01-30-2014 08:15 PM - edited 03-07-2019 05:55 PM
Hi guys, I have a Cisco 887 with an Internet link. There is a VPN which is currently working, but the users cannot access the internet. I have another router of the same model with the exact same config that is working, but this one is not.
Here is the problem: using ping from the router, I can ping google.com with source vlan 1. That works for me; I see my NAT access list get hit, and I can see a NAT translation. However, when a user connects to the router they get assigned an IP address (192.168.31.32 for example), they can ping the router (the default gateway), they can even ping the ATM interface of the router, but they cannot ping an internet address such as 8.8.8.8, and when trying google.com DNS does not resolve.
The problem is, I do not see them hitting the access list, or any NAT translations. It's as if the traffic doesn't hit the router. The VPN tunnel works: the traffic goes via the tunnel for the users, and also when doing ping source vlan1 from the router. Also I have had to use a loopback interface because we are given a /32 IP range which cannot be applied directly to the dialer. Not sure if this has caused an issue, but it does work fine at another site. They have tried 4 different PCs, a wireless device and a laptop; all of them get a timeout when trying to ping 8.8.8.8. The traffic is not hitting the crypto map, I checked that already. Also I have removed the crypto map from the dialer interface and the access list and it still didn't work.
snippets of the config:
ip dhcp pool POOL
network 192.168.31.0 255.255.255.0
default-router 192.168.31.254
dns-server 123.100.67.135 123.100.67.136 192.168.0.31
!
!
!
ip domain name example.com
ip name-server 123.100.67.135
ip name-server 123.100.67.136
no ipv6 cef
!
crypto map ipsec-blah 110 ipsec-isakmp
**
match address ADD-IF-encrypt
!
!
interface Loopback0
ip address 123.123.123.123 255.255.255.255
ip virtual-reassembly in
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description DSL
ip flow ingress
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
!
interface Vlan1
ip address 192.168.31.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip unnumbered Loopback0
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
encapsulation ppp
crypto map blah
!
!
ip nat inside source list 105 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ADD-IF-encrypt
permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 105 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 192.168.31.0 0.0.0.255 any
01-30-2014 08:18 PM
Ok weird. I might have got it working.
Saw an odd message in the logs:
VFR(in) is being used by other features. Will be disabled when no other feature needs VFR support on interface
I reloaded the router and noticed the command "ip virtual-reassembly in" had disappeared from under lo0. I added it back in and did not see that log again, and then straight away I saw a DNS request in the NAT xlate table, so that may have fixed it. No one is at site now to test but will find out soon.
What exactly went wrong here?
01-30-2014 08:41 PM
Sorry for self replying.
Still not working. When I connect to the built-in wifi module (which has address 192.168.31.30) I cannot ping 8.8.8.8 and nothing is seen in the NAT table.
Any help?
01-30-2014 11:45 PM
Hi,
Can you try this:
no ip nat inside source list 105 interface Loopback0 overload
ip nat inside source list 105 interface dialer0 overload
Regards
Alain
Don't forget to rate helpful posts.
02-02-2014 01:10 PM
Hi Alain, I tried that, but that broke the router's ability to ping the internet. Changing it back to loopback0 restored the ability for the router to see the internet, but the LAN still cannot access out.
02-02-2014 01:25 PM
Ryan
Can you try adding "ip nat outside" to your loopback interface.
Jon
02-02-2014 01:42 PM
Yep, tried it with ip nat outside on just the loopback, on just the dialer, and on both the dialer and loopback. Ping from the router will only work when the ip nat statement is on the dialer interface (it also works when it's on both), but none of the three combinations allows LAN internet access.
Site that's working (same model router, config is identical line by line):
Total active translations: 184 (0 static, 184 dynamic; 184 extended)
Peak translations: 1521, occurred 1d14h ago
Outside interfaces:
Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
Vlan1
Hits: 9374281 Misses: 0
CEF Translated packets: 9367037, CEF Punted packets: 7233
Expired translations: 76614
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 105 interface Loopback0 refcount 184
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
Site that's not working:
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 5, occurred 2d17h ago
Outside interfaces:
Dialer0, Loopback0, Virtual-Access2
Inside interfaces:
Vlan1
Hits: 243 Misses: 0
CEF Translated packets: 105, CEF Punted packets: 24
Expired translations: 19
Dynamic mappings:
-- Inside Source
[Id: 8] access-list 105 interface Loopback0 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
02-02-2014 01:53 PM
Ryan
Is the rest of the configuration the same as with the working router ?
Are the switch ports left in the default vlan ?
Can you try "debug ip nat translations" and then try connecting from a PC and see what shows up ?
Jon
02-02-2014 02:01 PM
Yes, I went through the configs line by line. Even the IOS images are exactly the same.
The thing is though, when I debug NAT I see NOTHING when trying to ping from a host. No hits against the ACL either. I even tried debugging IP packet and then searching for the host address, but saw no entries (may have scrolled too quickly though). But the host can ping the router and the router can ping the host, and the host can ping a host on the other side of the VPN tunnel.
02-02-2014 02:21 PM
Made some progress, I got NAT to work. However it NATted ALL my traffic and hence broke the VPN. This is what I used:
ip access-list extended NAT_ACL
deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.31.0 0.0.0.255 any
route-map NAT_ACL
ip nat inside source route-map NAT_ACL interface lo0 overload
02-02-2014 02:24 PM
Ryan
You must have read my mind, as I was about to suggest disabling the IPsec tunnel and changing your NAT statement. I think this is to do with an interaction between the two.
Can you post the entire configuration please.
Jon
02-02-2014 02:39 PM
Here you go. FYI I did try disabling the IPsec, but it didn't make any difference. This is the original config; I have removed the route map since it broke the VPN.
version 15.2
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname router
!
!
no aaa new-model
clock timezone NZST+12 12 0
clock summer-time NZDT+13 recurring last Sun Sep 3:00 1 Sun Apr 2:00
!
crypto pki trustpoint TP-self-signed-3138814177
trim
!
!
crypto pki certificate chain TP-self-signed-3138814177
trim
ip cef
!
!
!
no ip dhcp use vrf connected
!
ip dhcp pool POOL
network 192.168.31.0 255.255.255.0
default-router 192.168.31.254
dns-server 123.100.67.135 123.100.67.136 192.168.0.31
!
!
!
ip domain name trim
ip name-server 123.100.67.135
ip name-server 123.100.67.136
no ipv6 cef
!
!
!
!
!
!
!
controller VDSL 0
!
ip tftp source-interface Vlan1
!
!
crypto isakmp policy 15
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key trim
!
crypto ipsec security-association replay disable
!
crypto ipsec transform-set aes-sha esp-aes esp-md5-hmac
mode tunnel
!
!
!
crypto map trim 11 ipsec-isakmp
set peer trim
set transform-set aes-sha
match address encrypt
!
!
!
!
!
interface Loopback0
ip address trim 255.255.255.255
ip nat outside
ip virtual-reassembly in
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description DSL
ip flow ingress
pvc 0/100
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
!
interface Vlan1
description Branch LAN
ip address 192.168.31.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip unnumbered Loopback0
ip mtu 1492
ip nat outside
ip virtual-reassembly in max-reassemblies 1024
encapsulation ppp
dialer pool 1
dialer-group 1
ppp trim
no cdp enable
crypto map trim
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 105 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended encrypt
permit ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap warnings
logging host 202.175.136.98
logging host 202.175.136.117
access-list 105 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 permit ip 192.168.31.0 0.0.0.255 any log
no cdp run
!
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
!
02-02-2014 02:48 PM
Ryan
I don't understand why the route map configuration changed the NAT because it was doing the same as your acl 105.
Can you remove the log keyword from your acl 105 entries and try again.
Jon
02-02-2014 03:04 PM
Well, I have never seen anything like it before, but removing the log keyword has resolved it!! (Pretty sure I only added the log in *because* it wouldn't work.)
Many blessings to you Jon I still have some hair left too.
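As an added check, not from the thread or from Cisco, here is a small Python lint for the two NAT pitfalls this thread ran into: the "log" keyword on an ACL referenced by "ip nat inside source list", and a route-map used by "ip nat inside source route-map" with no "match" clause (an empty route-map matches every packet, which is the "natted ALL my traffic" symptom). The config it parses is a constructed sample modelled on the snippets above, with the named ACL entries indented the way IOS prints them.

```python
import re
# Constructed sample, modelled on the thread's config: ACL 105 carries 'log',
# and route-map NAT_ACL has no 'match' clause. Not the poster's real config.
SAMPLE_CONFIG = """\
ip nat inside source list 105 interface Loopback0 overload
ip nat inside source route-map NAT_ACL interface Loopback0 overload
!
ip access-list extended NAT_ACL
 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.31.0 0.0.0.255 any
!
route-map NAT_ACL permit 10
!
access-list 105 deny ip 192.168.31.0 0.0.0.255 192.168.0.0 0.0.0.255 log
access-list 105 permit ip 192.168.31.0 0.0.0.255 any log
"""

def lint_nat(config: str) -> list[str]:
    # Findings: NAT ACL entries with 'log'/'log-input', NAT route-maps lacking 'match'.
    nat_acls = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    nat_maps = set(re.findall(r"^ip nat inside source route-map (\S+)", config, re.M))
    findings, rmap_has_match, block = [], {}, None   # block = ("acl"|"rmap", name)
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):     # blank line or '!' ends a block
            block = None
            continue
        if words[0] == "access-list" and len(words) > 2:           # numbered ACL entry
            if words[1] in nat_acls and {"log", "log-input"} & set(words[2:]):
                findings.append(f"ACL {words[1]} used by NAT has 'log': {raw.strip()}")
            continue
        if words[:2] == ["ip", "access-list"] and len(words) >= 4:   # named ACL header
            block = ("acl", words[3])
            continue
        if words[0] == "route-map" and len(words) >= 2:               # route-map header
            block = ("rmap", words[1])
            rmap_has_match.setdefault(words[1], False)
            continue
        if block and block[0] == "acl" and words[0] in ("permit", "deny", "remark"):
            if block[1] in nat_acls and {"log", "log-input"} & set(words):
                findings.append(f"ACL {block[1]} used by NAT has 'log': {raw.strip()}")
            continue
        if block and block[0] == "rmap" and words[0] in ("match", "set", "description"):
            rmap_has_match[block[1]] |= words[0] == "match"
            continue
        block = None                                   # any other top-level command
    for name in sorted(nat_maps):                      # undefined or empty route-map
        if not rmap_has_match.get(name):
            findings.append(f"route-map {name} used by NAT has no 'match' clause (matches everything)")
    return findings
```

Running lint_nat(SAMPLE_CONFIG) reports both ACL 105 entries and the empty route-map; once "log" is removed and "match ip address NAT_ACL" is added under the route-map, it reports nothing.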
02-02-2014 03:07 PM
Ryan
No problem, glad you got it sorted.
Jon