BeckyBoo123
Beginner

Cisco C927 with Virgin Media connection

Hi all, I think I am missing something really obvious in my config to get my router to work on a Virgin Media fibre connection.

Would anyone mind taking a look over my config and pointing out the obvious bit, which is stopping my router from getting an IP from Virgin?

 

My IP from my ISP is dynamic but when connecting to my hub, I cannot obtain any IP address.

 

When using BT ADSL lines I usually have to configure a dialer, but on this one I have no credentials as it's plugged into my Virgin Hub, which is in modem mode. I've never configured a WAN port before, so I am sure it too will have some sort of dialer interface.

 

Current configuration : 4319 bytes
!
! Last configuration change at 12:57:18 gmt Thu Feb 25 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mytestrouter
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret x
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
ip domain name mytestdomain.local
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid C927-4PM sn x
!
!
object-group network MYTEST-IPs
 host X.X.X.X
 host X.X.X.X
 host X.X.X.X
!
vtp mode transparent
username administrator privilege 15 secret 5 X
username test privilege 2 secret 5 X
!
redundancy
!
!
!
!
!
controller VDSL 0
!
vlan 102
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key XXX address X.X.X.X
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface ATM0
 description BT Business Broadband
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 description Link to SWITCH
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet4
 ip address dhcp client-id GigabitEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
!
interface Vlan102
 description TEST subnet
 ip address 10.11.102.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list natin interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
!
ip access-list standard natin
 permit 0.0.0.0 255.255.255.0
!

ip access-list extended VPN-TRAFFIC
 permit ip 10.11.102.0 0.0.0.255 any
!
!
!
snmp-server community test-ro RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
!
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
*                                                           *
* This device is owned and managed by ME. *
* Unauthorized access is strictly prohibited.               *
*                                                           *
*************************************************************
^C
!
line con 0
 privilege level 15
line 4
 no activation-character
 transport preferred none
 transport input all
 transport output all
 stopbits 1
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks in advance!

Georg Pauwen
VIP Expert

Hello,

 

make the changes/additions marked in bold:

 

Current configuration : 4319 bytes
!
! Last configuration change at 12:57:18 gmt Thu Feb 25 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mytestrouter
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret x
!
aaa new-model
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
no ip source-route
!
ip domain name mytestdomain.local
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C927-4PM sn x
!
object-group network MYTEST-IPs
host X.X.X.X
host X.X.X.X
host X.X.X.X
!
vtp mode transparent
username administrator privilege 15 secret 5 X
username test privilege 2 secret 5 X
!
redundancy
!
controller VDSL 0
!
vlan 102
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key XXX address X.X.X.X
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
set peer X.X.X.X
set transform-set TS
match address VPN-TRAFFIC
!
interface ATM0
description BT Business Broadband
no ip address
shutdown
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description Link to SWITCH
switchport mode trunk
no ip address
!
interface GigabitEthernet1
switchport access vlan 102
no ip address
!
interface GigabitEthernet2
switchport access vlan 102
no ip address
!
interface GigabitEthernet3
switchport access vlan 102
no ip address
!
interface GigabitEthernet4
--> ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface Vlan1
no ip address
!
interface Vlan102
description TEST subnet
ip address 10.11.102.254 255.255.255.0
ip helper-address 10.11.202.1
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
--> ip nat inside source list 1 interface GigabitEthernet4 overload
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
!
--> access-list 1 permit 10.11.102.0 0.0.0.255
!
ip access-list extended VPN-TRAFFIC
permit ip 10.11.102.0 0.0.0.255 any
!
snmp-server community test-ro RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
* *
* This device is owned and managed by ME. *
* Unauthorized access is strictly prohibited. *
* *
*************************************************************
^C
!
line con 0
privilege level 15
line 4
no activation-character
transport preferred none
transport input all
transport output all
stopbits 1
line vty 0 4
exec-timeout 1440 0
privilege level 15
transport input ssh
line vty 5 15
exec-timeout 1440 0
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
!
end

Thank you @Georg Pauwen, you are a life saver! Adding those extra lines allowed my router to connect.

My router gets an IP from Virgin and I can ping out from my router.

 

My VPN config must be slightly off too now. The VPN config currently on the router works on an ADSL line. 

Do I need to adjust something slightly now to tell all traffic using Gi4 to use the VPN tunnel also?

 

My VPN settings are as follows:

 

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key X address x.x.x.x

crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel

crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set TS
 match address VPN-TRAFFIC

interface GigabitEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN-TO-HQ

ip access-list extended VPN-TRAFFIC
 permit ip 10.11.102.0 0.0.0.255 any

Thank you for your help!

Hi there,

Your traffic from the 10.11.102.0/24 subnet is being translated before it reaches the crypto map. You want to create a NAT exemption :

 

 

!
access-list 110 deny ip 10.11.102.0 0.0.0.255 10.11.202.0 0.0.0.255
access-list 110 deny ip 10.11.102.0 0.0.0.255 <some_other_HQ_subnet_reached_via_VPN>
access-list 110 permit ip 10.11.102.0 0.0.0.255 any
!
route-map nonat permit 10
  match ip address 110 
!
no ip nat inside source list 1 interface GigabitEthernet4 overload
ip nat inside source route-map nonat interface GigabitEthernet4 overload 
!

You may also want to keep the crypto ACL in line with the NAT exemption:

 

 

!
ip access-list extended VPN-TRAFFIC
  no permit ip 10.11.102.0 0.0.0.255 any
  permit ip 10.11.102.0 0.0.0.255 10.11.202.0 0.0.0.255
  permit ip 10.11.102.0 0.0.0.255 <some_other_HQ_subnet_reached_via_VPN>
!

 

This will give you a split-tunnel setup.

 

cheers,

Seb.

 

Thank you @Seb Rupik 

I have added the additional lines as suggested. I'm just a little confused by the <some_other_HQ_subnet_reached_via_VPN> tag.

We have many subnets in use at our HQ. Should this be a subnet local to the firewall? Or the actual firewall's IP address?

 

Thanks,

Becky

 

Looking at your previous config it looks like all traffic went via the VPN to the HQ even internet traffic. 

 

Is this the case, or should only traffic going to HQ subnets use the VPN and internet traffic go direct?

 

Jon

Hi @Jon Marshall, yes that's correct. We need all traffic to be tunneled to HQ, even internet traffic. Nothing should be going direct.

At the moment though, the VPN isn't even connecting. The VPN configuration works on ADSL so I must just have to tweak the WAN traffic to match but not sure how to achieve that.

 

If you need all traffic to go via the VPN then just remove the NAT configuration, as you never go direct to the internet and it is the NAT configuration that is messing up the VPN.

 

Jon

@Jon Marshall I feel a little silly but I am still struggling with this. I have removed all of the NAT config and it still will not establish the VPN.

Is something still wrong?

 

Current configuration : 4205 bytes
!
! Last configuration change at 14:17:49 gmt Fri Feb 26 2021 by administrator
!
version 15.8
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname MYROUTER
!
boot-start-marker
boot-end-marker
!
!
no logging console
enable secret 5 X
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
ip domain name MYTEST
ip name-server 10.11.2.5
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid C927-4PM sn FGL2447L522
!
!
object-group network MY-IPs
 host X.X.X.X
 
vtp mode transparent
username administrator privilege 15 secret 5 X
redundancy
!
!
!
!
!
controller VDSL 0
!
vlan 102
!
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key X address X.X.X.X
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map VPN-TO-HQ 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
interface ATM0
 description BT Business Broadband
 no ip address
 shutdown
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 description Link to MYSWITCH
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet3
 description MY LAPTOP PLUGGED IN
 switchport access vlan 102
 no ip address
!
interface GigabitEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN-TO-HQ
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan102
 description MY subnet
 ip address 10.11.102.254 255.255.255.0
 ip helper-address 10.11.202.1
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 crypto map VPN-TO-HQ
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4 dhcp
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.11.102.0 0.0.0.255 any
!
!
!
snmp-server community MY RO
snmp-server location MYHOUSE
snmp-server contact ME
snmp-server chassis-id MYROUTER
tftp-server flash:/firmware/vadsl_module_img.bin
!
!
!
control-plane
!
privilege exec level 2 show startup-config
privilege exec level 2 show
banner motd ^C
*************************************************************
*                                                           *
* This device is owned and managed by ME. *
* Unauthorized access is strictly prohibited.               *
*                                                           *
*************************************************************
^C
!
line con 0
 privilege level 15
line 4
 no activation-character
 transport preferred none
 transport input all
 transport output all
 stopbits 1
line vty 0 4
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
line vty 5 15
 exec-timeout 1440 0
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Can you remove "ip nat inside" and "crypto map VPN-to-HQ" from the vlan 102 interface as they are not needed. 

 

I assume you can ping the peer IP x.x.x.x?

 

If so, and after removing the above it still does not work, try "debug crypto isakmp" and "debug crypto ipsec sa" to see what is happening.

Jon

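As an added example (not from the thread or any of its participants), a small Python check that flags the three problems the replies above identified: Jon's crypto map applied on the `ip nat inside` VLAN interface, Seb's NAT translating VPN-bound traffic before the crypto ACL sees it, and Georg's default route without the `dhcp` keyword. The sample config is constructed in the shape of Becky's, and the ACL parsing is limited to numbered ACLs.

```python
import re

# Constructed sample shaped like the thread's second config (not a copy of it).
BROKEN = """\
interface GigabitEthernet4
 ip address dhcp
 crypto map VPN-TO-HQ
!
interface Vlan102
 ip address 10.11.102.254 255.255.255.0
 ip nat inside
 crypto map VPN-TO-HQ
!
ip nat inside source list 1 interface GigabitEthernet4 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet4
access-list 1 permit 10.11.102.0 0.0.0.255
"""

def parse_interfaces(cfg):
    """Map each 'interface X' block to its stripped sub-commands."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith(" ") and cur is not None:
            ifaces[cur].append(line.strip())
        else:
            cur = None  # '!' or a global command ends the block
    return ifaces

def check_vpn_nat(cfg):
    """Return a finding string for each of the thread's three mistakes present."""
    findings, ifaces = [], parse_interfaces(cfg)
    for name, cmds in ifaces.items():
        if any(c.startswith("crypto map ") for c in cmds) and "ip nat inside" in cmds:
            findings.append(f"{name}: crypto map applied on an 'ip nat inside' interface")
    # A numbered NAT ACL with no deny translates VPN-bound packets before the crypto
    # ACL is consulted, so they never match it (named NAT ACLs are not parsed here).
    for acl in re.findall(r"^ip nat inside source list (\S+) ", cfg, re.M):
        actions = re.findall(rf"^access-list {re.escape(acl)} (permit|deny) ", cfg, re.M)
        if actions and "deny" not in actions:
            findings.append(f"NAT ACL {acl}: no exemption for VPN traffic")
    # Default route out of a DHCP-addressed interface without the 'dhcp' keyword.
    for intf, rest in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)$", cfg, re.M):
        dhcp_if = any(c.startswith("ip address dhcp") for c in ifaces.get(intf, []))
        if dhcp_if and "dhcp" not in rest.split():
            findings.append(f"default route via DHCP interface {intf} lacks 'dhcp'")
    return findings
```

Running `check_vpn_nat(BROKEN)` reports all three findings; after Jon's fix (NAT removed, crypto map only on Gi4) it returns an empty list.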

You @Jon Marshall are a genius! Thank you for your patience.

I removed those 2 lines, it didn't work to start so I rebooted the Cisco router and the Virgin Hub and it worked straight after!

 

All sorted now and I can happily report back that all is working as hoped!

 

No problem, glad it's all working now. 

 

Jon

Seb Rupik
VIP Advisor

Hi there,

A common gotcha with the VM home hubs, is that when in modem mode only one of the switchports is functional. Can you confirm that the C927 Gi4 is connected to the Port1 on the home hub?

 

cheers,

Seb.

Thanks for the suggestion, it's worth knowing that for the future. I was already into port 1 on the hub though.