Cisco 2811 - SP Services & VPN Problems
  • Cisco 2811 - SP Services & VPN Problems

    Hi,
    We've got a Cisco 2811 router for our office network here, which we are just using as the gateway to the net. Currently, we are using the IP Base IOS (c2800nm-ipbasek9-mz.124-15.T5.bin), which is able to pass through our VPN connections to an internal server. We have a new IOS, however, with SP Services (c2800nm-spservicesk9-mz.124-15.XZ.bin), which the router will boot fine from.
    However, when we boot from the SP Services IOS, we lose the ability to VPN (PPTP tunnel) into our network; it appears that the new IOS is dropping the GRE packets, although the config (below) should explicitly allow them to go through. If anyone has any ideas, or has seen this before, any help would be appreciated!
    As you can see from the conf, we've got several DSL lines coming in; the VPN is currently coming into ATM0/1/0 interface. If anybody would like to suggest how to get OER/PFR running with the SP services IOS as well, that would be brilliant! (but the VPN is definitely the big problem here)

    Thanks!


    Code:
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname gateway
    !
    boot-start-marker
    boot system flash:/c2800nm-ipbasek9-mz.124-15.T5.bin
    boot-end-marker
    !
    logging buffered 4096
    enable secret 5 <redacted>
    enable password <redacted>
    !
    no aaa new-model
    clock timezone PCTime 0
    dot11 syslog
    !
    !
    ip cef
    !
    !
    ip name-server 208.67.222.222
    multilink bundle-name authenticated
    vpdn enable
    !
    !
    !
    key chain key1
     key 1
       key-string oer
    !
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address a.b.2.62 255.255.255.192
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/1
     description $ES_LAN$
     no ip address
     ip access-group services in
     ip virtual-reassembly
     shutdown
     duplex auto
     speed auto
    !
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip nat enable
     ip virtual-reassembly
     logging event atm pvc state
     logging event subif-link-status
     load-interval 30
     no snmp trap link-status
     no atm ilmi-keepalive
     dsl operating-mode adsl2+ 
    !
    interface ATM0/0/0.1 point-to-point
     ip address c.d.125.43 255.255.248.0
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     atm route-bridged ip
     pvc 0/101 
      encapsulation aal5snap
     !
    !
    interface ATM0/1/0
     no ip address
     ip access-group services out
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip nat enable
     ip virtual-reassembly
     logging event atm pvc state
     logging event subif-link-status
     load-interval 30
     no atm ilmi-keepalive
     dsl operating-mode adsl2+ 
     pvc BeUnlimited 0/32 
     !
    !
    interface ATM0/1/0.1 point-to-point
     ip address c.d.1.158 255.255.240.0
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     atm route-bridged ip
     pvc 0/101 
      encapsulation aal5snap
     !
    !
    interface ATM0/2/0
     no ip address
     logging event atm pvc state
     no atm ilmi-keepalive
     dsl operating-mode auto 
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 11
     !
    !
    interface ATM0/3/0
     no ip address
     logging event atm pvc state
     logging event subif-link-status
     no atm ilmi-keepalive
     dsl operating-mode auto 
     pvc 0/38 
      encapsulation aal5mux ppp dialer
      dialer pool-member 12
     !
    !
    interface Virtual-Template1 
     no ip address
    !
    interface Virtual-Template2 
     no ip address
    !
    interface Virtual-Template3 
     no ip address
    !
    interface Virtual-Template10 
     mtu 1492
     no ip address
     load-interval 30
     peer default ip address pool pppoE-pool
     ppp authentication ms-chap-v2
    !
    interface Dialer11
     ip address negotiated
     ip load-sharing per-packet
     encapsulation ppp
     logging event subif-link-status
     dialer pool 11
     dialer idle-timeout 0
     dialer persistent
     ppp authentication chap callin
     ppp chap hostname <redacted>
     ppp chap password 0 <redacted>
    !
    interface Dialer12
     ip address negotiated
     ip load-sharing per-packet
     encapsulation ppp
     logging event subif-link-status
     dialer pool 12
     dialer idle-timeout 0
     dialer persistent
     ppp authentication chap callin
     ppp chap hostname <redacted>
     ppp chap password 0 <redacted>
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 c.d.1.0
    ip route a.b.0.0 255.255.255.128 a.b.2.1
    ip route a.b.0.128 255.255.255.128 a.b.2.1
    ip route a.b.1.0 255.255.255.0 a.b.2.1
    ip route a.b.2.0 255.255.255.192 a.b.2.1
    ip route a.b.2.64 255.255.255.192 a.b.2.1
    ip route a.b.2.128 255.255.255.128 a.b.2.1
    !
    !
    no ip http server
    no ip http secure-server
    ip nat pool ovrld c.d.1.158 c.d.1.158 prefix-length 20
    ip nat inside source list 7 pool ovrld overload
    ip nat inside source static tcp a.b.1.40 21 c.d.1.158 21 extendable
    ip nat inside source static tcp a.b.2.15 22 c.d.1.158 22 extendable
    ip nat inside source static tcp a.b.1.30 25 c.d.1.158 25 extendable
    ip nat inside source static tcp a.b.1.30 443 c.d.1.158 443 extendable
    ip nat inside source static tcp a.b.1.30 993 c.d.1.158 993 extendable
    ip nat inside source static tcp a.b.2.15 1723 c.d.1.158 1723 extendable
    ip nat inside source static tcp a.b.1.35 22 c.d.1.158 2222 extendable
    ip nat inside source static tcp a.b.1.40 3690 c.d.1.158 3690 extendable
    ip nat inside source static tcp a.b.1.35 80 c.d.1.158 8080 extendable
    !
    ip access-list extended services
     permit tcp any any eq 443
     permit tcp any any eq 993
     permit tcp any any eq smtp
     permit tcp any any eq 3690
     permit tcp any any eq 22
     permit tcp any any eq 1723
     permit tcp any any eq ftp
     permit tcp any any eq 8080
     permit tcp any any eq 2222
     permit gre any any
     permit gre any 0.0.0.1 255.255.255.128
     permit gre 0.0.0.1 255.255.255.128 any
    !
    access-list 7 permit a.b.0.0 0.0.255.255
    access-list 101 permit ip any any
    access-list 101 permit gre any any
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password <redacted>
     login
    !
    scheduler allocate 20000 1000
    !
    end
    Last edited by felix_cohen; 11th July 2008, 15:38.
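As an added diagnostic (written for this thread, not taken from either post or from Cisco), the script below parses an IOS config in the form pasted above and reports the pieces a PPTP pass-through depends on: a static NAT for TCP 1723, and a permit for GRE in whichever ACL is actually applied on the interface that holds that NAT outside address. It also flags an access-group applied to an interface that carries no IP address. The embedded config is a constructed excerpt with documentation addresses, not the poster's running-config.

```python
import re

# Constructed excerpt modelled on the posted config, with addresses swapped
# for documentation ranges; it is not the poster's real running-config.
SAMPLE_CONFIG = """\
interface ATM0/1/0
 no ip address
 ip access-group services out
!
interface ATM0/1/0.1 point-to-point
 ip address 192.0.2.158 255.255.240.0
 ip nat outside
!
ip nat inside source static tcp 10.0.2.15 1723 192.0.2.158 1723 extendable
ip access-list extended services
 permit tcp any any eq 1723
 permit gre any any
"""

def parse_config(text):
    """Split an IOS config into interface blocks, named ACLs and static NATs."""
    interfaces, acls, nats, block = {}, {}, [], None
    for line in text.splitlines():
        if line.startswith("interface "):
            block = interfaces.setdefault(line.split()[1], [])
        elif line.startswith("ip access-list extended "):
            block = acls.setdefault(line.split()[3], [])
        elif line.startswith(" ") and block is not None:
            block.append(line.strip())          # indented line belongs to the open block
        else:
            block = None
            if line.startswith("ip nat inside source static "):
                nats.append(line.split()[5:])   # proto in_ip in_port out_ip out_port ...
    return interfaces, acls, nats

def audit_pptp(text):
    """List what could stop a PPTP pass-through: TCP 1723 plus protocol 47 (GRE)."""
    interfaces, acls, nats = parse_config(text)
    pptp = [n for n in nats if n[0] == "tcp" and n[2] == "1723"]
    if not pptp:
        return ["no static NAT entry for TCP 1723"]
    outside_ip, findings = pptp[0][3], []
    for name, lines in interfaces.items():
        groups = [l.split()[2] for l in lines if l.startswith("ip access-group ")]
        if "no ip address" in lines and groups:
            findings.append(f"{name}: ACL {groups[0]} applied but interface has no IP address")
        if not any(l.startswith(f"ip address {outside_ip} ") for l in lines):
            continue                            # not the interface holding the NAT address
        if not groups:
            findings.append(f"{name}: holds {outside_ip} but has no access-group")
        for g in groups:
            entries = acls.get(g, [])
            if not any(e.startswith("permit gre ") for e in entries):
                findings.append(f"{name}: ACL {g} has no permit for GRE")
            if not any(re.fullmatch(r"permit tcp .* eq 1723", e) for e in entries):
                findings.append(f"{name}: ACL {g} has no permit for TCP 1723")
    return findings
```

On the sample it reports that `services` sits on the addressless physical ATM0/1/0 while the subinterface carrying the NAT address has no ACL at all, so a GRE drop there is not an ACL decision and must be looked for elsewhere (NAT, or the image itself).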

  • #2
    Re: Cisco 2811 - SP Services & VPN Problems

    You need the SP Services release for 12.4T and not the 12.4XZ release. Each type supports different features such as VPN, so it's usually best to upgrade to the SP Services of the same release type.

    http://tools.cisco.com/Support/Fusion/FusionHome.do


    Here's what I have so far to use OER on the DSL connections. The dialer interfaces will require static IPs for CEF load balancing to work. Usually leaving it at ip negotiated will pick up the static IP the ISP assigns to you.

    interface Loopback0
     description OER Master Controller
     ip address 192.168.20.1 255.255.255.255
    !
    key chain key1
     key 1
      key-string password
    !
    oer master
     keepalive 1
     max-range-utilization percent 10
     !
     border 192.168.20.1 key-chain key1
      interface Dialer0 external
      interface Dialer1 external
      interface FastEthernet0/0 internal
     !
     learn
      delay
      periodic-interval 1
      monitor-period 2
      prefixes 200
      aggregation-type prefix-length 32
     !
     resolve range priority 1
     max range receive percent 20
     max prefix total 2000 learn 1000
     backoff 180 360
     mode route control
     mode select-exit best
     periodic 180
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip nat pool DSL0 65.123.123.70 65.123.123.70 netmask 255.255.255.0
    ip nat pool DSL1 65.123.123.71 65.123.123.71 netmask 255.255.255.0
    ip nat inside source route-map DSL0 pool DSL0 overload oer
    ip nat inside source route-map DSL1 pool DSL1 overload oer
    !
    access-list 2 permit (ip of firewall or hosts)
    !
    route-map DSL1 permit 20
     match ip address 2
     match interface Dialer1
    !
    route-map DSL0 permit 20
     match ip address 2
     match interface Dialer0
    Last edited by MavMange; 20th October 2008, 21:06.