08-13-2012 03:55 AM
Hi,
I have an issue with several 800 series routers.
This router was upgraded to 12.4(24)T7 and it is since this that we have started seeing the issue. It was subsequently downgraded.
router#sh ver
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(24)T6, RELEASE SOFTWARE (fc2)
When I turn on telnet and ssh debugging I see sessions as they arrive on the internal interface, but not externally.
router#sh deb
TCP:
TCP Packet debugging is on for address x.x.x.x, port number 2222, incoming packets
TELNET:
Incoming Telnet debugging is on
SSH:
Incoming SSH debugging is on
As you can see, tcp debugging shows my external connection coming in and I get a TCP reset back. x.x.x.x was my office public IP, y.y.y.y is the customer's router public IP.
Aug 13 11:34:39.957: tcp0: I LISTEN x.x.x.x:62614 y.y.y.y:2222 seq 2937972774 OPTS 24 SYN WIN 65535
Aug 13 11:34:39.957: TCP: sent RST to x.x.x.x:62614 from y.y.y.y:2222
It should be listening by the looks of things.
router#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:22 *:0 SSH-Server LISTEN
tcp *:23 *:0 Telnet LISTEN
tcp *:23 192.168.0.240:33329 Telnet ESTABLIS
tcp *:2222 *:0 SSH-Server LISTEN
tcp *:1723 *:0 PPTP LISTEN
udp *:55724 *:0 IP SNMP LISTEN
udp *:123 *:0 NTP LISTEN
udp *:161 *:0 IP SNMP LISTEN
udp *:162 *:0 IP SNMP LISTEN
The IP y.y.y.y is negotiated with IPCP.
interface Dialer0
ip address negotiated
ip access-group 100 in
ip mtu 1492
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user@isp.realm
ppp chap password 0 xxxxxx
router#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
y.0.0.0/32 is subnetted, 1 subnets
C y.y.y.y is directly connected, Dialer0
a.a.a.0/32 is subnetted, 1 subnets
C a.a.a.a is directly connected, Dialer0
C 192.168.0.0/24 is directly connected, Vlan1
S* 0.0.0.0/0 is directly connected, Dialer0
Access list 100 explicitly permits my office subnet, as does access list 23.
line vty 0 4
access-class 23 in
privilege level 15
login local
rotary 1
transport input all
transport output all
And rotary 1 maps to 2222.
I see the same problem with telnet and ssh (on the rotary and port 22) from outside, however inside it works without a hitch. I've tried messing with the login local and access lists to no avail. I suspect that IPCP is significant in this.
'Shaun' in this thread appears to have the exact same issue.
Many thanks to anyone who takes the time to help me with this. If you need any more info please let me know.
Regards,
Tom
08-13-2012 05:10 AM
Post complete config.
Note you don't need ip tcp adjust-mss on the dialer. Also not needed: ip access-group and inspect.
08-14-2012 08:17 AM
Current configuration : 5436 bytes
!
! Last configuration change at 11:11:24 BST Mon Aug 13 2012 by admin
! NVRAM config last updated at 11:01:33 BST Mon Aug 13 2012 by admin
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname customer-name
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
!
no aaa new-model
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
clock save interval 24
!
!
dot11 syslog
ip source-route
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip domain name customer-name.local
ip name-server 192.168.0.100
!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username admin privilege 15 password 0 password
username userb password 0 1
username userc password 0 2
username userd password 0 3
username usere password 0 4
username userf password 0 5
username userg password 0 6
username userh password 0 7
username useri password 0 8
username userj password 0 9
username userk password 0 0
username userl password 0 -
username userm password 0 =
!
!
!
archive
log config
hidekeys
!
!
ip ssh port 2222 rotary 1
ip ssh source-interface Dialer0
!
!
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
peer default ip address pool dialin
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface Dialer0
ip address negotiated
ip access-group 100 in
ip mtu 1492
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname user@isp.realm
ppp chap password 0 password
!
ip local pool dialin 192.168.0.240 192.168.0.250
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.240 25 y.y.y.y 25 extendable
ip nat inside source static tcp 192.168.0.240 80 y.y.y.y 80 extendable
ip nat inside source static tcp 192.168.0.240 110 y.y.y.y 110 extendable
ip nat inside source static tcp 192.168.0.240 443 y.y.y.y 443 extendable
ip nat inside source static tcp 192.168.0.100 3389 y.y.y.y 3389 extendable
ip nat inside source static tcp 192.168.0.28 3389 y.y.y.y 3390 extendable
ip nat inside source static tcp 192.168.0.33 3389 y.y.y.y 3391 extendable
ip nat inside source static tcp 192.168.0.2 3389 y.y.y.y 3392 extendable
ip nat inside source static tcp 192.168.0.240 3389 y.y.y.y 3395 extendable
!
logging trap debugging
logging origin-id hostname
logging x.x.x.x
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit a.b.c.d 0.0.0.63
access-list 23 permit e.f.g.h 0.0.0.7
access-list 23 permit i.j.k.l 0.0.0.127
access-list 25 permit x.x.x.x 0.0.0.127
access-list 100 permit tcp host x.x.x.1 any eq telnet
access-list 100 permit tcp any host y.y.y.y eq 3390
access-list 100 permit tcp any host y.y.y.y eq 3391
access-list 100 permit tcp any host y.y.y.y eq www
access-list 100 permit tcp any host y.y.y.y eq 443
access-list 100 permit tcp any host y.y.y.y eq smtp
access-list 100 permit tcp any host y.y.y.y eq pop3
access-list 100 permit tcp any host y.y.y.y eq 1723
access-list 100 permit gre any any
access-list 100 permit icmp any any echo
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any host y.y.y.y echo-reply
access-list 100 permit icmp any host y.y.y.y time-exceeded
access-list 100 permit icmp any host y.y.y.y unreachable
access-list 100 permit ip e.f.g.h 0.0.0.7 any
access-list 100 permit ip a.b.c.d 0.0.0.63 any
access-list 100 permit udp any host y.y.y.y eq ntp
access-list 100 permit ip e.f.g.1 0.0.0.7 any
access-list 100 permit ip x.x.x.x 0.0.0.127 any
access-list 100 deny ip any any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
snmp-server community public RO 25
snmp-server ifindex persist
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
rotary 1
transport input all
transport output all
!
scheduler max-task-time 5000
ntp server 192.43.244.18
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thanks Paolo,
Hope this helps.
Regards,
Tom
08-14-2012 11:21 AM
Try removing ip access-group. With NAT, is not needed anyway.
08-15-2012 05:01 AM
I have tried that and it doesn't resolve the issue. We need the access list on the dialer as we wish to restrict access to some devices to certain subnets. Our subnet has an allow rule in the access list and this definitely works.
I have also tried removing list 23 from the vty but, again, this has had no impact on the issue.
08-15-2012 01:34 PM
Just to clarify, even if that does not resolve it, consider that when you have NAT, it's impossible for external packets to come in unless a translation has been created from inside. That is why the ACL is not needed.
Anyway, another cause can be the rotary statement; try removing it.
08-16-2012 02:46 AM
Hi Paolo,
My concern is due to the static NAT translations which port forward to servers. In particular, I have seen brute force attacks on Microsoft remote desktop which is why I firewall these to only permit trusted subnets.
I've tried removing the rotary but this has made no improvement. It was only added during the troubleshooting process.
Thanks for your patience.
Regards,
Tom
08-19-2012 03:34 PM
Have you tried taking the access-class off the vtys?
Sent from Cisco Technical Support iPad App
08-20-2012 06:21 AM
I had tried that but it made no difference.
03-06-2017 11:07 PM - last edited on 03-09-2022 11:18 PM by smallbusiness
Just in case someone else runs it this issue. I've just experienced the same issue (SSH on Dialer IP triggers a TCP RST) on a C887VAG-4G-GA-K9 with IOS 15.4(3)M3. The static NAT to the loopback still works.
08-20-2012 07:46 PM
Hi Tom,
Seems like an IOS issue because I have the same problem on a c1841 after doing an upgrade from my c1751, where the same config worked perfectly. As soon as I went to the c1841 I got this problem, and again, the config is virtually identical. I'll keep digging and let you know if I find the fix.
Thanks again,
Oleg
08-21-2012 01:09 AM
Hi Oleg,
Do you get an IP by IPCP? I can't test with a static IP on my dialer as the router is on a customer site and I can't cause disruption. I'm going to get out a spare 877 and try the config on that. If it exhibits the same issue I'll try using a static IP and see if that helps.
Regards,
Tom
08-21-2012 07:09 AM
Hi Tom.
I have an identical setup to yours. All the same, just no ip inspect on my routers.
Anyway, I did a workaround for that issue which works just fine. You can try that and let me know. The idea is to create a loopback interface on the router and then build a static NAT entry from the public address to the loopback address. I did that for SSH and it works like a charm.
Let me know if that helps.
Thanks again,
Oleg
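Oleg's loopback workaround written out as IOS configuration. This is an added example, not config posted by Tom or Oleg; Loopback0, its 10.255.255.1 address and the ssh-only vty transport are assumptions, while access-list 23, Dialer0 and port 2222 are taken from Tom's config above.

```cisco
! Added example (not the posters' own config): reach the SSH server through
! a loopback instead of the IPCP-negotiated Dialer0 address, which answers
! with a TCP RST in this thread.
!
! 1. Loopback with a placeholder /32 (assumed address). It is marked as a
!    NAT inside interface so the static entry below is applied to it.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 ip nat inside
!
! 2. Static PAT: <Dialer0 address>:2222 -> 10.255.255.1:22. The
!    "interface Dialer0" form, rather than a literal y.y.y.y as in Tom's
!    existing entries, keeps working when IPCP hands out a new address.
!    SSH still listens on 22 even with "ip ssh port 2222 rotary 1" set, as
!    Tom's "sh control-plane host open-ports" output shows.
ip nat inside source static tcp 10.255.255.1 22 interface Dialer0 2222
!
! 3. Management access stays restricted. The inbound ACL on Dialer0 is
!    checked before the outside-to-inside translation, so it sees the public
!    destination; Tom's "permit ip <office subnet> any" in access-list 100
!    already covers this. The vty access-class matches the untranslated
!    source address, so access-list 23 keeps doing its job unchanged.
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
! Checks after applying: "show ip nat translations" lists the static
! 2222 -> 22 entry, and the same TCP packet debug Tom used (now on port 22)
! should show the SYN accepted instead of "sent RST".
```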
08-22-2012 09:58 PM
I have seen this problem before. When you specify NAT with an extended access list which includes permit any it impacts remote access. The solution is simple. Since your access list is only specifying the source address and permit destination any then you can easily rewrite it as a standard access list. I suggest that you rewrite access list 102 as access list 2 specifying the same source network and then use it in your NAT configuration.
HTH
Rick
Sent from Cisco Technical Support iPad App
08-22-2012 10:09 PM
Rick,
Thanks for your reply. In fact I did try to play with the ACLs, flipping them to standard, and it had no effect; Telnet and SSH were still treated the same, with a TCP RST sent back to the initiator. As I mentioned, the workaround I implemented provides what I needed, so I can think of that case as closed. Not sure about Tom, whether he tried that or found another solution.
Thanks again,
Oleg