11-17-2010 01:39 PM
I have a Cisco 851W router that is connected to an AT&T 2Wire 3800HGV-B modem (AT&T U-verse) in DMZ mode. I configured the Cisco router with Cisco Easy VPN. From outside I can establish a VPN connection to the 851W router using Cisco VPN Client and I can access the LAN behind the 851W. However, the Internet connection goes down and I have to reset the 2Wire 3800HGV-B modem to get the Internet back up. Any suggestions why this happens?
11-17-2010 01:55 PM
Can you paste your 851 configuration here?
11-17-2010 02:08 PM
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname rt1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 ***************
enable password 7 ******************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3543785435
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3543785435
revocation-check none
rsakeypair TP-self-signed-3543785435
!
!
crypto pki certificate chain TP-self-signed-3543785435
certificate self-signed 01 nvram:IOS-Self-Sig#E.cer
dot11 association mac-list 700
dot11 syslog
!
dot11 ssid Guest
vlan 20
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 *************
!
dot11 ssid cwifi
vlan 1
authentication open
authentication key-management wpa
wpa-psk ascii 7 *****************
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool open
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
lease 3
!
ip dhcp pool Guest
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
lease 3
!
!
ip cef
no ip domain lookup
ip domain name peterglab.local
!
!
!
username ***** privilege 15 secret 5 **********
username ****** privilege 15 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key ******
dns 192.168.5.1
pool SDM_POOL_1
acl 100
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpngroup
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
ip address 131.108.1.1 255.255.255.0
!
interface FastEthernet0
speed 100
spanning-tree portfast
!
interface FastEthernet1
speed 100
spanning-tree portfast
!
interface FastEthernet2
speed 100
spanning-tree portfast
!
interface FastEthernet3
speed 100
!
interface FastEthernet4
description INTERNET WAN CONNECTION
ip address dhcp
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid Guest
!
ssid cwifi
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
!
interface BVI1
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.4.1 192.168.4.50
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.3.4 21 ********** 21 extendable
ip nat inside source static tcp 192.168.3.4 80 ********* 80 extendable
ip nat inside source static tcp 192.168.3.4 443 ******** 443 extendable
ip nat inside source static tcp 192.168.3.4 3389 ********** 3389 extendable
!
ip access-list extended Guest-ACL
deny ip any 192.168.3.0 0.0.0.255
permit ip any any
!
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.3.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner motd ^C
***Warning***
Authorized access only
***Warning***
^C
!
line con 0
password 7 ***********
logging synchronous
no modem enable
line aux 0
line vty 0 4
password 7 ************
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
end
11-17-2010 03:27 PM
I did not see any issue in your config file at a quick look.
Does it happen whenever you connect a VPN client?
If you disconnect the VPN client, does a user behind the 851 get Internet connectivity back?
By the way, what is the IP "131.108.1.1" under the lo0 interface?
If the issue happens whenever you connect the VPN client, you might need to check the routing on the 851 after the VPN client is connected.
11-17-2010 04:30 PM
This happens when I connect the VPN client. When I disconnect the VPN client, a user behind the 851 router does not get an Internet connection. The VPN session does not get disconnected. IP 131.108.1.1 is the loopback IP address. I have to reboot the modem to get the Internet back. Maybe the modem is acting up. I'm not sure.
11-19-2010 07:08 PM
Is the 2-wire configured for DMZPlus mode to hand off the outside IP to the 851?
11-19-2010 07:15 PM
Yes. The 2Wire is configured in DMZ mode. The IP address of the 2Wire is 192.168.5.1, subnet 255.255.255.0. The IP address of the 851W is 192.168.3.1 on the BVI interface.
11-20-2010 11:36 AM
I have had an 871 with EZVPN behind my 2Wire in DMZPlus mode for almost 2 years and it worked great on 5.X firmware. When AT&T upgraded it to 6.X, I started having strange problems. The tunnel would lock up, and I would intermittently lose Internet on the inside clients. Recently I turned off DMZPlus mode and everything works great now. Of course, I am only an EZ-VPN client, not a server, and obviously this will not work if you are an EZ-VPN server.
So you may want to give that a try.