03-08-2013 08:30 AM - edited 03-04-2019 07:14 PM
I am doing a booth at the end of this month. They have public WIFI access. I'd like to bring some phones with me to connect back to my hub router. My thoughts are to connect my laptop to the wifi, bridge the wireless card to the LAN card, and then connect my 871W to the laptop. Then just have a multipoint GRE tunnel from the 871W back to the hub. Anyone see any issues with the setup?
03-15-2013 01:40 PM
Unfortunately, even turning on NAT didn't help. I did get a few more results. The hub side said "incomplete" when I do a 'show ip nhrp'. That never appeared at all. The spoke still says it was created, but I know it's not up yet. The Tunnel interface is up/up on both sides, but it never completely establishes. I'm not even concentrating on the LAN subnets right now. Just being able to ping the other side of the tunnel will suffice. I'm starting to think maybe my HUB side is messed up. Below is the hub config. Maybe I am doing something wrong.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 13:33:50 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...
Current configuration : 11833 bytes
!
! Last configuration change at 13:30:10 Arizona Fri Mar 15 2013 by robert.l.craig
! NVRAM config last updated at 13:30:11 Arizona Fri Mar 15 2013 by robert.l.craig
! NVRAM config last updated at 13:30:11 Arizona Fri Mar 15 2013 by robert.l.craig
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M4.bin
boot system flash:c3825-adventerprisek9-mz.151-4.M6.bin
boot-end-marker
!
!
no logging console
enable secret XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 192.168.4.44 auth-port 1812 acct-port 1813
!
aaa authentication login default group RadiusServers local
aaa authentication login vty_ssh group RadiusServers local
aaa authentication enable default enable
aaa authorization network default group RadiusServers local
aaa accounting exec default
action-type start-stop
group RadiusServers
!
!
!
!
!
!
aaa session-id common
!
clock timezone Arizona -7 0
!
crypto pki token default removal timeout 0
!
!
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name craig.net
ip name-server 4.2.2.1
ip multicast-routing
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW ntp
ip inspect name FW tftp
ip inspect name FW sip
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
voice-card 0
!
!
!
!
!
!
!
!
!
license udi pid CISCO3825 sn FTX1041A39S
archive
log config
hidekeys
username craigrobertlee privilege 15 password XXXXXXXXXXXXXXXXXX
!
redundancy
!
!
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh version 2
!
class-map match-any VOIP_TRAFFIC
match ip dscp ef
match protocol rtp
!
!
policy-map Voip-for-Tunnel-to-Rogers
class VOIP_TRAFFIC
priority percent 50
class class-default
bandwidth remaining percent 99
policy-map Tunnel-to-Rogers
class class-default
shape average 5000000
service-policy Voip-for-Tunnel-to-Rogers
policy-map VOIP_POLICY
class VOIP_TRAFFIC
priority percent 50
class class-default
bandwidth remaining percent 99
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key XXXXXXXXXXXXXXX address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpn_client
key XXXXXXXXXXXXXXXXXXXXXXXXXXX
dns 192.168.1.126 192.168.15.10
domain atw.local
pool vpn-pool
acl VPN-CLIENT
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto ipsec profile CRYPTO-GRE
set security-association lifetime seconds 86400
set transform-set VPNSET
!
crypto ipsec profile Rogers-VPN
set transform-set ESP-3DES-SHA
!
crypto ipsec profile VPN-Clients
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.0.5 255.255.255.255
ip ospf 1 area 0
!
interface Tunnel1
bandwidth 5000
bandwidth receive 2000
ip address 10.10.10.1 255.255.255.248
ip mtu 1278
load-interval 30
qos pre-classify
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 184.X.X.X
tunnel protection ipsec profile Rogers-VPN
service-policy output Tunnel-to-Rogers
!
interface Tunnel2
ip address 10.77.140.2 255.255.255.0
no ip redirects
ip mtu 1472
ip nhrp map 10.77.140.1 8.11.X.X
ip nhrp map multicast 8.11.X.X
ip nhrp network-id XX
ip nhrp nhs 10.77.140.1
ip tcp adjust-mss 1400
load-interval 30
keepalive 10 3
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XX
!
interface Tunnel5
description Test DMVPN
ip address 10.10.20.1 255.255.255.0
no ip redirects
ip mtu 1472
ip nhrp map multicast dynamic
ip nhrp network-id XX
ip tcp adjust-mss 1400
ip ospf network broadcast
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XX
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
bandwidth 5000
ip address dhcp
ip access-group Outside_In in
ip access-group BLOCK_PRIV_ADDRS out
ip nat outside
ip inspect FW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
media-type rj45
no cdp enable
service-policy output VOIP_POLICY
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip ospf 1 area 0
load-interval 30
duplex auto
speed auto
media-type rj45
!
router ospf 1
redistribute static subnets
passive-interface default
no passive-interface Tunnel1
network 10.10.10.0 0.0.0.255 area 0
network 10.10.20.0 0.0.0.255 area 0
network 192.168.0.5 0.0.0.0 area 0
network 192.168.2.0 0.0.0.255 area 0
network 192.168.3.0 0.0.0.255 area 0
distribute-list Deny_OSPF_Routes out
!
ip local pool vpn-pool 192.168.0.129 192.168.0.140
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.4.48 443 interface GigabitEthernet0/0 443
ip nat inside source static tcp 192.168.4.48 22 interface GigabitEthernet0/0 22
ip nat inside source static tcp 192.168.4.48 21 interface GigabitEthernet0/0 21
ip nat inside source static udp 192.168.4.2 5060 interface GigabitEthernet0/0 5060
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 8.11.254.0 255.255.255.0 10.77.140.1 name Smartchoice
ip route 8.11.254.245 255.255.255.255 GigabitEthernet0/0
ip route 8.22.188.0 255.255.255.0 10.77.140.1 name Smartchoice
ip route 8.22.188.100 255.255.255.255 GigabitEthernet0/0
ip route 10.77.146.0 255.255.255.0 192.168.0.2
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
ip route 192.168.4.0 255.255.255.224 192.168.0.2
ip route 192.168.4.32 255.255.255.224 192.168.0.2
ip route 192.168.4.64 255.255.255.224 192.168.0.2
ip route 192.168.4.96 255.255.255.224 192.168.0.2
ip route 192.168.4.128 255.255.255.224 192.168.0.2
ip route 192.168.50.0 255.255.255.0 10.10.20.2 name Test
!
ip access-list standard CME-SIP-Traffic
permit 192.168.2.6
ip access-list standard Deny_OSPF_Routes
deny 8.11.254.245
deny 8.22.188.0
deny 8.22.188.100
deny 10.77.140.0
deny 10.77.146.0
deny 172.19.73.13
deny 8.11.254.0
permit any
ip access-list standard SNMP
permit 192.168.4.48
ip access-list standard Test
permit any
ip access-list standard Test_In
permit any
!
ip access-list extended BLOCK_PRIV_ADDRS
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
ip access-list extended NO_NAT_WAN
deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
deny ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.15.0 0.0.0.255
deny ip 192.168.4.0 0.0.0.255 192.168.16.0 0.0.0.255
permit ip 192.168.0.0 0.0.3.255 any
permit ip 192.168.4.0 0.0.0.255 any
ip access-list extended Outside_In
permit udp any any eq bootpc log
permit udp any any eq bootps log
permit udp any eq bootps any eq bootpc log
permit udp any host 68.3.X.X eq isakmp log
permit udp any host 68.3.X.X eq non500-isakmp log
permit esp any host 68.3.X.X log
permit tcp any host 68.3.X.X eq 443 log
permit ip host 8.11.X.X host 68.3.X.X log
permit udp any eq domain host 68.3.X.X log
permit udp any host 68.3.102.45 range 16384 32767 log
permit ip host 216.115.69.144 host 68.3.X.X log
permit ip host 70.167.153.130 host 68.3.X.X log
permit ip host 50.63.176.99 host 68.3.X.X log
permit tcp host 50.63.176.99 host 68.3.X.X eq 22 log
permit gre any host 68.3.X.X log
permit tcp host 72.167.34.44 host 68.3.X.X eq 22 log
permit udp host 72.167.34.44 host 68.3.X.X eq 5060 log
permit ip host 72.167.34.44 host 68.3.X.X log
permit icmp any any echo log
permit icmp any any echo-reply log
permit icmp any any time-exceeded log
permit icmp any any unreachable log
permit icmp any any packet-too-big log
permit udp host 208.110.65.18 host 68.3.X.X log
permit udp host 192.43.244.18 eq ntp any eq ntp log
permit udp host 204.34.198.40 eq ntp any eq ntp log
deny ip host 139.130.130.34 host 139.130.130.34 log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip host 255.255.255.255 any log
deny ip host 0.0.0.0 any log
deny icmp any any redirect log
deny icmp any any mask-request log
deny ip any any log
ip access-list extended UDP_RTP
permit udp host 192.168.4.15 any range 16384 32768
permit udp any any range 16384 32768
permit udp any any range 10000 20000
ip access-list extended VPN-CLIENT
permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.16.0 0.0.0.255 192.168.0.0 0.0.0.255
!
ip radius source-interface Loopback0
logging source-interface Loopback0
logging 192.168.4.49
access-list 10 permit 192.168.1.254
access-list 12 remark SSH_ACL
access-list 12 permit 192.168.4.0 0.0.0.255
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 101 permit ip any any precedence critical
access-list 101 permit ip any any dscp ef
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 103 permit ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 103 remark TTOWN_VPN
access-list 110 remark NO_NAT
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.16.0 0.0.0.255
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 177 permit ip 192.168.0.0 0.0.255.255 192.168.0.128 0.0.0.127
access-list 177 remark VPN_CLIENT_SPLIT_TUNNEL
no cdp run
!
!
!
!
route-map CME-SIP-Traffic permit 10
match ip address CME-SIP-Traffic
set ip default next-hop 172.16.1.1
!
route-map SIP_NAT permit 10
match ip address UDP_RTP
!
route-map nonat permit 10
match ip address NO_NAT_WAN
!
snmp-server community craighome1 RO SNMP
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps envmon
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps atm subif
!
!
radius-server host 192.168.4.44 auth-port 1812 acct-port 1813 key XXXXXXXXXXXXXXXXX
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 60 0
logging synchronous
line aux 0
no exec
line vty 0 4
access-class 12 in
exec-timeout 30 0
logging synchronous
login authentication vty_ssh
transport input ssh
transport output none
line vty 5
exec-timeout 0 0
login authentication vty_ssh
no exec
transport input ssh
transport output none
line vty 6 15
exec-timeout 0 0
no exec
transport input ssh
transport output none
!
scheduler allocate 20000 1000
ntp master 5
ntp server 192.43.244.18
ntp server 204.34.198.40
end
core_router#
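Added example, not part of the thread or the poster's config: a small Python checker that parses IOS `interface Tunnel` stanzas and reports what a reviewer would look at first on the hub config above. The hub stanza it reads is Tunnel5 exactly as posted (masked values left masked); the spoke stanza is a constructed, hypothetical 871W config, since the thread never shows one, and the `Vlan1` tunnel source on it is an assumption. It flags that Tunnel5 is an mGRE DMVPN hub with no `tunnel protection ipsec profile` (so, given `permit gre any host 68.3.X.X` in Outside_In, the GRE tunnel key is the only thing standing between an arbitrary Internet host and a spoke registration), that the tunnel source is DHCP-addressed, and the hub/spoke mismatches (tunnel key, NHS and its NBMA map, `ip mtu`, OSPF network type) that keep a spoke from registering or an OSPF adjacency from forming. The same missing tunnel protection matters for the laptop-bridge and phone-hotspot setup: plain GRE is IP protocol 47, and a NAT that forwards only TCP and UDP drops it, whereas IPsec with NAT-T travels over UDP 4500.

```python
import re

# Constructed sample: the hub's Tunnel5 and GigabitEthernet0/0 stanzas as posted
# above, cut down to the lines the checks read. Values the poster masked stay masked.
HUB_CONFIG = """\
interface Tunnel5
 ip address 10.10.20.1 255.255.255.0
 ip mtu 1472
 ip nhrp map multicast dynamic
 ip nhrp network-id XX
 ip ospf network broadcast
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key XX
!
interface GigabitEthernet0/0
 ip address dhcp
!
"""

# Constructed, hypothetical spoke stanza for the 871W (the thread never shows one).
# 68.3.X.X is the hub's masked public address from the Outside_In ACL above.
SPOKE_CONFIG = """\
interface Tunnel5
 ip address 10.10.20.2 255.255.255.0
 ip mtu 1400
 ip nhrp map 10.10.20.1 68.3.X.X
 ip nhrp map multicast 68.3.X.X
 ip nhrp network-id XX
 ip nhrp nhs 10.10.20.1
 tunnel source Vlan1
 tunnel mode gre multipoint
 tunnel key XX
!
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza of an IOS running-config to its sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level command or '!' separator
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current:
                ifaces[current] = []
        elif current:
            ifaces[current].append(line.strip())
    return ifaces

def cmd(cmds, prefix):
    """Argument string of the first sub-command that starts with prefix, else None."""
    for c in cmds:
        if c == prefix or c.startswith(prefix + " "):
            return c[len(prefix):].strip()
    return None

def tunnel_findings(cmds, ifaces):
    """Checks that apply to one GRE tunnel stanza, hub or spoke."""
    out = []
    if "gre" not in (cmd(cmds, "tunnel mode") or ""):
        return out
    if cmd(cmds, "tunnel protection ipsec profile") is None:
        out.append(("warn", "no tunnel protection: GRE payload and NHRP registrations are "
                            "cleartext; the GRE tunnel key is the only admission check"))
        out.append(("note", "plain GRE is IP protocol 47; a NAT or hotspot that forwards only "
                            "TCP/UDP drops it, whereas IPsec NAT-T rides UDP/4500"))
    if cmd(cmds, "ip nhrp network-id") and cmd(cmds, "ip nhrp authentication") is None:
        out.append(("note", "no 'ip nhrp authentication' string (sent in cleartext, but it "
                            "rejects registrations from a mis-keyed cloud)"))
    src = cmd(cmds, "tunnel source")
    if cmd(ifaces.get(src, []), "ip address") == "dhcp":
        out.append(("note", f"tunnel source {src} is DHCP-addressed; spokes' static "
                            "'ip nhrp map' entries break if the lease changes"))
    return out

def pair_findings(hub, spoke):
    """Consistency checks between a hub stanza and a spoke stanza."""
    out = []
    hk, sk = cmd(hub, "tunnel key"), cmd(spoke, "tunnel key")
    if hk != sk:
        out.append(("error", f"tunnel key mismatch (hub {hk!r}, spoke {sk!r}); "
                             "GRE with the wrong key is dropped silently"))
    hub_ip = (cmd(hub, "ip address") or "").split(" ")[0]
    nhs = cmd(spoke, "ip nhrp nhs")
    if nhs != hub_ip:
        out.append(("error", f"spoke NHS {nhs!r} is not the hub tunnel address {hub_ip!r}"))
    mapped = [c.split()[3] for c in spoke
              if c.startswith("ip nhrp map ") and not c.startswith("ip nhrp map multicast")]
    if nhs not in mapped:
        out.append(("error", f"spoke has no 'ip nhrp map {nhs} <hub NBMA>'; its registration has nowhere to go"))
    # network-id is only locally significant; ip mtu and the OSPF network type should
    # match across the cloud (an MTU mismatch stalls OSPF in EXSTART).
    for key in ("ip nhrp network-id", "ip mtu", "ip ospf network"):
        hv, sv = cmd(hub, key), cmd(spoke, key)
        if hv != sv:
            sev = "note" if key == "ip nhrp network-id" else "warn"
            out.append((sev, f"{key} differs (hub {hv!r}, spoke {sv!r})"))
    return out

def audit(hub_cfg, spoke_cfg, hub_if="Tunnel5", spoke_if="Tunnel5"):
    """Return (severity, where, message) tuples for one hub/spoke pair."""
    hub, spoke = parse_interfaces(hub_cfg), parse_interfaces(spoke_cfg)
    out = [("hub " + hub_if, f) for f in tunnel_findings(hub[hub_if], hub)]
    out += [("spoke " + spoke_if, f) for f in tunnel_findings(spoke[spoke_if], spoke)]
    out += [("hub<->spoke", f) for f in pair_findings(hub[hub_if], spoke[spoke_if])]
    return [(sev, where, msg) for where, (sev, msg) in out]
```

Run `audit(HUB_CONFIG, SPOKE_CONFIG)` and print the tuples; to check a real pair, paste each router's `show run` into the two strings. Against the constructed spoke it reports no errors, the missing tunnel protection on both ends, the DHCP tunnel source on the hub, and the `ip mtu` and `ip ospf network` mismatches; changing the spoke's `tunnel key` produces the one hard error.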
03-16-2013 03:01 AM
Hello Robert,
I tested your HUB and Spoke config in GNS, and the OSPF neighborship over the GRE tunnel came up instantly. From my point of view everything should work.
Best Regards
Please rate all helpful posts and close solved questions
03-16-2013 09:34 PM
OK, I'm wondering if it's the internet connection I'm using. I was turning on the Wifi hotspot on my cell phone, attaching the laptop, and then piggybacking the router off of the laptop. I'm going down the street to a friend's house tomorrow and testing it via their wifi. Just out of curiosity, would there be any foreseeable problems with the hub router being DHCP?
03-17-2013 12:43 AM
I think DHCP should not be a problem if the HUB router always obtains the same IP. Also check if the default route is installed correctly via DHCP on both HUB & Spoke.
Is ping from spoke to HUB WAN IP successful?
Best Regards
Please rate all helpful posts and close solved questions
03-12-2013 07:37 PM
Ok, I'll give it a shot and let you guys know. Thanks!
Sent from Cisco Technical Support iPhone App
03-17-2013 06:27 PM
Yes, I believe it's some type of firewall on the Verizon side as I can't ping the Verizon public IP from the hub. I even tried a different spoke router altogether and got the same results. I'm gonna try it from a regular wifi hotspot and see what I can come up with. Thanks for the help. I'll update you on the results from a different Internet connection.
Sent from Cisco Technical Support iPhone App