Afrihost Static IP Setup on a Cisco 800 Series

metalice

Guys

Does anyone know how to set up a Cisco router to connect the L2TP VPN to Afrihost? I have been pulling my hair out for days. I was told it would work, but I can't make heads or tails of vpdn dial-in or out or....

Please help a guy out

Thanks
 
You need to connect to our L2TP server (196.30.121.50) and use your ADSL username and password to log in. I'm not exactly sure how the Cisco router's interface works, but that should be all the info you need. Also remember that we don't support IPSEC on L2TP for the moment.

Here are some basic settings:

Connection type: Remote Access
Type: Dial Out
Server IP: 196.30.121.50
Username: Your ADSL username
Password: Your ADSL password
Authentication Type: PAP
Tunnel Authentication: YES
Secret: h3lp
Active as default route: YES
IPSec: NO
 
Yeah, it's kinda not that easy.... The router you do support: Billion B7402GX, where can I get x 3?
 
I am having endless trouble with the Billion router, it works and then the NAT stalls and stops forwarding traffic, I have to reboot it about 2-4 times a day.
 
This should get you started:

interface Virtual-PPP1
 ip address negotiated
 ip virtual-reassembly
 ip mtu 1452
 ip tcp adjust-mss 1412
 no cdp enable
 ppp pap sent-username *Username* password *Password*
 ! peer address, vc-id, then the pseudowire class (the class is defined separately)
 pseudowire 196.30.121.50 1 pw-class Afrihost
 no shut
!
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 196.30.121.50 255.255.255.255 Dialer0

Then you must just configure the Dialer interface and also assign the static IP you have been given to the Ethernet interface.
 
Thanks a ton, I managed to get as far as getting the L2TP connected and up, and I can ping the static IP from outside. I however sit with the problem that if I change my default route away from

ip route 0.0.0.0 0.0.0.0 dialer1 to ip route 0.0.0.0 0.0.0.0 virtual-ppp1

my local PCs can't see the outside world. I'll paste my config next, maybe someone can point out the problem.

thank you
 
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname adsl-r1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 XXX
!
aaa new-model
!
!
aaa authentication ppp default local
!
!
aaa session-id common
!
!
dot11 syslog
ip cef
!
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip ddns update method DynDNS
HTTP
add http://XXX:XXX@members.dyndns.org/nic/updatesystem=dyndns&hostname=XXX&myip=
remove http://XXX:XXX@members.dyndns.org/nic/updatesystem=dyndns&hostname=XXX&myip=
interval maximum 1 0 0 0
!
l2tp-class 1234
hidden
authentication
hello 10
password 7 0453580A1F
!
!
vpdn enable
!
vpdn-group CLIENT-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username XXX privilege 15 password 7 XXX
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key 6 XXX address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TRANSFORM esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
set peer XXX dynamic
set transform-set TRANSFORM
match address 101
reverse-route
crypto map VPN 2 ipsec-isakmp
set peer YYY dynamic
set transform-set TRANSFORM
match address 103
reverse-route
!
archive
log config
hidekeys
!
!
ip ssh port 3536 rotary 1
ip ssh version 2
pseudowire-class ISP
encapsulation l2tpv2
protocol l2tpv2 1234
ip local interface Dialer1
ip pmtu
!
!
!
!
interface Loopback1
ip address 10.5.5.6 255.255.255.255
!
interface Loopback2
ip address 10.5.5.7 255.255.255.255
!
interface Tunnel1
ip address 192.168.0.6 255.255.255.252
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.5.5.5
tunnel path-mtu-discovery
crypto map VPN
!
interface Tunnel2
ip address 192.168.1.6 255.255.255.252
keepalive 10 3
tunnel source Loopback2
tunnel destination 10.5.5.4
tunnel path-mtu-discovery
!
interface ATM0
description DSL interface
no ip address
ip mask-reply
ip directed-broadcast
ip route-cache flow
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
shutdown
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
peer default ip address pool defaultpool
keepalive 32767
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-PPP1
description L2TP dialer to ISP
ip address negotiated
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
down-when-looped
no cdp enable
ppp pap sent-username XXX password 7 XXX
ppp ipcp dns request accept
pseudowire 196.30.121.50 1 pw-class ISP
!
interface Vlan1
description internal interface
ip address 172.21.138.65 255.255.0.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
!
interface Dialer1
bandwidth 4096
ip ddns update hostname XXX
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
no cdp enable
ppp authentication chap pap callin
ppp pap sent-username XXX password 7 XXX
crypto map VPN
!
ip local pool defaultpool 172.21.138.50 172.21.138.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 172.21.146.0 255.255.255.0 Tunnel1
ip route 172.21.147.0 255.255.255.0 Tunnel2
ip route 196.30.121.50 255.255.255.255 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.21.128.10 21 interface Dialer1 21
ip nat inside source static tcp 172.21.128.10 25 interface Dialer1 25
ip nat inside source static tcp 172.21.128.10 110 interface Dialer1 110
ip nat inside source static tcp 172.21.128.10 119 interface Dialer1 119
ip nat inside source static tcp 172.21.128.10 389 interface Dialer1 389
ip nat inside source static tcp 172.21.128.10 443 interface Dialer1 443
ip nat inside source static tcp 172.21.128.30 5500 interface Dialer1 5500
ip nat inside source static tcp 172.21.128.30 5901 interface Dialer1 5901
ip nat inside source static tcp 172.21.138.1 1119 interface Dialer1 1119
ip nat inside source static tcp 172.21.138.1 1120 interface Dialer1 1120
ip nat inside source static tcp 172.21.138.1 3724 interface Dialer1 3724
ip nat inside source static tcp 172.21.138.1 4000 interface Dialer1 4000
ip nat inside source static tcp 172.21.138.1 6112 interface Dialer1 6112
ip nat inside source static tcp 172.21.138.1 6113 interface Dialer1 6113
ip nat inside source static tcp 172.21.138.1 6114 interface Dialer1 6114
ip nat inside source static tcp 172.21.138.1 6881 interface Dialer1 6881
ip nat inside source static tcp 172.21.138.1 6999 interface Dialer1 6999
ip nat inside source static tcp 172.21.128.30 5912 interface Dialer1 5912
ip nat inside source static tcp 172.21.128.50 80 interface Dialer1 80
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
ip access-list extended VPN_ACL
permit ip 172.21.138.0 0.0.0.255 172.21.146.0 0.0.0.255 log
!
access-list 1 permit 172.21.138.1
access-list 10 permit 172.21.138.16
access-list 101 permit gre host 10.5.5.6 host 10.5.5.5
access-list 103 permit gre host 10.5.5.7 host 10.5.5.4
access-list 123 deny ip 172.21.128.0 0.0.0.255 172.21.146.0 0.0.0.255
access-list 123 deny ip 172.21.138.0 0.0.0.255 172.21.146.0 0.0.0.255
access-list 123 deny ip 172.21.128.0 0.0.0.255 172.21.147.0 0.0.0.255
access-list 123 deny ip 172.21.138.0 0.0.0.255 172.21.147.0 0.0.0.255
access-list 123 permit ip 172.21.128.0 0.0.0.255 any
access-list 123 permit ip 172.21.138.0 0.0.0.255 any
access-list 123 deny ip any any
snmp-server community public RO 10
!
!
route-map SDM_RMAP_1 permit 1
match ip address 123
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 XXX
transport input ssh
!
scheduler max-task-time 5000
end
 
If I set:

ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 172.21.146.0 255.255.255.0 Tunnel1
ip route 172.21.147.0 255.255.255.0 Tunnel2
ip route 196.30.121.50 255.255.255.255 Dialer1

I can ping from the local LAN, but cannot browse. I can remote in from outside on all open ports. What am I missing?
 
So after many frustrating attempts at this, this dawned on me: would the MTU need to be changed for the PPP1? When I set the PPP1 as default route I get the following behaviour:

Can ping DHCP and static IP from outside. Can VPN into router on both and then remote and use network internally as normal.
Can ping "google.co.za" from inside. Can tracert from inside. When I try to browse it says waiting.... then times out.

Really looks like an MTU / MSS issue. I have looked at many examples and haven't found one working yet.

TheGuy, any suggestions ?

Many Thanks

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ1323600N
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
 
Hi Metalice

Not too clued up, but should you not be natting between the L2TP interface and not the dialer interface?

How many IP addresses do they give you?
 
They gave me 1 IP address

I am lost when it comes to NAT setup. I have messed with the NAT setup, mirroring the Dialer1 setup on the Virtual-PPP, but that only made it worse.
 
Must I reboot the router after I changed NAT from 1 interface to another ?
 
Do you know of any other Modems that support this?

I am specifically looking for ADSL modem only (no wifi router).

We have several ADSL lines with a load balancer behind them, which is why we want modems only without wifi or router...

Any suggestions appreciated.
 
Is anyone still struggling with this? I set up my router today; here is the relevant part of the config you will need:

pseudowire-class AFRIHOST-STATIC
 encapsulation l2tpv2
 protocol l2tpv2 AFRIHOST-PASS
 ip local interface Dialer1
!
l2tp-class AFRIHOST-PASS
 hidden
 authentication
 password h3lp
!
! Interface number matches the NAT rule and default route below
interface Virtual-PPP3
 ip address negotiated
 ip virtual-reassembly
 ip mtu 1452
 ip tcp adjust-mss 1412
 no cdp enable
 ip nat outside
 ppp pap sent-username XXXXXXXX password XXXXXXX
 pseudowire 196.30.121.50 1 pw-class AFRIHOST-STATIC
 no shut
!
ip nat inside source list 170 interface Virtual-PPP3 overload
!
access-list 170 permit ip 172.20.13.0 0.0.0.255 any
!
! Host route keeps the L2TP server reachable over the PPPoE dialer
ip route 196.30.121.50 255.255.255.255 Dialer1
ip route 0.0.0.0 0.0.0.0 Virtual-PPP3
!
! As posted; the follow-up post says this should be "ip nat inside"
interface vlan 13
 ip nat outside
 
Stratt, mind sharing the rest of that config? I have a Cisco 867 and I'm pulling my hair out trying to get this to work.
 
I see now I made a mistake with that config: the NAT should be inside on the VLAN interface. That is pretty much the relevant part, and my config is really large so it's a lot of work to sanitize it. You can PM me a sanitized version of your config and I'll check it out for you?

If you do a "sh ip int brief" does the static IP show "up up" on the Virtual-PPP interface?

It should look like this:

stratt#sh ip int brief
Interface          IP-Address     OK? Method Status Protocol
ATM0               unassigned     YES NVRAM  up     up
ATM0.1             unassigned     YES unset  up     up
Dialer1            XXX.XXX.XXX    YES IPCP   up     up
Dialer2            XXX.XXX.XXX    YES IPCP   up     up
Dialer3            XXX.XXX.XXX    YES IPCP   up     up
Dialer4            XXX.XXX.XXX    YES IPCP   up     up
Dialer5            XXX.XXX.XXX    YES IPCP   up     up
Dialer6            XXX.XXX.XXX    YES IPCP   up     up
Ethernet0          unassigned     YES NVRAM  down   down
FastEthernet0      unassigned     YES unset  up     up
FastEthernet1      unassigned     YES unset  down   down
FastEthernet2      unassigned     YES unset  down   down
FastEthernet3      unassigned     YES unset  down   down
NVI0               XXX.XXX.XXX    YES unset  up     up
Tunnel0            unassigned     YES unset  up     up
Tunnel1            unassigned     YES unset  up     up
Virtual-Access1    unassigned     YES unset  down   down
Virtual-Access2    unassigned     YES unset  up     up
Virtual-Access3    unassigned     YES unset  up     up
Virtual-Access4    unassigned     YES unset  up     up
Virtual-Access5    unassigned     YES unset  up     up
Virtual-Access6    unassigned     YES unset  up     up
Virtual-Access7    unassigned     YES unset  up     up
Virtual-PPP1       172.20.13.241  YES IPCP   up     up
Virtual-PPP2       172.20.13.233  YES IPCP   up     up
Virtual-PPP3       105.208.7.XXX  YES IPCP   up     up
Virtual-Template1  172.20.13.1    YES unset  down   down
Vlan1              10.0.0.1       YES NVRAM  up     up
Vlan2              192.168.13.1   YES NVRAM  up     up
Vlan5              192.168.14.1   YES NVRAM  up     up
Vlan13             172.20.13.1    YES NVRAM  up     up
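
Added example, not part of any post in this thread: a small Python check for the two NAT points raised in the replies above (overload NAT bound to the dialer instead of the L2TP interface, and a LAN interface left as "ip nat outside"). The sample config is constructed from interface and rule names in the posted configs, and `check_nat` is a hypothetical helper name.

```python
import re

# Constructed excerpt modelled on the running-config posted earlier in the thread.
SAMPLE = """\
interface Vlan1
 ip nat inside
interface Virtual-PPP1
 ip nat outside
interface Dialer1
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1
ip route 196.30.121.50 255.255.255.255 Dialer1
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
"""

def check_nat(config):
    """Return findings about NAT vs. default-route consistency in an IOS config."""
    roles, defaults, overloads, current = {}, [], [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.fullmatch(r"interface\s+(.+)", line, re.I):
            current = m.group(1).replace(" ", "").lower()   # "vlan 13" -> "vlan13"
        elif m := re.fullmatch(r"ip nat (inside|outside)", line, re.I):
            if current:
                roles[current] = m.group(1).lower()
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+).*", line, re.I):
            defaults.append(m.group(1).lower())
        elif m := re.fullmatch(
                r"ip nat inside source (?:list|route-map) \S+ interface (\S+) overload",
                line, re.I):
            overloads.append(m.group(1).lower())
    findings = []
    if "inside" not in roles.values():
        findings.append("no interface is marked 'ip nat inside'")
    for d in defaults:
        if re.fullmatch(r"[\d.]+", d):
            continue  # next hop is an address, not an interface: nothing to compare
        if roles.get(d) != "outside":
            findings.append(f"default route uses {d}, which is not 'ip nat outside'")
        if d not in overloads:
            bound = ", ".join(overloads) or "nothing"
            findings.append(f"default route uses {d}, but overload NAT is bound to {bound}")
    return findings

if __name__ == "__main__":
    for finding in check_nat(SAMPLE):
        print("FINDING:", finding)
```

Static port-forward rules are deliberately ignored here; they stay valid on whichever interface receives the inbound connection.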
 