Authenticating with Hotspot router through DMVPN tunnel

cco4mike1
Level 1

Hi all,

I have a big bad DMVPN (Hub and 2 spokes) problem which I can't quite sort out.

There are 3 sites - A (hub), B and C - (C is not an issue however as it uses its own link to get out to the internet)

All users from Site B need to access all traffic (internet) through the DMVPN tunnel. (through site A's ADSL 2+ link)

This part is now sorted out.

However, there are 2 VLANs on the Site A Cisco 877 router - 1 for Admin use and one for customers to pay for internet usage via an Ericsson HS 1100 Hotspot router.

VLAN 1 - Admin = 10.61.3.x

VLAN 2- Customer = 192.168.112.x (Fe3)

Also -

Site B = 10.0.0.x

Site C= 192.168.10.x

The HS 1100 has 4 Lan ports on the back and a wifi link - If users connect to the router via wifi/ethernet, they are prompted to enter a username and password to pay for internet access.

The HS1100 also has a default gateway for its WAN port of 10.61.3.1 (Site A's VLAN1 LAN address). This gets them out to the internet ok.

So far I cannot get users from Site B to be prompted for username/password to pay for their internet usage through the DMVPN tunnel.

I have attached a rough diagram and have SITE A and SITE B's configs

Please assist.

SITE A

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile TPLUS_Profile1
set transform-set ESP-3DES-SHA
!
!
!
dot11 ssid xxxxxxxxx
   authentication open
   authentication key-management wpa optional
   guest-mode
   wpa-psk ascii xxxxxxxxxxx
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 10.61.3.0 255.255.255.0
   default-router 10.61.3.1
   dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxx privilege 15 secret xxxxxxxxxxxxx
archive
log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication TPLUS_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon
delay 1000
tunnel source 111.111.111.111
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface Dot11Radio0
no ip address
shutdown
!
encryption mode ciphers tkip wep128
!
ssid xxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description CUSTOMER_LOCAL_LAN
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description HS1100_VLAN
ip address 192.168.112.230 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
!
interface Dialer0
description ADSL Link FNN xxxxxxx
ip address 111.111.111.111 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx
ppp chap password xxxxxxxxxx
!
interface BVI1
ip address 10.61.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.112.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server

ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
deny   ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.112.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.61.3.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any      <-----  perhaps not required?
permit ip 192.168.112.0 0.0.0.255 any
!
!
access-list 22 permit 10.61.3.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
bridge 1 route ip
banner login ^C

***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
*                       Act or State legislation                      *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
*                         not be disclosed.                           *
***********************************************************************
^C
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
access-class 22 in
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000

!
webvpn cef
end

SITE B

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 203.50.2.71 139.130.4.4
!
!
ip cef
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip ssh version 2
!
!
!
!
username xxxxxxxxxx privilege 15 secret xxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address 111.111.111.111
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile TPLUS_Profile1
set transform-set ESP-3DES-SHA
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.0.3 255.255.255.0
ip mtu 1400
ip nhrp authentication TPLUS_NW
ip nhrp map 172.16.0.1 111.111.111.111
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 172.16.0.1
ip nhrp registration no-unique
ip nhrp cache non-authoritative
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 111.111.111.111
tunnel key 100000
tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description CUSTOMER_LOCAL_LAN
ip address 10.0.0.1 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
!
interface Dialer0
description ADSL Link FNN xxxxxxx
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxx
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
no auto-summary
!
ip route 111.111.111.0 255.255.255.0 Dialer0
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
!
no cdp run
!
control-plane
!
banner login ^C

***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
*                       Act or State legislation                      *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
*                         not be disclosed.                           *
***********************************************************************
^C
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000
end

10 Replies

jhubel
Level 1

Hi cco4mike1 -

What file type is that diagram you attached?  I can't open it up because it doesn't have an extension.  Maybe it's just me.

What I'm understanding is this; tell me if I'm wrong.  You have people at Site B who *should* connect to the internet via the following: RouterB --> DMVPN --> RouterA --> HS1100 --> RouterA --> Internet.  You also mentioned that connecting via wireless at Site A works, but I see that your wireless interface is shutdown on RouterA.

So, I'm thinking that when people at SiteA go to the internet, they must be connecting to the wireless on the HS1100.  That device then sends default traffic to RouterA, which then sends default traffic to the internet.  Thus it works.

So, what I'm thinking is that your routing logic is amiss at RouterA.   You have a default route that points to the internet, but you actually  want Site B traffic to go through the HS1100.  Thus, when traffic comes in  off the DMVPN, it goes right out to the internet, bypassing the HS1100.  But, if you changed the default route to point to the HS1100, you'd create a routing loop between RouterA and the HS1100.

The way I see it, there are two ways to solve the problem.  One is Policy Based Routing.  The policy would say "if traffic is coming from SiteB and it arrives on interface Tunnel0, then the next-hop IP should be the HS1100.  That way the policy would override the static route that you have in place.

More info on PBR:

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

The second option is to throw another router at it; either a virtual router using VRFs, or a physical router.  One router would bring traffic in off the DMVPN and have a default route pointing to the HS1100 and the other router would be the internet gateway that has a default route pointing to the internet.

More info on VRFs:

http://en.wikipedia.org/wiki/VRF

Hope this helps,

Jeff

Hi Jeff,

I noticed that about the attachment as well, but open as .PDF and you should be ok.

You are right in saying that the clients at Site A get to the Internet via the wireless on the HS1100 and not the Cisco 877.

The clients at Site B get to the internet also like you suggested--  RouterB --> DMVPN --> RouterA -->(ethernet) HS1100 --> RouterA --> Internet.

Unfortunately getting another physical router is out of the question and my experience with VRF is limited at this stage.

I've thought about some sort of policy based routing but am not sure how to implement at this stage, do you have anything in mind and would the policy be applied to Tunnel 0?

I will have a look at your link on VRF now.

thanks for the reply

Mike.

Mike -

Ahh, I tried adding a .jpg, and a .vsd without any luck, but I didn't try .pdf.

To pull off a solution with PBR, I believe the following config should do it for you.  Note that the "permit 20" line of the route-map allows any traffic that "permit 10" did not permit.  If you do not include that line, the default is to drop all remaining traffic, much like an access-list has that implicit "deny any" at the end.  Also, note that return traffic from the internet will not be routed through the HS1100.  If this is a problem, you can craft a similar route-map and apply it to the dialer interface.

access-list 100 permit ip 10.0.0.0 0.0.0.255 any
!
route-map policy-route permit 10
  match ip address 100
  set ip next-hop 192.168.112.254
route-map policy-route permit 20
!
interface Tunnel0
  ip policy route-map policy-route

However, if you want to go with VRFs, I believe the following config should work.  Note that you should apply this config using the router console because when you bind an interface to a VRF, the router removes the IP from the interface.  You then simply need to re-add it.

ip vrf one
ip vrf two
!
interface Dialer0
  ip vrf forwarding one
interface BVI1
  ip vrf forwarding one
interface Tunnel0
  ip vrf forwarding two
  tunnel vrf one
interface Vlan2
  ip vrf forwarding two
!
no ip route 0.0.0.0 0.0.0.0 Dialer0

ip route vrf one 10.0.0.0 255.255.255.0 10.61.3.[the-hs1100]

ip route vrf one 0.0.0.0 0.0.0.0 Dialer0
ip route vrf two 0.0.0.0 0.0.0.0 192.168.112.254

This link might be helpful in understanding the VRF solution as it applies to GRE tunnels:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml

Thanks,
Jeff

Jeff,

I've just tried the policy-based method and also taken out "ip nat inside" from VLAN2 and "permit ip 10.0.0.0 0.0.0.255 any" from the PAT statement. But when I try a traceroute from SITE B to the internet from a source of 10.0.0.1 I get stuck at the HUB's GRE IP 172.16.0.1

SITEB#traceroute 4.2.2.2 source 10.0.0.1

Type escape sequence to abort.
Tracing the route to 4.2.2.2

  1 172.16.0.1 36 msec 32 msec 32 msec
  2  *  *  *
  3  *  *  *
  4  *  *  *
  5  *  *  *
  6  *  *  *
  7  *  *

Perhaps, my issue is more fundamental, or possibly the HS1100 won't accept traffic from 10.0.0.0 network?

The config now looks like this-

SITE-A

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!

!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key caroline address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile TPLUS_Profile1
set transform-set ESP-3DES-SHA
!
!
!
dot11 ssid xxxxxxxx
   authentication open
   authentication key-management wpa optional
   guest-mode
   wpa-psk ascii xxxxxxxx
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 10.61.3.0 255.255.255.0
   default-router 10.61.3.1
   dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username advantage privilege 15 secret xxxxxxxxxxxxx
archive
log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication TPLUS_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon
ip policy route-map policy-route
delay 1000
tunnel source 111.111.111.111
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface Dot11Radio0
no ip address
shutdown
!
encryption mode ciphers tkip wep128
!
ssid xxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description CUSTOMER_LOCAL_LAN
no ip address
ip nat inside
ip virtual-reassembly
no ip route-cache cef
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description HS1100_VLAN
ip address 192.168.112.230 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
!
interface Dialer0
description ADSL Link FNN xxxxxxx
ip address 111.111.111.111 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxx
ppp chap password xxxxxxxx
!
interface BVI1
ip address 10.61.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.112.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
deny   ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.112.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.61.3.0 0.0.0.255 any
permit ip 192.168.112.0 0.0.0.255 any
!
access-list 22 permit 10.61.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map policy-route permit 10
match ip address 100
set ip next-hop 192.168.112.254
!
route-map policy-route permit 20
!
!
control-plane
!
bridge 1 route ip
banner login ^C

***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
*                       Act or State legislation                      *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
*                         not be disclosed.                           *
***********************************************************************
^C
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
access-class 22 in
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000

!
webvpn cef
end

Mike -

Because I don't know how an HS1100 works, I can't tell anything for sure.  But here are a few ideas.

1) Keep in mind that a traceroute is only a test; it does not determine if something actually works or not.  Since traceroutes work by depending on routers to send icmp messages, your results can be hit-or-miss based upon whether a router responds properly.  Results can also vary based upon whether intermediate routers pass icmp messages.  The best way to test this scenario is to actually use a computer at Site B and hit the internet using a web browser.

2) Could it be possible that the traceroute is being dropped by the HS1100 because you have not authenticated in order to gain internet access?

3) Do you know if the HS1100 is performing any type of NAT?  You can tell if it is by looking at the NAT table on the router when a wireless computer at Site A goes to the internet.  On the router, type "show ip nat translation" and see if the source address is the client's real IP or the HS1100 IP.

4) I noticed that you removed that ACL line that permits NAT for 10.0.0.0/24.  If the HS1100 is not performing any NAT, this line is important and should be inserted back into the ACL.

Maybe one of these thoughts will get us on the right track.
Jeff
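Added worked example (an editor's illustration, not a post from this thread): a small Python model of the IOS first-match rules that Jeff's PBR config and his point 4 both depend on. It encodes Site A's `ip access-list extended NAT` (with and without the `permit ip 10.0.0.0 0.0.0.255 any` entry), `access-list 100`, and the `policy-route` route-map with the empty `permit 20` fall-through, then walks a Site B packet through the hub twice: once arriving on Tunnel0, and once after the hotspot hands it back on the 10.61.3.0/24 side. Assumptions not stated on the page: the HS1100 source-NATs to its WAN address 10.61.3.9 (the address that shows up as hop 2 in the final traceroute later in the thread), the sample host 10.0.0.5 is constructed, and translation is modelled only for the Dialer0 egress because that is the only `ip nat outside` interface in the posted config.

```python
"""
Illustration of the IOS first-match rules used in the thread: an extended ACL
feeding `ip nat inside source list NAT interface Dialer0 overload`, and a
route-map bound with `ip policy route-map policy-route` on Tunnel0.
Addresses are the ones posted in the thread; the HS1100 behaviour is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = Tuple[str, str]          # (network, Cisco wildcard mask)
ANY: Net = ("0.0.0.0", "255.255.255.255")


def matches(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if matches(src, *ace.src) and matches(dst, *ace.dst):
            return ace.action
    return "deny"


# `ip access-list extended NAT` as first posted for Site A
NAT_ACL = [
    Ace("deny",   ("10.61.3.0", "0.0.0.255"),     ("10.0.0.0", "0.0.0.255")),
    Ace("deny",   ("192.168.112.0", "0.0.0.255"), ("192.168.10.0", "0.0.0.255")),
    Ace("deny",   ("10.61.3.0", "0.0.0.255"),     ("192.168.10.0", "0.0.0.255")),
    Ace("permit", ("10.61.3.0", "0.0.0.255"),     ANY),
    Ace("permit", ("10.0.0.0", "0.0.0.255"),      ANY),
    Ace("permit", ("192.168.112.0", "0.0.0.255"), ANY),
]
# Mike's later edit removed the 10.0.0.0/24 permit
NAT_ACL_TRIMMED = [a for a in NAT_ACL if a.src != ("10.0.0.0", "0.0.0.255")]

# access-list 100 plus route-map policy-route (seq 10 match/set, seq 20 empty)
ACL_100 = [Ace("permit", ("10.0.0.0", "0.0.0.255"), ANY)]
PBR_NEXT_HOP = "192.168.112.254"   # value from Jeff's example route-map


def policy_route(src: str, dst: str) -> Optional[str]:
    """Return the PBR next-hop, or None when seq 20 lets the packet fall
    through to the routing table (here: the default route via Dialer0)."""
    return PBR_NEXT_HOP if acl_lookup(ACL_100, src, dst) == "permit" else None


def hub_forward(src: str, dst: str, ingress: str, acl: List[Ace]) -> dict:
    """One pass through the hub for a packet src->dst arriving on `ingress`.
    PBR is bound only to Tunnel0.  Inside->outside NAT happens only when the
    egress is Dialer0, the sole `ip nat outside` interface in the config."""
    nh = policy_route(src, dst) if ingress == "Tunnel0" else None
    egress = "Vlan2" if nh else "Dialer0"
    translated = egress == "Dialer0" and acl_lookup(acl, src, dst) == "permit"
    return {"next_hop": nh or "default", "egress": egress,
            "src_after_nat": "111.111.111.111" if translated else src}


HS1100_WAN = "10.61.3.9"   # assumed: the hotspot source-NATs to its WAN address


def site_b_path(dst: str, acl: List[Ace], src: str = "10.0.0.5") -> List[dict]:
    """Model the two passes a Site B packet makes through the hub once PBR
    hairpins it via the hotspot: Tunnel0 -> HS1100 -> BVI1 -> Dialer0."""
    first = hub_forward(src, dst, "Tunnel0", acl)
    hops = [first]
    if first["egress"] == "Vlan2":
        # the HS1100 rewrites the source and hands the packet back to 10.61.3.1
        hops.append(hub_forward(HS1100_WAN, dst, "BVI1", acl))
    return hops


if __name__ == "__main__":
    for hop in site_b_path("4.2.2.2", NAT_ACL_TRIMMED):
        print(hop)
```

`site_b_path("4.2.2.2", NAT_ACL_TRIMMED)` returns two passes: the first egresses Vlan2 untranslated (the route-map wins over the default route, and Vlan2 is not a NAT outside interface), the second egresses Dialer0 translated because the source is now in 10.61.3.0/24. That is why the trimmed ACL still works once the hairpin is in place, and why Jeff's point 4 matters: a Site B packet that reaches Dialer0 directly, without the 10.0.0.0/24 permit, falls to the implicit deny and leaves with its private source address intact.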

Hi Jeff,

The HS1100 will need to NAT 192.168.112.x traffic out 10.61.3.1 (VLAN1) and then 10.61.3.x traffic will need to NAT out dialer0 of the cisco 877.

This is where it gets confusing since the HS1100 will only be NATting out 192.168.112.x traffic; however, do we need the 10.0.0.x network to 'appear' as if it's coming from 192.168.112.x in order for the HS1100 NATting to work properly?

The HS1100 is set up to accept ping and even though I didn't expect the traceroute to get out to the internet (due to the auth requirement) I would have thought it may have made it to 192.168.112.254 before being dropped.

Right now the HS1100's WAN interface is set up to receive its default gateway automatically via DHCP, which it is, and is working successfully for local wireless clients at Site A.

Perhaps another public IP is required, so it can sit on VLAN1 so there is not this 'double nat' situation going on.

A colleague of mine has the following ideas that we'll have to also explore-

" the solution might require bridging the two ends over the vpn so layer 2 info can pass and the remote router can just get dhcp from the hub, so remote clients are basically on the local network. apparently l2tpv3 is the way to go for this? Or any other way to bridge over the current VPN so layer 2 info can go through?

add the tunnel to the bridge group?

assign bvi on remote router a ip address on the hub subnet

"  ??

Thanks so much for your info so far Jeff, really appreciated!

Mike -

While bridging the two subnets together might work, that is definitely not a "best practice" fix.  You would accomplish bridging by first removing the IP addresses from the tunnel0 and vlan2 interfaces, then by adding "bridge-group 2" to those same two interfaces.  Then, you would apply the 192.168.112.230 IP address to the newly created BVI2 interface.  Then, a similar config would be applied to RouterB.  But, again, I wouldn't do that.

It sounds to me like your problem might be that the HS1100 does not have a static route for the 10.0.0.0/24 network that points at 192.168.112.230.  Without this route, the HS1100 will receive traffic from Site B, NAT it to the internet, and, when the reply comes back, will not know where to send it.  This would produce a result that I can't predict, as I'm not familiar with how an HS1100 behaves.  I bet it would most likely drop the traffic because it wouldn't allow traffic to leave an interface it came in on.

Your idea of giving the HS1100 its own public IP address is probably the best solution.  However, can you add an ADSL card to it?

Do you get replies if you ping 192.168.112.254 from RouterA?

Jeff

Jeff,

Yes I can ping 192.168.112.254 from router A.

I will look at getting that static route to 10.0.0.0/24 via 192.168.112.230 added to the HS1100 and see how that goes.

Unfortunately the HS1100 isn't modular

regards,

Mike.

The plot thickens.

I've only just been told that the HS1100 is split up into 3 VLANs: .110.x, .111.x, .112.x

The .112.x subnet is for the wireless clients and the .111.x and .110.x are for ethernet: fe0-1 = VLAN 110, fe2-3 = VLAN 111.

The Cisco 877 I am told is plugged into Fe3, hence VLAN 2 of the Cisco 877 now has the address of 192.168.111.230 (HS1100 = 111.1)

I have also confirmed that the HS1100 now has a static route in it to the 10.0.0.0/24 network via 192.168.111.230

The current config is as follows- (note VLAN 2 has been setup for future bridging with another interface if required)

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile TPLUS_Profile1
set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
   network 10.61.3.0 255.255.255.0
   default-router 10.61.3.1
   dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username xxxxxx privilege 15 secret xxxxxxxxx
archive
log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
bandwidth 1000
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat inside
ip nhrp authentication TPLUS_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp cache non-authoritative
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon
ip policy route-map policy-route
delay 1000
tunnel source 111.111.111.111
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
load-interval 30
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 2
spanning-tree portfast
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description CUSTOMER_LOCAL_LAN
ip address 10.61.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
!
interface Vlan2
description HS1100_VLAN
no ip address
ip virtual-reassembly
no ip route-cache cef
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
description ADSL Link FNN xxxxxxx
ip address 111.111.111.111 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxx
ppp chap password xxxxxxxxx
!
interface BVI1
ip address 192.168.111.230 255.255.255.0
ip nat inside
ip virtual-reassembly
!
router rip
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.111.0
default-information originate
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
deny   ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
deny   ip 192.168.111.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 10.61.3.0 0.0.0.255 any
!
access-list 22 permit 10.61.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map policy-route permit 10
match ip address 100
set ip next-hop 192.168.111.1
!
route-map policy-route permit 20
!
!
control-plane
!
bridge 1 route ip
banner login ^C

***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
*                       Act or State legislation                      *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
*                         not be disclosed.                           *
***********************************************************************
^C
!
line con 0
no modem enable
transport output all
line aux 0
transport output all
line vty 0 2
access-class 22 in
exec-timeout 20 0
login local
transport input telnet
line vty 3 4
exec-timeout 20 0
login local
transport input ssh
!
scheduler max-task-time 5000

!
webvpn cef
end

Now from SITE B a traceroute to the internet successfully yields the following result -

TB_BB_Advantage#traceroute 4.2.2.2 source 10.0.0.1

Type escape sequence to abort.
Tracing the route to 4.2.2.2

  1 172.16.0.1 32 msec 36 msec 36 msec
  2 10.61.3.9 36 msec 32 msec 36 msec
  3 10.61.3.1 36 msec 36 msec 36 msec
  4 165.228.0.1 56 msec 48 msec 52 msec
  5 203.50.80.1 120 msec 48 msec 52 msec
  6 203.50.6.13 68 msec 64 msec 68 msec
  7 203.50.6.90 64 msec 64 msec 68 msec
  8 203.50.13.78 64 msec 68 msec 64 msec
  9 202.84.221.85 64 msec 64 msec 64 msec
10 202.84.140.153 256 msec 256 msec 256 msec
11 202.84.251.85 228 msec 220 msec 224 msec
12 134.159.62.198 260 msec 280 msec 256 msec
13 4.68.18.126 220 msec 224 msec
    4.68.18.62 220 msec
14 4.68.123.6 260 msec 256 msec 256 msec
15 4.2.2.2 220 msec 220 msec 220 msec
TB_BB_Advantage#

The trace is successful; however, the HS1100 is not being queried?

Any ideas?
