cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
564
Views
0
Helpful
2
Replies
vtodorovv
Beginner

cisco 1921 dual WAN second ISP dhcp

Hi Team, 

 

I am setting up a dual WAN connection in one of our remote offices

ISP1 has a static IP and route. Up and running GigabitEthernet 0/1

ISP2 assigns IP and route with DHCP. GigabitEthernet 0/0

 

Cannot get the router to take an IP from the DHCP server from the server side. If I plug the cable directly to a laptop, everything works. 

Originally I thought the EHWIC card cannot be used to setup the second ISP link so I migrated the LAN to VLAN1. So, VLAN1 works with ISP one. Clients on LAN are able to use internet and VPN tunnels. Ping from router as well as.

 

 

When I try to setup ISP2 and try to ping with source GigabitEthernet0/0 I get an error

% Invalid source. Must use same-VRF IP address or full interface name without sp
aces (e.g. Serial0/1)

 

If I test the connection with CCP it fails: "Please contact your UPS or WAN administrator and check if the server has been configured to lease UP address to the clients connection through DHCP. Retest connection"

 

I thought later that my firewall is blocking the DHCP requests, I tried to setup udp 67 and udp 68 to pass on the self-out zone but it did not help. 

 

if I do show dhcp lease, it has no information:

#show dhcp lease
Temp IP addr: 0.0.0.0  for peer on Interface: GigabitEthernet0/0
Temp  sub net mask: 0.0.0.0
   DHCP Lease server: 0.0.0.0, state: 3 Selecting
   DHCP transaction id: 1B38
   Lease: 0 secs,  Renewal: 0 secs,  Rebind: 0 secs
   Next timer fires after: 00:00:04
   Retry count: 2   Client-ID: cisco-74a0.2f33.4140-Gi0/0
   Client-ID hex dump: 636973636F2D373461302E326633332E
                       343134302D4769302F30
   Hostname: 
#

 

 

Am I missing something ?

Is there something wrong with the setup of the 0.0.0.0 route ?

Do I need to specify the DNS-Servers from ISP2 ?

Or something with the firewall ? 

 

Here is the config:

 

 
!
hostname dummyHOSTNAME
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
no aaa new-model
!
!
!
!
 
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address xxx.xxx.xxx.1 xxx.xxx.xxx.14
ip dhcp excluded-address xxx.xxx.xxx.143 xxx.xxx.xxx.254
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1 
 lease 0 2
!
ip dhcp pool inside
 import all
 network xxx.xxx.xxx.0 255.255.255.0
 dns-server xxx.xxx.xxx.3 195.222.60.60 
 default-router xxx.xxx.xxx.1 
!
!
!
ip domain name dummyDOMIAN.local
ip name-server 8.8.8.8
ip name-server xxx.xxx.xxx.3
ip cef
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
 
