11-29-2010 01:42 PM
Hi All,
I have a problem with my config; it's a hub and spoke setup with 7 spokes. The hub network address is 192.168.6.0.
I would like the spoke sites to be able to communicate with other spokes via the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I'm presuming it's an ACL problem, but I've spent the last 3 hrs trying to figure this one out and have got nowhere. Can anyone assist?
Also I have NAT'd ports 80 and 443, which work fine from outside the local LAN but do not work from inside. Anyone got any suggestions?
Thanks
Mark
192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE
Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.xx.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
!
crypto map VPN-Map-1 10 ipsec-isakmp
set peer 77.xxx.xxx.176
set transform-set this_should_work
match address stores
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 85.xxx.xxx.85
set transform-set this_should_work
match address dalby
!
crypto map VPN-Map-1 12 ipsec-isakmp
set peer 85.xxx.xxx.9
set transform-set this_should_work
match address braintree
!
crypto map VPN-Map-1 13 ipsec-isakmp
set peer 85.xxx.xxx.81
set transform-set this_should_work
match address corby
!
crypto map VPN-Map-1 14 ipsec-isakmp
set peer 85.xxx.xxx.228
set transform-set this_should_work
match address glasgow
!
crypto map VPN-Map-1 15 ipsec-isakmp
set peer 85.xxx.xxx.153
set transform-set this_should_work
match address hadleigh
!
crypto map VPN-Map-1 16 ipsec-isakmp
set peer 85.xxx.xxx.10
set transform-set this_should_work
match address northwich
!
crypto map VPN-Map-1 17 ipsec-isakmp
set peer 85.xxx.xxx.61
set transform-set this_should_work
match address wycombe
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.6.40 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
permit udp host 77.xxx.xxx.176 any eq isakmp
permit esp host 77.xxx.xxx.176 any
permit udp host 85.xxx.xxx.85 any eq isakmp
permit esp host 85.xxx.xxx.85 any
permit udp host 85.xxx.xxx.9 any eq isakmp
permit esp host 85.xxx.xxx.9 any
permit udp host 85.xxx.xxx.81 any eq isakmp
permit esp host 85.xxx.xxx.81 any
permit udp host 85.xxx.xxx.228 any eq isakmp
permit esp host 85.xxx.xxx.228 any
permit udp host 85.xxx.xxx.153 any eq isakmp
permit esp host 85.xxx.xxx.153 any
permit udp host 85.xxx.xxx.10 any eq isakmp
permit esp host 85.xxx.xxx.10 any
permit udp host 85.xxx.xxx.61 any eq isakmp
permit esp host 85.xxx.xxx.61 any
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
end
01-19-2011 11:40 AM
Did you already make changes to the NAT configuration?
Manish
01-19-2011 02:31 PM
No, I haven't changed NAT yet.
01-19-2011 02:49 PM
Ok Mark,
Please check this link out before configuring or placing any interface ACL, then create an access list that suits your company's needs and policies.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
As far as NAT for the SMTP server goes, you have to configure static NAT, not port redirection, for it to use the same IP inbound and outbound.
Manish
01-20-2011 12:49 AM
Manish, I've had a good read of that link, thanks. What do you think of the below? I take it I need to apply these ACLs to the dialer (outside NAT)?
Also I have this in my config, ip access-list extended Internet-inbound-ACL, with some entries for the VPN. I don't think they are being used or even applied to any interface; do I need these?
Thanks
Mark
access-list 101 permit tcp host 78.xx.xx.245 any eq smtp
access-list 101 permit tcp host 78.xx.xx.245 any eq www
access-list 101 permit tcp host 78.xx.xx.245 any eq 443
access-list 102 permit tcp any host 78.xx.xx.245 eq smtp
access-list 102 permit tcp any host 78.xx.xx.245 eq www
access-list 102 permit tcp any host 78.xx.xx.245 eq 443
int dialer0
access-group 101 out
access-group 102 in
ip nat inside source static tcp 192.168.88.30 25 78.xx.xx.245 25
ip nat inside source static tcp 192.168.88.30 443 78.xx.xx.245 443
ip nat inside source static tcp 192.168.88.30 80 78.xx.xx.245 80
01-20-2011 09:05 AM
Mark,
That doesn't look good to me. Please post the current configuration of the spoke that you are working on and what you need to accomplish. I will post the required changes as soon as I get time today.
Manish
01-20-2011 10:17 AM
Okay, thanks Manish. As you have probably gathered, I'm not too good with these Ciscos yet!
What I have is 3 IPs:
78.xx.xx.188
78.xx.xx.245
78.xx.xx.246
188 is the fixed IP of the line; 245 and 246 are our extras.
I would like ports 80, 443 and 25 to be NAT'd from 245 to our local mail server 192.168.88.30. I was trying to make sure that only 80, 443 and 25 are open on 245. The problem I have at the moment is mail coming in on 245 and going out on 188; I would like it to go out on 245.
We have TS web apps on 246, which is port 443 forwarded to local IP 192.168.88.65, again trying to make sure that 443 is the only port open.
188 should provide internet access for all local clients.
Thanks
Mark
Config:-
Current configuration : 6078 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DALBY
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-692553461
revocation-check none
rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
certificate self-signed 01
quit
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key Dalby%19 address 78.xx.xxx.48
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
crypto ipsec transform-set this_should_work esp-des esp-sha-hmac
crypto ipsec transform-set cm-transformset-2 esp-des esp-md5-hmac
!
crypto map VPN-Map-1 11 ipsec-isakmp
set peer 78.xx.xxx.48
set transform-set 3DES-SHA
set pfs group2
match address dalby
!
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.88.40 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip route-cache cef
no ip route-cache
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
bundle-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
dialer pool 1
dialer-group 1
ppp reliable-link
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp ipcp dns request
ppp link reorders
ppp multilink
ppp multilink slippage mru 16
ppp multilink fragment delay 10
ppp multilink interleave
ppp multilink multiclass
crypto map VPN-Map-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.88.30 25 78.xx.xxx.245 25 extendable
ip nat inside source static tcp 192.168.88.30 80 78.xx.xxx.245 80 extendable
ip nat inside source static tcp 192.168.88.30 443 78.xx.xxx.245 443 extendable
ip nat inside source static tcp 192.168.88.65 443 78.xx.xxx.246 443 extendable
!
ip access-list extended Internet-inbound-ACL
permit udp host 78.xx.xxx.48 any eq isakmp
permit esp host 78.xx.xxx.48 any
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
!
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.88.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
banner motd ^CCC
******************************************
* Welcome to xxxxxxxxxxxxxxxxxxxxxxxxxxx
* Dalby Router
* Unauthorized access prohibited
******************************************
^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxx
login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end
01-20-2011 01:53 PM
Mark ,
I do see an access-list configured on the router, but it isn't applied anywhere, so it's useless. Here's what you need to change for NAT & access-list:-
Nat Changes :-
From ( Remove these ) :-
ip nat inside source static tcp 192.168.88.30 25 78.xx.xxx.245 25 extendable
ip nat inside source static tcp 192.168.88.30 80 78.xx.xxx.245 80 extendable
ip nat inside source static tcp 192.168.88.30 443 78.xx.xxx.245 443 extendable
ip nat inside source static tcp 192.168.88.65 443 78.xx.xxx.246 443 extendable
To ( add these ) :-
ip nat inside source static 192.168.88.30 25 78.xx.xxx.245
ip nat inside source static 192.168.88.65 443 78.xx.xxx.246
For Access-list :-
ip access-list extended Internet-inbound-ACL-Working
Permit tcp any host 78.xx.xxx.245 eq 25
Permit tcp any host 78.xx.xxx.245 eq 80
Permit tcp any host 78.xx.xxx.245 eq 443
Permit tcp any host 78.xx.xxx.246 eq 443
Deny ip any host 78.xx.xxx.245
Deny ip any host 78.xx.xxx.246
permit ip any any (This statement will allow everything else to come in, which is not a good idea, but you don't have many options on a router with access-lists. I am not sure about using ZBF on a Cisco 1841, but you can research it, or try replacing the other Vigors with an ASA 5505/5510 etc.)
interface Dialer0
ip access-group Internet-inbound-ACL-Working in
Manish
01-24-2011 01:44 AM
Thanks Manish, I'll give these a go next time I'm at this site.
I'm replacing the Vigor at the 10.0.0.0 network this week, so hopefully they should be able to communicate with the other sites on the VPN.
Thanks for your help it's much appreciated.
Mark
01-31-2011 04:01 AM
Hi Manish,
I've tried the below changes; the two NAT changes below came up with an invalid marker problem...
ip nat inside source static 192.168.88.30 25 78.25.240.245
ip nat inside source static 192.168.88.65 443 78.25.240.246
Thanks
Mark
01-31-2011 08:53 AM
Sorry Mark, my bad... didn't edit those lines properly.
To ( add these ) :-
ip nat inside source static 192.168.88.30 78.xx.xxx.245
ip nat inside source static 192.168.88.65 78.xx.xxx.246
For Access-list :-
ip access-list extended Internet-inbound-ACL-Working
Permit tcp any host 78.xx.xxx.245 eq 25
Permit tcp any host 78.xx.xxx.245 eq 80
Permit tcp any host 78.xx.xxx.245 eq 443
Permit tcp any host 78.xx.xxx.246 eq 443
Deny ip any host 78.xx.xxx.245
Deny ip any host 78.xx.xxx.246
permit ip any any (This statement will allow everything else to come in, which is not a good idea, but you don't have many options on a router with access-lists. I am not sure about using ZBF on a Cisco 1841, but you can research it, or try replacing the other Vigors with an ASA 5505/5510 etc.)
interface Dialer0
ip access-group Internet-inbound-ACL-Working in
Manish
01-31-2011 04:17 PM
Hi Manish,
Thanks, I'll try these.
On another note, that Cisco I put in last week still has trouble accessing the Vigor spokes. It's the one with the 10.0.0.0 network address. I thought replacing this site's router with a Cisco might solve the problem, but unfortunately not :-( It seems these Vigors are basic for our needs now.
I'll probably end up changing the 10.0.0.0 network address like you mentioned in an earlier post, or maybe I should buy some cheap Ciscos? Would the 850 series work okay?
Thanks
Mark
01-31-2011 04:26 PM
Mark,
Buying a new device really depends on your needs. But if you have an Ethernet handoff from your ISP then I would want to purchase a Cisco ASA 5505 or 5510 with a security license. The ASAs give you far more capabilities and are not that expensive; personally I have used far more ASAs than these small routers myself.
Manish
02-02-2011 03:23 AM
Hi Manish,
I put those NAT changes through, but couldn't ping the server from site to site though?
The mail also stopped sending out.
Any ideas?
Thanks
Mark
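Added example, not from the thread and not IOS's own code: a small Python model of first-match ACL evaluation that checks Manish's Dialer0 inbound ACL against a few constructed packets, replays the inside-to-outside order IOS uses (NAT before the crypto map) for the static NAT change that preceded the broken site-to-site ping and outbound mail reported above, and tests the hub's crypto ACL 'corby' against a spoke-to-spoke flow from the original question. The 203.0.113.x addresses are documentation-range stand-ins for the masked 78.xx.xxx.N values, 198.51.100.7 is a constructed Internet host and 192.168.88.50 a made-up LAN client.

```python
import ipaddress
from collections import namedtuple
# Constructed stand-ins (documentation range) for the thread's masked 78.xx.xxx.245/.246/.188:
# static NAT for 192.168.88.30, static NAT for 192.168.88.65, and the Dialer0 (PAT) address.
MAIL_GLOBAL, TS_GLOBAL, DIALER_IP = "203.0.113.245", "203.0.113.246", "203.0.113.188"
Pkt = namedtuple("Pkt", "proto src dst dport", defaults=(0,))  # proto: tcp/udp/esp/icmp
def in_wild(ip, net, wild):
    """Cisco wildcard match: a 1 bit in the wildcard means 'don't care'."""
    i, n, w = (int(ipaddress.ip_address(x)) for x in (ip, net, wild))
    return (i | w) == (n | w)

def _addr(tok):
    """Consume one IOS address spec from the token list: any | host A | NET WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_acl(text):
    """Parse named or numbered extended ACL lines into (action, proto, src, dst, dport)."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"]:
            tok = tok[2:]  # drop 'access-list <number>'
        if not tok or tok[0].lower() not in ("permit", "deny"):
            continue       # skips 'ip access-list extended ...' header lines
        action, proto = tok.pop(0).lower(), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        dport = int(tok[1]) if tok[:1] == ["eq"] else None
        acl.append((action, proto, src, dst, dport))
    return acl

def acl_action(acl, p):
    """First-match evaluation; IOS ends every ACL with an implicit deny."""
    for action, proto, (sn, sw), (dn, dw), dport in acl:
        if (proto in ("ip", p.proto) and in_wild(p.src, sn, sw)
                and in_wild(p.dst, dn, dw) and dport in (None, p.dport)):
            return action
    return "deny"
# Manish's inbound ACL for Dialer0, with the stand-in addresses substituted.
INBOUND = parse_acl(f"""
Permit tcp any host {MAIL_GLOBAL} eq 25
Permit tcp any host {MAIL_GLOBAL} eq 80
Permit tcp any host {MAIL_GLOBAL} eq 443
Permit tcp any host {TS_GLOBAL} eq 443
Deny ip any host {MAIL_GLOBAL}
Deny ip any host {TS_GLOBAL}
permit ip any any
""")
# ACL 100 (PAT exemption, hub line only) and crypto ACL 'dalby', as in the posted spoke config.
PAT_ACL = parse_acl("access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255\n"
                    "access-list 100 permit ip 192.168.88.0 0.0.0.255 any")
CRYPTO_DALBY = parse_acl("permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255\n"
                         "permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255")
STATIC_NAT = {"192.168.88.30": MAIL_GLOBAL, "192.168.88.65": TS_GLOBAL}
# Hub-side crypto ACL 'corby' from the first post: it describes hub<->spoke traffic only.
HUB_CORBY = parse_acl("permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255")
def outbound(p):
    """IOS inside-to-outside order: NAT before crypto, so the crypto ACL sees the translated source."""
    if p.src in STATIC_NAT:                    # plain static NAT has no ACL: always translates
        p = p._replace(src=STATIC_NAT[p.src])
    elif acl_action(PAT_ACL, p) == "permit":   # overload PAT honours ACL 100's deny lines
        p = p._replace(src=DIALER_IP)
    return p.src, acl_action(CRYPTO_DALBY, p) == "permit"   # (source on the wire, encrypted?)
```

Return packets for the mail server's own outbound SMTP sessions arrive at .245 on an ephemeral port and so fall through to the deny line, and the server's VPN-bound traffic is translated to .245 before the crypto ACL is consulted; both are consistent with the symptoms Mark reports above. The usual IOS remedies are a route-map on the static NAT entry that excludes the VPN subnets, and stateful inspection (CBAC or ZBF) rather than a plain inbound ACL for return traffic.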
02-02-2011 09:02 AM
Mark,
Please paste the current configuration of the router; I might have to look again at the configuration.
Manish
02-02-2011 09:09 AM
Hi Manish,
This is our current config (NAT and ACLs):
Thanks
Mark
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static 192.168.88.30 78.xx.xxx.245
ip nat inside source static 192.168.88.65 78.xx.xxx.246
!
ip access-group Internet-inbound-ACL-Working
Permit tcp any host 78.xx.xxx.245 eq 25
Permit tcp any host 78.xx.xxx.245 eq 80
Permit tcp any host 78.xx.xxx.245 eq 443
Permit tcp any host 78.xx.xxx.246 eq 443
Deny ip any host 78.xx.xxx.245
Deny ip any host 78.xx.xxx.246
permit ip any any
ip access-list extended dalby
permit ip 192.168.88.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
!
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.88.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.88.0 0.0.0.255 any
dialer-list 1 protocol ip permit