Solved

Cisco config for internet, DHCP, and GRE Tunnel

Posted on 2011-09-08
Last Modified: 2012-05-12
I have a config here that was created using the CCP and has what appears to me to be a BUNCH of extra junk in it.  My GRE tunnel is not working.  In another thread, someone helped me with my 4 line tunnel config:

interface Tunnel0
 ip address 10.10.11.1 255.255.255.0
 tunnel destination 1.1.1.1
 tunnel source Dialer0

But it's not working.  I wanted to clean up my config anyway, so I posted this thread for help cleaning my config up.


Building configuration...

Current configuration : 7373 bytes
!
! Last configuration change at 07:17:36 PCTime Mon Jan 2 2006 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$74UL$tNevwIWQ5nQA53O4XyG.s.
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1824105787
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1824105787
 revocation-check none
 rsakeypair TP-self-signed-1824105787
!
!
crypto pki certificate chain TP-self-signed-1824105787
 certificate self-signed 01
  	quit
no ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
!
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 4.2.2.1 8.8.8.8 
   default-router 10.10.10.1 
!
!
ip cef
no ip bootp server
ip domain name *******
ip name-server 4.2.2.1
ip name-server 8.8.8.8
!
!
license udi pid CISCO861-K9 sn ********************
!
!
username admin privilege 15 secret 5 *************************
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
! 
!
!
!
!
!
!
interface Tunnel0
 ip address 10.10.11.1 255.255.255.0
 tunnel source Dialer0
 tunnel destination ****************** (Let's use 1.1.1.1 for example's sake)
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username ***********@windstream.net password 7 ***********************
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.3.0 255.255.255.0 Tunnel0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run

!
control-plane
!
banner exec

Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you 
want to use.
 
banner login Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
router#

Question by:dbestcomputers
3 Comments

Assisted Solution

by:Soulja
Soulja earned 150 total points
ID: 36505333
Remove your zone command from the dialer interface, then see if it works. If so, then it has to do with your zone-based firewall config, which usually is the issue when configured with GUIs.

Accepted Solution

by:
MAG03 earned 350 total points
ID: 36508433
Did you by chance use the "One Step Lockdown"?

I would first test that the GRE tunnel is working, by removing the interfaces from the zones as Soulja has already mentioned.

Then, as Soulja has hinted at, you will still have the issue with the Zone-Based Policy Firewall (ZFW). But at least we know that one piece of the puzzle is fixed.

This is why you will still have an issue with the ZFW. In ZFW, interfaces that are within a zone will not be able to communicate with interfaces that are not in a zone and are not specifically allowed (source to destination) in a zone-pair. Interfaces that are not in a zone are able to communicate with each other also.

So you will need to place the GRE tunnel interface in a zone. I would say either place it in the in-zone or create a separate GRE zone for this. The better, but longer, option would be to create a separate GRE zone. This way adjusting the policy for the GRE will not take so much time, because if you just use the in-zone policy, you will need to create a completely new policy later if it turns out that you need to restrict or allow more access to the GRE than what is allowed for the in-zone.

Now for the rest of the config. These will not be placed in config order but in the order that I spot them hehe.

logging trap debugging<------REMOVE!!! This is logging everything and will fill up your log buffer fast, not to mention it might affect performance depending on how much is being logged at a time. If you really want logging on, I would say set it to level 5, which is Notifications, and you might eventually just set it to Warnings later.

transport input telnet ssh <----I would remove telnet and just use SSH, as telnet is sent in plain text and is not very secure.

ip http server<---- more of the same, not as secure as HTTPS, so I suggest removing it and just using HTTPS, which is enabled by use of the ip http secure-server command.

Otherwise the config looks fine. A few redundant class-map commands, but what to do, SDM/CCP has a tendency to do that sometimes.
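As an added example (not from the thread or either answerer), here is how the separate-GRE-zone approach recommended above could look for this config. It assumes 1.1.1.1 is the far tunnel endpoint, as the poster suggested, keeps the existing in-zone/out-zone and CCP names, and replaces the ccp-permit policy on the out-zone to self pair, because its "class class-default / drop" would discard the peer's inbound GRE packets before they ever reach Tunnel0 (the self to out-zone pair already passes class-default, so outbound GRE is fine).

```cisco
! Added example, not part of the posted config. Assumptions: the far
! tunnel endpoint is 1.1.1.1; in-zone, out-zone and ccp-zp-out-self
! already exist as shown in the thread.
!
zone security gre-zone
!
! GRE (IP protocol 47) from the tunnel peer only; the local address is
! "any" because Dialer0's address is negotiated.
ip access-list extended GRE-PEER
 permit gre host 1.1.1.1 any
!
class-map type inspect match-all cm-gre-peer
 match access-group name GRE-PEER
!
! LAN <-> tunnel traffic. Broad on purpose; narrow it to the protocols
! actually needed across the tunnel once it is up.
class-map type inspect match-any cm-lan-gre
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect pm-lan-gre
 class type inspect cm-lan-gre
  inspect
 class class-default
  drop log
!
! Replacement for ccp-permit on out-zone -> self: let the peer's GRE
! packets reach the router, keep dropping everything else.
policy-map type inspect pm-out-self
 class type inspect cm-gre-peer
  pass
 class class-default
  drop
!
interface Tunnel0
 zone-member security gre-zone
!
zone-pair security zp-in-gre source in-zone destination gre-zone
 service-policy type inspect pm-lan-gre
zone-pair security zp-gre-in source gre-zone destination in-zone
 service-policy type inspect pm-lan-gre
!
! Re-entering the existing zone-pair and attaching the new policy
! replaces ccp-permit for that direction.
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect pm-out-self
```

After applying it, "show policy-map type inspect zone-pair ccp-zp-out-self" should show the cm-gre-peer class counting packets while the tunnel is up; if it stays at zero, the peer's GRE is not arriving and the problem is upstream of the ZFW.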

Author Comment

by:dbestcomputers
ID: 36545156
OK thanks for the work. Not entirely helpful, but I got it going. I erased my nvram and started from scratch via CLI. I used a tutorial for setting up the ADSL along with my old config to help me along. Then I set up the tunnel, without any zone or class-map or crypto junk in the config. It works OK now. It ended up being an issue with the ZFW, so you get the points.
