04-15-2016 12:36 PM
Hello,
I have a new Cisco 819 router that was provided to me by Verizon when they upgraded my T1 line to a 10-megabit connection. Before the upgrade, I had a site-to-site pfSense VPN that worked perfectly. (The pfSense sits on the LAN side of the Cisco 819, and it sat on the LAN side of my previous router). I also used OpenVPN to connect remotely to the pfSense router. I have a new SonicWall firewall, also sitting on the LAN side of the Cisco 819 that I hope to set up VPN connections to as well. The problem is that since the upgrade happened I cannot connect any kind of VPN. The pfSense site-to-site, OpenVPN, and SonicWall connections all time out. Interestingly, I can connect a VPN Client to the SonicWall if the client is also connected to the LAN side of the Cisco 819. This leads me to believe that the Cisco 819 is not passing VPN traffic.
I have turned on logging, and can see packets come in when I try to connect the VPN. For now I configured the access-list to permit any-any, in the hopes of gaining a successful connection. I wish to dial that back once I am in. I have pasted the configuration of the 819 below. I have changed the IP information for security purposes, of course. I did so in a way that should not change the substance of the problem.
Any help would be greatly appreciated. I am relatively new to Cisco, and have spent > 40 hours trying to solve this problem. I feel it likely that I am to the point where I may be missing something obvious.
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
no cdp run
!
track 10 ip sla 11 reachability
!
interface Cellular0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer string LTE
dialer watch-group 1
async mode interactive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
description Verizon WAN
ip address 204.138.69.2 255.255.255.252
ip access-group 150 in
ip nat outside
ip virtual-reassembly in
duplex full
speed 100
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
description Customer LAN
ip address 65.204.55.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static udp 65.204.55.10 500 interface GigabitEthernet0 500
ip nat inside source static udp 65.204.55.10 4500 interface GigabitEthernet0 4500
ip nat inside source static udp 65.204.55.10 443 interface GigabitEthernet0 443
ip nat inside source static tcp 65.204.55.10 443 interface GigabitEthernet0 443
ip nat inside source static esp 65.204.55.10 interface GigabitEthernet0
ip nat inside source route-map NAT-BACKUP interface Cellular0 overload
ip nat inside source route-map NAT-PRIMARY interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 204.138.69.1 track 10
ip route 0.0.0.0 0.0.0.0 204.138.69.1
ip route 0.0.0.0 0.0.0.0 Cellular0 250
!
ip access-list extended NAT
permit ip 65.204.55.0 0.0.0.31 any
!
ip sla auto discovery
ip sla 11
icmp-echo 204.138.69.1 source-interface GigabitEthernet0
frequency 15
ip sla schedule 11 life forever start-time now
logging trap debugging
logging host 65.204.55.2
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
route-map NAT-PRIMARY permit 10
match ip address NAT
match interface GigabitEthernet0
!
route-map NAT-BACKUP permit 10
match ip address NAT
match interface Cellular0
!
access-list 150 permit ip any any log
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
04-21-2016 02:31 AM
Is 65.204.55.0/255.255.255.224 a block being routed to you, or have you just randomly chosen to use it, which is why you have also configured NAT on top of it?
04-21-2016 04:00 AM
Hi, the block 65.204.55.0 was assigned to me by my ISP. I turned off NAT and that fixed the problem. Thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide