redirects

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed 100

interface FastEthernet0/0.21

description VLAN-21-WLAN

encapsulation dot1Q 21

ip address 192.102.21.1 255.255.255.192

no ip redirects

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

interface FastEthernet0/0.22

description VLAN-22-GUEST-WLAN

encapsulation dot1Q 22

ip address 192.102.22.1 255.255.255.0

no ip redirects

no ip proxy-arp

ip flow ingress

interface FastEthernet0/0.99

description VLAN-99-NETMGT,OP,Rothwell,4022

encapsulation dot1Q 99 native

no ip redirects

no ip proxy-arp

ip flow ingress

dot11 ssid Guest Connect

vlan 22

authentication open

authentication key-management wpa

guest-mode

mbssid guest-mode

wpa-psk ascii 7 XXXXX

dot11 ssid Corporate Connect

vlan 21

authentication open

nterface Dot11Radio0

no ip address

no ip route-cache

encryption vlan 21 key 1 size 128bit 7 XXXX transmit-key

encryption vlan 21 mode wep mandatory

encryption mode ciphers tkip

encryption vlan 22 mode ciphers tkip

ssid Guest Connect

ssid Corporate Connect

mbssid

station-role root

bridge-group 1

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

interface Dot11Radio0.21

encapsulation dot1Q 21

no ip route-cache

bridge-group 21

bridge-group 21 subscriber-loop-control

bridge-group 21 block-unknown-source

no bridge-group 21 source-learning

no bridge-group 21 unicast-flooding

bridge-group 21 spanning-disabled

interface Dot11Radio0.22

encapsulation dot1Q 22

no ip route-cache

bridge-group 2

bridge-group 2 subscriber-loop-control

bridge-group 2 block-unknown-source

no bridge-group 2 source-learning

no bridge-group 2 unicast-flooding

bridge-group 2 spanning-disabled

interface FastEthernet0.21

encapsulation dot1Q 21

no ip route-cache

interface FastEthernet0.22

encapsulation dot1Q 22

no ip route-cache

interface FastEthernet0.99

encapsulation dot1Q 99 native

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

interface BVI1

ip address 192.102.99.3 255.255.255.192

no ip route-cache

ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

Answer:

You need to assign your bridge-groups under the subinterfaces for f0 as well. Your native has it, but the other two do not...

interface FastEthernet0.21

encapsulation dot1Q 21

bridge-group 21

no ip route-cache

interface FastEthernet0.22

encapsulation dot1Q 22

bridge-group 2

no ip WS-C3560X-48PF-S Price route-cache

2013年7月22日星期一

OSPF Problems

Question:

Can anybody Cisco2901-SEC help me please.

I have two third party routers connected by fibre running OSPF between them.

Due to a new requirment i need to put one of these routers in a new location.

I cant reconfigure them which is a massive problem for me.

Is there any way i can make them think they are dirrectly connected across my EIGRP network so they will form there old OSPF NBR relationship.

Answer:

See here for a very easy guide: http://www.networkstudies.co.uk/2011/11/extend-your-lan-across-multiple-sites.html

You will have to dedicate one interface at each end through the transport network to hook these two up on Cisco2911-SEC the same LAN.

2013年7月21日星期日

Native and Hybrid Mode

Question:

How can we know that WS-C3560X-24T-S Price 6500 and 7600 series switch and router are running in native mode or in hybrid mode.

Answer:

in Hybrid mode the switching processor and the routing processor (the MSFC) are two separate entities each with its own shell.

to check if you are in hybrid mode you can verify if:

all available commands start with set

there is no configuration mode ( no need to use configuration terminal)

you can connect to the MSFC using

session 15

session 16.

the MSFC appears as a CDP neighbor in show cdp neig on switching supervisor on an internal port channel

in native mode you have an IOS based single shell for both SP and RP,

the command show ip int brief

is supported

to configure the device you need to use config t

commands have hierarchy and are IOS based ( global configuration versus interface configuration mode and so on)

C7600 are all native IOS as far as WS-C3560X-24T-S I know but hardware is similar to C6500.

2013年7月18日星期四

Uplink QoS on Cisco 877-M

Question:

First time poster Cisco2901-SEC in these forums

Anyways, down to why it is I've posted here. I've got a Cisco 877-M at home which i picked up to replace the old Linksys/Cisco WAG160N, which was having dropout issues on my line

Fast forward, it not only solved it, its smashing out speeds even my ISP finds amazing.

I've got a running config going on the router which is currently quite happily handling our LAN requirements (DHCP,IGMP Proxy, Firewall,DNS), but what I want to do is have an upload link QoS policy, which makes sure everyone can be able to access the net with little hassle (Not so much worried about the Downlink QoS, our connection can burst at time to 900k/sec (Currently on a 8160/384 ADSL1 Line, RIM, 300m Cable Length verified by ISP)

I'd have to get the running-config from the router when I get home, but for a Home based network, what would be required in setting up a policy for Upload, to allow the following Protocols prioritised access to the net:

HTTP (Top Priority)

IMAP (Top Priority)

POP3 (Top Priority)

Streaming Audio (Med Priority)

BT (Low Priority)

These are the main ones. There's probably more that I could add, but for my upload, what would you all suggest?

