NAT question for Cisco 851 router

Discussion in 'Cisco' started by bestdeals421@hotmail.com, Dec 5, 2005.


    I am attempting to configure a Cisco 851 router in a small office
    environment.

    I've configured an Easy VPN Server, to which I can connect with the Cisco
    VPN client with no problem. Once connected with the client, I can SSH to
    the router without problems.

    What I have not been able to do is connect to an internal server
    running terminal services (TCP port 3389) from a connected VPN client.
    The internal server address is 192.168.1.2.

    I don't understand the NAT route map, since it seems to prohibit
    traffic from the local subnet to the clients that are assigned
    addresses from the VPN pool.

    Please help!!!


    Following is my startup configuration:

    !This is the running config of the router: 192.168.1.1
    !----------------------------------------------------------------------------
    ! Reviewer notes are the "! " lines; IOS ignores them if this is pasted back.
    ! What this config builds: LAN gateway on Vlan1 (192.168.1.1/24), a DHCP-addressed
    ! WAN on FastEthernet4 doing PAT (overload) and CBAC inspection, and an Easy VPN
    ! server (crypto map SDM_CMAP_1) that assigns client addresses from pool VPNPOOL.
    !version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! obfuscates plain passwords in "show run"; the VPN group key below is still shown in clear
    service password-encryption
    service sequence-numbers
    !
    hostname esirouter
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    ! NOTE(review): the type-5 (MD5) hashes in this section were published with the
    ! post; treat them as compromised and replace them.
    enable secret 5 $1$wk71$tHaNxneJDZrhuFHvLgb8Q0
    !
    ! (the next two lines are one command, wrapped by the forum software)
    username administrator privilege 15 secret 5
    $1$qB7W$USua9BNt7dmgSp0iZBEL//
    username dmasters privilege 15 secret 5 $1$rEkL$W5VSbsT5Lg.30m1GWjyvN/
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    aaa new-model
    !
    !
    ! local user database serves console/vty login and VPN Xauth (sdm_vpn_xauth_ml_1)
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    ! group-policy lookup for the Easy VPN group (sdm_vpn_group_ml_1)
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    ip subnet-zero
    ! drop source-routed packets
    no ip source-route
    ! DHCP never hands out .1-.99; the VPN pool defined below lives in that range
    ip dhcp excluded-address 192.168.1.1 192.168.1.99
    !
    ip dhcp pool sdm-pool1
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    !
    !
    ip cef
    ! CBAC inspection set, applied outbound on FastEthernet4: return traffic for
    ! these protocols is admitted even though ACL 101 ends in "deny ip any any"
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    no ip domain lookup
    ip domain name easternscientificinc.com
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    !
    !
    !
    !
    !
    ! IKE phase 1: 3DES, DH group 2, pre-shared key (this is the policy the Easy VPN clients match)
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    ! NOTE(review): policy 3 shows no "authentication" line, so it takes the IOS
    ! default (rsa-sig); with no certificates in this config it is unlikely to be used - confirm.
    crypto isakmp policy 3
    encr 3des
    group 2
    !
    ! Easy VPN group: settings pushed to connecting clients
    crypto isakmp client configuration group esivpnmain
    ! NOTE(review): the group pre-shared key is shown in the clear here despite
    ! service password-encryption above, and it is now public via this post.
    key erlight822!
    dns 192.168.1.2
    ! client addresses come from VPNPOOL (defined after the interfaces)
    pool VPNPOOL
    ! split-tunnel list: only the networks in ACL 102 are sent through the tunnel
    acl 102
    ! lets clients cache the Xauth password locally
    save-password
    max-logins 5
    !
    !
    ! IKE phase 2: ESP with 3DES encryption and SHA-1 HMAC integrity
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    ! reverse route injection: installs a route to each connected client's pool address
    reverse-route
    !
    !
    ! Xauth user login, group authorization, and mode-config address assignment
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    ! Fa0-Fa3 are switch ports in Vlan1; no layer-3 config on them
    interface FastEthernet0
    no ip address
    no cdp enable
    !
    interface FastEthernet1
    no ip address
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    ! WAN: address by DHCP, ACL 101 inbound, CBAC outbound, NAT outside, VPN termination
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
    ip address dhcp client-id FastEthernet4
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no cdp enable
    crypto map SDM_CMAP_1
    !
    ! LAN: ACL 100 inbound, NAT inside
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.1.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    ! NOTE(review): VPNPOOL (192.168.1.50-.99, below) is carved out of this same /24,
    ! so a LAN host such as 192.168.1.2 replying to a VPN client ARPs for the client's
    ! address on the wire; with proxy-arp disabled here the router does not answer on
    ! the client's behalf and the reply never reaches the tunnel. This looks like the
    ! reason TCP/3389 fails while SSH to the router itself works - check the ARP cache
    ! on 192.168.1.2 for a pool address to confirm.
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ! lowers the TCP MSS on flows through this interface (1452 leaves room for encapsulation overhead)
    ip tcp adjust-mss 1452
    !
    router rip
    network 192.168.1.0
    no auto-summary
    !
    ! VPN client address pool: inside the Vlan1 subnet and the DHCP-excluded range
    ip local pool VPNPOOL 192.168.1.50 192.168.1.99
    ip classless
    !
    ! NOTE(review): plaintext HTTP management is enabled alongside HTTPS; ACL 101
    ! blocks it from the WAN, but LAN hosts and VPN clients can reach it.
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ! (the next two lines are one command, wrapped by the forum software)
    ! PAT to the FastEthernet4 address for traffic that route-map SDM_RMAP_1 permits
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4
    overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    ! ACL 100, inbound on Vlan1: drop broadcast- and loopback-sourced packets, allow the rest
    access-list 100 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    ! ACL 101, inbound on FastEthernet4.
    ! The .50-.99 entries admit traffic from VPN clients after decryption (IOS checks
    ! the inbound ACL again on the decrypted packet), and only toward the LAN subnet.
    access-list 101 remark auto generated by Cisco SDM Express firewall
    configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit ip host 192.168.1.50 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.51 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.52 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.53 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.54 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.55 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.56 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.57 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.58 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.59 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.60 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.61 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.62 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.63 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.64 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.65 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.66 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.67 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.68 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.69 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.70 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.71 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.72 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.73 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.74 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.75 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.76 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.77 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.78 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.79 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.80 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.81 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.82 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.83 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.84 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.85 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.86 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.87 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.88 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.89 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.90 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.91 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.92 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.93 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.94 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.95 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.96 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.97 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.98 192.168.1.0 0.0.0.255
    access-list 101 permit ip host 192.168.1.99 192.168.1.0 0.0.0.255
    ! IKE, NAT-T, ESP and AH for the VPN; bootps->bootpc for the WAN DHCP lease
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit udp any eq bootps any eq bootpc
    ! anti-spoofing: unencrypted packets claiming the LAN subnet must not arrive from the WAN
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    ! RFC1918, loopback and broadcast sources, then an explicit final deny
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip any any
    ! ACL 102: split-tunnel list pushed to Easy VPN clients (see "acl 102" in the group)
    access-list 102 remark SDM_ACL Category=4
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    ! ACL 103: matched by NAT route-map SDM_RMAP_1. NOTE(review): a "deny" here means
    ! "do not translate", not "drop" - LAN -> VPN-client traffic keeps its real source
    ! address so it is routed back into the tunnel instead of being PATed out the WAN;
    ! only the final permit line is translated. The route-map is therefore unlikely to
    ! be what blocks 3389; see the proxy-arp note on Vlan1.
    access-list 103 remark SDM_ACL Category=2
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.50
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.51
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.52
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.53
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.54
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.55
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.56
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.57
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.58
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.59
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.60
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.61
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.62
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.63
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.64
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.65
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.66
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.67
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.68
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.69
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.70
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.71
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.72
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.73
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.74
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.75
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.76
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.77
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.78
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.79
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.80
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.81
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.82
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.83
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.84
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.85
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.86
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.87
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.88
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.89
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.90
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.91
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.92
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.93
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.94
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.95
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.96
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.97
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.98
    access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.99
    access-list 103 permit ip 192.168.1.0 0.0.0.255 any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 103
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    no modem enable
    transport preferred all
    transport output telnet
    line aux 0
    transport preferred all
    transport output telnet
    ! NOTE(review): telnet is accepted alongside ssh on the vty lines; ssh is already
    ! set up (ip ssh above), so "transport input ssh" alone would end cleartext logins.
    line vty 0 4
    transport preferred all
    transport input telnet ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
     
