887VA no connection on ADSL2+

Greetings, long time lurker, first time poster :)

We are currently going through the process of replacing our external sites' routers from 837s to 887VAs. Unfortunately, at a number of sites we are experiencing issues.

I have been looking at one of the sites and have so far managed to get as far as getting a PPP light on, but still no connectivity through to the net. The device itself is capable of pinging the DNS servers that are delivered via the connection, but nothing else. Please see below the config used to program the device. I think the problem is something silly, but I can't tell what it is. (I have obscured any identifying/secure information.)

Routers and PCs connected to routers are assigned addresses in the 192.168.231.xxx range.

ICT computers are assigned addresses in the 192.168.112.xxx range.

Should all be using AES-256 encryption, but for some reason the old 837 model router falls back to 3DES; we do not want to replicate that behaviour.

Thanks.


no service slave-log
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16384 informational
enable password *PASSWORD*
!
no aaa new-model
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
no ip source-route
!
!
!
!

!
!
!
!
no ip domain lookup
ip domain name basildon.gov.uk
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 30
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW http timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW sqlnet timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW vdolive timeout 3600
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
username *USER* privilege 15 password *PASSWORD*
!
!
!
!
!
controller VDSL 0
!
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key *SECRETKEY* address *Address of interface on ASA*
!
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPN 10 ipsec-isakmp
 set peer *Address of External interface on ASA*
 set transform-set 1
 match address 112
!
!
!
!
!
!
interface ATM0
description ADSL PHYSICAL INTERFACE
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
no shutdown
!
interface FastEthernet0
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet1
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet2
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet3
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description CORPORATE
ip address 192.168.231.33 255.255.255.248
ip access-group 115 in
!
interface Dialer1
description ADSL VIRTUAL INTERFACE
ip address negotiated
ip access-group 111 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname (Hostname from ISP)
ppp chap password (Password from ISP)
ppp pap sent-username (Hostname from ISP) password (Password from ISP)
ppp ipcp dns request
ppp ipcp wins request
crypto map VPN
hold-queue 224 in
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source route-map NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
route-map NONAT permit 10
match ip address 114
!

access-list 1 permit *MD NW Address* 0.0.0.63
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 1 permit 192.168.231.32 0.0.0.7
access-list 111 remark OUTSIDE-IN-ACL
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any echo
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any echo-reply
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any traceroute
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any echo
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any echo-reply
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any traceroute
access-list 111 permit esp *MD NW Address* 0.0.0.63 any
access-list 111 permit udp *MD NW Address* 0.0.0.63 any eq isakmp
access-list 111 permit udp *MD NW Address* 0.0.0.63 any eq 10000
access-list 111 permit tcp *MD NW Address* 0.0.0.63 any eq 22
access-list 111 permit tcp *Virgin Network Address* 0.0.0.31 any eq 22
access-list 111 permit ip 192.168.0.0 0.0.255.255 192.168.231.32 0.0.0.7
access-list 112 remark CORPORATE-SUBNET
access-list 112 permit ip 192.168.231.32 0.0.0.7 any
access-list 114 remark NONAT-LIST
access-list 114 deny   ip 192.168.231.32 0.0.0.7 any
access-list 115 remark CORPORATE-INTERFACE-ACL
access-list 115 permit ip 192.168.231.32 0.0.0.7 any
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
exec-timeout 60 0
password (ANOTHERPASS)
logging synchronous
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 60 0
password (ANOTHERPASS)
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
!
end
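The post wants AES-256 on the 887VA and explicitly does not want the 3DES fallback seen on the old 837. The following Python script is an added example for this thread, not code from the poster or from Cisco: it pulls the `crypto isakmp policy` blocks and `crypto ipsec transform-set` lines out of a config dump, fills in the IOS defaults for keywords a policy leaves out (DES, SHA, DH group 1, rsa-sig, 86400 s lifetime), and flags DES/3DES, MD5 and DH groups 1 and 2. `THREAD_CONFIG` is the crypto section copied from the config above; `LEGACY_CONFIG` is a constructed 3DES/MD5 variant standing in for the behaviour the poster does not want to replicate, and the key and peer address in it are placeholders.

```python
"""Audit IKEv1 (ISAKMP) policies and IPsec transform sets in a Cisco IOS config.

Added example for this thread, not Cisco's code. It parses `crypto isakmp
policy` blocks and `crypto ipsec transform-set` lines from a config dump and
flags algorithms that should no longer be in use (DES, 3DES, MD5, DH groups
1 and 2). It does not rely on the leading space IOS puts before sub-commands,
because forum pastes often strip it.
"""
import re

# IOS defaults for keywords a `crypto isakmp policy` block does not set.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1",
                   "authentication": "rsa-sig", "lifetime": "86400"}
POLICY_KEYWORDS = {"encr", "encryption", "hash", "group", "authentication", "lifetime"}
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}
WEAK_GROUPS = {"1", "2"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

# Crypto section of the poster's 887VA config, copied from the thread.
THREAD_CONFIG = """
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key *SECRETKEY* address *Address of interface on ASA*
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
 mode tunnel
"""

# Constructed stand-in for the old 837 behaviour the poster does not want:
# same structure, but 3DES/MD5 and a small DH group. Key and peer are placeholders.
LEGACY_CONFIG = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 192.0.2.1
!
crypto ipsec transform-set 1 esp-3des esp-md5-hmac
 mode tunnel
"""

def parse_isakmp_policies(config):
    """Return {policy_number: {keyword: value}} with IOS defaults filled in."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = dict(ISAKMP_DEFAULTS)
            policies[header.group(1)] = current
            continue
        words = line.split()
        if current is not None and words and words[0] in POLICY_KEYWORDS:
            key = "encr" if words[0] == "encryption" else words[0]
            current[key] = " ".join(words[1:])      # e.g. "aes 256", "pre-share"
        else:
            current = None                          # any other line ends the block
    return policies

def _group_transforms(tokens):
    """Attach a key-size token to its transform: ["esp-aes", "256"] -> ["esp-aes 256"]."""
    grouped = []
    for tok in tokens:
        if tok.isdigit() and grouped:
            grouped[-1] += " " + tok
        else:
            grouped.append(tok)
    return grouped

def parse_transform_sets(config):
    """Return {name: [transform, ...]} for every `crypto ipsec transform-set`."""
    sets = {}
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            sets[words[3]] = _group_transforms(words[4:])
    return sets

def audit(config):
    """Return a list of (object, finding) pairs; an empty list means nothing weak was found."""
    findings = []
    for num, pol in parse_isakmp_policies(config).items():
        obj = f"isakmp policy {num}"
        if pol["encr"].split()[0] in WEAK_CIPHERS:
            findings.append((obj, f"weak encryption {pol['encr']}"))
        if pol["hash"] in WEAK_HASHES:
            findings.append((obj, f"weak hash {pol['hash']}"))
        if pol["group"] in WEAK_GROUPS:
            findings.append((obj, f"weak DH group {pol['group']}"))
    for name, transforms in parse_transform_sets(config).items():
        for transform in transforms:
            if transform.split()[0] in WEAK_TRANSFORMS:
                findings.append((f"transform-set {name}", f"weak transform {transform}"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("887VA config from the thread", THREAD_CONFIG),
                       ("constructed 3DES legacy config", LEGACY_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no weak algorithms found'}")
```

Run against the config above it reports nothing: policy 10 is AES-256 with pre-shared keys and DH group 5, and transform-set 1 is esp-aes 256 with esp-sha-hmac. Group 5 (1536-bit MODP) and the SHA-1 HMAC pass this check; whether they satisfy your own policy is a separate decision, so adjust the weak sets to taste. The defaults matter only for keywords a policy omits, which is exactly the case that bites: a policy block with no `encr` line is a DES policy.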


Hello,

there is no 'ip nat inside' configured anywhere. Are you getting your Internet through the VPN, or is it supposed to come directly from the DSL connection?

Internet should come through the VPN; it is a direct site-to-site connection. No connectivity to the WWW outside of the corporate network.

Thanks.

For some more clarity: the site-to-site VPN should use AES-256, and the profile on the ASA then configures things like the proxy for devices. They used to be split-tunnel VPNs, but a corporate decision was made to pass everything through to our ASA.

When looking at the ASA I am seeing no attempted communication from the router at all. As soon as we plug in the old router it all works as normal.

Thanks.

Hello,

I made some changes to your config which I think should get your VPN connected (important parts marked in bold):

no service slave-log
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16384 informational
enable password *PASSWORD*
!
no aaa new-model
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ip source-route
!
no ip domain lookup
ip domain name basildon.gov.uk
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 30
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW http timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW sqlnet timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW vdolive timeout 3600
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
username *USER* privilege 15 password *PASSWORD*
!
controller VDSL 0
!
ip ssh time-out 20
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key *SECRETKEY* address *Address of interface on ASA*
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto map VPN 10 ipsec-isakmp
set peer *Address of External interface on ASA*
set transform-set 1
match address 112
!
interface ATM0
description ADSL PHYSICAL INTERFACE
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
no shutdown
!
interface FastEthernet0
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet1
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet2
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface FastEthernet3
description CORPORATE ACCESS
switchport access vlan 10
no ip address
no shutdown
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
description CORPORATE
ip address 192.168.231.33 255.255.255.248
!
interface Dialer1
description ADSL VIRTUAL INTERFACE
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname (Hostname from ISP)
ppp chap password (Password from ISP)
ppp pap sent-username (Hostname from ISP) password (Password from ISP)
ppp ipcp dns request
ppp ipcp wins request
crypto map VPN
hold-queue 224 in
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
access-list 1 permit *MD NW Address* 0.0.0.63
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 1 permit 192.168.231.32 0.0.0.7
access-list 111 remark OUTSIDE-IN-ACL
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any echo
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any echo-reply
access-list 111 permit icmp *MD NW Address* 0.0.0.63 any traceroute
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any echo
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any echo-reply
access-list 111 permit icmp *Virgin Network Address* 0.0.0.31 any traceroute
access-list 111 permit esp *MD NW Address* 0.0.0.63 any
access-list 111 permit udp *MD NW Address* 0.0.0.63 any eq isakmp
access-list 111 permit udp *MD NW Address* 0.0.0.63 any eq 10000
access-list 111 permit tcp *MD NW Address* 0.0.0.63 any eq 22
access-list 111 permit tcp *Virgin Network Address* 0.0.0.31 any eq 22
access-list 111 permit ip 192.168.0.0 0.0.255.255 192.168.231.32 0.0.0.7
access-list 112 remark CRYPTO_TRAFFIC
access-list 112 permit ip 192.168.231.32 0.0.0.7 any
access-list 115 remark CORPORATE-INTERFACE-ACL
access-list 115 permit ip 192.168.231.32 0.0.0.7 any
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
exec-timeout 60 0
password (ANOTHERPASS)
logging synchronous
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 60 0
password (ANOTHERPASS)
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
!
end
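The answer says the important parts were marked in bold, but that markup did not survive the forum, and the first reply's point was that NAT is only half configured. The following Python script is an added example for this thread, not the poster's, the answerer's or Cisco's code: it diffs the sections of the two configs that differ (`BEFORE` and `AFTER`, copied from the two posts above, with the answer's missing sub-command indentation kept as-is on purpose) and lists which interfaces carry `ip nat inside` / `ip nat outside`.

```python
"""Diff two Cisco IOS configs section by section and check NAT roles.

Added example for this thread, not Cisco's code. BEFORE and AFTER are the
sections that differ between the poster's config and the accepted answer,
copied from the thread. The parser attributes each line to the block it
lives in, using "!" as the block terminator the way IOS prints it, so it
does not depend on the leading space that forum pastes often strip.
"""

# Block headers whose following lines (until "!") are sub-commands.
BLOCK_PREFIXES = ("interface ", "route-map ", "crypto map ", "line ")

# Excerpt of the poster's original 887VA config (indented as IOS prints it).
BEFORE = """
interface Vlan10
 description CORPORATE
 ip address 192.168.231.33 255.255.255.248
 ip access-group 115 in
!
interface Dialer1
 description ADSL VIRTUAL INTERFACE
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 crypto map VPN
!
ip nat inside source route-map NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
route-map NONAT permit 10
 match ip address 114
!
access-list 112 remark CORPORATE-SUBNET
access-list 112 permit ip 192.168.231.32 0.0.0.7 any
access-list 114 remark NONAT-LIST
access-list 114 deny   ip 192.168.231.32 0.0.0.7 any
access-list 115 remark CORPORATE-INTERFACE-ACL
access-list 115 permit ip 192.168.231.32 0.0.0.7 any
"""

# The same sections from the accepted answer (indentation lost in the post).
AFTER = """
interface Vlan10
description CORPORATE
ip address 192.168.231.33 255.255.255.248
!
interface Dialer1
description ADSL VIRTUAL INTERFACE
ip address negotiated
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 112 remark CRYPTO_TRAFFIC
access-list 112 permit ip 192.168.231.32 0.0.0.7 any
access-list 115 remark CORPORATE-INTERFACE-ACL
access-list 115 permit ip 192.168.231.32 0.0.0.7 any
"""

def _is_header(line, section):
    """A block header opens a block only at global level or right after a sibling
    block of the same kind (e.g. `line vty 0 4` after `line aux 0`), so that
    `crypto map VPN` inside an interface stays a sub-command."""
    for prefix in BLOCK_PREFIXES:
        if line.startswith(prefix):
            return section == "global" or section.startswith(prefix)
    return False

def parse_sections(config):
    """Return an ordered list of (section, line) pairs with whitespace normalised."""
    entries, section = [], "global"
    for raw in config.splitlines():
        line = " ".join(raw.split())          # collapse runs of spaces, e.g. "deny   ip"
        if line in ("", "!"):
            section = "global"                # "!" closes the current block
            continue
        if _is_header(line, section):
            section = line                    # the header line belongs to its own block
        entries.append((section, line))
    return entries

def diff_configs(before, after):
    """Return (removed, added): (section, line) pairs found in only one config."""
    old, new = parse_sections(before), parse_sections(after)
    old_set, new_set = set(old), set(new)
    return ([e for e in old if e not in new_set], [e for e in new if e not in old_set])

def nat_roles(config):
    """Map "inside"/"outside" to the interfaces that carry that NAT role."""
    roles = {"inside": [], "outside": []}
    for section, line in parse_sections(config):
        if section.startswith("interface ") and line in ("ip nat inside", "ip nat outside"):
            roles[line.split()[-1]].append(section.split()[1])
    return roles

if __name__ == "__main__":
    removed, added = diff_configs(BEFORE, AFTER)
    print("Removed by the accepted answer:")
    for section, line in removed:
        print(f"  [{section}] {line}")
    print("Added by the accepted answer:")
    for section, line in added:
        print(f"  [{section}] {line}")
    print("NAT roles before:", nat_roles(BEFORE))
    print("NAT roles after: ", nat_roles(AFTER))
```

The diff shows what the accepted answer actually changed: the inbound ACL 111 on Dialer1 and ACL 115 on Vlan10 are gone, as are `ip nat outside`, the `ip nat inside source route-map NONAT ... overload` statement, route-map NONAT and ACL 114, and ACL 112's remark is renamed. Two things are worth checking on the original config along the way. ACL 111 permits isakmp and esp only from the *MD NW Address* range, so if the ASA's external address sits outside that range the inbound ACL would drop the IKE replies on Dialer1, which matches the poster seeing no communication reach the ASA. And `ip inspect name IOSFW` is defined in both versions but applied to no interface, so once ACL 111 is removed the dialer interface has no inbound filtering at all; that should be put back deliberately, with a narrower ACL that permits the ASA peer's isakmp and esp and the inspect set applied outbound, rather than left open.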

Thanking thee muchly,

I probably won't get a chance to get that tested now until Monday morning. I will update the thread with results after that.

Curious to know if it works... have a great weekend.

Well, that worked. I don't understand why, but it does resolve the VPN connecting issue. Thanks for the assist. The site is a lot happier now their connection isn't dropping all the time.