08-28-2012 03:54 PM - edited 03-04-2019 05:24 PM
Hello
I'm having trouble because I can only have one internet connection at a time for it to work. If I connect the two WANs to the router, then neither of them works. I'm pretty sure it's an access-list problem that I don't know about. Please help me properly set up the two WANs, and load balancing if possible. Thanks for the help!!
ip dhcp pool quest
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp pool roadrunner
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip cef
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key test1 address xx.xx.xx.153
crypto isakmp key test2 address xx.xx.xx.24
!
!
crypto ipsec transform-set qwest esp-3des esp-md5-hmac
crypto ipsec transform-set roadrunner esp-3des esp-md5-hmac
!
!
crypto map qwest 1 ipsec-isakmp
set peer xx.xx.xx.24
set transform-set qwest
match address 100
!
crypto map roadrunner 1 ipsec-isakmp
set peer xx.xx.xx.153
set transform-set roadrunner
match address 101
!
!
interface FastEthernet0
description roadrunner
switchport access vlan 2
!
interface FastEthernet1
description roadrunner
switchport access vlan 2
!
interface FastEthernet2
description roadrunner
switchport access vlan 2
!
interface FastEthernet3
description roadrunner
switchport access vlan 2
!
interface FastEthernet4
description qwest
!
interface FastEthernet5
description qwest
!
interface FastEthernet6
description qwest
!
interface FastEthernet7
description qwest
!
interface FastEthernet8
description qwest connection
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
description roadrunner connection
ip address xx.xx.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map roadrunner
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
description quest
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Vlan2
description roadrunner
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password 0 xxxxxxx
crypto map qwest
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list nat interface Dialer1 overload
ip nat inside source list roadrunner interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended roadrunner
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 100 protocol ip permit
08-29-2012 12:42 AM
Hi,
there are two things you must modify:
1)
no ip route 0.0.0.0 0.0.0.0 gig0
ip route 0.0.0.0 0.0.0.0 x.x.x.x where x.x.x.x is the next hop out of the Gig0 interface
2)
no ip nat inside source list nat interface Dialer1 overload
no ip nat inside source list roadrunner interface GigabitEthernet0 overload
ip nat inside source route-map Dialer1 interface Dialer1
ip nat inside source route-map Roadrunner interface Gig0
route-map Roadrunner
match ip address roadrunner
match interface Gig0
route-map Dialer1
match ip address nat
match interface Dialer1
Regards.
Alain
Don't forget to rate helpful posts.
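The interaction Alain's change relies on is easy to get wrong, so here is an added example (not code from the thread) that models the IOS inside-to-outside order of operations for the posted configuration: routing first, then NAT through the route-maps, then the crypto map on the egress interface. The ACLs, route-maps and crypto-map bindings are copied from the suggested config; the outside addresses and peer names are constructed placeholders, and evaluating both default routes side by side is a simplified stand-in for CEF per-destination load sharing.

```python
"""Model of IOS forwarding for the thread's config: route -> NAT (route-map) -> crypto map.

Added example, not from the original post. ACL, route-map and crypto-map
contents follow Alain's suggested config; addresses and peer names are
constructed placeholders (assumption).
"""
import ipaddress

# Outside addresses per WAN interface (constructed placeholders).
IFACE_ADDR = {"Dialer1": "198.51.100.10", "GigabitEthernet0": "203.0.113.134"}

# Extended ACLs as ordered (action, src_net, dst_net); implicit deny at the end.
ACLS = {
    "nat":  [("deny", "10.10.11.0/24", "10.10.10.0/24"), ("permit", "10.10.11.0/24", "0.0.0.0/0")],
    "nat1": [("deny", "192.168.1.0/24", "192.168.0.0/24"), ("permit", "192.168.1.0/24", "0.0.0.0/0")],
    "100":  [("permit", "10.10.11.0/24", "10.10.10.0/24")],
    "101":  [("permit", "192.168.1.0/24", "192.168.0.0/24")],
}

# ip nat inside source route-map <name> interface <iface> overload
NAT_ROUTE_MAPS = [("Dialer1", "nat", "Dialer1"), ("Roadrunner", "nat1", "GigabitEthernet0")]

# crypto map applied per interface: (match-address ACL, peer label)
CRYPTO_MAPS = {"Dialer1": ("100", "qwest-peer"), "GigabitEthernet0": ("101", "roadrunner-peer")}


def acl_lookup(name, src, dst):
    """First-match evaluation of an extended ACL; falls through to the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in ACLS[name]:
        if s in ipaddress.ip_network(sn) and d in ipaddress.ip_network(dn):
            return action
    return "deny"


def nat_translate(src, dst, egress):
    """Return the translated source, or the original if no route-map clause matches."""
    for _name, acl, iface in NAT_ROUTE_MAPS:
        # Both 'match' statements in a route-map clause must succeed.
        if iface == egress and acl_lookup(acl, src, dst) == "permit":
            return IFACE_ADDR[egress]
    return src


def crypto_check(src, dst, egress):
    """Crypto ACL is evaluated after NAT, so it sees the (possibly translated) source."""
    acl, peer = CRYPTO_MAPS[egress]
    return peer if acl_lookup(acl, src, dst) == "permit" else None


def forward(src, dst, egress):
    """One packet through the IOS inside-to-outside path on a given egress interface."""
    new_src = nat_translate(src, dst, egress)
    peer = crypto_check(new_src, dst, egress)
    return {"egress": egress, "src": new_src, "natted": new_src != src, "encrypted_to": peer}


def analyze(src, dst):
    """Evaluate both equal-cost default routes; the real box picks one per destination."""
    return {iface: forward(src, dst, iface) for iface in IFACE_ADDR}


if __name__ == "__main__":
    for flow in [("10.10.11.5", "10.10.10.1"), ("10.10.11.5", "8.8.8.8"), ("192.168.1.20", "192.168.0.7")]:
        print(flow, analyze(*flow))
```

Two things fall out of the model. The `deny` lines at the top of the NAT ACLs are what keep the VPN-bound traffic untranslated, so that the crypto ACL, which runs after NAT, still sees the inside source; drop them and the `permit ... any` line would NAT the packet and the tunnel would never see it. And because nothing in the config pins 10.10.10.0/24 to Dialer1, a packet for that network that the router happens to route out GigabitEthernet0 finds no matching crypto map there and leaves as plaintext. A more specific static route for each remote subnet via the interface that carries its crypto map is the usual fix. Separately, the posted policy (3DES, MD5, DH group 2) is well below current recommendations; that does not cause this problem, but it is worth raising with both peers.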
08-29-2012 09:35 AM
thank you for the response... changes were made but now the VPN stopped working. Any idea???
ip nat inside source route-map Dialer1 interface Dialer1 overload
ip nat inside source route-map Roadrunner interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.133
!
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended nat1
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
!
route-map Dialer1 permit 10
match ip address nat
match interface Dialer1
!
route-map Roadrunner permit 10
match ip address roadrunner
match interface GigabitEthernet0
08-29-2012 10:20 AM
Hi,
I don't see any ACL roadrunner anymore; it was replaced by ACL nat1, so
route-map Roadrunner permit 10
match ip address roadrunner
match interface GigabitEthernet0
should become
route-map Roadrunner permit 10
match ip address nat1
match interface GigabitEthernet0
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 10:35 AM
changes were made but the VPN from qwest on Dialer1 doesn't connect... and I was connected and working before we did the changes... any idea why? thanks
route-map Roadrunner permit 10
match ip address nat1
match interface GigabitEthernet0
08-29-2012 10:42 AM
Hi,
if you ping a host in 10.10.10.0 from a host in 10.10.11.0, post the following outputs:
sh crypto isa sa
sh crypto ipsec sa
sh access-list nat, before and after the ping
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 11:10 AM
I disconnected the roadrunner WAN and have only Dialer1 connected to test the VPN...
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
xx.xx.xx.210 xx.xx.xx.24 QM_IDLE 2003 ACTIVE
IPv6 Crypto ISAKMP SA
-----------------------------------------------------------------------------
sh crypto ipsec sa
interface: GigabitEthernet0
Crypto map tag: roadrunner, local addr xx.xx.xx.134
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer xx.xx.xx.153 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xx.xx.134, remote crypto endpt.: xx.xx.xx.153
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Dialer1
Crypto map tag: qwest, local addr xx.xx.xx.210
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer xx.xx.xx.24 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xx.xx.210, remote crypto endpt.: xx.xx.xx.24
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x44A290C0(1151504576)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xAA278E1E(2854719006)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000046, crypto map: qwest
sa timing: remaining key lifetime (k/sec): (4445205/3232)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x44A290C0(1151504576)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000046, crypto map: qwest
sa timing: remaining key lifetime (k/sec): (4445205/3232)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: qwest, local addr 0.0.0.0
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer xx.xx.xx.24 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: xx.xx.xx.24
path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
----------------------------------------------------------------
Extended IP access list nat
10 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
20 permit ip 10.10.11.0 0.0.0.255 any (96 matches)
----------------------------------------------------------------
ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
----------------------------------------------------------------
host on 10.10.10.4
PING 10.10.11.1 (10.10.11.1): 32 data bytes
From 10.10.11.1 icmp_seq=0 timed out
From 10.10.11.1 icmp_seq=1 timed out
From 10.10.11.1 icmp_seq=2 timed out
From 10.10.11.1 icmp_seq=3 timed out
--- 10.10.11.1 ping statistics ---
5 packets transmitted
0 packets received
100% packet loss
----------------------------------------------------------------
Extended IP access list nat
10 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
20 permit ip 10.10.11.0 0.0.0.255 any (96 matches)
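The output above already answers part of the question, and reading it mechanically makes the point clearer: Phase 1 is up, the qwest IPsec SAs on Dialer1 are ACTIVE, yet every packet counter is zero, and the NAT ACL's `permit ... any` line keeps gaining matches. That combination means the traffic is never reaching the crypto map, which is a routing or NAT problem rather than an IKE one. The following is an added example (not from the thread) that parses `show crypto ipsec sa` in the format posted and applies that rule; the sample text is constructed from the shape of the output above with placeholder addresses, and the GigabitEthernet0 entry is empty only because that WAN was unplugged for the test.

```python
"""Parse 'show crypto ipsec sa' and flag SAs that are up but carrying no traffic.

Added example, not from the original thread. SAMPLE is constructed from the
shape of the posted output; addresses are placeholders (assumption).
"""
import re

SAMPLE = """\
interface: GigabitEthernet0
Crypto map tag: roadrunner, local addr 203.0.113.134
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer 203.0.113.153 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
interface: Dialer1
Crypto map tag: qwest, local addr 198.51.100.10
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer 198.51.100.24 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x44A290C0(1151504576)
inbound esp sas:
spi: 0xAA278E1E(2854719006)
Status: ACTIVE
outbound esp sas:
spi: 0x44A290C0(1151504576)
Status: ACTIVE
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one record per 'interface:' block with map, peer, SA count and counters."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "map": None, "peer": None,
                   "active_sas": 0, "encaps": 0, "decaps": 0}
            entries.append(cur)
        elif cur is None:
            continue  # header text before the first block
        elif line.startswith("Crypto map tag:"):
            cur["map"] = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        elif line.startswith("Status: ACTIVE"):
            cur["active_sas"] += 1  # one per inbound/outbound ESP SA
        else:
            m = COUNTER_RE.search(line)
            if m:
                cur[m.group(1)] = int(m.group(2))
    return entries


def diagnose(entry):
    """Map the counters to the usual next check."""
    if entry["active_sas"] == 0:
        return "no IPsec SA: Phase 2 never negotiated; check IKE, peer reachability and the crypto ACLs"
    if entry["encaps"] == 0 and entry["decaps"] == 0:
        return "SA ACTIVE but idle: nothing hits the crypto map; check routing and NAT exemption on this egress"
    if entry["encaps"] > 0 and entry["decaps"] == 0:
        return "sending only: local side encrypts, nothing returns; check the remote side's route and crypto ACL"
    return "passing traffic"


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(f"{e['interface']:18} map={e['map']:10} sas={e['active_sas']} "
              f"encaps={e['encaps']} decaps={e['decaps']} -> {diagnose(e)}")
```

Run against the thread's own output this reports Dialer1 as "SA ACTIVE but idle", which is consistent with the ACL counters: the 96 matches on `permit ip 10.10.11.0 0.0.0.255 any` mean the pings were being handled as ordinary NAT traffic, not as VPN traffic, so the thing to trace is which route-map clause and which egress interface those packets actually hit.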
08-29-2012 11:22 AM
Hi,
can you post sh run | s crypto map|access-list
Regards.
Alain
Don't forget to rate helpful posts.
08-29-2012 11:43 AM
sh run | s crypto map|access-list
crypto map qwest 1 ipsec-isakmp
set peer xx.xx.xx.24
set transform-set qwest
match address 100
crypto map roadrunner 1 ipsec-isakmp
set peer xx.xx.xx.153
set transform-set roadrunner
match address 101
crypto map roadrunner
crypto map qwest
ip access-list extended nat
deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 10.10.11.0 0.0.0.255 any
ip access-list extended nat1
deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark maptest1 category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark maptest1 category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
08-29-2012 01:47 PM
Hi,
ok, can you do this:
repost your new config
then issue the following:
logging buff 100000
logging buff 7
no service time debug
do clear log
do debug crypto isa
do debug crypto ipsec
then on a 10.10.11.0 host ping 10.10.10.x with a high repeat count
then issue do sh log and post it here.
Regards.
Alain.
Don't forget to rate helpful posts.
08-29-2012 03:41 PM
sh log
Syslog logging: enabled (0 messages dropped, 2 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 153 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 78 message lines logged
Log Buffer (4096 bytes):
in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7082
ISAKMP: set new node 1311669545 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1311669545
ISAKMP:(2007): seq. no 0x7082
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1311669545
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node 1962558591
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node -842448404 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = -842448404
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -842448404, sa = 0x86BEAB44
ISAKMP:(2007):deleting node -842448404 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7083
ISAKMP: set new node -1044866510 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = -1044866510
ISAKMP:(2007): seq. no 0x7083
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node -1044866510
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node 1534298901
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1111418898 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = 1111418898
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1111418898, sa = 0x86BEAB44
ISAKMP:(2007):deleting node 1111418898 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7084
ISAKMP: set new node 1321991604 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1321991604
ISAKMP:(2007): seq. no 0x7084
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1321991604
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):purging node -842448404
ISAKMP (2007): received packet from xx.xx.xx.24 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 1782352186 to QM_IDLE
ISAKMP:(2007): processing HASH payload. message ID = 1782352186
ISAKMP:(2007): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1782352186, sa = 0x86BEAB44
ISAKMP:(2007):deleting node 1782352186 error FALSE reason "Informational (in) state 1"
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP:(2007):DPD/R_U_THERE received from peer xx.xx.xx.24, sequence 0x7085
ISAKMP: set new node 1147495273 to QM_IDLE
ISAKMP:(2007):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2246487680, message ID = 1147495273
ISAKMP:(2007): seq. no 0x7085
ISAKMP:(2007): sending packet to xx.xx.xx.24 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(2007):Sending an IKE IPv4 Packet.
ISAKMP:(2007):purging node 1147495273
ISAKMP:(2007):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
ISAKMP:(2007):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
08-31-2012 11:35 AM
Any suggestions?
08-31-2012 12:04 PM
Hi,
I'm going to take a closer look at your config and try to lab it in GNS3, and will let you know after the weekend.
Regards.
Alain
Don't forget to rate helpful posts.
09-11-2012 09:10 AM
Any luck on the lab config on GNS3?
09-11-2012 10:44 AM
Hi Manny,
I'm really sorry, but I was so busy that I completely forgot to test it.
I'm going to try to do it this evening. If I find out something I will post it here.
Don't forget to rate helpful posts.