09-25-2012 08:36 PM - edited 03-07-2019 09:06 AM
I'm having some issues using a public /8 subnet from our ISP to access a Sharepoint site. The Sharepoint site is always accessible internally, but not always available externally (it goes up and down apparently randomly, and is accessible from some clients but not others).
Is someone able to have a look at the config attached and see if the secondary IP setup (Gig0/0: XXX.XX.XXX.121 and NAT: 123) is set up the way it's meant to be? I've highlighted what I think are the important bits in red.
Oh, and if you spot anything else that should change, let me know.
R1168#show run brief
Building configuration...
Current configuration : 9839 bytes
!
! Last configuration change at 11:36:02 EST Wed Sep 26 2012 by admin
! NVRAM config last updated at 16:24:24 EST Tue Sep 25 2012 by admin
! NVRAM config last updated at 16:24:24 EST Tue Sep 25 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1168
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.151-4.M2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
enable secret 5 <password>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone EST 10 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name my-domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2077521295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2077521295
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-2077521295
certificate self-signed 01
license udi pid CISCO1941/K9 sn FGL151625X0
!
!
username admin privilege 15 secret 5 <password>
username <username> secret 5 <password>
!
redundancy
!
!
!
!
controller VDSL 0/0/0
!
controller VDSL 0/1/0
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key <password> address XX
crypto isakmp key <password> address XX
crypto isakmp key <password> address XX
crypto isakmp key <password> address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group Remote-Users
key <password>
dns 10.0.2.31
domain my-domain.local
pool EZVPN-POOL
acl 100
save-password
max-users 10
crypto isakmp profile ciscocp-ike-profile-1
match identity group Remote-Users
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address initiate
client configuration address respond
keepalive 60 retry 5
virtual-template 1
!
!
crypto ipsec transform-set DRAYTEK esp-des esp-md5-hmac
crypto ipsec transform-set CISCO esp-aes esp-sha-hmac
crypto ipsec transform-set EZVPN-TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association lifetime seconds 1800
set security-association idle-time 1800
set transform-set EZVPN-TRANS
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile VIRT-TUN-INT
set transform-set CISCO
!
!
crypto map VPN-MAP 20 ipsec-isakmp
set peer XX
set transform-set DRAYTEK
match address CRYPTO-DRAYTEK
!
!
!
!
!
interface Tunnel0
description Site1 VPN
ip address 192.168.1.1 255.255.255.252
shutdown
tunnel source XX.XXX.XXX.101
tunnel mode ipsec ipv4
tunnel destination XX
tunnel protection ipsec profile VIRT-TUN-INT
!
interface Tunnel1
description Site2 VPN
ip address 10.0.0.5 255.255.255.252
ip nat inside
ip virtual-reassembly in
shutdown
tunnel source XX.XXX.XXX.101
tunnel mode ipsec ipv4
tunnel destination XX
tunnel protection ipsec profile VIRT-TUN-INT
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal LAN
ip address 10.0.2.1 255.255.254.0
ip address XXX.XX.XXX.121 255.255.255.248 secondary
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip policy route-map RMAP-OUT-DIALER
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
shutdown
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface Ethernet0/0/0
description ADSL Interface 0
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 2
!
!
interface Ethernet0/1/0
description ADSL Interface 2
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address XX.XXX.XXX.100 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname account1
ppp chap password 0 <password>
ppp pap sent-username account1 password 0 <password>
no cdp enable
!
interface Dialer1
ip address XX.XXX.XXX.101 255.255.255.254
ip address XXX.XX.XXX.121 255.255.255.248 secondary
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname account2
ppp chap password 0 <password>
ppp pap sent-username account2 password 0 <password>
no cdp enable
crypto map VPN-MAP
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local policy route-map LOCAL_POLICY
ip local pool EZVPN-POOL 10.0.10.1 10.0.10.20
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT-RMAP0 interface Dialer0 overload
ip nat inside source route-map NAT-RMAP1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.32 25 XX.XXX.XXX.100 25 extendable
ip nat inside source static tcp 10.0.2.35 80 XX.XXX.XXX.100 80 extendable
ip nat inside source static tcp 10.0.2.32 443 XX.XXX.XXX.100 443 extendable
ip nat inside source static tcp 10.0.2.32 995 XX.XXX.XXX.100 995 extendable
ip nat inside source static tcp 10.0.2.36 3389 XX.XXX.XXX.100 3389 extendable
ip nat inside source static tcp 10.0.2.35 7000 XX.XXX.XXX.100 7000 extendable
ip nat inside source static tcp 10.0.2.34 8080 XX.XXX.XXX.100 8080 extendable
ip nat inside source static tcp 10.0.2.34 8081 XX.XXX.XXX.100 8081 extendable
ip nat inside source static tcp 10.0.2.32 25 XX.XXX.XXX.101 25 extendable
ip nat inside source static tcp 10.0.2.37 80 XX.XXX.XXX.101 80 extendable
ip nat inside source static tcp 10.0.2.32 443 XX.XXX.XXX.101 443 extendable
ip nat inside source static tcp 10.0.2.32 995 XX.XXX.XXX.101 995 extendable
ip nat inside source static tcp 10.0.2.37 3389 XX.XXX.XXX.101 3389 extendable
ip nat inside source static tcp 10.0.2.38 3389 XX.XXX.XXX.101 5555 extendable
ip nat inside source static tcp 10.0.2.39 80 XXX.XX.XXX.123 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 8.8.4.4 255.255.255.255 Dialer0
ip route 8.8.4.4 255.255.255.255 Dialer1 254
ip route 8.8.8.8 255.255.255.255 Dialer1
ip route 8.8.8.8 255.255.255.255 Dialer0 254
ip route 10.0.5.0 255.255.255.0 Tunnel1
!
ip access-list extended CRYPTO-DRAYTEK
permit ip 10.0.0.0 0.255.255.255 192.168.4.0 0.0.0.255
ip access-list extended DIALER0_TRAFFIC
permit ip host XX.XXX.XXX.100 any
ip access-list extended DIALER1_TRAFFIC
permit ip host XX.XXX.XXX.101 any
ip access-list extended NAT
deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.0.2.0 0.0.1.255 any
ip access-list extended OUT-DIALER0
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip host 10.0.2.35 any
permit ip host 10.0.2.32 any
permit ip host 10.0.2.34 any
permit ip host 10.0.2.36 any
permit ip host 10.0.2.42 any
ip access-list extended OUT-DIALER1
deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip host 10.0.2.37 any
permit ip host 10.0.2.39 any
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.2.0 0.0.1.255 10.0.10.0 0.0.0.255
!
no cdp run
!
!
!
route-map LOCAL_POLICY permit 10
match ip address DIALER0_TRAFFIC
set default interface Dialer0
!
route-map LOCAL_POLICY permit 20
match ip address DIALER1_TRAFFIC
set default interface Dialer1
!
route-map NAT-RMAP0 permit 10
match ip address NAT
match interface Dialer0
!
route-map NAT-RMAP1 permit 10
match ip address NAT
match interface Dialer1
!
route-map RMAP-OUT-DIALER permit 10
match ip address OUT-DIALER0
set interface Dialer0
!
route-map RMAP-OUT-DIALER permit 20
match ip address OUT-DIALER1
set interface Dialer1
!
!
snmp-server community snmp_router RO
snmp-server location Corporate
snmp-server contact Company Pty Ltd
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 10 in
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh
!
scheduler allocate 20000 1000
ntp peer 192.231.203.132
end
09-25-2012 09:29 PM
Hello,
Can you please post
#sh ip nat translations
just to know whether the packets are moving out from the Dialer1 interface or getting dropped by any ACL.
Thanks,
srikanth
09-25-2012 09:34 PM
There's no one using it at the moment as it's a limited test site but here it is:
R1168#show ip nat trans | i 10.0.2.39
tcp XXX.XX.XXX.123:80 10.0.2.39:80 --- ---
I just tried connecting to the site from my laptop on 3G and couldn't access it.
09-26-2012 01:56 AM
I just tried connecting to the site from my laptop on 3G and couldn't access it.
First thing to confirm is whether the site is accessible/working or not (if the site is allowed to be accessed from anywhere/the world).
If it is open to the world and even you are not able to access it from 3G/dongle/outside internet, then it's a server issue.
Try this and see whether you are able to open a session or not.
> telnet gmail.com 80
I think NATting is good.
Regards,
srikanth
10-02-2012 04:23 PM
I ended up working with our ISP to get this one resolved. The issue was that the router was sending XXX.XX.XXX.123 (secondary IP) traffic out both WAN/Dialer interfaces. Our ISP was only expecting the traffic from one WAN connection, so whenever we routed traffic out the wrong interface the ISP would drop it as an anti-spoofing measure. Our ISP kindly modified their routing to accept the traffic from both connections, and now everything is working OK.
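The root cause above (return traffic for a public address leaving the WAN link that does not own that address, and being dropped upstream as spoofed) can be caught from the config alone. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style config for static NAT entries, works out which `ip nat outside` interface owns each public address, and checks whether the inside host is pinned to that same interface by the `ip policy route-map` on its LAN interface. The embedded config is constructed to mirror the shape of the one posted (Gig0/0 with a secondary /29 that is also secondary on Dialer1, PBR via `RMAP-OUT-DIALER`) but uses RFC 5737 documentation addresses; the interface, ACL and route-map names are assumptions for the example, and only `permit ip host X any` ACL entries are modelled.

```python
"""Audit an IOS config for static NATs whose inside host is not policy-routed
out the WAN interface owning the public address. Packets with that source
leaving the other WAN link may be dropped upstream as spoofed (added example,
not Cisco or the poster's code)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample mirroring the thread's config shape; RFC 5737 addresses.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.254.0
 ip address 198.51.100.121 255.255.255.248 secondary
 ip nat inside
 ip policy route-map RMAP-OUT-DIALER
interface Dialer0
 ip address 203.0.113.100 255.255.255.254
 ip nat outside
interface Dialer1
 ip address 203.0.113.101 255.255.255.254
 ip address 198.51.100.121 255.255.255.248 secondary
 ip nat outside
ip nat inside source static tcp 10.0.2.35 80 203.0.113.100 80 extendable
ip nat inside source static tcp 10.0.2.39 80 198.51.100.123 80 extendable
ip nat inside source static tcp 10.0.2.40 443 203.0.113.101 443 extendable
ip nat inside source static tcp 10.0.2.41 25 203.0.113.100 25 extendable
ip access-list extended OUT-DIALER0
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 permit ip host 10.0.2.35 any
 permit ip host 10.0.2.40 any
ip access-list extended OUT-DIALER1
 permit ip host 10.0.2.39 any
route-map RMAP-OUT-DIALER permit 10
 match ip address OUT-DIALER0
 set interface Dialer0
route-map RMAP-OUT-DIALER permit 20
 match ip address OUT-DIALER1
 set interface Dialer1
"""

STATIC_NAT = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_config(text):
    """Extract interfaces, static NATs, ACL host permits and PBR route-maps."""
    ifaces, nats = {}, []                      # name -> info; (in_ip, in_port, pub_ip, pub_port)
    acl_hosts, rmaps = defaultdict(set), defaultdict(list)
    block = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        parts = line.split()
        if line.startswith("interface "):
            cur, block = parts[1], "iface"
            ifaces[cur] = {"addrs": [], "nat": None, "policy": None}
        elif line.startswith("ip access-list extended "):
            cur, block = parts[-1], "acl"
        elif line.startswith("route-map "):
            cur, block = parts[1], "rmap"
            rmaps[cur].append({"seq": int(parts[3]), "acl": None, "iface": None})
        elif m := STATIC_NAT.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            block = None
        elif block == "iface" and parts[:2] == ["ip", "address"]:
            ifaces[cur]["addrs"].append(ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}"))
        elif block == "iface" and parts[:2] == ["ip", "nat"]:
            ifaces[cur]["nat"] = parts[2]
        elif block == "iface" and parts[:3] == ["ip", "policy", "route-map"]:
            ifaces[cur]["policy"] = parts[3]
        elif block == "acl" and parts[:3] == ["permit", "ip", "host"] and parts[4] == "any":
            acl_hosts[cur].add(parts[3])
        elif block == "rmap" and parts[:3] == ["match", "ip", "address"]:
            rmaps[cur][-1]["acl"] = parts[3]
        elif block == "rmap" and parts[:2] == ["set", "interface"]:
            rmaps[cur][-1]["iface"] = parts[2]
    for entries in rmaps.values():
        entries.sort(key=lambda e: e["seq"])   # route-map sequences are evaluated in order
    return {"ifaces": ifaces, "nats": nats, "acl_hosts": acl_hosts, "rmaps": rmaps}


def owner_of(cfg, public_ip):
    """'ip nat outside' interface that should emit packets sourced from public_ip:
    exact address match first, otherwise the interface whose prefix contains it."""
    ip = ipaddress.IPv4Address(public_ip)
    outside = [(n, i) for n, i in cfg["ifaces"].items() if i["nat"] == "outside"]
    for name, info in outside:
        if any(a.ip == ip for a in info["addrs"]):
            return name
    for name, info in outside:
        if any(ip in a.network for a in info["addrs"]):
            return name
    return None


def pbr_egress(cfg, inside_ip):
    """Interface the inside host is pinned to by PBR on its LAN interface, or None
    if it simply follows the routing table (here: either default route)."""
    ip = ipaddress.IPv4Address(inside_ip)
    for info in cfg["ifaces"].values():
        if info["nat"] == "inside" and info["policy"] and any(ip in a.network for a in info["addrs"]):
            for entry in cfg["rmaps"].get(info["policy"], []):
                if inside_ip in cfg["acl_hosts"].get(entry["acl"], set()):
                    return entry["iface"]     # first matching sequence wins
    return None


def audit(text):
    """Return (severity, mapping, message) per static NAT entry."""
    cfg, findings = parse_config(text), []
    for in_ip, in_port, pub_ip, pub_port in cfg["nats"]:
        owner, egress = owner_of(cfg, pub_ip), pbr_egress(cfg, in_ip)
        key = f"{in_ip}:{in_port} -> {pub_ip}:{pub_port}"
        if owner is None:
            findings.append(("ERROR", key, "no WAN interface owns the public address"))
        elif egress is None:
            findings.append(("WARN", key, f"host not pinned by PBR; may leave via a link other than {owner}"))
        elif egress != owner:
            findings.append(("ERROR", key, f"PBR sends host out {egress}, public address belongs to {owner}"))
        else:
            findings.append(("OK", key, f"pinned to {owner}"))
    return findings


if __name__ == "__main__":
    for sev, key, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:5} {key}: {msg}")
```

Run it against a saved `show run` to get one line per static NAT. In the sample, the two hosts whose PBR entry and public-address owner agree come back `OK`, the host policy-routed to Dialer0 while its public address sits on Dialer1 is an `ERROR`, and the host absent from both PBR ACLs is a `WARN`, since with two equal default routes its replies can leave either link. The thread's fix was to have the ISP accept the prefix on both links; the alternative this check supports is keeping each public address's traffic pinned to the link that owns it.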