12-02-2012 10:40 PM - edited 03-11-2019 05:31 PM
Cisco CISCO2911/K9
IOS: Version 15.0(1r)M15
Inventory:
1 DSL controller
3 Gigabit Ethernet interfaces
1 ATM interface
2 Virtual Private Network (VPN) Modules
1 cisco ISM Crypto Engine(s)
It's a simple configuration of a branch router connecting HO with VPN and the internet for the branch machines.
Problem:
Both internet and VPN stop working 10 seconds after enabling VPN on the dialer interface: crypto map VPN
interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/1/0
 no ip address
 shutdown
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin optional
 ppp chap hostname XXXXXXXX
 ppp chap password 7 XXXXXXXXXXXX
 crypto map VPN (Both internet and VPN stop working in 10 sec after configuring this)
What could be done differently to fix this issue?
12-03-2012 12:51 AM
Hi,
post output of sh ip int br, sh crypto map, sh access-list, sh ip route and sh run | s nat
Regards.
Alain
Don't forget to rate helpful posts.
12-03-2012 03:26 AM
Hi Alain,
show ip int bri and sh run | s nat - I will provide these later; meanwhile, check this:
------------------ show ip nat translations ------------------
Pro Inside global Inside local Outside local Outside global
icmp 178.152.18.136:1 10.17.1.45:1 8.8.8.8:1 8.8.8.8:1
tcp 178.152.18.136:21291 10.17.1.45:21291 75.126.159.157:80 75.126.159.157:80
udp 178.152.18.136:52352 10.17.1.45:52352 8.8.8.8:53 8.8.8.8:53
udp 178.152.18.136:55794 10.17.1.45:55794 8.8.8.8:53 8.8.8.8:53
udp 178.152.18.136:58987 10.17.1.45:58987 8.8.8.8:53 8.8.8.8:53
udp 178.152.18.136:62341 10.17.1.45:62341 8.8.8.8:53 8.8.8.8:53
udp 178.152.18.136:64921 10.17.1.45:64921 8.8.8.8:53 8.8.8.8:53
------------------ show crypto map ------------------
Crypto Map IPv4 "VPN" 10 ipsec-isakmp
Peer = 78.100.40.130
Extended IP access list 101
access-list 101 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255
Current peer: 78.100.40.130
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
ASA-SET: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map VPN:
Dialer1
------------------ show access-list ------------------
Extended IP access list 101
10 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (193 matches)
Extended IP access list 102
10 permit tcp 10.150.1.0 0.0.0.255 any eq pop3
20 permit tcp 10.150.1.0 0.0.0.255 any eq smtp
30 permit ip host 10.150.1.23 any
40 permit ip host 10.150.1.24 any
50 permit ip host 10.150.1.25 any
60 permit ip host 10.150.1.26 any
70 permit ip host 10.150.1.45 any
80 deny tcp 10.150.1.0 0.0.0.255 any eq www
90 permit ip any any (2625 matches)
Extended IP access list 110
10 deny ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (797 matches)
20 permit ip any any (362 matches)
------------------ show crypto isakmp sa ------------------
IPv4 Crypto ISAKMP SA
dst src state conn-id status
78.100.40.130 178.152.18.136 MM_NO_STATE 0 ACTIVE
78.100.40.130 178.152.18.136 MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
------------------ show ip route ------------------
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.17.1.0/24 is directly connected, GigabitEthernet0/0
L 10.17.1.254/32 is directly connected, GigabitEthernet0/0
178.152.0.0/32 is subnetted, 2 subnets
C 178.152.16.1 is directly connected, Dialer1
C 178.152.18.136 is directly connected, Dialer1
12-03-2012 05:03 AM
Hi,
Is ACL 110 the NAT ACL? If so, can you remove line 20 and replace it:
ip access-list extended 110
 no 20
 20 permit ip 10.17.0.0 0.0.255.255 any
Waiting for feedback.
Regards.
Alain
Don't forget to rate helpful posts.
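Added example, not part of the original posts and not Cisco code: a small Python check of the ordering question raised in the reply above, namely whether the NAT ACL exempts the crypto map's interesting traffic before any permit entry translates it. It assumes ACL 110 is the NAT ACL (the thread does not confirm this), reuses the ACL lines from the posted show access-list output, and all function names are hypothetical.

```python
import ipaddress
import re

# ACL lines taken from the thread's "show access-list" output.
# Assumption: ACL 110 is the NAT ACL; the thread does not confirm it.
CRYPTO_ACL_101 = ["10 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (193 matches)"]
NAT_ACL_110 = [
    "10 deny ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (797 matches)",
    "20 permit ip any any (362 matches)",
]

def _net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return it as an IPv4 network."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = ipaddress.ip_address(tokens.pop(0))
    mask = ipaddress.ip_address(int(wildcard) ^ 0xFFFFFFFF)  # wildcard -> netmask
    return ipaddress.ip_network(f"{head}/{mask}", strict=False)  # contiguous masks only

def parse_ace(line):
    """Parse '[seq] permit|deny ip SRC DST' into (action, src_net, dst_net)."""
    tokens = re.sub(r"\(.*?\)", "", line).split()  # drop '(N matches)' counters
    if tokens[0].isdigit():
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    if proto != "ip":
        raise ValueError("this example handles only 'ip' entries")
    return action, _net(tokens), _net(tokens)

def translated_before_exempt(nat_acl, src, dst):
    """True if a permit entry overlaps src->dst before a deny covers all of it."""
    for line in nat_acl:
        action, a_src, a_dst = parse_ace(line)
        if not (src.overlaps(a_src) and dst.overlaps(a_dst)):
            continue
        if action == "permit":
            return True   # at least part of the VPN flow would be translated
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return False  # whole flow is denied (exempt from NAT) first
    return False          # implicit deny: never translated

def nat_exempts_vpn(crypto_acl, nat_acl):
    """True if every permitted crypto-ACL flow stays untranslated by the NAT ACL."""
    flows = [parse_ace(line) for line in crypto_acl]
    return all(not translated_before_exempt(nat_acl, s, d)
               for action, s, d in flows if action == "permit")

if __name__ == "__main__":
    print("NAT ACL exempts VPN traffic:", nat_exempts_vpn(CRYPTO_ACL_101, NAT_ACL_110))
```

The check is order-sensitive, like the ACL itself: a permit entry that overlaps the VPN flow and sits above the deny makes it report that the traffic would be translated.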
12-03-2012 07:45 AM
Dear Alain,
Thanks for your feedback; however, the issue has been fixed after downgrading the Cisco IOS without doing any configuration change.
It is working with version 15.1.4M4 (MD)
Thanks once again for your time and support...!!
Regards,
Siraj