Remote LAN not accessible after connecting to ASA 5510 using VPN Client

ali
Level 1

Hi Everyone,

I have a similar problem: I'm able to connect via the VPN client and ping only one host on the remote LAN and nothing else. I'm using both split-tunnel and non-split-tunnel, but neither has worked. My main objective is to make the remote user connect to the office LAN (remote LAN for him) and the office Internet connection. Both of these objectives are not fulfilled by my configuration given below:

Please have a look; any help will be highly appreciated.

Result of the command: "show run"

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name xxx.xxx

enable password PYCOFbMCV52U4BMk encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address xxx.xxx.xxx.xxx 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.251 255.255.255.0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.5.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.32

name-server 221.132.112.8

domain-name xxx.xxx

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list NONAT remark ***VPN****

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192

access-list GVSKhiNW standard permit 192.168.2.0 255.255.255.0

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool VPNPOOL 192.168.20.1-192.168.20.50

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 1 192.168.20.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.5.0 255.255.255.0 management

http 192.168.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set pfs group1

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set reverse-route

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.2-192.168.5.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy newgrp internal

group-policy newgrp attributes

dns-server value 192.168.2.32 221.132.112.8

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value GVSKhiNW

default-domain value GVS.Khi

group-policy company-vpn-policy internal

group-policy company-vpn-policy attributes

dns-server value 192.168.2.32

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelall

split-tunnel-network-list none

username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15

username ajmal attributes

vpn-group-policy company-vpn-policy

username mali password xPY4CsMWghZDv83P encrypted privilege 0

username mali attributes

vpn-group-policy newgrp

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

address-pool VPNPOOL

default-group-policy company-vpn-policy

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

tunnel-group newgrp type remote-access

tunnel-group newgrp general-attributes

address-pool VPNPOOL

default-group-policy newgrp

tunnel-group newgrp ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:a7720c723cdc74148690b044fee171c3

: end

Thanks.


Hi Ali,

Relevant configuration:

access-list NONAT remark ***VPN****

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192

nat (inside) 0 access-list NONAT

!

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

address-pool VPNPOOL

default-group-policy company-vpn-policy

!

group-policy company-vpn-policy internal

group-policy company-vpn-policy attributes

dns-server value 192.168.2.32

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelall

split-tunnel-network-list none

!

ip local pool VPNPOOL 192.168.20.1-192.168.20.50

******************************

Now, you said you can only ping one host. Does this host have the same default gateway as the rest?

Please do the following:

capture capin interface inside match icmp 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0

capture drop type asp all

Then try to ping a couple of internal devices, once done, issue the following commands:

show capture capin

show capture drop | inc 192.168.20.

In addition, run this packet-tracer and attach the output:

packet-tracer input inside icmp 192.168.2.80 8 0 192.168.20.x detail ----> "192.168.20.x" should be the IP address of your VPN client; "192.168.2.80" is just a test, it does not matter if it is not alive.

Thanks.

Portu.

Please rate any helpful posts.

Message was edited by: Javier Portuguez

Hey Portu,

Thanks for hitting back.

Here is the output of the first command:

Result of the command: "show capture capin"

14 packets captured

   1: 21:40:36.200902 192.168.20.1 > 192.168.2.10: icmp: echo request

   2: 21:40:46.139076 192.168.20.1 > 192.168.2.10: icmp: echo request

   3: 21:41:00.894790 192.168.20.1 > 192.168.2.9: icmp: echo request

   4: 21:41:01.137154 192.168.20.1 > 192.168.2.10: icmp: echo request

   5: 21:41:06.487310 192.168.20.1 > 192.168.2.10: icmp: echo request

   6: 21:41:10.754782 192.168.20.1 > 192.168.2.9: icmp: echo request

   7: 21:41:11.158362 192.168.20.1 > 192.168.2.10: icmp: echo request

   8: 21:41:12.141487 192.168.20.1 > 192.168.2.150: icmp: echo request

   9: 21:41:15.628431 192.168.20.1 > 192.168.2.9: icmp: echo request

  10: 21:41:16.129464 192.168.20.1 > 192.168.2.10: icmp: echo request

  11: 21:41:17.133415 192.168.20.1 > 192.168.2.150: icmp: echo request

  12: 21:41:31.168646 192.168.20.1 > 192.168.2.10: icmp: echo request

  13: 21:41:36.130547 192.168.20.1 > 192.168.2.10: icmp: echo request

  14: 21:42:11.143043 192.168.20.1 > 192.168.2.10: icmp: echo request

14 packets shown

and the 2nd command's output goes here:

Result of the command: "conf term"

The command has been sent to the device

Result of the command: "packet-tracer input inside icmp 192.168.2.35 8 0 192.168.20.1 detail"

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa798f720, priority=12, domain=capture, deny=false

    hits=18807, user_data=0xa798f4f8, cs_id=0x0, l3_type=0x0

    src mac=0000.0000.0000, mask=0000.0000.0000

    dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa7343ef8, priority=1, domain=permit, deny=false

    hits=3740, user_data=0x0, cs_id=0x0, l3_type=0x8

    src mac=0000.0000.0000, mask=0000.0000.0000

    dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 3

Type: FLOW-LOOKUP

Subtype:

Result: ALLOW

Config:

Additional Information:

Found no matching flow, creating a new flow

Phase: 4

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.20.1    255.255.255.255 outside

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa73469c8, priority=0, domain=permit-ip-option, deny=true

    hits=97, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa7345cd8, priority=66, domain=inspect-icmp-error, deny=false

    hits=14, user_data=0xa7345c08, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa73b48d8, priority=12, domain=capture, deny=false

    hits=2, user_data=0xa798f4f8, cs_id=0xa71c6278, reverse, flags=0x0, protocol=1

    src ip=192.168.2.0, mask=255.255.255.0, port=0

    dst ip=192.168.20.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

  match ip inside 192.168.2.0 255.255.255.0 outside 192.168.20.0 255.255.255.192

    NAT exempt

    translate_hits = 8, untranslate_hits = 234

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa61d1ec8, priority=6, domain=nat-exempt, deny=false

    hits=7, user_data=0xa73b0ce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

    src ip=192.168.2.0, mask=255.255.255.0, port=0

    dst ip=192.168.20.0, mask=255.255.255.192, port=0, dscp=0x0

Phase: 9

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (110.93.211.67 [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa73b4708, priority=1, domain=nat, deny=false

    hits=7, user_data=0xa73b4668, cs_id=0x0, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (inside) 1 0.0.0.0 0.0.0.0

  match ip inside any outside any

    dynamic translation to pool 1 (110.93.211.67 [Interface PAT])

    translate_hits = 0, untranslate_hits = 0

Additional Information:

Forward Flow based lookup yields rule:

in  id=0xa73b4a20, priority=1, domain=host, deny=false

    hits=274, user_data=0xa73b4668, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0xa6dc2858, priority=70, domain=encrypt, deny=false

    hits=45, user_data=0x2654, cs_id=0x0, reverse, flags=0x0, protocol=0

    src ip=0.0.0.0, mask=0.0.0.0, port=0

    dst ip=192.168.20.1, mask=255.255.255.255, port=0, dscp=0x0

Phase: 12

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 295, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

Module information for reverse flow ...

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow.

The default gateway was something else; when I put the actual gateway, the ping is lost now.

What could be wrong?

thanks.

Dear Ali,

According to the previous outputs, everything points to a routing issue.

Please check if there is any difference between the one working and the ones failing.

Thanks.

Portu.
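The capture Ali posted above, worked through as an added example that is not part of the thread: a short Python script that pairs ICMP echo requests with their replies in `show capture` output and lists the targets that never answered on the interface captured. In the posted capture every one of the 14 packets is a request from 192.168.20.1 and none is a reply, which is the pattern Portu reads as a routing problem: the ASA delivered the request into the LAN, but the host's return path did not lead back to the ASA. The sample text is constructed from the posted lines plus one made-up reply from 192.168.2.150 so the healthy case is visible too; function names are my own.

```python
# Added example, not from the thread: pair ICMP echo requests with replies in ASA
# 'show capture' output and list the LAN targets that never answered.
import re
from collections import defaultdict

# Constructed from the capture posted above, plus one made-up reply (packet 9) from
# 192.168.2.150 so that a target with a working return path is visible as well.
SAMPLE = """\
14 packets captured
   1: 21:40:36.200902 192.168.20.1 > 192.168.2.10: icmp: echo request
   2: 21:40:46.139076 192.168.20.1 > 192.168.2.10: icmp: echo request
   3: 21:41:00.894790 192.168.20.1 > 192.168.2.9: icmp: echo request
   8: 21:41:12.141487 192.168.20.1 > 192.168.2.150: icmp: echo request
   9: 21:41:12.142001 192.168.2.150 > 192.168.20.1: icmp: echo reply
14 packets shown
"""

LINE = re.compile(r"^\s*\d+:\s+(\S+)\s+([\d.]+) > ([\d.]+): icmp: echo (request|reply)")

def parse_capture(text):
    """Yield (timestamp, src, dst, kind) for each ICMP echo line; headers and other protocols are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def summarize(text):
    """Per (client, target) pair: how many requests went out and how many replies came back."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for _, src, dst, kind in parse_capture(text):
        if kind == "request":
            stats[(src, dst)]["requests"] += 1
        else:
            stats[(dst, src)]["replies"] += 1  # a reply travels target -> client; key it the same way
    return dict(stats)

def one_way_targets(text):
    """Targets that saw requests on this interface but never answered through it.
    On the inside interface that means the request was delivered into the LAN and the
    host's return path does not lead back to the ASA (wrong default gateway or no route
    for the VPN pool), which is the diagnosis reached in the thread."""
    return sorted(dst for (_, dst), s in summarize(text).items() if s["requests"] and not s["replies"])

if __name__ == "__main__":
    for (client, target), s in sorted(summarize(SAMPLE).items()):
        state = "ok" if s["replies"] else "ONE-WAY"
        print(f"{client} -> {target}: {s['requests']} req / {s['replies']} rep  {state}")
```

Run it against the saved text of `show capture capin`; every target it reports as one-way is a host whose default gateway or route for the VPN pool needs checking, which is exactly where the thread ends up.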

Hi Portu,

Thanks for replying. I tried a few things over the weekend; here is my scenario:

1) I have a Cisco 1941 router connected to the Internet with the IP x.x.x.66, and my LAN users access the Internet through this IP

2) I have set up the IP x.x.x.67 on the ASA outside interface (which is coming from the same WAN switch as x.x.x.66)

3) LAN users are on 192.168.2.0/24

4) VPN users are on 192.168.20.0/24

Now the VPN connects fine, users are able to use my Internet and access LAN resources, but the problem is inside the LAN. My LAN users get an IP address of x.x.x.67 instead of x.x.x.66 (which is configured on my router) dynamically. It creates problems and the Internet disconnects for these users; not all users face this problem, and this is happening intermittently. There is some routing issue that I'm unable to track. I'm pasting my 'show run' and 'show route' command output here:

Show route:

Result of the command: "show route"

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is x.x.x.65 to network 0.0.0.0

C    x.x.x.64 255.255.255.240 is directly connected, outside

S    192.168.20.1 255.255.255.255 [1/0] via 110.93.211.67, outside

C    192.168.2.0 255.255.255.0 is directly connected, inside

S*   0.0.0.0 0.0.0.0 [1/0] via 110.93.211.65, outside

Result of the command: "show run"

: Saved

:

ASA Version 8.0(4)

!

hostname ciscoasa

domain-name GVS.Khi

enable password PYCOFbMCV52U4BMk encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address x.x.x.67 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 192.168.2.251 255.255.255.0

!

interface Ethernet0/2

nameif Proxy

security-level 0

ip address 10.10.10.1 255.255.255.0

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.5.1 255.255.255.0

management-only

!

ftp mode passive

dns domain-lookup outside

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.2.32

name-server 221.132.112.8

domain-name GVS.Khi

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list NONAT extended permit ip any 192.168.20.0 255.255.255.192

access-list NONAT remark ***VPN****

access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192

access-list GVSKhiNW standard permit 192.168.20.0 255.255.255.0

access-list outside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive

access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0 inactive

access-list outside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu Proxy 1500

mtu management 1500

ip local pool VPNPOOL 192.168.20.1-192.168.20.50

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-635.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (outside) 1 192.168.20.0 255.255.255.0

nat (inside) 0 access-list NONAT

nat (inside) 1 0.0.0.0 0.0.0.0

static (outside,inside) 192.168.2.0 192.168.20.0 netmask 255.255.255.0

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 110.93.211.65 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

http server enable

http 192.168.2.0 255.255.255.0 inside

http 192.168.5.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set pfs group1

crypto dynamic-map DYN_MAP 10 set transform-set RA-TS

crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800

crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000

crypto dynamic-map DYN_MAP 10 set reverse-route

crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP

crypto map VPN_MAP interface outside

crypto isakmp enable outside

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 3600

telnet timeout 5

ssh 10.10.10.0 255.255.255.0 Proxy

ssh timeout 5

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.5.2-192.168.5.254 management

dhcpd enable management

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn

group-policy mike internal

group-policy mike attributes

dns-server value 192.168.2.32 221.132.112.8

vpn-tunnel-protocol IPSec

group-policy newgrp internal

group-policy newgrp attributes

dns-server value 192.168.2.32 221.132.112.8

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value GVSKhiNW

default-domain value GVS.Khi

group-policy company-vpn-policy internal

group-policy company-vpn-policy attributes

dns-server value 192.168.2.32

vpn-tunnel-protocol IPSec l2tp-ipsec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value GVSKhiNW

username mike password toD4sjjR/2JqetDT encrypted privilege 0

username mike attributes

vpn-group-policy mike

username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15

username ajmal attributes

vpn-group-policy company-vpn-policy

username mali password xPY4CsMWghZDv83P encrypted privilege 0

username mali attributes

vpn-group-policy mike

username alijp password 9Q013RdPhfwzmUho encrypted privilege 0

username alijp attributes

vpn-group-policy mike

tunnel-group vpnclient type remote-access

tunnel-group vpnclient general-attributes

address-pool VPNPOOL

default-group-policy company-vpn-policy

tunnel-group vpnclient ipsec-attributes

pre-shared-key *

tunnel-group newgrp type remote-access

tunnel-group newgrp general-attributes

address-pool VPNPOOL

default-group-policy newgrp

tunnel-group newgrp ipsec-attributes

pre-shared-key *

tunnel-group mike type remote-access

tunnel-group mike general-attributes

address-pool VPNPOOL

default-group-policy mike

tunnel-group mike ipsec-attributes

pre-shared-key *

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:b852a4d95ee424dc367d2131ec7ddcda

: end

There must be a NAT issue as well... I'm not yet able to track it. I will be thankful for any helpful suggestions.

Thanks

Hello Ali,

Could you post the configuration of the 1941 router as well?

regards

Harish

Hi Harish,

Here you go:

I-NET-RTR#show running-config

Building configuration...

Current configuration : 7931 bytes

!

! Last configuration change at 07:54:37 UTC Mon Oct 1 2012

! NVRAM config last updated at 07:54:39 UTC Mon Oct 1 2012

!

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname I-NET-RTR

!

boot-start-marker

boot system flash:c1900-universalk9-mz.SPA.151-3.T3.bin

boot-end-marker

!

!

logging buffered 51200 warnings

enable password cisco

!

no aaa new-model

!

!

no ipv6 cef

ip source-route

no ip cef

!

!

!

ip dhcp binding cleanup interval 10

ip dhcp excluded-address 192.168.2.1 192.168.2.99

!

ip dhcp pool LAN-POOL-192.168.2.x

   network 192.168.2.0 255.255.255.0

   default-router 192.168.2.1

   dns-server x.x.x.8

!

ip dhcp pool Hassan

   host 192.168.130.130 255.255.255.0

   client-identifier 0021.70f2.4283

   default-router 192.168.130.1

!

!

no ip domain lookup

ip domain name yourdomain.com

ip name-server x.x.x.8

ip name-server x.x.x.216

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-4115022026

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4115022026

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-4115022026

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 34313135 30323230 3236301E 170D3132 30393239 30393030

  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313530

  32323032 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B952 BFF21CA1 652B78A4 085080A9 F32B573E 7C4FDFFF C09D6E06 2B172FB1

  96C8F379 9F0FDD56 74E86530 03306F40 CCF6D660 6BEE2989 E947513E 135AA0CC

  3753DD4B D00FF446 FCF74E57 D4C25FD5 FBE289E9 34B135D7 F2D0C334 08EEEE62

  DEB852CB 8964963F 7D891469 5CBF6EB4 401A8471 39A40F58 1CE56339 52B98390

  AA010203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 146DC4B5 40E216FA 7CD4530F 04E862FC 33BB646F DD301D06

  03551D0E 04160414 6DC4B540 E216FA7C D4530F04 E862FC33 BB646FDD 300D0609

  2A864886 F70D0101 04050003 818100A7 709C3E0C EE2C5CE5 049D251B 846631BA

  ECF529F4 6D1A0864 6467CA38 989D70E5 411F8B93 B6CBFFF3 82BC7AD2 445D896E

  C75C86BA B0FEB57C B9FBC9E3 9CC071EA 3E3E0617 2324755B 2C25C3D5 906681C2

  59D44CFA 9234C486 BD0D8FB0 799FF550 334942D2 C1CE1B0E 23E91A9F A154C957

  0B831690 950604EC C98372E6 BCCA93

        quit

license udi pid CISCO1941/K9 sn FGL153920HR

!

!

username admin privilege 15 secret 5 $1$XxeE$Vf2jPofcCJdvdxzKKoDY0/

username hassan secret 5 $1$QrC5$hH1EufXaqP71T1hGYv/Oz0

!

redundancy

!

!        

!

!

!

track 2 ip sla 1 reachability

delay down 5 up 5

!

track 20 ip sla 20 reachability

delay down 2 up 2

!

!

!

!

!

!

!

interface GigabitEthernet0/0

description *** Installed on 28/6/2012 ****

ip address x.x.x.66 255.255.255.240

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface GigabitEthernet0/1

description *** LAN Interface ****

ip address 10.10.10.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1300

ip policy route-map FORHTTP

duplex auto

speed auto

!

interface FastEthernet0/0/0

description *** Connected to TCLDSL ***

ip address 10.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/0/1

description **** Proxy Server *****

no ip address

ip nat outside

ip virtual-reassembly in

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source route-map MULTINET interface GigabitEthernet0/0 overload

ip nat inside source route-map TCL interface FastEthernet0/0/0 overload

ip nat inside source static tcp 192.168.2.26 22 x.x.x.66 22 extendable

ip nat inside source static tcp 192.168.2.26 80 x.x.x.66 80 extendable

ip nat inside source static udp 192.168.2.12 1194 x.x.x.66 1194 extendable

ip nat inside source static tcp 192.168.2.12 2200 x.x.x.66 2200 extendable

ip nat inside source static tcp 192.168.2.53 2223 x.x.x.66 2223 extendable

ip nat inside source static tcp 192.168.2.54 2224 x.x.x.66 2224 extendable

ip nat inside source static tcp 192.168.2.52 2225 x.x.x.66 2225 extendable

ip nat inside source static tcp 192.168.2.26 3000 x.x.x.66 3000 extendable

ip nat inside source static tcp 192.168.2.52 3306 x.x.x.66 3306 extendable

ip nat inside source static tcp 192.168.2.26 8080 x.x.x.66 8080 extendable

ip nat inside source static tcp 192.168.2.30 8081 x.x.x.66 8081 extendable

ip nat inside source static tcp 192.168.2.37 8082 x.x.x.66 8082 extendable

ip nat inside source static tcp 192.168.2.37 8085 x.x.x.66 8085 extendable

ip nat inside source static tcp 192.168.2.37 8088 x.x.x.66 8088 extendable

ip nat inside source static tcp 192.168.2.28 8090 x.x.x.66 8090 extendable

ip nat inside source static tcp 192.168.2.53 8091 x.x.x.66 8091 extendable

ip nat inside source static tcp 192.168.2.53 8092 x.x.x.66 8092 extendable

ip nat inside source static tcp 192.168.2.28 8093 x.x.x.66 8093 extendable

ip nat inside source static tcp 192.168.2.28 8094 x.x.x.66 8094 extendable

ip nat inside source static tcp 192.168.2.52 8095 x.x.x.66 8095 extendable

ip nat inside source static tcp 192.168.2.52 8096 x.x.x.66 8096 extendable

ip route 0.0.0.0 0.0.0.0 10.1.1.2 100 track 2

ip route 0.0.0.0 0.0.0.0 x.x.x.65 track 20

ip route 192.168.2.0 255.255.255.0 10.10.10.3

ip route x.x.x.1 255.255.255.255 10.1.1.2 permanent

!

ip access-list extended FORHTTP

deny   ip host 192.168.2.26 any

deny   ip host 192.168.2.32 any

deny   ip host 192.168.2.31 any

deny   ip host 192.168.2.28 any

deny   ip host 192.168.2.33 any

permit udp 192.168.2.0 0.0.0.255 any eq domain

permit tcp 192.168.2.0 0.0.0.255 any eq pop3

permit tcp 192.168.2.0 0.0.0.255 any eq 22

permit tcp 192.168.2.0 0.0.0.255 any eq smtp

permit tcp 192.168.2.0 0.0.0.255 any eq 143

permit tcp 192.168.2.0 0.0.0.255 any eq telnet

permit udp 192.168.2.0 0.0.0.255 any eq 33434

permit tcp 10.10.10.0 0.0.0.255 any eq pop3

permit tcp 10.10.10.0 0.0.0.255 any eq smtp

ip access-list extended FTP

permit tcp 10.10.10.0 0.0.0.255 any eq 22

permit tcp 10.10.10.0 0.0.0.255 any eq ftp

permit tcp 10.10.10.0 0.0.0.255 any eq ftp-data

permit tcp 10.10.10.0 0.0.0.255 any gt 1024

deny   ip any any

ip access-list extended NAT-INTERNET

permit ip 10.10.10.0 0.0.0.255 any

!

ip sla 1

icmp-echo x.x.x.1 source-interface FastEthernet0/0/0

frequency 5

ip sla schedule 1 life forever start-time now

ip sla 20

icmp-echo x.x.x.65 source-interface GigabitEthernet0/0

frequency 5

ip sla schedule 20 life forever start-time now

logging esm config

logging trap warnings

!

!

!

!

route-map TCL permit 10

match ip address NAT-INTERNET

match interface FastEthernet0/0/0

!

route-map MULTINET permit 10

match ip address NAT-INTERNET

match interface GigabitEthernet0/0

!

route-map TCL-server permit 10

match interface FastEthernet0/0/0

!

route-map FORHTTP permit 10

match ip address FORHTTP

set ip next-hop verify-availability 10.1.1.2 10 track 2

!

route-map FORHTTP permit 15

match ip address FTP

!

route-map multinetservers permit 10

match interface GigabitEthernet0/0

!

route-map multiserver permit 10

!

!

snmp-server community XXX

!

control-plane

!

!

!

line con 0

logging synchronous

login local

line aux 0

line vty 0 4

privilege level 15

password XXX

logging synchronous

login

transport input telnet ssh

line vty 5 15

privilege level 15

password XXX

logging synchronous

login

transport input telnet ssh

!

scheduler allocate 20000 1000

end

I-NET-RTR#

Thanks.
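An added example, not from any participant in the thread: a Python checker that reads excerpts of the ASA and router configs posted above (constructed, trimmed to the lines it needs) and tests the relationships the thread keeps circling around. It verifies that every address in the `ip local pool` falls inside the destination side of the `nat (inside) 0` ACL (the /26 mask in NONAT covers 192.168.20.0-63, so the current 50-address pool passes, but growing the pool past .63 would leave those addresses without the exemption), that the split-tunnel list names the inside network rather than the pool itself, that the ACL applied inbound on outside is not `permit ip any any`, and that no interface address is configured on both devices. On the posted excerpts it flags GVSKhiNW (192.168.20.0/24 is the pool, not the LAN), the wide-open outside_access_in, and 10.10.10.1 appearing on both the ASA Proxy interface and the router's GigabitEthernet0/1. Function and message names are my own.

```python
# Added example (not from the thread): cross-check the remote-access VPN pieces of an ASA 8.x
# config against each other and against the LAN router. Excerpts constructed from the posted configs.
import ipaddress
import re
ASA_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 192.168.2.251 255.255.255.0
interface Ethernet0/2
 nameif Proxy
 ip address 10.10.10.1 255.255.255.0
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
access-list GVSKhiNW standard permit 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive
access-list outside_access_in extended permit ip any any
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
nat (inside) 0 access-list NONAT
access-group outside_access_in in interface outside
group-policy company-vpn-policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value GVSKhiNW
"""
ROUTER_CONFIG = """\
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
"""

def _take_net(toks):
    """Consume one ACL address spec (any | host X | NET MASK); return (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.IPv4Network(toks[1] + "/32"), toks[2:]
    return ipaddress.IPv4Network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def parse_acl(cfg, name):
    """Active 'permit' entries of one ACL as (src, dst); dst is None for a standard ACL."""
    entries = []
    for line in cfg.splitlines():
        p = line.split()
        if len(p) < 6 or p[:2] != ["access-list", name] or p[3] != "permit" or p[-1] == "inactive":
            continue  # remarks, deny lines, other ACLs and inactive entries do not count
        if p[2] == "standard":
            entries.append((_take_net(p[4:])[0], None))
        elif p[2] == "extended" and p[4] == "ip":  # tcp/udp entries carry ports; not needed here
            src, rest = _take_net(p[5:])
            entries.append((src, _take_net(rest)[0]))
    return entries

def parse_pools(cfg):
    """ip local pool NAME LOW-HIGH -> {NAME: [every address LOW..HIGH]}"""
    return {m[1]: [ipaddress.IPv4Address(i) for i in range(int(ipaddress.IPv4Address(m[2])), int(ipaddress.IPv4Address(m[3])) + 1)]
            for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M)}

def parse_interfaces(cfg):
    """Interface label (nameif when present, else the interface name) -> IPv4Interface."""
    out, label = {}, None
    for line in cfg.splitlines():
        p = line.split()
        if p[:1] in (["interface"], ["nameif"]):
            label = p[1]
        elif p[:2] == ["ip", "address"] and len(p) >= 4 and label:
            out[label] = ipaddress.IPv4Interface(f"{p[2]}/{p[3]}")
    return out

def check_pool_exempt(cfg):
    """Pool addresses outside the nat 0 ACL get PAT'd like any inside host; the tunnel breaks for them."""
    m = re.search(r"^nat \(inside\) 0 access-list (\S+)", cfg, re.M)
    dsts = [d for _, d in parse_acl(cfg, m.group(1)) if d is not None] if m else []
    missing = {n: [a for a in addrs if not any(a in d for d in dsts)] for n, addrs in parse_pools(cfg).items()}
    return [f"pool {n}: {len(miss)} addresses not NAT-exempt, first {miss[0]}" for n, miss in missing.items() if miss]

def check_split_tunnel(cfg):
    """A split-tunnel list must carry the inside network; listing the pool itself tunnels nothing useful."""
    findings, inside = [], parse_interfaces(cfg).get("inside")
    pool = [a for addrs in parse_pools(cfg).values() for a in addrs]
    for m in re.finditer(r"^\s*split-tunnel-network-list value (\S+)", cfg, re.M):
        nets = [src for src, _ in parse_acl(cfg, m.group(1))]
        if any(a in n for n in nets for a in pool):
            findings.append(f"{m.group(1)}: split-tunnel list contains the VPN pool itself")
        if inside and not any(inside.network.subnet_of(n) for n in nets):
            findings.append(f"{m.group(1)}: inside network {inside.network} missing from split-tunnel list")
    return findings

def check_outside_acl(cfg):
    """'permit ip any any' inbound on outside removes the filtering the ACL exists for."""
    m = re.search(r"^access-group (\S+) in interface outside", cfg, re.M)
    wide = m and any(s.prefixlen == 0 and d is not None and d.prefixlen == 0 for s, d in parse_acl(cfg, m.group(1)))
    return [f"{m.group(1)}: 'permit ip any any' applied inbound on outside"] if wide else []

def check_duplicate_addresses(*devices):
    """The same interface address on two boxes (here the ASA and the LAN router) is an IP conflict."""
    seen, findings = {}, []
    for dev, cfg in devices:
        for ifc, intf in parse_interfaces(cfg).items():
            if intf.ip in seen:
                findings.append(f"{intf.ip} on {dev}/{ifc} duplicates {seen[intf.ip]}")
            seen.setdefault(intf.ip, f"{dev}/{ifc}")
    return findings
```

Feed it the full `show run` of each box rather than the excerpts and read the findings as questions to answer, not verdicts: the pool check is the one to re-run whenever the pool or the NONAT mask changes, and the duplicate-address check is worth running across every device that shares a segment, since a second owner of a gateway address is exactly the kind of fault that shows up as intermittent connectivity for some LAN hosts.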
