09-03-2013 01:23 AM - edited 03-04-2019 08:55 PM
Hi,
We've got a bunch of Cisco 877 routers we use on our remote sites for data/voice VPN back to our fixed offices.
Originally, when we inherited these routers, I only knew Cisco switches, so I had a steep learning curve; I got them configured (probably not the best, but it works!) and we've been using them fine since.
I now need to make it so a wireless AP at one of these locations can break out to the internet locally rather than over the VPN, but I'm not having any luck.
The specific IP routes were originally so we could access the Cisco Meraki AP from the cloud and monitor it, which worked great, but now we have created a Guest Wireless SSID for other contractors on site which requires the local breakout.
The biggest issue I have (apart from not getting this to work) is that I don't have a spare router to test with; I am having to do this on the live router, and set a timed reload in case anything goes terribly wrong...
Show inventory:
NAME: "877-M", DESCR: "877-M chassis, Hw Serial#: FCZXXXXXXSE, Hw Revision: 0x400"
PID: CISCO877-M-K9 , VID: V04 , SN: FCZ160290SE
Show version:
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
Cisco 877-M (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ160290SE
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2102
Current config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname StGeorgesDATA
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret XXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
ip cef
ip domain name XXXXXXX
ip name-server 172.20.0.221
ip name-server 172.20.0.222
!
!
!
!
username XXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXX
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXXXXXX address XXXXXXXXXXXX no-xauth
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
 set transform-set 3DESSHA
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 description --- IPSec Tunnel to KX ---
 ip address 172.30.52.1 255.255.255.252
 ip ospf mtu-ignore
 load-interval 30
 tunnel source Dialer0
 tunnel destination XXXXXXXXXXXXXXX
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VPN
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface Vlan1
 ip address 172.30.52.10 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 ppp chap hostname XXXXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXX password XXXXXXXXXXXXX
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.30.52.0 255.255.255.0 Tunnel0
ip route 172.16.0.0 255.240.0.0 Tunnel0
ip route 172.30.52.0 255.255.255.0 Vlan1
ip route 64.156.192.220 255.255.255.255 Tunnel0
ip route 64.156.192.245 255.255.255.255 Tunnel0
ip route 74.50.50.16 255.255.255.255 Tunnel0
ip route 74.50.63.14 255.255.255.255 Tunnel0
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 100 interface FastEthernet0 overload
!
access-list 100 deny ip 172.30.52.0 0.0.0.255 172.16.0.0 0.0.240.255
access-list 100 permit ip 172.30.52.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
!
!
!
snmp-server community public RO
!
control-plane
!
banner motd ^C
Original config prepared by XXXXXXXXXXXXX
You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now. If
you fail to disconnect we will find you...
^C
!
line con 0
 password XXXXXXXXXXXXX
 login
 no modem enable
line aux 0
line vty 0 4
 password XXXXXXXXXXXXX
 login
!
scheduler max-task-time 5000
ntp server 172.20.0.221
ntp server 172.20.0.222
end
Hope someone can help me out or point me in the right direction; let me know if you need any more information.
Thanks,
Damien.
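Editor's note with an added example; this is not the poster's working configuration and is not from any reply in the thread. Two things in the posted config stop local breakout from working. The NAT statement overloads on FastEthernet0, which on an 877 is a layer-2 switch port belonging to Vlan1 and carries no IP address, so there is no inside-global address to translate to; the NAT outside interface is Dialer0, and that is the interface the overload must name. Separately, the first line of access-list 100 uses the wildcard 0.0.240.255, which does not describe 172.16.0.0/12 (that is 0.15.255.255). Traffic routed into Tunnel0 is never translated anyway, because Tunnel0 is not an `ip nat outside` interface, but the deny should still be written correctly. The fragment below assumes the addressing in the post (LAN in 172.30.52.0/24 on Vlan1, corporate ranges 10.0.0.0/8 and 172.16.0.0/12 via Tunnel0, default route to Dialer0) and wraps the change in the timed-reload safety net the poster already uses.

```cisco
! Added example (editor's, not the poster's config).
! Assumes: LAN 172.30.52.0/24 behind Vlan1 (ip nat inside), internet via Dialer0
! (ip nat outside, negotiated address), corporate 10/8 and 172.16/12 via Tunnel0.
!
! 1. Safety net on a live router with no spare: revert in 10 minutes if locked out.
reload in 10
!
! 2. Replace the broken NAT rule. FastEthernet0 is a switch port with no IP address;
!    the overload (PAT) address must come from the NAT outside interface, Dialer0.
!    IOS may ask to clear existing translations when the old rule is removed.
no ip nat inside source list 100 interface FastEthernet0 overload
ip nat inside source list NAT-BREAKOUT interface Dialer0 overload
!
! 3. Named ACL with correct wildcards. Tunnel-bound traffic is not translated
!    (Tunnel0 is not nat outside), but explicit denies keep corporate destinations
!    from ever being PATed to the internet if the routing changes later.
ip access-list extended NAT-BREAKOUT
 deny   ip 172.30.52.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 172.30.52.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 172.30.52.0 0.0.0.255 any
!
! 4. The Meraki cloud /32 routes stay on Tunnel0 exactly as posted. Only those hosts
!    cross the VPN; everything else from the AP (guest SSID traffic included)
!    follows 0.0.0.0/0 to Dialer0 and is now translated.
!
! 5. Verify, then cancel the reload:
!    show ip nat statistics        (outside interface: Dialer0, inside: Vlan1)
!    show ip route 64.156.192.220  (via Tunnel0)
!    show ip route 8.8.8.8         (0.0.0.0/0 via Dialer0)
!    show ip nat translations      (inside global = Dialer0's negotiated address)
! reload cancel
```

The ACL only decides which inside-to-outside flows get translated; which flows reach Dialer0 at all is decided by the routing table, so the longest-prefix routes in the post are what keep the Meraki cloud management traffic on the VPN. Unrelated to the breakout, but visible in the same config and worth tidying while on the box: `snmp-server community public RO`, `ip source-route`, a cleartext `enable password` alongside the `enable secret`, and vty lines that accept telnet with no `transport input ssh`.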
09-05-2013 12:50 AM
Additionally, when we get new BT lines/DSL installed, we have issues with the VPN dropping out, but we can still telnet in and reload the router on the public IP.
This generally only happens for the first two months after a new line is installed, but I'd imagine there must be something I can configure to make the router aware, so that when it notices the VPN is down it tries again.
Thanks
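Editor's note with an added example, not part of the poster's config or any reply. The post describes a VTI tunnel (`tunnel mode ipsec ipv4`) that stays down after the DSL session flaps until someone reloads the router. IOS has two standard mechanisms for this on 12.4(24)T: Dead Peer Detection, which tears down stale IKE/IPsec SAs when the peer stops answering so they can be renegotiated, and an IP SLA probe across the tunnel with a track object that an EEM applet can act on. The fragment below assumes the hub end of the Tunnel0 /30 is 172.30.52.2 (the post only shows the local side, 172.30.52.1/30) and uses X.X.X.X where the tunnel destination is masked in the post.

```cisco
! Added example (editor's, not the poster's config).
! Assumes: hub side of Tunnel0 is 172.30.52.2; X.X.X.X is the IPsec peer address
! that the post masks in "tunnel destination" and "crypto isakmp key ... address".
!
! 1. Dead Peer Detection: keepalive every 10 s, retry every 3 s, sent periodically
!    rather than only on demand. Stale SAs are deleted when the peer goes silent.
crypto isakmp keepalive 10 3 periodic
!
! 2. Probe the hub through the tunnel, sourced from the tunnel address so the probe
!    is routed via Tunnel0 and exercises the encrypted path, not the bare DSL link.
ip sla 10
 icmp-echo 172.30.52.2 source-ip 172.30.52.1
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! 3. Track reachability; dampen so one lost probe does not trigger recovery.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! 4. On sustained failure, clear the crypto session so IKE renegotiates from scratch
!    on the next interesting packet (the SLA probe itself provides that packet).
event manager applet VPN-RECOVER
 event track 10 state down
 action 1.0 syslog msg "Tunnel0 probe failed; clearing crypto session to rebuild VPN"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote X.X.X.X"
!
! Verify:
!   show crypto session         (Tunnel0 peer, SA state UP-ACTIVE)
!   show track 10               (Reachability is Up)
!   show ip sla statistics 10   (return code OK, latest RTT)
```

If the negotiated Dialer0 address changes when a new line is provisioned, the hub side (not shown in the post) must still accept the new address in its `crypto isakmp key ... address` binding; that is an assumption to check on the far end, since this fragment only makes the branch notice and retry, it cannot fix a peer that refuses the new source address.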
11-11-2013 08:21 AM
I reconfigured the access points in question to use a teleworker gateway, which meant I could define the IPs they were contacting and apply static routes for these; an unnecessary workaround, but it fixed it.