Solved

Cisco 877 - No internet access for PCs

Posted on 2013-05-13
6
442 Views
Last Modified: 2013-05-13
Hello all,

I'm having trouble with one of our Cisco routers; I can't seem to locate the problem.
VPN tunnel is working fine, but the PCs and server are unable to access the internet.

I can ping by IP and DNS fine from the Cisco CLI.
Is there anything glaring here that I am missing or should remove?

Apologies for the state of the config; this is one I inherited, so it's a bit of a mess.

nwbrs#sh run
Building configuration...

Current configuration : 7781 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname nwbrs
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$KxId$tVmtCGIuY/3EG6vwe64dl1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1893503893
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1893503893
 revocation-check none
 rsakeypair TP-self-signed-1893503893
!
!
crypto pki certificate chain TP-self-signed-1893503893
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383933 35303338 3933301E 170D3032 30333031 30303038
  30315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38393335
  30333839 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A14D 41103E2A 04D0699C B38FDBBF 75D96EBD 62B2BF62 80AE45F2 92684AB8
  59337659 B90AA495 4EE82BF0 05356D1F 634AACBD 2EFC71BA 281C9AEC 7104732B
  8D048ADC 095D57B5 1CD3CFD4 AACDAB3E 430FCB43 E30931AC 85051A4F C2197C63
  B534C8DE 4BEE3C1F 4CFD808D 79C5CB48 31B00AB5 55B7C839 D39EACEE A0350A43
  91110203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 196E7762 72732E6E 6963686F 6C617377 796C6465 2E6C6F63
  616C301F 0603551D 23041830 168014DC B6B69FBA E5985CF5 298BC474 0712E2FB
  3AFBDB30 1D060355 1D0E0416 0414DCB6 B69FBAE5 985CF529 8BC47407 12E2FB3A
  FBDB300D 06092A86 4886F70D 01010405 00038181 001C9225 DD0504A7 18456F9A
  F49071C1 77B3F975 DB564AE8 F949AD22 F827836F E4866BD3 21149452 54C347E0
  00AC37B4 4A2287B9 F7BA7AFB 918E0151 9CFDD000 6AEC0D21 2CEEA146 E0A1F663
  F7BE0495 FA02B041 5C09A6D3 86B7A61A 971BA02F C6808A47 64664F1D 283E73A3
  45F4A494 1AC88715 798081B1 44D6A540 1D43305A 24
        quit
dot11 syslog
!
dot11 ssid NWBRS
   authentication open
   guest-mode
   infrastructure-ssid
   wpa-psk ascii 7 00544254560E5F5459791C
!
no ip source-route
ip cef
!
!
no ip bootp server
ip domain name domain.local
ip name-server 111.111.111.111
ip name-server 111.111.111.111
!
!
!
username admin privilege 15 secret 5 $1$pnWo$7ht1sOESB5//ExOFlLcSz.
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ****** address 111.111.111.111
!
crypto isakmp client configuration group ******
 key ********
 dns 192.168.3.5
 wins 192.168.3.5
 pool SDM_POOL_1
 acl 102
crypto isakmp profile ciscocp-ike-profile-1
   match identity group nwuser
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to111.111.111.111
 set peer 111.111.111.111
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 16132165E08C transmit-key
 encryption mode wep mandatory
 !
 ssid NWBRS
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2452
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 mtu 1490
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1300
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ******************
 ppp chap password 7 071B704B1D1B
 ppp pap sent-username ******************* password 7 140430C5F16
 crypto map SDM_CMAP_1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 192.168.80.200 192.168.80.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.3.5 3389 interface Dialer0 3390
ip nat inside source static tcp 192.168.3.18 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.3.160 80 interface Dialer0 80
ip nat inside source static tcp 192.168.3.160 8000 interface Dialer0 8000
ip nat inside source static tcp 192.168.3.23 3389 interface Dialer0 3391
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end




Many thanks
Arran
Question by: systemagic

6 Comments
Expert Comment by: BigPapaGotti
It looks like the ACL that you are using for your NAT configuration only has a single deny statement and no permit statements. If I'm not mistaken, you need to add an entry to permit the network that you would like to grant access to the Internet. Please note you will need to add this entry BEFORE the deny statement.
Expert Comment by: ienaxxx
You can use match ip address 100 instead of match ip address 101, if BigPapaGotti is right.

I was looking through the config and didn't find anything else wrong (if you did not change inside subnet's addresses or other, obviously)

HTH
Bye!
Author Comment by: systemagic
Thanks for your suggestions.

If I change the 'match ip address' to 100 I gain internet but lose VPN.

Do we think these are in the wrong order then?

access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.3.0 0.0.0.255 any
dialer-list 1 protocol ip permit



I had to alter the VPN tunnel and access lists on Friday as the other site changed its internal IP range for one reason or another. It seems that this is possibly what may have caused this little problem.

Thanks
Arran

Accepted Solution by: BigPapaGotti (earned 500 total points)
I would put the configuration back to what it was where the VPN works but the internet does not. Then try the following commands to see if this resolves the problem.

Router(config)#no access-list 101
Router(config)#access-list 101 permit 192.168.3.0 0.0.0.255 any

Please note that this will delete the access-list 101 and recreate it. I am assuming that your LAN subnet is 192.168.3.0, which is why I put the second command above. If this is incorrect, please adjust accordingly to suit your needs. After that I would test to see if the VPN and the internet work. If they do, I would go ahead and add the deny statement that you had in the initial configuration, if it is still necessary. Please let me know the results.
Assisted Solution by: BigPapaGotti (earned 500 total points)
My apologies the second command should be:

Router(config)#access-list 101 permit ip 192.168.3.0 0.0.0.255 any

I forgot the "ip" in the first comment but have corrected it for you above.
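Why the route-map ACL behaves the way it does, as an added example that is not part of the original thread: this Python model evaluates a numbered IOS ACL the way the router does (first matching entry wins, a packet that matches nothing is denied) and applies the inside-to-outside order of operations, NAT before the crypto map, to three variants of ACL 101. The ACL text, the Dialer0 address 203.0.113.10 and the host addresses are constructed for the example. It shows that ACL 101 as posted translates nothing, that the deny for the VPN subnet must precede the permit, and that with the permit first the VPN traffic is translated, leaves with the Dialer0 address and no longer matches crypto ACL 100.

```python
"""Added example (not from the original thread): models how IOS evaluates the
numbered ACL behind a NAT route-map and why entry order matters.
Assumed: a single crypto peer on Dialer0, a Dialer0 address of 203.0.113.10
(documentation range), and only 'permit|deny ip' entries. All ACL text and
addresses below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Read one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(config_text, number):
    """Collect the entries of numbered ACL `number`, in order, skipping remarks."""
    entries = []
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"only 'permit|deny ip' entries are modelled: {line!r}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(Ace(action, src, dst))
    return entries


def acl_permits(entries, src_ip, dst_ip):
    """First matching entry decides; a packet that matches nothing is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in entries:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def outbound(config_text, src_ip, dst_ip, wan_ip="203.0.113.10"):
    """What happens to an inside->outside packet on this router.

    ACL 101 (via the route-map) decides whether the packet is translated. IOS
    applies inside->outside NAT before it checks the crypto map, so a packet
    that was translated reaches the crypto map with the Dialer0 address as its
    source and no longer matches crypto ACL 100 (wan_ip is an assumed value).
    """
    translated = acl_permits(parse_acl(config_text, 101), src_ip, dst_ip)
    post_nat_src = wan_ip if translated else src_ip
    encrypted = acl_permits(parse_acl(config_text, 100), post_nat_src, dst_ip)
    return {"nat": translated, "ipsec": encrypted}


CRYPTO_ACL = "access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255\n"

# As posted: ACL 101 has only a deny, so every packet hits the implicit deny
# and nothing is ever translated -> no internet, VPN still works.
AS_POSTED = CRYPTO_ACL + (
    "access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255\n")

# Fixed: exempt VPN traffic from NAT first, then permit the rest of the LAN.
FIXED = CRYPTO_ACL + (
    "access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
    "access-list 101 permit ip 192.168.3.0 0.0.0.255 any\n")

# Wrong order: the permit matches first, VPN traffic is translated and never
# matches the crypto map -> internet works, VPN breaks.
PERMIT_FIRST = CRYPTO_ACL + (
    "access-list 101 permit ip 192.168.3.0 0.0.0.255 any\n"
    "access-list 101 deny   ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255\n")

LAN_HOST, VPN_HOST, INTERNET_HOST = "192.168.3.5", "192.168.2.10", "198.51.100.7"

if __name__ == "__main__":
    for name, cfg in ("as posted", AS_POSTED), ("fixed", FIXED), ("permit first", PERMIT_FIRST):
        print(f"{name:13} internet={outbound(cfg, LAN_HOST, INTERNET_HOST)} "
              f"vpn={outbound(cfg, LAN_HOST, VPN_HOST)}")
```

The same first-match rule is why recreating ACL 101 with only the permit, as the accepted solution suggests as a first step, restores internet access but would also translate the VPN traffic until the deny is put back in front of it.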
Author Comment by: systemagic
BigPapaGotti, thank you very much for your help.

All sorted now :)
I had a play with the access lists, thank you for pointing me in the right direction.

Arran