Nat issue? 887VAM-W

Hi.

I'm trying to configure a Cisco 887VAM-W router. The unit is connected to an ADSL WAN, and has two VLAN/WAN, one for public use and one that is also connected to a corporate network via EZVpn. Everything worked fine for a while, until I restarted the router and moved it.

Now, the router seems to boot just fine, it connects to the ADSL connection, gets an IP address on the ATM interface, and the VPN tunnel goes up. The problem is that none of the locally connected devices get IP addresses or are able to access the internet or communicate with anything on the other side of the VPN tunnel. The router itself can communicate with devices over the VPN tunnel and I'm able to access the router from the corporate network over the VPN connection.

I'm pretty sure that I saved the configuration before I cold booted the router, but since it doesn't work as expected any more I'm guessing that something is missing, but I can't figure out what. I have also noticed that the NVI0 interface never goes up, it stays down both link and administratively.

The current configuration is pasted below. The only difference right now is that I have removed the following access-list bindings:

From ATM0.1 - ip access-group 102 in

From VLAN 1 - ip access-group 101 in

From VLAN 6 - ip access-group 103 in

Any ideas?

Best regards,

Johan Christensson

------- CONFIG START -------

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname ISR01-xxx-xxx-xxx-SE

!

boot-start-marker

boot system flash:/c800-universalk9-mz.SPA.152-2.T.bin

boot-end-marker

!

!

enable secret 5 xxx

!

no aaa new-model

clock timezone Berlin 1 0

clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-xxxx

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-xxxx

revocation-check none

rsakeypair TP-self-signed-xxxx

!

!

crypto pki certificate chain TP-self-signed-xxxx

certificate self-signed 01

  xxxx

        quit

ip auth-proxy max-login-attempts 5

ip admission max-login-attempts 5

!

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.99

ip dhcp excluded-address 192.168.10.200 192.168.10.254

ip dhcp excluded-address 172.18.7.65 172.18.7.96

!

ip dhcp pool HomeNetDHCPPool

network 192.168.10.0 255.255.255.0

default-router 192.168.10.1

dns-server 85.235.0.10

domain-name homenet.local

!

ip dhcp pool InsideDHCPPool

network 172.18.7.64 255.255.255.192

domain-name manhattan.local

default-router 172.18.7.65

dns-server 172.16.20.12 172.16.20.13

!

!

ip domain lookup source-interface Vlan1

ip domain name xxx.local

ip name-server 172.16.20.12

ip name-server 172.16.20.13

ip cef

!

!

license udi pid C887VAM-W-E-K9 sn Fxxxx

!

!

username xxx-xxx-xxx privilege 15 password 0 xxxx

!

!

!

!

!

controller VDSL 0

firmware filename flash:/vdsl.bin-A2pv6C035d_d23j

!

ip ssh version 2

!

!

!

!

!

!

!

crypto ipsec client ezvpn xxxx

connect auto

group xxx-xxx-xxx key xxx

mode network-extension

peer xxx.xxx.xxx.xxx

virtual-interface 1

username xxx-xxx-xxx-User password xxx

xauth userid mode local

!

!

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

ip address dhcp

ip nat outside

ip virtual-reassembly in

atm route-bridged ip

crypto ipsec client ezvpn xxx

pvc 8/35

  encapsulation aal5snap

!

!

interface Ethernet0

no ip address

shutdown

!

interface FastEthernet0

switchport access vlan 6

no ip address

spanning-tree portfast

!

interface FastEthernet1

switchport access vlan 6

no ip address

spanning-tree portfast

!

interface FastEthernet2

switchport access vlan 6

no ip address

spanning-tree portfast

!

interface FastEthernet3

no ip address

spanning-tree portfast

!

interface Virtual-Template1 type tunnel

no ip address

tunnel mode ipsec ipv4

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface wlan-ap0

description Embedded Service module interface to manage the embedded AP

ip address 10.0.0.1 255.255.255.0

!

interface Vlan1

ip address 172.18.7.65 255.255.255.192

ip nat inside

ip virtual-reassembly in

crypto ipsec client ezvpn xxxx inside

!

interface Vlan6

ip address 192.168.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

ip forward-protocol nd

no ip http server

ip http secure-server

!

ip nat inside source list inside_NAT_outside interface ATM0.1 overload

!

ip access-list extended inside_NAT_outside

deny   ip 172.18.7.64 0.0.0.63 172.18.7.64 0.0.0.63

deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255

permit ip 172.18.7.64 0.0.0.63 any

permit ip 192.168.10.0 0.0.0.255 any

!

access-list 100 permit ip host xxx.xxx.xxx.xxx any

access-list 100 permit ip 172.16.52.0 0.0.0.255 any

access-list 100 permit ip 172.18.7.64 0.0.0.63 any

access-list 101 permit tcp 172.16.52.0 0.0.0.255 host 172.18.7.65 eq 22

access-list 101 permit tcp 172.18.7.64 0.0.0.63 host 172.18.7.65 eq 22

access-list 101 permit tcp 172.16.52.0 0.0.0.255 host 172.18.7.65 eq 443

access-list 101 permit tcp 172.18.7.64 0.0.0.63 host 172.18.7.65 eq 443

access-list 101 permit tcp 172.16.52.0 0.0.0.255 host 172.18.7.65 eq cmd

access-list 101 permit tcp 172.18.7.64 0.0.0.63 host 172.18.7.65 eq cmd

access-list 101 deny   tcp any host 172.18.7.65 eq telnet

access-list 101 deny   tcp any host 172.18.7.65 eq 22

access-list 101 deny   tcp any host 172.18.7.65 eq www

access-list 101 deny   tcp any host 172.18.7.65 eq 443

access-list 101 deny   tcp any host 172.18.7.65 eq cmd

access-list 101 deny   udp any host 172.18.7.65 eq snmp

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 permit ip any any

access-list 102 permit udp host xxx.xxx.xxx.xxx any eq 10000

access-list 102 permit udp host xxx.xxx.xxx.xxx any eq non500-isakmp

access-list 102 permit udp host xxx.xxx.xxx.xxx any eq isakmp

access-list 102 permit esp host xxx.xxx.xxx.xxx any

access-list 102 permit ahp host xxx.xxx.xxx.xxx any

access-list 102 permit udp host 172.16.20.13 eq domain any

access-list 102 permit udp host 172.16.20.12 eq domain any

access-list 102 permit tcp host xxx.xxx.xxx.xxx any eq 22

access-list 102 permit icmp host xxx.xxx.xxx.xxx any

access-list 102 deny   ip 172.18.7.64 0.0.0.63 any

access-list 102 permit udp any eq bootps any eq bootpc

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 deny   ip host 255.255.255.255 any

access-list 102 deny   ip any any log

access-list 103 deny   ip 192.168.10.0 0.0.0.255 172.18.7.64 0.0.0.63

access-list 103 permit ip any any

!

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

stopbits 1

line vty 0 4

session-timeout 60

access-class 100 in

login local

transport preferred ssh

transport input ssh

!

scheduler allocate 20000 1000

sntp server 172.16.20.12

sntp server 172.16.20.13

sntp source-interface Vlan1

!

end

------- CONFIG END ------
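
A small offline check for the state the post describes, where access lists 101, 102 and 103 are still defined but no longer bound to any interface. This is an added example, not part of the original post; the function name `audit_acl_bindings` is hypothetical and the sample excerpt is constructed from the posted configuration.

```python
import re

# Constructed excerpt modelled on the configuration posted above, with the
# three "ip access-group" bindings removed as the post describes.
SAMPLE_CONFIG = """\
interface ATM0.1 point-to-point
 ip address dhcp
 ip nat outside
!
interface Vlan1
 ip address 172.18.7.65 255.255.255.192
!
interface Vlan6
 ip address 192.168.10.1 255.255.255.0
!
ip nat inside source list inside_NAT_outside interface ATM0.1 overload
ip access-list extended inside_NAT_outside
 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 172.18.7.64 0.0.0.63 any
access-list 101 permit ip any any
access-list 102 deny   ip any any log
access-list 103 permit ip any any
line vty 0 4
 access-class 100 in
"""

DEFINED = re.compile(r"access-list (\S+) |ip access-list (?:standard|extended) (\S+)")
USED = re.compile(r"(?:ip access-group|access-class|ip nat inside source list) (\S+)")

def audit_acl_bindings(config):
    """Return (ACLs defined but never applied, L3 interfaces with no inbound ACL)."""
    defined, used, unfiltered = set(), set(), []
    iface = None  # [name, has_ip_address, has_inbound_acl] of the open block
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()  # works on indented and flattened pastes alike
        if iface and (line == "!" or line.startswith("interface ")):
            if iface[1] and not iface[2]:
                unfiltered.append(iface[0])
            iface = None
        if line.startswith("interface "):
            iface = [line.split()[1], False, False]
        elif iface and line.startswith("ip address "):
            iface[1] = True
        elif iface and re.match(r"ip access-group \S+ in$", line):
            iface[2] = True
        m = DEFINED.match(line)
        if m:
            defined.add(m.group(1) or m.group(2))
        used.update(USED.findall(line))
    return sorted(defined - used), unfiltered
```

Run against the excerpt, it reports 101, 102 and 103 as defined but unapplied and lists ATM0.1, Vlan1 and Vlan6 as addressed interfaces with no inbound filter.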

2 Replies

No one that has any tips?

Almost all of the interfaces have the "status" Internet protocol processing disabled. Any clue as to why?

/Johan Ch

I don't have any idea why, but I got one of the two routers working again. I formatted all the flash: drives and retyped the configuration, and so far, everything seems to work just fine.

Will try to perform the same thing on the other one tomorrow.

/Johan Christensson