Two ISPs & Route-map & NAT POOL & access-list & not working -HELP!

Discussion in 'Cisco' started by Tarek Hamdy, Sep 26, 2004.

  1. Tarek Hamdy

    Tarek Hamdy Guest

    Hey Guys,

    I have been trying to configure this router for 4 weeks. So far, I
    have succeeded in getting the router to the following:

    I can ping both ISPs' default routers from computers within the
    network.
    It appears that computers from within the network can route out:

    Total active translations: 19 (0 static, 19 dynamic; 19 extended)
    Outside interfaces:
    Ethernet0/0, Serial0/0
    Inside interfaces:
    Ethernet0/1
    Hits: 4416 Misses: 1152
    Expired translations: 1031
    Dynamic mappings:
    -- Inside Source
    route-map T1 pool outt1 refcount 18
    pool outt1: netmask 255.255.255.252
    start 155.55.44.213 end 155.55.44.214
    type generic, total addresses 2, allocated 1 (50%), misses 0
    route-map outtoDSL pool outDSL refcount 1
    pool outDSL: netmask 255.255.255.128
    start 100.10.88.1 end 100.10.88.127
    type generic, total addresses 127, allocated 1 (0%), misses 0
    -- Outside Source
    route-map incDSL pool come-dsl refcount 0
    pool come-dsl: netmask 255.255.255.0
    start 192.168.50.1 end 192.168.50.254
    type generic, total addresses 254, allocated 0 (0%), misses 0
    route-map incT1 pool come-t1 refcount 0
    pool come-t1: netmask 255.255.255.0
    start 192.168.50.1 end 192.168.50.254
    type generic, total addresses 254, allocated 0 (0%), misses 0
    Entry1#sh ip nat trans
    Pro Inside global Inside local Outside local Outside global
    udp 155.55.44.213:29044 192.168.50.2:29044 166.2.2.4:53 166.2.2.4:53
    tcp 155.55.44.213:48963 192.168.50.2:48963 188.7.2.155:4110 188.7.2.155:4110
    udp 155.55.44.213:29034 192.168.50.2:29034 45.54.55.22:53 45.54.55.22:53
    udp 155.55.44.213:29035 192.168.50.2:29035 45.54.55.22:53 45.54.55.22:53
    tcp 155.55.44.213:29042 192.168.50.2:29042 206.46.164.23:110 206.46.164.23:110
    tcp 155.55.44.213:29043 192.168.50.2:29043 206.46.164.23:110 206.46.164.23:110
    icmp 100.10.88.1:29045 192.168.50.2:29045 100.10.88.1:29045 100.10.88.1:29045
    udp 155.55.44.213:29034 192.168.50.2:29034 166.2.2.1:53 166.2.2.1:53
    udp 155.55.44.213:29034 192.168.50.2:29034 166.2.2.2:53 166.2.2.2:53
    udp 155.55.44.213:29035 192.168.50.2:29035 166.2.2.1:53 166.2.2.1:53
    udp 155.55.44.213:29035 192.168.50.2:29035 166.2.2.2:53 166.2.2.2:53
    udp 155.55.44.213:29035 192.168.50.2:29035 166.2.2.3:53 166.2.2.3:53
    udp 155.55.44.213:29035 192.168.50.2:29035 166.2.2.4:53 166.2.2.4:53

    Nothing seems to come back into the network. When we browse out, we
    cannot go anywhere.

    I am attempting to have one internal IP go out primarily the T1
    (s0/0), should that fail, then use the DSL (e0/0), with E0/1 being the
    internal IP. The router is configured to protect itself and not the
    network. On 198.168.0.2 is a firewall with hosts behind which
    protects the network. I am using the following IOS on a Cisco 2600:
    c2600-js-mz.121-5.T12.bin

    I eventually want to upgrade to IOS 12.3.4 or above and follow Dr.
    Vincent Jones's example in article
    http://groups.google.com/groups?hl=...3633$b3$&rnum=10

    The flash and the IOS are brand new, just in case the prior was corrupt.
    Below is the config with the real IPs faked, changed, etc. (to protect
    the innocent) but also preserving the subnetting. It is somewhat messy,
    with lots of access-lists showing that I have tried a lot of stuff:

    Entry1#sh run
    Building configuration...

