[cisco-bba] Cisco 877 with L2TP to ISP Help

Timmy metalice at gmail.com
Mon Sep 30 07:13:33 EDT 2013


Hi Guys

I need some help with my config. It was working without the L2TP
setting. If I change my default route to Virtual-PPP1, I can still
ping to the outside but cannot browse at all; everything times out.

My config:

no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$EJyC$nAeDSSphBi96PbN4eXhkA1
!
aaa new-model
!
!
aaa authentication ppp default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220

!
l2tp-class 1234
 hidden
 authentication
 hello 10
 password 7 XXX
!
!
vpdn enable
!
vpdn-group CLIENT-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
username user privilege 15 password 7 XXX
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key 6 XXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer XXX dynamic
 set transform-set TRANSFORM
 match address 101
 reverse-route
crypto map VPN 2 ipsec-isakmp
 set peer XXX dynamic
 set transform-set TRANSFORM
 match address 103
 reverse-route
!
archive
 log config
  hidekeys
!
!
ip ssh port 3536 rotary 1
ip ssh version 2
pseudowire-class ISP
 encapsulation l2tpv2
 protocol l2tpv2 1234
 ip local interface Dialer1
 ip pmtu
!
!
!
!
interface Loopback1
 ip address 10.5.5.6 255.255.255.255
!
interface Loopback2
 ip address 10.5.5.7 255.255.255.255
!
interface Tunnel1
 ip address 192.168.0.6 255.255.255.252
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.5.5.5
 tunnel path-mtu-discovery
 crypto map VPN
!
interface Tunnel2
 ip address 192.168.1.6 255.255.255.252
 keepalive 10 3
 tunnel source Loopback2
 tunnel destination 10.5.5.4
 tunnel path-mtu-discovery
!
interface ATM0
 description DSL interface
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 2
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly
 peer default ip address pool defaultpool
 keepalive 32767
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Virtual-PPP1
 description L2TP dialer to ISP
 ip address negotiated
 ip mtu 1452
 ip tcp adjust-mss 1412
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 no cdp enable
 ppp pap sent-username XXX password 7 XXX
 ppp ipcp dns request accept
 pseudowire 196.30.121.50 1 pw-class ISP
!
interface Vlan1
 description internal interface
 ip address 172.21.138.65 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 bandwidth 4096
 ip ddns update hostname sct-george.getmyip.com
 ip ddns update DynDNS host members.dyndns.org
 ip address negotiated
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip mtu 1492
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXX password 7 XXX
 crypto map VPN
!
ip local pool defaultpool 172.21.138.50 172.21.138.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 172.21.146.0 255.255.255.0 Tunnel1
ip route 172.21.147.0 255.255.255.0 Tunnel2
ip route 196.30.121.50 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.21.128.10 21 interface Dialer1 21
ip nat inside source static tcp 172.21.128.10 25 interface Dialer1 25
ip nat inside source static tcp 172.21.128.10 110 interface Dialer1 110
ip nat inside source static tcp 172.21.128.10 119 interface Dialer1 119
ip nat inside source static tcp 172.21.128.10 389 interface Dialer1 389
ip nat inside source static tcp 172.21.128.10 443 interface Dialer1 443
ip nat inside source static tcp 172.21.128.30 5500 interface Dialer1 5500
ip nat inside source static tcp 172.21.128.30 5901 interface Dialer1 5901
ip nat inside source static tcp 172.21.138.1 1119 interface Dialer1 1119
ip nat inside source static tcp 172.21.138.1 1120 interface Dialer1 1120
ip nat inside source static tcp 172.21.138.1 3724 interface Dialer1 3724
ip nat inside source static tcp 172.21.138.1 4000 interface Dialer1 4000
ip nat inside source static tcp 172.21.138.1 6112 interface Dialer1 6112
ip nat inside source static tcp 172.21.138.1 6113 interface Dialer1 6113
ip nat inside source static tcp 172.21.138.1 6114 interface Dialer1 6114
ip nat inside source static tcp 172.21.138.1 6881 interface Dialer1 6881
ip nat inside source static tcp 172.21.138.1 6999 interface Dialer1 6999
ip nat inside source static tcp 172.21.128.30 5912 interface Dialer1 5912
ip nat inside source static tcp 172.21.128.50 80 interface Dialer1 80
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
ip access-list extended VPN_ACL
 permit ip 172.21.138.0 0.0.0.255 172.21.146.0 0.0.0.255 log
!
access-list 1 permit 172.21.138.1
access-list 10 permit 172.21.138.16
access-list 101 permit gre host 10.5.5.6 host 10.5.5.5
access-list 103 permit gre host 10.5.5.7 host 10.5.5.4
access-list 123 deny   ip 172.21.128.0 0.0.0.255 172.21.146.0 0.0.0.255
access-list 123 deny   ip 172.21.138.0 0.0.0.255 172.21.146.0 0.0.0.255
access-list 123 deny   ip 172.21.128.0 0.0.0.255 172.21.147.0 0.0.0.255
access-list 123 deny   ip 172.21.138.0 0.0.0.255 172.21.147.0 0.0.0.255
access-list 123 permit ip 172.21.128.0 0.0.0.255 any
access-list 123 permit ip 172.21.138.0 0.0.0.255 any
snmp-server community public RO 10
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 123
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 password 7 1415131804477B7977
 transport input ssh
!
scheduler max-task-time 5000
end

Can anyone please help me with this?
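
Added example, not part of the original post and not Cisco tooling: a small Python lint run over lines excerpted from the configuration above, where the rule ids and the `audit` function are hypothetical names. It flags settings a security review would question and checks whether the NAT overload rule names the interface the default route uses.

```python
import re

# Excerpt of the config posted above; secrets are the post's own XXX placeholders.
SAMPLE = """\
interface ATM0
 ip directed-broadcast
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
username user privilege 15 password 7 XXX
crypto isakmp key 6 XXX address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
snmp-server community public RO 10
"""

# (hypothetical rule id, per-line pattern, reason to review the line)
RULES = [
    ("type7-password", r"\bpassword 7 ", "type 7 is reversible obfuscation, not a hash"),
    ("wildcard-psk", r"^crypto isakmp key .* address 0\.0\.0\.0 0\.0\.0\.0", "same pre-shared key for every peer address"),
    ("3des", r"\besp-3des\b", "3DES is deprecated; prefer an AES transform"),
    ("ms-chap", r"^\s*ppp authentication .*\bms-chap", "MS-CHAP v1/v2 are considered broken"),
    ("snmp-default", r"^snmp-server community (public|private)\b", "default community string"),
    ("directed-broadcast", r"^\s*ip directed-broadcast", "forwards directed broadcasts (amplification risk)"),
]

def audit(config):
    """Return sorted (rule id, config line, reason) findings for an IOS-style config."""
    lines = config.splitlines()
    findings = {(rule, line.strip(), why)
                for line in lines
                for rule, pattern, why in RULES
                if re.search(pattern, line)}
    # Cross-line check: does the PAT rule name the interface the default route uses?
    egress = {m.group(1) for line in lines
              if (m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line))}
    for line in lines:
        m = re.match(r"ip nat inside source .* interface (\S+) overload", line)
        if m and egress and m.group(1) not in egress:
            why = f"translates to {m.group(1)}'s address, default route leaves via {sorted(egress)[0]}"
            findings.add(("nat-egress-mismatch", line.strip(), why))
    return sorted(findings)

if __name__ == "__main__":
    for rule, line, why in audit(SAMPLE):
        print(f"{rule:20} {line}\n{'':20} -> {why}")
```

The `nat-egress-mismatch` finding is a consistency observation about the posted lines, not a confirmed diagnosis of the browsing timeouts.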

