
Cisco 887VA router and configuring with VDSL

timrichards1
Level 1

Hey all, hoping you can help as I am pretty new to router config.

OK, so last week we switched one of our sub offices from ADSL to VDSL and swapped out the old 887 router (which establishes a VPN connection back to head office) with a new one, and the engineer who turned up said there would need to be some config change. We have tried but been unsuccessful so far, so any help would be VERY much appreciated.

The original config on the router at the time of the change was:


!
! Last configuration change at 14:16:27 NZST Fri Jun 19 2015 by admin
! NVRAM config last updated at 09:33:38 NZST Fri Jun 19 2015 by admin
! NVRAM config last updated at 09:33:38 NZST Fri Jun 19 2015 by admin
version 15.3
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname qtht_router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 16000
logging console warnings
enable secret 5 $1$1mYn$g6TKB5R6it2MEeAu1JauP0
!
no aaa new-model
memory-size iomem 10
clock timezone NZST 12 0
clock summer-time NZDT recurring last Sun Sep 2:00 1 Sun Apr 3:00
!
crypto pki trustpoint TP-self-signed-3647631588
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3647631588
 revocation-check none
 rsakeypair TP-self-signed-3647631588
!
!
crypto pki certificate chain TP-self-signed-3647631588
 certificate self-signed 01
blah blah blah
   quit
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.200.41.1 10.200.41.99
ip dhcp excluded-address 10.200.41.200 10.200.41.255
!
ip dhcp pool HT_QT
 import all
 network 10.200.41.0 255.255.255.0
 default-router 10.200.41.254
 dns-server 192.168.2.13 10.0.10.9
 domain-name blah blah blah
!
no ip bootp server
ip inspect name firewall tcp
ip inspect name firewall ftp
ip inspect name firewall https
ip inspect name firewall http
ip inspect name firewall sip
ip inspect name firewall pop3
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall icmp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall skinny
ip cef
no ipv6 cef
!

multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FGL1715245G
!
archive
 log config
  hidekeys
username admin privilege 15 password 0 blah
!

controller VDSL 0
!
ip tftp source-interface Vlan1
ip ssh version 1
!
crypto isakmp key blah hostname blah blah blah
!
crypto ipsec client ezvpn EZVPN_QLDC
 connect auto
 group ezvpn_ht_qt key blah
 mode network-extension
 peer vpn.qldc.govt.nz
 peer 210.55.20.210
 username ezvpn_ht_qt password blah
 xauth userid mode local
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description WAN_FW_OUTSIDE
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
interface FastEthernet0
 switchport access vlan 202
 switchport mode trunk
 switchport voice vlan 202
 bandwidth 500000
 no ip address
!
interface FastEthernet1
 switchport mode trunk
 switchport voice vlan 202
 no ip address
!
interface FastEthernet2
 switchport mode trunk
 switchport voice vlan 202
 no ip address
!
interface FastEthernet3
 switchport mode trunk
 switchport voice vlan 202
 no ip address
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 description Customer LAN
 ip address 10.200.41.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 ip virtual-reassembly in
 crypto ipsec client ezvpn EZVPN_QLDC inside
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username user@xtrabb.co.nz password 0 xtrabb07
 ppp ipcp dns request
 ppp ipcp route default
 no cdp enable
 crypto ipsec client ezvpn EZVPN_QLDC
!
ip forward-protocol nd
ip http server
ip http access-class 50
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 10.200.41.1 3389 interface Dialer0 3389
!
ip access-list extended SIP
!
dialer-list 1 protocol ip permit
!
snmp-server community qldcpub RO
snmp-server location Housing Trust
snmp-server contact System Administrator
access-list 50 remark Gen-I Dean Shaw home
access-list 50 permit 219.89.206.32
access-list 50 remark Access from QLDC External IP
access-list 50 permit 210.55.20.208 0.0.0.7
access-list 50 permit 125.236.56.40 0.0.0.7
access-list 50 permit 122.56.13.176 0.0.0.15
access-list 50 remark Access from Internal IPs
access-list 50 permit 10.0.0.0 0.255.255.255
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 remark DNS traffic
access-list 101 permit udp any eq domain any
access-list 101 remark NTP traffic
access-list 101 permit udp any any eq ntp
access-list 101 remark Crypto Traffic
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 remark Access from QLDC
access-list 101 permit ip 210.55.20.208 0.0.0.7 any
access-list 101 permit ip 125.236.56.40 0.0.0.7 any
access-list 101 permit ip 122.56.13.176 0.0.0.15 any
access-list 101 remark Spark Digital
access-list 101 permit ip host 219.88.71.1 any
access-list 101 permit ip 146.171.254.0 0.0.0.255 any
access-list 101 remark Other statements
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 deny   ip any any log
access-list 105 remark Traffic to NAT
access-list 105 permit ip 10.200.41.0 0.0.0.255 any
access-list 190 permit udp any any eq domain
access-list 199 permit ip any any
!
control-plane
!
banner login CCCCCCCCCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 logging synchronous
 login local
 no modem enable
 transport output telnet
 speed 115200
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 192.5.41.41 prefer source Dialer0
!
end

Any suggestions would be REALLY welcome.

5 Replies

Hello,

Basically, you need to make just a few adjustments:

controller VDSL 0
 operating mode adsl2+

Also, the PVC pair might have to be changed on your ATM point-to-point subinterface. If 'pvc 0/100' doesn't work, try changing it to 'pvc 0/38'.

What country are you in? I am just asking because a few settings could be country specific.

Hi Georg

Many thanks for your reply. I am in NZ. Managed to get it sorted with the help of a Spark engineer. Thanks again.

Hello Tim

Just out of curiosity, what changes did you make? PVC 0/100, by the way, is the right one for New Zealand...

No, it was a case of shutting down the ATM dialer and setting up the internal Ethernet0 interface
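
An added example, not part of the thread and not Cisco tooling: when the WAN path moves from the ATM dialer to Ethernet0 as the reply above describes, the ACL, inspection, NAT and EzVPN bindings on Dialer0 only keep covering the link if exactly one live interface feeds the dialer pool. This Python check runs over a constructed fragment; the `Ethernet0.10` subinterface and the PPPoE line in it are assumptions, since the final config was never posted.

```python
import re

# Constructed post-migration fragment (not from the thread). Ethernet0.10 and
# the PPPoE line are assumptions; the Dialer0 lines mirror the posted config.
SAMPLE = """\
interface Ethernet0.10
 pppoe-client dial-pool-number 1
interface ATM0
 shutdown
interface ATM0.1 point-to-point
 pvc 0/100
  dialer pool-member 1
interface Dialer0
 ip access-group 101 in
 ip nat outside
 ip inspect firewall out
 dialer pool 1
 crypto ipsec client ezvpn EZVPN_QLDC
"""

# Controls the original Dialer0 carried; each must survive the WAN move.
REQUIRED = {"inbound ACL": r"ip access-group \S+ in",
            "outbound inspection": r"ip inspect \S+ out",
            "NAT outside": r"ip nat outside",
            "EzVPN binding": r"crypto ipsec client ezvpn \S+"}

def parse_interfaces(cfg):
    blocks, cur = {}, None  # interface name -> stripped sub-commands
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None  # any other top-level line ends the block
    return blocks

def audit(cfg):
    blocks, findings = parse_interfaces(cfg), []
    def up(n):  # a subinterface is down if it or its parent is shut down
        return not any("shutdown" in blocks.get(x, []) for x in (n, n.split(".")[0]))
    for name, lines in blocks.items():
        for pool in re.findall(r"^dialer pool (\d+)$", "\n".join(lines), re.M):
            findings += [f"{name}: missing {k}" for k, p in REQUIRED.items()
                         if not any(re.fullmatch(p, l) for l in lines)]
            feed = re.compile(rf"(dialer pool-member|pppoe-client dial-pool-number) {pool}")
            live = [n for n, ls in blocks.items() if up(n) and any(map(feed.fullmatch, ls))]
            if len(live) != 1:
                findings.append(f"pool {pool}: live members {live}, expected exactly one")
    return findings
```

`audit(SAMPLE)` returns an empty list; removing the `shutdown` under ATM0 or the `ip access-group` line on Dialer0 produces a finding.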

Hello Tim

Could you please post your running config?

 

Avi
