PAT, Secondary IP and Sharepoint

I'm having some issues using a public /8 subnet from our ISP to access a Sharepoint site. The Sharepoint site is always accessible internally, but not always available externally (it goes up and down apparently randomly, and is accessible from some clients but not others).

Is someone able to have a look at the config attached and see if the secondary IP setup (Gig0/0: XXX.XX.XXX.121 and NAT: 123) is set up the way it's meant to be? I've highlighted what I think are the important bits in red.

Oh, and if you spot anything else that should change, let me know.

R1168#show run brief
Building configuration...

Current configuration : 9839 bytes
!
! Last configuration change at 11:36:02 EST Wed Sep 26 2012 by admin
! NVRAM config last updated at 16:24:24 EST Tue Sep 25 2012 by admin
! NVRAM config last updated at 16:24:24 EST Tue Sep 25 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1168
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.151-4.M2.bin
boot-end-marker
!
!
logging buffered 51200 warnings
no logging console
enable secret 5 <password>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone EST 10 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name my-domain.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2077521295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2077521295
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-2077521295
certificate self-signed 01
license udi pid CISCO1941/K9 sn FGL151625X0
!
!
username admin privilege 15 secret 5 <password>
username <username> secret 5 <password>
!
redundancy
!
!
!
!
controller VDSL 0/0/0
!
controller VDSL 0/1/0
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
crypto isakmp key <password> address XX
crypto isakmp key <password> address XX
crypto isakmp key <password> address XX
crypto isakmp key <password> address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group Remote-Users
key <password>
dns 10.0.2.31
domain my-domain.local
pool EZVPN-POOL
acl 100
save-password
max-users 10
crypto isakmp profile ciscocp-ike-profile-1
   match identity group Remote-Users
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   keepalive 60 retry 5
   virtual-template 1
!
!
crypto ipsec transform-set DRAYTEK esp-des esp-md5-hmac
crypto ipsec transform-set CISCO esp-aes esp-sha-hmac
crypto ipsec transform-set EZVPN-TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association lifetime seconds 1800
set security-association idle-time 1800
set transform-set EZVPN-TRANS
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile VIRT-TUN-INT
set transform-set CISCO
!
!
crypto map VPN-MAP 20 ipsec-isakmp
set peer XX
set transform-set DRAYTEK
match address CRYPTO-DRAYTEK
!
!
!
!
!
interface Tunnel0
description Site1 VPN
ip address 192.168.1.1 255.255.255.252
shutdown
tunnel source XX.XXX.XXX.101
tunnel mode ipsec ipv4
tunnel destination XX
tunnel protection ipsec profile VIRT-TUN-INT
!
interface Tunnel1
description Site2 VPN
ip address 10.0.0.5 255.255.255.252
ip nat inside
ip virtual-reassembly in
shutdown
tunnel source XX.XXX.XXX.101
tunnel mode ipsec ipv4
tunnel destination XX
tunnel protection ipsec profile VIRT-TUN-INT
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal LAN
ip address 10.0.2.1 255.255.254.0
ip address XXX.XX.XXX.121 255.255.255.248 secondary
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip policy route-map RMAP-OUT-DIALER
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
shutdown
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface Ethernet0/0/0
description ADSL Interface 0
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 2
!
!
interface Ethernet0/1/0
description ADSL Interface 2
no ip address
shutdown
pppoe enable group global
no fair-queue
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
ip address XX.XXX.XXX.100 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname account1
ppp chap password 0 <password>
ppp pap sent-username account1 password 0 <password>
no cdp enable
!
interface Dialer1
ip address XX.XXX.XXX.101 255.255.255.254
ip address XXX.XX.XXX.121 255.255.255.248 secondary
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp header-compression
ip tcp adjust-mss 1452
dialer pool 2
dialer idle-timeout 0
dialer persistent
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname account2
ppp chap password 0 <password>
ppp pap sent-username account2 password 0 <password>
no cdp enable
crypto map VPN-MAP
!
router rip
version 2
network 10.0.0.0
network 192.168.1.0
!
ip local policy route-map LOCAL_POLICY
ip local pool EZVPN-POOL 10.0.10.1 10.0.10.20
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map NAT-RMAP0 interface Dialer0 overload
ip nat inside source route-map NAT-RMAP1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.32 25 XX.XXX.XXX.100 25 extendable
ip nat inside source static tcp 10.0.2.35 80 XX.XXX.XXX.100 80 extendable
ip nat inside source static tcp 10.0.2.32 443 XX.XXX.XXX.100 443 extendable
ip nat inside source static tcp 10.0.2.32 995 XX.XXX.XXX.100 995 extendable
ip nat inside source static tcp 10.0.2.36 3389 XX.XXX.XXX.100 3389 extendable
ip nat inside source static tcp 10.0.2.35 7000 XX.XXX.XXX.100 7000 extendable
ip nat inside source static tcp 10.0.2.34 8080 XX.XXX.XXX.100 8080 extendable
ip nat inside source static tcp 10.0.2.34 8081 XX.XXX.XXX.100 8081 extendable
ip nat inside source static tcp 10.0.2.32 25 XX.XXX.XXX.101 25 extendable
ip nat inside source static tcp 10.0.2.37 80 XX.XXX.XXX.101 80 extendable
ip nat inside source static tcp 10.0.2.32 443 XX.XXX.XXX.101 443 extendable
ip nat inside source static tcp 10.0.2.32 995 XX.XXX.XXX.101 995 extendable
ip nat inside source static tcp 10.0.2.37 3389 XX.XXX.XXX.101 3389 extendable
ip nat inside source static tcp 10.0.2.38 3389 XX.XXX.XXX.101 5555 extendable
ip nat inside source static tcp 10.0.2.39 80 XXX.XX.XXX.123 80 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 8.8.4.4 255.255.255.255 Dialer0
ip route 8.8.4.4 255.255.255.255 Dialer1 254
ip route 8.8.8.8 255.255.255.255 Dialer1
ip route 8.8.8.8 255.255.255.255 Dialer0 254
ip route 10.0.5.0 255.255.255.0 Tunnel1
!
ip access-list extended CRYPTO-DRAYTEK
permit ip 10.0.0.0 0.255.255.255 192.168.4.0 0.0.0.255
ip access-list extended DIALER0_TRAFFIC
permit ip host XX.XXX.XXX.100 any
ip access-list extended DIALER1_TRAFFIC
permit ip host XX.XXX.XXX.101 any
ip access-list extended NAT
deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 10.0.2.0 0.0.1.255 any
ip access-list extended OUT-DIALER0
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip host 10.0.2.35 any
permit ip host 10.0.2.32 any
permit ip host 10.0.2.34 any
permit ip host 10.0.2.36 any
permit ip host 10.0.2.42 any
ip access-list extended OUT-DIALER1
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip host 10.0.2.37 any
permit ip host 10.0.2.39 any
!
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.2.0 0.0.1.255 10.0.10.0 0.0.0.255
!
no cdp run
!
!
!
route-map LOCAL_POLICY permit 10
match ip address DIALER0_TRAFFIC
set default interface Dialer0
!
route-map LOCAL_POLICY permit 20
match ip address DIALER1_TRAFFIC
set default interface Dialer1
!
route-map NAT-RMAP0 permit 10
match ip address NAT
match interface Dialer0
!
route-map NAT-RMAP1 permit 10
match ip address NAT
match interface Dialer1
!
route-map RMAP-OUT-DIALER permit 10
match ip address OUT-DIALER0
set interface Dialer0
!
route-map RMAP-OUT-DIALER permit 20
match ip address OUT-DIALER1
set interface Dialer1
!
!
snmp-server community snmp_router RO
snmp-server location Corporate
snmp-server contact Company Pty Ltd
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 10 in
transport input ssh
line vty 5 15
access-class 10 in
transport input ssh
!
scheduler allocate 20000 1000
ntp peer 192.231.203.132
end

4 Replies

srikanth ath
Level 4

Hello,

Can you please post

#sh ip nat translations

Just to know whether the packets are moving out from dialer1 int or getting dropped by any ACL.

Thanks,

srikanth

There's no one using it at the moment as it's a limited test site but here it is:

R1168#show ip nat trans | i 10.0.2.39

tcp XXX.XX.XXX.123:80  10.0.2.39:80       ---                ---

I just tried connecting to the site from my laptop on 3G and couldn't access it.

First thing is to confirm whether the site is accessible/working or not (if the site is allowed to be accessed from anywhere/the world).

If it is open to the world and you are still not able to access it from 3G/dongle/outside internet, then it's a server issue.

Try this and see whether you are able to open a session or not.

>  telnet gmail.com 80

I think NATting is good.

Regards,

srikanth

I ended up working with our ISP to get this one resolved. The issue was that the router was sending XXX.XX.XXX.123 (secondary IP) traffic out both WAN/Dialer interfaces. Our ISP was only expecting the traffic from one WAN connection, so whenever we routed traffic out the wrong interface the ISP would drop it as an anti-spoofing measure. Our ISP kindly modified their routing to accept the traffic from both connections, and now everything is working OK.
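The cause found above is worth being able to catch before the ISP does: a static NAT whose global address lives on one WAN interface, while the inside host is not policy-routed (or is policy-routed to the wrong dialer), will have its replies spread across both default routes and sourced from an address the second ISP path does not expect. The script below is an added example, not from this thread or from Cisco; it parses an IOS-style config excerpt that I constructed to mirror the posted one (documentation addresses substituted, dialer addresses shown as /32 as a negotiated PPP address would be) and reports static NAT entries whose egress is ambiguous. The names SAMPLE_CONFIG, audit, parse_interfaces and the other functions are mine, and the parser understands only the constructs used here: named extended ACLs with `permit ip host`, route-map sequences with `match ip address` and `set interface`, static NAT with or without ports, and default routes via an interface.

```python
"""Audit an IOS-style config for static NAT entries whose replies can leave via a WAN
interface that does not own the global address (added example; not the thread's code)."""
import ipaddress

# Constructed excerpt modelled on the posted config. 10.0.2.40 is deliberately left out
# of both PBR ACLs and 10.0.2.41 is pinned to the wrong dialer, to show the two findings.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.2.1 255.255.254.0
 ip address 198.51.100.121 255.255.255.248 secondary
 ip nat inside
 ip policy route-map RMAP-OUT-DIALER
!
interface Dialer0
 ip address 203.0.113.100 255.255.255.255
 ip nat outside
!
interface Dialer1
 ip address 203.0.113.101 255.255.255.255
 ip address 198.51.100.121 255.255.255.248 secondary
 ip nat outside
!
ip nat inside source static tcp 10.0.2.35 80 203.0.113.100 80 extendable
ip nat inside source static tcp 10.0.2.39 80 198.51.100.123 80 extendable
ip nat inside source static tcp 10.0.2.40 443 198.51.100.125 443 extendable
ip nat inside source static 10.0.2.41 198.51.100.124
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended OUT-DIALER0
 permit ip host 10.0.2.35 any
 permit ip host 10.0.2.41 any
ip access-list extended OUT-DIALER1
 permit ip host 10.0.2.39 any
!
route-map RMAP-OUT-DIALER permit 10
 match ip address OUT-DIALER0
 set interface Dialer0
route-map RMAP-OUT-DIALER permit 20
 match ip address OUT-DIALER1
 set interface Dialer1
"""


def parse_interfaces(cfg):
    """Interface name -> its addresses, whether it is 'ip nat outside', and its PBR route-map."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if line and not line.startswith(" "):           # top-level command ends any block
            cur = tok[1] if tok[:1] == ["interface"] else None
            if cur:
                ifaces[cur] = {"addrs": [], "nat_outside": False, "policy": None}
        elif cur and tok[:2] == ["ip", "address"] and len(tok) >= 4:
            ifaces[cur]["addrs"].append(ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}"))
        elif cur and tok == ["ip", "nat", "outside"]:
            ifaces[cur]["nat_outside"] = True
        elif cur and tok[:3] == ["ip", "policy", "route-map"]:
            ifaces[cur]["policy"] = tok[3]
    return ifaces


def parse_static_nat(cfg):
    """Yield (inside, global) address pairs from 'ip nat inside source static' lines."""
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            rest = tok[5:]
            i, g = (1, 3) if rest[0] in ("tcp", "udp") else (0, 1)   # port form vs plain form
            yield ipaddress.IPv4Address(rest[i]), ipaddress.IPv4Address(rest[g])


def parse_acl_hosts(cfg):
    """Named extended ACL -> set of hosts matched by its 'permit ip host X ...' entries."""
    acls, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            cur = tok[3]
            acls[cur] = set()
        elif line.startswith(" ") and cur and tok[:3] == ["permit", "ip", "host"]:
            acls[cur].add(ipaddress.IPv4Address(tok[3]))
        elif not line.startswith(" "):
            cur = None
    return acls


def parse_route_maps(cfg):
    """Route-map name -> ordered list of {'acl': match ACL, 'iface': set interface}."""
    rmaps, cur = {}, None
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:1] == ["route-map"] and len(tok) >= 4:
            cur = tok[1]
            rmaps.setdefault(cur, []).append({"acl": None, "iface": None})
        elif line.startswith(" ") and cur and tok[:3] == ["match", "ip", "address"]:
            rmaps[cur][-1]["acl"] = tok[3]
        elif line.startswith(" ") and cur and tok[:2] == ["set", "interface"]:
            rmaps[cur][-1]["iface"] = tok[2]
        elif not line.startswith(" "):
            cur = None
    return rmaps


def default_routes(cfg):
    """Egress interfaces of all 'ip route 0.0.0.0 0.0.0.0 <interface>' lines, in config order."""
    return [l.split()[4] for l in cfg.splitlines() if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]


def audit(cfg):
    """Return (inside, global, problem) triples for static NATs whose egress is ambiguous."""
    ifaces, acls, rmaps = parse_interfaces(cfg), parse_acl_hosts(cfg), parse_route_maps(cfg)
    defaults = default_routes(cfg)

    def owners(addr):   # nat-outside interfaces whose primary or secondary subnet holds addr
        return sorted(n for n, i in ifaces.items()
                      if i["nat_outside"] and any(addr in a.network for a in i["addrs"]))

    def pinned(host):   # first PBR sequence, on any inside interface, that lists this host
        for i in ifaces.values():
            for seq in rmaps.get(i["policy"], []):
                if host in acls.get(seq["acl"], set()) and seq["iface"]:
                    return seq["iface"]
        return None

    findings = []
    for inside, glob in parse_static_nat(cfg):
        own, pin = owners(glob), pinned(inside)
        if not own:
            findings.append((str(inside), str(glob), "global address is on no nat-outside interface"))
        elif pin is None and len(defaults) > 1:
            findings.append((str(inside), str(glob),
                             "not pinned by PBR; replies can leave via any of " + ", ".join(defaults)))
        elif pin and pin not in own:
            findings.append((str(inside), str(glob),
                             f"pinned to {pin} but global address belongs to {', '.join(own)}"))
    return findings


if __name__ == "__main__":
    for inside, glob, problem in audit(SAMPLE_CONFIG):
        print(f"{inside} -> {glob}: {problem}")
```

Run against the constructed excerpt it reports 10.0.2.40 (no PBR entry, two default routes) and 10.0.2.41 (pinned to Dialer0 while its global address sits in Dialer1's secondary /29); 10.0.2.35 and 10.0.2.39 pass. The check looks only at what the config says the router will do; whether the upstream actually accepts a given source on a given link, as in this thread, still has to be confirmed with the ISP.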
