Secondary ip address on Nat outside causing VPN problem?

tmcfeely
Level 1

-- begin ciscomoderator note -- The following post has been edited to remove potentially confidential information. Since this was posted on a public forum, it is recommended that passwords be changed, including encrypted passwords. Please refrain from posting confidential information on the site to reduce the security risks involved. -- end ciscomoderator note --

Hi,

I am trying to use a 1720 router with IOS version 12.2.8.T4 to connect to an NT server and an NT Exchange server. I am using NAT with a secondary address on the NAT outside. I can ping the NT server and see the Microsoft Exchange information stores, but cannot authenticate with either or browse the local LAN. I believe the secondary address on the NAT outside is causing the problem. I have included my configuration. Any help would be appreciated.

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname coin_mach
!
boot system flash c17001228t4.bin
enable secret 5 --moderator edit--
!
memory-size iomem 25
clock timezone est -5
clock summer-time est recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
ip host roslynnt 10.223.223.3
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local remotepool
!
crypto isakmp client configuration group remoteuser
 key XXXXXXXXXX
 pool remotepool
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans1
!
!
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0
 ip address 10.223.223.35 255.255.255.0 secondary
 ip address --moderator edit-- 255.255.255.240
 ip nat inside
 speed auto
!
interface Serial0
 description link to CTC
 mtu 1492
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip unnumbered FastEthernet0
 ip nat outside
 frame-relay interface-dlci 40
 crypto map intmap
!
ip local pool remotepool 10.4.0.1 10.4.0.254
ip nat pool COIN_MACH --moderator edit-- 64.69.121.21 netmask 255.255.255.240
ip nat inside source list 1 pool COIN_MACH overload
ip nat inside source route-map nonat interface Serial0.1 overload
ip nat inside source static tcp 10.223.223.2 9471 64.69.121.18 9471 extendable
ip nat inside source static tcp 10.223.223.2 9476 64.69.121.18 9476 extendable
ip nat inside source static tcp 10.223.223.2 9470 64.69.121.18 9470 extendable
ip nat inside source static tcp 10.223.223.2 992 64.69.121.18 992 extendable
ip nat inside source static tcp 10.223.223.2 449 64.69.121.18 449 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route 10.0.0.0 255.255.255.0 10.223.223.8
ip route 10.4.0.0 255.255.255.0 Serial0.1
ip route 10.10.0.0 255.255.255.0 10.223.223.8
ip route 10.11.0.0 255.255.255.0 10.223.223.8
ip route 10.12.0.0 255.255.255.0 10.223.223.8
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.223.223.0 0.0.0.255
access-list 1 permit 10.11.0.0 0.0.0.255
access-list 1 permit 10.12.0.0 0.0.0.255
access-list 1 permit 10.4.0.0 0.0.0.255
access-list 120 deny ip --moderator edit-- 0.0.0.255 10.4.0.0 0.0.0.255
access-list 120 deny ip 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 120 permit ip 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 120 permit ip --moderator edit-- 0.0.0.255 10.4.0.0 0.0.0.255
! The following ports are used to try to connect to my Exchange server's information stores
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 135
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-ns
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-dgm
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-ss
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 140
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 141
!
route-map nonat permit 10
 match ip address 120
!
!
line con 0
 password xxxxxxxxx
 login
line aux 0
line vty 0 4
 password xxxxxxxxx
 login
!
end
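Cisco ACLs are evaluated top-down and the first matching entry wins, so every permit in ACL 120 that repeats the source and destination of the deny entry above it can never be reached, and the route-map nonat therefore never matches that traffic. The following Python is an added example, not part of the original post: it parses ACL 120 as posted (omitting the two redacted entries) with IOS wildcard-mask semantics and reports which entries an earlier entry shadows, a check worth running on any ACL before looking elsewhere for a NAT or VPN problem.

```python
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
# Constructed copy of ACL 120 from the post above, omitting the two redacted entries.
ACL_120 = """\
access-list 120 deny ip 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 120 permit ip 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 135
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-ns
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-dgm
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq netbios-ss
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 140
access-list 120 permit udp 10.223.223.0 0.0.0.255 10.4.0.0 0.0.0.255 eq 141"""
def ip_to_int(dotted):
    return int.from_bytes(bytes(map(int, dotted.split("."))), "big")

def parse_ace(line):
    """-> (action, proto, src, src_wild, dst, dst_wild, dport); dport None means any port."""
    t = line.split()  # access-list <n> <action> <proto> <src> <wild> <dst> <wild> [eq <port>]
    dport = (PORT_NAMES.get(t[9]) or int(t[9])) if len(t) > 8 and t[8] == "eq" else None
    return (t[2], t[3], *(ip_to_int(x) for x in t[4:8]), dport)

def in_range(addr, wild, ip):  # wildcard mask: 1 bits are don't-care, 0 bits must be equal
    return not ((addr ^ ip) & ~wild & 0xFFFFFFFF)

def covers(a, b):
    """True when every packet that matches ACE b is already matched by the earlier ACE a."""
    _, pa, sa, swa, da, dwa, ppa = a
    _, pb, sb, swb, db, dwb, ppb = b
    if pa != "ip" and pa != pb:          # protocol 'ip' covers every protocol
        return False
    if ppa is not None and ppa != ppb:   # an entry without a port covers every port
        return False
    # b may not be broader than a, and a's fixed address bits must agree with b's address
    return all(not (wb & ~wa & 0xFFFFFFFF) and in_range(xa, wa, xb)
               for xa, wa, xb, wb in ((sa, swa, sb, swb), (da, dwa, db, dwb)))

def shadowed(aces):
    """(i, j) pairs: entry i can never match because the earlier entry j always matches first."""
    return [(i, j) for i, b in enumerate(aces) for j in range(i) if covers(aces[j], b)]

def first_match(aces, proto, src, dst, dport=None):
    """IOS evaluates top-down and the first match wins; no match is the implicit deny."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for i, (act, p, sa, sw, da, dw, pp) in enumerate(aces):
        if (p == "ip" or p == proto) and pp in (None, dport) \
                and in_range(sa, sw, s) and in_range(da, dw, d):
            return i, act
    return None, "deny"

ACES = [parse_ace(l) for l in ACL_120.splitlines()]
```

Running shadowed(ACES) lists entries 1 through 7 as unreachable behind entry 0, and first_match(ACES, "udp", "10.223.223.3", "10.4.0.10", 137) returns the deny at entry 0 for a NetBIOS name-service packet from the LAN to a VPN client.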

1 Reply

ciscomoderator
Community Manager

Oftentimes complex troubleshooting issues are best addressed in an interactive session with one of our trained technical assistance engineers. While other forum users may be able to help, it's often difficult to do so for this type of issue.

To utilize the resources at our Technical Assistance Center, please visit http://www.cisco.com/tac, and to open a case with one of our TAC engineers, visit http://www.cisco.com/tac/caseopen.

If anyone else in the forum has some advice, please reply to this thread.

Thank you for posting.