
TomS_
Git-r-done
Premium,MVM
join:2002-07-19
London, UK
kudos:4

reply to DarkLogix

Re: [Config] NVI and VPN

said by DarkLogix:

I guess no one has any idea even for additional troubleshooting steps.

Are you for real?

People here give their time voluntarily between jobs, family, and any other commitments they have. Show some appreciation instead of expecting us to wait on you 24/7.

If you want guaranteed response times with someone dedicated to your problem, get yourself a support contract. If you're looking for help here, be prepared to wait, patiently, until someone has the time to help you.

Tips? Start from scratch with your config and build it back up from the bare basics. Then make a backup. Then start mucking with NVI again. At the very least get your config back to a working state.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Sorry if I came off as rude; I was getting the feeling of someone just saying "oh I know what it is and I'm going to let you drive yourself crazy while telling you you have a pile of crap".

Just very lost on this and kinda get the feeling that there's no interest in helping me find the issue (not basing that on time).

At present the config works for normal use, just not for allowing me to VPN to work from my computer.
--
»www.change.org/petitions/create-···imcity-4



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

reply to RyanG1

said by RyanG1:

when you reverted to no NVI, did you change the ip nat source list to ip nat inside source list ?

Also, please post a full config minus any sensitive information if you do not mind.

Ryan

When I tried reverting I issued the following commands, along with a long list of static translations:

interface GigabitEthernet2/0
no ip nat enable

interface GigabitEthernet1/0
no ip nat enable

interface GigabitEthernet3/0
no ip nat enable

no ip nat source list 1 pool RLH1 overload
no ip nat source list 2 pool RLH2 overload
no ip nat source list 3 pool RLH3 overload

interface GigabitEthernet2/0
ip nat outside

interface GigabitEthernet1/0
ip nat inside

interface GigabitEthernet3/0
ip nat inside

ip nat inside source list 1 pool RLH1 overload
yes
ip nat inside source list 2 pool RLH2 overload
yes
ip nat inside source list 3 pool RLH3 overload
yes
--
»www.change.org/petitions/create-···imcity-4


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Here's the full config as it is now:

!
! Last configuration change at 01:26:00 -0500 Wed Mar 20 2013 by rlh
! NVRAM config last updated at 01:26:04 -0500 Wed Mar 20 2013 by rlh
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname RLH_router
!
boot-start-marker
boot system flash:c3745-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
no logging buffered
!
no aaa new-model
clock timezone central -6
clock summer-time -0500 recurring
ip cef
!
!
!
!
ip domain name RLH-domain.net
ip name-server 10.0.3.5
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username rlh privilege 15 password 7
archive
log config
hidekeys
!
!
ip ftp username rlh-domain.net\admin
ip ftp password 7
!
class-map match-all game
match access-group 101
class-map match-any Xbox360
match ip dscp ef
!
!
policy-map game
class game
set ip dscp ef
policy-map Xbox360
class Xbox360
bandwidth 1024
!
!
!
!
!
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
bandwidth 30000
no ip address
ipv6 address 2001:x::2/64
ipv6 enable
ipv6 traffic-filter Internet in
ipv6 ospf 1 area 0
keepalive 10 3
tunnel source 75.x.x.33
tunnel destination 216.218.224.42
tunnel mode ipv6ip
tunnel checksum
!
interface FastEthernet0/0
!just added this today and plan to use to test bypassing the etherswitches
ip address 10.255.255.1 255.255.255.252
ip nat enable
ip ospf 1 area 0
shutdown
speed auto
full-duplex
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed 100
!
interface GigabitEthernet1/0
description Link to NME-16ES-1G-p
ip address 10.254.254.1 255.255.255.252
ip nat enable
ip virtual-reassembly
ip ospf 1 area 0
ipv6 address 2001:x:200::1/64
ipv6 ospf 1 area 0
!
interface GigabitEthernet2/0
description Link to Comcast
bandwidth 76000
ip address 75.x.x.35 255.255.255.248 secondary
ip address 75.x.x.36 255.255.255.248 secondary
ip address 75.x.x.37 255.255.255.248 secondary
ip address 75.x.x.33 255.255.255.248
ip access-group 110 in
ip nat enable
ip virtual-reassembly
ip ospf 1 area 0
negotiation auto
!
interface GigabitEthernet3/0
description Link to NME-16ES-1G-p (number 2)
ip address 10.254.254.5 255.255.255.252
ip nat enable
ip virtual-reassembly
ip ospf 1 area 0
ipv6 address 2001:x:201::1/64
ipv6 ospf 1 area 0
!
router ospf 1
log-adjacency-changes
redistribute static
passive-interface GigabitEthernet2/0
network 10.254.254.0 0.0.0.3 area 0
network 10.254.254.4 0.0.0.3 area 0
network 10.255.255.0 0.0.0.3 area 0 !part of the FA 0/0 test that's planned
default-information originate
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 75.148.235.38
!
!
no ip http server
ip http port 1025
ip http authentication local
no ip http secure-server
ip nat translation timeout 2
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat pool RLH2 75.x.x.36 75.x.x.36 netmask 255.255.255.248 add-route
ip nat pool RLH3 75.x.x.37 75.x.x.37 netmask 255.255.255.248 add-route
ip nat pool RLH4 75.x.x.33 75.x.x.33 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
ip nat source list 2 pool RLH2 overload
ip nat source list 3 pool RLH3 overload
ip nat source list 4 pool RLH4 overload !part of the planned test
ip nat source static tcp 10.0.3.5 21 75.x.x.33 21 extendable
ip nat source static tcp 10.0.3.5 25 75.x.x.33 25 extendable
ip nat source static tcp 10.0.3.5 53 75.x.x.33 53 extendable
ip nat source static udp 10.0.3.5 53 75.x.x.33 53 extendable
ip nat source static tcp 10.0.3.5 80 75.x.x.33 80 extendable
ip nat source static tcp 10.0.3.5 443 75.x.x.33 443 extendable
ip nat source static tcp 10.0.2.5 444 75.x.x.33 444 extendable
ip nat source static tcp 10.0.2.11 3724 75.x.x.35 3724 extendable
ip nat source static udp 10.0.2.11 3724 75.x.x.35 3724 extendable
ip nat source static tcp 10.0.2.11 43768 75.x.x.35 43768 extendable
ip nat source static udp 10.0.2.11 43768 75.x.x.35 43768 extendable
ip nat source static tcp 10.0.2.11 45912 75.x.x.35 45912 extendable
ip nat source static udp 10.0.2.11 45912 75.x.x.35 45912 extendable
ip nat source static tcp 10.0.3.11 88 75.x.x.36 88 extendable
ip nat source static udp 10.0.3.11 88 75.x.x.36 88 extendable
ip nat source static tcp 10.0.3.11 3074 75.x.x.36 3074 extendable
ip nat source static udp 10.0.3.11 3074 75.x.x.36 3074 extendable
ip nat source static tcp 10.0.3.5 3784 75.x.x.36 3784 extendable
ip nat source static udp 10.0.3.5 3784 75.x.x.36 3784 extendable
ip nat source static tcp 10.0.3.5 6100 75.x.x.36 6100 extendable
ip nat source static udp 10.0.3.5 6100 75.x.x.36 6100 extendable
ip nat source static tcp 10.0.3.17 27175 75.x.x.36 27175 extendable
ip nat source static udp 10.0.3.17 27175 75.x.x.36 27175 extendable
ip nat source static tcp 10.0.3.17 27176 75.x.x.36 27176 extendable
ip nat source static udp 10.0.3.17 27176 75.x.x.36 27176 extendable
ip nat source static tcp 10.0.3.10 27177 75.x.x.36 27177 extendable
ip nat source static udp 10.0.3.10 27177 75.x.x.36 27177 extendable
ip nat source static tcp 10.0.3.10 27178 75.x.x.36 27178 extendable
ip nat source static udp 10.0.3.10 27178 75.x.x.36 27178 extendable
ip nat source static tcp 10.0.4.11 28227 75.x.x.37 28227 extendable
ip nat source static udp 10.0.4.11 28227 75.x.x.37 28227 extendable
!
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 deny any
access-list 2 permit 10.0.3.0 0.0.0.255
access-list 2 deny any
access-list 3 permit 10.0.4.0 0.0.0.255
access-list 3 deny any
access-list 4 permit 10.255.255.0 0.0.0.3
access-list 4 deny any
access-list 50 permit 10.0.0.0 0.0.0.255
access-list 50 deny any
access-list 101 permit ip host 10.0.3.11 any
access-list 101 deny ip any any
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq discard
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq daytime
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq chargen
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq telnet
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq finger
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 135
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 136
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 137
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 138
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 139
access-list 110 deny udp any 75.x.x.32 0.0.0.7 eq snmp
access-list 110 deny udp any 75.x.x.32 0.0.0.7 eq snmptrap
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 445
access-list 110 deny tcp any 75.x.x.32 0.0.0.7 eq 593
access-list 110 deny ip host 12.203.209.1 any
access-list 110 permit ip any any
snmp-server community 99Sh00t3r$ RW
ipv6 route ::/0 Tunnel0
ipv6 router ospf 1
log-adjacency-changes
area 0 range 2001:470:B801:200::/64
area 0 range 2001:470:B801:201::/64
area 0 range 2001:470:B801::/48
default-information originate
passive-interface Tunnel0
redistribute connected
!
!
!
!
ipv6 access-list Internet
deny tcp any host 2001:x:2::2 eq echo
deny tcp any host 2001:x:2::2 eq discard
deny tcp any host 2001:x:2::2 eq daytime
deny tcp any host 2001:x:2::2 eq chargen
deny tcp any host 2001:x:2::2 eq telnet
deny tcp any host 2001:x:2::2 eq finger
deny tcp any host 2001:x:2::2 eq 135
deny tcp any host 2001:x:2::2 eq 136
deny tcp any host 2001:x:2::2 eq 137
deny tcp any host 2001:x:2::2 eq 138
deny tcp any host 2001:x:2::2 eq 139
deny udp any host 2001:x:2::2 eq snmp
deny udp any host 2001:x:2::2 eq snmptrap
deny tcp any host 2001:x:2::2 eq 445
deny tcp any host 2001:x:2::2 eq 593
permit ipv6 any any
!
ipv6 access-list VTY
sequence 40 permit tcp 2001:470:B801::/48 any
permit udp 2001:470:B801::/48 any
deny ipv6 any any
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd Keep Out
!
line con 0
speed 19200
line 33
exec-timeout 0 0
login local
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
telnet refuse-negotiations
line 97
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line aux 0
line vty 0 4
exec-timeout 0 0
ipv6 access-class VTY in
login local
telnet refuse-negotiations
line vty 5 15
exec-timeout 0 0
ipv6 access-class VTY in
login local
telnet refuse-negotiations
!
ntp clock-period 17179223
ntp master 2
ntp server 128.138.140.44
ntp server 207.200.81.113
ntp server 132.163.4.101
ntp server 132.163.4.102
ntp server 132.163.4.103
ntp server 201.155.229.129
ntp server 131.107.1.10
ntp server 69.25.96.13
ntp server 207.126.98.204
ntp server 129.6.15.29
ntp server 129.6.15.28
ntp server 216.200.93.8
ntp server 64.236.96.53
ntp server 208.184.49.9
ntp server 68.216.79.113
!
end
--
»www.change.org/petitions/create-···imcity-4
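The revert steps listed two posts up (strip `ip nat enable`, put `ip nat inside`/`ip nat outside` back on the interfaces, turn `ip nat source ...` into `ip nat inside source ...`) are mechanical, and the easy way to miss one is to do them by hand. The following is an added example, written for this page and not code from the thread or from Cisco: it reads an IOS running-config in the shape of the one posted above, emits the `no` commands that remove the NVI statements and the classic-NAT commands that replace them, and flags a few settings a revert does not touch but that are worth checking. The config excerpt is constructed (addresses kept in the thread's sanitised `75.x.x.N` form), the `outside` interface set is an assumption the caller supplies, and the 300-second threshold on `ip nat translation timeout` is an arbitrary choice for the warning.

```python
import re

# Constructed excerpt in the shape of the posted running-config; not the poster's full config.
NVI_CONFIG = """\
interface FastEthernet0/0
 ip address 10.255.255.1 255.255.255.252
 ip nat enable
 shutdown
interface GigabitEthernet1/0
 ip address 10.254.254.1 255.255.255.252
 ip nat enable
interface GigabitEthernet2/0
 ip address 75.x.x.33 255.255.255.248
 ip nat enable
ip nat translation timeout 2
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
ip nat source static tcp 10.0.3.5 443 75.x.x.33 443 extendable
"""

NAT_DEFAULT_TIMEOUT = 86400  # IOS default for 'ip nat translation timeout', in seconds


def revert_nvi(config, outside):
    """Translate NVI-style NAT statements into classic inside/outside NAT.

    'outside' is the set of interface names facing the ISP (an assumption the
    caller supplies); every other interface carrying 'ip nat enable' becomes
    inside.  Relies on the one-space indentation of IOS sub-commands as printed
    by 'show running-config'.  Returns the 'no' commands that strip NVI, the
    classic commands that replace it, the role chosen per interface, and
    warnings for settings a revert leaves alone but that deserve a look.
    """
    interfaces, shut = {}, set()
    remove, add, warnings = [], [], []
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text.startswith("!"):
            continue
        if text.startswith("interface "):
            current = text.split(None, 1)[1]
            continue
        if raw[0] in " \t" and current:          # sub-command of the current interface
            if text == "ip nat enable":
                interfaces[current] = "outside" if current in outside else "inside"
            elif text == "shutdown":
                shut.add(current)
            continue
        current = None                           # back at global configuration level
        m = re.fullmatch(r"ip nat source (list|static) (.+)", text)
        if m:                                    # dynamic and static NVI translations
            remove.append("no " + text)
            add.append(f"ip nat inside source {m.group(1)} {m.group(2)}")
            continue
        m = re.fullmatch(r"ip nat translation timeout (\d+)", text)
        if m and int(m.group(1)) < 300:
            warnings.append(f"'{text}': {m.group(1)}s is far below the {NAT_DEFAULT_TIMEOUT}s "
                            "default; check whether a translation the VPN needs is expiring")
        if text.startswith("ip nat pool ") and text.endswith(" add-route"):
            warnings.append(f"'{text}': add-route is the NVI pool option; decide whether "
                            "it should stay once the pool is used by classic NAT")
    for name, role in interfaces.items():
        remove += [f"interface {name}", " no ip nat enable"]
        add += [f"interface {name}", f" ip nat {role}"]
        if name in shut:
            warnings.append(f"{name} is shut down but still carries ip nat enable; "
                            "convert it too so no NVI statement is left behind")
    return {"remove": remove, "add": add, "interfaces": interfaces, "warnings": warnings}


if __name__ == "__main__":
    result = revert_nvi(NVI_CONFIG, outside={"GigabitEthernet2/0"})
    print("! --- remove NVI ---")
    print("\n".join(result["remove"]))
    print("! --- add classic NAT ---")
    print("\n".join(result["add"]))
    for w in result["warnings"]:
        print("! CHECK:", w)
```

Paste the `remove` block first and the `add` block second, as the thread's own revert did; the warnings are the part a by-hand revert tends to skip, and the shut-down interface that still carries `ip nat enable` is exactly the kind of leftover a later diff against a backup would expose.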


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

reply to RyanG1

said by RyanG1:

Also, please post a full config minus any sensitive information if you do not mind.

Ryan

So any suggestion?


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by DarkLogix:

said by RyanG1:

Also, please post a full config minus any sensitive information if you do not mind.

Ryan

So any suggestion?

have you been able to revert to 'classic nat' and still have your vpn work?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

I've been getting home so late this week and having to get some stuff done for work that I haven't had a chance to mess with it yet.

I was hoping some part of the config would jump out to more experienced techs.
--
»www.change.org/petitions/create-···imcity-4



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to DarkLogix
I've been offline lately, plus my new place does not have internet access yet. If all of the ports are still the same for what you have forwarded and all you changed was the NVI option (nat enable), then something else changed as well.

Unless I'm missing a key element aside from the route processing that NVI does vs prior NAT implementations.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

It's my understanding that there isn't a requirement for a port forward for a VPN client behind an IOS router (i.e. all the Cisco docs say no config needed).

But if I do need a port forward I can add it.

Though I'm thinking there must be something I overlooked (as when I applied the above commands to revert to pre-NVI it didn't work, so I figure I missed something).
--
»www.change.org/petitions/create-···imcity-4



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to DarkLogix
Well, it depends on the type of VPN... PPTP requires port 1723 and GRE pass-through. IPsec with NAT uses UDP port 4500 (typically). If you are using an SSL-based VPN you need to open whatever port you have it set to use (of course the default is 443).

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

The Cisco docs say that's only for the router that's in front of the VPN server, not the VPN client.



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Well now I see this doc
»www.cisco.com/en/US/docs/ios-xml···nsv.html

mentioned using VRF in the NAT pool assignment command.
Does that seem like it might affect my issue?
--
»www.change.org/petitions/create-···imcity-4



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to DarkLogix
From your prior replies it was assumed you are VPN'ing into your home network... is that not the case? Are you connecting OUT of your home network to a corporate server?

Ryan



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Ya out of my home network into my work network.



RyanG1
Premium
join:2002-02-10
San Antonio, TX

reply to DarkLogix
Well then, assuming you are coming from one of the specified networks that are tied to each specific pool, outbound should not be an issue. You may have an error somewhere else in your network.

You need to roll back to what you had before and test it again; you may have changed something else and overlooked it.

Not really much else to tell you at this point if all other services are working fine. The only thing that comes to mind is there's an issue with NVI and pools of addresses. Try removing the pool and in its place put a static NAT entry in for the interface itself (the interface connecting to your modem). I'm skeptical it will really help, but it's worth a shot.

Beyond that, I don't know what else to tell ya... it seems there's a piece of the puzzle missing.... Good luck.

Ryan
--
Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so. -Douglas Adams



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

Adding the interface in place of the public IPs, though, wouldn't give the desired effect, as the public interface has 4 IPs.

I'll give it a go this weekend though



DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

I'm going to guess now that it's one of two things:
1. NVI and IPsec passthrough have some bug that might be fixed in a newer IOS.
or
2. When I last tried reverting to pre-NVI I missed something.
--
»www.change.org/petitions/create-···imcity-4



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by DarkLogix:

When I last tried reverting to pre-NVI I missed something

bingo.

q.


DarkLogix
Texan and Proud
Premium
join:2008-10-23
Baytown, TX
kudos:3

said by tubbynet:

said by DarkLogix:

When I last tried reverting to pre-NVI I missed something

bingo.

q.

Well, I listed the commands I used to revert. Do you see what I missed?
--
»www.change.org/petitions/create-···imcity-4


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by DarkLogix:

said by tubbynet:

said by DarkLogix:

When I last tried reverting to pre-NVI I missed something

bingo.

q.

Well, I listed the commands I used to revert. Do you see what I missed?

give me time young grasshopper.
not to discount your need -- but you have a workaround.
i've got bigger fish to fry in the short term. you've missed something, but i can't tell at first glance what (if you didn't -- it would work).

this is why backups are *always* critical. save run to flash. run diff. done.

either way -- give me time.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
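"Save run to flash, run diff" is the right advice, and the part that bites in practice is the noise: a raw `diff` of two IOS configs is cluttered by the `! Last configuration change` timestamps, by `ntp clock-period` (which IOS rewrites on its own), and by sub-commands that show up without the interface or line they belong to. The following is an added example, written for this page and not code from the thread or from Cisco: it normalises two configs into section-qualified lines so that every `ip nat inside` is reported together with its interface, drops the volatile lines, and returns exactly what was added and removed between the backup and the running config. The two configs are constructed to mirror the thread's before-NVI and after-NVI states; they are not the poster's actual backup, and the `75.x.x.N` addresses are the thread's sanitised placeholders.

```python
import difflib

# Constructed "backup" (classic NAT) and "running" (NVI) excerpts; not the poster's saved configs.
BEFORE = """\
! Last configuration change at 22:10:00 -0500 Sun Mar 10 2013 by rlh
hostname RLH_router
interface GigabitEthernet1/0
 ip address 10.254.254.1 255.255.255.252
 ip nat inside
interface GigabitEthernet2/0
 ip address 75.x.x.33 255.255.255.248
 ip nat outside
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248
ip nat inside source list 1 pool RLH1 overload
ip nat inside source static tcp 10.0.3.5 443 75.x.x.33 443 extendable
ntp clock-period 17179100
"""

AFTER = """\
! Last configuration change at 01:26:00 -0500 Wed Mar 20 2013 by rlh
hostname RLH_router
interface GigabitEthernet1/0
 ip address 10.254.254.1 255.255.255.252
 ip nat enable
interface GigabitEthernet2/0
 ip address 75.x.x.33 255.255.255.248
 ip nat enable
ip nat translation timeout 2
ip nat pool RLH1 75.x.x.35 75.x.x.35 netmask 255.255.255.248 add-route
ip nat source list 1 pool RLH1 overload
ip nat source static tcp 10.0.3.5 443 75.x.x.33 443 extendable
ntp clock-period 17179223
"""

# Lines IOS rewrites by itself; they are not operator changes and only add diff noise.
VOLATILE = ("ntp clock-period",)


def normalize(config):
    """Flatten an IOS config into section-qualified lines.

    Comment lines ('!') and volatile lines are dropped; an indented sub-command
    is prefixed with its parent section (interface, line, router ...) so the
    diff says *which* interface lost 'ip nat inside'.  Relies on the one-space
    indentation that 'show running-config' prints.
    """
    out, section = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        text = line.strip()
        if not text or text.startswith("!") or text.startswith(VOLATILE):
            continue
        if line[0] in " \t" and section:
            out.append(f"{section} / {text}")
        else:
            section = text
            out.append(text)
    return out


def config_diff(before, after):
    """Return the section-qualified lines present in only one of the configs."""
    b, a = normalize(before), normalize(after)
    return {"removed": [l for l in b if l not in a],
            "added": [l for l in a if l not in b]}


def unified(before, after):
    """Human-readable unified diff of the normalised configs."""
    return "\n".join(difflib.unified_diff(normalize(before), normalize(after),
                                          "backup", "running", lineterm=""))


if __name__ == "__main__":
    print(unified(BEFORE, AFTER))
```

Read the `removed` list as the checklist of what a revert has to put back and the `added` list as what it has to take out; anything in `added` that is not an NVI statement (here the `ip nat translation timeout 2` line) is a change that was made alongside the NVI switch and that a revert focused on NAT statements alone would leave in place. On the box itself, IOS releases from 12.3T onward also offer `show archive config differences` for the same comparison once a backup has been saved.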

Friday, 24-May 18:22:38 | © 1999-2013 dslreports.com.