10-20-2013 02:45 PM
Hi all,
I have a question about setting up an Easy VPN server on my 3725 router running IOS c3725-adventerprisek9-mz.124-25.bin
Currently I have this router set up as my home router/lab router for learning purposes. Connection wise, I have my home subnet, 10.0.0.0/24, NAT overloaded to my static public IP xx.xx.xx.xx, and all routing is done by one static route to my ISP.
After I use CCP's Easy VPN wizard to deliver the commands to my router, no computers on my LAN can access the Internet any longer.
My question is, is this by design? Is there a way I can configure my router to route my LAN traffic to the Internet and act as an Easy VPN server?
I've included my configs before and after the Easy VPN change, as well as a list of the commands CCP wants to deliver to the router.
My existing configuration before I make the VPN change:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging userinfo
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.2 10.0.0.23
ip dhcp excluded-address 10.0.0.100
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.42
ip dhcp excluded-address 10.0.0.56
ip dhcp excluded-address 10.0.0.50
ip dhcp excluded-address 10.0.0.254
ip dhcp excluded-address 10.0.0.86
ip dhcp excluded-address 10.0.0.253
!
ip dhcp pool LAN_Pool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server xx.xx.xx.xx xx.xx.xx.xx
lease infinite
!
!
ip domain name xxxxxxxx.com
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://attack-drop.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2670148948
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2670148948
revocation-check none
rsakeypair TP-self-signed-2670148948
!
!
crypto pki certificate chain TP-self-signed-2670148948
certificate self-signed 01
<Certificate omitted>
<user info omitted>
!
!
ip ssh maxstartups 2
ip ssh logging events
ip ssh version 2
!
!
!
!
!
interface Loopback1
description $FW_INSIDE$
ip address 1.1.1.1 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/0
description EXTERNAL CONNECTION TO ISP$ETH-WAN$$FW_OUTSIDE$
bandwidth 100000
ip address xx.xx.xx.xx xx.xx.xx.xx
ip broadcast-address xx.xx.xx.xx
ip verify unicast reverse-path
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description INTERNAL CONNECTION TO LAN$ETH-LAN$$FW_INSIDE$
bandwidth 100000
ip address 10.0.0.1 255.255.255.0
ip broadcast-address 10.0.0.255
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 125000
!
interface Serial0/2
no ip address
shutdown
clock rate 125000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
ip flow-export version 5
ip flow-export destination 10.0.0.25 9996
ip flow-top-talkers
top 50
sort-by packets
cache-timeout 30000
!
no ip http server
ip http authentication local
no ip http secure-server
ip http max-connections 2
ip http timeout-policy idle 300 life 300 requests 30
ip nat pool R1_Pool xx.xx.xx.xx xx.xx.xx.xx netmask xx.xx.xx.xx
ip nat inside source list 1 pool R1_Pool overload
ip nat inside source static tcp 10.0.0.3 21 xx.xx.xx.xx 21 extendable
ip nat inside source static tcp 10.0.0.7 22 xx.xx.xx.xx 22 extendable
ip nat inside source static tcp 10.0.0.11 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 10.0.0.3 80 xx.xx.xx.xx 80 extendable
ip nat inside source static tcp 10.0.0.56 88 xx.xx.xx.xx 88 extendable
ip nat inside source static udp 10.0.0.56 88 xx.xx.xx.xx 88 extendable
ip nat inside source static tcp 10.0.0.11 110 xx.xx.xx.xx 110 extendable
ip nat inside source static tcp 10.0.0.11 143 xx.xx.xx.xx 143 extendable
ip nat inside source static tcp 10.0.0.3 443 xx.xx.xx.xx 443 extendable
ip nat inside source static tcp 10.0.0.20 1024 xx.xx.xx.xx 1024 extendable
ip nat inside source static tcp 10.0.0.21 1100 xx.xx.xx.xx 1100 extendable
ip nat inside source static tcp 10.0.0.23 1105 xx.xx.xx.xx 1105 extendable
ip nat inside source static tcp 10.0.0.22 1110 xx.xx.xx.xx 1110 extendable
ip nat inside source static tcp 10.0.0.26 1115 xx.xx.xx.xx 1115 extendable
ip nat inside source static tcp 10.0.0.8 1723 xx.xx.xx.xx 1723 extendable
ip nat inside source static udp 10.0.0.86 1900 xx.xx.xx.xx 1900 extendable
ip nat inside source static tcp 10.0.0.1 22 xx.xx.xx.xx 2222 extendable
ip nat inside source static tcp 10.0.0.86 2869 xx.xx.xx.xx 2869 extendable
ip nat inside source static tcp 10.0.0.56 3074 xx.xx.xx.xx 3074 extendable
ip nat inside source static udp 10.0.0.56 3074 xx.xx.xx.xx 3074 extendable
ip nat inside source static tcp 10.0.0.10 5090 xx.xx.xx.xx 5090 extendable
ip nat inside source static tcp 10.0.0.3 8080 xx.xx.xx.xx 8080 extendable
!
logging history debugging
logging trap debugging
logging facility syslog
logging host xx.xx.xx.xx transport udp port 61325
access-list 1 permit 10.0.0.0 0.0.0.255
!
menu R1 title ^CMenu
Cisco 3725 ^C
menu R1 prompt ^C Please Make A Selection ^C
menu R1 text 1 Restart Router
menu R1 command 1 reload
menu R1 text 2 Ping Google [Layer 3/4]
menu R1 command 2 ping google.com
menu R1 text 3 Ping ISP [Layer 3]
menu R1 command 3 ping xx.xx.xx.xx
menu R1 text 4 Active NAT Translations [Layer 3]
menu R1 command 4 sh ip nat trans
menu R1 text 5 Clear Current NAT Translations [Layer 3]
menu R1 command 5 clear ip nat trans *
menu R1 text 6 Fan Status [Layer 1]
menu R1 command 6 sh env
menu R1 text 7 Show Interface Status [Layer 1/2]
menu R1 command 7 sh ip int bri
menu R1 text 8 Neighbors [Layer 2]
menu R1 command 8 sh cdp ne
menu R1 text 9 Show NetFlow Stats [Layer 3]
menu R1 command 9 sh ip cache flow
menu R1 text 10 Show Top Talkers [Layer 3]
menu R1 command 10 sh ip flow top-talkers
menu R1 text 11 Exit
menu R1 command 11 menu-exit
menu R1 status-line
menu R1 line-mode
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 reload
privilege exec level 2 show version
privilege exec level 2 show
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
transport output ssh
line vty 5 903
privilege level 15
transport input ssh
transport output ssh
!
ntp logging
ntp clock-period 17180565
ntp server xx.xx.xx.xx
!
end
Here's what CCP wants to deliver to my router after the wizard configuration:
IKE Policies:
Hash    DH Group   Authentication   Encryption
-----------------------------------------------
SHA_1   group2     PRE_SHARE        3DES
Transform Set:
Name: ESP-3DES-SHA
ESP Encryption: ESP_3DES
ESP Integrity: ESP_SHA_HMAC
Mode: TUNNEL
Group Policy Lookup Method List : Local
User Authentication Method List : Local
Idle Timer : 00:15:00 (HH:MM:SS)
Number of Group Policies : 1
--------------------------------------------------------------------------
Group Policy Name : RemoteUsers
--------------------------------------------------------------------------
Key : *******
Pool : SDM_POOL_1
DNS Servers : <NONE>
Domain Name : <NONE>
WINS Servers : <NONE>
Split ACL : <NONE>
Split DNS : <NONE>
Group Lock : Disabled
Save password : Enabled
Firewall Are-U-There : Disabled
Include-local-lan : Disabled
Subnet Mask : 255.255.255.0
Backup Servers : <NONE>
Maximum connections : 5
PFS : Disabled
Maximum logins per user : 1
Auto Update : Not Configured
--------------------------------------------------------------------------
My Config after the Easy VPN change:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging userinfo
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.2 10.0.0.23
ip dhcp excluded-address 10.0.0.100
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.42
ip dhcp excluded-address 10.0.0.56
ip dhcp excluded-address 10.0.0.50
ip dhcp excluded-address 10.0.0.254
ip dhcp excluded-address 10.0.0.86
ip dhcp excluded-address 10.0.0.253
!
ip dhcp pool LAN_Pool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 67.210.150.21 208.95.18.150
lease infinite
!
!
ip domain name morphius.com
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://attack-drop.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2670148948
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2670148948
revocation-check none
rsakeypair TP-self-signed-2670148948
!
!
<Certificate omitted>
<user info omitted>
!
!
ip ssh maxstartups 2
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteUsers
key xxxxxxxx
pool SDM_POOL_1
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Loopback1
description $FW_INSIDE$
ip address 1.1.1.1 255.255.255.0
ip virtual-reassembly
!
interface FastEthernet0/0
description EXTERNAL CONNECTION TO ISP$ETH-WAN$$FW_OUTSIDE$
bandwidth 100000
ip address xx.xx.xx.xx xx.xx.xx.xx
ip broadcast-address xx.xx.xx.xx
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description INTERNAL CONNECTION TO LAN$ETH-LAN$$FW_INSIDE$
bandwidth 100000
ip address 10.0.0.1 255.255.255.0
ip broadcast-address 10.0.0.255
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 125000
!
interface Serial0/2
no ip address
shutdown
clock rate 125000
!
ip local pool SDM_POOL_1 10.0.0.70 10.0.0.80
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
!
ip flow-export version 5
ip flow-export destination 10.0.0.25 9996
ip flow-top-talkers
top 50
sort-by packets
cache-timeout 30000
!
ip http server
ip http authentication local
ip http secure-server
ip http max-connections 2
ip http timeout-policy idle 300 life 300 requests 30
ip nat pool R1_Pool xx.xx.xx.xx xx.xx.xx.xx netmask xx.xx.xx.xx
ip nat inside source route-map SDM_RMAP_1 pool R1_Pool
ip nat inside source static tcp 10.0.0.3 21 xx.xx.xx.xx 21 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp 10.0.0.7 22 xx.xx.xx.xx 22 route-map SDM_RMAP_6 extendable
ip nat inside source static tcp 10.0.0.11 25 xx.xx.xx.xx 25 route-map SDM_RMAP_16 extendable
ip nat inside source static tcp 10.0.0.3 80 xx.xx.xx.xx 80 route-map SDM_RMAP_10 extendable
ip nat inside source static tcp 10.0.0.56 88 xx.xx.xx.xx 88 route-map SDM_RMAP_19 extendable
ip nat inside source static udp 10.0.0.56 88 xx.xx.xx.xx 88 route-map SDM_RMAP_13 extendable
ip nat inside source static tcp 10.0.0.11 110 xx.xx.xx.xx 110 route-map SDM_RMAP_18 extendable
ip nat inside source static tcp 10.0.0.11 143 xx.xx.xx.xx 143 route-map SDM_RMAP_17 extendable
ip nat inside source static tcp 10.0.0.3 443 xx.xx.xx.xx 443 route-map SDM_RMAP_14 extendable
ip nat inside source static tcp 10.0.0.20 1024 xx.xx.xx.xx 1024 route-map SDM_RMAP_12 extendable
ip nat inside source static tcp 10.0.0.21 1100 xx.xx.xx.xx 1100 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 10.0.0.23 1105 xx.xx.xx.xx 1105 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 10.0.0.22 1110 xx.xx.xx.xx 1110 route-map SDM_RMAP_20 extendable
ip nat inside source static tcp 10.0.0.26 1115 xx.xx.xx.xx 1115 route-map SDM_RMAP_22 extendable
ip nat inside source static tcp 10.0.0.8 1723 xx.xx.xx.xx 1723 route-map SDM_RMAP_8 extendable
ip nat inside source static udp 10.0.0.86 1900 xx.xx.xx.xx 1900 route-map SDM_RMAP_21 extendable
ip nat inside source static tcp 10.0.0.1 22 xx.xx.xx.xx 2222 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 10.0.0.86 2869 xx.xx.xx.xx 2869 route-map SDM_RMAP_11 extendable
ip nat inside source static tcp 10.0.0.56 3074 xx.xx.xx.xx 3074 route-map SDM_RMAP_15 extendable
ip nat inside source static udp 10.0.0.56 3074 xx.xx.xx.xx 3074 route-map SDM_RMAP_23 extendable
ip nat inside source static tcp 10.0.0.10 5090 xx.xx.xx.xx 5090 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 10.0.0.3 8080 xx.xx.xx.xx 8080 route-map SDM_RMAP_9 extendable
!
logging history debugging
logging trap debugging
logging facility syslog
logging host xx.xx.xx.xx transport udp port 61325
access-list 1 remark CCP_ACL Category=16
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 deny ip any host 10.0.0.70
access-list 100 deny ip any host 10.0.0.71
access-list 100 deny ip any host 10.0.0.72
access-list 100 deny ip any host 10.0.0.73
access-list 100 deny ip any host 10.0.0.74
access-list 100 deny ip any host 10.0.0.75
access-list 100 deny ip any host 10.0.0.76
access-list 100 deny ip any host 10.0.0.77
access-list 100 deny ip any host 10.0.0.78
access-list 100 deny ip any host 10.0.0.79
access-list 100 deny ip any host 10.0.0.80
access-list 100 deny tcp host 10.0.0.3 eq ftp any
access-list 100 deny tcp host 10.0.0.7 eq 22 any
access-list 100 deny tcp host 10.0.0.11 eq smtp any
access-list 100 deny tcp host 10.0.0.3 eq www any
access-list 100 deny tcp host 10.0.0.56 eq 88 any
access-list 100 deny udp host 10.0.0.56 eq 88 any
access-list 100 deny tcp host 10.0.0.11 eq pop3 any
access-list 100 deny tcp host 10.0.0.11 eq 143 any
access-list 100 deny tcp host 10.0.0.3 eq 443 any
access-list 100 deny tcp host 10.0.0.20 eq 1024 any
access-list 100 deny tcp host 10.0.0.21 eq 1100 any
access-list 100 deny tcp host 10.0.0.23 eq 1105 any
access-list 100 deny tcp host 10.0.0.22 eq 1110 any
access-list 100 deny tcp host 10.0.0.26 eq 1115 any
access-list 100 deny tcp host 10.0.0.8 eq 1723 any
access-list 100 deny udp host 10.0.0.86 eq 1900 any
access-list 100 deny tcp host 10.0.0.1 eq 22 any
access-list 100 deny tcp host 10.0.0.86 eq 2869 any
access-list 100 deny tcp host 10.0.0.56 eq 3074 any
access-list 100 deny udp host 10.0.0.56 eq 3074 any
access-list 100 deny tcp host 10.0.0.10 eq 5090 any
access-list 100 deny tcp host 10.0.0.3 eq 8080 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=2
access-list 101 deny ip host 10.0.0.21 host 10.0.0.80
access-list 101 deny ip host 10.0.0.21 host 10.0.0.79
access-list 101 deny ip host 10.0.0.21 host 10.0.0.78
access-list 101 deny ip host 10.0.0.21 host 10.0.0.77
access-list 101 deny ip host 10.0.0.21 host 10.0.0.76
access-list 101 deny ip host 10.0.0.21 host 10.0.0.75
access-list 101 deny ip host 10.0.0.21 host 10.0.0.74
access-list 101 deny ip host 10.0.0.21 host 10.0.0.73
access-list 101 deny ip host 10.0.0.21 host 10.0.0.72
access-list 101 deny ip host 10.0.0.21 host 10.0.0.71
access-list 101 deny ip host 10.0.0.21 host 10.0.0.70
access-list 101 permit tcp host 10.0.0.21 eq 1100 any
access-list 102 remark CCP_ACL Category=2
access-list 102 deny ip host 10.0.0.1 host 10.0.0.80
access-list 102 deny ip host 10.0.0.1 host 10.0.0.79
access-list 102 deny ip host 10.0.0.1 host 10.0.0.78
access-list 102 deny ip host 10.0.0.1 host 10.0.0.77
access-list 102 deny ip host 10.0.0.1 host 10.0.0.76
access-list 102 deny ip host 10.0.0.1 host 10.0.0.75
access-list 102 deny ip host 10.0.0.1 host 10.0.0.74
access-list 102 deny ip host 10.0.0.1 host 10.0.0.73
access-list 102 deny ip host 10.0.0.1 host 10.0.0.72
access-list 102 deny ip host 10.0.0.1 host 10.0.0.71
access-list 102 deny ip host 10.0.0.1 host 10.0.0.70
access-list 102 permit tcp host 10.0.0.1 eq 22 any
access-list 103 remark CCP_ACL Category=2
access-list 103 deny ip host 10.0.0.10 host 10.0.0.80
access-list 103 deny ip host 10.0.0.10 host 10.0.0.79
access-list 103 deny ip host 10.0.0.10 host 10.0.0.78
access-list 103 deny ip host 10.0.0.10 host 10.0.0.77
access-list 103 deny ip host 10.0.0.10 host 10.0.0.76
access-list 103 deny ip host 10.0.0.10 host 10.0.0.75
access-list 103 deny ip host 10.0.0.10 host 10.0.0.74
access-list 103 deny ip host 10.0.0.10 host 10.0.0.73
access-list 103 deny ip host 10.0.0.10 host 10.0.0.72
access-list 103 deny ip host 10.0.0.10 host 10.0.0.71
access-list 103 deny ip host 10.0.0.10 host 10.0.0.70
access-list 103 permit tcp host 10.0.0.10 eq 5090 any
access-list 104 remark CCP_ACL Category=2
access-list 104 deny ip host 10.0.0.23 host 10.0.0.80
access-list 104 deny ip host 10.0.0.23 host 10.0.0.79
access-list 104 deny ip host 10.0.0.23 host 10.0.0.78
access-list 104 deny ip host 10.0.0.23 host 10.0.0.77
access-list 104 deny ip host 10.0.0.23 host 10.0.0.76
access-list 104 deny ip host 10.0.0.23 host 10.0.0.75
access-list 104 deny ip host 10.0.0.23 host 10.0.0.74
access-list 104 deny ip host 10.0.0.23 host 10.0.0.73
access-list 104 deny ip host 10.0.0.23 host 10.0.0.72
access-list 104 deny ip host 10.0.0.23 host 10.0.0.71
access-list 104 deny ip host 10.0.0.23 host 10.0.0.70
access-list 104 permit tcp host 10.0.0.23 eq 1105 any
access-list 105 remark CCP_ACL Category=2
access-list 105 deny ip host 10.0.0.7 host 10.0.0.80
access-list 105 deny ip host 10.0.0.7 host 10.0.0.79
access-list 105 deny ip host 10.0.0.7 host 10.0.0.78
access-list 105 deny ip host 10.0.0.7 host 10.0.0.77
access-list 105 deny ip host 10.0.0.7 host 10.0.0.76
access-list 105 deny ip host 10.0.0.7 host 10.0.0.75
access-list 105 deny ip host 10.0.0.7 host 10.0.0.74
access-list 105 deny ip host 10.0.0.7 host 10.0.0.73
access-list 105 deny ip host 10.0.0.7 host 10.0.0.72
access-list 105 deny ip host 10.0.0.7 host 10.0.0.71
access-list 105 deny ip host 10.0.0.7 host 10.0.0.70
access-list 105 permit tcp host 10.0.0.7 eq 22 any
access-list 106 remark CCP_ACL Category=2
access-list 106 deny ip host 10.0.0.3 host 10.0.0.80
access-list 106 deny ip host 10.0.0.3 host 10.0.0.79
access-list 106 deny ip host 10.0.0.3 host 10.0.0.78
access-list 106 deny ip host 10.0.0.3 host 10.0.0.77
access-list 106 deny ip host 10.0.0.3 host 10.0.0.76
access-list 106 deny ip host 10.0.0.3 host 10.0.0.75
access-list 106 deny ip host 10.0.0.3 host 10.0.0.74
access-list 106 deny ip host 10.0.0.3 host 10.0.0.73
access-list 106 deny ip host 10.0.0.3 host 10.0.0.72
access-list 106 deny ip host 10.0.0.3 host 10.0.0.71
access-list 106 deny ip host 10.0.0.3 host 10.0.0.70
access-list 106 permit tcp host 10.0.0.3 eq ftp any
access-list 107 remark CCP_ACL Category=2
access-list 107 deny ip host 10.0.0.8 host 10.0.0.80
access-list 107 deny ip host 10.0.0.8 host 10.0.0.79
access-list 107 deny ip host 10.0.0.8 host 10.0.0.78
access-list 107 deny ip host 10.0.0.8 host 10.0.0.77
access-list 107 deny ip host 10.0.0.8 host 10.0.0.76
access-list 107 deny ip host 10.0.0.8 host 10.0.0.75
access-list 107 deny ip host 10.0.0.8 host 10.0.0.74
access-list 107 deny ip host 10.0.0.8 host 10.0.0.73
access-list 107 deny ip host 10.0.0.8 host 10.0.0.72
access-list 107 deny ip host 10.0.0.8 host 10.0.0.71
access-list 107 deny ip host 10.0.0.8 host 10.0.0.70
access-list 107 permit tcp host 10.0.0.8 eq 1723 any
access-list 108 remark CCP_ACL Category=2
access-list 108 deny ip host 10.0.0.3 host 10.0.0.80
access-list 108 deny ip host 10.0.0.3 host 10.0.0.79
access-list 108 deny ip host 10.0.0.3 host 10.0.0.78
access-list 108 deny ip host 10.0.0.3 host 10.0.0.77
access-list 108 deny ip host 10.0.0.3 host 10.0.0.76
access-list 108 deny ip host 10.0.0.3 host 10.0.0.75
access-list 108 deny ip host 10.0.0.3 host 10.0.0.74
access-list 108 deny ip host 10.0.0.3 host 10.0.0.73
access-list 108 deny ip host 10.0.0.3 host 10.0.0.72
access-list 108 deny ip host 10.0.0.3 host 10.0.0.71
access-list 108 deny ip host 10.0.0.3 host 10.0.0.70
access-list 108 permit tcp host 10.0.0.3 eq 8080 any
access-list 109 remark CCP_ACL Category=2
access-list 109 deny ip host 10.0.0.3 host 10.0.0.80
access-list 109 deny ip host 10.0.0.3 host 10.0.0.79
access-list 109 deny ip host 10.0.0.3 host 10.0.0.78
access-list 109 deny ip host 10.0.0.3 host 10.0.0.77
access-list 109 deny ip host 10.0.0.3 host 10.0.0.76
access-list 109 deny ip host 10.0.0.3 host 10.0.0.75
access-list 109 deny ip host 10.0.0.3 host 10.0.0.74
access-list 109 deny ip host 10.0.0.3 host 10.0.0.73
access-list 109 deny ip host 10.0.0.3 host 10.0.0.72
access-list 109 deny ip host 10.0.0.3 host 10.0.0.71
access-list 109 deny ip host 10.0.0.3 host 10.0.0.70
access-list 109 permit tcp host 10.0.0.3 eq www any
access-list 110 remark CCP_ACL Category=2
access-list 110 deny ip host 10.0.0.86 host 10.0.0.80
access-list 110 deny ip host 10.0.0.86 host 10.0.0.79
access-list 110 deny ip host 10.0.0.86 host 10.0.0.78
access-list 110 deny ip host 10.0.0.86 host 10.0.0.77
access-list 110 deny ip host 10.0.0.86 host 10.0.0.76
access-list 110 deny ip host 10.0.0.86 host 10.0.0.75
access-list 110 deny ip host 10.0.0.86 host 10.0.0.74
access-list 110 deny ip host 10.0.0.86 host 10.0.0.73
access-list 110 deny ip host 10.0.0.86 host 10.0.0.72
access-list 110 deny ip host 10.0.0.86 host 10.0.0.71
access-list 110 deny ip host 10.0.0.86 host 10.0.0.70
access-list 110 permit tcp host 10.0.0.86 eq 2869 any
access-list 111 remark CCP_ACL Category=2
access-list 111 deny ip host 10.0.0.20 host 10.0.0.80
access-list 111 deny ip host 10.0.0.20 host 10.0.0.79
access-list 111 deny ip host 10.0.0.20 host 10.0.0.78
access-list 111 deny ip host 10.0.0.20 host 10.0.0.77
access-list 111 deny ip host 10.0.0.20 host 10.0.0.76
access-list 111 deny ip host 10.0.0.20 host 10.0.0.75
access-list 111 deny ip host 10.0.0.20 host 10.0.0.74
access-list 111 deny ip host 10.0.0.20 host 10.0.0.73
access-list 111 deny ip host 10.0.0.20 host 10.0.0.72
access-list 111 deny ip host 10.0.0.20 host 10.0.0.71
access-list 111 deny ip host 10.0.0.20 host 10.0.0.70
access-list 111 permit tcp host 10.0.0.20 eq 1024 any
access-list 112 remark CCP_ACL Category=2
access-list 112 deny ip host 10.0.0.56 host 10.0.0.80
access-list 112 deny ip host 10.0.0.56 host 10.0.0.79
access-list 112 deny ip host 10.0.0.56 host 10.0.0.78
access-list 112 deny ip host 10.0.0.56 host 10.0.0.77
access-list 112 deny ip host 10.0.0.56 host 10.0.0.76
access-list 112 deny ip host 10.0.0.56 host 10.0.0.75
access-list 112 deny ip host 10.0.0.56 host 10.0.0.74
access-list 112 deny ip host 10.0.0.56 host 10.0.0.73
access-list 112 deny ip host 10.0.0.56 host 10.0.0.72
access-list 112 deny ip host 10.0.0.56 host 10.0.0.71
access-list 112 deny ip host 10.0.0.56 host 10.0.0.70
access-list 112 permit udp host 10.0.0.56 eq 88 any
access-list 113 remark CCP_ACL Category=2
access-list 113 deny ip host 10.0.0.3 host 10.0.0.80
access-list 113 deny ip host 10.0.0.3 host 10.0.0.79
access-list 113 deny ip host 10.0.0.3 host 10.0.0.78
access-list 113 deny ip host 10.0.0.3 host 10.0.0.77
access-list 113 deny ip host 10.0.0.3 host 10.0.0.76
access-list 113 deny ip host 10.0.0.3 host 10.0.0.75
access-list 113 deny ip host 10.0.0.3 host 10.0.0.74
access-list 113 deny ip host 10.0.0.3 host 10.0.0.73
access-list 113 deny ip host 10.0.0.3 host 10.0.0.72
access-list 113 deny ip host 10.0.0.3 host 10.0.0.71
access-list 113 deny ip host 10.0.0.3 host 10.0.0.70
access-list 113 permit tcp host 10.0.0.3 eq 443 any
access-list 114 remark CCP_ACL Category=2
access-list 114 deny ip host 10.0.0.56 host 10.0.0.80
access-list 114 deny ip host 10.0.0.56 host 10.0.0.79
access-list 114 deny ip host 10.0.0.56 host 10.0.0.78
access-list 114 deny ip host 10.0.0.56 host 10.0.0.77
access-list 114 deny ip host 10.0.0.56 host 10.0.0.76
access-list 114 deny ip host 10.0.0.56 host 10.0.0.75
access-list 114 deny ip host 10.0.0.56 host 10.0.0.74
access-list 114 deny ip host 10.0.0.56 host 10.0.0.73
access-list 114 deny ip host 10.0.0.56 host 10.0.0.72
access-list 114 deny ip host 10.0.0.56 host 10.0.0.71
access-list 114 deny ip host 10.0.0.56 host 10.0.0.70
access-list 114 permit tcp host 10.0.0.56 eq 3074 any
access-list 115 remark CCP_ACL Category=2
access-list 115 deny ip host 10.0.0.11 host 10.0.0.80
access-list 115 deny ip host 10.0.0.11 host 10.0.0.79
access-list 115 deny ip host 10.0.0.11 host 10.0.0.78
access-list 115 deny ip host 10.0.0.11 host 10.0.0.77
access-list 115 deny ip host 10.0.0.11 host 10.0.0.76
access-list 115 deny ip host 10.0.0.11 host 10.0.0.75
access-list 115 deny ip host 10.0.0.11 host 10.0.0.74
access-list 115 deny ip host 10.0.0.11 host 10.0.0.73
access-list 115 deny ip host 10.0.0.11 host 10.0.0.72
access-list 115 deny ip host 10.0.0.11 host 10.0.0.71
access-list 115 deny ip host 10.0.0.11 host 10.0.0.70
access-list 115 permit tcp host 10.0.0.11 eq smtp any
access-list 116 remark CCP_ACL Category=2
access-list 116 deny ip host 10.0.0.11 host 10.0.0.80
access-list 116 deny ip host 10.0.0.11 host 10.0.0.79
access-list 116 deny ip host 10.0.0.11 host 10.0.0.78
access-list 116 deny ip host 10.0.0.11 host 10.0.0.77
access-list 116 deny ip host 10.0.0.11 host 10.0.0.76
access-list 116 deny ip host 10.0.0.11 host 10.0.0.75
access-list 116 deny ip host 10.0.0.11 host 10.0.0.74
access-list 116 deny ip host 10.0.0.11 host 10.0.0.73
access-list 116 deny ip host 10.0.0.11 host 10.0.0.72
access-list 116 deny ip host 10.0.0.11 host 10.0.0.71
access-list 116 deny ip host 10.0.0.11 host 10.0.0.70
access-list 116 permit tcp host 10.0.0.11 eq 143 any
access-list 117 remark CCP_ACL Category=2
access-list 117 deny ip host 10.0.0.11 host 10.0.0.80
access-list 117 deny ip host 10.0.0.11 host 10.0.0.79
access-list 117 deny ip host 10.0.0.11 host 10.0.0.78
access-list 117 deny ip host 10.0.0.11 host 10.0.0.77
access-list 117 deny ip host 10.0.0.11 host 10.0.0.76
access-list 117 deny ip host 10.0.0.11 host 10.0.0.75
access-list 117 deny ip host 10.0.0.11 host 10.0.0.74
access-list 117 deny ip host 10.0.0.11 host 10.0.0.73
access-list 117 deny ip host 10.0.0.11 host 10.0.0.72
access-list 117 deny ip host 10.0.0.11 host 10.0.0.71
access-list 117 deny ip host 10.0.0.11 host 10.0.0.70
access-list 117 permit tcp host 10.0.0.11 eq pop3 any
access-list 118 remark CCP_ACL Category=2
access-list 118 deny ip host 10.0.0.56 host 10.0.0.80
access-list 118 deny ip host 10.0.0.56 host 10.0.0.79
access-list 118 deny ip host 10.0.0.56 host 10.0.0.78
access-list 118 deny ip host 10.0.0.56 host 10.0.0.77
access-list 118 deny ip host 10.0.0.56 host 10.0.0.76
access-list 118 deny ip host 10.0.0.56 host 10.0.0.75
access-list 118 deny ip host 10.0.0.56 host 10.0.0.74
access-list 118 deny ip host 10.0.0.56 host 10.0.0.73
access-list 118 deny ip host 10.0.0.56 host 10.0.0.72
access-list 118 deny ip host 10.0.0.56 host 10.0.0.71
access-list 118 deny ip host 10.0.0.56 host 10.0.0.70
access-list 118 permit tcp host 10.0.0.56 eq 88 any
access-list 119 remark CCP_ACL Category=2
access-list 119 deny ip host 10.0.0.22 host 10.0.0.80
access-list 119 deny ip host 10.0.0.22 host 10.0.0.79
access-list 119 deny ip host 10.0.0.22 host 10.0.0.78
access-list 119 deny ip host 10.0.0.22 host 10.0.0.77
access-list 119 deny ip host 10.0.0.22 host 10.0.0.76
access-list 119 deny ip host 10.0.0.22 host 10.0.0.75
access-list 119 deny ip host 10.0.0.22 host 10.0.0.74
access-list 119 deny ip host 10.0.0.22 host 10.0.0.73
access-list 119 deny ip host 10.0.0.22 host 10.0.0.72
access-list 119 deny ip host 10.0.0.22 host 10.0.0.71
access-list 119 deny ip host 10.0.0.22 host 10.0.0.70
access-list 119 permit tcp host 10.0.0.22 eq 1110 any
access-list 120 remark CCP_ACL Category=2
access-list 120 deny ip host 10.0.0.86 host 10.0.0.80
access-list 120 deny ip host 10.0.0.86 host 10.0.0.79
access-list 120 deny ip host 10.0.0.86 host 10.0.0.78
access-list 120 deny ip host 10.0.0.86 host 10.0.0.77
access-list 120 deny ip host 10.0.0.86 host 10.0.0.76
access-list 120 deny ip host 10.0.0.86 host 10.0.0.75
access-list 120 deny ip host 10.0.0.86 host 10.0.0.74
access-list 120 deny ip host 10.0.0.86 host 10.0.0.73
access-list 120 deny ip host 10.0.0.86 host 10.0.0.72
access-list 120 deny ip host 10.0.0.86 host 10.0.0.71
access-list 120 deny ip host 10.0.0.86 host 10.0.0.70
access-list 120 permit udp host 10.0.0.86 eq 1900 any
access-list 121 remark CCP_ACL Category=2
access-list 121 deny ip host 10.0.0.26 host 10.0.0.80
access-list 121 deny ip host 10.0.0.26 host 10.0.0.79
access-list 121 deny ip host 10.0.0.26 host 10.0.0.78
access-list 121 deny ip host 10.0.0.26 host 10.0.0.77
access-list 121 deny ip host 10.0.0.26 host 10.0.0.76
access-list 121 deny ip host 10.0.0.26 host 10.0.0.75
access-list 121 deny ip host 10.0.0.26 host 10.0.0.74
access-list 121 deny ip host 10.0.0.26 host 10.0.0.73
access-list 121 deny ip host 10.0.0.26 host 10.0.0.72
access-list 121 deny ip host 10.0.0.26 host 10.0.0.71
access-list 121 deny ip host 10.0.0.26 host 10.0.0.70
access-list 121 permit tcp host 10.0.0.26 eq 1115 any
access-list 122 remark CCP_ACL Category=2
access-list 122 deny ip host 10.0.0.56 host 10.0.0.80
access-list 122 deny ip host 10.0.0.56 host 10.0.0.79
access-list 122 deny ip host 10.0.0.56 host 10.0.0.78
access-list 122 deny ip host 10.0.0.56 host 10.0.0.77
access-list 122 deny ip host 10.0.0.56 host 10.0.0.76
access-list 122 deny ip host 10.0.0.56 host 10.0.0.75
access-list 122 deny ip host 10.0.0.56 host 10.0.0.74
access-list 122 deny ip host 10.0.0.56 host 10.0.0.73
access-list 122 deny ip host 10.0.0.56 host 10.0.0.72
access-list 122 deny ip host 10.0.0.56 host 10.0.0.71
access-list 122 deny ip host 10.0.0.56 host 10.0.0.70
access-list 122 permit udp host 10.0.0.56 eq 3074 any
!
menu R1 title ^CMenu
Cisco 3725 ^C
menu R1 prompt ^C Please Make A Selection ^C
menu R1 text 1 Restart Router
menu R1 command 1 reload
menu R1 text 2 Ping Google [Layer 3/4]
menu R1 command 2 ping google.com
menu R1 text 3 Ping ISP [Layer 3]
menu R1 command 3 ping xx.xx.xx.xx
menu R1 text 4 Active NAT Translations [Layer 3]
menu R1 command 4 sh ip nat trans
menu R1 text 5 Clear Current NAT Translations [Layer 3]
menu R1 command 5 clear ip nat trans *
menu R1 text 6 Fan Status [Layer 1]
menu R1 command 6 sh env
menu R1 text 7 Show Interface Status [Layer 1/2]
menu R1 command 7 sh ip int bri
menu R1 text 8 Neighbors [Layer 2]
menu R1 command 8 sh cdp ne
menu R1 text 9 Show NetFlow Stats [Layer 3]
menu R1 command 9 sh ip cache flow
menu R1 text 10 Show Top Talkers [Layer 3]
menu R1 command 10 sh ip flow top-talkers
menu R1 text 11 Exit
menu R1 command 11 menu-exit
menu R1 status-line
menu R1 line-mode
!
route-map SDM_RMAP_15 permit 1
match ip address 114
!
route-map SDM_RMAP_14 permit 1
match ip address 113
!
route-map SDM_RMAP_17 permit 1
match ip address 116
!
route-map SDM_RMAP_16 permit 1
match ip address 115
!
route-map SDM_RMAP_22 permit 1
match ip address 121
!
route-map SDM_RMAP_11 permit 1
match ip address 110
!
route-map SDM_RMAP_23 permit 1
match ip address 122
!
route-map SDM_RMAP_10 permit 1
match ip address 109
!
route-map SDM_RMAP_13 permit 1
match ip address 112
!
route-map SDM_RMAP_20 permit 1
match ip address 119
!
route-map SDM_RMAP_12 permit 1
match ip address 111
!
route-map SDM_RMAP_21 permit 1
match ip address 120
!
route-map SDM_RMAP_19 permit 1
match ip address 118
!
route-map SDM_RMAP_18 permit 1
match ip address 117
!
route-map SDM_RMAP_4 permit 1
match ip address 103
!
route-map SDM_RMAP_5 permit 1
match ip address 104
!
route-map SDM_RMAP_6 permit 1
match ip address 105
!
route-map SDM_RMAP_7 permit 1
match ip address 106
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 101
!
route-map SDM_RMAP_3 permit 1
match ip address 102
!
route-map SDM_RMAP_8 permit 1
match ip address 107
!
route-map SDM_RMAP_9 permit 1
match ip address 108
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
privilege exec level 2 traceroute
privilege exec level 2 ping
privilege exec level 2 reload
privilege exec level 2 show version
privilege exec level 2 show
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input ssh
transport output ssh
line vty 5 903
privilege level 15
transport input ssh
transport output ssh
!
ntp logging
ntp clock-period 17180581
ntp server xx.xx.xx.xx
!
end
Anyone have any idea what I'm doing wrong? Any help is greatly appreciated.
10-21-2013 01:17 AM
This one is missing:
ip nat inside source list 1 pool R1_Pool overload
Or you need an overload when your nat pool is too small (you X'ed it out):
ip nat inside source route-map SDM_RMAP_1 pool R1_Pool
Michael
Please rate all helpful posts
10-21-2013 04:37 PM
Hey ciscomax, thanks for the reply.
Can you elaborate? I have the first command you listed already in my config (before CCP added the VPN server) for overloading my NAT:
ip nat inside source list 1 pool R1_Pool overload
and after CCP adds the EzVPN commands, I have the second command you listed in my config:
ip nat inside source route-map SDM_RMAP_1 pool R1_Pool
For clarification, I only have one static public IP available to use.
Did you mean something else?
10-21-2013 11:11 PM
Joshua,
After adding the CCP commands, the first one is/was missing. If you have only 1 IP address, why don't you just overload Fa0/0?
Michael
Please rate all helpful posts
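As an added check (not from the thread, and not CCP's own output), the following Python audit parses the relevant lines of the posted "after" config and flags the two things visible in it: a dynamic NAT rule pointing at a one-address pool without `overload`, and a VPN client pool (SDM_POOL_1) that sits inside the LAN DHCP scope without matching `ip dhcp excluded-address` entries. The masked public address xx.xx.xx.xx is replaced by the documentation placeholder 192.0.2.10.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the lines that matter, copied from the thread's "after"
# config, with the masked public IP replaced by the placeholder 192.0.2.10.
AFTER_CONFIG = """\
ip dhcp excluded-address 10.0.0.2 10.0.0.23
ip dhcp excluded-address 10.0.0.100
ip dhcp excluded-address 10.0.0.1
ip dhcp pool LAN_Pool
 network 10.0.0.0 255.255.255.0
ip local pool SDM_POOL_1 10.0.0.70 10.0.0.80
ip nat pool R1_Pool 192.0.2.10 192.0.2.10 netmask 255.255.255.255
ip nat inside source route-map SDM_RMAP_1 pool R1_Pool
"""

# Constructed sample of the pre-wizard NAT statement (with overload).
BEFORE_CONFIG = """\
ip nat pool R1_Pool 192.0.2.10 192.0.2.10 netmask 255.255.255.255
ip nat inside source list 1 pool R1_Pool overload
"""

# Constructed "fixed" variant: overload restored and the VPN pool range
# excluded from DHCP so LAN clients cannot be leased a VPN client address.
FIXED_CONFIG = AFTER_CONFIG.replace(
    "pool R1_Pool\n", "pool R1_Pool overload\n"
) + "ip dhcp excluded-address 10.0.0.70 10.0.0.80\n"

_RE_NAT_POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
_RE_DYN_NAT = re.compile(
    r"^ip nat inside source (list|route-map) (\S+) (pool|interface) (\S+)(?P<rest>.*)$")
_RE_LOCAL_POOL = re.compile(r"^ip local pool (\S+) (\S+)(?: (\S+))?")
_RE_DHCP_EXCL = re.compile(r"^ip dhcp excluded-address (\S+)(?: (\S+))?")
_RE_DHCP_NET = re.compile(r"^\s*network (\S+) (\S+)")


@dataclass(frozen=True)
class Finding:
    code: str
    subject: str
    detail: str


def _as_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _ranges(cfg: str, pattern: re.Pattern) -> dict:
    """Map name (or index) -> (start, end) integer range for one-line range statements."""
    out = {}
    for line in cfg.splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue
        start = _as_int(m.group(2)) if pattern is not _RE_DHCP_EXCL else _as_int(m.group(1))
        last = m.group(3) if pattern is not _RE_DHCP_EXCL else m.group(2)
        end = _as_int(last) if last else start
        out[m.group(1) if pattern is not _RE_DHCP_EXCL else len(out)] = (start, end)
    return out


def parse_dynamic_nat(cfg: str) -> list:
    """Dynamic NAT rules only; static 'ip nat inside source static' lines do not match."""
    rules = []
    for line in cfg.splitlines():
        m = _RE_DYN_NAT.match(line.strip())
        if m:
            rules.append({"selector": f"{m.group(1)} {m.group(2)}",
                          "target_kind": m.group(3), "target": m.group(4),
                          "overload": "overload" in m.group("rest").split()})
    return rules


def parse_dhcp_networks(cfg: str) -> list:
    """Networks declared under 'ip dhcp pool' blocks (block ends at '!' or a top-level 'ip ' line)."""
    nets, in_pool = [], False
    for line in cfg.splitlines():
        if line.startswith("ip dhcp pool "):
            in_pool = True
        elif in_pool and (m := _RE_DHCP_NET.match(line)):
            nets.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif line.strip() == "!" or line.startswith("ip "):
            in_pool = False
    return nets


def audit(cfg: str) -> list:
    findings = []
    nat_pools = _ranges(cfg, _RE_NAT_POOL)
    for rule in parse_dynamic_nat(cfg):
        if rule["target_kind"] != "pool" or rule["overload"]:
            continue
        # Without overload, each inside host consumes a whole pool address (no PAT).
        start, end = nat_pools.get(rule["target"], (0, -1))
        size = end - start + 1
        findings.append(Finding("NAT_NO_OVERLOAD", rule["target"],
            f"dynamic NAT via {rule['selector']} has no overload; pool has {size} address(es), "
            f"so at most {size} LAN host(s) can hold a translation at once"))
    excluded = list(_ranges(cfg, _RE_DHCP_EXCL).values())
    nets = parse_dhcp_networks(cfg)
    for name, (start, end) in _ranges(cfg, _RE_LOCAL_POOL).items():
        for net in nets:
            if ipaddress.IPv4Address(start) not in net:
                continue
            unprotected = [a for a in range(start, end + 1)
                           if not any(lo <= a <= hi for lo, hi in excluded)]
            if unprotected:
                findings.append(Finding("VPN_POOL_IN_DHCP_SCOPE", name,
                    f"{len(unprotected)} VPN client address(es) inside DHCP scope {net} lack an "
                    f"excluded-address entry, e.g. {ipaddress.IPv4Address(unprotected[0])}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"[{label}]", *[f"  {f.code} {f.subject}: {f.detail}" for f in audit(cfg)] or ["  clean"], sep="\n")
```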