CONFIGURING CISCO 891 ISR

Beneto
Level 1

Hello there, I hope someone can help me. I have a Cisco 891 ISR that I'm trying to configure. I'm quite new to Cisco, but so far I was able to get the LTE module to connect and the router has external connectivity. I created a few DHCP pools as per the config below, but I'm unable to ping either the gateway or any other address on the internet, so there is definitely something wrong with the setup. Can someone shed some light and put me in the right direction please?

 

ip dhcp pool Building Management
!Switching, Branch Router
ip dhcp pool CORP
network 192.168.48.0 255.255.255.224
default-router 192.168.48.254
dns-server 192.168.1.5 192.168.1.6 8.8.8.8
domain-name xxxxxxxx.local
lease 8
!
ip dhcp pool BUILDING MANAGEMENT
network 192.168.48.96 255.255.255.224
dns-server 192.168.1.5 192.168.1.6 8.8.8.8
domain-name xxxxx.local
default-router 192.168.48.254
lease 8
!
ip dhcp pool MANAGEMENT
network 192.168.48.128 255.255.255.224
default-router 192.168.48.254
domain-name xxxxx.local
dns-server 192.168.1.5 192.168.1.6 8.8.8.8
lease 8
!
ip dhcp pool PRINTERS
network 192.168.48.64 255.255.255.224
dns-server 192.168.1.5 192.168.1.6 8.8.8.8
domain-name xxxxx.local
default-router 192.168.48.254
lease 8
!
ip dhcp pool test
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 8
!
!
!
no ip domain lookup
ip domain name xxxxx.local
ip name-server 192.168.1.5
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C897VAG-LTE-GA-K9 sn FCZ202590LY
!
!
!
!
!
!
!
controller VDSL 0
!
controller Cellular 0
lte failovertimer 1
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer-group 1
pulse-time 1
!
interface Cellular1
ip address negotiated
encapsulation slip
!
interface Ethernet0
no ip address
shutdown
!
interface GigabitEthernet0
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
switchport access vlan 10
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet3
switchport access vlan 20
no ip address
spanning-tree portfast
!
interface GigabitEthernet4
switchport access vlan 40
no ip address
spanning-tree portfast
!
interface GigabitEthernet5
switchport access vlan 50
no ip address
spanning-tree portfast
!
interface GigabitEthernet6
no ip address
spanning-tree portfast
!
interface GigabitEthernet7
no ip address
spanning-tree portfast
!
interface GigabitEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.10.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.48.254 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.48.65 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan40
ip address 192.168.48.129 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan50
ip address 192.168.48.97 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet1 overload
ip nat inside source list 2 interface Cellular0 overload
ip nat inside source list NAT interface GigabitEthernet1 overload
ip nat outside source list 2 interface Cellular1
ip nat outside source list NAT interface GigabitEthernet1
ip route 0.0.0.0 0.0.0.0 Cellular0
ip route 192.168.1.0 255.255.255.0 Cellular0
ip route 192.168.48.0 255.255.255.0 Cellular0
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended NAT
permit ip 192.168.48.0 0.0.0.255 any
!
ip sla 1
icmp-echo 8.8.8.8
ip sla schedule 1 start-time after 00:05:00
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
!
!


@Beneto 

For a start, change the NAT below to "ip nat inside"

on all VLANs:

interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Vlan2
ip address 10.10.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.48.254 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan20
ip address 192.168.48.65 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan40
ip address 192.168.48.129 255.255.255.224
ip nat outside
ip virtual-reassembly in
!
interface Vlan50
ip address 192.168.48.97 255.255.255.224
ip nat outside
ip virtual-reassembly in
!

You are doing NAT overload on the interface GigabitEthernet1. What do you have connected to this interface? Is it another internet gateway?

ip nat inside source list 1 interface GigabitEthernet1 overload

You are doing NAT overload with access list 2, but I don't see access list 2 anywhere.


ip nat inside source list 2 interface Cellular0 overload
ip nat inside source list NAT interface GigabitEthernet1 overload
ip nat outside source list 2 interface Cellular1
ip nat outside source list NAT interface GigabitEthernet1

Thank you, Flavio.

I don't have an ACL 2; this was probably a typo. I have removed it now, and I end up with only "ip nat inside source list NAT interface Cellular0 overload". Cellular0 is my LTE modem, and for my NAT ACL I have "permit ip 192.168.48.0 0.0.0.255 any". I also changed to ip nat inside on the VLANs.

 

I still have no outside access, and what is weirder, I cannot ping the GW 192.168.48.254.

Can I see the whole show running-config again?

 

One more question: isn't 192.168.48.254 VLAN 10 on your router?

interface Vlan10
ip address 192.168.48.254 255.255.255.224

@Beneto 

Configuration looks much better.

Site-to-site VPN with DHCP is complicated. The problem is not on this router but at the other end. If your router changes its IP address, the other end needs to know.

 

Devaa
Spotlight

Hi @Beneto 

The network in the CORP DHCP pool is wrong; it is not present on any of your VLANs. Also, the default-router is the same in all the pools, which is incorrect. You should update the default-router to the appropriate IP configured on that VLAN interface.

 

! For VLAN 10, I believe
ip dhcp pool CORP
 no network 192.168.48.0 255.255.255.224
 network 192.168.48.224 255.255.255.224
 default-router 192.168.48.254
!

! For VLAN 50
ip dhcp pool BUILDING MANAGEMENT
 network 192.168.48.96 255.255.255.224
 no default-router 192.168.48.254
 default-router 192.168.48.97
!

! For VLAN 40
ip dhcp pool MANAGEMENT
 network 192.168.48.128 255.255.255.224
 no default-router 192.168.48.254
 default-router 192.168.48.129
!

