Hi Team,
I am setting up a dual WAN connection in one of our remote offices.
ISP1 has a static IP and route. Up and running on GigabitEthernet 0/1.
ISP2 assigns IP and route with DHCP. GigabitEthernet 0/0.
Cannot get the router to take an IP from the DHCP server on the ISP side. If I plug the cable directly into a laptop, everything works.
Originally I thought the EHWIC card could not be used to set up the second ISP link, so I migrated the LAN to VLAN1. So VLAN1 works with ISP1: clients on the LAN are able to use the internet and the VPN tunnels, and ping from the router works as well.
When I try to set up ISP2 and try to ping with source GigabitEthernet0/0, I get an error:
% Invalid source. Must use same-VRF IP address or full interface name without spaces (e.g. Serial0/1)
If I test the connection with CCP it fails: "Please contact your ISP or WAN administrator and check if the server has been configured to lease IP address to the clients connecting through DHCP. Retest connection"
Later I thought that my firewall was blocking the DHCP requests, so I tried to set up udp 67 and udp 68 to pass on the self-out zone pair, but it did not help.
If I do show dhcp lease, it has no information:
#show dhcp lease
Temp IP addr: 0.0.0.0 for peer on Interface: GigabitEthernet0/0
Temp sub net mask: 0.0.0.0
DHCP Lease server: 0.0.0.0, state: 3 Selecting
DHCP transaction id: 1B38
Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
Next timer fires after: 00:00:04
Retry count: 2 Client-ID: cisco-74a0.2f33.4140-Gi0/0
Client-ID hex dump: 636973636F2D373461302E326633332E
343134302D4769302F30
Hostname:
#
Am I missing something?
Is there something wrong with the setup of the 0.0.0.0 route?
Do I need to specify the DNS servers from ISP2?
Or something with the firewall?
Here is the config:
!
hostname dummyHOSTNAME
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
no aaa new-model
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address xxx.xxx.xxx.1 xxx.xxx.xxx.14
ip dhcp excluded-address xxx.xxx.xxx.143 xxx.xxx.xxx.254
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool inside
import all
network xxx.xxx.xxx.0 255.255.255.0
dns-server xxx.xxx.xxx.3 195.222.60.60
default-router xxx.xxx.xxx.1
!
!
!
ip domain name dummyDOMIAN.local
ip name-server 8.8.8.8
ip name-server xxx.xxx.xxx.3
ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3579448516
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3579448516
revocation-check none
rsakeypair TP-self-signed-3579448516
!
!
crypto pki certificate chain TP-self-signed-3579448516
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353739 34343835 3136301E 170D3134 31323133 30373337
34385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373934
34383531 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100ACA0 5F4EDFA4 6219CFA4 BCE4FEE4 C0DCCEF5 BB7E8E4F 6C9239E3 A07D64B4
1F81FE96 F50CA9E7 6997E233 685DA74E 7F75CDA4 33937072 C5FDD5E0 461685A7
9C152EAB 8190673F 8EAE6886 DC845162 FF4D4C48 3058D4E9 3D921EF5 2C9CFEB4
0C84B82A FDBAE63F 1F183CBB 814736DF F524EFF1 E41A10CF A33329BB 902534A7
64DB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1454783C 991DAF6C 8E327EB9 4EB7989C A592B11A 02301D06
03551D0E 04160414 54783C99 1DAF6C8E 327EB94E B7989CA5 92B11A02 300D0609
2A864886 F70D0101 05050003 8181009B D7A3892E 6BEDCBF0 FCC41F56 DBCF6606
86E67A09 BCF0F29C 7BF2AF91 49E83D62 04377F2F 21319288 CB57185A 0DEE895F
C9321B83 B49EE1C1 AC4E2C3A 8508910E 2C00DEB0 0D8B4909 B33394EE 59C1A9E8
7BA75AFB FD556243 FF07318D E1E15093 5361F647 319475CD 1F676DCF E10D9FDF
F4B88D0E 1AF528C6 95F59F81 1ACAB6
quit
license udi pid CISCO1921/K9 sn FGL185023UK
!
!
object-group network LAN_A
xxx.xxx.xxx.0 255.255.255.0
!
object-group network LAN_B
yyy.yyy.yyy.0 255.255.255.0
!
object-group network LAN_C
zzz.zzz.zzz.0 255.255.255.0
!
object-group network LAN_D
vvv.vvv.vvv.0 255.255.255.0
!
object-group network temp
host xxx.xxx.xxx.59
!
username bosnia privilege 15 secret 5 $1$fniM$7LUEbyp0SN0FFxTbhHRbq0
username admin privilege 15 secret 5 $1$AABT$hK7VihYXN9dX3blmuDq3w1
!
redundancy
!
!
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 106
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 108
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class class-default
drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-4
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
drop
!
zone security A_LAN
zone security WAN
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 4
encr aes 256
authentication pre-share
group 2
crypto isakmp key dummyPASSWORD address dummyIP_D
crypto isakmp key dummyPASSWORD address dummyIP_B
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set set2 esp-des esp-sha-hmac
mode tunnel
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel todummyIP_B
set peer dummyIP_B
set security-association lifetime seconds 28800
set transform-set set1
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel todummyIP_D
set peer dummyIP_D
set security-association lifetime seconds 28800
set transform-set set1
match address 105
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description 2nd ISP dynamic IP$FW_INSIDE$$ETH-WAN$
ip address dhcp
ip nat inside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description outside$ETH-WAN$$FW_OUTSIDE$
ip address staticIP dummySUBNET
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
ip address xxx.xxx.xxx.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dummyGATEWAY_staticIP 128
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip dummyISPnetwork 0.0.0.127 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 yyy.yyy.yyy.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host dummyIP_D any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 103 permit ip yyy.yyy.yyy.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny ip xxx.xxx.xxx.0 0.0.0.255 yyy.yyy.yyy.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip xxx.xxx.xxx.0 0.0.0.255 vvv.vvv.vvv.0 0.0.0.255
access-list 104 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 vvv.vvv.vvv.0 0.0.0.255
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 108 permit ip yyy.yyy.yyy.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
!
control-plane
!
!
end
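Added example (editor's illustration, not part of the original post and not taken from the poster's router): a config fragment showing the two changes a practitioner would check first against the posted config. The zone-pair, policy-map, interface and ACL names (ccp-zp-out-self, ccp-permit, ccp-permit-icmpreply, SDM_RMAP_1, access-list 104, dummyIP_D) are the ones in the post; the names DHCP_CLIENT_TO_SERVER, DHCP_SERVER_TO_CLIENT, CM_DHCP_CLIENT_OUT, CM_DHCP_CLIENT_IN and NAT_ISP2 are my own. It assumes, as the post states, that ISP2 is on GigabitEthernet0/0, a member of out-zone, and that ISP2's DHCP server replies are addressed to the router itself.

```cisco
! --- 1. Zone-based firewall: let the router's own DHCP client talk to ISP2 ---
! In the posted config, traffic from out-zone to the router itself (zone-pair
! ccp-zp-out-self) hits policy ccp-permit, which passes only VPN traffic from
! dummyIP_D (ACL 102) and drops everything else in class-default. ISP2's
! DHCPOFFER/DHCPACK arrive on Gi0/0 (a member of out-zone) addressed to the
! router, so they are dropped there and "show dhcp lease" stays in Selecting.
! Passing udp 67/68 only on the self-out pair (as tried in the post) does not
! help, because "pass" is one-way and keeps no session state: it has to be
! applied in both directions (self -> out-zone and out-zone -> self).
ip access-list extended DHCP_CLIENT_TO_SERVER
 remark DISCOVER/REQUEST sent by the router: bootpc (68) -> bootps (67)
 permit udp any eq bootpc any eq bootps
ip access-list extended DHCP_SERVER_TO_CLIENT
 remark OFFER/ACK/NAK from the ISP server: bootps (67) -> bootpc (68)
 permit udp any eq bootps any eq bootpc
!
class-map type inspect match-all CM_DHCP_CLIENT_OUT
 match access-group name DHCP_CLIENT_TO_SERVER
class-map type inspect match-all CM_DHCP_CLIENT_IN
 match access-group name DHCP_SERVER_TO_CLIENT
!
! self -> out-zone (existing policy on zone-pair ccp-zp-self-out)
policy-map type inspect ccp-permit-icmpreply
 class type inspect CM_DHCP_CLIENT_OUT
  pass
! out-zone -> self (existing policy on zone-pair ccp-zp-out-self). IOS always
! keeps class-default last, so the new class is evaluated before the drop.
policy-map type inspect ccp-permit
 class type inspect CM_DHCP_CLIENT_IN
  pass
!
! --- 2. NAT: a WAN link is a NAT *outside* interface ---
! The posted config has "ip nat inside" on Gi0/0, which makes the ISP2 link
! part of the inside; no LAN traffic would ever be translated to the
! DHCP-assigned address even once the lease is obtained.
interface GigabitEthernet0/0
 description 2nd ISP dynamic IP
 ip address dhcp
 no ip nat inside
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
!
! One overload rule per ISP, each tied to its egress interface, so a
! translation is created with the address of the link the packet actually
! leaves on. ACL 104 (from the posted config) already excludes the
! VPN-protected subnets from translation.
route-map SDM_RMAP_1 permit 1
 match ip address 104
 match interface GigabitEthernet0/1
route-map NAT_ISP2 permit 1
 match ip address 104
 match interface GigabitEthernet0/0
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT_ISP2 interface GigabitEthernet0/0 overload
!
! --- 3. Routing ---
! "ip address dhcp" installs a default route learned from ISP2 with
! administrative distance 254, so the posted static default (distance 128)
! via ISP1 stays preferred and ISP2 is only used when that static route is
! withdrawn. Keep the posted static route as it is; no second static
! 0.0.0.0/0 is needed for ISP2, the DHCP client supplies it.
```

To verify after applying this: ping 8.8.8.8 source GigabitEthernet0/0 (the interface name written without a space, which is what the "% Invalid source" message in the post is complaining about), show dhcp lease, debug dhcp detail while the lease is being negotiated, show policy-map type inspect zone-pair ccp-zp-out-self to see the pass counters of CM_DHCP_CLIENT_IN increment, and show ip nat translations once LAN hosts actually use the ISP2 path. Note that with only a static route the failover is interface-down only; detecting an upstream failure on ISP1 would additionally need an IP SLA track on that static route, which the post does not configure. Separately, the pasted config exposes the router's type 5 (salted MD5) user secrets; those hashes are crackable offline, so the bosnia and admin passwords should be changed after posting.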