02-25-2021 05:06 AM
Hi all, I think I am missing something really obvious in my config to get my router to work on a Virgin Media fibre connection.
Would anyone mind taking a look over my config and pointing out the obvious bit, which is stopping my router from getting an IP from Virgin?
My IP from my ISP is dynamic, but when connecting to my hub I cannot obtain any IP address.
When using BT ADSL lines I usually have to configure a dialer, but on this one I have no credentials as it's plugged into my Virgin Hub, which is in modem mode. I've never configured a WAN port before, so I am sure it too will have some sort of dialer interface.
Current configuration : 4319 bytes
!
! Last configuration change at 12:57:18 gmt Thu Feb 25 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mytestrouter
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret x
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
no ip source-route
!
ip domain name mytestdomain.local
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C927-4PM sn x
!
object-group network MYTEST-IPs
host X.X.X.X
host X.X.X.X
host X.X.X.X
!
vtp mode transparent
username administrator privilege 15 secret 5 X
username test privilege 2 secret 5 X
!
redundancy
!
controller VDSL 0
!
vlan 102
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address VPN-TRAFFIC
!
interface ATM0
description BT Business Broadband
no ip address
shutdown
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description Link to SWITCH
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport access vlan 102
no ip address
!
interface GigabitEthernet2
switchport access vlan 102
no ip address
!
interface GigabitEthernet3
switchport access vlan 102
no ip address
!
interface GigabitEthernet4
ip address dhcp client-id GigabitEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan102
description TEST subnet
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.202.1
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list natin interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
!
ip access-list standard natin
permit 0.0.0.0 255.255.255.0
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any
!
snmp-server community test-ro RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
*                                                           *
*   This device is owned and managed by ME.                 *
*   Unauthorized access is strictly prohibited.             *
*                                                           *
*************************************************************
^C
!
line con 0
privilege level 15
line 4
no activation-character
transport preferred none
transport input all
transport output all
stopbits 1
line vty 0 4
exec-timeout 1440 0
privilege level 15
transport input ssh
line vty 5 15
exec-timeout 1440 0
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
Thanks in advance!
02-25-2021 12:15 PM - edited 02-25-2021 12:16 PM
Hello,
make the changes/additions marked in bold (shown here with -->):
Current configuration : 4319 bytes
!
! Last configuration change at 12:57:18 gmt Thu Feb 25 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mytestrouter
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret x
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
no ip source-route
!
ip domain name mytestdomain.local
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C927-4PM sn x
!
object-group network MYTEST-IPs
host X.X.X.X
host X.X.X.X
host X.X.X.X
!
vtp mode transparent
username administrator privilege 15 secret 5 X
username test privilege 2 secret 5 X
!
redundancy
!
controller VDSL 0
!
vlan 102
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address VPN-TRAFFIC
!
interface ATM0
description BT Business Broadband
no ip address
shutdown
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description Link to SWITCH
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport access vlan 102
no ip address
!
interface GigabitEthernet2
switchport access vlan 102
no ip address
!
interface GigabitEthernet3
switchport access vlan 102
no ip address
!
interface GigabitEthernet4
--> ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan102
description TEST subnet
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.202.1
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
--> ip nat inside source list 1 interface GigabitEthernet4 overload
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
!
--> access-list 1 permit 10.11.102.0 0.0.0.255
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any
!
snmp-server community test-ro RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
* *
* This device is owned and managed by ME. *
* Unauthorized access is strictly prohibited. *
* *
*************************************************************
^C
!
line con 0
privilege level 15
line 4
no activation-character
transport preferred none
transport input all
transport output all
stopbits 1
line vty 0 4
exec-timeout 1440 0
privilege level 15
transport input ssh
line vty 5 15
exec-timeout 1440 0
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
02-26-2021 02:50 AM - edited 02-26-2021 03:30 AM
Thank you @Georg Pauwen, you are a life saver! Adding those extra lines allowed my router to connect.
My router gets an IP from Virgin and I can ping out from my router.
My VPN config must be slightly off too now. The VPN config currently on the router works on an ADSL line.
Do I need to adjust something slightly now to tell all traffic using Gi4 to use the VPN tunnel also?
My VPN settings are as follows:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key X address x.x.x.x
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer x.x.x.x
set transform-set TS
match address VPN-TRAFFIC
!
interface GigabitEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map VPN-TO-HQ
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any
Thank you for your help!
02-26-2021 04:03 AM
Hi there,
Your traffic from the 10.11.102.0/24 subnet is being translated before it reaches the crypto map. You want to create a NAT exemption:
!
access-list 110 deny ip 10.11.102.0 0.0.0.255 10.11.202.0 0.0.0.255
access-list 110 deny ip 10.11.102.0 0.0.0.255 <some_other_HQ_subnet_reached_via_VPN>
access-list 110 permit ip 10.11.102.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
no ip nat inside source list 1 interface GigabitEthernet4 overload
ip nat inside source route-map nonat interface GigabitEthernet4 overload
!
You may also want to keep the crypto ACL in line with the NAT exemption:
!
ip access-list extended VPN-TRAFFIC
no permit ip 10.11.102.0 0.0.0.255 any
permit ip 10.11.102.0 0.0.0.255 10.11.202.0 0.0.0.255
permit ip 10.11.102.0 0.0.0.255 <some_other_HQ_subnet_reached_via_VPN>
!
This will give you a split-tunnel setup.
cheers,
Seb.
02-26-2021 04:22 AM
Thank you @Seb Rupik
I have added the additional lines as suggested. I'm just a little confused by the <some_other_HQ_subnet_reached_via_VPN> tag.
We have many subnets in use at our HQ. Should this be a subnet local to the firewall? Or the actual firewall's IP address?
Thanks,
Becky
02-26-2021 04:57 AM
Looking at your previous config, it looks like all traffic went via the VPN to the HQ, even internet traffic.
Is this the case, or should only traffic going to HQ subnets use the VPN and internet traffic go direct?
Jon
02-26-2021 05:43 AM
Hi @Jon Marshall, yes, that's correct. We need all traffic to be tunneled to HQ, even internet traffic. Nothing should be going direct.
At the moment, though, the VPN isn't even connecting. The VPN configuration works on ADSL, so I must just have to tweak the WAN traffic to match, but I'm not sure how to achieve that.
02-26-2021 05:48 AM
If you need all traffic to go via the VPN, then just remove the NAT configuration, as you never go direct to the internet and it is the NAT configuration that is messing up the VPN.
Jon
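The three NAT answers in this thread (Georg's corrected access-list 1, Seb's route-map exemption, Jon's "remove NAT altogether") all turn on one IOS behaviour: for a packet going from an inside to an outside interface, IOS applies the NAT inside-to-outside translation before it evaluates the crypto map's `match address` ACL, so the crypto ACL sees the post-NAT source. The following is an added example, not code from the thread or from Cisco: a small Python model of that policy order (it models the ACL and NAT decisions only, not the real IOS data plane). The LAN host, the Gi4 DHCP lease and the internet destination are constructed addresses; 10.11.102.0/24, 10.11.202.1 and the ACLs are taken from the configs posted above. It also shows why the OP's original `natin` ACL (`permit 0.0.0.0 255.255.255.0`) translated almost nothing, which is the bug Georg's `access-list 1` fixes.

```python
# Added example: model of the IOS inside-to-outside order of operations
# (NAT inside->outside, THEN crypto map check). Not the thread's config
# and not Cisco code; addresses marked "constructed" are made up.
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # the IOS keyword 'any'


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, src, dst):
    """First matching ACE decides; every IOS ACL ends in an implicit deny.

    acl is a list of (action, (src_base, src_wildcard), (dst_base, dst_wildcard)).
    A standard ACL is expressed with ANY as its destination.
    """
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def forward_inside_to_outside(src, dst, nat_acl, crypto_acl, wan_ip):
    """Return (source address on the wire, encrypted?) for one LAN packet.

    nat_acl selects traffic for 'ip nat inside source ... overload' (either
    a standard ACL, or the extended ACL behind 'route-map nonat'). None
    means the NAT statement has been removed, as Jon suggests.
    """
    translated = nat_acl is not None and acl_permits(nat_acl, src, dst)
    post_nat_src = wan_ip if translated else src
    # The crypto map is checked AFTER NAT, so 'match address VPN-TRAFFIC'
    # is evaluated against the translated source address.
    encrypted = acl_permits(crypto_acl, post_nat_src, dst)
    return post_nat_src, encrypted


# --- sample addresses ------------------------------------------------------
LAN_HOST = "10.11.102.10"       # a host in Vlan102 (constructed)
HQ_DHCP = "10.11.202.1"         # the ip helper-address from the posted config
INTERNET_HOST = "203.0.113.7"   # documentation range, stands in for the internet
WAN_IP = "198.51.100.25"        # the DHCP lease Gi4 got from Virgin (constructed)

LAN = ("10.11.102.0", "0.0.0.255")
HQ = ("10.11.202.0", "0.0.0.255")

# OP's original: 'ip access-list standard natin / permit 0.0.0.0 255.255.255.0'.
# Wildcard 255.255.255.0 ignores the first three octets and requires the last
# octet to be 0, so only addresses ending in .0 are ever translated.
NATIN = [("permit", ("0.0.0.0", "255.255.255.0"), ANY)]


def natin_matches(addr):
    return acl_permits(NATIN, addr, INTERNET_HOST)


# Georg's fix: 'access-list 1 permit 10.11.102.0 0.0.0.255'
GEORG_NAT = [("permit", LAN, ANY)]
# Crypto ACL as posted: 'permit ip 10.11.102.0 0.0.0.255 any' (full tunnel)
FULL_TUNNEL_ACL = [("permit", LAN, ANY)]

# Seb's NAT exemption: access-list 110 behind 'route-map nonat'
SEB_NONAT = [("deny", LAN, HQ), ("permit", LAN, ANY)]
# ...with the crypto ACL narrowed to match it (split tunnel)
SPLIT_ACL = [("permit", LAN, HQ)]

if __name__ == "__main__":
    print("natin translates", LAN_HOST, "->", natin_matches(LAN_HOST))
    print("Georg NAT + full-tunnel ACL, LAN -> HQ:",
          forward_inside_to_outside(LAN_HOST, HQ_DHCP, GEORG_NAT, FULL_TUNNEL_ACL, WAN_IP))
    print("Seb exemption, LAN -> HQ:",
          forward_inside_to_outside(LAN_HOST, HQ_DHCP, SEB_NONAT, SPLIT_ACL, WAN_IP))
    print("Seb exemption, LAN -> internet:",
          forward_inside_to_outside(LAN_HOST, INTERNET_HOST, SEB_NONAT, SPLIT_ACL, WAN_IP))
    print("Jon, no NAT + full-tunnel ACL, LAN -> internet:",
          forward_inside_to_outside(LAN_HOST, INTERNET_HOST, None, FULL_TUNNEL_ACL, WAN_IP))
```

With Georg's `access-list 1` and the posted crypto ACL, a packet from 10.11.102.10 to 10.11.202.1 leaves as 198.51.100.25 and never matches `VPN-TRAFFIC`, which is exactly Seb's "translated before it reaches the crypto map". Seb's route-map exempts HQ-bound traffic and yields a split tunnel; with no NAT statement at all, every LAN packet keeps its 10.11.102.x source and matches the full-tunnel ACL, which is the behaviour the OP asked for.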
02-26-2021 06:38 AM
@Jon Marshall I feel a little silly, but I am still struggling with this. I have removed all of the NAT config and it still will not establish the VPN.
Is something still wrong?
Current configuration : 4205 bytes
!
! Last configuration change at 14:17:49 gmt Fri Feb 26 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 X
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
no ip source-route
!
ip domain name MYTEST
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C927-4PM sn FGL2447L522
!
object-group network MY-IPs
host X.X.X.X
!
vtp mode transparent
username administrator privilege 15 secret 5 X
!
redundancy
!
controller VDSL 0
!
vlan 102
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key X address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address VPN-TRAFFIC
!
interface ATM0
description BT Business Broadband
no ip address
shutdown
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description Link to MYSWITCH
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport access vlan 102
no ip address
!
interface GigabitEthernet2
switchport access vlan 102
no ip address
!
interface GigabitEthernet3
description MY LAPTOP PLUGGED IN
switchport access vlan 102
no ip address
!
interface GigabitEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map VPN-TO-HQ
!
interface Vlan1
no ip address
shutdown
!
interface Vlan102
description MY subnet
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.202.1
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
crypto map VPN-TO-HQ
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any
!
snmp-server community MY RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
*                                                           *
*   This device is owned and managed by ME.                 *
*   Unauthorized access is strictly prohibited.             *
*                                                           *
*************************************************************
^C
!
line con 0
privilege level 15
line 4
no activation-character
transport preferred none
transport input all
transport output all
stopbits 1
line vty 0 4
exec-timeout 1440 0
privilege level 15
transport input ssh
line vty 5 15
exec-timeout 1440 0
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end
02-26-2021 06:49 AM - edited 02-26-2021 06:50 AM
Can you remove "ip nat inside" and "crypto map VPN-to-HQ" from the vlan 102 interface as they are not needed.
I assume you can ping the peer IP x.x.x.x ?
If so, and after removing the above it still does not work, try "debug crypto isakmp" and "debug crypto ipsec sa" to see what is happening.
Jon
02-26-2021 07:31 AM
You @Jon Marshall are a genius! Thank you for your patience.
I removed those two lines; it didn't work to start with, so I rebooted the Cisco router and the Virgin Hub, and it worked straight after!
All sorted now and I can happily report back that all is working as hoped!
02-26-2021 07:39 AM
No problem, glad it's all working now.
Jon
02-25-2021 12:23 PM
Hi there,
A common gotcha with the VM home hubs is that when in modem mode only one of the switchports is functional. Can you confirm that the C927 Gi4 is connected to Port 1 on the home hub?
cheers,
Seb.
02-26-2021 02:53 AM
Thanks for the suggestion, it's worth knowing that for the future. I was already in port 1 on the hub though.