Answer:

adding some more to Josephs info

If you are lookig to configure MQ ie dedicated bandwidth for specific protocols/ports

Router(config)# class-map http

Router(config-cmap)# match access-group 101

ip access-list ex 101

permit tcp any any eq ww

ip access-list ex 101

permit tcp any any eq smtp

Router(config)# class-map smtp

Router(config-cmap)# match access-group 102

Router(config)# policy-map TEST

Router(config-pmap)# class http

Router(config-pmap-c)# bandwidth x

Router(config-pmap)# class smtp

Router(config-pmap-c)# bandwidth y

for more you can Cisco2911-SEC refer

http://www.cisco.com/en/US/docs/ios/12_2/qos/configuration/guide/qcfmcli2.html

2013年7月17日星期三

EIGRP Feasible Successor Election

Question:

I have a quick question Catalyst Switches Price regarding Feasible Successor election process.

I've read that Feasibility Condition is AD<FD

So for example we have the ff feasible distances on R1

(Cost+AD)

R2 10 + 11 = 21 (Successor)

R3 4 + 20 = 24

R4 6 + 19 = 25

Which would be chosen as the Feasible Successor?

In this case, we have 2 entries which satisfies the condition: 20<21 ; 19<21

Will it be both R3 & R4?

If yes, will R3 be more prioritized as the backup route when R2 goes down since it has the lesser metric?

Answer:

I've read that Feasibility Condition is AD<FD

Correct.

So for example we have the ff feasible distances on R1

Be careful here. There are two very strong misunderstandings about the feasible distance:

Some sources say that the feasible distance is the current lowest distance to the destination. This is wrong. Such a distance is simply the current distance.

Some other sources say that the feasible distance is the distance to the destination via a particular neighbor. This is also wrong. Such a distance is called computed distance or total distance.

In reality, the feasible distance is the historical (i.e. not necessarily current) lowest distance to the destination. The history starts anew when the route goes from Active to Passive state. In other words, the feasible distance is a record of the lowest distance since the last time the route entered the Passive state. It is not necessarily equal to the current lowest distance, and most certainly, there is no per-neighbor feasible distance.

In this sense, the feasibility condition says: "If a router is closer to the destination than I have ever been (now or in the past), it can not be on a routing loop."

R2 10 + 11 = 21 (Successor)

R3 4 + 20 = 24

R4 6 + 19 = 25

Which would be chosen as the Feasible Successor?

Assuming that there was no shorter path since the last time the route entered the Passive state, the feasible distance is 21. Every neighbor whose reported distance is less than 21 is a feasible successor. So in this case, both R3 and R4 would be feasible successors.

If yes, will R3 be more prioritized as the backup route when R2 goes down since it has the lesser metric?

Yes, R3 would be the next choice after R2 fails because the total distance through R3 is the next best.

Note a different thing: assume that the costs are as follows:

R2 10 + 11 = 21 (Successor)

R3 4 + 20 = 24 (feasible successor)

R4 6 + 19 = 25 (feasible successor)

R5 1 + 22 = 23

R3 and R4 are feasible successors. R5 is not a feasible successor because it does not meet the feasibility condition, yet, in case R2 fails, R5 provides the next least-cost path.

Most textbooks about EIGRP say that if the successor fails, we'll start using the feasible successor that provides the next shortest path. In this case, it would be R3 - however, the total distance through R3 is 24 while R5, it would be just 23. Staying with R3 would actually cause EIGRP to hang on a worse path than which is currently available.

So what really happens is that if the successor fails, the router will first look up the neighbor that appears to provide the next least-cost path - in this case, R5 - and only then it verifies whether it meets the feasibility condition. If it does, we start using it right away. If it does not, as in this case, we will not start using it, nor will we start using R3. Instead, we will enter the Active state and start sending queries, trying to find out if the R5 is really an appropriate next hop and can be promoted to the successor role. If it can, then after receiving all replies, the feasible distance can be reset and set to the new minimum which is now 23, thereby allowing R5 to pass the feasibility distance and to become the next successor.

Not quite an easy thing to digest, I know, but this is really what happens inside EIGRP.

You're welcome to Catalyst Switches ask further!

Failover question

Question:

I’d like to ask some failover WS-C3560V2-24PS-S question. Please help me with it.

Thanks in advance.

In my network, the network is working well. It can ping 4.2.2.2. In order to test failover,

I shut down the interface Gi 1/12 of Core1 switch. After this,

From Host, it can ping the router 1 outside interface IP, X.X.X.X

And router 1 outside interface can ping 4.2.2.2

But the host is NOT able to ping 4.2.2.2.

And I found that the ASA outside interface can ping 4.2.2.2, but ping 4.2.2.2 with ASA inside interface does NOT work.

I have no idea how to troubleshoot it.

So please help me

Thank you very very much

router config :

……….

no aaa new-model

ip cef

ip domain round-robin

ip domain name aaaaa

ip name-server 4.2.2.2

multilink bundle-name authenticated