877 VPN local internet breakout issues

Damien Silman
Level 1

Hi,

We've got a bunch of Cisco 877 routers we use on our remote sites for data/voice VPN back to our fixed offices.

Originally, when we inherited these routers, I only knew Cisco switches, so I had a steep learning curve; I got them configured (probably not the best, but it works!) and we've been using them fine since.

I now need to make it so a wireless AP at one of these locations can break out to the internet locally rather than over the VPN; I'm not having any luck.

The specific IP routes were originally so we could access the Cisco Meraki AP from the cloud and monitor it, which worked great, but now we have created a Guest Wireless SSID for other contractors on site which requires the local breakout.

The biggest issue I have (apart from not getting this to work) is that I don't have a spare router to test with; I am having to do this on the live router, and set a timed reload in case anything goes terribly wrong...

Show inventory:

NAME: "877-M", DESCR: "877-M chassis, Hw Serial#: FCZXXXXXXSE, Hw Revision: 0x400"
PID: CISCO877-M-K9       , VID: V04 , SN: FCZ160290SE

Show version:

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
Cisco 877-M (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ160290SE
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102

Current config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname StGeorgesDATA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret XXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
ip cef
ip domain name XXXXXXX
ip name-server 172.20.0.221
ip name-server 172.20.0.222
!
!
!
!
username XXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXXXX address XXXXXXXXXXXX no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
 set transform-set 3DESSHA
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 description --- IPSec Tunnel to KX ---
 ip address 172.30.52.1 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer0
 tunnel destination XXXXXXXXXXXXXXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 ip address 172.30.52.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXX password XXXXXXXXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.30.52.0 255.255.255.0 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.52.0 255.255.255.0 Vlan1
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 deny   ip 172.30.52.0 0.0.0.255 172.16.0.0 0.0.240.255
access-list 100 permit ip 172.30.52.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
snmp-server community public RO
!
control-plane
!
banner motd ^C
Original config prepared by XXXXXXXXXXXXX
You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now.  If
you fail to disconnect we will find you...
^C
!
line con 0
 password XXXXXXXXXXXXX
 login
 no modem enable
line aux 0
line vty 0 4
 password XXXXXXXXXXXXX
 login
!
scheduler max-task-time 5000
ntp server 172.20.0.221
ntp server 172.20.0.222
end

Hope someone can help me out or point me in the right direction; let me know if you need any more information.

Thanks,

Damien.


Damien Silman
Level 1

Additionally, when we get new BT lines/DSL installed, we have issues with the VPN dropping out, but we can still telnet in and reload the router on the public IP.

This generally only happens for the first two months after a new line is installed, but I'd imagine there must be something I can configure to make the router aware, so that when it notices the VPN is down it tries again.

Thanks

I reconfigured the access points in question to use a teleworker gateway, which meant I could define the IPs they were contacting and apply static routes for these; an unnecessary workaround, but it fixed it.
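Added example (not part of the original post or any reply): a small Python model of the routing and NAT decisions encoded by the posted `ip route` and `access-list 100` lines. It shows why a packet from the AP's subnet to the Meraki cloud addresses or to anything in 172.16.0.0/12 is steered into Tunnel0 and never translated, while everything else takes Dialer0; the static routes for the teleworker gateway IPs in the last reply work by exactly the same longest-prefix rule. The source address 172.30.52.20 and the public destination 203.0.113.10 are constructed. The model assumes translation happens on the interface that carries `ip nat outside` (Dialer0); in the posted config the `ip nat inside source ... overload` line names FastEthernet0, which has neither an IP address nor `ip nat outside`, so that line is the first thing to check. The `wildcard_for` helper also shows that `0.0.240.255` is not the wildcard equivalent of the `255.240.0.0` mask used on the route line, so the posted deny entry only excludes part of 172.16.0.0/12 from the NAT list; `ACL_100_FIXED` is a constructed variant using the matching wildcard `0.15.255.255`.

```python
import ipaddress
from dataclasses import dataclass

# Routing and NAT lines copied from the posted config (added example, not the
# original poster's code); everything else here is a model written for this page.
ROUTES = """
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.30.52.0 255.255.255.0 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.52.0 255.255.255.0 Vlan1
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
"""

ACL_100 = """
access-list 100 deny   ip 172.30.52.0 0.0.0.255 172.16.0.0 0.0.240.255
access-list 100 permit ip 172.30.52.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
"""

# Constructed variant of the same ACL using the wildcard that actually
# corresponds to mask 255.240.0.0, i.e. the whole 172.16.0.0/12 range.
ACL_100_FIXED = ACL_100.replace("0.0.240.255", "0.15.255.255")

NAT_OUTSIDE_IF = "Dialer0"  # the only interface configured with "ip nat outside"


def wildcard_for(netmask: str) -> str:
    """Wildcard (inverse) mask for a dotted netmask, e.g. 255.240.0.0 -> 0.15.255.255."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(netmask))))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_routes(text: str):
    """Turn 'ip route NET MASK IFACE' lines into (network, egress interface) pairs."""
    table = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"]:
            table.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[4]))
    return table


@dataclass
class AclEntry:
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def _pop_addr(tokens):
    """Consume one address spec (any / host X / X WILDCARD) from the token list."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acl(text: str, number: int):
    """Parse numbered extended ACL lines of the shape used in the posted config (protocol 'ip')."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[:2] != ["access-list", str(number)]:
            continue
        action, rest = parts[2], parts[4:]  # parts[3] is the protocol, always "ip" here
        src, src_wc, rest = _pop_addr(rest)
        dst, dst_wc, _ = _pop_addr(rest)
        entries.append(AclEntry(action, src, src_wc, dst, dst_wc))
    return entries


ROUTE_TABLE = parse_routes(ROUTES)
ACL = parse_acl(ACL_100, 100)


def lookup_route(table, dst: str):
    """Longest-prefix match: the most specific static route decides the egress interface."""
    addr = ipaddress.IPv4Address(dst)
    matches = [(net, iface) for net, iface in table if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1] if matches else None


def acl_permits(entries, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


def classify(src: str, dst: str, table=None, acl=None):
    """Return (egress interface, translated?) for a packet from an inside host."""
    table = ROUTE_TABLE if table is None else table
    acl = ACL if acl is None else acl
    egress = lookup_route(table, dst)
    # Overload NAT applies only to packets leaving via the "ip nat outside" interface
    # and permitted by the NAT ACL; traffic routed into Tunnel0 is never translated.
    return egress, (egress == NAT_OUTSIDE_IF and acl_permits(acl, src, dst))


if __name__ == "__main__":
    ap = "172.30.52.20"  # constructed address for the AP on the site LAN
    for dst in ("203.0.113.10", "64.156.192.220", "172.20.0.221", "10.30.52.5"):
        print(dst, "->", classify(ap, dst))
    print("wildcard for 255.240.0.0 is", wildcard_for("255.240.0.0"))
    print("posted ACL permits AP->172.20.0.221:", acl_permits(ACL, ap, "172.20.0.221"))
    print("fixed ACL permits AP->172.20.0.221:", acl_permits(parse_acl(ACL_100_FIXED, 100), ap, "172.20.0.221"))
```

Running it shows the two independent decisions the guest SSID depends on: the /32 routes to the Meraki addresses and the /12 route win the longest-prefix match and pull that traffic into the tunnel regardless of the NAT list, so local breakout for a new guest subnet needs both a route that resolves to Dialer0 and a NAT list entry that permits that subnet, applied on the interface that is actually `ip nat outside`.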
