Cisco 2801 Question

Jherrera1004
Level 1

I'm trying to open a port in a Cisco 2801, port 3001, to give internet access to a Cisco switch whose IP is 172.16.8.40.

Thanks in advance

Cisco 2801 config:

match access-group 110
class-map type inspect match-all vpn-traffic
 match access-group 111
!
!
policy-map type inspect priv-pub-pmap
 class type inspect all-private
  inspect
 class class-default
  drop
policy-map type inspect pub-priv-pmap
 class type inspect vpn-traffic
  inspect
 class class-default
  drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
 service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source public destination private
 service-policy type inspect pub-priv-pmap
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 84600
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 84600
!
crypto isakmp client configuration group BFvpn
 key vPnBr1TT@ny9687!
 dns 192.168.2.10
 pool vpn_ip
 acl remotevpn
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set aes-256-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpn 65535
 set transform-set ESP-3DES-MD5
!
!
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
crypto map vpn client configuration address respond
crypto map vpn 65535 ipsec-isakmp dynamic vpn
!
!
!
!
!
interface FastEthernet0/0
 ip address 75.150.67.105 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security public
 duplex auto
 speed auto
 crypto map vpn
!
interface FastEthernet0/1
 ip address 172.16.250.1 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security private
 speed 100
 full-duplex
!
interface FastEthernet0/3/0
 switchport mode trunk
 no ip address
!
interface FastEthernet0/3/1
 no ip address
!
interface FastEthernet0/3/2
 no ip address
!
interface FastEthernet0/3/3
 no ip address
!
interface Vlan1
 no ip address
!
interface Vlan413
 ip address 170.163.128.202 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 zone-member security public
!
!
router eigrp 1
 network 172.16.0.0
!
ip local policy route-map LocalPBR
ip local pool vpn_ip 172.16.251.10 172.16.251.20
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.16.8.40 3001 172.16.250.1 3001
ip nat inside source route-map NAT-HFC interface FastEthernet0/0 overload
ip nat inside source route-map NAT-OPT interface Vlan413 overload
ip route 0.0.0.0 0.0.0.0 75.150.67.106 track 3
ip route 0.0.0.0 0.0.0.0 170.163.128.201 5
!
ip access-list standard remotevpn
 permit 172.16.0.0 0.15.255.255
!
ip sla 1
 icmp-echo 75.150.67.106 source-interface FastEthernet0/0
 frequency 30
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 170.163.128.201 source-interface Vlan413
 frequency 30
ip sla schedule 2 life forever start-time now
access-list 1 permit 170.163.0.0 0.0.255.255
access-list 1 remark for Telnet & SNMP Restrictions
access-list 1 permit 172.16.8.0 0.0.3.255
access-list 7 permit 172.16.8.40
access-list 7 permit 172.16.8.41
access-list 7 permit 172.16.8.42
access-list 7 permit 172.16.8.43
access-list 10 permit 75.150.67.105
access-list 20 permit 170.163.128.202
access-list 102 deny   ip any 10.0.0.0 0.255.255.255
access-list 102 deny   ip any 172.16.0.0 0.15.255.255
access-list 102 deny   ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip 172.16.0.0 0.0.15.255 any
access-list 102 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 permit ip any any
access-list 111 permit ip 172.16.251.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 111 deny   ip any any
!
!
!
route-map LocalPBR permit 10
 match ip address 10
 set ip default next-hop 75.150.67.106
!
route-map LocalPBR permit 20
 match ip address 20
 set ip default next-hop 170.163.128.201
!
route-map NAT-HFC permit 10
 match ip address 102
 match interface FastEthernet0/0
!
route-map NAT-OPT permit 10
 match ip address 102
 match interface Vlan413
!
snmp-server community chimenet#3000 RO 1
snmp-server enable traps tty
!
tacacs-server host 170.163.248.63
tacacs-server host 170.163.248.64
tacacs-server directed-request
tacacs-server key 7 06050728414B071C1154405B5C54
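The two things a reviewer would check first in a configuration like the one above, written up as an added example in Python (not code from the post, and not anything from Cisco): whether the inside-global address of the static NAT entry sits on an interface marked "ip nat outside", and whether the public-to-private zone-pair policy lets an inbound connection reach the inside host at all. SAMPLE_CONFIG is constructed from the posted lines that matter for these two checks; the probe source 198.51.100.7 (a TEST-NET-2 address), the zone names passed as defaults and every function name are assumptions of this example.

```python
"""Static checks for a port-forward through a Cisco IOS router running NAT plus a
zone-based firewall.  Added example (not from the post or Cisco): SAMPLE_CONFIG is
built from the posted lines; everything else is assumed."""
import ipaddress
import re

SAMPLE_CONFIG = """\
class-map type inspect match-all vpn-traffic
 match access-group 111
policy-map type inspect pub-priv-pmap
 class type inspect vpn-traffic
  inspect
 class class-default
  drop
zone-pair security pub-priv source public destination private
 service-policy type inspect pub-priv-pmap
interface FastEthernet0/0
 ip address 75.150.67.105 255.255.255.252
 ip nat outside
interface FastEthernet0/1
 ip address 172.16.250.1 255.255.255.252
ip nat inside source static tcp 172.16.8.40 3001 172.16.250.1 3001
access-list 111 permit ip 172.16.251.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 111 deny   ip any any
"""

def parse_blocks(text):
    """(top-level command, [indented sub-commands]) pairs; '!' and blanks dropped."""
    blocks = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line.startswith(" "):
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks

def _take_net(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcards only)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]

def acl_permits(blocks, number, proto, src, dst):
    """First-match walk of numbered extended ACL `number` (implicit deny; 'eq PORT' not read)."""
    pat = re.compile(rf"access-list {number} (permit|deny)\s+(\S+)\s+(.+)")
    for hdr, _ in blocks:
        m = pat.match(hdr)
        if m and m.group(2) in ("ip", proto):
            s, rest = _take_net(m.group(3).split())
            d, _ = _take_net(rest)
            if src in s and dst in d:
                return m.group(1) == "permit"
    return False

def zone_pair_action(blocks, src_zone, dst_zone, proto, src, dst):
    """zone-pair -> policy-map -> class-map -> ACL; returns inspect/pass/drop ('match access-group' only)."""
    bmap, tail = dict(blocks), f"source {src_zone} destination {dst_zone}"
    pmap = next((s[0].split()[-1] for h, s in blocks
                 if h.startswith("zone-pair security") and h.endswith(tail)), None)
    if pmap is None:
        return "drop"                      # no zone-pair: inter-zone traffic dropped
    matched = False
    for line in bmap[f"policy-map type inspect {pmap}"]:
        if line.startswith("class "):
            cname = line.split()[-1]
            cm = next((k for k in bmap if k.startswith("class-map type inspect")
                       and k.endswith(" " + cname)), "")
            hits = [acl_permits(blocks, m.split()[-1], proto, src, dst)
                    for m in bmap.get(cm, []) if m.startswith("match access-group")]
            matched = cname == "class-default" or (
                bool(hits) and (all(hits) if "match-all" in cm else any(hits)))
        elif matched:
            return line.split()[0]         # first action line of the matching class
    return "drop"

def audit_port_forwards(text, out_zone="public", in_zone="private", probe="198.51.100.7"):
    """Findings per 'ip nat inside source static tcp|udp' line; zones and probe are assumed."""
    blocks, findings = parse_blocks(text), []
    ifs = {h.split()[1]: s for h, s in blocks if h.startswith("interface ")}
    pat = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
    for m in filter(None, (pat.match(h) for h, _ in blocks)):
        proto, local, lport, glob, gport = m.groups()
        # 1. inside-global address must sit on an 'ip nat outside' interface
        holder = next((n for n, s in ifs.items()
                       if any(l.startswith(f"ip address {glob} ") for l in s)), None)
        if holder is None or "ip nat outside" not in ifs[holder]:
            findings.append(f"{proto}/{gport}: inside-global {glob} is not on an "
                            f"'ip nat outside' interface (found on {holder})")
        # 2. outside->inside zone-pair must admit the flow; ZBF sees the translated dst
        action = zone_pair_action(blocks, out_zone, in_zone, proto,
                                  ipaddress.ip_address(probe), ipaddress.ip_address(local))
        if action == "drop":
            findings.append(f"{proto}/{gport}: inbound flow to {local}:{lport} is "
                            f"dropped by the {out_zone}->{in_zone} policy")
    return findings

if __name__ == "__main__":
    for finding in audit_port_forwards(SAMPLE_CONFIG):
        print(finding)
```

Run as-is it reports two findings for the sample: the translation's global address 172.16.250.1 lives on FastEthernet0/1, which carries no "ip nat outside", and a connection from the probe address to 172.16.8.40 falls through class vpn-traffic (access-list 111 only permits the VPN pool) into class-default, which drops. The checker only understands numbered extended ACLs with contiguous wildcard masks and "match access-group" class-map criteria; anything else in a real config (port qualifiers, "match protocol", named ACLs) must still be reviewed by hand.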

1 Reply

Mohit Sahai
Cisco Employee

Hello Jherrera,

Trust you are doing great.

Could you please additionally configure "ip nat outside" under interface FastEthernet 0/1 and "ip nat inside" under interface Vlan 413 and interface Fa 0/0, and check if it is working.

Regards,

Mohit
