AAA blocks my isp

zarahel

IS-IT--Management
Nov 7, 2006
33
PT
OK, so this is my problem.

I have a Cisco 800 series router and I'm using SDM version 2.3.2. I had to create an Easy VPN server, and in order for me to do it I had to activate AAA.

Everything is working fine until the point where I restart or reload my router. Then I can't get an IP from my ISP. AAA blocks it.

I have no idea how to configure AAA to allow or authenticate my ISP connection, and I can't find any configuration guide on the internet.

I need the VPN, so disabling AAA is out of the question, but if the router restarts there's no internet.

Any suggestions/solutions are gladly accepted.

Thx
 
pls post your config...
AAA shouldn't be blocking your connection to your isp..
 
Building configuration...

Current configuration : 5136 bytes
!
version 12.3
service config
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname XXX
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
no logging buffered
enable secret 5 $1$bCYQ$yMF5AaIhy6mhAXQdxHiC2/
!
username zarahel privilege 15 view root secret 5 $1$.7.C$9LHNvpsW9EID0yiwuHwWB/
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
ip gratuitous-arps
!
!
!
!
ip finger
ip tcp synwait-time 10
ip domain name wayofcom.pt
ip name-server 195.22.0.136
ip name-server 192.168.2.105
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group XXX
 key way
 dns 192.168.2.105
 domain XXX
 pool SDM_POOL_1
 max-users 3
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 no cdp enable
!
interface BRI0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no cdp enable
!
interface ATM0
 no ip address
 ip mask-reply
 ip directed-broadcast
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 ip mask-reply
 ip directed-broadcast
 pvc 0/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mask-reply
 ip directed-broadcast
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname XXX@XXX.XX
 ppp chap password 7 110C145C4F2A120E12
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.210 192.168.1.220
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.2.0 255.255.255.0 Ethernet0
!
ip http server
ip http access-class 2
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.4 40055 interface Dialer0 40055
ip nat inside source static udp 192.168.2.4 40055 interface Dialer0 40055
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip any host 192.168.1.210
access-list 101 deny ip any host 192.168.1.211
access-list 101 deny ip any host 192.168.1.212
access-list 101 deny ip any host 192.168.1.213
access-list 101 deny ip any host 192.168.1.214
access-list 101 deny ip any host 192.168.1.215
access-list 101 deny ip any host 192.168.1.216
access-list 101 deny ip any host 192.168.1.217
access-list 101 deny ip any host 192.168.1.218
access-list 101 deny ip any host 192.168.1.219
access-list 101 deny ip any host 192.168.1.220
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^CRestricted Area
^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 access-class 100 in
 password 7 06071A204043080F12
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end


-----------------------------------------------------------


(I've marked some of the information with XXX for security reasons)
 