Routable IPs behind Cisco 887VA

gordon855
Level 1

Hello,

I have a block of eight routable IP addresses from my ISP.  I have a Cisco 887VA that I want to use as my router.  I know the router will take one of my IP addresses, but I'm having a problem getting the other IP addresses to route through the router.  My ADSL is up and running and I can ping addresses on the outside, but I have been unsuccessful at getting anything out from the inside.  Here is a copy of my running config:

- - - - - - - - - -

ip source-route
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn XXXXXXXXXXX
!
!
controller VDSL 0
 operating mode ansi
!
!
interface Ethernet0
 no ip address
 no fair-queue
!
interface ATM0
 description DSL Interface
 no ip address
 no atm ilmi-keepalive
 pvc 0/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 no ip address
!
interface Dialer1
 ip address 71.xx.xx.102 255.255.255.248
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxxx
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended inet
 permit ip any any
!
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
end

- - - - - - - - - -

I've tried to blow away the default VLAN (can't do that).  I have tried to create a bridge group, but that was unsuccessful.  Any help will be appreciated.


Hello Tom

Can you confirm if you are using ADSL or VDSL?

As I can see the ATM interface configured, I am assuming it's ADSL?

Can you explain a little bit more what your issue is? Are you saying your internal network isn't able to reach the internet?

Do you have private addressing for your internal LAN?

Res
paul



Kind Regards
Paul

Hello,

I am running ADSL.

Issue:  I have four devices with public IP addresses.  Those four devices cannot get out to the internet.  Previously I had a DSL modem that would take one public IP address.  The other devices, I would point them to the DSL modem's public IP address as the default gateway and they would go out without issue.

Do I have private addressing?  I would like to have private addressing, but my primary concern is to get these four devices with public IPs out to the Internet.

Thank you.

johnlloyd_13
Level 9

Hi Tom,

Just assign any one of the 8 routable IPs under the VLAN 1 SVI and this will be your DG for the rest of the IPs in that range.

Assign the other devices addresses from the same IP subnet and connect them to the available FE0-3 ports.

I did not try taking one of the eight IP addresses and assigning it to VLAN1.  I am reluctant to do that because my router will take two public IP addresses instead of one and that will leave me with no extra IP addresses to play with.  That's why I am trying to avoid using more IPs than I absolutely have to.  That's why I tried doing the bridging.

Thank you for the suggestion.  I will give that a shot if there are no other options.

Have you tried giving VLAN1 one of the IP addresses and then using ip unnumbered Vlan 1 on the dialer interface?

I've used this in the past for Cisco 877 routers with /29 blocks of IP addresses.
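
The suggestion above applied to the original poster's configuration, as an added example that is not part of any post in this thread. 203.0.113.96/29 is a constructed stand-in for the ISP-assigned block, and the PPP credentials are placeholders.

```cisco
! Constructed example: 203.0.113.96/29 stands in for the ISP-assigned block.
! Usable host addresses are 203.0.113.97 through 203.0.113.102.
!
interface Vlan1
 description LAN side of the routed /29 (FastEthernet0-3 are in VLAN 1 by default)
 ! The only address from the block that the router consumes
 ip address 203.0.113.102 255.255.255.248
!
interface Dialer1
 description PPP over ATM towards the ISP
 ! Borrow the Vlan1 address instead of configuring a second one from the /29
 ip unnumbered Vlan1
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ! Placeholders, not values from the thread
 ppp chap hostname <isp-username>
 ppp chap password <isp-password>
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! Hosts on the FastEthernet ports use 203.0.113.97 - 203.0.113.101,
! mask 255.255.255.248, default gateway 203.0.113.102.
! These hosts are routed, not NATed: they are reachable from the Internet
! directly unless inbound filtering is applied on Dialer1.
```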

kmccourt, your suggestion worked perfectly.  Thank you for sharing.  I appreciate it.

Cool! Good info! +5



This works excellently!

Thank you very much.

However, for some reason my EZVPN Client stopped working.

I've changed the outside VPN interface from Dialer0 to VLAN2 (dialer0 is my ATM dialer which is now IP unnumbered, and VLAN2 is now my WAN VLAN). The tunnel comes back up but the client (this) router will not forward any traffic through the tunnel.

Am I missing something? There is rarely any change to the original configuration where dialer0 was designated as the vpn outside interface.

Here is my sanitized config of my 887VA:

version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 4 XXX
!
no aaa new-model
memory-size iomem 10
clock timezone Paris 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-129303053
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-129303053
 revocation-check none
 rsakeypair TP-self-signed-129303053
!
crypto pki certificate chain TP-self-signed-129303053
 certificate self-signed XX
        quit
no ip source-route
!
!
no ip bootp server
ip domain lookup source-interface Dialer0
ip domain name kpn.net
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
license udi pid CISCO887VA-K9 sn FCZXXX
!
username XXX privilege 15 view root secret 4 XXX
!
controller VDSL 0
!
ip ssh version 2
!
crypto ipsec client ezvpn VPN
 connect auto
 group XXGroup key XXX
 local-address Vlan2
 mode network-extension
 peer XY.ZX.IJ.ZZ
 username XX password XX
 xauth userid mode local
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 description KPN
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 pvc 2/32
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 2
 no ip address
!
interface Vlan1
 ip address 172.16.86.134 255.255.255.248
 no ip route-cache
 crypto ipsec client ezvpn VPN inside
!
interface Vlan2
 ip address <PUBLIC IP#1> 255.255.255.252
 ip virtual-reassembly in
 no ip route-cache
 no autostate (This statement was very important because the VPN needs to be online even though no physical devices were connected!)
 crypto ipsec client ezvpn VPN
!
interface Dialer0
 ip unnumbered Vlan2
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname kpn
 ppp pap sent-username kpn password 7 05001601
 no cdp enable
!
ip forward-protocol nd
no ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 10 remark Access CCP/SSH
access-list 10 permit XXXX
dialer-list 1 protocol ip permit
no cdp run
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 10 in
 privilege level 15
 login local
 transport input ssh
!
ntp update-calendar
ntp server nl.pool.ntp.org prefer source Dialer0
!
end

DOH!

It was a bug in the 15.2(4)M4 IOS software.

When I upgraded to 15.3(3)M4 and put the outside ezvpn interface back to dialer0 the problem was resolved!

(When I had vlan2 as the ezvpn outside interface the behaviour was the same as with the 15.2(4)M4 software. Tunnel up, but no tx from client side)