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
 
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
 
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-3579448516
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3579448516
 revocation-check none
 rsakeypair TP-self-signed-3579448516
!
!
crypto pki certificate chain TP-self-signed-3579448516
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33353739 34343835 3136301E 170D3134 31323133 30373337 
  34385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373934 
  34383531 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100ACA0 5F4EDFA4 6219CFA4 BCE4FEE4 C0DCCEF5 BB7E8E4F 6C9239E3 A07D64B4 
  1F81FE96 F50CA9E7 6997E233 685DA74E 7F75CDA4 33937072 C5FDD5E0 461685A7 
  9C152EAB 8190673F 8EAE6886 DC845162 FF4D4C48 3058D4E9 3D921EF5 2C9CFEB4 
  0C84B82A FDBAE63F 1F183CBB 814736DF F524EFF1 E41A10CF A33329BB 902534A7 
  64DB0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 1454783C 991DAF6C 8E327EB9 4EB7989C A592B11A 02301D06 
  03551D0E 04160414 54783C99 1DAF6C8E 327EB94E B7989CA5 92B11A02 300D0609 
  2A864886 F70D0101 05050003 8181009B D7A3892E 6BEDCBF0 FCC41F56 DBCF6606 
  86E67A09 BCF0F29C 7BF2AF91 49E83D62 04377F2F 21319288 CB57185A 0DEE895F 
  C9321B83 B49EE1C1 AC4E2C3A 8508910E 2C00DEB0 0D8B4909 B33394EE 59C1A9E8 
  7BA75AFB FD556243 FF07318D E1E15093 5361F647 319475CD 1F676DCF E10D9FDF 
  F4B88D0E 1AF528C6 95F59F81 1ACAB6
  quit
license udi pid CISCO1921/K9 sn FGL185023UK
!
!
object-group network LAN_A 
 xxx.xxx.xxx.0 255.255.255.0
!
object-group network LAN_B 
 yyy.yyy.yyy.0 255.255.255.0
!
object-group network LAN_C 
 zzz.zzz.zzz.0 255.255.255.0
!
object-group network LAN_D 
 vvv.vvv.vvv.0 255.255.255.0
!
object-group network temp 
 host xxx.xxx.xxx.59
!
username bosnia privilege 15 secret 5 $1$fniM$7LUEbyp0SN0FFxTbhHRbq0
username admin privilege 15 secret 5 $1$AABT$hK7VihYXN9dX3blmuDq3w1
!
redundancy
!
!
!
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 108
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match service any 
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
 match service any 
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match service any 
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
 match service text-chat 
class-map type inspect ymsgr match-any ccp-app-yahoo
 match service text-chat 
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect http match-any ccp-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect aol match-any ccp-app-aol
 match service text-chat 
class-map type inspect http match-any ccp-http-allowparam
 match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
!
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log
  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
  log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-imap
  inspect 
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect 
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-im
  inspect 
  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect 
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect 
 class type inspect sdm-cls-VPNOutsideToInside-4
  pass
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  drop
!
zone security A_LAN
zone security WAN
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 4
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key dummyPASSWORD address dummyIP_D   
crypto isakmp key dummyPASSWORD address dummyIP_B
crypto isakmp keepalive 15
!
!
crypto ipsec transform-set set2 esp-des esp-sha-hmac 
 mode tunnel
crypto ipsec transform-set set1 esp-aes 256 esp-sha-hmac 
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel todummyIP_B
 set peer dummyIP_B
 set security-association lifetime seconds 28800
 set transform-set set1 
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel todummyIP_D
 set peer dummyIP_D
 set security-association lifetime seconds 28800
 set transform-set set1 
 match address 105
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description 2nd ISP dynamic IP$FW_INSIDE$$ETH-WAN$
 ip address dhcp
 ip nat inside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description outside$ETH-WAN$$FW_OUTSIDE$
 ip address staticIP dummySUBNET
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/0/0
 no ip address
!
interface GigabitEthernet0/0/1
 no ip address
!
interface GigabitEthernet0/0/2
 no ip address
!
interface GigabitEthernet0/0/3
 no ip address
!
interface Vlan1
 ip address xxx.xxx.xxx.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 dummyGATEWAY_staticIP 128
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit xxx.xxx.xxx.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip dummyISPnetwork 0.0.0.127 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip xxx.xxx.xxx.0 0.0.0.255 yyy.yyy.yyy.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host dummyIP_D any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 103 permit ip yyy.yyy.yyy.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip xxx.xxx.xxx.0 0.0.0.255 yyy.yyy.yyy.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip xxx.xxx.xxx.0 0.0.0.255 vvv.vvv.vvv.0 0.0.0.255
access-list 104 permit ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip xxx.xxx.xxx.0 0.0.0.255 vvv.vvv.vvv.0 0.0.0.255
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip vvv.vvv.vvv.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
access-list 108 permit ip yyy.yyy.yyy.0 0.0.0.255 xxx.xxx.xxx.0 0.0.0.255
!
control-plane
!
!
 
 
end

 

 

 

2 REPLIES 2
vtodorovv
Beginner

up

up