
issue with vpn and internet

Sirajhussain
Level 1

Cisco CISCO2911/K9

IOS: Version 15.0(1r)M15

Inventory:
    1 DSL controller
    3 Gigabit Ethernet interfaces
    1 ATM interface
    2 Virtual Private Network (VPN) Modules
    1 cisco ISM Crypto Engine(s)

It's a simple configuration of a branch router connecting HO with VPN and the internet for the branch machines.

Problem:

Both internet and VPN stop working 10 seconds after enabling VPN on the dialer interface: crypto map VPN

interface ATM0/1/0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0/1/0
 no ip address
 shutdown
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin optional
 ppp chap hostname XXXXXXXX
 ppp chap password 7 XXXXXXXXXXXX
 crypto map VPN (Both internet and VPN stop working in 10 sec after configuring this)

What could be done differently to fix this issue?


cadet alain
VIP Alumni

Hi,

Post the output of sh ip int br, sh crypto map, sh access-list, sh ip route and sh run | s nat

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

I will provide show ip int bri and sh run | s nat later; meanwhile, check this:

------------------ show ip nat translations ------------------

Pro  Inside global         Inside local      Outside local      Outside global
icmp 178.152.18.136:1      10.17.1.45:1      8.8.8.8:1          8.8.8.8:1
tcp  178.152.18.136:21291  10.17.1.45:21291  75.126.159.157:80  75.126.159.157:80
udp  178.152.18.136:52352  10.17.1.45:52352  8.8.8.8:53         8.8.8.8:53
udp  178.152.18.136:55794  10.17.1.45:55794  8.8.8.8:53         8.8.8.8:53
udp  178.152.18.136:58987  10.17.1.45:58987  8.8.8.8:53         8.8.8.8:53
udp  178.152.18.136:62341  10.17.1.45:62341  8.8.8.8:53         8.8.8.8:53
udp  178.152.18.136:64921  10.17.1.45:64921  8.8.8.8:53         8.8.8.8:53

------------------ show crypto map ------------------

Crypto Map IPv4 "VPN" 10 ipsec-isakmp
    Peer = 78.100.40.130
    Extended IP access list 101
        access-list 101 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255
    Current peer: 78.100.40.130
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Responder-Only (Y/N): N
    PFS (Y/N): N
    Transform sets={
        ASA-SET:  { esp-3des esp-md5-hmac  } ,
    }
    Interfaces using crypto map VPN:
        Dialer1

------------------ show access-list ------------------

Extended IP access list 101
    10 permit ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (193 matches)
Extended IP access list 102
    10 permit tcp 10.150.1.0 0.0.0.255 any eq pop3
    20 permit tcp 10.150.1.0 0.0.0.255 any eq smtp
    30 permit ip host 10.150.1.23 any
    40 permit ip host 10.150.1.24 any
    50 permit ip host 10.150.1.25 any
    60 permit ip host 10.150.1.26 any
    70 permit ip host 10.150.1.45 any
    80 deny tcp 10.150.1.0 0.0.0.255 any eq www
    90 permit ip any any (2625 matches)
Extended IP access list 110
    10 deny ip 10.17.1.0 0.0.0.255 10.10.0.0 0.0.255.255 (797 matches)
    20 permit ip any any (362 matches)

------------------ show crypto isakmp sa ------------------

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
78.100.40.130   178.152.18.136  MM_NO_STATE          0 ACTIVE
78.100.40.130   178.152.18.136  MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

------------------ show ip route ------------------

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, Dialer1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.17.1.0/24 is directly connected, GigabitEthernet0/0
L        10.17.1.254/32 is directly connected, GigabitEthernet0/0
      178.152.0.0/32 is subnetted, 2 subnets
C        178.152.16.1 is directly connected, Dialer1
C        178.152.18.136 is directly connected, Dialer1

Hi,

Is ACL 110 the NAT ACL? If so, can you remove line 20 and replace it:

ip access-list extended 110
 no 20
 20 permit ip 10.17.0.0 0.0.255.255 any

Waiting for feedback.

Regards.

Alain

Don't forget to rate helpful posts.


Dear Alain,

Thanks for your feedback; however, the issue has been fixed after downgrading the Cisco IOS without doing any configuration change.

It is working with version 15.1.4M4 (MD)

Thanks once again for your time and support...!!

Regards,

Siraj
