02-25-2019 07:38 AM
Hi all,
I've got a Dialer going through a PPPoE connection. If I connect a laptop directly to the PPPoE connection then I get internet access fine, but not from a Cisco 4432. I have noticed that the ACL assigned to the Dialer interface is not showing any matches despite putting a deny any any statement on there.
Should I expect to see any matches when using a Dialer?
Thanks
Ian
02-25-2019 07:58 AM
What is your laptop IP when you connected and tested?
Can you post the 4432 configuration to have a look and advise?
02-25-2019 08:07 AM
Thanks, I get the WAN IP (74.55.32.177, although this isn't the "real" IP), but this works fine.
Building configuration...
Current configuration : 11126 bytes
!
! Last configuration change at 20:07:25 GMT Wed Feb 20 2019 by ictadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname company2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Y1st$Y7mKB1FxUfEpukhM9Mf39.
enable password 7 044F18130D204747584B56
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn_aaa local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp pool companyguest
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.10.10.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
crypto pki trustpoint secure.company.co.uk
enrollment mode ra
enrollment url http://secure.company.co.uk:80/certsrv/mscep/mscep.dll
subject-name cn=secure.company.co.uk,OU=company,L=Nottingham,C=GB
revocation-check none
rsakeypair rsakey
!
crypto pki trustpoint TP-self-signed-1621321660
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1621321660
revocation-check none
rsakeypair TP-self-signed-1621321660
!
!
crypto pki certificate chain secure.company.co.uk
crypto pki certificate chain TP-self-signed-1621321660
certificate self-signed 01
quit
license udi pid ISR4331/K9 sn FDO21041AT4
license boot suite FoundationSuiteK9
!
spanning-tree extend system-id
!
username scsupport privilege 15 password 7 1501040A10292A30796166
username ictadmin privilege 15 secret 5 $1$kcmM$5dkOZ4RjoWxsfj6m/Qkki/
username companyict privilege 15 secret 5 $1$CXwV$CUAMtm8.f6o1GkOzXbUE/1
username ictuk password 7 094A1F1B4A07470A
username ict secret 5 $1$dlAM$LhGUcfVtkHFZZrfpY/RX60
!
redundancy
mode none
!
crypto ikev2 authorization policy ikev2-auth-policy
pool LANPOOL
!
crypto ikev2 authorization policy ikev2-propl
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 2
crypto ikev2 proposal ikev2-prop1
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy IKEv2-pol
! Policy Incomplete(MUST have atleast one complete proposal attached)
crypto ikev2 policy IKEv2-prop1
proposal IKEv2-prop1
crypto ikev2 policy ikev2-pol
! Policy Incomplete(MUST have atleast one complete proposal attached)
!
!
crypto ikev2 profile anyconnect-EAP
! Profile incomplete (no local and/or remote authentication method specified)
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
!
crypto ikev2 profile AnyConnect-EAP
! Profile incomplete (no local and/or remote authentication method specified)
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
pki trustpoint secure.company.co.uk
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group anyconnect-eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user anyconnect-eap cached
virtual-template 100
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
authentication pre-share
lifetime 28800
crypto isakmp key LvkBGk97v6 address 157.5.72.121
crypto isakmp key @jasdjgGJUIH87!* address 191.143.4.214
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set NLSET esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set ESP-3DES-SHA1
!
!
!
crypto map NLVPN 20 ipsec-isakmp
set peer 191.143.4.214
set transform-set NLSET
match address 101
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 110.56.154.193 255.255.255.252
ip mtu 1350
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 157.5.72.121
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0/0
description LeasedLine
ip address 190.192.234.101 255.255.255.252
ip nat outside
no negotiation auto
!
interface GigabitEthernet0/0/1
description BT FTTC
no ip address
speed 100
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
description company_LAN
ip address 192.168.2.10 255.255.192.0
ip nat inside
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/2.1
description company Guest Wifi DHCP
encapsulation dot1Q 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.1.1.28 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interf
no ip address
shutdown
!
interface Dialer0
no ip address
!
interface Dialer1
ip address 74.55.32.177 255.255.255.248
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname company-012@adsllogin.co.uk
ppp chap password 7 025E5D083B293F701E1759
ppp pap sent-username company-012@adsllogin.co.uk password 7 0914175A292A2743595554
crypto map NLVPN
!
ip local pool webvpn-pool 192.168.3.150 192.168.3.200
ip nat inside source static 192.168.2.111 110.56.154.117
ip nat inside source static 192.168.2.110 110.56.154.118
ip nat inside source static 192.168.2.112 110.56.154.119
ip nat inside source static 192.168.3.35 110.56.154.120
ip nat inside source static 192.168.2.107 110.56.154.121
ip nat inside source static 192.168.3.29 110.56.154.122
ip nat inside source static 192.168.3.30 110.56.154.123
ip nat inside source static 192.168.3.28 110.56.154.124
ip nat inside source static 192.168.3.32 110.56.154.125
ip nat inside source static 192.168.3.38 110.56.154.126
ip nat inside source static 192.168.3.40 110.56.154.127
ip nat inside source static 192.168.2.108 110.56.154.128
ip nat inside source static 192.168.3.6 110.56.154.134
ip nat inside source static tcp 192.168.2.9 8888 190.192.234.101 656 extendable
ip nat inside source static tcp 192.168.2.13 5555 190.192.234.101 5555 extendable
ip nat inside source list 100 interface Tunnel0 overload
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 102 interface Dialer1 overload
ip forward-protocol nd
ip ftp username ict
ip ftp password 7 120F1D4546415D54382E203B
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1 10
ip route 154.8.142.109 255.255.255.255 Tunnel0
ip route 154.8.142.110 255.255.255.255 Tunnel0
ip route 154.8.142.111 255.255.255.255 Tunnel0
ip route 154.8.142.112 255.255.255.255 Tunnel0
ip route 154.8.142.113 255.255.255.255 Tunnel0
ip route 192.168.64.0 255.255.192.0 192.168.2.254
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list extended TAC
permit ip any host 192.168.2.18
permit ip host 192.168.2.18 any
!
logging trap notifications
logging facility local0
logging host 192.168.2.18
access-list 20 permit 192.168.0.0 0.0.63.255
access-list 100 permit ip 192.168.0.0 0.0.63.255 154.8.142.108 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 154.8.142.110 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 154.8.142.112 0.0.0.1
access-list 100 permit ip host 110.56.154.229 154.8.142.108 0.0.0.1
access-list 100 permit ip host 110.56.154.229 154.8.142.110 0.0.0.1
access-list 100 permit ip host 110.56.154.229 154.8.142.112 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 154.8.142.110 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 154.8.142.108 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 154.8.142.112 0.0.0.1
access-list 101 permit ip 192.168.0.0 0.0.63.255 any
access-list 102 permit icmp any any echo
access-list 102 permit ip any any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 175 deny ip 192.168.0.0 0.0.63.255 192.168.64.0 0.0.63.255
access-list 175 permit ip 192.168.0.0 0.0.63.255 any
dialer-list 1 protocol ip permit
!
snmp-server community public RO
snmp-server community private RW
!
!
!
!
control-plane
!
banner motd ^CC
WARNING: IF YOU ARE NOT AUTHORIZED TO ACCESS THIS SYSTEM OR IF YOU
INTEND TO USE THIS SYSTEM BEYOND THE SCOPE OF YOUR AUTHORIZATION,
DISCONNECT IMMEDIATELY.
This computer system is for authorized users only. Individuals
using this system without authority, or in excess of their
authority, are subject to having all of their activities monitored
and recorded by system personnel. In the course of monitoring
individuals improperly using this system or in the course of system
maintenance, the activities of authorized users may also be
monitored. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
monitoring information and logs as evidence to law enforcement
officials. Crimes may be prosecuted to the fullest extent possible
under state and federal law.
^C
!
line con 0
password 7 105A1A0C071619025D5679
stopbits 1
line aux 0
stopbits 1
line vty 0
privilege level 15
password 7 014B0A11550F031D7914160B360423
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
line vty 5 14
privilege level 15
transport input ssh
line vty 15
privilege level 15
logging synchronous
transport input ssh
!
!
end
02-25-2019 08:27 AM - edited 02-25-2019 08:28 AM
Hi,
IP access-list 102 is not configured properly:
access-list 102 permit 192.168.0.0 0.0.63.255 any
Regards,
Deepak Kumar
02-25-2019 08:33 AM
Thanks, I've tried that but I'm still not able to connect from the LAN or see any matches on the ACLs.
02-25-2019 08:38 AM
02-25-2019 08:41 AM
No, but that ACL is applied to the leased line, which I've disconnected to discount it from the issue. Shall I re-connect it to see if that DOES get anything (I'll need to change the default route as well)?
02-28-2019 01:14 AM
FYI, I've deleted the ACL and created a new one, and I can see matches from the test PC on the LAN for echo but NONE for echo-reply, if that helps?
One thing I could do with being able to clarify: should I be able to ping 8.8.8.8 from the router itself using the LAN interface IP (192.168.2.10) as the source? I'm using that to confirm whether it's working or not, but there are NO matches on the ACL when I ping this way.
02-28-2019 02:02 AM
I think I might've found the issue. If I ping from a test PC on the LAN, the NAT translation is showing the ICMP going out the disconnected leased line interface instead of the PPPoE dialer interface, even though I've set the default route to the dialer interface and the leased line isn't even in the routing table?
Any ideas on this ?
Thanks
02-28-2019 03:43 AM
I've removed the NAT rule from the leased line and put it solely on the PPPoE line, and it's working fine. It looks like it's NATting twice for some reason, so the LAN PC will NAT to the leased line, which in turn NATs to the PPPoE line and as such can't return, rather than just NATting straight to the PPPoE line.
Is there something I need to do here?
Thanks
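A small audit script, added here and not part of the thread or of any Cisco tooling, that checks an IOS config for the two things this thread turned on: several `ip nat inside source list ... overload` rules bound to different outside interfaces while only one of them is the default-route egress, and a NAT ACL that permits `ip any any` (the fix Deepak suggested scopes it to the inside LAN). The excerpt is constructed from the posted configuration; the ACL 102 `permit ip any any` line is assumed.

```python
import re

# Constructed excerpt of the thread's IOS config (not the full dump).
CONFIG = """\
ip nat inside source list 100 interface Tunnel0 overload
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 102 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 10
access-list 100 permit ip 192.168.0.0 0.0.63.255 154.8.142.108 0.0.0.1
access-list 101 permit ip 192.168.0.0 0.0.63.255 any
access-list 102 permit ip any any
"""

NAT_RE = re.compile(r"ip nat inside source list (\S+) interface (\S+) overload")
ROUTE_RE = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")
ACL_RE = re.compile(r"access-list (\S+) (permit|deny) (.+)")


def parse(config):
    """Collect NAT overload rules, numbered ACL entries and the default-route egress."""
    nat, acls, default = [], {}, None
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            nat.append((m.group(1), m.group(2)))          # (acl, outside interface)
        elif m := ROUTE_RE.match(line):
            default = m.group(1)                          # interface of 0.0.0.0/0
        elif m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return nat, acls, default


def audit(config):
    """Return findings about overlapping NAT overload rules and over-broad NAT ACLs."""
    nat, acls, default = parse(config)
    findings = []
    for acl, iface in nat:
        if acl not in acls:
            findings.append(f"NAT list {acl} on {iface} references an ACL that is not defined")
        elif any(a == "permit" and m.startswith("ip any any") for a, m in acls[acl]):
            findings.append(f"ACL {acl} on {iface} permits ip any any; scope it to the inside LAN")
        if iface != default:
            # The thread's symptom: a flow translated on one outside interface can be
            # translated again when the default route actually exits elsewhere.
            findings.append(f"NAT overload on {iface} while the default route exits {default}; review it")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(CONFIG)))
```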