Cisco 877VA issue with Route Maps

camplingm
Level 1

Dear Forum Members, please could you offer some assistance with an issue I have.

We have had to replace a Cisco 877 with a Cisco 877VA (DSL & VDSL). The router connects to the ISP over its DSL interface and works OK; from the router, if I ping 8.8.8.8 (Google) it works OK.

If I use an IP NAT statement with an access list (see below), from the internal network I can ping and get out OK.

ip nat inside source list 105 interface dialer0 overload

access-list 105 permit ip 10.10.10.0 0.0.0.255 any

If I use a route map, which is required to get around some of my VPN / static NAT issues, I currently cannot ping or get out. The config works OK on the old 877 router, which is an older model running an older version of code.

Attached is the config.

ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600


interface Ethernet0
no ip address
!
interface ATM0
description *** PSLNET ADSL INTERNET CONNECTION ***
no ip address
atm vc-per-vp 128
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
description *** Not-In-USE ***
no ip address
!
interface Vlan1
description *** Routed VLAN Interface for 10.101.10.x Network ***
ip address 10.101.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******
ppp chap password 7 *******
ppp pap sent-username ********* password 7 **********
ppp ipcp dns request
ppp ipcp wins request
no cdp enable
crypto map VPN-AH
hold-queue 224 in
!
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map PSL_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp 10.101.10.50 21 178.238.155.50 21 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.50 8080 178.238.155.50 80 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.50 6000 178.238.155.50 6000 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.50 6001 178.238.155.50 6001 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.50 6001 178.238.155.50 6021 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.50 13777 178.238.155.50 15797 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.51 80 178.238.155.51 80 route-map NoNAT extendable
ip nat inside source static tcp 10.101.10.51 502 178.238.155.51 502 route-map NoNAT extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended pure-astra
permit ip 10.101.10.0 0.0.0.255 10.1.2.0 0.0.0.255
permit ip 10.101.10.0 0.0.0.255 10.1.100.0 0.0.0.255
!
logging source-interface Dialer1
logging 217.46.179.105
access-list 23 permit 10.1.2.3
access-list 23 permit 10.1.2.5
access-list 23 permit 217.46.179.105
access-list 23 permit 81.149.149.236
access-list 23 permit 81.86.35.241
access-list 23 permit 10.10.0.0 0.0.255.255
access-list 23 permit 10.101.10.0 0.0.0.255
access-list 23 permit 86.28.75.0 0.0.0.255
access-list 23 permit 10.1.100.0 0.0.0.255
access-list 100 remark PureTech-VLAN NonNAT Addresses
access-list 100 deny   ip 10.101.10.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 deny   ip 10.101.10.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 100 remark Allow Penwood Out Addresses
access-list 100 permit ip 10.101.10.0 0.0.0.255 any
access-list 102 permit ip 10.101.10.0 0.0.0.255 any
access-list 111 permit ip host 217.46.179.105 any
access-list 111 permit ip host 81.149.149.236 any
access-list 111 permit ip host 86.28.75.1 any
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit esp any any
access-list 111 permit ahp any any
access-list 111 permit gre any any
access-list 111 permit tcp any any established
access-list 111 permit tcp any any eq www
access-list 111 permit udp any any eq ntp
access-list 111 permit udp any any eq snmp
access-list 111 remark **** HMI PORTS ****
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq 6000
access-list 111 permit tcp any any eq 6001
access-list 111 permit tcp any any eq 6021
access-list 111 permit tcp any any eq 15797
access-list 111 permit tcp any any eq 13777
access-list 111 remark **** HMI PORTS END ****
access-list 111 remark **** PLC PORTS ****
access-list 111 permit tcp any any eq 502
access-list 111 remark **** PLC PORTS END ****
access-list 111 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map PSL_RMAP_1 permit 1
match ip address 100
!
route-map NoNAT permit 10
match ip address 100

2 Replies

Richard Burts
Hall of Fame

I see that there is a crypto map on the dialer interface. But there is no information in what you posted about the crypto. Can you provide the information about the crypto? I am wondering if there is some interaction with crypto that is impacting the traffic going out.

I am also curious about the fact that the route map for dynamic translation is using the same access list as the route map for static translation. Was it this way on the original router? And I notice that both route maps are just doing a single match to a single access list. So I wonder what it is that the route map is doing that would not be done with an access list in the ip nat commands.

HTH

Rick

Hi Rick,

Thanks for the reply. Yes, the original config worked on an 877 running a 12.x version.

crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key recycle address 86.28.75.1
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map VPN-AH 1 ipsec-isakmp
 description VPN Tunnel to Astra House
 set peer 86.28.75.1
 set transform-set ESP-3DES-MD5
 match address pure-astra
!

When we had NAT statements to a public IP address, for example port 80, it would work fine on the external interface but not via the VPN.

We created the route map to get around this issue, which works on this and other routers.

If you have a better idea, I am open to suggestions, as it's not really my area, being a voice engineer.

Regards

Matthew
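The NAT-exemption pattern the thread is built around, written out as an added example (it is not the poster's configuration and not Cisco's documentation) using the addresses from the posted config: 10.101.10.0/24 behind Vlan1, the VPN subnets 10.1.2.0/24 and 10.1.100.0/24, and Dialer1 as the outside interface. The ACL name NAT-CANDIDATES and the route-map name NONAT-STATIC are assumptions and do not appear on the page; only two of the posted static forwards are repeated to keep the block short. The verification commands at the end are standard IOS commands.

```cisco
! Added example, not the poster's config. Names NAT-CANDIDATES and
! NONAT-STATIC are assumed; addresses are the ones from the posted config.
!
! Why the exemption is needed: for inside-to-outside traffic IOS applies
! NAT before the crypto map. Without the deny lines below, a packet from
! 10.101.10.50 to 10.1.2.10 would first be rewritten to the Dialer1 (or
! 178.238.155.50) address, would then no longer match crypto ACL
! "pure-astra", and would be routed to the ISP in clear text instead of
! through the tunnel.
!
! 1. One ACL decides what may be translated. A deny here means "do not
!    translate", not "drop": the packet is still routed, just untouched.
ip access-list extended NAT-CANDIDATES
 deny   ip 10.101.10.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny   ip 10.101.10.0 0.0.0.255 10.1.100.0 0.0.0.255
 permit ip 10.101.10.0 0.0.0.255 any
!
! 2. Dynamic PAT. A plain list is enough here; a route-map whose only
!    clause is "match ip address" adds nothing for the overload rule.
ip nat inside source list NAT-CANDIDATES interface Dialer1 overload
!
! 3. Static port forwards. A static entry without a route-map is
!    unconditional, so the route-map is the only way to stop 10.101.10.50
!    from being rewritten when it talks to the VPN subnets. The same ACL
!    is reused on purpose: the exemption set is identical for both rules.
route-map NONAT-STATIC permit 10
 match ip address NAT-CANDIDATES
!
ip nat inside source static tcp 10.101.10.50 21 178.238.155.50 21 route-map NONAT-STATIC extendable
ip nat inside source static tcp 10.101.10.51 502 178.238.155.51 502 route-map NONAT-STATIC extendable
!
! 4. Checks. A NAT rule with live translations cannot be removed, so
!    clear first, then send traffic from a LAN host and read the debug:
!    an "s=10.101.10.x->..." line proves the packet was translated; for a
!    VPN destination there must be no such line, and the IPsec SA packet
!    counters must move instead.
! clear ip nat translation *
! debug ip nat
! show ip nat translations
! show ip nat statistics
! show access-lists NAT-CANDIDATES
! show crypto session
! show crypto ipsec sa | include pkts
! undebug all
```

This also answers the question raised in the replies: for the dynamic overload rule the route-map and the bare access-list form behave the same, while for the static entries the route-map is the only mechanism IOS offers to make the translation conditional, which is why the same exemption ACL appears under both. The example leaves the posted crypto settings alone; 3DES, MD5 and DH group 2 are deprecated and should be replaced once the far end at 86.28.75.1 can be changed as well.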
