Cisco 871 unable to pass traffic via VPN

brandontfrank
Level 1

I've got a Cisco 871 connected via VPN to a Cisco 5510, but the sites cannot ping / access each other's subnet. Site A - 192.168.50.x - Cisco ASA 5510, and Site B - 192.168.100.x - Cisco 871.

Running configuration of the Cisco 871W below. I have another 871W with a very similar setup at a different site working with no problems. I reviewed the ACLs and NAT and they're identical besides the local IP range. I also didn't see anything on the Cisco ASA 5510 that would create the problem. Internet access is working fine from the device.

Building configuration...

Current configuration : 6117 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871W
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
no logging console
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-104596476
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-104596476
 revocation-check none
 rsakeypair TP-self-signed-104596476
!
!
crypto pki certificate chain TP-self-signed-104596476
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid WIFI
   vlan 1
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 ***
!
dot11 ssid Guest
   vlan 2
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0 ***
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.200.1 192.168.200.10
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.1
   domain-name ***.lan
   dns-server 4.2.2.2 8.8.8.8 (these will be 192.168.50.x when VPN is working)
   lease 0 2
!
ip dhcp pool sdm-pool2
   import all
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 4.2.2.2 4.2.2.1
!
!
no ip domain lookup
ip domain name ***.lan
!
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
crypto ipsec client ezvpn ASA
 connect auto
 group VPN key ***
 mode network-extension
 peer x.x.x.130
 username Remote password ***
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
 crypto ipsec client ezvpn ASA
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 2 mode ciphers tkip
 !
 ssid WIFI
 !
 ssid Guest
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 l2-filter bridge-group-acl
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 port-protected
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 ip nat inside
 ip virtual-reassembly
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Vlan1
 description Wired Network
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 load-interval 30
 fair-queue
 bridge-group 1
!
interface Vlan2
 no ip address
 ip virtual-reassembly
 ip route-cache flow
 load-interval 30
 fair-queue
 bridge-group 2
!
interface Dialer1
 description ISP Dialin
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp pap sent-username *USERNAME* password 0 *PASSWORD*
 ppp ipcp route default
 ppp ipcp address accept
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 crypto ipsec client ezvpn ASA inside
!
interface BVI2
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map 150 interface FastEthernet4 overload
ip nat inside source route-map 2 interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map 150 permit 10
 match ip address 150
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
x.x.x.130   x.x.x.169  QM_IDLE           2001    0 ACTIVE

rizwanr74
Level 7
Hi there,
Please add a deny line before your permit line.


access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255 
access-list 150 permit ip 192.168.200.0 0.0.0.255 any 
thanks
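The suggestion above hinges on how IOS evaluates the NAT ACL behind route-map 150: first match wins, a deny means the route-map does not match and the packet is not translated, and an ACL that matches nothing is an implicit deny. The following evaluator is an added example, not code from the thread or from Cisco, and it reproduces only the "access-list <n> permit|deny ip <src> <dst>" syntax used in this thread; it shows that the posted ACL 150 NATs guest traffic bound for 192.168.50.0/24, that the added deny line exempts it, and that the wired 192.168.100.0/24 LAN never matched ACL 150 in the first place.

```python
import ipaddress
# Added example (not from the thread): minimal evaluator for the Cisco IOS
# extended-ACL semantics behind "ip nat inside source route-map". Wildcard
# masks: 0 bit = must match, 1 bit = don't care. First match wins; no match = deny.

def _match(spec, addr):
    """spec is 'any' or 'A.B.C.D W.X.Y.Z' (address plus wildcard mask)."""
    if spec == "any":
        return True
    base, wild = (int(ipaddress.IPv4Address(p)) for p in spec.split())
    keep = ~wild & 0xFFFFFFFF
    return (base & keep) == (int(ipaddress.IPv4Address(addr)) & keep)

def _take_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next_i)."""
    if tokens[i] == "any":
        return "any", i + 1
    return f"{tokens[i]} {tokens[i + 1]}", i + 2

def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into tuples."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # skip anything that is not an extended IP entry
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def nat_applies(acl_lines, src_ip, dst_ip):
    """True if src->dst is permitted by the ACL: route-map 150 matches and the
    overload NAT rewrites the source address before it reaches the tunnel."""
    for action, src, dst in parse_acl(acl_lines):
        if _match(src, src_ip) and _match(dst, dst_ip):
            return action == "permit"
    return False  # implicit deny: route-map does not match, no translation

# ACL 150 exactly as posted, and with the deny line the reply suggests.
ORIGINAL_ACL = ["access-list 150 permit ip 192.168.200.0 0.0.0.255 any"]
FIXED_ACL = [
    "access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255",
    "access-list 150 permit ip 192.168.200.0 0.0.0.255 any",
]

if __name__ == "__main__":
    for name, acl in (("as posted", ORIGINAL_ACL), ("with deny", FIXED_ACL)):
        print(name, "guest -> site A NATed:", nat_applies(acl, "192.168.200.25", "192.168.50.10"))
```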

I have changed the ACL, but that traffic is for the guest wireless, which isn't being used. Still a problem.

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    down
FastEthernet1              unassigned      YES unset  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    up
FastEthernet4              *.*.209.169  YES DHCP   up                    up
Dot11Radio0                unassigned      YES NVRAM  up                    up
Dot11Radio0.1              unassigned      YES unset  up                    up
Dot11Radio0.2              unassigned      YES unset  up                    up
Vlan1                      unassigned      YES NVRAM  up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan2                      unassigned      YES NVRAM  up                    down
Dialer1                    *.*.205.214  YES IPCP   up                    up
BVI1                       192.168.100.1   YES NVRAM  up                    up
BVI2                       192.168.200.1   YES NVRAM  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Please post your whole config.
thanks