having problem with vpn connection to access devices in customer's network

ronakpa
Level 1

Hi, I am trying to build an IPsec tunnel to access the devices in a customer's network.

Here is the scenario:

router 192.133.193.242 - 192.133.193.241 inside PIX 192.133.193.249 outside ------internet------- customer's router ---- devices

Router config

The devices' actual IPs are 10.124.90.250, .251 and .252.

On the router I am doing PAT using the pool 192.133.192.243.

I built a route-map and overload with the PAT pool.

In the route-map I match permit ip any 10.200.200.0/24.

I also statically combine 10.200.200.1 --- 10.124.90.250

10.200.200.2 --- 10.124.90.251

10.200.200.3 --- 10.124.90.252

I also added a route: ip route 10.200.200.0/24 192.133.193.241 (inside PIX).

PIX config

I built a crypto map and an ISAKMP policy.

In the crypto ACL I put 192.133.192.243 216.46.255.0/26 (customer subnet).

nat 0 permit ip 192.133.192.243 10.124.90.240/28

access-list outside_access_in permit icmp 10.124.90.240/28 192.133.192.243 echo-reply

access-list inside_access_in permit ip 192.133.192.243 10.124.90.240/28

Added route 192.133.192.243 255.255.255.255 192.133.193.242 (the actual router IP that is connected to the PIX).

Can anyone help with what is wrong?
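The router side of the scenario above, as an added example written for this thread (Python; it is not the poster's configuration or Cisco code): it models the two IOS NAT features being combined, ip nat outside source static for the 10.200.200.x aliases and the route-map PAT onto 192.133.192.243, and shows the addresses a packet carries when it reaches the PIX and how the reply is mapped back. Assumptions: the inside host 10.155.1.20 is invented, and the route-map ACL is evaluated against the 10.200.200.x destination the host used (the match counter on that ACL later in the thread is consistent with this; confirm on the box with show ip nat translations).

```python
import ipaddress

# Model of the two IOS NAT features the router in the post combines.
# Written for this thread as an illustration; addresses are the ones the
# post gives, the inside host used in the demo is invented.

# ip nat outside source static <outside-global> <outside-local>
# (the post maps 10.200.200.1 -> 10.124.90.250 and so on)
OUTSIDE_GLOBAL_TO_LOCAL = {
    "10.124.90.250": "10.200.200.1",
    "10.124.90.251": "10.200.200.2",
    "10.124.90.252": "10.200.200.3",
}
OUTSIDE_LOCAL_TO_GLOBAL = {v: k for k, v in OUTSIDE_GLOBAL_TO_LOCAL.items()}

# ip nat inside source route-map ... pool ... overload, with a one-address pool
PAT_ADDRESS = "192.133.192.243"
# the route-map's match ACL: permit ip any 10.200.200.0 0.0.0.255
ROUTE_MAP_ACL = (ipaddress.ip_network("0.0.0.0/0"),
                 ipaddress.ip_network("10.200.200.0/24"))


def acl_matches(acl, src, dst):
    src_net, dst_net = acl
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)


class RouterNat:
    """Keeps the PAT bindings on the pool address (what show ip nat translations lists)."""

    def __init__(self):
        self.bindings = {}  # PAT port -> (inside local address, inside local port)

    def _pat_port(self, sport):
        # PAT keeps the host's source port when it is free and picks another
        # one otherwise; the exact choice does not matter for this model.
        port = sport
        while port in self.bindings:
            port = 1024 if port >= 65535 else port + 1
        return port

    def inside_to_outside(self, src, sport, dst, dport):
        """Packet from an inside host heading toward the PIX.

        Assumed order (consistent with the match counter shown on the ACL
        later in the thread): the route-map ACL is checked against the
        outside-local destination the host used, then the destination alias
        is rewritten to the outside-global address and the source is PATed.
        """
        dst_global = OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst)
        if not acl_matches(ROUTE_MAP_ACL, src, dst):
            # Not interesting to the route-map: the source leaves untranslated.
            return (src, sport, dst_global, dport)
        pat_port = self._pat_port(sport)
        self.bindings[pat_port] = (src, sport)
        return (PAT_ADDRESS, pat_port, dst_global, dport)

    def outside_to_inside(self, src, sport, dst, dport):
        """Reply coming back from the PIX; NAT runs before the routing lookup."""
        if dst != PAT_ADDRESS or dport not in self.bindings:
            return None  # nothing to undo the PAT with: the router drops it
        inside, inside_port = self.bindings[dport]
        return (OUTSIDE_GLOBAL_TO_LOCAL.get(src, src), sport, inside, inside_port)


if __name__ == "__main__":
    nat = RouterNat()
    # invented inside host 10.155.1.20 opening SSH to the first alias
    print(nat.inside_to_outside("10.155.1.20", 40000, "10.200.200.1", 22))
    print(nat.outside_to_inside("10.124.90.250", 22, "192.133.192.243", 40000))
```

The tuple returned by inside_to_outside is the source/destination pair the PIX's nat 0 ACL and crypto ACL have to match. Note what happens when a host addresses the real 10.124.90.x address instead of the 10.200.200.x alias: the route-map does not match, so the packet leaves the router with its inside source address untouched and never looks like 192.133.192.243 to the PIX.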

3 Replies

Hi Ronak,

Could you please add the configuration of both devices as it is (show run)?

* You can remove usernames, passwords, and additional commands which are not VPN related.

Thanks in advance.

Portu.

For my router, sh run is too large, so I just added the full PIX sh run and the VPN-related parts of the router's config.

PIX sh run

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.06 08:58:04 =~=~=~=~=~=~=~=~=~=~=~=

lwr05-ca-vpn1#ssh 192.133.193.241

lwr05-t-nsc-fw1> en
lwr05-t-nsc-fw1# sh run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 pub_dmz security10
enable password Q.kWaaSUnawXMOX9 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname lwr05-t-nsc-fw1
domain-name cisco.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 70.249.116.228 ATT_MissionKS
name 192.133.193.242 VPN_3845
name 24.164.128.248 TW_NY_Backup
name 208.198.20.152 TW_NY_Primary
name 24.199.197.68 TW_Raleigh_Corp
name 24.24.1.163 TW_Syracuse_Office
name 66.138.92.12 ATT_MissionVPN
name 64.236.202.160 TW_Rochester3
name 24.29.109.136 TW_Rochester2
name 24.24.5.72 TW_Rochester1
name 24.93.1.61 TW_Rochester
name 10.88.44.0 Verizon_VLAN3
name 10.88.44.64 Verizon_VLAN4
name 10.88.128.128 Verizon_VLAN5
name 192.133.192.242 PAT_to_PIX-VPN
name 10.4.254.0 Verizon_copernicus
name 151.200.191.12 Verizon_VPN
name 10.90.136.128 Fred_Zendt_Lab_NEW
name 24.93.67.155 TW_Raleigh_BNobles
name 24.29.109.0 TW_NY_Range
name 200.94.160.10 CableMas_Juarez
name 200.79.192.23 CableMas_Chihuahua
name 192.133.192.248 Verizon_Pool
name 198.23.5.27 Verizon_MD_VPN
name 10.90.139.249 ION-NEW
name 204.235.114.4 TW_Syracuse_SSL
name 10.4.1.0 Verizon_Reston1
name 10.85.2.0 Verizon_Reston2
name 192.168.41.0 SciCare_Pool
name 10.85.4.128 Verizon_TaBlm1
name 10.85.8.128 Verizon_TaBlm2
name 10.88.63.128 Verizon_TaBlm3
name 24.24.5.70 TW_Rochester4
name 10.116.129.208 larbisho_CVO
name 10.82.192.0 rtp-vpn-cluster
name 10.20.245.224 jasmill2_CVO
name 10.124.90.240 verizon_redbox1
name 10.124.95.240 verizon_redbox2
name 192.133.192.243 verizon_redbox_pat_pool
object-group network SciCare.servers
  network-object ION-NEW 255.255.255.255
object-group service default.services tcp
  port-object eq telnet
  port-object eq www
  port-object eq ssh
  port-object eq ftp
  port-object eq ftp-data
  port-object eq pop3
  port-object eq nntp
  port-object eq https
object-group network VPN_Access_Control
  network-object TW_Syracuse_Office 255.255.255.255
  network-object TW_Syracuse_SSL 255.255.255.255
  network-object TW_Raleigh_Corp 255.255.255.255
  network-object TW_NY_Primary 255.255.255.255
  network-object TW_NY_Backup 255.255.255.252
  network-object TW_Rochester1 255.255.255.248
  network-object TW_Rochester2 255.255.255.248
  network-object TW_Rochester3 255.255.255.248
  network-object TW_Rochester 255.255.255.255
  network-object TW_Raleigh_BNobles 255.255.255.255
  network-object TW_NY_Range 255.255.255.0
  network-object 97.80.177.231 255.255.255.255
  network-object host TW_Rochester4
  network-object 64.100.119.72 255.255.255.255
  network-object 166.137.11.162 255.255.255.255
  network-object 76.21.121.47 255.255.255.255
object-group network Verizon_Baltimore
  network-object 113.50.84.182 255.255.255.255
  network-object 113.50.84.183 255.255.255.255
  network-object 113.50.84.222 255.255.255.255
  network-object 192.168.164.4 255.255.255.255
  network-object 156.145.136.84 255.255.255.255
  network-object 156.145.136.254 255.255.255.255
object-group network Verizon_RestonVA
  description Temporary VPN to Verizon - Reston, VA lab.
  network-object Verizon_Reston1 255.255.255.0
  network-object Verizon_Reston2 255.255.255.0
object-group network ATT_MobilityLab
  description This is for the new non-standard VPN to ATT Mobility Lab. Brought online on May-7-2009
  network-object 155.165.224.133 255.255.255.255
  network-object 155.165.196.21 255.255.255.255
  network-object 155.165.224.134 255.255.255.255
  network-object 155.165.224.135 255.255.255.255
  network-object 155.165.224.136 255.255.255.255
object-group network Verizon_Multi
  description Verizon VPN that goes to multiple sites. Copernicus - Tampa, FL - Bloomington, IL
  network-object Verizon_TaBlm1 255.255.255.240
  network-object Verizon_TaBlm2 255.255.255.240
  network-object Verizon_TaBlm3 255.255.255.224
  network-object 10.85.252.68 255.255.255.255
  network-object Verizon_copernicus 255.255.255.192
object-group network PAT-AND-NATPOOL
  description Contains both the PAT address and SciCare NAT Pool
  network-object PAT_to_PIX-VPN 255.255.255.255
  network-object SciCare_Pool 255.255.255.0
object-group network VPN_Access_Contro
object-group network verizon_redbox_multi
  network-object verizon_redbox1 255.255.255.240
  network-object verizon_redbox2 255.255.255.240
object-group network verizon_redbox
  network-object verizon_redbox_pat_pool 255.255.255.255
  network-object SciCare_Pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host VPN_3845 any
access-list inside_outbound_nat0_acl permit ip host PAT_to_PIX-VPN ATT_MissionKS 255.255.255.254
access-list inside_outbound_nat0_acl permit ip Verizon_Pool 255.255.255.248 object-group Verizon_Baltimore
access-list inside_outbound_nat0_acl permit ip SciCare_Pool 255.255.255.0 object-group Verizon_RestonVA
access-list inside_outbound_nat0_acl permit ip host PAT_to_PIX-VPN object-group ATT_MobilityLab
access-list inside_outbound_nat0_acl permit ip object-group PAT-AND-NATPOOL object-group Verizon_Multi
access-list inside_outbound_nat0_acl permit ip object-group verizon_redbox object-group verizon_redbox_multi
access-list outside_access_in permit gre any host VPN_3845
access-list outside_access_in permit esp any host VPN_3845
access-list outside_access_in permit ah any host VPN_3845
access-list outside_access_in permit udp any host VPN_3845 eq isakmp
access-list outside_access_in permit icmp any host VPN_3845 echo-reply
access-list outside_access_in permit icmp any host VPN_3845 time-exceeded
access-list outside_access_in permit tcp any host 192.133.193.243 eq smtp
access-list outside_access_in permit icmp any host 192.133.193.243 echo-reply
access-list outside_access_in permit tcp object-group VPN_Access_Control host 192.133.193.243 eq www log
access-list outside_access_in permit icmp object-group Verizon_Baltimore Verizon_Pool 255.255.255.248 echo-reply
access-list outside_access_in permit icmp object-group Verizon_RestonVA SciCare_Pool 255.255.255.0 echo-reply
access-list outside_access_in permit icmp object-group ATT_MobilityLab host PAT_to_PIX-VPN echo-reply
access-list outside_access_in permit icmp object-group Verizon_Multi object-group PAT-AND-NATPOOL echo-reply
access-list outside_access_in permit icmp object-group verizon_redbox_multi object-group verizon_redbox echo-reply
access-list outside_access_in permit icmp any any log
access-list pub_dmz_access_in permit tcp host ION-NEW any object-group default.services
access-list pub_dmz_access_in permit tcp host ION-NEW any eq smtp
access-list pub_dmz_access_in permit udp host ION-NEW any eq domain
access-list pub_dmz_access_in permit icmp host ION-NEW any echo
access-list outside_cryptomap_10 permit ip host PAT_to_PIX-VPN ATT_MissionKS 255.255.255.254
access-list outside_cryptomap_20 remark The SciCare POOL in this group is legacy, but still in the policy to keep the tunnel up.
access-list outside_cryptomap_20 permit ip object-group PAT-AND-NATPOOL object-group Verizon_Multi
access-list inside_access_in permit ip host VPN_3845 any
access-list inside_access_in permit ip host PAT_to_PIX-VPN ATT_MissionKS 255.255.255.254
access-list inside_access_in permit ip Verizon_Pool 255.255.255.248 object-group Verizon_Baltimore
access-list inside_access_in permit ip SciCare_Pool 255.255.255.0 object-group Verizon_RestonVA
access-list inside_access_in permit ip host PAT_to_PIX-VPN object-group ATT_MobilityLab
access-list inside_access_in permit ip object-group PAT-AND-NATPOOL object-group Verizon_Multi
access-list inside_access_in permit ip 10.155.0.0 255.255.0.0 any
access-list inside_access_in permit ip 64.100.116.0 255.255.255.0 host 192.133.193.243
access-list inside_access_in permit ip object-group verizon_redbox object-group verizon_redbox_multi
access-list capin permit ip host PAT_to_PIX-VPN host CableMas_Chihuahua
access-list capin permit ip host PAT_to_PIX-VPN host CableMas_Juarez
access-list capout permit ip host PAT_to_PIX-VPN host CableMas_Chihuahua
access-list capout permit ip host PAT_to_PIX-VPN host CableMas_Juarez
access-list capout permit ip any host CableMas_Chihuahua
access-list capout permit ip any host CableMas_Juarez
access-list capout permit ip host CableMas_Chihuahua any
access-list capout permit ip host CableMas_Juarez any
access-list outside_cryptomap_30 permit ip Verizon_Pool 255.255.255.248 object-group Verizon_Baltimore
access-list outside_cryptomap_40 permit ip SciCare_Pool 255.255.255.0 object-group Verizon_RestonVA
access-list outside_cryptomap_50 permit ip host PAT_to_PIX-VPN object-group ATT_MobilityLab
access-list outside_cryptomap_60 permit ip object-group verizon_redbox object-group verizon_redbox_multi
access-list outside_cryptomap_60 permit ip host verizon_redbox_pat_pool 216.46.255.0 255.255.255.192
access-list test permit tcp any any eq ssh
pager lines 30
logging on
logging buffered warnings
icmp permit 192.133.193.248 255.255.255.252 outside
icmp permit 192.133.193.240 255.255.255.248 inside
icmp permit host 192.133.216.135 inside
icmp permit 10.90.139.0 255.255.255.0 pub_dmz
mtu outside 1500
mtu inside 1500
mtu intf2 1500
mtu intf3 1500
mtu intf4 1500
mtu pub_dmz 1500
ip address outside 192.133.193.249 255.255.255.252
ip address inside 192.133.193.241 255.255.255.248
no ip address intf2
no ip address intf3
no ip address intf4
ip address pub_dmz 10.90.139.250 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address intf2
no failover ip address intf3
no failover ip address intf4
no failover ip address pub_dmz
pdm location 172.18.175.0 255.255.255.0 inside
pdm location 172.18.176.0 255.255.255.0 inside
pdm location 172.18.177.0 255.255.255.0 inside
pdm location VPN_3845 255.255.255.255 inside
pdm location ATT_MissionKS 255.255.255.254 outside
pdm location PAT_to_PIX-VPN 255.255.255.255 inside
pdm location TW_NY_Backup 255.255.255.252 outside
pdm location TW_NY_Primary 255.255.255.255 outside
pdm location TW_Raleigh_Corp 255.255.255.255 outside
pdm location TW_Syracuse_Office 255.255.255.255 outside
pdm location ATT_MissionVPN 255.255.255.255 outside
pdm location 10.90.128.0 255.255.192.0 pub_dmz
pdm location TW_Rochester1 255.255.255.248 outside
pdm location TW_Rochester2 255.255.255.248 outside
pdm location TW_Rochester3 255.255.255.248 outside
pdm location TW_Rochester 255.255.255.255 outside
pdm location Verizon_VLAN3 255.255.255.192 outside
pdm location Verizon_VLAN4 255.255.255.192 outside
pdm location Verizon_VLAN5 255.255.255.192 outside
pdm location 17.254.17.246 255.255.255.255 outside
pdm location Verizon_copernicus 255.255.255.192 outside
pdm location Verizon_VPN 255.255.255.255 outside
pdm location Fred_Zendt_Lab_NEW 255.255.255.192 inside
pdm location TW_Raleigh_BNobles 255.255.255.255 outside
pdm location 64.100.94.0 255.255.254.0 inside
pdm location 64.100.64.0 255.255.192.0 inside
pdm location TW_NY_Range 255.255.255.0 outside
pdm location CableMas_Chihuahua 255.255.255.255 outside
pdm location CableMas_Juarez 255.255.255.255 outside
pdm location 192.133.216.135 255.255.255.255 inside
pdm location SciCare_Pool 255.255.255.0 inside
pdm location 113.50.84.77 255.255.255.255 outside
pdm location 113.50.84.78 255.255.255.255 outside
pdm location 113.50.84.80 255.255.255.255 outside
pdm location 113.50.84.182 255.255.255.255 outside
pdm location 113.50.84.183 255.255.255.255 outside
pdm location 113.50.84.222 255.255.255.255 outside
pdm location 156.145.136.157 255.255.255.255 outside
pdm location 156.145.136.158 255.255.255.255 outside
pdm location 156.145.136.174 255.255.255.255 outside
pdm location 192.168.164.4 255.255.255.255 outside
pdm location Verizon_Pool 255.255.255.248 inside
pdm location Verizon_MD_VPN 255.255.255.255 outside
pdm location ION-NEW 255.255.255.255 pub_dmz
pdm location TW_Syracuse_SSL 255.255.255.255 outside
pdm location Verizon_Reston1 255.255.255.0 outside
pdm location Verizon_Reston2 255.255.255.0 outside
pdm location 155.165.224.133 255.255.255.255 outside
pdm location 155.165.196.21 255.255.255.255 outside
pdm location Verizon_TaBlm1 255.255.255.240 outside
pdm location Verizon_TaBlm2 255.255.255.240 outside
pdm location Verizon_TaBlm3 255.255.255.224 outside
pdm location 64.100.82.0 255.255.254.0 inside
pdm location 64.100.0.0 255.252.0.0 inside
pdm location 10.85.252.68 255.255.255.255 outside
pdm location 155.165.224.134 255.255.255.255 outside
pdm location 155.165.224.135 255.255.255.255 outside
pdm location 155.165.224.136 255.255.255.255 outside
pdm location larbisho_CVO 255.255.255.240 inside
pdm location TW_Rochester4 255.255.255.255 outside
pdm location 97.80.177.231 255.255.255.255 outside
pdm location 156.145.136.84 255.255.255.255 outside
pdm location 156.145.136.254 255.255.255.255 outside
pdm location jasmill2_CVO 255.255.255.240 inside
pdm location rtp-vpn-cluster 255.255.192.0 inside
pdm location 10.21.0.0 255.255.0.0 inside
pdm location 10.20.0.0 255.254.0.0 inside
pdm location 171.71.86.0 255.255.254.0 inside
pdm location 10.155.0.0 255.255.0.0 inside
pdm location verizon_redbox1 255.255.255.240 outside
pdm location verizon_redbox2 255.255.255.240 outside
pdm group SciCare.servers pub_dmz
pdm group VPN_Access_Control outside
pdm group Verizon_Baltimore outside
pdm group Verizon_RestonVA outside
pdm group ATT_MobilityLab outside
pdm group Verizon_Multi outside
pdm group PAT-AND-NATPOOL inside
pdm group verizon_redbox_multi outside
pdm group verizon_redbox inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (pub_dmz) 1 0.0.0.0 0.0.0.0 0 0
static (pub_dmz,outside) 192.133.193.243 ION-NEW netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group pub_dmz_access_in in interface pub_dmz
route outside 0.0.0.0 0.0.0.0 192.133.193.250 1
route inside 10.20.0.0 255.254.0.0 VPN_3845 1
route inside jasmill2_CVO 255.255.255.240 VPN_3845 1
route inside rtp-vpn-cluster 255.255.192.0 VPN_3845 1
route inside larbisho_CVO 255.255.255.240 VPN_3845 1
route inside 10.155.16.0 255.255.252.0 VPN_3845 1
route inside 64.100.64.0 255.255.192.0 VPN_3845 1
route inside 171.71.86.0 255.255.254.0 VPN_3845 1
route inside PAT_to_PIX-VPN 255.255.255.255 VPN_3845 1
route inside verizon_redbox_pat_pool 255.255.255.255 VPN_3845 1
route inside Verizon_Pool 255.255.255.248 VPN_3845 1
route inside 192.133.216.135 255.255.255.255 VPN_3845 1
route inside SciCare_Pool 255.255.255.0 VPN_3845 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http SciCare_Pool 255.255.255.0 inside
http 64.100.82.0 255.255.254.0 inside
http larbisho_CVO 255.255.255.240 inside
http jasmill2_CVO 255.255.255.240 inside
http rtp-vpn-cluster 255.255.192.0 inside
http 10.20.0.0 255.254.0.0 inside
http 171.71.86.0 255.255.254.0 inside
http 10.155.16.0 255.255.252.0 inside
http 10.155.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community 329ixwort
no snmp-server enable traps
floodguard enable
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer ATT_MissionVPN
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 96.252.254.5
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 30 ipsec-isakmp
crypto map outside_map 30 match address outside_cryptomap_30
crypto map outside_map 30 set peer 198.23.5.32
crypto map outside_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 30 set security-association lifetime seconds 28800 kilobytes 4194303
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer 199.45.47.132
crypto map outside_map 40 set transform-set ESP-AES-256-SHA
crypto map outside_map 50 ipsec-isakmp
crypto map outside_map 50 match address outside_cryptomap_50
crypto map outside_map 50 set pfs group2
crypto map outside_map 50 set peer 155.165.255.4
crypto map outside_map 50 set transform-set ESP-3DES-SHA
crypto map outside_map 60 ipsec-isakmp
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address ATT_MissionVPN netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address Verizon_VPN netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 96.252.254.5 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 199.45.47.132 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 155.165.255.4 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 198.23.5.32 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 208.39.107.230 netmask 255.255.255.255
isakmp key ******** address 208.39.107.233 netmask 255.255.255.255
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
telnet timeout 5
ssh 192.133.216.135 255.255.255.255 inside
ssh SciCare_Pool 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh 64.100.0.0 255.252.0.0 inside
ssh timeout 5
console timeout 0
username Manager password Q.kWaaSUnawXMOX9 encrypted privilege 15
terminal width 80
Cryptochecksum:11e39925a7492911668dea0ec3eba720
: end

lwr05-ca-vpn1#sh run | i pool
ip nat pool PAT_POOL 192.133.192.242 192.133.192.242 netmask 255.255.255.248
ip nat pool VZ_POOL 192.133.192.248 192.133.192.255 netmask 255.255.255.248
ip nat pool SA_POOL 192.168.41.121 192.168.41.250 netmask 255.255.255.0
ip nat pool TUN_POOL 10.200.255.8 10.200.255.15 netmask 255.255.255.248 add-route
ip nat pool PAT_POOL_VERIZON_REDBOX 192.133.192.243 192.133.192.243 netmask 255.255.255.248
ip nat source list TUN_TO_MGMT pool TUN_POOL
ip nat inside source list SA_USERS pool SA_POOL
ip nat inside source route-map PAT_TO_PIX-VPN pool PAT_POOL overload
ip nat inside source route-map PAT_TO_PIX-VPN-VERIZON-REDBOX pool PAT_POOL_VERIZON_REDBOX overload
ip nat inside source route-map VZ_NAT pool VZ_POOL
lwr05-ca-vpn1#sh route-map
route-map VZ_NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): VZ_USERS
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map IF_PAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): SA_IFPAT
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map SA_NAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): SA_USERS
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map TEST, permit, sequence 10
  Match clauses:
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map PAT_TO_PIX-VPN-VERIZON-REDBOX, permit, sequence 10
  Match clauses:
    ip address (access-lists): VERIZON_REDBOX
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
route-map PAT_TO_PIX-VPN, permit, sequence 10
  Match clauses:
    ip address (access-lists): SA_TO_PAT
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
lwr05-ca-vpn1#sh access-lists VERIZON_REDBOX
Extended IP access list VERIZON_REDBOX
    10 permit ip any 10.200.200.0 0.0.0.255 (19 matches)
lwr05-ca-vpn1#sh run | i ip route
ip route 0.0.0.0 0.0.0.0 192.133.193.241 name Default_to_PIX
ip route 10.4.254.0 255.255.255.192 192.133.193.241 name Verizon_copernicus
ip route 10.10.10.4 255.255.255.255 192.133.193.241 name MusicChoice_TEMP
ip route 10.85.8.143 255.255.255.255 192.133.193.241 name VerizonHost
ip route 10.135.2.27 255.255.255.255 192.133.193.241 name FairpointNH_VPN
ip route 10.168.84.238 255.255.255.255 192.133.193.241 name Contec_Mexico
ip route 10.185.24.194 255.255.255.255 192.133.193.241 name Turner_Lab_VPN_TEMP
ip route 10.200.148.208 255.255.255.240 10.1.4.194 name TEMP_FAIRPOINT
ip route 10.200.149.208 255.255.255.240 10.1.4.234 name Temp_HKC
ip route 10.200.198.0 255.255.255.240 192.133.193.241 name Verizon_NAT
ip route 10.200.198.16 255.255.255.240 192.133.193.241 name VZ_Baltimore_VPN
ip route 10.200.198.32 255.255.255.240 192.133.193.241 name Verizon_RestonVA_temp
ip route 10.200.198.48 255.255.255.240 192.133.193.241
ip route 10.200.198.64 255.255.255.224 192.133.193.241
ip route 10.200.199.0 255.255.255.240 192.133.193.241 name Cox_SSL
ip route 10.200.200.0 255.255.255.0 192.133.193.241 name verizon_redbox
ip route 70.249.116.228 255.255.255.254 192.133.193.241 name ATT_MissionKS
ip route 172.16.64.16 255.255.255.240 192.133.193.241 name TW_Herndon_TEMP
ip route 172.20.100.10 255.255.255.255 192.133.193.241 name Seachage_VPN
ip route 192.133.200.0 255.255.255.224 192.133.193.241 name ISDS_NCC
ip route 192.133.200.32 255.255.255.240 192.133.193.241 name ISDS_NCC_P2P
ip route 192.133.202.2 255.255.255.255 192.133.193.241 name NCC_VPN
ip route 192.133.203.88 255.255.255.248 192.133.193.241 name ISDS_NCC
ip route 192.168.1.2 255.255.255.255 192.133.193.241 name NDS_Israel_VPN
ip route 192.168.41.0 255.255.255.0 Null0
ip route 192.168.116.34 255.255.255.255 192.133.193.241 name SBB_VPN_L2681
ip route 192.168.125.38 255.255.255.255 192.133.193.241 name SBB_VPN_L2380
ip route 200.79.192.23 255.255.255.255 192.133.193.241 name CableMas_ChihuahuaMX
ip route 200.94.160.10 255.255.255.255 192.133.193.241 name CableMas_JuarezMX

Also, the router's static NAT statements:

ip nat outside source static 10.124.90.250 10.200.200.4

ip nat outside source static 10.124.90.251 10.200.200.5

ip nat outside source static 10.124.90.252 10.200.200.6

ip nat outside source static 10.124.95.250 10.200.200.1

ip nat outside source static 10.124.95.251 10.200.200.2

ip nat outside source static 10.124.95.252 10.200.200.3
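To check the PIX side against what the router hands it, here is an added example (Python written for this thread; not part of the posted configuration and not Cisco code) that parses the relevant lines of the show run above into name aliases, network object-groups, ACLs, the nat 0 ACL and crypto map entries, and reports for a given source/destination pair whether nat 0 exempts it from translation and which crypto map entry and peer would claim it. The excerpt embedded in the block is trimmed from the posted show run; the inside host 10.155.1.20 is invented. Two things worth looking at with it: the flow the router's PAT and static NAT produce (192.133.192.243 to 10.124.90.250) is nat 0 exempt and lands on crypto map entry 60, while a flow to the 216.46.255.0/26 "customer subnet" line of outside_cryptomap_60 matches the crypto ACL but no nat 0 line. PIX 6.3 requires a translation for every inside-to-outside flow and the posted show run has no nat (inside) 1 statement, so the PIX would drop that second flow before the crypto map is consulted.

```python
import ipaddress

# Excerpt of the PIX 6.3(5) show run posted above, trimmed to the lines the
# flow check needs (name aliases, object-groups, the nat 0 ACL, crypto ACLs
# and crypto map entries 20 and 60). Assembled for this example.
PIX_CONFIG = """\
name 192.133.192.242 PAT_to_PIX-VPN
name 192.168.41.0 SciCare_Pool
name 10.4.254.0 Verizon_copernicus
name 10.85.4.128 Verizon_TaBlm1
name 10.124.90.240 verizon_redbox1
name 10.124.95.240 verizon_redbox2
name 192.133.192.243 verizon_redbox_pat_pool
object-group network Verizon_Multi
  network-object Verizon_TaBlm1 255.255.255.240
  network-object Verizon_copernicus 255.255.255.192
object-group network PAT-AND-NATPOOL
  network-object PAT_to_PIX-VPN 255.255.255.255
  network-object SciCare_Pool 255.255.255.0
object-group network verizon_redbox_multi
  network-object verizon_redbox1 255.255.255.240
  network-object verizon_redbox2 255.255.255.240
object-group network verizon_redbox
  network-object verizon_redbox_pat_pool 255.255.255.255
  network-object SciCare_Pool 255.255.255.0
access-list inside_outbound_nat0_acl permit ip object-group PAT-AND-NATPOOL object-group Verizon_Multi
access-list inside_outbound_nat0_acl permit ip object-group verizon_redbox object-group verizon_redbox_multi
access-list outside_cryptomap_20 permit ip object-group PAT-AND-NATPOOL object-group Verizon_Multi
access-list outside_cryptomap_60 permit ip object-group verizon_redbox object-group verizon_redbox_multi
access-list outside_cryptomap_60 permit ip host verizon_redbox_pat_pool 216.46.255.0 255.255.255.192
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 96.252.254.5
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 208.39.107.230
"""


def _net(names, addr, mask):
    """Resolve a PIX name alias and build a network from address + dotted mask."""
    return ipaddress.ip_network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _addr(names, groups, tok):
    """Consume one ACL address operand; return (list of networks, remaining tokens)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "host":
        return [_net(names, tok[1], "255.255.255.255")], tok[2:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    return [_net(names, tok[0], tok[1])], tok[2:]


def parse_pix(text):
    """Pull names, network object-groups, ACLs, the nat 0 ACL and crypto map
    entries out of PIX 6.3 show run text; every other line is ignored."""
    names, groups, acls, cmap, nat0, group = {}, {}, {}, {}, None, None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "description":
            continue
        if t[0] == "name":
            names[t[2]] = t[1]
        elif t[:2] == ["object-group", "network"]:
            group = groups.setdefault(t[2], [])
        elif t[0] == "network-object":
            if t[1] == "host":
                group.append(_net(names, t[2], "255.255.255.255"))
            else:
                group.append(_net(names, t[1], t[2]))
        elif t[0] == "access-list" and t[2] in ("permit", "deny"):
            src, rest = _addr(names, groups, t[4:])
            dst, _ = _addr(names, groups, rest)   # port/icmp-type qualifiers ignored
            acls.setdefault(t[1], []).append((t[2], t[3], src, dst))
        elif t[:3] == ["nat", "(inside)", "0"]:
            nat0 = t[4]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            cmap.setdefault(int(t[3]), {})["acl"] = t[6]
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            cmap.setdefault(int(t[3]), {})["peer"] = t[6]
    return {"acls": acls, "nat0": nat0, "cmap": cmap}


def acl_permits(cfg, acl_name, src, dst, proto="ip"):
    """PIX ACLs are first-match with an implicit deny at the end."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts in cfg["acls"].get(acl_name, []):
        if p in ("ip", proto) and any(src in n for n in srcs) and any(dst in n for n in dsts):
            return action == "permit"
    return False


def classify(cfg, src, dst):
    """What the posted PIX does with a flow entering on the inside interface."""
    verdict = {"nat0_exempt": acl_permits(cfg, cfg["nat0"], src, dst),
               "crypto_seq": None, "peer": None}
    for seq in sorted(cfg["cmap"]):  # crypto map entries are tried in sequence order
        if acl_permits(cfg, cfg["cmap"][seq]["acl"], src, dst):
            verdict["crypto_seq"] = seq
            verdict["peer"] = cfg["cmap"][seq].get("peer")
            break
    return verdict


CFG = parse_pix(PIX_CONFIG)

if __name__ == "__main__":
    for flow in [("192.133.192.243", "10.124.90.250"),   # what the router's NAT produces
                 ("192.133.192.243", "216.46.255.10"),   # the "customer subnet" crypto line
                 ("10.155.1.20", "10.124.90.250")]:      # invented host that bypassed the PAT
        print(flow, classify(CFG, *flow))
```

The same acl_permits call works for inside_access_in and outside_access_in if those lines are added to the excerpt; port and ICMP-type qualifiers after the destination are ignored, so treat its answer as "the addresses match" rather than a full packet-filter decision.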