cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1445
Views
0
Helpful
1
Replies
Highlighted
Participant

Cisco 2911 - Dialer Interface - No Connection

Hi All - having some issues with a configuration using a Dialer interface. The interface comes up and the VPN tunnel comes up, but cannot access any network resources or the Internet. Was hoping someone could have a look at my config and provide some insight.

The things that concern me most are my access lists as I have the static IP address that we are assigned via PPPOE - the IP never changes, but not sure if I can define it in the ACL or if I should be using an ANY tag.

Note: I've changed some IPs and username for security reasons.

!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname C2911-OTO01
!
boot-start-marker
boot system flash
boot-end-marker
!
logging buffered 5000000
no logging rate-limit
no logging console
!
no aaa new-model
!
!
!
clock timezone EST -5
clock summer-time EST recurring
!
no ipv6 cef
no ip source-route
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.144.1 10.10.144.50
ip dhcp excluded-address 192.168.244.1 192.168.244.50
ip dhcp excluded-address 192.168.244.254
!
ip dhcp pool DATA
   network 10.10.144.0 255.255.255.0
   default-router 10.10.144.1
   dns-server 10.1.200.50 10.1.200.51 8.8.8.8
   option 150 ip 192.168.111.20
!
ip dhcp pool VOICE
   network 192.168.244.0 255.255.255.0
   option 150 ip 192.168.111.20
   default-router 192.168.244.1
!
!
no ip domain lookup
ip domain name notyours.com
ip name-server 8.8.8.8
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect one-minute high 1000
ip inspect one-minute low 800
ip inspect tcp max-incomplete host 150 block-time 0
ip inspect name FIREWALL dns
ip inspect name FIREWALL tcp router-traffic
ip inspect name FIREWALL udp
ip inspect name FIREWALL ftp
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL icmp
ip inspect name FIREWALL ntp
ip inspect name FIREWALL pptp
ip inspect name FIREWALL skinny
!
multilink bundle-name authenticated
!
!

!
!

!
archive
log config
  hidekeys
username
!
redundancy
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key mykey address 66.55.33.11 no-xauth
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
!
crypto map COOKE_VPN 1 ipsec-isakmp
set peer 66.55.33.11
set transform-set AES128
match address VPN-NETWORKS
!
!
!
!
!
interface GigabitEthernet0/0
bandwidth 10240
no ip address
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed 100
!
!
interface GigabitEthernet0/1.144
encapsulation dot1Q 144
ip address 10.10.144.1 255.255.255.0
ip access-group OUTBOUND in
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.244
description VOICE NETWORK
encapsulation dot1Q 244
ip address 192.168.244.1 255.255.255.0
ip access-group OUTBOUND in
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/2
no ip address
shutdown
!
!
interface Dialer0
description ADSL WAN Dialer
ip address negotiated
ip access-group INBOUND in
no ip redirects
no ip unreachables
ip mtu 1492
ip verify unicast reverse-path
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username myusername password mypassword
no cdp enable
crypto map COOKE_VPN
!
!
ip forward-protocol nd
!
no ip http server
ip http secure-server
!
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list standard SNMP
permit 10.1.200.63
!
ip access-list extended DF
permit tcp any any
ip access-list extended INBOUND
permit udp host 66.55.33.11 host 65.76.252.11 eq isakmp
permit esp host 66.55.33.11 host 65.76.252.11
permit tcp host 205.174.163.163 host 65.76.252.11 eq 22
permit tcp host 66.55.33.11 host 65.76.252.11 eq 22
permit icmp host 66.55.33.11 host 65.76.252.11
deny   ip any any log-input
ip access-list extended NAT
deny   ip any 10.0.0.0 0.255.255.255
deny   ip any 192.168.0.0 0.0.255.255
deny   ip any 172.16.0.0 0.15.255.255
deny   ip any 172.17.0.0 0.0.255.255
permit ip 10.10.144.0 0.0.0.255 any
permit ip 192.168.244.0 0.0.0.255 any
ip access-list extended OUTBOUND
deny   udp any host 66.55.33.11 eq isakmp
deny   udp any host 66.55.33.11 eq non500-isakmp
deny   esp any host 66.55.33.11
permit ip any any
ip access-list extended VPN-NETWORKS
permit ip 10.10.144.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.244.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.10.144.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.244.0 0.0.0.255 192.168.0.0 0.0.255.255
!
!
!
!
!
route-map clear-df-bit permit 10
match ip address DF
set ip df 0
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/1.144
ntp master
ntp server 10.1.200.50
end

1 REPLY 1
Highlighted
Engager

hi

can you tweak you NAT ACL to deny only 10.10.144.0 0.0.0.255 to remote subnet similarly 192.168.244.0 0.0.0.255 to remote subnet and give

permit ip 10.10.144.0 0.0.0.255 any / permit ip 192.168.244.0 0.0.0.255 any ?

If its not working then check for the logs and find out where the packets are getting filtered and dropped. In addition to this have you tried removing the ACLs and accessing the remote net and the internet?

regds