06-29-2015 02:57 PM
I've got a Cisco 871 connected via VPN to a Cisco ASA 5510, but the two sites cannot ping or access each other's subnet. Site A - 192.168.50.x - Cisco ASA 5510, and Site B - 192.168.100.x - Cisco 871.
Running configuration of the Cisco 871W is below. I have another 871W with a very similar setup at a different site working with no problems. I reviewed the ACLs and NAT and they're identical apart from the local IP range. I also didn't see anything on the Cisco ASA 5510 that would create the problem. Internet access is working fine from the device.
Building configuration...
Current configuration : 6117 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 871W
!
boot-start-marker
boot-end-marker
!
logging buffered 10000
no logging console
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-104596476
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-104596476
revocation-check none
rsakeypair TP-self-signed-104596476
!
!
crypto pki certificate chain TP-self-signed-104596476
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303435 39363437 36301E17 0D303230 37303430 31313331
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3130 34353936
34373630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
C9AF8E14 BE966DE2 77697D4A 06CF0321 53AC9661 9AB93F04 C107978E 416EB7A1
42EA8427 4122E6C8 CAA1BCF0 B67C3F87 A0EF9520 3D9673E0 6BD4A248 186A8E27
F90FBA96 0E892A3A C6E73B82 3A212447 E1F7F01A 746952A5 838335E8 5C1C4A1E
187604A9 3890A915 3CC92465 3931DAF5 DF41804F 343510EF 384EE133 F97CA6DF
02030100 01A37930 77300F06 03551D13 0101FF04 05300301 01FF3024 0603551D
11041D30 1B821953 54474F42 41494E2D 38373157 2E766F67 656C7769 2E6C616E
301F0603 551D2304 18301680 14B838B7 2EA4F673 B43835E0 0AF9BBE5 A1354D1A
65301D06 03551D0E 04160414 B838B72E A4F673B4 3835E00A F9BBE5A1 354D1A65
300D0609 2A864886 F70D0101 04050003 8181003E E4698D80 2D7DD26E 39C7ACB0
5A52611F 69BFC7A7 9F19B3A5 F0AB1F55 BD18DBE9 091BFC76 90378A00 403CBD22
A5D915B0 04139FB8 4A8BAA01 938CAB56 2EE39E7B C70D2429 215CD7A7 F88E3AB8
1BECABB9 377E22E6 07F69375 10929BA7 0F32BF76 ACF81DE3 4FF0C8F7 4966594D
1EEBA4B8 D1FA784E DEAA69EA F7B66412 5895A5
quit
dot11 syslog
!
dot11 ssid WIFI
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 0 ***
!
dot11 ssid Guest
vlan 2
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 ***
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.100.1 192.168.100.100
ip dhcp excluded-address 192.168.200.1 192.168.200.10
!
ip dhcp pool sdm-pool1
import all
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
domain-name ***.lan
dns-server 4.2.2.2 8.8.8.8 (these will be 192.168.50.x when VPN is working)
lease 0 2
!
ip dhcp pool sdm-pool2
import all
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 4.2.2.2 4.2.2.1
!
!
no ip domain lookup
ip domain name ***.lan
!
vpdn enable
!
vpdn-group 1
!
!
!
!
!
!
crypto ipsec client ezvpn ASA
connect auto
group VPN key ***
mode network-extension
peer x.x.x.130
username Remote password ***
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe-client dial-pool-number 1
crypto ipsec client ezvpn ASA
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 2 mode ciphers tkip
!
ssid WIFI
!
ssid Guest
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
l2-filter bridge-group-acl
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
ip nat inside
ip virtual-reassembly
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
encapsulation dot1Q 2
ip nat inside
ip virtual-reassembly
no cdp enable
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 spanning-disabled
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
!
interface Vlan1
description Wired Network
no ip address
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
load-interval 30
fair-queue
bridge-group 1
!
interface Vlan2
no ip address
ip virtual-reassembly
ip route-cache flow
load-interval 30
fair-queue
bridge-group 2
!
interface Dialer1
description ISP Dialin
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp pap sent-username *USERNAME* password 0 *PASSWORD*
ppp ipcp route default
ppp ipcp address accept
!
interface BVI1
description $ES_LAN$
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ASA inside
!
interface BVI2
ip address 192.168.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map 150 interface FastEthernet4 overload
ip nat inside source route-map 2 interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map 150 permit 10
match ip address 150
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
!
line con 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
x.x.x.130 x.x.x.169 QM_IDLE 2001 0 ACTIVE
06-30-2015 07:08 AM
Hi there,
Please add a deny line before your permit line.
access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
thanks
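The suggestion above is the standard IOS NAT-exemption pattern: the ACL referenced by the NAT route-map must deny LAN-to-remote-VPN-subnet traffic before the permit-to-any line, otherwise that traffic is translated to the outside address before IPsec sees it and never matches the tunnel. The following is an added example, not code from the thread or from Cisco: a small Python evaluator for extended IOS ACL lines of the form `access-list N permit|deny ip <src> <dst>`, implementing Cisco wildcard masks (a set bit means "don't care"), first-match semantics and the implicit deny at the end of every ACL. The two ACL texts are constructed from the thread's original access-list 150 and the proposed fix; the sample addresses are assumed hosts in the subnets named in the thread.

```python
"""Evaluate IOS extended ACLs against a source/destination pair.

Added example for the NAT-exemption discussion: shows that without the
deny line, guest traffic to the remote 192.168.50.0/24 is selected for
NAT (permit), and that with the deny line in front it is not.
Only 'ip' (any protocol) entries with any/host/wildcard addresses are
handled; ports and protocol keywords are out of scope here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MASK32 = 0xFFFFFFFF


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: int
    src_wild: int    # Cisco wildcard: 1 bits are ignored when matching
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one address spec starting at tokens[i].

    Accepts 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W' (address + wildcard).
    Returns (address, wildcard, index_of_next_token).
    """
    tok = tokens[i]
    if tok == "any":
        return 0, MASK32, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines in order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        action = t[2]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        src, sw, i = _parse_addr(t, 4)
        dst, dw, _ = _parse_addr(t, i)
        entries.append(AclEntry(action, src, sw, dst, dw))
    return entries


def _addr_matches(addr: int, entry_addr: int, wild: int) -> bool:
    # Bits that are 0 in the wildcard must be identical; 1 bits are ignored.
    return ((addr ^ entry_addr) & (~wild & MASK32)) == 0


def acl_decision(entries: List[AclEntry], src: str, dst: str) -> str:
    """First-match evaluation; unmatched traffic hits the implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if _addr_matches(s, e.src, e.src_wild) and _addr_matches(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


def nat_applies(acl_text: str, src: str, dst: str) -> bool:
    """True if a NAT route-map using this ACL would translate the flow."""
    return acl_decision(parse_acl(acl_text), src, dst) == "permit"


# Constructed from the thread: the original ACL 150 and the proposed fix.
ORIGINAL_ACL_150 = """
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
"""
EXEMPTED_ACL_150 = """
access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Assumed sample hosts in the subnets named in the thread.
    for label, acl in (("original", ORIGINAL_ACL_150), ("with deny", EXEMPTED_ACL_150)):
        for dst in ("192.168.50.10", "8.8.8.8"):
            print(f"{label:10s} 192.168.200.5 -> {dst:14s} NAT: {nat_applies(acl, '192.168.200.5', dst)}")
```

The evaluator also makes visible that ACL 150 only covers the 192.168.200.0/24 guest source: a packet from the wired 192.168.100.0/24 network falls through to the implicit deny of this ACL regardless of the fix, so the exemption for that subnet has to live in whichever ACL the other NAT route-map references.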
06-30-2015 07:17 AM
I have changed the ACL but that traffic is for Guest wireless which isn't being used. Still a problem.
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up down
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up up
FastEthernet4 *.*.209.169 YES DHCP up up
Dot11Radio0 unassigned YES NVRAM up up
Dot11Radio0.1 unassigned YES unset up up
Dot11Radio0.2 unassigned YES unset up up
Vlan1 unassigned YES NVRAM up up
NVI0 unassigned YES unset administratively down down
Vlan2 unassigned YES NVRAM up down
Dialer1 *.*.205.214 YES IPCP up up
BVI1 192.168.100.1 YES NVRAM up up
BVI2 192.168.200.1 YES NVRAM up up
Virtual-Access1 unassigned YES unset up up
06-30-2015 07:18 AM
Please post your whole config.
thanks