No routing through Dialer

WonderfulIT
Level 1

Hi all,

 

I've not used dialers before, but I've got an ASR that has gigabit 0/0/1 set up as a dialer interface, and I've set it up and confirmed it is connected (it's into a VDSL modem). There is a LAN interface on gigabit 0/0/2 that has an IP of 192.168.2.10 and there is a loopback interface also on 172.16.1.1.

I can ping 8.8.8.8 from the command prompt on the router and also if I select the source of the ping from the loopback, but I cannot ping from the LAN interface on 192.168.2.10 as the source to 8.8.8.8.

The odd thing is that I have connected a PC to the LAN interface and I can ping the WAN IP of the dialer interface (so in effect "through" the LAN interface)?

I have put an ACL on the dialer interface to allow any IP and ICMP and also added an overload NAT to the dialer interface, but do I need to do anything with the actual interface that connects the dialer (i.e. gigabit 0/0/1)?

Thanks

9 Replies

Hello, ip nat outside goes on the dialer interface, not on the physical interface, ip nat inside on the LAN interface. Make sure your NAT access list contains the LAN subnet:

access-list 1 permit 192.168.2.0
ip nat inside source list 1 interface dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

Better yet, post the config you currently have...
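
An added example, not part of the thread or any poster's code: a small Python check that applies the checklist from the reply above to an IOS configuration (NAT outside on the dialer rather than the physical PPPoE port, the overload target not shut down, and the NAT ACL covering the address of each `ip nat inside` interface). The sample config, function names and finding texts are constructed for illustration; only numbered ACLs and `!`-terminated interface blocks are handled.

```python
import re
from ipaddress import IPv4Address as IP

# Constructed sample, not the poster's config: four faults seeded on purpose.
SAMPLE = """interface GigabitEthernet0/0/1
 ip nat outside
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
 ip address 192.168.2.10 255.255.255.0
 ip nat inside
!
interface Dialer1
 shutdown
!
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
"""

def interfaces(cfg):
    """Map interface name -> sub-commands; each block ends at a '!' line."""
    blocks = re.findall(r"^interface (\S+)[ \t]*\n(.*?)^!", cfg, re.M | re.S)
    return {n: [l.strip() for l in body.splitlines()] for n, body in blocks}

def acl_covers(cfg, acl, addr):
    """True if a permit entry's source covers addr (deny/destination not evaluated)."""
    for rest in re.findall(rf"^access-list {acl} permit (.+)$", cfg, re.M):
        tok = rest.split()
        tok = tok[1:] if tok[0] in ("ip", "icmp", "tcp", "udp") else tok  # extended ACL
        src = {"any": ["0.0.0.0", "255.255.255.255"], "host": tok[1:2]}.get(tok[0], tok[:2])
        base, wild = (src + ["0.0.0.0"])[:2]      # no wildcard given = exact host match
        if (int(IP(addr)) ^ int(IP(base))) & ~int(IP(wild)) == 0:
            return True
    return False

def audit_nat(cfg):
    """Apply the reply's PAT checklist to an IOS config; return findings."""
    ifs, found = interfaces(cfg), []
    for name, cmds in ifs.items():
        if "ip nat outside" in cmds and any(c.startswith("pppoe-client") for c in cmds):
            found.append(f"{name}: 'ip nat outside' on the physical PPPoE port")
    inside = [(n, c.split()[2]) for n, cmds in ifs.items() if "ip nat inside" in cmds
              for c in cmds if re.match(r"ip address \d", c)]
    for acl, wan in re.findall(r"^ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M):
        if "ip nat outside" not in ifs.get(wan, []):
            found.append(f"{wan}: overload target lacks 'ip nat outside'")
        if "shutdown" in ifs.get(wan, []):
            found.append(f"{wan}: overload target is shut down")
        found += [f"ACL {acl} does not permit {n} ({ip})" for n, ip in inside if not acl_covers(cfg, acl, ip)]
    return found
```

`audit_nat(SAMPLE)` returns four findings; a config that passes returns an empty list.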

Thanks, I've put the config below (obviously changed some IPs for security)

 

router2#sh run
Building configuration...


Current configuration : 11132 bytes
!
! Last configuration change at 15:18:15 GMT Wed Feb 20 2019 by ictadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname router2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Y1st$Y7mKB1FxUfEpukhM9Mf39.
enable password 7 044F18130D204747584B56
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn_aaa local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
!
!
!

 

!
ip dhcp pool routerguest
network 10.10.10.0 255.255.255.0
dns-server 8.8.8.8
default-router 10.10.10.1
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
crypto pki trustpoint secure.router.co.uk
enrollment mode ra
enrollment url http://secure.router.co.uk:80/certsrv/mscep/mscep.dll
subject-name cn=secure.router.co.uk,OU=router,L=city,C=GB
revocation-check none
rsakeypair rsakey
!
crypto pki trustpoint TP-self-signed-1621321660
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1621321660
revocation-check none
rsakeypair TP-self-signed-1621321660
!
!
crypto pki certificate chain secure.router.co.uk
crypto pki certificate chain TP-self-signed-1621321660
certificate self-signed 01
quit
license udi pid ISR4331/K9 sn FDO21041AT4
license boot suite FoundationSuiteK9
!
spanning-tree extend system-id
!
username ictadmin privilege 15 secret 5 $1$kcmM$5dkOZ4RjoWxsfj6m/Qkki/
username routerict privilege 15 secret 5 $1$CXwV$CUAMtm8.f6o1GkOzXbUE/1
username ictuk password 7 094A1F1B4A07470A
username ict secret 5 $1$dlAM$LhGUcfVtkHFZZrfpY/RX60
!
redundancy
mode none
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
ip address 2.2.2.2 255.255.255.252
ip mtu 1350
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 2.2.2.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0/0
description LeasedLine
ip address 200.200.200.200 255.255.255.252
ip nat outside
no negotiation auto
!
interface GigabitEthernet0/0/1
description BT FTTC
no ip address
ip nat outside
speed 100
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
description router_LAN
ip address 192.168.2.10 255.255.192.0
ip nat inside
speed 100
no negotiation auto
!
interface GigabitEthernet0/0/2.1
description router Guest Wifi DHCP
encapsulation dot1Q 100
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 10.1.1.28 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
no ip address
!
interface Dialer1
ip address 78.16.24.12 255.255.255.248
ip mtu 1452
ip nat outside
ip access-group 102 in
encapsulation ppp
ip tcp adjust-mss 1452
shutdown
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname router-001@adsllogin.com
ppp chap password 7 025E5D083B293F701E1759
ppp pap sent-username router-001@adsllogin.com password 7 0914175A292A2743595554
crypto map NLVPN
!
ip local pool webvpn-pool 192.168.3.150 192.168.3.200
ip nat inside source static 192.168.2.111 110.75.182.127
ip nat inside source static 192.168.2.110 110.75.182.118
ip nat inside source static 192.168.2.112 110.75.182.119
ip nat inside source static 192.168.3.35 110.75.182.120
ip nat inside source static 192.168.2.107 110.75.182.121
ip nat inside source static 192.168.3.29 110.75.182.122
ip nat inside source static 192.168.3.30 110.75.182.123
ip nat inside source static 192.168.3.28 110.75.182.124
ip nat inside source static 192.168.3.32 110.75.182.125
ip nat inside source static 192.168.3.38 110.75.182.126
ip nat inside source static 192.168.3.40 110.75.182.127
ip nat inside source static 192.168.2.108 110.75.182.128
ip nat inside source static 192.168.3.6 110.75.182.134
ip nat inside source static tcp 192.168.2.9 8888 190.192.234.101 656 extendable
ip nat inside source static tcp 192.168.2.13 5555 190.192.234.101 5555 extendable
ip nat inside source list 100 interface Tunnel0 overload
ip nat inside source list 101 interface GigabitEthernet0/0/0 overload
ip nat inside source list 102 interface Dialer1 overload
ip forward-protocol nd
ip ftp username ict
ip ftp password 7 120F1D4546415D54382E203B
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 167.3.137.109 255.255.255.255 Tunnel0
ip route 167.3.137.110 255.255.255.255 Tunnel0
ip route 167.3.137.111 255.255.255.255 Tunnel0
ip route 167.3.137.112 255.255.255.255 Tunnel0
ip route 167.3.137.113 255.255.255.255 Tunnel0
ip route 192.168.64.0 255.255.192.0 192.168.2.254
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list extended TAC
permit ip any host 192.168.2.18
permit ip host 192.168.2.18 any
!
logging trap notifications
logging facility local0
logging host 192.168.2.18
access-list 20 permit 192.168.0.0 0.0.63.255
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.108 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.110 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.112 0.0.0.1
access-list 100 permit ip host 110.75.182.229 167.3.137.108 0.0.0.1
access-list 100 permit ip host 110.75.182.229 167.3.137.110 0.0.0.1
access-list 100 permit ip host 110.75.182.229 167.3.137.112 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.110 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.108 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.112 0.0.0.1
access-list 101 permit ip 192.168.0.0 0.0.63.255 any
access-list 102 permit ip any any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 175 deny ip 192.168.0.0 0.0.63.255 192.168.64.0 0.0.63.255
access-list 175 permit ip 192.168.0.0 0.0.63.255 any
dialer-list 1 protocol ip permit
!
snmp-server community public RO
snmp-server community private RW
!
!
!
!
control-plane
!
banner motd ^CC
WARNING: IF YOU ARE NOT AUTHORIZED TO ACCESS THIS SYSTEM OR IF YOU
INTEND TO USE THIS SYSTEM BEYOND THE SCOPE OF YOUR AUTHORIZATION,
DISCONNECT IMMEDIATELY.
This computer system is for authorized users only. Individuals
using this system without authority, or in excess of their
authority, are subject to having all of their activities monitored
and recorded by system personnel. In the course of monitoring
individuals improperly using this system or in the course of system
maintenance, the activities of authorized users may also be
monitored. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
monitoring information and logs as evidence to law enforcement
officials. Crimes may be prosecuted to the fullest extent possible
under state and federal law.
^C
!
line con 0
password 7 105A1A0C071619025D5679
stopbits 1
line aux 0
stopbits 1
line vty 0
privilege level 15
password 7 014B0A11550F031D7914160B360423
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
line vty 5 14
privilege level 15
transport input ssh
line vty 15
privilege level 15
logging synchronous
transport input ssh
!
!
end

router2#

Hi,

I noticed the configuration below does not seem correct:

interface Dialer1
ip address 78.16.24.12 255.255.255.248
ip mtu 1452
ip nat outside
ip access-group 102 in
encapsulation ppp
ip tcp adjust-mss 1452
shutdown
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname router-001@adsllogin.com
ppp chap password 7 025E5D083B293F701E1759
ppp pap sent-username router-001@adsllogin.com password 7 0914175A292A2743595554
crypto map NLVPN

 

Why is the Dialer 1 interface administratively down? And I am not sure what the purpose of the "ip access-group 102 in" command is.

Make those corrections and test it again.

 

Regards,

Deepak Kumar


Hello,

 

Post a schematic drawing of your topology. You have a crypto map on the dialer interface, a VTI tunnel with a non-existing profile... what do you want to accomplish, a VPN with a split tunnel Internet?

Apologies, not sure why the shutdown was there as it's not in the current running config, but I've removed the access-group from the dialer interface and still no joy.

Also, I edited some of the VPN parts of the config out as I don't think they are part of this issue (but I can post it complete if it will help).

One thing I don't think I've mentioned though is that there is a leased line connection to interface gigabit 0/0/0, and I can ping and route through that fine from the LAN interface, and I've connected a laptop straight into the PPPoE line to test and can route with that.

 

The setup i have is:

 

Internet ---- pppoe modem ----- dialer 1 (into gigabit 0/0/1) ------ lan 192.168.2.10 (into gigabit 0/0/2)

                     leased line -------- gigabit 0/0/0------------------|

 

So just to clarify (as I'm rushing this post): the LAN is on interface gigabit 0/0/0 on 192.168.2.10 and then there are 2 ports, gigabit 0/0/0 which plugs into a leased line box and the other port (gigabit 0/0/1) which plugs into the PPPoE modem using dialer 1.

Hello,

 

The reason I was asking for a schematic drawing of what you want to accomplish is that it is unclear from your post and your subsequent explanations what your goal is. You have a leased line, a PPP link, a tunnel (that is not working, I suppose), static NAT entries with public IP addresses that are not configured on any interface or in a NAT pool, and static routes pointing to a tunnel that goes... where? In short, without further information on what you want, it is just guesswork. Do you want both links to work simultaneously, one as a backup of the other, and if so, in which order?

Apologies, but the overall goal is to have the leased line as the main broadband line and then the PPPoE line as a backup. The leased line connection works fine, but obviously I can't get an internet connection through the PPPoE line from the LAN; I can ping from the Cisco to it. The VPN is on the leased line and this does also work fine (I just omitted some portions of the config relating to this to keep the post shorter).

Hope this helps.

Thanks

Hello,

 

If you want to use the leased line as the primary connection and the PPPoE as a backup, the easiest way to achieve this would be an IP SLA and a tracked primary route.

 

Post the ENTIRE configuration of your router, otherwise I cannot tell what is there and what is not...
