Added a few tunnels, now I cannot access the Internet

Posted on 2009-05-19
Last Modified: 2012-05-07
I have a Cisco 871 router where I created a few tunnels and now I cannot access the Internet (I could before). Below is the sh run. Tunnels are working...

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot system flash:/c870-advsecurityk9-mz.124-15.T5.bin
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$CXtc$acSIPPqNLqJgnhPtjQmDy1
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1467142664
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1467142664
 revocation-check none
 rsakeypair TP-self-signed-1467142664
!
!
crypto pki certificate chain TP-self-signed-1467142664
 certificate self-signed 01

dot11 syslog
!
dot11 ssid Preservation
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 08355E4B080D0013055B5C00
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.3.150.1 10.3.150.99
!
ip dhcp pool sdm-pool1
 import all
   network 10.3.150.0 255.255.255.0
   dns-server 10.3.101.21 166.102.165.13
   default-router 10.3.150.1
   domain-name domain
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name *********
ip name-server 10.3.101.21
ip name-server 4.2.2.1
!
!
!
username admin privilege 15 secret 5 $1$F6di$lwjN3B/aiFxOLy5DMu1nW/
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address x.x.x.x
crypto isakmp key ********* address X.X.X.X
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel toX.X.X.X
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA5
 match address 104
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel toX.X.X.X
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA6
 match address 105
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel toX.X.X.X
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA7
 match address 106
crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel toX.X.X.X
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA8
 match address 107
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any shape
 match any
class-map match-any voice
 match access-group 5
!
!
policy-map voice-traffic
 class voice
  priority 64
 class class-default
  fair-queue
policy-map shape-traffic
 class shape
  shape average 256000
  service-policy voice-traffic
!
!
bridge irb
!
!
interface FastEthernet0
 service-policy output shape-traffic
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 ssid Preservation
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 10.3.150.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.3.150.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.3.110.0 0.0.0.255 10.3.150.0 0.0.0.255
access-list 101 permit udp host 12.22.187.194 any eq non500-isakmp
access-list 101 permit udp host 12.22.187.194 any eq isakmp
access-list 101 permit esp host 12.22.187.194 any
access-list 101 permit ahp host 12.22.187.194 any
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.6.101.0 0.0.0.255 10.3.150.0 0.0.0.255
access-list 101 permit udp host 166.82.89.178 any eq non500-isakmp
access-list 101 permit udp host 166.82.89.178 any eq isakmp
access-list 101 permit esp host 166.82.89.178 any
access-list 101 permit ahp host 166.82.89.178 any
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.3.101.0 0.0.0.255 10.3.150.0 0.0.0.255
access-list 101 permit udp host 166.82.1.3 eq domain any
access-list 101 permit udp host 10.3.101.21 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.3.150.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 101 permit ip 10.11.14.0 0.0.0.255 10.3.150.0 0.0.0.255
access-list 101 permit ip 10.6.101.0 0.0.0.255 10.3.151.0 0.0.0.255
access-list 103 remark SDM_ACL Category=6
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.3.110.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.6.101.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.3.101.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.3.150.0 0.0.0.255 10.3.101.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.3.150.0 0.0.0.255 10.11.14.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.3.150.0 0.0.0.255 10.6.101.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.3.150.0 0.0.0.255 10.3.110.0 0.0.0.255
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 1444070C0B100A233122
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

hostname# exit
Question by:vianceadmin
4 Comments
LVL 43

Accepted Solution

by: JFrederick29 (earned 500 total points)
ID: 24421465
Add this:

conf t
ip access-list ext 103
permit ip 10.3.150.0 0.0.0.255 any

Author Comment

by:vianceadmin
ID: 24421523
Is that it?  How did it get removed?  Also I think I need to add the access list for the qos statement right?
LVL 43

Expert Comment

by:JFrederick29
ID: 24423575
Not sure how it got removed but it is necessary for your Internet access.  Yeah, your class-map is referencing access-list 5 which doesn't exist.  You'll want to add that list.
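As an added example (not from the thread or from the poster's router), a small Python audit that parses a constructed excerpt of the posted config and flags both defects the accepted answer points at: the NAT route-map SDM_RMAP_1 matches ACL 103, which contains only deny entries, so no inside traffic is ever translated; and class-map voice references ACL 5, which is not defined. The excerpt and the one-line fix are constructed from the question's config.

```python
import re

# Constructed excerpt of the running config from the question (not the full sh run).
CONFIG = """\
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
class-map match-any voice
 match access-group 5
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.3.110.0 0.0.0.255
access-list 103 deny   ip 10.3.150.0 0.0.0.255 10.6.101.0 0.0.0.255
access-list 104 permit ip 10.3.150.0 0.0.0.255 10.3.101.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 103
"""

# The line the accepted answer adds: a permit so non-tunnel LAN traffic gets NATed.
FIX = "access-list 103 permit ip 10.3.150.0 0.0.0.255 any\n"


def parse_acls(config):
    """Map numbered ACL -> list of actions (permit/deny); remark lines are skipped."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) (permit|deny)\b", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2))
    return acls


def block_refs(config, head_re, ref_re):
    """Map each '<head> <name>' block to the ACL numbers found in its indented lines."""
    refs, current = {}, None
    for line in config.splitlines():
        m = re.match(head_re, line)
        if m:
            current = m.group(1)
            refs.setdefault(current, [])
        elif current and line.startswith(" "):
            refs[current].extend(re.findall(ref_re, line))
        else:
            current = None  # any unindented line ends the block
    return refs


def audit(config):
    """Return findings that would explain lost Internet access or a dangling QoS match."""
    acls = parse_acls(config)
    route_maps = block_refs(config, r"^route-map (\S+) ", r"^ match ip address (\d+)")
    class_maps = block_refs(config, r"^class-map (?:match-\w+ )?(\S+)", r"^ match access-group (\d+)")
    findings = []
    for m in re.finditer(r"^ip nat inside source route-map (\S+)", config, re.M):
        for acl in route_maps.get(m.group(1), []):
            if "permit" not in acls.get(acl, []):
                findings.append(f"NAT route-map {m.group(1)} matches ACL {acl} with no permit entries: nothing is translated")
    for name, acl_list in class_maps.items():
        for acl in acl_list:
            if acl not in acls:
                findings.append(f"class-map {name} references undefined ACL {acl}")
    return findings
```

Running audit(CONFIG) reports both problems; audit(CONFIG + FIX) leaves only the missing ACL 5, which is the second item the expert asks the poster to add.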

Author Comment

by:vianceadmin
ID: 24423619
Thanks, I'll give it a shot tonight!