! For VLAN 20
ip dhcp pool PRINTERS
 network 192.168.48.64 255.255.255.224
 no default-router 192.168.48.254
 default-router 192.168.48.65
!

 

Update your DHCP pools as above and check whether the devices get an IP and whether the gateway is reachable. Also check the internet.

If the GW is reachable and the internet still doesn't work, share the output of the command below:

 

sh runn | i route|nat|access

 

Hi Devaa

It does work; I can now ping the GW from the respective DHCP pools. I guess I had the mask outside of the range?

Do you happen to know how I can go about configuring an IPsec VPN to a FortiGate device using this router, with the downside of using a dynamic IP address over a cellular WAN? Any guidance or documentation would be appreciated.

Devaa
Spotlight

You had the network ID in the CORP DHCP pool wrong. Also, the default gateway was wrong in all the other pools.

To configure an IPsec VPN between the router and the firewall, you should have a public IP at both ends, or at least at one end.

You can refer to the config below for a site-to-site IPsec tunnel on the router side.

 

conf t
! Feel free to change any attributes as per your requirement
 crypto isakmp policy 1 
  hash sha
  auth pre-share
  group 5
  lifetime 7200
  encryption aes 256
  exit

 crypto isakmp key 0 <password> address <firewall-public-ip>

! Create transform set same as in firewall
 crypto ipsec transform-set TSET1 esp-aes 256 esp-sha-hmac
 crypto ipsec security-association lifetime seconds 7200

! Match Interesting Traffic as per your need
ip access-list extended IPSEC_ACL
 permit ip 192.168.48.0 0.0.0.255 192.168.0.0 0.0.255.255


crypto map CMAP1 10 ipsec-isakmp
 match address IPSEC_ACL
 set peer <firewall-public-ip>
 set transform-set TSET1

! LAN to LAN IPSEC
interface <outgoing-interface>
 crypto map CMAP1

The config will differ if you need remote access VPN. Check if the link below helps for the Fortinet side.

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/783623/configuring-ipsec-vpn-on-hq

Many thanks Devaa, I will give it a go. I think the main challenge is posed by the dynamic IP address. I will look at the possibility of having the tunnel initiated on demand from the Cisco side, perhaps.

I managed to get the IPsec tunnel up using the configuration below. The issue is that I can only get the tunnel up if I use the ACL with "any" in the access list; if I revert to 192.168.48.0 0.0.0.255 192.168.0.0 0.0.255.255 the tunnel doesn't form. Also, with the "any" in place I lose internet access at both ends and can't ping anything. There is eventually a misconfiguration here that I haven't been able to spot; any chance of putting me in the right direction?

Interface: Cellular0

Profile: profile-tickets
Session status: UP-ACTIVE
Peer: 10.176.19.199 port 500
  Session ID: 1
  IKEv2 SA: local 10.70.180.156/500 remote 10.176.19.199/500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Active SAs: 0, origin: crypto map
 
 
 
crypto ikev2 proposal proposal-tickets
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy policy-tickets
 proposal proposal-tickets
!
crypto ikev2 keyring keyring-tickets
 peer tickets
  address 10.176.19.199
  pre-shared-key local xxxxxx
  pre-shared-key remote xxxxxx
 
crypto ikev2 profile profile-tickets
 match identity remote address 10.176.19.199 255.255.255.255
 identity local address 10.70.180.156
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring-tickets
!
!
!
controller VDSL 0
!
controller Cellular 0
 lte failovertimer 1
 lte modem link-recovery rssi onset-threshold -110
 lte modem link-recovery monitor-timer 20
 lte modem link-recovery wait-timer 10
 lte modem link-recovery debounce-count 6
!
!
!
!
crypto ipsec transform-set trans-tickets esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
!
!
crypto map map-tickets 10 ipsec-isakmp
 set peer 10.176.19.199
 set transform-set trans-tickets
 set ikev2-profile profile-tickets
 match address acl-tickets
!
!
!
!
!
!
interface ATM0
 no ip address
 ip nat inside
 ip virtual-reassembly in
 no atm ilmi-keepalive
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 pulse-time 1
 crypto map map-tickets
!
interface Cellular1
 ip address negotiated
 encapsulation slip
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet2
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet3
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet4
 switchport access vlan 40
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet5
 switchport access vlan 50
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet6
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet7
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet8
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip virtual-reassembly in
!
interface Vlan2
 ip address 10.10.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.48.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan20
 ip address 192.168.48.65 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan40
 ip address 192.168.48.129 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan50
 ip address 192.168.48.97 255.255.255.224
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface Cellular0 overload
ip nat inside source list NAT interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip route 192.168.1.0 255.255.255.0 Cellular0
ip route 192.168.48.0 255.255.255.0 Cellular0
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended acl-tickets
 permit ip 192.168.48.0 0.0.0.255 192.168.0.0 0.0.255.255
!
ip sla 1
 icmp-echo 8.8.8.8
ip sla schedule 1 start-time after 00:05:00
dialer-list 1 protocol ip permit
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.48.0 0.0.0.255

Devaa
Spotlight

The ACL should match your interesting traffic. "permit ip any any" will try to tunnel your internet traffic as well. Is that what you need?

Draft the ACL based on your need. The private destination IPs that have to be accessed via the tunnel should be in the ACL. Leave the rest out so your internet keeps working.

Also, you are using private IPs as peer IPs. Is that expected? Are you using any VPN service from the ISP? FYI, some ISPs may block IPsec traffic in some countries.

You can use PBR as well, if required. 

The IP is CGNAT, provided by my mobile SIM provider. I'm able to VPN between devices in the same CGNAT range, but traffic doesn't flow. I will need to request a true, non-NATed public IP to have this solved. Many thanks for your help Devaa.