
ROUTER NOT ROUTING


kobenaw (IS-IT--Management, GH), Jan 20, 2011
I am trying to set up a DMVPN with a Cisco 1800 series but I cannot get past the first stage.

1. I cannot get access to the internet after my configuration.
2. Could it be because I am using policy-based routing and OSPF?

Please find below my configuration. Any suggestions will be very much appreciated.

Current configuration : 3323 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bostho
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$sXYv$GBzoAUrMB9b5GfS7prkyT/
!
no aaa new-model
dot11 syslog
ip cef
!
!
!
!
ip domain name hello.com.gh
ip name-server 10.10.1.3
ip name-server 80.87.78.11
ip name-server 80.87.78.4
ip name-server 10.10.11.5
ip name-server 63.216.0.6
!
multilink bundle-name authenticated
!
!
!
!
username bostho password 0 hello
archive
log config
hidekeys
!
!
crypto isakmp policy 5
encr aes
authentication pre-share
group 2
crypto isakmp key hello address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20 3
!
!
crypto ipsec transform-set trans2 esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile bostprofile
set transform-set trans2
!
!
!
!
!
!
interface Tunnel0
description CONNECTION TO BRANCHES
bandwidth 1000
ip address 10.10.100.1 255.255.255.0
no ip redirects
ip mtu 1436
ip nhrp authentication hello
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
ip ospf network broadcast
ip ospf priority 2
delay 1000
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile bostprofile
!
interface FastEthernet0/0
mtu 1492
ip address 10.10.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map honat
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$
ip address xx.xx.54.99 255.255.255.248 secondary
ip address xx.xx.54.100 255.255.255.248 secondary
ip address xx.xx.54.98 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
network 10.10.1.0 0.0.0.255 area 0
network 10.10.100.0 0.0.0.255 area 1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.54.97
ip http server
no ip http secure-server
ip nat inside source route-map honat interface FastEthernet0/1 overload
ip nat inside source static tcp 10.10.1.8 80 xx.xx.54.99 80 extendable
ip nat inside source static tcp 10.10.1.6 25 xx.xx.54.100 25 extendable
ip nat inside source static tcp 10.10.1.6 80 xx.xx.54.100 80 extendable
ip nat inside source static tcp 10.10.1.6 110 xx.xx.54.100 110 extendable
ip nat inside source static tcp 10.10.1.6 443 xx.xx.54.100 443 extendable
!
access-list 10 permit 10.10.1.0 0.0.0.255
access-list 100 permit udp any host xx.xx.54.98 eq isakmp
access-list 100 permit esp any host xx.xx.54.98
access-list 100 permit gre any host xx.xx.54.98
access-list 100 permit ahp any host xx.xx.54.98
access-list 100 permit tcp any host xx.xx.54.100 eq pop3
access-list 100 permit tcp any host xx.xx.54.100 eq www
access-list 100 permit tcp any host xx.xx.54.100 eq 443
access-list 100 permit tcp any host xx.xx.54.100 eq smtp
access-list 100 permit tcp any host xx.xx.54.99 eq www
access-list 100 deny ip any any
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
!
!
route-map honat permit 10
match ip address 110
set ip next-hop xx.xx.54.98
set interface FastEthernet0/0
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
 
Maybe I'm misreading it but it looks like with your ACL 100 on your f0/0 internet connection you are blocking your inbound connections (except for the ones listed in the ACL). I would remove the ACL and just verify you can ping to 4.2.2.2 first. Another thing I like to do is either use another interface for direct user internet access or use a separate firewall for internet access (but still internet going to your router for the dmvpn).
 
Thank you nikeair for your valuable and timely response. After adding the following CBAC statement, the internet access issue was solved.

ip inspect name in2out cusemee
ip inspect name in2out tcp
ip inspect name in2out http
ip inspect name in2out udp
ip inspect name in2out https
ip inspect name in2out smtp

However, I realised that my internal servers could not be reached. Pings to my private IPs fail as well. I believe it is a firewall issue, since all DMVPN show commands provide the expected responses. Any suggestions?
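The two replies above turn on one distinction: access-list 100 on FastEthernet0/1 is a stateless filter, so the reply half of a session that a LAN client opened out through the NAT overload hits the final "deny ip any any", while CBAC (ip inspect) records the outbound session and admits its replies. The script below is an added example written for this thread, not configuration or code from the original posters or from Cisco: it parses the access-lists exactly as posted, evaluates them the way IOS does (first match, implicit deny), and models the inspection table as a set of remembered outbound sessions. The public addresses are masked in the post, so 203.0.113.98/.99/.100 (documentation space) stand in for xx.xx.54.98/.99/.100; the remote hosts 198.51.100.10 and 198.51.100.77 are constructed. The last function also runs access-list 110, the match clause of route-map honat, against a flow headed for the tunnel subnet, which is relevant to the original question about policy-based routing.

```python
"""Stateless ACL vs. stateful inspection, modelled on the thread's access-list 100."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins for the masked public addresses in the post.
WAN = {"98": "203.0.113.98", "99": "203.0.113.99", "100": "203.0.113.100"}

# The ACL lines from the post, with the masked octets substituted.
ACL_TEXT = f"""
access-list 100 permit udp any host {WAN['98']} eq isakmp
access-list 100 permit esp any host {WAN['98']}
access-list 100 permit gre any host {WAN['98']}
access-list 100 permit ahp any host {WAN['98']}
access-list 100 permit tcp any host {WAN['100']} eq pop3
access-list 100 permit tcp any host {WAN['100']} eq www
access-list 100 permit tcp any host {WAN['100']} eq 443
access-list 100 permit tcp any host {WAN['100']} eq smtp
access-list 100 permit tcp any host {WAN['99']} eq www
access-list 100 deny ip any any
access-list 110 permit ip 10.10.1.0 0.0.0.255 any
"""

PORT_NAMES = {"isakmp": 500, "pop3": 110, "www": 80, "smtp": 25}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "esp", "gre", "ahp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str          # "ip" matches every protocol
    src: object         # ip_network
    dst: object         # ip_network
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def _addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ip_address(tokens[i + 1]))     # contiguous wildcard assumed
    prefix = 32 - wildcard.bit_length()
    return ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2


def parse_acls(text: str) -> dict:
    """Turn 'access-list N action proto src dst [eq port]' lines into Ace lists."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        num, action, proto = t[1], t[2], t[3]
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        acls.setdefault(num, []).append(Ace(action, proto, src, dst, dport))
    return acls


ACLS = parse_acls(ACL_TEXT)


def acl_permits(num: str, p: Packet) -> bool:
    """Stateless first-match evaluation with the implicit deny at the end."""
    for ace in ACLS[num]:
        if ace.matches(p):
            return ace.action == "permit"
    return False


class Inspector:
    """Toy CBAC: remember outbound sessions and let their replies bypass the ACL."""
    def __init__(self, acl_num: str):
        self.acl_num = acl_num
        self.sessions = set()

    def outbound(self, p: Packet) -> None:
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def inbound_allowed(self, p: Packet) -> bool:
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        return reply_of in self.sessions or acl_permits(self.acl_num, p)


def demo_web_session():
    """LAN client browsing out via the NAT overload: (stateless verdict, stateful verdict)."""
    out = Packet("tcp", WAN["98"], "198.51.100.10", 40001, 80)   # after PAT to Fa0/1
    back = Packet("tcp", "198.51.100.10", WAN["98"], 80, 40001)
    insp = Inspector("100")
    insp.outbound(out)
    return acl_permits("100", back), insp.inbound_allowed(back)


def demo_tunnel_traffic():
    """DMVPN traffic from a constructed spoke: (ISAKMP, ESP, plain ICMP) through ACL 100."""
    spoke = "198.51.100.77"
    return (acl_permits("100", Packet("udp", spoke, WAN["98"], 500, 500)),
            acl_permits("100", Packet("esp", spoke, WAN["98"])),
            acl_permits("100", Packet("icmp", spoke, WAN["98"])))


def pbr_applies(src: str, dst: str) -> bool:
    """Does route-map honat's match clause (access-list 110) select this flow?"""
    return acl_permits("110", Packet("ip", src, dst))


if __name__ == "__main__":
    print("web reply, stateless vs inspected:", demo_web_session())
    print("spoke isakmp/esp/icmp:", demo_tunnel_traffic())
    print("PBR on LAN->tunnel flow:", pbr_applies("10.10.1.5", "10.10.100.2"))
```

The first result pair (False, True) is nikeair's point in code: the reply to an outbound web session is dropped by the stateless ACL and admitted once a session table exists. The tunnel check shows that ISAKMP and ESP to the WAN address pass ACL 100 while a plain ping to it does not, which is why testing with ICMP alone can mislead. The PBR check shows that access-list 110 matches any destination, including the 10.10.100.0/24 tunnel subnet, so route-map honat is applied to LAN traffic bound for the spokes as well as to internet traffic; the thread does not settle whether that contributes to the later symptom, but it is the first thing to verify when OSPF routes appear correct and traffic still fails.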
 