Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Mon, 27 Sep 2004 21:57:38



Hey Guys,

I have been trying to configure this router for 4 weeks.  So far, I
have succeeded in getting the router to the following:

I can ping both ISPs' default routers from computers within the
network.
It appears that computers from within the network can route out:

Total active translations: 19 (0 static, 19 dynamic; 19 extended)
Outside interfaces:
  Ethernet0/0, Serial0/0
Inside interfaces:
  Ethernet0/1
Hits: 4416  Misses: 1152
Expired translations: 1031
Dynamic mappings:
-- Inside Source
route-map T1 pool outt1 refcount 18
 pool outt1: netmask 255.255.255.252
        start 155.55.44.213 end 155.55.44.214
        type generic, total addresses 2, allocated 1 (50%), misses 0
route-map outtoDSL pool outDSL refcount 1
 pool outDSL: netmask 255.255.255.128
        start 100.10.88.1 end 100.10.88.127
        type generic, total addresses 127, allocated 1 (0%), misses 0
-- Outside Source
route-map incDSL pool come-dsl refcount 0
 pool come-dsl: netmask 255.255.255.0
        start 192.168.50.1 end 192.168.50.254
        type generic, total addresses 254, allocated 0 (0%), misses 0
route-map incT1 pool come-t1 refcount 0
 pool come-t1: netmask 255.255.255.0
        start 192.168.50.1 end 192.168.50.254
        type generic, total addresses 254, allocated 0 (0%), misses 0
Entry1#sh ip nat trans
Pro  Inside global           Inside local          Outside local        Outside global
udp  155.55.44.213:29044     192.168.50.2:29044    166.2.2.4:53         166.2.2.4:53
tcp  155.55.44.213:48963     192.168.50.2:48963    188.7.2.155:4110     188.7.2.155:4110
udp  155.55.44.213:29034     192.168.50.2:29034    45.54.55.22:53       45.54.55.22:53
udp  155.55.44.213:29035     192.168.50.2:29035    45.54.55.22:53       45.54.55.22:53
tcp  155.55.44.213:29042     192.168.50.2:29042    206.46.164.23:110    206.46.164.23:110
tcp  155.55.44.213:29043     192.168.50.2:29043    206.46.164.23:110    206.46.164.23:110
icmp 100.10.88.1:29045       192.168.50.2:29045    100.10.88.1:29045    100.10.88.1:29045
udp  155.55.44.213:29034     192.168.50.2:29034    166.2.2.1:53         166.2.2.1:53
udp  155.55.44.213:29034     192.168.50.2:29034    166.2.2.2:53         166.2.2.2:53
udp  155.55.44.213:29035     192.168.50.2:29035    166.2.2.1:53         166.2.2.1:53
udp  155.55.44.213:29035     192.168.50.2:29035    166.2.2.2:53         166.2.2.2:53
udp  155.55.44.213:29035     192.168.50.2:29035    166.2.2.3:53         166.2.2.3:53
udp  155.55.44.213:29035     192.168.50.2:29035    166.2.2.4:53         166.2.2.4:53

Nothing seems to come back into the network.  When we browse out, we
cannot go anywhere.

I am attempting to have one internal IP go out primarily the T1
(s0/0), should that fail, then use the DSL (e0/0), with E0/1 being the
internal IP.  The router is configured to protect itself and not the
network.  On 198.168.0.2 is a firewall with hosts behind it, which
protects the network.  I am using the following IOS on a Cisco 2600:
c2600-js-mz.121-5.T12.bin

I eventually want to upgrade to IOS 12.3.4 or above and follow Dr.
Vincent Jones's example in article
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=ce3633%24b3%2...

The flash and the IOS are brand new, just in case the prior was corrupt.
Below is the config with the real IPs faked, changed, etc. (to protect
the innocent) but also to preserve the subnetting.  It is somewhat messy,
with lots of access-lists showing that I have tried a lot of stuff:

Entry1#sh run
Building configuration...

Current configuration : 5626 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret 5 $1$cxlr$rneuK4r/MumRXA4oNvsxJ.
!
username Teddy privilege 15 password
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
!
no ip finger
ip ftp source-interface Ethernet0/1
ip ftp username Teddy
ip ftp password
ip name-server 166.2.2.1
ip name-server 166.2.2.2
ip name-server 166.2.2.3
ip name-server 166.2.2.4
ip name-server 45.54.55.22
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 ip address 100.10.88.105 255.255.255.128
 ip access-group incoming in
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group incomingT1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group outgoing in
 ip access-group return out
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
ip nat pool outDSL 100.10.88.1 100.10.88.127 netmask 255.255.255.128
ip nat pool come-dsl 192.168.0.1 192.168.0.254 netmask 255.255.255.0
ip nat pool come-t1 192.168.0.1 192.168.0.254 netmask 255.255.255.0
ip nat pool outt1 155.55.44.213 155.55.44.214 netmask 255.255.255.252
ip nat inside source route-map T1 pool outt1 overload
ip nat inside source route-map outtoDSL pool outDSL overload
ip nat outside source route-map incDSL pool come-dsl
ip nat outside source route-map incT1 pool come-t1
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 50
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 60
ip route 67.130.40.252 255.255.255.252 Serial0/0
no ip http server
!
ip access-list extended DSLin
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended incoming
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended incomingT1
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.0.255.255 any
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended outDSL
 permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
ip access-list extended outT1
 permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
ip access-list extended outgoing
 permit tcp 192.168.0.0 0.0.0.255 any established
 permit udp 192.168.0.0 0.0.0.255 any
 permit icmp 192.168.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended outgoingDSL
 permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
ip access-list extended outgoingt1
 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
ip access-list extended return
 permit tcp any 192.168.0.0 0.0.0.255 established
 permit ip any any
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 13 permit any
access-list 98 permit 192.168.0.0 0.0.255.255
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
no cdp run
route-map incT1 permit 10
 match ip address incomingT1
 match interface Ethernet0/1
 set interface Ethernet0/1
 set ip default next-hop 192.168.0.2
!
route-map outtoDSL permit 10
 match ip address 5
 match interface Ethernet0/0
 set interface Ethernet0/0
 set ip default next-hop 100.10.88.1
!
route-map incDSL permit 10
 match ip address DSLin
 match interface Ethernet0/1
 set interface Ethernet0/1
 set ip default next-hop 192.168.0.2
!
route-map T1 permit 10
 match ip address 5
 match interface Serial0/0
 set interface Serial0/0
 set ip default next-hop 155.55.44.213
!
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
no scheduler allocate
end

If someone has an idea where I have goofed, please point it out.  I am a
relative newbie to Cisco in the midst of you all experts, but not a
newbie to networking (10 years).

Tarek Hamdy, MSCE, CNE, 80% prepared for the CCNA


Post by PES » Mon, 27 Sep 2004 22:35:44


There is way too much information to process and troubleshoot here.  I would
take my access-lists to a minimum until I got it working.  However, you need
to do so without compromising security.

Issues that jumped out at me.

1) Your route-maps applied to nat statements will not set next hop as far
as I know.  You need to do this with policy routing on the internal ingress
interface or with route statements.  Also, I don't know why you would ever
match your inside interface with a policy that is for outbound nat.

2) Some of your nat statements don't make sense.  It's almost like you set
them up for each direction or something.  When a packet matches a nat entry,
it adds a translation to the table.  The return traffic should mirror the
outbound traffic and match the table.

3) I would also recommend getting the serial interface working first.  Then
bring the dsl interface into the mix.

4) You have not stated your goal.  Is it redundancy, or load balancing?

"Tarek Hamdy" <tha...@quixnet.net> wrote in message news:c2aa728e.0409260457.16b92f75@posting.google.com...
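
What PES's points 1 and 2 come down to in configuration terms, written out as an added example (it is not Tarek's config and not anything PES posted): the route-maps that NAT references only classify packets by the interface the routing table has already chosen as egress, one inside-source statement per ISP replaces the per-direction pools, and the choice of path is left to a preferred default route plus a floating static. It reuses the faked addresses from Tarek's posted config, takes the two ISP next hops from his static routes, and assumes the route-map names NAT-T1 and NAT-DSL and the interface descriptions, which are this example's own.

```cisco
! Added example, not Tarek's configuration or any reply's own. Addresses are
! the faked ones from the thread; the route-map names NAT-T1 / NAT-DSL and
! the interface descriptions are assumptions made for this example.
!
interface Serial0/0
 description T1 to ISP 1 (preferred path)
 ip address 155.55.44.214 255.255.255.252
 ip nat outside
!
interface Ethernet0/0
 description DSL to ISP 2 (backup path)
 ip address 100.10.88.105 255.255.255.128
 ip nat outside
!
interface Ethernet0/1
 description LAN side; firewall at 192.168.0.2
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! One list naming the inside hosts. There are no "ip nat outside source"
! statements: the table entry created by the outbound packet is what
! translates the reply, so the return direction needs no rule of its own.
access-list 5 permit 192.168.0.0 0.0.0.255
!
! Route-maps referenced by NAT only classify; a "set" clause here would do
! nothing. "match interface" is the egress interface the routing table
! picked, so the translation follows whichever default route is active.
route-map NAT-T1 permit 10
 match ip address 5
 match interface Serial0/0
!
route-map NAT-DSL permit 10
 match ip address 5
 match interface Ethernet0/0
!
! Overload on each outside interface address: each ISP handed out one
! usable address, and a pool spanning both ends of the /30 would also
! claim the provider's own 155.55.44.213.
ip nat inside source route-map NAT-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-DSL interface Ethernet0/0 overload
!
! Path selection lives in the routing table: preferred default via the T1,
! floating static via the DSL next hop at a higher administrative distance.
! No default route points at the inside interface, and no
! "ip policy route-map" is applied to any interface.
ip route 0.0.0.0 0.0.0.0 155.55.44.213
ip route 0.0.0.0 0.0.0.0 100.10.88.1 50
```

With this in place, `show ip nat translations` should list the inside global address as 155.55.44.214 while the T1 default route is installed and as 100.10.88.105 once that route is withdrawn. The limitation is the one RC raises later in the thread: the floating static only reacts to Serial0/0 itself going down, and an Ethernet-attached DSL link that stays up regardless of the provider's state gives the routing table nothing to react to, so a failure beyond either modem goes unnoticed by this configuration.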

Post by Tarek Ham » Wed, 29 Sep 2004 00:35:10


PES,

Thanks so much for answering.  My goal is redundancy.  However, at
this point, I will take anything I can get to get the S0/0 interface
working.  I will try to get it working tonight while looking at the
policy.  I also need NAT to work in both directions.  Each ISP gave us
one IP, therefore I cannot route RFC 1918 addresses.
Unfortunately, NAT must be used.  I will have PPTP VPN and VPN via
3DES coming through the router into the firewall that is connected to
E0/1.

I will post a new config tonight.

Tarek


Post by Tarek Ham » Wed, 29 Sep 2004 00:58:32


PES,

Also, in regards to:

2) Some of your nat statements don't make sense.  It's almost like you
set them up for each direction or something.  When a packet matches a nat
entry, it adds a translation to the table.  The return traffic should
mirror the outbound traffic and match the table.

Aren't we supposed to put the policy on the interface receiving the
data stream?  For example, the config posted does not show it, but I
had executed the command "ip policy route-map T1" on E0/1 in the hopes
that the traffic would go out interface s0/0, but it did not.  That
changed nothing.  Although when I put a policy on s0/0 (ip policy
route-map incT1) and e0/0 (ip policy route-map incDSL), it seems
something came in, but it never made it to the internal network.

Tarek


Post by Tarek Ham » Wed, 29 Sep 2004 15:51:34


Hey Guys,

I posted an update while trying to get this thing to work in a two-way
NAT going in and going out using the E0/1 and s0/0 interfaces.  I
tried to make the policy more textbook, matching the incoming interface
and setting the outgoing interface.  So far nothing.  In fact, about 1
AM, it dropped my telnet session.  I could connect only via serial
cable to the con 0.  Plus, I am seeing these weird entries pop up that
are not being entered by me, such as:

call rsvp-sync
cns event-service server
ip kerberos source-interface any  (fortunately this one causes an error)
dial-peer cor custom

I never put in the above 4 entries and no one accesses this router
unless they are hacking into it.

I tried to match incoming traffic policy with outgoing.  My config is
below:

Password:
Entry1#show run
Building configuration...

Current configuration : 5388 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret
!
username
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
!
!
no ip finger
ip ftp source-interface Ethernet0/1
!
no ip bootp server
call rsvp-sync
cns event-service server
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 ip address 100.10.88.105 255.255.255.128
 ip access-group incoming in
 no ip proxy-arp
 ip nat outside
 ip policy route-map incDSL
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group incomingT1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 ip policy route-map incT1
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group outgoing in
 ip access-group return out
 no ip proxy-arp
 ip nat inside
 ip policy route-map T1
 half-duplex
 no cdp enable
!
ip kerberos source-interface any
ip nat pool outDSL 100.10.88.1 100.10.88.127 netmask 255.255.255.128
ip nat pool come-dsl 192.168.0.1 192.168.0.254 netmask 255.255.255.0
ip nat pool come-t1 192.168.0.1 192.168.0.254 netmask 255.255.255.0
ip nat pool outt1 155.55.44.213 155.55.44.214 netmask 255.255.255.252
ip nat inside source route-map T1 pool outt1 overload
ip nat inside source route-map outtoDSL pool outDSL overload
ip nat outside source route-map incDSL pool come-dsl
ip nat outside source route-map incT1 pool come-t1
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
ip route 0.0.0.0 0.0.0.0 Ethernet0/0 50
ip route 0.0.0.0 0.0.0.0 Ethernet0/1 60
ip route 67.130.40.252 255.255.255.252 Serial0/0
no ip http server
!
!
ip access-list extended DSLin
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended incoming
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   icmp any any mask-request
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
ip access-list extended incomingT1
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.0.255.255 any
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   ip 224.0.0.0 15.255.255.255 any
 permit ip any any
ip access-list extended outDSL
 permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
ip access-list extended outgoing
 permit tcp 192.168.0.0 0.0.0.255 any established
 permit udp 192.168.0.0 0.0.0.255 any
 permit icmp 192.168.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended outgoingDSL
 permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
ip access-list extended outgoingt1
 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
ip access-list extended return
 permit tcp any 192.168.0.0 0.0.0.255 established
 permit ip any any
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 13 permit any
access-list 98 permit 192.168.0.0 0.0.255.255
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
no cdp run
route-map incT1 permit 10
 match ip address incomingT1
 set interface Ethernet0/1
 set ip default next-hop 192.168.0.2
!
route-map outtoDSL permit 10
 match ip address 5
 match interface Ethernet0/1
 set interface Ethernet0/0
 set ip default next-hop 100.10.88.1
!
route-map incDSL permit 10
 match ip address DSLin
 match interface Ethernet0/0
 set interface Ethernet0/1
 set ip default next-hop 192.168.0.2
!
route-map T1 permit 10
 match ip address 5
 match interface Ethernet0/1
 set interface Serial0/0
 set ip default next-hop 155.55.44.213
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
no scheduler allocate

Any help would be appreciated.  It is 3 am and I have to be at my full
time job at 8 AM.  It's been like this for 5 weeks and my client is
about to pull the plug.

Tarek


Post by RC » Wed, 29 Sep 2004 09:34:35


First, read up on PBR (Ping Based Routing). This is relatively new to Cisco
and will overcome the problems of having a primary or backup connection that
never loses carrier (your DSL over Ethernet).

The other posters are right, start out simple. Build a basic config for the
T1 with modest security using Cisco's ConfigMaker. This is hard to mess up
but test it anyway.

Add the ethernet port that goes to your DSL.

Now add to the ACL on the nat so that it only applies to traffic going out
serial0/0.

Create a new nat configuration and configure the ACL so that it only applies
to traffic going out the e0/0 (make sure you set e0/0 as nat outside).

Now if you put in 2 default routes with the one to e0/0 having a higher cost
it should just work when you disconnect the T1 line. But it will probably be
more reliable with the PBR. I can't help you much with PBR. I've only played
with it a little, but I hear good things.

Good luck

"Tarek Hamdy" <tha...@quixnet.net> wrote in message news:c2aa728e.0409260457.16b92f75@posting.google.com...
>  deny   ip 10.0.0.0 0.0.255.255 any
>  deny   icmp any any echo
>  deny   icmp any any redirect
>  deny   ip 224.0.0.0 15.255.255.255 any
>  deny   ip 192.168.0.0 0.0.255.255 any
>  permit ip any any
> ip access-list extended outDSL
>  permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
>  permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
> ip access-list extended outT1
>  permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
>  permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
> ip access-list extended outgoing
>  permit tcp 192.168.0.0 0.0.0.255 any established
>  permit udp 192.168.0.0 0.0.0.255 any
>  permit icmp 192.168.0.0 0.0.0.255 any
>  permit ip 192.168.0.0 0.0.0.255 any
> ip access-list extended outgoingDSL
>  permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
>  permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
>  permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
> ip access-list extended outgoingt1
>  permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
> ip access-list extended return
>  permit tcp any 192.168.0.0 0.0.0.255 established
>  permit ip any any
> access-list 5 permit 192.168.0.0 0.0.0.255
> access-list 6 permit 192.168.0.0 0.0.0.255
> access-list 13 permit any
> access-list 98 permit 192.168.0.0 0.0.255.255
> access-list 99 permit 192.168.0.0 0.0.0.255
> access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
> no cdp run
> route-map incT1 permit 10
>  match ip address incomingT1
>  match interface Ethernet0/1
>  set interface Ethernet0/1
>  set ip default next-hop 192.168.0.2
> !
> route-map outtoDSL permit 10
>  match ip address 5
>  match interface Ethernet0/0
>  set interface Ethernet0/0
>  set ip default next-hop 100.10.88.1
> !
> route-map incDSL permit 10
>  match ip address DSLin
>  match interface Ethernet0/1
>  set interface Ethernet0/1
>  set ip default next-hop 192.168.0.2
> !
> route-map T1 permit 10
>  match ip address 5
>  match interface Serial0/0
>  set interface Serial0/0
>  set ip default next-hop 155.55.44.213
> !
> !
> line con 0
>  exec-timeout 5 0
>  password
>  login local
>  transport input none
> line aux 0
>  no exec
>  password
>  login local
> line vty 0 4
>  access-class 98 in
>  exec-timeout 45 0

...


Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Thu, 30 Sep 2004 18:38:23


RC,

I scanned the more CCIE books looking for a clue, then hit the
O'Reilly Cisco IOS book.  In its NAT section, it says not to include
the router interface in the NAT pool, in italicized print.  Wow, I
could have had a V8!  If you notice, I include my router's interfaces
in the NAT pools.  It's amazing; no other book indicates this, yet
many of the configs do not include the router's own interfaces in
static nor dynamic NAT.  It is assumed us relative newbies know this;
we struggle for weeks to figure it out.  I hope some of the future
authors might be listening.  I do read your stuff.

Do you think that could be it or one of the issues?  We may help someone
else.

Unfortunately, I did not have a chance to test it because I could not
for the life of me get connected via the LAN.  I will try to replace
the cross over cable with a new shorter cable and try again tomorrow.
I hope to have some good news.  I will then post an updated config.

Tarek

 
 
 

Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Fri, 01 Oct 2004 17:25:36


Hey Guys,

I took out everything referring to the DSL interface to focus on the
S0/0 using the WIC-T1.  So far, we cannot connect to the Internet
from the internal hosts.  I want to at least allow internal users to surf
the Internet and to allow VPN connections into the network.

At this moment, I cannot even connect into the router in a telnet
session.  I keep getting Duplicate address [IP_address] on [chars],
sourced by [enet] with the Ethernet address being the MAC address of
my firewall behind the router off of int E0/1.  I worked off of a
serial cable from a laptop.  I made modifications to the incoming ACL
on S0/0.

I could take out the route maps and just use the default, but that did
not work that way a couple of weeks ago.

Entry1>en
Password:
Entry1#sh run
Building configuration...

Current configuration : 3939 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret
!
username <removed> privilege 15 password
 clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
!
!
no ip finger
ip ftp source-interface Ethernet0/1
ip ftp username
ip ftp password
ip name-server 200.17.25.13
!
no ip bootp server
call rsvp-sync
cns event-service server
! How do I keep the above two entries from reappearing?  They defy Google
! research and logic.  They appear by themselves right after my telnet session
! drops.  Nuisance!
!
!
!
!
!
!
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 no ip address
 ip access-group incoming in
 no ip proxy-arp
 ip nat outside
 ip policy route-map incDSL
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group incomingT1 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 ip policy route-map incT1
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip access-group 5 in
 ip access-group return out
 no ip proxy-arp
 ip nat inside
 ip policy route-map T1
 half-duplex
 no cdp enable
!
ip kerberos source-interface any
ip nat pool come-t1 192.168.0.2 192.168.0.20 netmask 255.255.255.0
ip nat pool outt1 155.55.44.213 155.55.44.213 netmask 255.255.255.252
ip nat inside source route-map T1 pool outt1 overload
ip nat outside source route-map incT1 pool come-t1
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
no ip http server
!
!
ip access-list extended incomingT1
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.0.255.255 any
 deny   icmp any any echo
 deny   icmp any any redirect
 deny   ip 224.0.0.0 15.255.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip host <IP FOREIGN TRUSTED HOST> any
 permit tcp any any established
 permit gre any any
 deny   tcp any any
 permit udp any any
 deny   ip any any
ip access-list extended outgoing
 permit tcp 192.168.0.0 0.0.0.255 any established
 permit udp 192.168.0.0 0.0.0.255 any
 permit icmp 192.168.0.0 0.0.0.255 any
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended outgoingDSL
 permit tcp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127 established
 permit udp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
 permit icmp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
 permit ip 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
ip access-list extended outgoingt1
 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
ip access-list extended return
 permit tcp any 192.168.0.0 0.0.0.255 established
 permit ip any any
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 6 permit 192.168.0.0 0.0.0.255
access-list 13 permit any
access-list 98 permit 192.168.0.0 0.0.255.255
access-list 99 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
no cdp run
route-map incT1 permit 10
 match ip address incomingT1
 set interface Ethernet0/1
!
route-map outtoDSL permit 10
 match ip address 5
 match interface Ethernet0/1
 set interface Ethernet0/0
 set ip default next-hop 66.15.92.1
!
route-map T1 permit 10
 match ip address 5
 match interface Ethernet0/1
 set interface Serial0/0
 set ip default next-hop 155.55.44.213
!
!
! I do not know how to get rid of the entry below.  I did not put it
! here!
dial-peer cor custom
!
!
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
end

Any ideas would be appreciated.  Another day working till 4:00 AM.  Need
help!

Tarek

 
 
 

Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Tue, 05 Oct 2004 16:22:56


Hey Guys,

I completely removed NAT and still cannot surf the Internet.  I took
the firewall between the network and the Internet out of the picture
for now; therefore, I changed the access-lists to make sure the
internal network does not get cracked.  I only allow the trusted ISP's
DNS server to have free UDP access in order for us to talk DNS to it.
We can only ping the ISP's router.  We cannot go beyond the ISP's
router.

Surely, I am missing something small and stupid.  If someone can
point it out, it would be appreciated; then I can make this silly
thing work after 6 weeks of failure and an upset client.

Current configuration : 3559 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret
!
username
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
ip name-server 200.17.25.13
!
no ip finger
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 no ip address
 ip access-group incoming in
 no ip proxy-arp
 ip nat outside
 ip policy route-map incDSL
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group ok-in in
 ip access-group ok-out1 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 3 in
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
ip kerberos source-interface any
ip nat pool outt1 155.55.44.213 155.55.44.213 netmask 255.255.255.252
ip nat pool come-t1 192.168.1.2 192.168.1.254 netmask 255.255.255.0
ip nat inside source list 3 pool outt1 overload
ip nat outside source list 2 pool come-t1
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
no ip http server
!
ip access-list extended ok-in
 evaluate outgo
 permit udp host 200.17.25.13 192.168.1.0 0.0.0.255
 evaluate ok-packets
ip access-list extended ok-out1
 permit udp 192.168.1.0 0.0.0.255 host 200.17.25.13 eq domain
 permit tcp 192.168.1.0 0.0.0.255 any established
 permit udp 192.168.1.0 0.0.0.255 any reflect outgo
 permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
access-list 2 permit 155.55.44.212 0.0.0.3
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 98 permit 192.168.0.0 0.0.255.255
access-list 99 permit 192.168.0.0 0.0.0.255
no cdp run
!
dial-peer cor custom
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
no scheduler allocate
end

Tarek

 
 
 

Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Thu, 07 Oct 2004 14:00:53


Hey Guys,

I added RIP2 and changed the NAT entries to use the interface.  It
still does not route.  The ISP does not use RIP, but it was a suggestion
from ConfigMaker.  I am pretty much out of options.  We cannot surf the
Internet through it!  If anyone has an idea of how to make this thing
route, please tell me.

Current configuration : 2830 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret
!
username
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
!
!
no ip finger
ip ftp source-interface Ethernet0/1
ip ftp username
ip ftp password
ip name-server 205.171.3.65
!
no ip bootp server
!
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 no ip address
 no ip proxy-arp
 ip nat outside
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group ok-in in
 ip access-group ok-out1 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 3 in
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
router rip
 version 2
 passive-interface Serial0/0
 network 192.168.1.0
 no auto-summary
!
ip kerberos source-interface any
ip nat inside source list 3 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
no ip http server
!
!
ip access-list extended ok-in
 evaluate outgo
 permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
 evaluate ok-packets
ip access-list extended ok-out1
 permit udp 192.168.1.0 0.0.0.255 host 205.171.3.65 eq domain
 permit tcp 192.168.1.0 0.0.0.255 any established
 permit udp 192.168.1.0 0.0.0.255 any reflect outgo
 permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
access-list 2 permit 155.55.44.212 0.0.0.3
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 98 permit 192.168.0.0 0.0.255.255
no cdp run
!
dial-peer cor custom
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
no scheduler allocate
end

 
 
 

Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by PES » Thu, 07 Oct 2004 18:53:05


Is it an access list problem with ok-out1 (NAT has already happened as it
leaves the public interface, thus 192.168.1.x is invalid and would be dropped)?
It may be to your benefit to contact a consultant who can come in and get
this going for you in a couple of hours.  Also, I would definitely recommend
utilizing IOS FW instead of reflexive ACLs.


> Hey Guys,

> I added RIP2 and changed the NAT entries to use the interface.  It
> still does not route.  ISP does not use RIP, but it was a suggestion
> from Configmaker.  I am pretty much out of option.  We cannot surf the
> Internet through it!  If anyone has an idea of hour to make this thing
> route, please tell me.

> Current configuration : 2830 bytes
> !
> version 12.1
> service single-slot-reload-enable
> service tcp-keepalives-in
> service timestamps debug uptime
> no service timestamps log uptime
> service password-encryption
> !
> hostname Entry1
> !
> no logging rate-limit
> enable secret
> !
> username
> clock summer-time EDT recurring
> no ip subnet-zero
> no ip source-route
> !
> !
> no ip finger
> ip ftp source-interface Ethernet0/1
> ip ftp username
> ip ftp password
> ip name-server 205.171.3.65
> !
> no ip bootp server
> !
> interface Loopback0
> ip address 192.168.22.65 255.255.255.224
> !
> interface Ethernet0/0
> no ip address
> no ip proxy-arp
> ip nat outside
> half-duplex
> no cdp enable
> !
> interface Serial0/0
> ip address 155.55.44.214 255.255.255.252
> ip access-group ok-in in
> ip access-group ok-out1 out
> no ip redirects
> no ip proxy-arp
> ip nat outside
> no ip mroute-cache
> service-module t1 timeslots 1-24
> no cdp enable
> !
> interface Ethernet0/1
> ip address 192.168.1.1 255.255.255.0
> ip access-group 3 in
> no ip proxy-arp
> ip nat inside
> half-duplex
> no cdp enable
> !
> router rip
> version 2
> passive-interface Serial0/0
> network 192.168.1.0
> no auto-summary
> !
> ip kerberos source-interface any
> ip nat inside source list 3 interface Serial0/0 overload
> ip classless
> ip route 0.0.0.0 0.0.0.0 155.55.44.213
> no ip http server
> !
> !
> ip access-list extended ok-in
> evaluate outgo
> permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
> evaluate ok-packets
> ip access-list extended ok-out1
> permit udp 192.168.1.0 0.0.0.255 host 205.171.3.65 eq domain
> permit tcp 192.168.1.0 0.0.0.255 any established
> permit udp 192.168.1.0 0.0.0.255 any reflect outgo
> permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
> access-list 2 permit 155.55.44.212 0.0.0.3
> access-list 3 permit 192.168.1.0 0.0.0.255
> access-list 98 permit 192.168.0.0 0.0.255.255
> no cdp run
> !
> dial-peer cor custom
> !
> line con 0
> exec-timeout 5 0
> password
> login local
> transport input none
> line aux 0
> no exec
> password
> login local
> line vty 0 4
> access-class 98 in
> exec-timeout 45 0
> password
> login
> transport input telnet
> transport output none
> !
> no scheduler allocate
> end
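The order of operations PES is pointing at, as an added example that is not code from the thread: a small Python model of the inside-to-outside path (inbound ACL on Ethernet0/1, then inside-source NAT to the Serial0/0 address, then the outbound ACL on Serial0/0), run over the 7 Oct `ok-out1` list and the `any`-source version from the working 8 Oct config. The HTTP destination 198.51.100.7 is a constructed TEST-NET address, and the `reflect`/`evaluate` entries are not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model (not the thread's code) of the IOS order of operations for
# an inside-to-outside packet: inbound ACL on Ethernet0/1, then inside-source
# NAT to the Serial0/0 address, then the outbound ACL on Serial0/0.

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False   # TCP ACK bit set, which is what 'established' matches

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp" or "icmp"
    src: str                     # CIDR prefix or "any"
    dst: str
    dport: Optional[int] = None  # 'eq <port>' qualifier
    established: bool = False    # 'established' qualifier

def _in(addr: str, spec: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_in(pkt.src, ace.src) and _in(pkt.dst, ace.dst)):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return not ace.established or pkt.ack

def acl_decision(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

def nat_inside_source(pkt: Packet, inside_list: list, outside_addr: str) -> Packet:
    """'ip nat inside source list 3 interface Serial0/0 overload': a source
    permitted by list 3 is rewritten to the Serial0/0 address."""
    if acl_decision(inside_list, pkt) == "permit":
        return replace(pkt, src=outside_addr)
    return pkt

def forward(pkt: Packet, lan_in: list, inside_list: list,
            outside_addr: str, wan_out: list) -> tuple:
    """Return (verdict, stage, packet as the outbound ACL saw it)."""
    if acl_decision(lan_in, pkt) != "permit":
        return ("dropped", "inbound ACL on Ethernet0/1", pkt)
    out = nat_inside_source(pkt, inside_list, outside_addr)  # NAT first ...
    if acl_decision(wan_out, out) != "permit":               # ... then ok-out1
        return ("dropped", "outbound ACL on Serial0/0", out)
    return ("forwarded", "Serial0/0", out)

LAN = "192.168.1.0/24"
S0_0 = "155.55.44.214"   # Serial0/0 address in the thread's config (faked)
DNS = "205.171.3.65/32"  # the ISP DNS server from the thread's config

ACL_3 = [Ace("permit", "ip", LAN, "any")]   # access-list 3 (source-only match)

# 'ok-out1' as posted on 7 Oct: every entry keys on the private source.
OK_OUT1_BEFORE = [
    Ace("permit", "udp", LAN, DNS, dport=53),
    Ace("permit", "tcp", LAN, "any", established=True),
    Ace("permit", "udp", LAN, "any"),    # 'reflect outgo' not modelled
    Ace("permit", "icmp", LAN, "any"),
]
# 'ok-out1' from the working 8 Oct config: 'any' source, plus a plain tcp permit.
OK_OUT1_AFTER = [
    Ace("permit", "udp", "any", DNS, dport=53),
    Ace("permit", "tcp", "any", "any", established=True),
    Ace("permit", "tcp", "any", "any"),
    Ace("permit", "udp", "any", "any"),
    Ace("permit", "icmp", "any", "any"),
]

DNS_QUERY = Packet("udp", "192.168.1.10", "205.171.3.65", dport=53)
HTTP_SYN = Packet("tcp", "192.168.1.10", "198.51.100.7", dport=80)  # constructed dst

def run(pkt: Packet, wan_out: list) -> tuple:
    """Push one LAN packet through the router with the given 'ok-out1'."""
    return forward(pkt, ACL_3, ACL_3, S0_0, wan_out)
```

Evaluating the 7 Oct list against the packet before NAT permits the DNS query, which is why the list looked correct; against the translated packet it hits the implicit deny.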

 
 
 

Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Post by Tarek Ham » Fri, 08 Oct 2004 14:08:15


PES,

Thanks PES! That did it.  I changed the ACL on the external interface,
s0/0, to any any from 192.168.1.0 and it worked.  It worked! I spent
the last hour surfing the Internet using the Cisco router.  Finally!
Whew!  I am the IT department at this place and their consultant.  I
learned a lot.  It will make the CCNA easier later this month or next.
I posted my config below in case it may help someone (last time):

Current configuration : 2978 bytes
!
version 12.1
service single-slot-reload-enable
service tcp-keepalives-in
service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Entry1
!
no logging rate-limit
enable secret
!
username
clock summer-time EDT recurring
no ip subnet-zero
no ip source-route
!
ip name-server 205.171.3.65
!
no ip bootp server
call rsvp-sync
cns event-service server
!
interface Loopback0
 ip address 192.168.22.65 255.255.255.224
!
interface Ethernet0/0
 no ip address
 no ip proxy-arp
 half-duplex
 no cdp enable
!
interface Serial0/0
 ip address 155.55.44.214 255.255.255.252
 ip access-group ok-in in
 ip access-group ok-out1 out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 service-module t1 timeslots 1-24
 no cdp enable
!
interface Ethernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip access-group lan-in in
 ip access-group lan-out out
 no ip proxy-arp
 ip nat inside
 half-duplex
 no cdp enable
!
router rip
 version 2
 passive-interface Serial0/0
 network 192.168.1.0
 no auto-summary
!
ip kerberos source-interface any
ip nat inside source list 3 interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 155.55.44.213
no ip http server
!
!
ip access-list extended lan-in
 permit ip any host 205.171.3.65
 permit tcp 192.168.0.0 0.0.255.255 any established
 permit ip 192.168.0.0 0.0.255.255 any reflect ok-packets
ip access-list extended lan-out
 permit ip host 205.171.3.65 any
 evaluate ok-packets
ip access-list extended ok-in
 evaluate outgo
 permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
 evaluate ok-packets
ip access-list extended ok-out1
 permit udp any host 205.171.3.65 eq domain
 permit tcp any any established
 permit tcp any any reflect outgo
 permit udp any any reflect outgo
 permit icmp any any reflect outgo
access-list 2 permit 155.55.44.212 0.0.0.3
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 98 permit 192.168.0.0 0.0.255.255
no cdp run
!
dial-peer cor custom
!
line con 0
 exec-timeout 5 0
 password
 login local
 transport input none
line aux 0
 no exec
 password
 login local
line vty 0 4
 access-class 98 in
 exec-timeout 45 0
 password
 login
 transport input telnet
 transport output none
!
end

I changed my passwords.  I will do some tweaking and get them using
this full time plus using the DSL as a backup.  I will also order the
IOS with FW set and implement ip inspect exactly as you suggested.

Tarek