stanhubble
MIS
Hi,
I have a number of these deployed, but this is the first that is using PPPoE on the internet connection.
I seem to have a connection OK: from the router I can ping externally, and I can ping anything on VLAN 1 OK (haven't tried VLAN 2 in this case, but it works in other locations).
The problem is I cannot get through the router from anything on VLAN 1. From the workstation I can ping the internal router address and the external router address, but nothing further than that.
Any suggestions?
Config as follows:
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr001
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-4223950073
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4223950073
revocation-check none
rsakeypair TP-self-signed-4223950073
!
!
crypto pki certificate chain TP-self-signed-4223950073
certificate self-signed 01
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.12.6.1 10.12.6.199
ip dhcp excluded-address 10.12.6.251 10.12.6.254
!
ip dhcp pool hp1206
import all
network 10.12.6.0 255.255.255.0
dns-server 10.12.6.2 4.2.2.2
default-router 10.12.6.1
domain-name <DOMAINNAME>
!
!
no ip bootp server
no ip domain lookup
ip domain name <DOMAINNAME>
ip name-server 10.12.6.2
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH udp
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH esmtp
ip inspect name SDM_HIGH https
ip inspect name SDM_HIGH imap reset
ip inspect name SDM_HIGH pop3 reset
ip inspect name SDM_HIGH tcp
!
appfw policy-name SDM_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
vpdn enable
!
!
!
username <ADMINUSERNAME> privilege 15 password 7 141F1D0609567E7A73
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 480
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 10.12.6.1
!
crypto isakmp client configuration group rtr-remote
key junk
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map hhvpn 10 ipsec-isakmp
! Incomplete
set peer 10.12.6.1
set transform-set myset
match address 118
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_HIGH
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
!
!
!
!
interface FastEthernet0
description isp-dhcp
ip address dhcp
ip access-group 103 in
ip access-group 103 out
ip verify unicast reverse-path
ip mask-reply
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip inspect SDM_HIGH out
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet1
description isp-pppoe
no ip address
ip access-group 103 in
ip access-group 103 out
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
description trunk to switch
switchport mode trunk
vlan-range dot1q 1 2
exit-vlan-config
!
!
interface Virtual-Template1
no ip address
ip nat outside
ip virtual-reassembly
!
interface Vlan1
description lan
ip address 10.12.6.1 255.255.255.0
ip access-group 111 in
ip access-group 111 out
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan2
description cdi
ip address 10.112.6.1 255.255.255.0
ip access-group 106 in
ip access-group 106 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
encapsulation slip
shutdown
!
interface Dialer0
ip address negotiated
ip access-group 103 in
ip access-group 103 out
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname <USERNAME>
ppp chap password 7 05595659741517
ppp pap sent-username <USERNAME> password 7 00564350510252
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat pool ovrld 10.12.6.1 10.12.6.1 prefix-length 24
ip nat pool ovrldv 10.112.6.1 10.112.6.1 prefix-length 24
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source list 2 pool ovrld overload
ip nat inside source list 3 pool ovrldv overload
ip nat inside source list 111 interface FastEthernet1 overload
ip nat inside source static tcp 10.12.6.2 22 interface FastEthernet1 65001
ip nat inside source static tcp 10.112.6.2 22 interface FastEthernet1 65002
!
logging trap debugging
access-list 1 permit <EXTERNAL IP2>
access-list 1 permit <EXTERNAL IP>
access-list 1 permit 10.12.6.0 0.0.0.255
access-list 1 permit 10.112.6.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.12.6.0 0.0.0.255
access-list 3 permit 10.112.6.0 0.0.0.255
access-list 7 permit any
access-list 10 permit 10.12.6.2
access-list 103 permit ip any any
access-list 103 permit udp any any
access-list 103 permit tcp any any
access-list 103 permit icmp any any
access-list 103 permit gre any any
access-list 103 deny tcp any host 10.12.6.1 eq telnet
access-list 105 permit ip 10.12.6.0 0.0.0.255 any
access-list 105 permit ip 10.112.6.0 0.0.0.255 any
access-list 105 permit ip host <EXTERNAL IP> any
access-list 105 permit ip host <EXTERNAL IP2> any
access-list 105 permit icmp any any
access-list 105 deny ip any any log
access-list 106 permit ip host 10.12.6.2 any
access-list 106 permit ip 10.112.6.0 0.0.0.255 any
access-list 106 permit icmp any any
access-list 106 deny ip any any log
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^C Authorized access only
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login local
transport output telnet
line vty 0 4
access-class 103 in
privilege level 15
login local
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class 103 in
privilege level 15
login local
transport preferred ssh
transport input telnet ssh
transport output telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
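As an added diagnostic (my code, not the original poster's), here is a small Python lint that parses the interface blocks and the NAT rules of an IOS config like the one above and flags any NAT rule that translates to an interface carrying no address; on a PPPoE link the negotiated address sits on the Dialer interface that owns the dial pool, so the check names that Dialer. The embedded CONFIG is a trimmed excerpt of the posted config, with indentation stripped as in the post.

```python
import re

# Constructed excerpt of the config posted above (indentation stripped, as in
# the post): the PPPoE client interface, the LAN, the Dialer, and the NAT rules.
CONFIG = """\
interface FastEthernet1
no ip address
ip nat outside
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 10.12.6.1 255.255.255.0
ip nat inside
!
interface Dialer0
ip address negotiated
ip nat outside
dialer pool 1
!
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static tcp 10.12.6.2 22 interface FastEthernet1 65001
"""

def parse_interfaces(cfg):
    """Map interface name -> list of its sub-commands. A block ends at '!'
    or at the next 'interface' line, so stripped indentation is fine."""
    blocks, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def nat_interfaces(cfg):
    """Interfaces named in 'ip nat inside source ... interface X ...' rules."""
    return re.findall(r"^\s*ip nat inside source .*?\binterface (\S+)", cfg, re.M)

def check_nat(cfg):
    """Flag NAT rules whose interface has no address to translate to, and name
    the Dialer that owns the PPPoE pool (where the negotiated address lives)."""
    blocks, findings = parse_interfaces(cfg), []
    for intf in sorted(set(nat_interfaces(cfg))):
        lines = blocks.get(intf, [])
        if any(l.startswith("ip address") for l in lines):
            continue  # 'ip address x.x.x.x' or 'ip address negotiated': fine
        pool = next((l.split()[-1] for l in lines
                     if l.startswith("pppoe-client dial-pool-number")), None)
        dialer = next((n for n, ls in blocks.items()
                       if n.startswith("Dialer") and f"dialer pool {pool}" in ls), None)
        hint = f"; negotiated address is on {dialer} (dialer pool {pool})" if dialer else ""
        findings.append(f"NAT references {intf}, which has no IP address{hint}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_nat(CONFIG)) or "no NAT/interface mismatch found")
```

Run it against a full `show running-config` dump to confirm the same rules come back clean once they reference the addressed interface.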