09-25-2012 05:12 AM
Hi Everyone,
I have a similar problem: I'm able to connect via the VPN client and ping only one host on the remote LAN and nothing else. I'm using both split-tunnel and non-split-tunnel, but neither has worked. My main objective is to let the remote user connect to the office LAN (the remote LAN for him) and the office Internet connection. Neither of these objectives is fulfilled by my configuration given below:
Please have a look, any help will be highly appreciated.
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name xxx.xxx
enable password PYCOFbMCV52U4BMk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.251 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.32
name-server 221.132.112.8
domain-name xxx.xxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
access-list GVSKhiNW standard permit 192.168.2.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.5.0 255.255.255.0 management
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set pfs group1
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy newgrp internal
group-policy newgrp attributes
dns-server value 192.168.2.32 221.132.112.8
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GVSKhiNW
default-domain value GVS.Khi
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
dns-server value 192.168.2.32
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelall
split-tunnel-network-list none
username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15
username ajmal attributes
vpn-group-policy company-vpn-policy
username mali password xPY4CsMWghZDv83P encrypted privilege 0
username mali attributes
vpn-group-policy newgrp
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group newgrp type remote-access
tunnel-group newgrp general-attributes
address-pool VPNPOOL
default-group-policy newgrp
tunnel-group newgrp ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a7720c723cdc74148690b044fee171c3
: end
Thanks.
09-25-2012 05:35 AM
Hi Ali,
Relevant configuration:
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
nat (inside) 0 access-list NONAT
!
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy
!
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
dns-server value 192.168.2.32
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelall
split-tunnel-network-list none
!
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
******************************
Now, you said you can only ping one host, does this host have the same default-gateway as the rest?
Please do the following:
capture capin interface inside match icmp 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
capture drop type asp all
Then try to ping a couple of internal devices, once done, issue the following commands:
show capture capin
show capture drop | inc 192.168.20.
In addition, run this packet-tracer and attach the output:
packet-tracer input inside icmp 192.168.2.80 8 0 192.168.20.x detail ----> "192.168.20.x" should be the IP address of your VPN client, "192.168.2.80" is just a test, does not matter if it is not alive.
Thanks.
Portu.
Please rate any helpful posts.
Message was edited by: Javier Portuguez
09-25-2012 06:21 AM
Hey Portu,
Thanks for hitting back.
Here is the output of the first command:
Result of the command: "show capture capin"
14 packets captured
1: 21:40:36.200902 192.168.20.1 > 192.168.2.10: icmp: echo request
2: 21:40:46.139076 192.168.20.1 > 192.168.2.10: icmp: echo request
3: 21:41:00.894790 192.168.20.1 > 192.168.2.9: icmp: echo request
4: 21:41:01.137154 192.168.20.1 > 192.168.2.10: icmp: echo request
5: 21:41:06.487310 192.168.20.1 > 192.168.2.10: icmp: echo request
6: 21:41:10.754782 192.168.20.1 > 192.168.2.9: icmp: echo request
7: 21:41:11.158362 192.168.20.1 > 192.168.2.10: icmp: echo request
8: 21:41:12.141487 192.168.20.1 > 192.168.2.150: icmp: echo request
9: 21:41:15.628431 192.168.20.1 > 192.168.2.9: icmp: echo request
10: 21:41:16.129464 192.168.20.1 > 192.168.2.10: icmp: echo request
11: 21:41:17.133415 192.168.20.1 > 192.168.2.150: icmp: echo request
12: 21:41:31.168646 192.168.20.1 > 192.168.2.10: icmp: echo request
13: 21:41:36.130547 192.168.20.1 > 192.168.2.10: icmp: echo request
14: 21:42:11.143043 192.168.20.1 > 192.168.2.10: icmp: echo request
14 packets shown
and 2nd command output goes here:
Result of the command: "conf term"
The command has been sent to the device
Result of the command: "packet-tracer input inside icmp 192.168.2.35 8 0 192.168.20.1 detail"
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa798f720, priority=12, domain=capture, deny=false
hits=18807, user_data=0xa798f4f8, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa7343ef8, priority=1, domain=permit, deny=false
hits=3740, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.20.1 255.255.255.255 outside
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa73469c8, priority=0, domain=permit-ip-option, deny=true
hits=97, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa7345cd8, priority=66, domain=inspect-icmp-error, deny=false
hits=14, user_data=0xa7345c08, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa73b48d8, priority=12, domain=capture, deny=false
hits=2, user_data=0xa798f4f8, cs_id=0xa71c6278, reverse, flags=0x0, protocol=1
src ip=192.168.2.0, mask=255.255.255.0, port=0
dst ip=192.168.20.0, mask=255.255.255.0, port=0, dscp=0x0
Phase: 8
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 192.168.2.0 255.255.255.0 outside 192.168.20.0 255.255.255.192
NAT exempt
translate_hits = 8, untranslate_hits = 234
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa61d1ec8, priority=6, domain=nat-exempt, deny=false
hits=7, user_data=0xa73b0ce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.2.0, mask=255.255.255.0, port=0
dst ip=192.168.20.0, mask=255.255.255.192, port=0, dscp=0x0
Phase: 9
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (110.93.211.67 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa73b4708, priority=1, domain=nat, deny=false
hits=7, user_data=0xa73b4668, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any outside any
dynamic translation to pool 1 (110.93.211.67 [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xa73b4a20, priority=1, domain=host, deny=false
hits=274, user_data=0xa73b4668, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xa6dc2858, priority=70, domain=encrypt, deny=false
hits=45, user_data=0x2654, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=192.168.20.1, mask=255.255.255.255, port=0, dscp=0x0
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 295, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow.
The default gateway was something else; when I put the actual gateway, the ping is lost now.
What could be wrong?
Thanks.
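The capture Portu asked for matches ICMP between the VPN pool and the inside subnet, and an ASA capture `match` clause is bidirectional, so echo replies from inside hosts would show up in the same capture if they came back through the ASA. The output above contains only echo requests from 192.168.20.1, which is the one-way pattern that points at the return path rather than at the tunnel. The script below is an added example (not from the thread or from Cisco) that parses `show capture` output in that format and reports, per inside host, how many requests went in and how many replies came back; the sample text is constructed from the posted lines plus one fabricated reply so the healthy case is visible too, and the function names are my own.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the "show capture <name>" format seen in the thread.
# Lines 1-3 and 5-7 mirror the posted echo requests; line 4 is a fabricated
# echo reply so the output shows what a host with a working return path looks like.
SAMPLE_CAPTURE = """\
7 packets captured
1: 21:40:36.200902 192.168.20.1 > 192.168.2.10: icmp: echo request
2: 21:40:46.139076 192.168.20.1 > 192.168.2.10: icmp: echo request
3: 21:41:00.894790 192.168.20.1 > 192.168.2.9: icmp: echo request
4: 21:41:00.895120 192.168.2.9 > 192.168.20.1: icmp: echo reply
5: 21:41:12.141487 192.168.20.1 > 192.168.2.150: icmp: echo request
6: 21:41:17.133415 192.168.20.1 > 192.168.2.150: icmp: echo request
7: 21:41:31.168646 192.168.20.1 > 192.168.2.10: icmp: echo request
7 packets shown
"""

# One ICMP echo line: "<n>: <hh:mm:ss.usec> <src> > <dst>: icmp: echo request|reply"
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+"
    r"icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def parse_capture(text):
    """Return (timestamp, src, dst, kind) for each ICMP echo line.
    The 'N packets captured/shown' header and footer and any non-echo packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["ts"], m["src"], m["dst"], m["kind"]))
    return packets


def reply_summary(packets, client_net):
    """Per inside destination: (echo requests sent from client_net, echo replies
    that came back to client_net).  Returns {dst_ip: (requests, replies)}."""
    net = ip_network(client_net)
    stats = defaultdict(lambda: [0, 0])
    for _ts, src, dst, kind in packets:
        if kind == "request" and ip_address(src) in net:
            stats[dst][0] += 1
        elif kind == "reply" and ip_address(dst) in net:
            stats[src][1] += 1
    return {dst: tuple(counts) for dst, counts in stats.items()}


def silent_hosts(summary):
    """Destinations that received echo requests but never answered through the ASA.
    This is the one-way pattern that points at the inside host's return route
    (or NAT on the way back), not at the VPN tunnel itself."""
    return sorted(dst for dst, (req, rep) in summary.items() if req and not rep)


if __name__ == "__main__":
    summary = reply_summary(parse_capture(SAMPLE_CAPTURE), "192.168.20.0/24")
    for dst, (req, rep) in sorted(summary.items()):
        print(f"{dst:16} requests={req} replies={rep}")
    print("no replies from:", silent_hosts(summary))
```

Run against the real `show capture capin` text from the post, every inside host ends up in the "no replies" list, which is the same conclusion Portu reaches below from the packet-tracer: the ASA forwards the request, so the next thing to check is how each inside host routes 192.168.20.0/24 back.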
09-25-2012 12:31 PM
Dear Ali,
According to the previous outputs, everything points to a routing issue.
Please check if there is any difference between the one working and the ones failing.
Thanks.
Portu.
09-30-2012 12:18 PM
Hi Portu,
Thanks for replying. I tried a few things over the weekend; here is my scenario:
1) I have a Cisco 1941 Router connected to Internet with x.x.x.66 IP, and my LAN users access Internet through this IP
2) I have setup x.x.x.67 ip on ASA outside (which is coming from the same WAN Switch as x.x.x.66)
3) LAN users are on 192.168.2.0/24
4) VPN-users are on 193.168.20.0/24
Now the VPN connects fine, users are able to use my Internet and access LAN resources, but the problem is inside the LAN. My LAN users get an IP address of x.x.x.67 instead of x.x.x.66 (which is configured on my router) dynamically. It creates a problem and the Internet disconnects for these users; not all users face this problem, and it is happening intermittently. There is some routing issue that I'm unable to track. I'm pasting my 'show run' and 'show route' command output here:
Show route:
Result of the command: "show route"
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is x.x.x.65 to network 0.0.0.0
C x.x.x.64 255.255.255.240 is directly connected, outside
S 192.168.20.1 255.255.255.255 [1/0] via 110.93.211.67, outside
C 192.168.2.0 255.255.255.0 is directly connected, inside
S* 0.0.0.0 0.0.0.0 [1/0] via 110.93.211.65, outside
Result of the command: "show run"
: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasa
domain-name GVS.Khi
enable password PYCOFbMCV52U4BMk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.67 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.2.251 255.255.255.0
!
interface Ethernet0/2
nameif Proxy
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.5.1 255.255.255.0
management-only
!
ftp mode passive
dns domain-lookup outside
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.2.32
name-server 221.132.112.8
domain-name GVS.Khi
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list NONAT extended permit ip any 192.168.20.0 255.255.255.192
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
access-list GVSKhiNW standard permit 192.168.20.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 inactive
access-list outside_access_in extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0 inactive
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Proxy 1500
mtu management 1500
ip local pool VPNPOOL 192.168.20.1-192.168.20.50
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.2.0 192.168.20.0 netmask 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 110.93.211.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.5.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set RA-TS esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set pfs group1
crypto dynamic-map DYN_MAP 10 set transform-set RA-TS
crypto dynamic-map DYN_MAP 10 set security-association lifetime seconds 28800
crypto dynamic-map DYN_MAP 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map VPN_MAP 30 ipsec-isakmp dynamic DYN_MAP
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
telnet timeout 5
ssh 10.10.10.0 255.255.255.0 Proxy
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 192.168.5.2-192.168.5.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy mike internal
group-policy mike attributes
dns-server value 192.168.2.32 221.132.112.8
vpn-tunnel-protocol IPSec
group-policy newgrp internal
group-policy newgrp attributes
dns-server value 192.168.2.32 221.132.112.8
vpn-tunnel-protocol IPSec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GVSKhiNW
default-domain value GVS.Khi
group-policy company-vpn-policy internal
group-policy company-vpn-policy attributes
dns-server value 192.168.2.32
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value GVSKhiNW
username mike password toD4sjjR/2JqetDT encrypted privilege 0
username mike attributes
vpn-group-policy mike
username ajmal password RFhaYswjfEEiEFRF encrypted privilege 15
username ajmal attributes
vpn-group-policy company-vpn-policy
username mali password xPY4CsMWghZDv83P encrypted privilege 0
username mali attributes
vpn-group-policy mike
username alijp password 9Q013RdPhfwzmUho encrypted privilege 0
username alijp attributes
vpn-group-policy mike
tunnel-group vpnclient type remote-access
tunnel-group vpnclient general-attributes
address-pool VPNPOOL
default-group-policy company-vpn-policy
tunnel-group vpnclient ipsec-attributes
pre-shared-key *
tunnel-group newgrp type remote-access
tunnel-group newgrp general-attributes
address-pool VPNPOOL
default-group-policy newgrp
tunnel-group newgrp ipsec-attributes
pre-shared-key *
tunnel-group mike type remote-access
tunnel-group mike general-attributes
address-pool VPNPOOL
default-group-policy mike
tunnel-group mike ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b852a4d95ee424dc367d2131ec7ddcda
: end
There must be a NAT issue as well... I'm not yet able to track it. I will be thankful for any helpful suggestions.
Thanks
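The second `show run` above has four kinds of NAT statement competing for the same flows: the `nat 0 access-list NONAT` exemption, a `static (outside,inside)` that presents the VPN pool to the inside as 192.168.2.0/24, a `nat (outside) 1` for hairpinned VPN clients, and the catch-all `nat (inside) 1 0.0.0.0 0.0.0.0` with `global (outside) 1 interface`. The script below is an added example, not from the thread or from Cisco, that parses those lines and answers "which rule does this flow hit?" using the pre-8.3 order of precedence as I understand it from the ASA documentation (NAT exemption, then static, then policy NAT, then regular dynamic NAT/PAT); it also flags a static whose mapped network overlaps the subnet directly connected to the mapped interface, because the translated addresses then collide with real hosts there. The config excerpt is copied from the posted lines, the inside subnet comes from `interface Ethernet0/1`, and the function names are mine.

```python
from ipaddress import ip_address, ip_network

# Constructed excerpt: the NAT-related lines from the second "show run" in this
# thread (ASA 8.0(4), pre-8.3 NAT syntax).
ASA_NAT_CONFIG = """\
access-list NONAT extended permit ip any 192.168.20.0 255.255.255.192
access-list NONAT remark ***VPN****
access-list NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.192
global (outside) 1 interface
nat (outside) 1 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (outside,inside) 192.168.2.0 192.168.20.0 netmask 255.255.255.0
"""
# Directly connected subnets, from the interface section of the same config.
CONNECTED = {"inside": ip_network("192.168.2.0/24")}


def _take_net(tok, i):
    """Read 'any' or 'addr mask' at tok[i]; return (network, index after it)."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    return ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_nat_config(text):
    """Collect ACLs, nat/global/static statements into one dict (hypothetical layout)."""
    cfg = {"acl": {}, "exempt": {}, "policy": [], "dynamic": [], "static": [], "global": {}}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            src, i = _take_net(t, 5)
            dst, _ = _take_net(t, i)
            cfg["acl"].setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":          # nat 0 = exemption, nat N = policy NAT
                if nat_id == 0:
                    cfg["exempt"][ifc] = t[4]
                else:
                    cfg["policy"].append((ifc, nat_id, t[4]))
            else:                              # regular dynamic NAT/PAT
                cfg["dynamic"].append((ifc, nat_id, _take_net(t, 3)[0]))
        elif t[0] == "global":
            cfg["global"][(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":                 # static (real_if,mapped_if) mapped real netmask m
            real_if, mapped_if = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1] if "netmask" in t else "255.255.255.255"
            mapped = ip_network(f"{t[2]}/{mask}", strict=False)
            real = ip_network(f"{t[3]}/{mask}", strict=False)
            cfg["static"].append((real_if, mapped_if, mapped, real))
    return cfg


def classify(cfg, ingress, egress, src, dst):
    """Return (rule_kind, detail) for a flow entering 'ingress' and leaving 'egress',
    checked in pre-8.3 precedence: exemption, static, policy NAT, dynamic NAT/PAT."""
    s, d = ip_address(src), ip_address(dst)
    acl = cfg["exempt"].get(ingress)
    if acl and any(s in a and d in b for a, b in cfg["acl"].get(acl, [])):
        return ("exempt", acl)
    for real_if, mapped_if, mapped, real in cfg["static"]:
        if real_if == ingress and mapped_if == egress and s in real:
            # one-to-one: keep the host offset inside the mapped block
            translated = mapped.network_address + (int(s) - int(real.network_address))
            return ("static", str(translated))
    for ifc, nat_id, acl_name in cfg["policy"]:
        if ifc == ingress and any(s in a and d in b for a, b in cfg["acl"].get(acl_name, [])):
            return ("policy", cfg["global"].get((egress, nat_id), "no global"))
    for ifc, nat_id, net in cfg["dynamic"]:
        if ifc == ingress and s in net and (egress, nat_id) in cfg["global"]:
            return ("dynamic", cfg["global"][(egress, nat_id)])
    return ("none", None)


def overlapping_statics(cfg, connected):
    """Statics whose mapped network overlaps the subnet connected to the mapped
    interface, so translated addresses collide with real hosts on that segment."""
    return [(real_if, mapped_if, str(mapped))
            for real_if, mapped_if, mapped, _ in cfg["static"]
            if mapped_if in connected and mapped.overlaps(connected[mapped_if])]


if __name__ == "__main__":
    cfg = parse_nat_config(ASA_NAT_CONFIG)
    for flow in [("inside", "outside", "192.168.2.10", "192.168.20.5"),
                 ("inside", "outside", "192.168.2.10", "8.8.8.8"),
                 ("outside", "inside", "192.168.20.1", "192.168.2.10"),
                 ("outside", "outside", "192.168.20.1", "8.8.8.8")]:
        print(flow, "->", classify(cfg, *flow))
    print("statics overlapping a connected subnet:", overlapping_statics(cfg, CONNECTED))
```

The two results worth reading against the symptom described above: any inside host whose traffic reaches the ASA on its way to the Internet hits `nat (inside) 1` and leaves with the outside interface address (`interface`, i.e. x.x.x.67), and the `static (outside,inside)` maps the VPN pool onto 192.168.2.0/24, the same block the inside interface itself sits on. `packet-tracer` on the box gives the authoritative answer for one flow; this script only shows which rule the configuration text selects.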
09-30-2012 01:10 PM
Hello Ali,
Could you post the configuration of the 1941 router as well?
regards
Harish
10-01-2012 05:00 AM
Hi Harish,
Here you go:
I-NET-RTR#show run
I-NET-RTR#show running-config
Building configuration...
Current configuration : 7931 bytes
!
! Last configuration change at 07:54:37 UTC Mon Oct 1 2012
! NVRAM config last updated at 07:54:39 UTC Mon Oct 1 2012
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname I-NET-RTR
!
boot-start-marker
boot system flash:c1900-universalk9-mz.SPA.151-3.T3.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable password cisco
!
no aaa new-model
!
!
no ipv6 cef
ip source-route
no ip cef
!
!
!
ip dhcp binding cleanup interval 10
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool LAN-POOL-192.168.2.x
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server x.x.x.8
!
ip dhcp pool Hassan
host 192.168.130.130 255.255.255.0
client-identifier 0021.70f2.4283
default-router 192.168.130.1
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server x.x.x.8
ip name-server x.x.x.216
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4115022026
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4115022026
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-4115022026
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313135 30323230 3236301E 170D3132 30393239 30393030
35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313530
32323032 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B952 BFF21CA1 652B78A4 085080A9 F32B573E 7C4FDFFF C09D6E06 2B172FB1
96C8F379 9F0FDD56 74E86530 03306F40 CCF6D660 6BEE2989 E947513E 135AA0CC
3753DD4B D00FF446 FCF74E57 D4C25FD5 FBE289E9 34B135D7 F2D0C334 08EEEE62
DEB852CB 8964963F 7D891469 5CBF6EB4 401A8471 39A40F58 1CE56339 52B98390
AA010203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 146DC4B5 40E216FA 7CD4530F 04E862FC 33BB646F DD301D06
03551D0E 04160414 6DC4B540 E216FA7C D4530F04 E862FC33 BB646FDD 300D0609
2A864886 F70D0101 04050003 818100A7 709C3E0C EE2C5CE5 049D251B 846631BA
ECF529F4 6D1A0864 6467CA38 989D70E5 411F8B93 B6CBFFF3 82BC7AD2 445D896E
C75C86BA B0FEB57C B9FBC9E3 9CC071EA 3E3E0617 2324755B 2C25C3D5 906681C2
59D44CFA 9234C486 BD0D8FB0 799FF550 334942D2 C1CE1B0E 23E91A9F A154C957
0B831690 950604EC C98372E6 BCCA93
quit
license udi pid CISCO1941/K9 sn FGL153920HR
!
!
username admin privilege 15 secret 5 $1$XxeE$Vf2jPofcCJdvdxzKKoDY0/
username hassan secret 5 $1$QrC5$hH1EufXaqP71T1hGYv/Oz0
!
redundancy
!
!
!
!
!
track 2 ip sla 1 reachability
delay down 5 up 5
!
track 20 ip sla 20 reachability
delay down 2 up 2
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description *** Installed on 28/6/2012 ****
ip address x.x.x.66 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description *** LAN Interface ****
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1300
ip policy route-map FORHTTP
duplex auto
speed auto
!
interface FastEthernet0/0/0
description *** Connected to TCLDSL ***
ip address 10.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/0/1
description **** Proxy Server *****
no ip address
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map MULTINET interface GigabitEthernet0/0 overload
ip nat inside source route-map TCL interface FastEthernet0/0/0 overload
ip nat inside source static tcp 192.168.2.26 22 x.x.x.66 22 extendable
ip nat inside source static tcp 192.168.2.26 80 x.x.x.66 80 extendable
ip nat inside source static udp 192.168.2.12 1194 x.x.x.66 1194 extendable
ip nat inside source static tcp 192.168.2.12 2200 x.x.x.66 2200 extendable
ip nat inside source static tcp 192.168.2.53 2223 x.x.x.66 2223 extendable
ip nat inside source static tcp 192.168.2.54 2224 x.x.x.66 2224 extendable
ip nat inside source static tcp 192.168.2.52 2225 x.x.x.66 2225 extendable
ip nat inside source static tcp 192.168.2.26 3000 x.x.x.66 3000 extendable
ip nat inside source static tcp 192.168.2.52 3306 x.x.x.66 3306 extendable
ip nat inside source static tcp 192.168.2.26 8080 x.x.x.66 8080 extendable
ip nat inside source static tcp 192.168.2.30 8081 x.x.x.66 8081 extendable
ip nat inside source static tcp 192.168.2.37 8082 x.x.x.66 8082 extendable
ip nat inside source static tcp 192.168.2.37 8085 x.x.x.66 8085 extendable
ip nat inside source static tcp 192.168.2.37 8088 x.x.x.66 8088 extendable
ip nat inside source static tcp 192.168.2.28 8090 x.x.x.66 8090 extendable
ip nat inside source static tcp 192.168.2.53 8091 x.x.x.66 8091 extendable
ip nat inside source static tcp 192.168.2.53 8092 x.x.x.66 8092 extendable
ip nat inside source static tcp 192.168.2.28 8093 x.x.x.66 8093 extendable
ip nat inside source static tcp 192.168.2.28 8094 x.x.x.66 8094 extendable
ip nat inside source static tcp 192.168.2.52 8095 x.x.x.66 8095 extendable
ip nat inside source static tcp 192.168.2.52 8096 x.x.x.66 8096 extendable
ip route 0.0.0.0 0.0.0.0 10.1.1.2 100 track 2
ip route 0.0.0.0 0.0.0.0 x.x.x.65 track 20
ip route 192.168.2.0 255.255.255.0 10.10.10.3
ip route x.x.x.1 255.255.255.255 10.1.1.2 permanent
!
ip access-list extended FORHTTP
deny ip host 192.168.2.26 any
deny ip host 192.168.2.32 any
deny ip host 192.168.2.31 any
deny ip host 192.168.2.28 any
deny ip host 192.168.2.33 any
permit udp 192.168.2.0 0.0.0.255 any eq domain
permit tcp 192.168.2.0 0.0.0.255 any eq pop3
permit tcp 192.168.2.0 0.0.0.255 any eq 22
permit tcp 192.168.2.0 0.0.0.255 any eq smtp
permit tcp 192.168.2.0 0.0.0.255 any eq 143
permit tcp 192.168.2.0 0.0.0.255 any eq telnet
permit udp 192.168.2.0 0.0.0.255 any eq 33434
permit tcp 10.10.10.0 0.0.0.255 any eq pop3
permit tcp 10.10.10.0 0.0.0.255 any eq smtp
ip access-list extended FTP
permit tcp 10.10.10.0 0.0.0.255 any eq 22
permit tcp 10.10.10.0 0.0.0.255 any eq ftp
permit tcp 10.10.10.0 0.0.0.255 any eq ftp-data
permit tcp 10.10.10.0 0.0.0.255 any gt 1024
deny ip any any
ip access-list extended NAT-INTERNET
permit ip 10.10.10.0 0.0.0.255 any
!
ip sla 1
icmp-echo x.x.x.1 source-interface FastEthernet0/0/0
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 20
icmp-echo x.x.x.65 source-interface GigabitEthernet0/0
frequency 5
ip sla schedule 20 life forever start-time now
logging esm config
logging trap warnings
!
!
!
!
route-map TCL permit 10
match ip address NAT-INTERNET
match interface FastEthernet0/0/0
!
route-map MULTINET permit 10
match ip address NAT-INTERNET
match interface GigabitEthernet0/0
!
route-map TCL-server permit 10
match interface FastEthernet0/0/0
!
route-map FORHTTP permit 10
match ip address FORHTTP
set ip next-hop verify-availability 10.1.1.2 10 track 2
!
route-map FORHTTP permit 15
match ip address FTP
!
route-map multinetservers permit 10
match interface GigabitEthernet0/0
!
route-map multiserver permit 10
!
!
snmp-server community XXX
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
privilege level 15
password XXX
logging synchronous
login
transport input telnet ssh
line vty 5 15
privilege level 15
password XXX
logging synchronous
login
transport input telnet ssh
!
scheduler allocate 20000 1000
end
I-NET-RTR#
Thanks.