Client can't access the network on Cisco 877W router

Unanswered Question
Mar 6th, 2007

Hi guys,

I'm having a total nightmare with a 877 router. I have it fully configured using a VPN tunnel and BGP. From the router interface I can ping out the entire network and the routing table shows all the BGP networks. My problem is thus: when I connect my desktop to the switch on the router, it pulls an IP from the DHCP on the router but I can't ping outside of the local interfaces. It can't get anywhere. That along with the wireless doesn't seem to be working. I've mirrored a config that works as close as possible but still nothing. I'm prob missing something small. Can you have a look at the config? Any help is great.

bporter78 Fri, 04/06/2007 - 12:21

Hi there,

For the wireless side of it:

* Take out the WEP key (don't need this if using EAP)

* Change the cipher statement to:

encryption mode ciphers tkip

* Under ssid EmP1R3D add in: authentication key-management wpa

* might also have to remove the authentication open mac-address mac_methods eap eap_methods line

This should now allow the client to communicate with your EAP radius servers and generate a dynamic WPA key and then authenticate via the EAP and MAC servers to the wireless.

For your LAN side of it:

Could be your nat inside and outside causing the problem. Try setting up a route-map to exclude natting on your VPN addresses. I'm assuming that you are not wanting any external access out to the internet - just traffic between the VPNs?

* in global config add in: ip nat inside source route-map NAT_MAP_1 interface Dialer1 overload

* then: route-map NAT_MAP_1 permit 1

* then in the route map add in: match ip address 101

* exit back to global config and then set: access-list 101 deny ip 172.17.25.80 0.0.0.15 x.x.x.x x.x.x.x (where x represents the remote internal network and subnet mask)

access-list 101 permit ip 172.17.25.80 0.0.0.15 any

* also you want to change your match address list to an extended access list. at the moment you are only encrypting 1 host to another host. So that is why your router can ping across the VPN but nothing else can.

* in your crypto map change the command so it reads: match address VPN_Traffic

* then in global config enter: ip access-list extended VPN_Traffic

* then in the access-list:

remark Allow VPN Traffic to remote office

permit ip 172.17.25.80 0.0.0.15 x.x.x.x x.x.x.x (where the x's represent the other network and its associated subnet mask)

That should do it. Attached is your config with the required changes - email me at [email protected] to let me know how you get on :)

Cheers,

Peter
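
The ACL logic in the reply above can be checked offline. The following is an added example, not part of the original thread or the poster's config: it evaluates access-list 101 and VPN_Traffic with Cisco wildcard matching to show which LAN traffic gets encrypted and which gets NATed. The remote network 192.0.2.0/24 (standing in for x.x.x.x), the Dialer1 address, the host-to-host ACL and the "no exemption" NAT ACL are constructed assumptions.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (s_base, s_wc), (d_base, d_wc) in acl:
        if wc_match(src, s_base, s_wc) and wc_match(dst, d_base, d_wc):
            return action == "permit"
    return False

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.17.25.80", "0.0.0.15")       # inside network from the reply
REMOTE = ("192.0.2.0", "0.0.0.255")      # constructed stand-in for x.x.x.x
OUTSIDE_IP = "203.0.113.1"               # constructed Dialer1 address

# access-list 101, matched by route-map NAT_MAP_1
NAT_ACL = [("deny", LAN, REMOTE), ("permit", LAN, ANY)]
# Assumed "before" state: NAT with no exemption for VPN destinations
NAT_NO_EXEMPT = [("permit", LAN, ANY)]
# ip access-list extended VPN_Traffic, matched by the crypto map
VPN_ACL = [("permit", LAN, REMOTE)]
# Constructed host-to-host crypto ACL of the kind the reply describes
HOST_ACL = [("permit", ("172.17.25.81", "0.0.0.0"), ("192.0.2.1", "0.0.0.0"))]

def fate(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside order: NAT first, then the crypto ACL check."""
    natted = acl_permits(nat_acl, src, dst)
    if natted:
        src = OUTSIDE_IP  # overload translation rewrites the source
    if acl_permits(crypto_acl, src, dst):
        return "encrypt"
    return "nat" if natted else "clear"

if __name__ == "__main__":
    pc, peer, web = "172.17.25.85", "192.0.2.10", "198.51.100.7"
    for name, nat, crypto in [("fixed", NAT_ACL, VPN_ACL),
                              ("no NAT exemption", NAT_NO_EXEMPT, VPN_ACL),
                              ("host-only crypto ACL", NAT_ACL, HOST_ACL)]:
        print(name, fate(pc, peer, nat, crypto), fate(pc, web, nat, crypto))
```

A result of "nat" or "clear" for a destination in the remote office network means the packet leaves Dialer1 outside the tunnel, which is the condition to look for when reviewing the real ACLs.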
