Cisco Easy VPN and 2wire 3800hgv-b modem problems

petergcisco
Level 1

I have a Cisco 851w router that is connected to an AT&T 2wire 3800hgv-b modem (AT&T U-verse) in DMZ mode. I configured the Cisco router with Cisco Easy VPN. From outside I can establish a VPN connection to the 851w router using Cisco VPN Client and I can access the LAN behind the 851w. However, the internet connection goes down and I have to reset the 2wire 3800hgv-b modem to get the internet back up. Any suggestions why this happens?


Yudong Wu
Level 7

Can you paste your 851 configuration here?

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname rt1

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 ***************

enable password 7 ******************

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone PCTime -5

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-3543785435

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3543785435

revocation-check none

rsakeypair TP-self-signed-3543785435

!

!

crypto pki certificate chain TP-self-signed-3543785435

certificate self-signed 01 nvram:IOS-Self-Sig#E.cer

dot11 association mac-list 700

dot11 syslog

!

dot11 ssid Guest

   vlan 20

   authentication open

   authentication key-management wpa

   guest-mode

   wpa-psk ascii 7 *************

!

dot11 ssid cwifi

   vlan 1

   authentication open

   authentication key-management wpa

   wpa-psk ascii 7 *****************

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.3.1 192.168.3.10

ip dhcp excluded-address 192.168.2.1 192.168.2.10

!

ip dhcp pool open

   import all

   network 192.168.3.0 255.255.255.0

   default-router 192.168.3.1

   lease 3

!

ip dhcp pool Guest

   import all

   network 192.168.2.0 255.255.255.0

   default-router 192.168.2.1

   lease 3

!

!

ip cef

no ip domain lookup

ip domain name peterglab.local

!

!

!

username ***** privilege 15 secret 5 **********

username ****** privilege 15 secret 5 *********

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpngroup

key ******

dns 192.168.5.1

pool SDM_POOL_1

acl 100

crypto isakmp profile ciscocp-ike-profile-1

   match identity group vpngroup

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

ip ssh version 2

!

bridge irb

!

!

interface Loopback0

ip address 131.108.1.1 255.255.255.0

!

interface FastEthernet0

speed 100

spanning-tree portfast

!

interface FastEthernet1

speed 100

spanning-tree portfast

!

interface FastEthernet2

speed 100

spanning-tree portfast

!

interface FastEthernet3

speed 100

!

interface FastEthernet4

description INTERNET WAN CONNECTION

ip address dhcp

ip nat outside

ip virtual-reassembly

speed 100

full-duplex

no cdp enable

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Dot11Radio0

no ip address

!

encryption vlan 1 mode ciphers tkip

!

encryption vlan 20 mode ciphers tkip

!

ssid Guest

!

ssid cwifi

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Dot11Radio0.20

encapsulation dot1Q 20

ip address 192.168.2.1 255.255.255.0

ip access-group Guest-ACL in

ip nat inside

ip virtual-reassembly

!

interface Vlan1

no ip address

ip nat inside

ip virtual-reassembly

bridge-group 1

!

interface BVI1

ip address 192.168.3.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool SDM_POOL_1 192.168.4.1 192.168.4.50

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source list 2 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.3.4 21 ********** 21 extendable

ip nat inside source static tcp 192.168.3.4 80 ********* 80 extendable

ip nat inside source static tcp 192.168.3.4 443 ******** 443 extendable

ip nat inside source static tcp 192.168.3.4 3389 ********** 3389 extendable

!

ip access-list extended Guest-ACL

deny   ip any 192.168.3.0 0.0.0.255

permit ip any any

!

access-list 2 remark CCP_ACL Category=2

access-list 2 permit 192.168.3.0 0.0.0.255

access-list 2 permit 192.168.2.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 permit ip 192.168.3.0 0.0.0.255 any

access-list 100 permit ip 192.168.5.0 0.0.0.255 any

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

banner motd

***Warning***

Authorized access only

***Warning***

!

line con 0

password 7 ***********

logging synchronous

no modem enable

line aux 0

line vty 0 4

password 7 ************

logging synchronous

transport input telnet ssh

!

scheduler max-task-time 5000

end



I did not see any issue in your config file from a quick look.

Does it happen whenever you connect a VPN client?

If you disconnect the VPN client, does a user behind the 851 get internet connectivity back?

By the way, what is the IP "131.108.1.1" under the lo0 interface?

If the issue happens whenever you connect the VPN client, you might need to check routing stuff on the 851 after the VPN client is connected.

This happens when I connect the VPN client. When I disconnect the VPN client, a user behind the 851 router does not get an Internet connection. The VPN session does not get disconnected. IP 131.108.1.1 is the loopback IP address. I have to reboot the modem to get Internet back. Maybe the modem is acting up. I'm not sure.

Is the 2-wire configured for DMZPlus mode to hand off the outside IP to the 851?

Yes. The 2wire is configured in DMZ mode. The IP address of the 2wire is 192.168.5.1, subnet 255.255.255.0. The IP address of the 851w is 192.168.3.1 on the BVI interface.

I have had an 871 with EZVPN behind my 2wire in DMZPlus mode for almost 2 years and it worked great on 5.X firmware. When AT&T upgraded it to 6.X I started having strange problems. The tunnel would lock up, and I would intermittently lose internet on the inside clients. Recently I turned off DMZPlus mode and everything works great now. Of course I am only an EZ-VPN client, not a server, and obviously this will not work if you are an EZ-VPN server.

So you may want to give that a try.
