Get from outside through Cisco 827, PIX 501 to Server. Urgent.pls help

Discussion in 'Cisco' started by Marc, Jan 15, 2004.

  1. Marc

    Marc Guest

    I bought a Wireless camera about 2 months ago. It is set up to use port 81
    and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
    address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.

    My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
    what I want to do)
    Cisco 827 10.1.1.1
    PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
    Inside network 192.168.1.X

    Also, I can ping my 827 from my inside network. But when I telnet into the
    router from my inside network and ping my inside network, it times out too.
    The farthest I can get is the inside interface of the PIX. I thought Chap
    may have something to do with all of this, but I'm not sure. I know if I
    could just ping my inside network from my router, that would probably solve
    most of this.

    I've been at this for 2 months, and have tried everything. NG searches, Port
    forwarding, access-lists. Nothing seems to work. I had port forwarding and
    access-lists specifically for ports www, 81 and 8482 on my router, but I
    removed them, because they didn't make a difference. I'm sure the answer
    lies in my firewall, but no matter what I do, I can't get to my inside
    network from the outside. Not even a ping from the router. I'm not an expert
    like a lot of you, so I hope this is not too rudimentary. But I'm all out of
    ideas. Any help would be greatly appreciated. My configs are below:

    PIX 501:
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 0JeJdBKOXHOPaqYc encrypted
    passwd 0JeJdBKOXHOPaqYc encrypted
    hostname pixfirewall
    domain-name blabla.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 66.0.0.0 DNS
    name 10.1.1.35 PIX_OUTSIDE
    name 192.168.1.1 PIX_INSIDE
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in permit tcp any any eq 81
    access-list outside_access_in permit tcp any any eq www
    access-list outside_access_in permit tcp any any eq 8481
    access-list outside_access_in deny ip any any
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 8482
    no pager
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.1.17 format emblem
    mtu outside 1492
    mtu inside 1492
    ip address outside PIX_OUTSIDE 255.0.0.0
    ip address inside PIX_INSIDE 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location DNS 255.255.255.0 inside
    pdm location DNS 255.255.255.255 outside
    pdm location PIX_OUTSIDE 255.255.255.255 outside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location PIX_OUTSIDE 255.255.255.255 inside
    pdm location 192.168.1.17 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255 0 0
    static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 66.228.128.70 66.228.128.202
    dhcpd lease 259200
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    terminal width 80
    Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
    : end
    [OK]

    Cisco 827:
    Using 2038 out of 131072 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname DSLrouter
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    !
    username blabla password 7 010409160A0D030B
    username CRWS_Kannan privilege 15 password 7
    015757406C5A002E65431F062A2007135A5
    F527E7F7D78656775
    no aaa new-model
    ip subnet-zero
    ip name-server 66.228.128.70
    ip name-server 66.228.128.69
    ip dhcp excluded-address 10.1.1.1
    ip dhcp excluded-address 10.0.0.33 10.255.255.254
    !
    ip dhcp pool CLIENT
    import all
    network 10.0.0.0 255.0.0.0
    default-router 10.1.1.1
    lease 0 2
    !
    ip ssh break-string
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
    ip address 10.1.1.1 255.0.0.0 secondary
    ip address 10.10.10.1 255.255.255.0
    ip mtu 1452
    ip nat inside
    ip tcp adjust-mss 1452
    ipv6 mtu 1452
    hold-queue 100 out
    !
    interface Virtual-Template1
    no ip address
    !
    interface ATM0
    mtu 1492
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname blabla
    ppp chap password 7 07182E5E1F0F1C01
    ppp pap sent-username blabla password 7 131218005A0A012E
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http secure-server
    !
    access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    dialer-list 1 protocol ip permit
    !
    !
    line con 0
    exec-timeout 120 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    login local
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end
     
    Marc, Jan 15, 2004
    #1

  2. Marc,

    Doesn't the configuration have to have the following properties:
    1. A public address on the outside interface of the 827 router (a static
    address would be preferable)
    2. A private IP address on the inside of the 827 router
    3. NAT is performed for all traffic entering the 827's Ethernet interface
    and leaving the PPPoE circuit.
    4. A private IP address is on the PIX's outside interface
    5. A (different) private network is on the PIX's inside interface
    6. NAT is being performed for all traffic leaving the PIX to the web

    For this to work you need a configuration that:
    1. Translates ports 81 and 8482 on the 827 public address into a private
    address (one that is not defined on the PIX)
    2. The PIX needs to translate these addresses to the real internal (PIX
    inside) addresses/ports.

    I have made the following assumptions:
    1. Both port 81 and 8482 go to the same box and the same ports.

    Here are the config changes:

    name 10.1.1.36 WEBSERVER
    no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
    no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
    no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
    no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
    no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
    static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255

    no access-list outside_access_in
    access-list outside_access_in permit tcp any 10.1.1.36 eq 81
    access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
    access-list outside_access_in deny ip any any
    access-group outside_access_in in interface outside
    no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    route outside 0.0.0.0 0.0.0.0 10.10.10.1

    no ip dhcp excluded-address 10.1.1.1
    no ip dhcp excluded-address 10.0.0.33 10.255.255.254
    no ip dhcp pool CLIENT


    Cisco 827 Changes
    ====================
    interface Ethernet0
    no ip address 10.1.1.1 255.0.0.0 secondary
    exit
    ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81 extendable no-alias
    ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481 extendable no-alias


    Afterwards, can you do a 'show ip nat translations' and on the pix 'show
    xlate' and repost this data and the new configs :)

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/

     
    scott enwright, Jan 15, 2004
    #2

  3. "Marc" <> wrote in message
    news:...
    > Also, I can ping my 827 from my inside network. But when I telnet into the
    > router from my inside network and ping my inside network, it times out too.

    Right, that's what you want the 501 doing. Allow outbound, stop inbound.
    You need to punch a hole through the 501 to allow inbound traffic.


    > The farthest I can get is the inside interface of the PIX.


    That is a feature. If you want pings answered from the outside, you'd need
    to add
    access-list outside_access_in permit icmp any any echo-request

    Couple things:

    0) You really want a static address service for this job.
    0a) Or a DDNS service (most webcams support that these days... which webcam?
    Linksys does DDNS :cool:

    1) If you are trying to attach TO the webcam, you will need a translation
    for the 827 of the form
    ip nat inside source static tcp y.y.y.y 81 x.x.x.x 81 extendable
    ip nat inside source static tcp y.y.y.y 8483 5900 x.x.x.x 8483 extendable

    Where y.y.y.y is the inside address and x.x.x.x is the public IP.

    BUT since your public IP is dynamic, you can't do that.

    I'm not sure there is a way to allow these maps to learn and use the dynamic
    address, unless the form

    ip nat inside source static tcp y.y.y.y 81 interface dialer 0 81 extendable
    ip nat inside source static tcp y.y.y.y 8483 5900 interface dialer 0 8483 extendable

    is accepted by the parser, which I think it is not.

    Why do you have the 827 involved at all? Just as an (expensive) DSL modem?
    You might prefer getting an RFC1483 bridge (cheap!) and using the PPPOE
    feature of the 501.

    Or better, get a static address.

    Double NAT is too painful even for the heartiest of folks.

    This application begs for a static address.

    If you just need simple NAT services, you might consider a Linksys in this
    application.
     
    Phillip Remaker, Jan 15, 2004
    #3
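
The two-hop path the replies above describe (a static NAT on the 827, then a static and an outside ACL entry on the PIX) can be checked offline before touching either device. This Python script is an added example, not code from any poster; the config snippets are constructed, reusing addresses and ports that appear in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample lines modelled on the configs posted in this thread.
ROUTER_OK = """
ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482
"""
# Constructed failure case: the 827 forwards to an address the PIX does not own.
ROUTER_WRONG_TARGET = """
ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
"""
PIX_OK = """
access-list outside_access_in permit tcp any host 10.1.1.36 eq 81
access-list outside_access_in permit tcp any host 10.1.1.36 eq 8482
access-list outside_access_in deny ip any any
static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255 0 0
"""
# Constructed failure case: same entries, but the deny is evaluated first.
PIX_DENY_FIRST = """
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any host 10.1.1.36 eq 81
access-list outside_access_in permit tcp any host 10.1.1.36 eq 8482
static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255 0 0
"""

NAT_RE = re.compile(
    r"^ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)")
ACL_RE = re.compile(
    r"^access-list (\S+) (permit|deny) (ip|tcp|udp|icmp) any "
    r"(any|host \S+)(?: eq (\S+))?\s*$")
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (\d\S+) (\d\S+) netmask 255\.255\.255\.255")
PORT_NAMES = {"www": 80}


def parse_router_nat(cfg):
    """Public TCP port on the 827 -> (address, port) it is forwarded to."""
    nat = {}
    for line in cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            nat[int(m.group(3))] = (m.group(1), int(m.group(2)))
    return nat


def parse_pix(cfg, acl_name="outside_access_in"):
    """Return (ordered ACL entries, {global address: inside address})."""
    acl, statics = [], {}
    for line in cfg.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m and m.group(1) == acl_name:
            _, action, proto, dst, port = m.groups()
            dst = None if dst == "any" else dst.split()[1]
            if port is not None:
                port = PORT_NAMES.get(port) or int(port)
            acl.append((action, proto, dst, port))
            continue
        m = STATIC_RE.match(line)
        if m:
            statics[m.group(1)] = m.group(2)
    return acl, statics


def acl_decision(acl, dst_ip, port):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, proto, dst, acl_port in acl:
        if proto not in ("ip", "tcp"):
            continue
        if dst is not None and dst != dst_ip:
            continue
        if acl_port is not None and acl_port != port:
            continue
        return action
    return "deny"


def trace(router_cfg, pix_cfg, public_port):
    """Follow an inbound TCP connection; return (inside host or None, reason)."""
    nat = parse_router_nat(router_cfg)
    acl, statics = parse_pix(pix_cfg)
    if public_port not in nat:
        return None, "827: no static NAT for this port"
    hop_ip, hop_port = nat[public_port]
    if hop_ip not in statics:
        return None, f"PIX: no static for {hop_ip}"
    if acl_decision(acl, hop_ip, hop_port) != "permit":
        return None, f"PIX: ACL denies tcp/{hop_port} to {hop_ip}"
    return statics[hop_ip], "ok"


if __name__ == "__main__":
    for name, r, p in [("consistent", ROUTER_OK, PIX_OK),
                       ("deny first", ROUTER_OK, PIX_DENY_FIRST),
                       ("wrong NAT target", ROUTER_WRONG_TARGET, PIX_OK)]:
        print(name, trace(r, p, 81))
```

The checker only understands the three line shapes shown; it reports which hop breaks the chain, which is the same question `show ip nat translations` and `show xlate` answer on the live devices.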
  4. Marc

    Marc Guest

    Thank you for the config. I changed it. The new configs are below, as well
    as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
    8482 are still blank. Can you determine what I did wrong? Thanks.

    DSL Router:
    DSLrouter#sh ip nat translations
    Pro Inside global         Inside local        Outside local         Outside global
    tcp 24.155.75.86:64436    10.1.1.35:64436     24.167.56.193:1949    24.167.56.193:1949
    tcp 24.155.75.86:1        10.1.1.1:23         10.1.1.35:64336       10.1.1.35:64336
    tcp 24.155.75.86:64495    10.1.1.35:64495     64.157.107.71:80      64.157.107.71:80
    tcp 24.155.75.86:64496    10.1.1.35:64496     64.157.107.71:80      64.157.107.71:80
    tcp 24.155.75.86:80       192.1.2.14:80       ---                   ---
    tcp 24.155.75.86:81       192.1.2.14:81       ---                   ---
    tcp 24.155.75.86:64498    10.1.1.35:64498     209.11.131.36:80      209.11.131.36:80
    tcp 24.155.75.86:64521    10.1.1.35:64521     24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:64522    10.1.1.35:64522     24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:64523    10.1.1.35:64523     24.165.151.247:1077   24.165.151.247:1077
    tcp 24.155.75.86:8481     192.1.2.14:8481     ---                   ---
    tcp 24.155.75.86:8482     192.1.2.14:8482     ---                   ---
    tcp 24.155.75.86:64361    10.1.1.35:64361     216.155.193.167:5050  216.155.193.167:5050
    tcp 24.155.75.86:64501    10.1.1.35:64501     67.23.182.154:3531    67.23.182.154:3531
    tcp 24.155.75.86:64487    10.1.1.35:64487     66.135.211.87:443     66.135.211.87:443

    PIX 501

    pixfirewall# sh xlate
    12 in use, 318 most used
    PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
    PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
    PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
    PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
    PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
    PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
    PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
    PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
    PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
    PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
    PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
    PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)

    Current Configs
    PIX 501
    PIX Version 6.3(3)
    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 0JeJdBKOXHOPaqYc encrypted
    passwd 0JeJdBKOXHOPaqYc encrypted
    hostname pixfirewall
    domain-name blabla.com
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    name 66.0.0.0 DNS
    name 10.1.1.35 PIX_OUTSIDE
    name 192.168.1.1 PIX_INSIDE
    name 10.1.1.36 WEBSERVER
    access-list outside_access_in deny ip any any
    access-list outside_access_in permit tcp any host WEBSERVER eq 81
    access-list outside_access_in permit tcp any host WEBSERVER eq www
    access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 8482
    no pager
    logging on
    logging timestamp
    logging trap warnings
    logging host inside 192.168.1.17 format emblem
    mtu outside 1492
    mtu inside 1492
    ip address outside PIX_OUTSIDE 255.0.0.0
    ip address inside PIX_INSIDE 255.255.255.0
    ip verify reverse-path interface inside
    ip audit info action alarm
    ip audit attack action alarm
    pdm location 192.168.0.0 255.255.255.0 inside
    pdm location DNS 255.255.255.0 inside
    pdm location DNS 255.255.255.255 outside
    pdm location PIX_OUTSIDE 255.255.255.255 outside
    pdm location 10.0.0.0 255.0.0.0 inside
    pdm location PIX_OUTSIDE 255.255.255.255 inside
    pdm location 192.168.1.17 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.0.0 inside
    pdm location 192.168.1.50 255.255.255.255 inside
    pdm logging informational 100
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet 192.168.1.0 255.255.255.0 inside
    telnet timeout 15
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.33 inside
    dhcpd dns 66.228.128.70 66.228.128.202
    dhcpd lease 259200
    dhcpd ping_timeout 750
    dhcpd auto_config outside
    dhcpd enable inside
    username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    terminal width 80
    Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384

    Router 827:

    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname DSLrouter
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    !
    username blabla password 7 010409160A0D030B
    username CRWS_Kannan privilege 15 password 7
    015757406C5A002E65431F062A2007135A5
    F527E7F7D78656775
    no aaa new-model
    ip subnet-zero
    ip name-server 66.228.128.70
    ip name-server 66.228.128.69
    ip dhcp excluded-address 10.1.1.1
    ip dhcp excluded-address 10.0.0.33 10.255.255.254
    !
    ip dhcp pool CLIENT
    import all
    network 10.0.0.0 255.0.0.0
    default-router 10.1.1.1
    lease 0 2
    !
    ip ssh break-string
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:10.1.1.1-255.0.0.0
    ip address 10.1.1.1 255.0.0.0
    ip mtu 1452
    ip nat inside
    ip tcp adjust-mss 1452
    ipv6 mtu 1452
    hold-queue 100 out
    !
    interface Virtual-Template1
    no ip address
    !
    interface ATM0
    mtu 1492
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/35
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    mtu 1492
    ip address negotiated
    ip nat outside
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname blabla
    ppp chap password 7 07182E5E1F0F1C01
    ppp pap sent-username blabla password 7 131218005A0A012E
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    ip http secure-server
    !
    access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    dialer-list 1 protocol ip permit
    !
    !
    line con 0
    exec-timeout 120 0
    transport preferred all
    transport output all
    stopbits 1
    line vty 0 4
    exec-timeout 120 0
    login local
    length 0
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end


    "scott enwright" <> wrote in message
    news:0OrNb.13106$...
    > Marc,
    >
    > Doesn't the configuration have to have the following properties:
    > 1. A public address on the outside interface of the 827 router (a static
    > address would be perferable)
    > 2. A private IP address on the inside of the 827 router
    > 3. NAT is performed for all traffic entering the 827's Ethernet interface
    > and leaving the PPPoE circuit.
    > 4. A private IP address is on the PIX's outside interface
    > 5. A (different) private network is on the PIX's inside interface
    > 6. NAT is being performed for all traffic leaving the PIX to the web
    >
    > For this to work you need a configuration that:
    > 1. Translates ports 81 and 8482 on the 827 public address into a private
    > address (one that is not defined on the PIX)
    > 2. The PIX needs to translate these addresses to the real internal (PIX
    > inside) addresses/ports.
    >
    > I have made the following assumpotions:
    > 1. Both port 81 and 8482 goto the same box and the same ports.
    >
    > Here is the config changes:
    >
    > name 10.1.1.36 WEBSERVER
    > no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask
    > 255.255.255.255
    > no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask
    > 255.255.255.255
    > no static (inside,outside) tcp interface www 192.168.1.50 www netmask
    > 255.255.255.255
    > no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask
    > 255.255.255.255
    > no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
    > static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
    >
    > no access-list outside_access_in
    > access-list outside_access_in permit tcp any 10.1.1.36 eq 81
    > access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
    > access-list outside_access_in deny ip any any
    > access-group outside_access_in in interface outside
    > no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    > route outside 0.0.0.0 0.0.0.0 10.10.10.1
    >
    > no ip dhcp excluded-address 10.1.1.1
    > no ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > no ip dhcp pool CLIENT
    >
    >
    > Cisco 827 Changes
    > ====================
    > interface Ethernet0
    > no ip address 10.1.1.1 255.0.0.0 secondary
    > exit
    > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > extendable no-alias
    > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > extendable no-alias
    >
    >
    > Afterwards, can you do a 'show ip nat translations' and on the pix 'show
    > xlate' and repost this data and the new configs :)
    >
    > Regards,
    >
    > Scott.
    > \|/
    > (o o)
    > ---------------------oOOO--(_)--OOOo----------------------
    > Out the 100Base-T, off the firewall, through the router, down
    > the T1, over the leased line, off the bridge, nothing but Net.
    > (Use ROT13 to see my email address)
    > .oooO Oooo.
    > ----------------------( )---( )-----------------------
    > \ ( ) /
    > \_) (_/
    >
     
    Marc, Jan 16, 2004
    #4
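The two-stage path discussed in this thread (a Dialer1 port on the 827, then the PIX's outside-side address, then the camera) can be checked offline before touching either device. The Python below is an added example, not code from any poster: it models first-match ACL evaluation and the two static translations using lines copied from the posted configs. The `REPOINTED` and `REORDERED` variants and all function names are constructed for illustration, and the model ignores everything except destination address and port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# All inputs are copied or constructed from the configs posted in this thread.
NAMES = {"WEBSERVER": "10.1.1.36"}           # PIX: name 10.1.1.36 WEBSERVER
PORT_KEYWORDS = {"www": 80}                  # keyword used in the posted ACL
ROUTER_LAN = ip_network("10.0.0.0/8")        # 827 Ethernet0: 10.1.1.1 255.0.0.0
PIX_STATICS = {"10.1.1.36": "192.168.1.50"}  # static (inside,outside) WEBSERVER 192.168.1.50

ROUTER_NAT_POSTED = """\
ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
"""
# Constructed variant: local address set to the PIX-side address named WEBSERVER.
ROUTER_NAT_REPOINTED = ROUTER_NAT_POSTED.replace("192.1.2.14", NAMES["WEBSERVER"])

PIX_ACL_POSTED = """\
access-list outside_access_in deny ip any any
access-list outside_access_in permit tcp any host WEBSERVER eq 81
access-list outside_access_in permit tcp any host WEBSERVER eq www
access-list outside_access_in permit tcp any host WEBSERVER eq 8481
access-list outside_access_in permit tcp any host WEBSERVER eq 8482
"""
# Constructed variant: the same entries with the deny moved to the end.
_lines = PIX_ACL_POSTED.splitlines()
PIX_ACL_REORDERED = "\n".join(_lines[1:] + _lines[:1])


@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "tcp" or "ip"
    dst: str              # "any" or a dotted address
    port: Optional[int]   # None means any port


def parse_acl(text):
    """Parse the subset of PIX access-list syntax that appears in the thread."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[5:]   # tok[4] is the source, "any"
        if rest[0] == "host":
            rest = rest[1:]
        dst = NAMES.get(rest[0], rest[0])
        port = None
        if len(rest) >= 3 and rest[1] == "eq":
            port = PORT_KEYWORDS.get(rest[2]) or int(rest[2])
        entries.append(AclEntry(action, proto, dst, port))
    return entries


def parse_router_statics(text):
    """Return {public_port: (local_ip, local_port)} for the 827's static TCP maps."""
    table = {}
    prefix = ["ip", "nat", "inside", "source", "static", "tcp"]
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 11 and tok[:6] == prefix and tok[8] == "interface":
            table[int(tok[10])] = (tok[6], int(tok[7]))
    return table


def acl_action(entries, proto, dst, port):
    """The first matching entry decides; no match at all is an implicit deny."""
    for e in entries:
        if e.proto in ("ip", proto) and e.dst in ("any", dst) and e.port in (None, port):
            return e.action
    return "deny"


def trace(public_port, router_nat, pix_acl):
    """Follow one inbound TCP connection to Dialer1:<public_port>."""
    statics = parse_router_statics(router_nat)
    if public_port not in statics:
        return ("dropped at 827", "no static translation for this port")
    pix_global, port = statics[public_port]
    if ip_address(pix_global) not in ROUTER_LAN:
        return ("lost at 827", f"{pix_global} is not on Ethernet0's network")
    # The outside ACL is written against the translated (outside-side) address.
    if acl_action(parse_acl(pix_acl), "tcp", pix_global, port) != "permit":
        return ("denied at PIX", "outside_access_in")
    if pix_global not in PIX_STATICS:
        return ("dropped at PIX", f"no static for {pix_global}")
    return ("delivered", f"{PIX_STATICS[pix_global]}:{port}")


def reachable_ports(router_nat, pix_acl):
    """Audit helper: public ports that actually end up at an inside host."""
    return sorted(p for p in parse_router_statics(router_nat)
                  if trace(p, router_nat, pix_acl)[0] == "delivered")


if __name__ == "__main__":
    for label, nat, acl in [
        ("as posted", ROUTER_NAT_POSTED, PIX_ACL_POSTED),
        ("827 repointed only", ROUTER_NAT_REPOINTED, PIX_ACL_POSTED),
        ("827 repointed, ACL reordered", ROUTER_NAT_REPOINTED, PIX_ACL_REORDERED),
    ]:
        print(f"{label:30} {trace(81, nat, acl)}  exposed={reachable_ports(nat, acl)}")
```

`reachable_ports` doubles as an exposure check: once the path works, its output is the complete list of Internet-facing ports that reach the inside network.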
  5. Marc

    Marc Guest

    "Phillip Remaker" <> wrote in message
    news:1074159174.156347@sj-nntpcache-5...
    >
    > "Marc" <> wrote in message
    > news:...
    > > Also, I can ping my 827 from my inside network. But when I telnet into the
    > > router from my inside network and ping my inside network, it times out too.
    >
    > Right, that's what you want the 501 doing. Allow outbound, stop inbound.
    > You need to punch a hole through the 501 to allow inbound traffic.
    >
    >
    > > The farthest I can get is the inside interface of the PIX.
    >
    > That is a feature. If you want pings answered from the routide, you'd need
    > to add
    > access-list outside_access_in permit icmp any any echo-request
    >
    > Couple things:
    >
    > 0) You really want a static address service for this job.
    > 0a) Or a DDNS service (most webcams support that these days... which webcam?
    > Linksys does DDNS :cool:
    >
    > 1) If you are trying to attach TO the webcam, you will need a translation
    > for the 827 of the form
    > ip nat inside source static tcp y.y.y.y 81 x.x.x.x 81 extendable
    > ip nat inside source static tcp y.y.y.y 8483 5900 x.x.x.x 8483 extendable
    >
    > Where y.y.y.y is the inside address and x.x.x.x is the public IP.
    >
    > BUT since your public IP is dynamic, you can't do that.
    >
    > I'm not sure there is a way to allow these maps to learn and use the dynamic
    > address, unless the form
    >
    > ip nat inside source static tcp y.y.y.y 81 interface dialer 0 81 extendable
    > ip nat inside source static tcp y.y.y.y 8483 5900 interface dialer 0 8483
    > extendable
    >
    > is accepted by the parser, which I think it is not.
    >
    > Why do you have the 827 involved at all? Just as an (expensive) DSL modem?
    > You might prefer getting an RFC1483 bridge (cheap!) and using the PPPOE
    > feature of the 501.
    >
    > Or better, get a static address.
    >
    > Double NAT is too painful even for the heartiest of folks.
    >
    > This application begs for a static address.
    >
    > If you just need simple NAT services, you might consider a Linksys in this
    > application.
    >

    I'm thinking about getting rid of the 827. I won it at a Cisco conference,
    several years ago. I could buy 3 statics, but I want to get it working with
    the dynamic first. The lease for my IP is 3 days, which is enough time to
    test this config. Actually, I'm thinking about getting rid of the PIX too. I
    used to do Cisco, but in my job now, I just do Windows. To me, the PIX is a
    great firewall, but it is not user friendly. It's too complicated to just
    block or open a simple port, as I'm experiencing here. For example, with the
    Linksys, I believe all you have to do is select 'Allow virtual port [port
    number]', and that's it. On the other hand, I love a challenge, which is why
    I want to tackle this.
     
    Marc, Jan 16, 2004
    #5
  6. ok,

    the translations got screwed up on the router, enter these lines to correct
    it (you shouldn't get any errors when entering them):

    no ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    no ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    no ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    no ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
    ip nat inside source static tcp 10.1.1.36 8481 interface Dialer1 8481
    ip nat inside source static tcp 10.1.1.36 80 interface Dialer1 80
    ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482


    Correct the PIX's inbound access-list.

    no access-list outside_access_in
    access-list outside_access_in permit tcp any host WEBSERVER eq 81
    access-list outside_access_in permit tcp any host WEBSERVER eq www
    access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    access-list outside_access_in deny ip any any
    access-group outside_access_in in interface outside

    That's all that looks wrong to me. Please repost the same stuff again :)

    Regards,

    Scott.
    \|/
    (o o)
    ---------------------oOOO--(_)--OOOo----------------------
    Out the 100Base-T, off the firewall, through the router, down
    the T1, over the leased line, off the bridge, nothing but Net.
    (Use ROT13 to see my email address)
    .oooO Oooo.
    ----------------------( )---( )-----------------------
    \ ( ) /
    \_) (_/


    "Marc" <> wrote in message
    news:...
    > Thank you for the config. I changed it. The new configs are below, as well
    > as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
    > 8482 are still blank. Can you determine what I did wrong? Thanks.
    >
    > DSL Router:
    > DSLrouter#sh ip nat translations
    > Pro Inside global       Inside local     Outside local         Outside global
    > tcp 24.155.75.86:64436  10.1.1.35:64436  24.167.56.193:1949    24.167.56.193:1949
    > tcp 24.155.75.86:1      10.1.1.1:23      10.1.1.35:64336       10.1.1.35:64336
    > tcp 24.155.75.86:64495  10.1.1.35:64495  64.157.107.71:80      64.157.107.71:80
    > tcp 24.155.75.86:64496  10.1.1.35:64496  64.157.107.71:80      64.157.107.71:80
    > tcp 24.155.75.86:80     192.1.2.14:80    ---                   ---
    > tcp 24.155.75.86:81     192.1.2.14:81    ---                   ---
    > tcp 24.155.75.86:64498  10.1.1.35:64498  209.11.131.36:80      209.11.131.36:80
    > tcp 24.155.75.86:64521  10.1.1.35:64521  24.165.151.247:1077   24.165.151.247:1077
    > tcp 24.155.75.86:64522  10.1.1.35:64522  24.165.151.247:1077   24.165.151.247:1077
    > tcp 24.155.75.86:64523  10.1.1.35:64523  24.165.151.247:1077   24.165.151.247:1077
    > tcp 24.155.75.86:8481   192.1.2.14:8481  ---                   ---
    > tcp 24.155.75.86:8482   192.1.2.14:8482  ---                   ---
    > tcp 24.155.75.86:64361  10.1.1.35:64361  216.155.193.167:5050  216.155.193.167:5050
    > tcp 24.155.75.86:64501  10.1.1.35:64501  67.23.182.154:3531    67.23.182.154:3531
    > tcp 24.155.75.86:64487  10.1.1.35:64487  66.135.211.87:443     66.135.211.87:443
    >
    > PIX 501
    >
    > pixfirewall# sh xlate
    > 12 in use, 318 most used
    > PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
    > PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
    > PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
    > PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
    > PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
    > PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
    > PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
    > PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
    > PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
    > PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
    > PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
    > PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)
    >
    > Current Configs
    > PIX 501
    > PIX Version 6.3(3)
    > interface ethernet0 10baset
    > interface ethernet1 100full
    > nameif ethernet0 outside security0
    > nameif ethernet1 inside security100
    > enable password 0JeJdBKOXHOPaqYc encrypted
    > passwd 0JeJdBKOXHOPaqYc encrypted
    > hostname pixfirewall
    > domain-name blabla.com
    > fixup protocol dns maximum-length 512
    > fixup protocol ftp 21
    > fixup protocol h323 h225 1720
    > fixup protocol h323 ras 1718-1719
    > fixup protocol http 80
    > fixup protocol ils 389
    > fixup protocol rsh 514
    > fixup protocol rtsp 554
    > fixup protocol sip 5060
    > fixup protocol sip udp 5060
    > fixup protocol skinny 2000
    > fixup protocol smtp 25
    > fixup protocol sqlnet 1521
    > fixup protocol tftp 69
    > names
    > name 66.0.0.0 DNS
    > name 10.1.1.35 PIX_OUTSIDE
    > name 192.168.1.1 PIX_INSIDE
    > name 10.1.1.36 WEBSERVER
    > access-list outside_access_in deny ip any any
    > access-list outside_access_in permit tcp any host WEBSERVER eq 81
    > access-list outside_access_in permit tcp any host WEBSERVER eq www
    > access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    > access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    > access-list inside_access_in permit ip any any
    > access-list inbound permit tcp any any eq 8482
    > no pager
    > logging on
    > logging timestamp
    > logging trap warnings
    > logging host inside 192.168.1.17 format emblem
    > mtu outside 1492
    > mtu inside 1492
    > ip address outside PIX_OUTSIDE 255.0.0.0
    > ip address inside PIX_INSIDE 255.255.255.0
    > ip verify reverse-path interface inside
    > ip audit info action alarm
    > ip audit attack action alarm
    > pdm location 192.168.0.0 255.255.255.0 inside
    > pdm location DNS 255.255.255.0 inside
    > pdm location DNS 255.255.255.255 outside
    > pdm location PIX_OUTSIDE 255.255.255.255 outside
    > pdm location 10.0.0.0 255.0.0.0 inside
    > pdm location PIX_OUTSIDE 255.255.255.255 inside
    > pdm location 192.168.1.17 255.255.255.255 inside
    > pdm location 192.168.0.0 255.255.0.0 inside
    > pdm location 192.168.1.50 255.255.255.255 inside
    > pdm logging informational 100
    > pdm history enable
    > arp timeout 14400
    > global (outside) 1 interface
    > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
    > access-group outside_access_in in interface outside
    > access-group inside_access_in in interface inside
    > route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    > timeout xlate 0:05:00
    > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > 1:00:00
    > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > timeout uauth 0:05:00 absolute
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server RADIUS protocol radius
    > aaa-server LOCAL protocol local
    > aaa authentication enable console LOCAL
    > aaa authentication http console LOCAL
    > http server enable
    > http 192.168.1.0 255.255.255.0 inside
    > no snmp-server location
    > no snmp-server contact
    > snmp-server community public
    > no snmp-server enable traps
    > floodguard enable
    > telnet 192.168.1.0 255.255.255.0 inside
    > telnet timeout 15
    > ssh timeout 5
    > console timeout 0
    > dhcpd address 192.168.1.2-192.168.1.33 inside
    > dhcpd dns 66.228.128.70 66.228.128.202
    > dhcpd lease 259200
    > dhcpd ping_timeout 750
    > dhcpd auto_config outside
    > dhcpd enable inside
    > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    > terminal width 80
    > Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384
    >
    > Router 827:
    >
    > version 12.3
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > service password-encryption
    > !
    > hostname DSLrouter
    > !
    > boot-start-marker
    > boot-end-marker
    > !
    > no logging buffered
    > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    > !
    > username blabla password 7 010409160A0D030B
    > username CRWS_Kannan privilege 15 password 7
    > 015757406C5A002E65431F062A2007135A5
    > F527E7F7D78656775
    > no aaa new-model
    > ip subnet-zero
    > ip name-server 66.228.128.70
    > ip name-server 66.228.128.69
    > ip dhcp excluded-address 10.1.1.1
    > ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > !
    > ip dhcp pool CLIENT
    > import all
    > network 10.0.0.0 255.0.0.0
    > default-router 10.1.1.1
    > lease 0 2
    > !
    > ip ssh break-string
    > !
    > !
    > !
    > !
    > !
    > !
    > interface Ethernet0
    > description CRWS Generated text. Please do not delete
    > this:10.1.1.1-255.0.0.0
    > ip address 10.1.1.1 255.0.0.0
    > ip mtu 1452
    > ip nat inside
    > ip tcp adjust-mss 1452
    > ipv6 mtu 1452
    > hold-queue 100 out
    > !
    > interface Virtual-Template1
    > no ip address
    > !
    > interface ATM0
    > mtu 1492
    > no ip address
    > atm vc-per-vp 64
    > no atm ilmi-keepalive
    > pvc 0/35
    > pppoe-client dial-pool-number 1
    > !
    > dsl operating-mode auto
    > !
    > interface Dialer1
    > mtu 1492
    > ip address negotiated
    > ip nat outside
    > encapsulation ppp
    > ip tcp adjust-mss 1452
    > dialer pool 1
    > dialer remote-name redback
    > dialer-group 1
    > ppp authentication pap chap callin
    > ppp chap hostname blabla
    > ppp chap password 7 07182E5E1F0F1C01
    > ppp pap sent-username blabla password 7 131218005A0A012E
    > ppp ipcp dns request
    > ppp ipcp wins request
    > !
    > ip nat inside source list 102 interface Dialer1 overload
    > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    > ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer1
    > ip http server
    > ip http secure-server
    > !
    > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    > dialer-list 1 protocol ip permit
    > !
    > !
    > line con 0
    > exec-timeout 120 0
    > transport preferred all
    > transport output all
    > stopbits 1
    > line vty 0 4
    > exec-timeout 120 0
    > login local
    > length 0
    > transport preferred all
    > transport input all
    > transport output all
    > !
    > scheduler max-task-time 5000
    > !
    > end
    >
    >
    > "scott enwright" <> wrote in message
    > news:0OrNb.13106$...
    > > Marc,
    > >
    > > Doesn't the configuration have to have the following properties:
    > > 1. A public address on the outside interface of the 827 router (a static
    > > address would be preferable)
    > > 2. A private IP address on the inside of the 827 router
    > > 3. NAT is performed for all traffic entering the 827's Ethernet interface
    > > and leaving the PPPoE circuit.
    > > 4. A private IP address is on the PIX's outside interface
    > > 5. A (different) private network is on the PIX's inside interface
    > > 6. NAT is being performed for all traffic leaving the PIX to the web
    > >
    > > For this to work you need a configuration that:
    > > 1. Translates ports 81 and 8482 on the 827 public address into a private
    > > address (one that is not defined on the PIX)
    > > 2. The PIX needs to translate these addresses to the real internal (PIX
    > > inside) addresses/ports.
    > >
    > > I have made the following assumptions:
    > > 1. Both port 81 and 8482 go to the same box and the same ports.
    > >
    > > Here are the config changes:
    > >
    > > name 10.1.1.36 WEBSERVER
    > > no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask
    > > 255.255.255.255
    > > no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask
    > > 255.255.255.255
    > > no static (inside,outside) tcp interface www 192.168.1.50 www netmask
    > > 255.255.255.255
    > > no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask
    > > 255.255.255.255
    > > no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
    > > static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
    > >
    > > no access-list outside_access_in
    > > access-list outside_access_in permit tcp any 10.1.1.36 eq 81
    > > access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
    > > access-list outside_access_in deny ip any any
    > > access-group outside_access_in in interface outside
    > > no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    > > route outside 0.0.0.0 0.0.0.0 10.10.10.1
    > >
    > > no ip dhcp excluded-address 10.1.1.1
    > > no ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > > no ip dhcp pool CLIENT
    > >
    > >
    > > Cisco 827 Changes
    > > ====================
    > > interface Ethernet0
    > > no ip address 10.1.1.1 255.0.0.0 secondary
    > > exit
    > > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > > extendable no-alias
    > > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > > extendable no-alias
    > >
    > >
    > > Afterwards, can you do a 'show ip nat translations' and on the pix 'show
    > > xlate' and repost this data and the new configs :)
    > >
    > > Regards,
    > >
    > > Scott.
    > > \|/
    > > (o o)
    > > ---------------------oOOO--(_)--OOOo----------------------
    > > Out the 100Base-T, off the firewall, through the router, down
    > > the T1, over the leased line, off the bridge, nothing but Net.
    > > (Use ROT13 to see my email address)
    > > .oooO Oooo.
    > > ----------------------( )---( )-----------------------
    > > \ ( ) /
    > > \_) (_/
    > >
    > >
    > > "Marc" <> wrote in message
    > > news:...
    > > > I bought a Wireless camera about 2 months ago. It is set up to use port 81
    > > > and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
    > > > address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.
    > > >
    > > > My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
    > > > what I want to do)
    > > > Cisco 827 10.1.1.1
    > > > PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
    > > > Inside network 192.168.1.X
    > > >
    > > > Also, I can ping my 827 from my inside network. But when I telnet into the
    > > > router from my inside network and ping my inside network, it times out too.
    > > > The farthest I can get is the inside interface of the PIX. I thought Chap
    > > > may have something to do with all of this, but I'm not sure. I know if I
    > > > could just ping my inside network from my router, that would probably solve
    > > > most of this.
    > > >
    > > > I've been at this for 2 months, and have tried everything. NG searches, Port
    > > > forwarding, access-lists. Nothing seems to work. I had port forwarding and
    > > > access-lists specifically for ports www, 81 and 8482 on my router, but I
    > > > removed them, because they didn't make a difference. I'm sure the answer
    > > > lies in my firewall, but no matter what I do, I can't get to my inside
    > > > network from the outside. Not even a ping from the router. I'm not an expert
    > > > like a lot of you, so I hope this is not too rudimentary. But I'm all out of
    > > > ideas. Any help would be greatly appreciated. My configs are below:
    > > >
    > > > PIX 501:
    > > > PIX Version 6.3(3)
    > > > interface ethernet0 10baset
    > > > interface ethernet1 100full
    > > > nameif ethernet0 outside security0
    > > > nameif ethernet1 inside security100
    > > > enable password 0JeJdBKOXHOPaqYc encrypted
    > > > passwd 0JeJdBKOXHOPaqYc encrypted
    > > > hostname pixfirewall
    > > > domain-name blabla.com
    > > > fixup protocol dns maximum-length 512
    > > > fixup protocol ftp 21
    > > > fixup protocol h323 h225 1720
    > > > fixup protocol h323 ras 1718-1719
    > > > fixup protocol http 80
    > > > fixup protocol ils 389
    > > > fixup protocol rsh 514
    > > > fixup protocol rtsp 554
    > > > fixup protocol sip 5060
    > > > fixup protocol sip udp 5060
    > > > fixup protocol skinny 2000
    > > > fixup protocol smtp 25
    > > > fixup protocol sqlnet 1521
    > > > fixup protocol tftp 69
    > > > names
    > > > name 66.0.0.0 DNS
    > > > name 10.1.1.35 PIX_OUTSIDE
    > > > name 192.168.1.1 PIX_INSIDE
    > > > access-list outside_access_in permit icmp any any echo-reply
    > > > access-list outside_access_in permit tcp any any eq 81
    > > > access-list outside_access_in permit tcp any any eq www
    > > > access-list outside_access_in permit tcp any any eq 8481
    > > > access-list outside_access_in deny ip any any
    > > > access-list inside_access_in permit ip any any
    > > > access-list inbound permit tcp any any eq 8482
    > > > no pager
    > > > logging on
    > > > logging timestamp
    > > > logging trap warnings
    > > > logging host inside 192.168.1.17 format emblem
    > > > mtu outside 1492
    > > > mtu inside 1492
    > > > ip address outside PIX_OUTSIDE 255.0.0.0
    > > > ip address inside PIX_INSIDE 255.255.255.0
    > > > ip verify reverse-path interface inside
    > > > ip audit info action alarm
    > > > ip audit attack action alarm
    > > > pdm location 192.168.0.0 255.255.255.0 inside
    > > > pdm location DNS 255.255.255.0 inside
    > > > pdm location DNS 255.255.255.255 outside
    > > > pdm location PIX_OUTSIDE 255.255.255.255 outside
    > > > pdm location 10.0.0.0 255.0.0.0 inside
    > > > pdm location PIX_OUTSIDE 255.255.255.255 inside
    > > > pdm location 192.168.1.17 255.255.255.255 inside
    > > > pdm location 192.168.0.0 255.255.0.0 inside
    > > > pdm location 192.168.1.50 255.255.255.255 inside
    > > > pdm logging informational 100
    > > > pdm history enable
    > > > arp timeout 14400
    > > > global (outside) 1 interface
    > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > static (inside,outside) tcp interface 81 192.168.1.50 81 netmask
    > > > 255.255.255.255 0 0
    > > > static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask
    > > > 255.255.255.255 0 0
    > > > static (inside,outside) tcp interface www 192.168.1.50 www netmask
    > > > 255.255.255.255 0 0
    > > > static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask
    > > > 255.255.255.255 0 0
    > > > static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
    > > > access-group outside_access_in in interface outside
    > > > access-group inside_access_in in interface inside
    > > > route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    > > > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    > > > timeout xlate 0:05:00
    > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > > 1:00:00
    > > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > > timeout uauth 0:05:00 absolute
    > > > aaa-server TACACS+ protocol tacacs+
    > > > aaa-server RADIUS protocol radius
    > > > aaa-server LOCAL protocol local
    > > > aaa authentication enable console LOCAL
    > > > aaa authentication http console LOCAL
    > > > http server enable
    > > > http 192.168.1.0 255.255.255.0 inside
    > > > no snmp-server location
    > > > no snmp-server contact
    > > > snmp-server community public
    > > > no snmp-server enable traps
    > > > floodguard enable
    > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > telnet timeout 15
    > > > ssh timeout 5
    > > > console timeout 0
    > > > dhcpd address 192.168.1.2-192.168.1.33 inside
    > > > dhcpd dns 66.228.128.70 66.228.128.202
    > > > dhcpd lease 259200
    > > > dhcpd ping_timeout 750
    > > > dhcpd auto_config outside
    > > > dhcpd enable inside
    > > > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    > > > terminal width 80
    > > > Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
    > > > : end
    > > > [OK]
    > > >
    > > > Cisco 827:
    > > > Using 2038 out of 131072 bytes
    > > > !
    > > > version 12.3
    > > > no service pad
    > > > service timestamps debug uptime
    > > > service timestamps log uptime
    > > > service password-encryption
    > > > !
    > > > hostname DSLrouter
    > > > !
    > > > boot-start-marker
    > > > boot-end-marker
    > > > !
    > > > no logging buffered
    > > > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    > > > !
    > > > username blabla password 7 010409160A0D030B
    > > > username CRWS_Kannan privilege 15 password 7
    > > > 015757406C5A002E65431F062A2007135A5
    > > > F527E7F7D78656775
    > > > no aaa new-model
    > > > ip subnet-zero
    > > > ip name-server 66.228.128.70
    > > > ip name-server 66.228.128.69
    > > > ip dhcp excluded-address 10.1.1.1
    > > > ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > > > !
    > > > ip dhcp pool CLIENT
    > > > import all
    > > > network 10.0.0.0 255.0.0.0
    > > > default-router 10.1.1.1
    > > > lease 0 2
    > > > !
    > > > ip ssh break-string
    > > > !
    > > > !
    > > > interface Ethernet0
    > > > description CRWS Generated text. Please do not delete
    > > > this:10.1.1.1-255.0.0.0
    > > > ip address 10.1.1.1 255.0.0.0 secondary
    > > > ip address 10.10.10.1 255.255.255.0
    > > > ip mtu 1452
    > > > ip nat inside
    > > > ip tcp adjust-mss 1452
    > > > ipv6 mtu 1452
    > > > hold-queue 100 out
    > > > !
    > > > interface Virtual-Template1
    > > > no ip address
    > > > !
    > > > interface ATM0
    > > > mtu 1492
    > > > no ip address
    > > > atm vc-per-vp 64
    > > > no atm ilmi-keepalive
    > > > pvc 0/35
    > > > pppoe-client dial-pool-number 1
    > > > !
    > > > dsl operating-mode auto
    > > > !
    > > > interface Dialer1
    > > > mtu 1492
    > > > ip address negotiated
    > > > ip nat outside
    > > > encapsulation ppp
    > > > ip tcp adjust-mss 1452
    > > > dialer pool 1
    > > > dialer remote-name redback
    > > > dialer-group 1
    > > > ppp authentication pap chap callin
    > > > ppp chap hostname blabla
    > > > ppp chap password 7 07182E5E1F0F1C01
    > > > ppp pap sent-username blabla password 7 131218005A0A012E
    > > > ppp ipcp dns request
    > > > ppp ipcp wins request
    > > > !
    > > > ip nat inside source list 102 interface Dialer1 overload
    > > > ip classless
    > > > ip route 0.0.0.0 0.0.0.0 Dialer1
    > > > ip http server
    > > > ip http secure-server
    > > > !
    > > > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    > > > dialer-list 1 protocol ip permit
    > > > !
    > > > !
    > > > line con 0
    > > > exec-timeout 120 0
    > > > transport preferred all
    > > > transport output all
    > > > stopbits 1
    > > > line vty 0 4
    > > > exec-timeout 120 0
    > > > login local
    > > > length 0
    > > > transport preferred all
    > > > transport input all
    > > > transport output all
    > > > !
    > > > scheduler max-task-time 5000
    > > > !
    > > > end
     
    scott enwright, Jan 16, 2004
    #6
  7. Marc

    Marc Guest

    Re: It worked.......Get from outside through Cisco 827, PIX 501 to Server. Urgent.pls help

    Scott. It worked!

    This was the key:

    (I left out the other ports in this post to avoid redundancy)

    PIX:

    access-list outside_access_in permit ip any host 10.1.1.36
    access-list inside_access_in permit ip any any
    access-list inbound permit tcp any any eq 81
    access-list outside_access_in deny ip any any (last rule)

    static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255 0 0

    827:
    ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81

    Now when I get a static IP, I think all I have to do is change "interface
    Dialer1" to the public IP address.

    Not only did this work, but I learned a lot about nat translation as well,
    and its function.

    Thanks!

    "scott enwright" <> wrote in message
    news:GnMNb.14362$...
    > ok,
    >
    > the translations got screwed up on the router, enter these lines to correct
    > it (you shouldn't get any errors when entering them):
    >
    > no ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > no ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > no ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    > no ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    > ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81
    > ip nat inside source static tcp 10.1.1.36 8481 interface Dialer1 8481
    > ip nat inside source static tcp 10.1.1.36 80 interface Dialer1 80
    > ip nat inside source static tcp 10.1.1.36 8482 interface Dialer1 8482
    >
    >
    > Correct the PIX's inbound access-list.
    >
    > no access-list outside_access_in
    > access-list outside_access_in permit tcp any host WEBSERVER eq 81
    > access-list outside_access_in permit tcp any host WEBSERVER eq www
    > access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    > access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    > access-list outside_access_in deny ip any any
    > access-group outside_access_in in interface outside
    >
    > That's all that looks wrong to me. Please repost the same stuff again :)
    >
    > Regards,
    >
    > Scott.
    > \|/
    > (o o)
    > ---------------------oOOO--(_)--OOOo----------------------
    > Out the 100Base-T, off the firewall, through the router, down
    > the T1, over the leased line, off the bridge, nothing but Net.
    > (Use ROT13 to see my email address)
    > .oooO Oooo.
    > ----------------------( )---( )-----------------------
    > \ ( ) /
    > \_) (_/
    >
    >
    > "Marc" <> wrote in message
    > news:...
    > > Thank you for the config. I changed it. The new configs are below, as well
    > > as the xlate and ip nat translations. It looks like port 80, 81, 8481 and
    > > 8482 are still blank. Can you determine what I did wrong? Thanks.
    > >
    > > DSL Router:
    > > DSLrouter#sh ip nat translations
    > > Pro Inside global        Inside local      Outside local         Outside global
    > > tcp 24.155.75.86:64436   10.1.1.35:64436   24.167.56.193:1949    24.167.56.193:1949
    > > tcp 24.155.75.86:1       10.1.1.1:23       10.1.1.35:64336       10.1.1.35:64336
    > > tcp 24.155.75.86:64495   10.1.1.35:64495   64.157.107.71:80      64.157.107.71:80
    > > tcp 24.155.75.86:64496   10.1.1.35:64496   64.157.107.71:80      64.157.107.71:80
    > > tcp 24.155.75.86:80      192.1.2.14:80     ---                   ---
    > > tcp 24.155.75.86:81      192.1.2.14:81     ---                   ---
    > > tcp 24.155.75.86:64498   10.1.1.35:64498   209.11.131.36:80      209.11.131.36:80
    > > tcp 24.155.75.86:64521   10.1.1.35:64521   24.165.151.247:1077   24.165.151.247:1077
    > > tcp 24.155.75.86:64522   10.1.1.35:64522   24.165.151.247:1077   24.165.151.247:1077
    > > tcp 24.155.75.86:64523   10.1.1.35:64523   24.165.151.247:1077   24.165.151.247:1077
    > > tcp 24.155.75.86:8481    192.1.2.14:8481   ---                   ---
    > > tcp 24.155.75.86:8482    192.1.2.14:8482   ---                   ---
    > > tcp 24.155.75.86:64361   10.1.1.35:64361   216.155.193.167:5050  216.155.193.167:5050
    > > tcp 24.155.75.86:64501   10.1.1.35:64501   67.23.182.154:3531    67.23.182.154:3531
    > > tcp 24.155.75.86:64487   10.1.1.35:64487   66.135.211.87:443     66.135.211.87:443
    > >
    > > PIX 501
    > >
    > > pixfirewall# sh xlate
    > > 12 in use, 318 most used
    > > PAT Global PIX_OUTSIDE(64501) Local 192.168.1.101(2734)
    > > PAT Global PIX_OUTSIDE(64496) Local 192.168.1.102(4160)
    > > PAT Global PIX_OUTSIDE(64495) Local 192.168.1.102(4159)
    > > PAT Global PIX_OUTSIDE(64487) Local 192.168.1.102(4153)
    > > PAT Global PIX_OUTSIDE(64436) Local 192.168.1.101(2723)
    > > PAT Global PIX_OUTSIDE(64361) Local 192.168.1.102(4035)
    > > PAT Global PIX_OUTSIDE(64353) Local 192.168.1.102(4010)
    > > PAT Global PIX_OUTSIDE(64336) Local 192.168.1.102(3996)
    > > PAT Global PIX_OUTSIDE(64523) Local 192.168.1.101(2741)
    > > PAT Global PIX_OUTSIDE(64522) Local 192.168.1.101(2740)
    > > PAT Global PIX_OUTSIDE(64521) Local 192.168.1.101(2739)
    > > PAT Global PIX_OUTSIDE(64514) Local 192.168.1.102(4173)
    > >
    > > Current Configs
    > > PIX 501
    > > PIX Version 6.3(3)
    > > interface ethernet0 10baset
    > > interface ethernet1 100full
    > > nameif ethernet0 outside security0
    > > nameif ethernet1 inside security100
    > > enable password 0JeJdBKOXHOPaqYc encrypted
    > > passwd 0JeJdBKOXHOPaqYc encrypted
    > > hostname pixfirewall
    > > domain-name blabla.com
    > > fixup protocol dns maximum-length 512
    > > fixup protocol ftp 21
    > > fixup protocol h323 h225 1720
    > > fixup protocol h323 ras 1718-1719
    > > fixup protocol http 80
    > > fixup protocol ils 389
    > > fixup protocol rsh 514
    > > fixup protocol rtsp 554
    > > fixup protocol sip 5060
    > > fixup protocol sip udp 5060
    > > fixup protocol skinny 2000
    > > fixup protocol smtp 25
    > > fixup protocol sqlnet 1521
    > > fixup protocol tftp 69
    > > names
    > > name 66.0.0.0 DNS
    > > name 10.1.1.35 PIX_OUTSIDE
    > > name 192.168.1.1 PIX_INSIDE
    > > name 10.1.1.36 WEBSERVER
    > > access-list outside_access_in deny ip any any
    > > access-list outside_access_in permit tcp any host WEBSERVER eq 81
    > > access-list outside_access_in permit tcp any host WEBSERVER eq www
    > > access-list outside_access_in permit tcp any host WEBSERVER eq 8481
    > > access-list outside_access_in permit tcp any host WEBSERVER eq 8482
    > > access-list inside_access_in permit ip any any
    > > access-list inbound permit tcp any any eq 8482
    > > no pager
    > > logging on
    > > logging timestamp
    > > logging trap warnings
    > > logging host inside 192.168.1.17 format emblem
    > > mtu outside 1492
    > > mtu inside 1492
    > > ip address outside PIX_OUTSIDE 255.0.0.0
    > > ip address inside PIX_INSIDE 255.255.255.0
    > > ip verify reverse-path interface inside
    > > ip audit info action alarm
    > > ip audit attack action alarm
    > > pdm location 192.168.0.0 255.255.255.0 inside
    > > pdm location DNS 255.255.255.0 inside
    > > pdm location DNS 255.255.255.255 outside
    > > pdm location PIX_OUTSIDE 255.255.255.255 outside
    > > pdm location 10.0.0.0 255.0.0.0 inside
    > > pdm location PIX_OUTSIDE 255.255.255.255 inside
    > > pdm location 192.168.1.17 255.255.255.255 inside
    > > pdm location 192.168.0.0 255.255.0.0 inside
    > > pdm location 192.168.1.50 255.255.255.255 inside
    > > pdm logging informational 100
    > > pdm history enable
    > > arp timeout 14400
    > > global (outside) 1 interface
    > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0
    > > access-group outside_access_in in interface outside
    > > access-group inside_access_in in interface inside
    > > route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
    > > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    > > timeout xlate 0:05:00
    > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225
    > > 1:00:00
    > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > timeout uauth 0:05:00 absolute
    > > aaa-server TACACS+ protocol tacacs+
    > > aaa-server RADIUS protocol radius
    > > aaa-server LOCAL protocol local
    > > aaa authentication enable console LOCAL
    > > aaa authentication http console LOCAL
    > > http server enable
    > > http 192.168.1.0 255.255.255.0 inside
    > > no snmp-server location
    > > no snmp-server contact
    > > snmp-server community public
    > > no snmp-server enable traps
    > > floodguard enable
    > > telnet 192.168.1.0 255.255.255.0 inside
    > > telnet timeout 15
    > > ssh timeout 5
    > > console timeout 0
    > > dhcpd address 192.168.1.2-192.168.1.33 inside
    > > dhcpd dns 66.228.128.70 66.228.128.202
    > > dhcpd lease 259200
    > > dhcpd ping_timeout 750
    > > dhcpd auto_config outside
    > > dhcpd enable inside
    > > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    > > terminal width 80
    > > Cryptochecksum:91f94940fc2a1e2f45f9b1c901828384
    > >
    > > Router 827:
    > >
    > > version 12.3
    > > no service pad
    > > service timestamps debug uptime
    > > service timestamps log uptime
    > > service password-encryption
    > > !
    > > hostname DSLrouter
    > > !
    > > boot-start-marker
    > > boot-end-marker
    > > !
    > > no logging buffered
    > > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    > > !
    > > username blabla password 7 010409160A0D030B
    > > username CRWS_Kannan privilege 15 password 7
    > > 015757406C5A002E65431F062A2007135A5
    > > F527E7F7D78656775
    > > no aaa new-model
    > > ip subnet-zero
    > > ip name-server 66.228.128.70
    > > ip name-server 66.228.128.69
    > > ip dhcp excluded-address 10.1.1.1
    > > ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > > !
    > > ip dhcp pool CLIENT
    > > import all
    > > network 10.0.0.0 255.0.0.0
    > > default-router 10.1.1.1
    > > lease 0 2
    > > !
    > > ip ssh break-string
    > > !
    > > !
    > > !
    > > !
    > > !
    > > !
    > > interface Ethernet0
    > > description CRWS Generated text. Please do not delete
    > > this:10.1.1.1-255.0.0.0
    > > ip address 10.1.1.1 255.0.0.0
    > > ip mtu 1452
    > > ip nat inside
    > > ip tcp adjust-mss 1452
    > > ipv6 mtu 1452
    > > hold-queue 100 out
    > > !
    > > interface Virtual-Template1
    > > no ip address
    > > !
    > > interface ATM0
    > > mtu 1492
    > > no ip address
    > > atm vc-per-vp 64
    > > no atm ilmi-keepalive
    > > pvc 0/35
    > > pppoe-client dial-pool-number 1
    > > !
    > > dsl operating-mode auto
    > > !
    > > interface Dialer1
    > > mtu 1492
    > > ip address negotiated
    > > ip nat outside
    > > encapsulation ppp
    > > ip tcp adjust-mss 1452
    > > dialer pool 1
    > > dialer remote-name redback
    > > dialer-group 1
    > > ppp authentication pap chap callin
    > > ppp chap hostname blabla
    > > ppp chap password 7 07182E5E1F0F1C01
    > > ppp pap sent-username blabla password 7 131218005A0A012E
    > > ppp ipcp dns request
    > > ppp ipcp wins request
    > > !
    > > ip nat inside source list 102 interface Dialer1 overload
    > > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > > ip nat inside source static tcp 192.1.2.14 80 interface Dialer1 80
    > > ip nat inside source static tcp 192.1.2.14 8482 interface Dialer1 8482
    > > ip classless
    > > ip route 0.0.0.0 0.0.0.0 Dialer1
    > > ip http server
    > > ip http secure-server
    > > !
    > > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    > > dialer-list 1 protocol ip permit
    > > !
    > > !
    > > line con 0
    > > exec-timeout 120 0
    > > transport preferred all
    > > transport output all
    > > stopbits 1
    > > line vty 0 4
    > > exec-timeout 120 0
    > > login local
    > > length 0
    > > transport preferred all
    > > transport input all
    > > transport output all
    > > !
    > > scheduler max-task-time 5000
    > > !
    > > end
    > >
    > >
    > > "scott enwright" <> wrote in message
    > > news:0OrNb.13106$...
    > > > Marc,
    > > >
    > > > Doesn't the configuration have to have the following properties:
    > > > 1. A public address on the outside interface of the 827 router (a static
    > > > address would be preferable)
    > > > 2. A private IP address on the inside of the 827 router
    > > > 3. NAT is performed for all traffic entering the 827's Ethernet interface
    > > > and leaving the PPPoE circuit.
    > > > 4. A private IP address is on the PIX's outside interface
    > > > 5. A (different) private network is on the PIX's inside interface
    > > > 6. NAT is being performed for all traffic leaving the PIX to the web
    > > >
    > > > For this to work you need a configuration that:
    > > > 1. Translates ports 81 and 8482 on the 827 public address into a private
    > > > address (one that is not defined on the PIX)
    > > > 2. The PIX needs to translate these addresses to the real internal (PIX
    > > > inside) addresses/ports.
    > > >
    > > > I have made the following assumptions:
    > > > 1. Both port 81 and 8482 go to the same box and the same ports.
    > > >
    > > > Here are the config changes:
    > > >
    > > > name 10.1.1.36 WEBSERVER
    > > > no static (inside,outside) tcp interface 81 192.168.1.50 81 netmask 255.255.255.255
    > > > no static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask 255.255.255.255
    > > > no static (inside,outside) tcp interface www 192.168.1.50 www netmask 255.255.255.255
    > > > no static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask 255.255.255.255
    > > > no static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255
    > > > static (inside,outside) 10.1.1.36 192.168.1.50 netmask 255.255.255.255
    > > >
    > > > no access-list outside_access_in
    > > > access-list outside_access_in permit tcp any 10.1.1.36 eq 81
    > > > access-list outside_access_in permit tcp any 10.1.1.36 eq 8481
    > > > access-list outside_access_in deny ip any any
    > > > access-group outside_access_in in interface outside
    > > > no route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    > > > route outside 0.0.0.0 0.0.0.0 10.10.10.1
    > > >
    > > > no ip dhcp excluded-address 10.1.1.1
    > > > no ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > > > no ip dhcp pool CLIENT
    > > >
    > > >
    > > > Cisco 827 Changes
    > > > ====================
    > > > interface Ethernet0
    > > > no ip address 10.1.1.1 255.0.0.0 secondary
    > > > exit
    > > > ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81
    > > > extendable no-alias
    > > > ip nat inside source static tcp 192.1.2.14 8481 interface Dialer1 8481
    > > > extendable no-alias
    > > >
    > > >
    > > > Afterwards, can you do a 'show ip nat translations' and on the pix 'show
    > > > xlate' and repost this data and the new configs :)
    > > >
    > > > Regards,
    > > >
    > > > Scott.
    > > > \|/
    > > > (o o)
    > > > ---------------------oOOO--(_)--OOOo----------------------
    > > > Out the 100Base-T, off the firewall, through the router, down
    > > > the T1, over the leased line, off the bridge, nothing but Net.
    > > > (Use ROT13 to see my email address)
    > > > .oooO Oooo.
    > > > ----------------------( )---( )-----------------------
    > > > \ ( ) /
    > > > \_) (_/
    > > >
    > > >
    > > > "Marc" <> wrote in message
    > > > news:...
    > > > > I bought a Wireless camera about 2 months ago. It is set up to use port 81
    > > > > and 8482. Its IP is 192.168.1.50. So from the 'outside,' I type [the IP
    > > > > address of Dialer1 in my Cisco 827]:81 or :8482. It always times out.
    > > > >
    > > > > My set up is DSL PPPoE (Dynamic IP. I have to look up the IP every day for
    > > > > what I want to do)
    > > > > Cisco 827 10.1.1.1
    > > > > PIX 501 (Outside 10.1.1.35) (Inside 192.168.1.1, the gateway obviously)
    > > > > Inside network 192.168.1.X
    > > > >
    > > > > Also, I can ping my 827 from my inside network. But when I telnet into the
    > > > > router from my inside network and ping my inside network, it times out too.
    > > > > The farthest I can get is the inside interface of the PIX. I thought Chap
    > > > > may have something to do with all of this, but I'm not sure. I know if I
    > > > > could just ping my inside network from my router, that would probably solve
    > > > > most of this.
    > > > >
    > > > > I've been at this for 2 months, and have tried everything. NG searches, Port
    > > > > forwarding, access-lists. Nothing seems to work. I had port forwarding and
    > > > > access-lists specifically for ports www, 81 and 8482 on my router, but I
    > > > > removed them, because they didn't make a difference. I'm sure the answer
    > > > > lies in my firewall, but no matter what I do, I can't get to my inside
    > > > > network from the outside. Not even a ping from the router. I'm not an expert
    > > > > like a lot of you, so I hope this is not too rudimentary. But I'm all out of
    > > > > ideas. Any help would be greatly appreciated. My configs are below:
    > > > >
    > > > > PIX 501:
    > > > > PIX Version 6.3(3)
    > > > > interface ethernet0 10baset
    > > > > interface ethernet1 100full
    > > > > nameif ethernet0 outside security0
    > > > > nameif ethernet1 inside security100
    > > > > enable password 0JeJdBKOXHOPaqYc encrypted
    > > > > passwd 0JeJdBKOXHOPaqYc encrypted
    > > > > hostname pixfirewall
    > > > > domain-name blabla.com
    > > > > fixup protocol dns maximum-length 512
    > > > > fixup protocol ftp 21
    > > > > fixup protocol h323 h225 1720
    > > > > fixup protocol h323 ras 1718-1719
    > > > > fixup protocol http 80
    > > > > fixup protocol ils 389
    > > > > fixup protocol rsh 514
    > > > > fixup protocol rtsp 554
    > > > > fixup protocol sip 5060
    > > > > fixup protocol sip udp 5060
    > > > > fixup protocol skinny 2000
    > > > > fixup protocol smtp 25
    > > > > fixup protocol sqlnet 1521
    > > > > fixup protocol tftp 69
    > > > > names
    > > > > name 66.0.0.0 DNS
    > > > > name 10.1.1.35 PIX_OUTSIDE
    > > > > name 192.168.1.1 PIX_INSIDE
    > > > > access-list outside_access_in permit icmp any any echo-reply
    > > > > access-list outside_access_in permit tcp any any eq 81
    > > > > access-list outside_access_in permit tcp any any eq www
    > > > > access-list outside_access_in permit tcp any any eq 8481
    > > > > access-list outside_access_in deny ip any any
    > > > > access-list inside_access_in permit ip any any
    > > > > access-list inbound permit tcp any any eq 8482
    > > > > no pager
    > > > > logging on
    > > > > logging timestamp
    > > > > logging trap warnings
    > > > > logging host inside 192.168.1.17 format emblem
    > > > > mtu outside 1492
    > > > > mtu inside 1492
    > > > > ip address outside PIX_OUTSIDE 255.0.0.0
    > > > > ip address inside PIX_INSIDE 255.255.255.0
    > > > > ip verify reverse-path interface inside
    > > > > ip audit info action alarm
    > > > > ip audit attack action alarm
    > > > > pdm location 192.168.0.0 255.255.255.0 inside
    > > > > pdm location DNS 255.255.255.0 inside
    > > > > pdm location DNS 255.255.255.255 outside
    > > > > pdm location PIX_OUTSIDE 255.255.255.255 outside
    > > > > pdm location 10.0.0.0 255.0.0.0 inside
    > > > > pdm location PIX_OUTSIDE 255.255.255.255 inside
    > > > > pdm location 192.168.1.17 255.255.255.255 inside
    > > > > pdm location 192.168.0.0 255.255.0.0 inside
    > > > > pdm location 192.168.1.50 255.255.255.255 inside
    > > > > pdm logging informational 100
    > > > > pdm history enable
    > > > > arp timeout 14400
    > > > > global (outside) 1 interface
    > > > > nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    > > > > static (inside,outside) tcp interface 81 192.168.1.50 81 netmask
    > > > > 255.255.255.255 0 0
    > > > > static (inside,outside) tcp interface 8482 192.168.1.50 8482 netmask
    > > > > 255.255.255.255 0 0
    > > > > static (inside,outside) tcp interface www 192.168.1.50 www netmask
    > > > > 255.255.255.255 0 0
    > > > > static (inside,outside) tcp interface 8481 192.168.1.50 8481 netmask
    > > > > 255.255.255.255 0 0
    > > > > static (inside,outside) PIX_INSIDE PIX_INSIDE netmask 255.255.255.255 0 0
    > > > > access-group outside_access_in in interface outside
    > > > > access-group inside_access_in in interface inside
    > > > > route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
    > > > > route inside PIX_OUTSIDE 255.255.255.255 10.1.1.1 1
    > > > > timeout xlate 0:05:00
    > > > > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    > > > > timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    > > > > timeout uauth 0:05:00 absolute
    > > > > aaa-server TACACS+ protocol tacacs+
    > > > > aaa-server RADIUS protocol radius
    > > > > aaa-server LOCAL protocol local
    > > > > aaa authentication enable console LOCAL
    > > > > aaa authentication http console LOCAL
    > > > > http server enable
    > > > > http 192.168.1.0 255.255.255.0 inside
    > > > > no snmp-server location
    > > > > no snmp-server contact
    > > > > snmp-server community public
    > > > > no snmp-server enable traps
    > > > > floodguard enable
    > > > > telnet 192.168.1.0 255.255.255.0 inside
    > > > > telnet timeout 15
    > > > > ssh timeout 5
    > > > > console timeout 0
    > > > > dhcpd address 192.168.1.2-192.168.1.33 inside
    > > > > dhcpd dns 66.228.128.70 66.228.128.202
    > > > > dhcpd lease 259200
    > > > > dhcpd ping_timeout 750
    > > > > dhcpd auto_config outside
    > > > > dhcpd enable inside
    > > > > username blabla password 8ArGC/ZkyTHYV9HQ encrypted privilege 15
    > > > > terminal width 80
    > > > > Cryptochecksum:6e2da49431ab4c028e1cc447ccc9d090
    > > > > : end
    > > > > [OK]
    > > > >
    > > > > Cisco 827:
    > > > > Using 2038 out of 131072 bytes
    > > > > !
    > > > > version 12.3
    > > > > no service pad
    > > > > service timestamps debug uptime
    > > > > service timestamps log uptime
    > > > > service password-encryption
    > > > > !
    > > > > hostname DSLrouter
    > > > > !
    > > > > boot-start-marker
    > > > > boot-end-marker
    > > > > !
    > > > > no logging buffered
    > > > > enable secret 5 $1$MWD6$zeU0/gtFE0WPWg8ju2qHY0
    > > > > !
    > > > > username blabla password 7 010409160A0D030B
    > > > > username CRWS_Kannan privilege 15 password 7
    > > > > 015757406C5A002E65431F062A2007135A5
    > > > > F527E7F7D78656775
    > > > > no aaa new-model
    > > > > ip subnet-zero
    > > > > ip name-server 66.228.128.70
    > > > > ip name-server 66.228.128.69
    > > > > ip dhcp excluded-address 10.1.1.1
    > > > > ip dhcp excluded-address 10.0.0.33 10.255.255.254
    > > > > !
    > > > > ip dhcp pool CLIENT
    > > > > import all
    > > > > network 10.0.0.0 255.0.0.0
    > > > > default-router 10.1.1.1
    > > > > lease 0 2
    > > > > !
    > > > > ip ssh break-string
    > > > > !
    > > > > !
    > > > > interface Ethernet0
    > > > > description CRWS Generated text. Please do not delete
    > > > > this:10.1.1.1-255.0.0.0
    > > > > ip address 10.1.1.1 255.0.0.0 secondary
    > > > > ip address 10.10.10.1 255.255.255.0
    > > > > ip mtu 1452
    > > > > ip nat inside
    > > > > ip tcp adjust-mss 1452
    > > > > ipv6 mtu 1452
    > > > > hold-queue 100 out
    > > > > !
    > > > > interface Virtual-Template1
    > > > > no ip address
    > > > > !
    > > > > interface ATM0
    > > > > mtu 1492
    > > > > no ip address
    > > > > atm vc-per-vp 64
    > > > > no atm ilmi-keepalive
    > > > > pvc 0/35
    > > > > pppoe-client dial-pool-number 1
    > > > > !
    > > > > dsl operating-mode auto
    > > > > !
    > > > > interface Dialer1
    > > > > mtu 1492
    > > > > ip address negotiated
    > > > > ip nat outside
    > > > > encapsulation ppp
    > > > > ip tcp adjust-mss 1452
    > > > > dialer pool 1
    > > > > dialer remote-name redback
    > > > > dialer-group 1
    > > > > ppp authentication pap chap callin
    > > > > ppp chap hostname blabla
    > > > > ppp chap password 7 07182E5E1F0F1C01
    > > > > ppp pap sent-username blabla password 7 131218005A0A012E
    > > > > ppp ipcp dns request
    > > > > ppp ipcp wins request
    > > > > !
    > > > > ip nat inside source list 102 interface Dialer1 overload
    > > > > ip classless
    > > > > ip route 0.0.0.0 0.0.0.0 Dialer1
    > > > > ip http server
    > > > > ip http secure-server
    > > > > !
    > > > > access-list 102 permit ip 10.0.0.0 0.255.255.255 any
    > > > > dialer-list 1 protocol ip permit
    > > > > !
    > > > > !
    > > > > line con 0
    > > > > exec-timeout 120 0
    > > > > transport preferred all
    > > > > transport output all
    > > > > stopbits 1
    > > > > line vty 0 4
    > > > > exec-timeout 120 0
    > > > > login local
    > > > > length 0
    > > > > transport preferred all
    > > > > transport input all
    > > > > transport output all
    > > > > !
    > > > > scheduler max-task-time 5000
    > > > > !
    > > > > end
     
    Marc, Jan 17, 2004
    #7
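
Added example, not part of the original thread: a Python check that traces an inbound TCP port through both NAT hops discussed above (the 827's static PAT entry, then the PIX host static and the first-match `outside_access_in` list) and reports where it stops. The config strings are constructed from lines posted in the thread; the mistyped `482` router line and all function names are assumptions made for illustration.

```python
import re

PORT_NAMES = {"www": 80}  # the only service keyword the thread's configs use
ACL = "outside_access_in"

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_names(pix):
    """'name 10.1.1.36 WEBSERVER' -> {'WEBSERVER': '10.1.1.36'}"""
    return {m[2]: m[1] for m in re.finditer(r"^name (\S+) (\S+)$", pix, re.M)}

def router_forwards(router):
    """IOS static PAT lines -> {public_port: (next_hop_ip, next_hop_port)}"""
    pat = r"^ip nat inside source static tcp (\S+) (\d+) interface \S+ (\d+)"
    return {int(m[3]): (m[1], int(m[2])) for m in re.finditer(pat, router, re.M)}

def pix_statics(pix, names):
    """PIX host statics -> {global_ip: real_inside_ip}; port statics are ignored."""
    pat = r"^static \(inside,outside\) (\S+) (\S+) netmask"
    return {names.get(m[1], m[1]): names.get(m[2], m[2])
            for m in re.finditer(pat, pix, re.M)}

def acl_rules(pix, names):
    """Ordered (action, proto, dst, port) tuples; only 'any' sources are modelled."""
    pat = rf"^access-list {ACL} (permit|deny) (\S+) any (any|host \S+)(?: eq (\S+))?"
    rules = []
    for m in re.finditer(pat, pix, re.M):
        host = m[3].split()[-1]
        dst = "any" if m[3] == "any" else names.get(host, host)
        rules.append((m[1], m[2], dst, _port(m[4]) if m[4] else None))
    return rules

def first_match(rules, dst_ip, port):
    """The ACL stops at the first matching line; no match is an implicit deny."""
    for idx, (action, proto, dst, rport) in enumerate(rules, 1):
        if proto in ("tcp", "ip") and dst in ("any", dst_ip) and rport in (None, port):
            return action, idx
    return "deny", None

def trace(router, pix, public_port):
    """Follow tcp/public_port from Dialer1 to the inside host, or say where it stops."""
    fwd = router_forwards(router)
    if public_port not in fwd:
        return f"router: no static for tcp/{public_port}"
    hop_ip, hop_port = fwd[public_port]
    names = parse_names(pix)
    statics = pix_statics(pix, names)
    if hop_ip not in statics:
        return f"pix: no static for {hop_ip}"
    # PIX 6.x checks the outside ACL against the global (translated) address.
    action, idx = first_match(acl_rules(pix, names), hop_ip, hop_port)
    if action != "permit":
        where = f"rule {idx}" if idx else "implicit deny"
        return f"pix: {ACL} {where} denies {hop_ip}:{hop_port}"
    return f"ok: {statics[hop_ip]}:{hop_port}"

def unrestricted_permits(pix):
    """1-based indexes of permit lines that are not limited to a single port."""
    rules = acl_rules(pix, parse_names(pix))
    return [i for i, r in enumerate(rules, 1)
            if r[0] == "permit" and r[1] in ("tcp", "ip") and r[3] is None]

# --- constructed sample configs, assembled from lines posted in the thread ---
NAT = ("name 10.1.1.36 WEBSERVER\n"
       "static (inside,outside) WEBSERVER 192.168.1.50 netmask 255.255.255.255 0 0\n")
PERMITS = "".join(f"access-list {ACL} permit tcp any host WEBSERVER eq {p}\n"
                  for p in ("81", "www", "8481", "8482"))
DENY = f"access-list {ACL} deny ip any any\n"
PIX_DENY_FIRST = NAT + DENY + PERMITS      # deny line ahead of the permits
PIX_DENY_LAST = NAT + PERMITS + DENY       # deny line moved to the end
PIX_BROAD = NAT + f"access-list {ACL} permit ip any host 10.1.1.36\n" + DENY
ROUTER_OLD = "ip nat inside source static tcp 192.1.2.14 81 interface Dialer1 81\n"
ROUTER_NEW = ("ip nat inside source static tcp 10.1.1.36 81 interface Dialer1 81\n"
              # constructed typo: local port 482 where 8482 was meant
              "ip nat inside source static tcp 10.1.1.36 482 interface Dialer1 8482\n")

if __name__ == "__main__":
    for r, p, port in [(ROUTER_OLD, PIX_DENY_FIRST, 81), (ROUTER_NEW, PIX_DENY_FIRST, 81),
                       (ROUTER_NEW, PIX_DENY_LAST, 81), (ROUTER_NEW, PIX_DENY_LAST, 8482)]:
        print(port, "->", trace(r, p, port))
    print("unrestricted permit rules:", unrestricted_permits(PIX_BROAD))
```

`unrestricted_permits` flags the `permit ip any host 10.1.1.36` form, which opens every port on the translated address on the PIX rather than only the ports the router forwards.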