ClioSport.net

Register a free account today to become a member!
Once signed in, you'll be able to participate on this site by adding your own topics and posts, as well as connect with other members through your own private inbox!

  • When you purchase through links on our site, we may earn an affiliate commission. Read more here.

Cisco 871W



KDF

  Audi TT Stronic
Anyone any good with Cisco IOS configs ?

Got a 871W which ive configured to have static IP on the WAN, and a dhcp server for the LAN, and i've configured WPA on the WIFI.

Now everything works perfectly well until I add in a VPN connection. After that the VPN works fine and can ping the main office but not internet connectivity, but if I connect to the 871 and try pinging google's ip it works fine. I suspect it maybe a ACL problem ???

Here is the full config (minus sensitive data ofcourse).

Code:
Test#sh run
Building configuration...

Current configuration : 5230 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Test
!
boot-start-marker
boot-end-marker
!
enable secret 5 *****************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-4136434735
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4136434735
 revocation-check none
 rsakeypair TP-self-signed-4136434735
!
!
crypto pki certificate chain TP-self-signed-4136434735
 certificate self-signed 01
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
  ******* ******* ******* ******* ******* ******* ******* *******
        quit
dot11 syslog
!
dot11 ssid MyCompany
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7   ******* 
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.100 192.168.4.254
!
ip dhcp pool Internal-net
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.254
   dns-server 192.168.1.1 192.168.1.8
   domain-name ********.com
   lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name *******.com
!
!
!
username admin privilege 15 password 7 **************
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ********** address **********
!
!
crypto ipsec transform-set transet1 esp-des esp-md5-hmac
!
crypto map Cryptomap1 10 ipsec-isakmp
 set peer *********
 set transform-set transet1
 match address 120
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 ip address 192.168.49.2 255.255.255.0
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 crypto map Cryptomap1
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid Crummock
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.4.254 255.255.255.0
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.49.254
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
 permit udp host ************ host 192.168.49.2 eq isakmp
 permit udp host ************ host 192.168.49.2 eq non500-isakmp
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit esp host ************ host 192.168.49.2
 permit ahp host ************ host 192.168.49.2
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 10 permit 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
route-map nonat permit 10
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password 7 **********
 no modem enable
line aux 0
line vty 0 4
 password 7 **********
!
scheduler max-task-time 5000
end
 
  182FF with cup packs
It's been a while since I had to tackle VPN's with IOS, but I suspect what is happening is that when you add the VPN in, it is trying to pump all of your traffic down the VPN tunnel, so your internet traffic is actually being pushed down the tunnel to your head office, and is probably not let out through your main firewall.

I might take a look this afternoon if I get a sec (busy copnfiguring an ASA cluster atm)
 

KDF

  Audi TT Stronic
Its a weird one for sure, if I take the VPN out all goes back to normal.

If I put the VPN the LAN wont speak to the WAN other than VPN stuff.

If I log into the box through the console cable and tell it to ping google's ip it works, if I tell it to ping 192.168.1.1 it doesn't and vice-versa from the LAN. arrgh !!
 
  VW ....

KDF

  Audi TT Stronic
If only you were on sooner eh !! ;)

Well that's it all fixed now anyway, just got to set up RADUIS authentication on the WIFI.

Cheers guys.
 

Dafthead

ClioSport Club Member
  Q8 E-Tron
Looks like your network shepherd has got lost and the gigglepin has dropped out of the appliance
 

KDF

  Audi TT Stronic
Don't worry !! I've pointed the network shepherd towards the BAA interface and re-attached the Gigglepin ;)
 
  Fiesta ST
Nice one, I got a similar issue with a customer who VPN's into their office but then loses internet connection.
 
Nice one, I got a similar issue with a customer who VPN's into their office but then loses internet connection.

You need to configure split tunneling, so only traffic going to the remote network (the office) is tunneled.. otherwise, by default, EVERYTHING goes down the established tunnel, including normal browsing which won't always work depending on set up. (as you've found out) ;)
 

KDF

  Audi TT Stronic
Ye, that was exactly the problem I was having, it was sending everything down the VPN. You just have to deny any packets destined for your home network from going through the NAT.

I can post my working config if its any help.
 
  Fiesta ST
cheers guys! I'm running a zyxel router with windows VPN client, I'll have a look through the configuration.
 

Similar threads



Top