Cisco 1921: private LAN cannot reach the Internet through the WAN interface

Network Engineering Cisco Routing Router NAT
2022-02-03 10:51:14

I have a Cisco 1921 router with a private LAN interface and a public WAN interface. I have also configured two VPN tunnels, one to another hosted location and one to AWS. From the LAN side of this router I can reach our other colo, but I cannot reach anything on the Internet through the WAN interface. From the router's CLI I can ping public Internet addresses, but not from the LAN side. I am still fairly new to Cisco; can someone help me work out what I am missing or doing wrong?

Here is our current configuration:

cisco-1-c#sho run
Building configuration...

Current configuration : 5261 bytes
!
! Last configuration change at 12:35:42 est Wed Aug 3 2016 by chris
! NVRAM config last updated at 10:13:38 est Tue Aug 2 2016 by chris
! NVRAM config last updated at 10:13:38 est Tue Aug 2 2016 by chris
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco-1-c
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$M5cQ$CnHaSbm3Y609.UyyO4uQk.
enable password pqBwmuzM5HwKWUc3
!
no aaa new-model
clock timezone est -4 0
!
ip cef
!
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.1.9.1 10.1.9.200
ip dhcp ping packets 10
ip dhcp ping timeout 100
!
ip dhcp pool 365
 network 10.1.9.0 255.255.255.0
 domain-name sidecartechnologies.com
 default-router 10.1.9.1
 dns-server 10.1.11.27 10.1.9.0
 lease infinite
!
!
!
ip domain name sidecartechnologies.com
ip name-server 66.28.0.45
ip name-server 66.28.0.61
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1921/K9 sn FGL171525QB
!
!
username chris privilege 15 secret 4 jP26tUYnl6KctHh55eUO9/UgebW38DaXI1nRsos92PQ
username sidecaradmin privilege 15 secret 4 3wDP4cwei1UMG.WnceYEkjK2v8adDxeofNSHSHI3y1M
username adam privilege 15 password 0 1mxsuck5
!
redundancy
!
!
!
!
!
!
crypto keyring keyring-vpn-04d0c665-1
  local-address 38.122.23.162
  pre-shared-key address 54.210.103.217 key sT_bDVJbXn2vY8onWRFVnR2z5yiAkUu8
crypto keyring keyring-vpn-04d0c665-0
  local-address 38.122.23.12
  pre-shared-key address 52.203.180.41 key dulIUfC0AEgGInhqmB9MtnKZnY5zA8mM
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key iGX9sFJHfxQo address 70.34.227.146
crypto isakmp keepalive 10 10
crypto isakmp profile isakmp-vpn-04d0c665-0
   keyring keyring-vpn-04d0c665-0
   match identity address 52.203.180.41 255.255.255.255
   local-address 38.122.23.162
crypto isakmp profile isakmp-vpn-04d0c665-1
   keyring keyring-vpn-04d0c665-1
   match identity address 54.210.103.217 255.255.255.255
   local-address 38.122.23.162
!
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set WCIT esp-des esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-04d0c665-0 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-04d0c665-1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-04d0c665-0
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-04d0c665-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-04d0c665-1
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-04d0c665-1
 set pfs group2
!
!
crypto map WCITVPN 10 ipsec-isakmp
 set peer 70.34.227.146
 set transform-set WCIT
 match address 150
!
!
!
!
!
interface Tunnel1
 ip address 169.254.44.102 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1387
 tunnel source 38.122.23.162
 tunnel mode ipsec ipv4
 tunnel destination 52.203.180.41
 tunnel protection ipsec profile ipsec-vpn-04d0c665-0
!
interface Tunnel2
 ip address 169.254.45.178 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1387
 tunnel source 38.122.23.162
 tunnel mode ipsec ipv4
 tunnel destination 54.210.103.217
 tunnel protection ipsec profile ipsec-vpn-04d0c665-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 10.1.9.1 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/0/0
 ip address 38.122.23.162 255.255.255.248
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 no mop enabled
 crypto map WCITVPN
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.44.101 remote-as 7224
 neighbor 169.254.44.101 timers 10 30 30
 neighbor 169.254.45.177 remote-as 7224
 neighbor 169.254.45.177 timers 10 30 30
 !
 address-family ipv4
  network 0.0.0.0
  neighbor 169.254.44.101 activate
  neighbor 169.254.44.101 default-originate
  neighbor 169.254.44.101 soft-reconfiguration inbound
  neighbor 169.254.45.177 activate
  neighbor 169.254.45.177 default-originate
  neighbor 169.254.45.177 soft-reconfiguration inbound
 exit-address-family
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 38.122.23.161
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 10 permit 10.1.9.0 0.0.0.255
access-list 150 permit ip 10.1.9.0 0.0.0.255 10.1.11.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password pqBwmuzM5HwKWUc3
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp peer 0.us.pool.ntp.org prefer version 2
!
end

cisco-1-c#

Routing table:

Gateway of last resort is 38.122.23.161 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 38.122.23.161
      10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C        10.1.9.0/24 is directly connected, GigabitEthernet0/0
L        10.1.9.1/32 is directly connected, GigabitEthernet0/0
B        10.10.0.0/16 [20/100] via 169.254.45.177, 2d00h
      38.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        38.122.23.160/29 is directly connected, GigabitEthernet0/0/0
L        38.122.23.162/32 is directly connected, GigabitEthernet0/0/0
         169.254.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        169.254.45.176/30 is directly connected, Tunnel2
L        169.254.45.178/32 is directly connected, Tunnel2

tracepath from a server on the internal network to a public Internet server (google.com in this case):

[chris@db1-r2-c ~]$ tracepath 74.125.22.139
 1?: [LOCALHOST]     pmtu 1500
 1:  cisco-1-c.sidecartechnologies.com (10.1.9.1)           0.558ms
 1:  cisco-1-c.sidecartechnologies.com (10.1.9.1)           0.486ms
 2:  no reply
 3:  no reply
 4:  no reply
 5:  no reply
 6:  no reply
 7:  no reply
 8:  no reply
 9:  no reply
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
31:  no reply
     Too many hops: pmtu 1500
     Resume: pmtu 1500
[chris@db1-r2-c ~]$
3 Answers

Your NAT is wrong:

ip nat inside source list intranet pool external overload
!

You don't even have the pool that is referenced in the NAT statement.

It should look something like this:

ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
!
access-list 10 permit 10.1.9.0 0.0.0.255
!

My example translates source addresses in the 10.1.9.0/24 range that enter on interface GigabitEthernet0/0 and leave via interface GigabitEthernet0/0/0. The address on GigabitEthernet0/0/0 will be the address used for that traffic as it leaves that interface.


EDIT:

Here is what should work:

interface GigabitEthernet0/0
 ip address 10.1.9.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/0/0
 ip address 38.122.23.162 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 no mop enabled
 crypto map WCITVPN
!
ip nat inside source list 10 interface GigabitEthernet0/0/0 overload
!
access-list 10 permit 10.1.9.0 0.0.0.255
!

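Added example, not code from the original post or from any Cisco tool: a small Python lint that reads the NAT-relevant lines of a show-run text and reports the two defects this answer identifies, the swapped inside/outside roles and an overload access-list that does not match the LAN. The embedded config is constructed from the question's GigabitEthernet0/0, GigabitEthernet0/0/0, NAT and access-list 1 lines.

```python
# Added example (not from the original post or a Cisco tool): lint the NAT part of an
# IOS config. BROKEN is constructed from the question's interface, NAT and ACL lines.
import ipaddress
import re

BROKEN = """interface GigabitEthernet0/0
 ip address 10.1.9.1 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/0
 ip address 38.122.23.162 255.255.255.248
 ip nat inside
ip nat source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 0.0.0.0 255.255.255.0
"""

def acl_covers(entries, net):
    """True if some (addr, wildcard) entry matches every host of subnet `net`."""
    n = int(net.network_address)
    for addr, wc in entries:
        pinned = 0xFFFFFFFF ^ int(ipaddress.ip_address(wc))   # bits the entry fixes
        if not pinned & ~int(net.netmask) and (n ^ int(ipaddress.ip_address(addr))) & pinned == 0:
            return True
    return False

def lint_nat(cfg):
    """Return findings for a show-run text; an empty list means the NAT setup lines up."""
    intfs, nats, acls, cur = {}, [], {}, {}
    for line in cfg.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = intfs.setdefault(m.group(1), {})
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            cur["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r" ip nat (inside|outside)$", line):
            cur["nat"] = m.group(1)
        elif m := re.match(r"ip nat (?:inside )?source list (\S+) interface (\S+) overload", line):
            nats.append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\S+) permit (\S+) (\S+)$", line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    out = []
    for name, i in intfs.items():  # RFC 1918 side must be inside, public side outside
        if "ip" in i and "nat" in i and i["ip"].ip.is_private != (i["nat"] == "inside"):
            out.append(f"{name} ({i['ip'].ip}) is marked 'ip nat {i['nat']}'; roles look swapped")
    for acl, wan in nats:
        if intfs.get(wan, {}).get("nat") != "outside":
            out.append(f"overload interface {wan} is not 'ip nat outside'")
        for i in intfs.values():   # the source ACL must match every LAN host
            if "ip" in i and i["ip"].ip.is_private and not acl_covers(acls.get(acl, []), i["ip"].network):
                out.append(f"access-list {acl} does not cover LAN {i['ip'].network}")
    return out
```

Run against the answer's corrected lines (inside on GigabitEthernet0/0, outside on GigabitEthernet0/0/0, access-list 10 with wildcard 0.0.0.255) the function returns no findings.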
This is a very common configuration. You can almost copy and paste from Cisco's LAN-to-LAN IPsec Tunnel Between Two Routers Configuration Example.

In your case you have 3 locations and should build a full mesh: 2 VPN tunnels on each router.


You can ping the ISP from the router because, in general, when a packet originates on the router it is checked against routing, NATting and the access lists; in this case the public IP is reachable from the router because the default route pointing at the ISP gateway is in place.

So, in order to ping from the LAN network, the NAT overload rule needs some modification to map many addresses to 1 public IP address.

Router(config)# access-list 1 permit 10.1.9.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface GigabitEthernet0/0/0 overload

And make sure to tell the NAT machinery which interface is outside and which is inside:

Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip nat inside

Router(config)# interface GigabitEthernet0/0/0
Router(config-if)# ip nat outside