05-13-2010 09:59 PM - edited 03-04-2019 08:29 AM
Hi Folks,
I'm pretty new to Ciscos, so bear with me. I'm switching my office network to a new internet provider, who gives me 8 IP addresses: xxx.xxx.73.128/29
The ISP requires that I dial up using PPPoE, and use IP unnumbered.
On my side, I use 2 Cisco 2811 ISRs. The network diagram looks like this:
WAN, ISP Line
|
| Fe0/1
Router 1
| Fe0/0 xxx.xxx.73.129
|
| Fe0/1 xxx.xxx.73.130
Router 2
| Fe0/0 192.168.196.1
|
LAN 192.168.196.x
Basically router 1 does only the PPPoE dialup. Router 2 is my pre-existing router and does the NAT, firewall, IPsec tunnel to the other office and stuff. Once I'm comfortable with the config I'll consolidate everything onto router 2 only, but having router 1 allows me to experiment with the config without endangering the old, stable config on router 2.
The problem is: Router 2 can't ping router 1 and vice versa, nor can I ping router 2 from the WAN. Yet for some reason, the IPsec tunnel on router 2 manages to come up. Machines on the LAN can access other offices via the tunnel, but cannot access the internet any more.
Router 1 does the dialup and accesses the internet just fine.
Here are the relevant bits of the configs:
Router 1:
vpdn enable
!
interface FastEthernet0/0
 description =====LAN Interne=====
 ip address xxx.xxx.73.129 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description =====ISP Line=======
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
Router 2:
interface Tunnel1
 ip address 10.255.0.196 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ------
 ip nhrp map multicast dynamic
 ip nhrp map multicast --------
 ip nhrp map 10.255.0.1 --------
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip tcp adjust-mss 1360
 ip ospf network broadcast
 ip ospf cost 100
 ip ospf priority 0
 qos pre-classify
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN_Profile
!
05-14-2010 12:59 AM
Hi
Can you paste the access list named WAN_IN here?
Regards
05-14-2010 02:32 AM
Silly me - indeed the problem was in access list WAN_IN, not a routing issue at all! All working now, thanks!
Correct me if I'm wrong but it should be OK to get rid of the 1st router altogether, right? I could create the dialer1 interface on router 2, plug the ISP line on FE0/1, and have the router's public IP xxx.xxx.73.129 on a Loopback interface...
Anyway, I'm going to leave it like this for the time being. Lucky I had that second 2811 ISR on hand...
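The single-router layout described in the post above, sketched as an added IOS configuration example (not posted by anyone in the thread). Assumptions: `WAN_IN` and `ip nat outside` currently sit on Router 2's FastEthernet0/1, the ISP authenticates with CHAP, and the credentials are placeholders.

```cisco
vpdn enable
!
interface Loopback0
 description Public address for IP unnumbered (mask copied from Router 1 Fe0/0)
 ip address xxx.xxx.73.129 255.255.255.248
!
interface FastEthernet0/1
 description =====ISP Line=======
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip unnumbered Loopback0
 ! WAN_IN has to move here: IP packets now arrive over the PPP session,
 ! so an ACL left on FastEthernet0/1 no longer filters inbound WAN traffic.
 ip access-group WAN_IN in
 ip mtu 1492
 ! Assumption: NAT outside was previously on FastEthernet0/1
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ! Assumption: CHAP; placeholders, not values from the thread
 ppp authentication chap callin
 ppp chap hostname <ISP-USERNAME>
 ppp chap password <ISP-PASSWORD>
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
interface Tunnel1
 ! FastEthernet0/1 no longer carries an address, so the DMVPN tunnel
 ! sources from the loopback that holds the public IP.
 tunnel source Loopback0
!
```

After the change, `show pppoe session` confirms the session is up and `show ip access-lists WAN_IN` shows whether the ACL counters increment on the new interface.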
05-14-2010 03:04 AM
Hi
Can you post the show version output of both routers here, so that we can check whether you can remove the first router from your network and connect the PPPoE link directly to the second router?
Regards
05-14-2010 03:09 AM
Here goes: it's exactly the same for both. Both routers have 11 FastEthernet interfaces, currently using 2 on each.
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(19b),
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 13-Jun-08 04:12 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)T7, RELEASE SOFTWARE (fc1)
--------------------- uptime is 6 hours, 19 minutes
System returned to ROM by reload at 03:43:10 UTC Fri May 14 2010
System image file is "flash:c2800nm-advsecurityk9-mz.124-19b.bin"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2811 (revision 53.51) with 247808K/14336K bytes of memory.
Processor board ID FHK0915F1GT
11 FastEthernet interfaces
1 ISDN Basic Rate interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
05-14-2010 03:13 AM
Hi
If you already had a 2811, then why did you go for another 2811? I thought you might have some 800 series router which you are looking to replace with a 2800 series one.
Any specific requirement in place to have 2 routers out there in your network?
Regards
05-14-2010 03:17 AM
I just had that second 2811 on hand as a backup so I used it. I didn't want to cause too much downtime on Router 2 to experiment with the config.
Ideally, in the long run the configuration would be a single 2811 router, or coupled with an 800-series router to do the PPPoE connection. The reason for having two 2811s in the first place was to have a backup if one breaks down.