    Current configuration : 5626 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret 5 $1$cxlr$rneuK4r/MumRXA4oNvsxJ.
    !
    username Teddy privilege 15 password
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    ip ftp username Teddy
    ip ftp password
    ip name-server 166.2.2.1
    ip name-server 166.2.2.2
    ip name-server 166.2.2.3
    ip name-server 166.2.2.4
    ip name-server 45.54.55.22
    !
    no ip bootp server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    ip address 100.10.88.105 255.255.255.128
    ip access-group incoming in
    no ip proxy-arp
    ip nat outside
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group incomingT1 in
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.0.1 255.255.255.0
    ip access-group outgoing in
    ip access-group return out
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    ip nat pool outDSL 100.10.88.1 100.10.88.127 netmask 255.255.255.128
    ip nat pool come-dsl 192.168.0.1 192.168.0.254 netmask 255.255.255.0
    ip nat pool come-t1 192.168.0.1 192.168.0.254 netmask 255.255.255.0
    ip nat pool outt1 155.55.44.213 155.55.44.214 netmask 255.255.255.252
    ip nat inside source route-map T1 pool outt1 overload
    ip nat inside source route-map outtoDSL pool outDSL overload
    ip nat outside source route-map incDSL pool come-dsl
    ip nat outside source route-map incT1 pool come-t1
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0 50
    ip route 0.0.0.0 0.0.0.0 Ethernet0/1 60
    ip route 67.130.40.252 255.255.255.252 Serial0/0
    no ip http server
    !
    ip access-list extended DSLin
    deny icmp any any echo
    deny icmp any any redirect
    deny icmp any any mask-request
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended incoming
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny icmp any any echo
    deny icmp any any redirect
    deny icmp any any mask-request
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended incomingT1
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.0.255.255 any
    deny icmp any any echo
    deny icmp any any redirect
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended outDSL
    permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    ip access-list extended outT1
    permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    ip access-list extended outgoing
    permit tcp 192.168.0.0 0.0.0.255 any established
    permit udp 192.168.0.0 0.0.0.255 any
    permit icmp 192.168.0.0 0.0.0.255 any
    permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended outgoingDSL
    permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    ip access-list extended outgoingt1
    permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    ip access-list extended return
    permit tcp any 192.168.0.0 0.0.0.255 established
    permit ip any any
    access-list 5 permit 192.168.0.0 0.0.0.255
    access-list 6 permit 192.168.0.0 0.0.0.255
    access-list 13 permit any
    access-list 98 permit 192.168.0.0 0.0.255.255
    access-list 99 permit 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    no cdp run
    route-map incT1 permit 10
    match ip address incomingT1
    match interface Ethernet0/1
    set interface Ethernet0/1
    set ip default next-hop 192.168.0.2
    !
    route-map outtoDSL permit 10
    match ip address 5
    match interface Ethernet0/0
    set interface Ethernet0/0
    set ip default next-hop 100.10.88.1
    !
    route-map incDSL permit 10
    match ip address DSLin
    match interface Ethernet0/1
    set interface Ethernet0/1
    set ip default next-hop 192.168.0.2
    !
    route-map T1 permit 10
    match ip address 5
    match interface Serial0/0
    set interface Serial0/0
    set ip default next-hop 155.55.44.213
    !
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    no scheduler allocate
    end

    If someone has an idea where I goofed, please point it out. I am a
    relative newbie to Cisco in the midst of all you experts, but not a
    newbie to networking (10 years).

    Tarek Hamdy, MSCE, CNE, 80% prepared for the CCNA
    Tarek Hamdy, Sep 26, 2004
    #1

  2. Tarek Hamdy

    PES Guest

    There is way too much information to process and troubleshoot here. I would
    take my access-lists to a minimum until I got it working. However, you need
    to do so without compromising security.

    Issues that jumped out at me:

    1) Your route-maps applied to nat statements will not set next hop as far
    as I know. You need to do this with policy routing on the internal ingress
    interface, or with route statements. Also, I don't know why you would ever
    match your inside interface with a policy that is for outbound nat.

    2) Some of your nat statements don't make sense. It's almost like you set
    them up for each direction or something. When a packet matches a nat entry,
    it adds a translation to the table. The return traffic should mirror the
    outbound traffic and match the table.

    3) I would also recommend getting the serial interface working first. Then
    bring the dsl interface into the mix.

    4) You have not stated your goal. Is it redundancy, or load balancing?

    PES, Sep 26, 2004
    #2

  3. Tarek Hamdy

    Tarek Hamdy Guest

    PES,

    Thanks so much for answering. My goal is redundancy. However, at
    this point, I will take anything I can get to get the S0/0 interface
    working. I will try to get it working tonight while looking at the
    policy. I also need NAT to work in both directions. Each ISP gave us
    1 IP each; therefore, I cannot route RFC 1918 addresses.
    Unfortunately, NAT must be used. I will have PPTP VPN and VPN via
    3DES coming through the router into the firewall that is connected to
    E0/1.

    I will post a new config tonight.

    Tarek
    Tarek Hamdy, Sep 27, 2004
    #3
  4. Tarek Hamdy

    Tarek Hamdy Guest

    PES,

    Also, in regards to:

    2) Some of your nat statements don't make sense. It's almost like you
    set them up for each direction or something. When a packet matches a nat
    entry, it adds a translation to the table. The return traffic should
    mirror the outbound traffic and match the table.

    Aren't we supposed to put the policy on the interface receiving the
    data stream? For example, the config posted does not show it, but I
    had executed the command "ip policy route-map T1" on E0/1 in the hopes
    that the traffic would go out interface s0/0, but it did not. That
    changed nothing. Although, when I put a policy on s0/0 ("ip policy
    route-map incT1") and on e0/0 ("ip policy route-map incDSL"), it seems
    something came in, but it never made it to the internal network.

    Tarek
    Tarek Hamdy, Sep 27, 2004
    #4
  5. Tarek Hamdy

    RC Guest

    First, read up on PBR (Ping Based Routing). This is relatively new to Cisco
    and will overcome the problems of having a primary or backup connection that
    never loses carrier (your DSL over Ethernet).

    The other posters are right, start out simple. Build a basic config for the
    T1 with modest security using Cisco's ConfigMaker. This is hard to mess up,
    but test it anyway.

    Add the ethernet port that goes to your DSL.

    Now add to the ACL on the nat so that it only applies to traffic going out
    serial0/0.

    Create a new nat configuration and configure the ACL so that it only applies
    to traffic going out the e0/0 (make sure you set e0/0 as nat outside).

    Now if you put in 2 default routes with the one to e0/0 having a higher cost,
    it should just work when you disconnect the T1 line. But it will probably be
    more reliable with the PBR. I can't help you much with PBR. I've only played
    with it a little, but I hear good things.

    Good luck

    RC, Sep 28, 2004
    #5
  6. Tarek Hamdy

    Tarek Hamdy Guest

    Hey Guys,

    I posted an update while trying to get this thing to work in a two way
    NAT going in and going out using the E0/1 and s0/0 interfaces. I
    tried to make the policy more textbook matching the incoming interface
    and set for the outgoing interface. So far nothing. In fact, about 1
    AM, it dropped my telnet session. I could connect only via serial
    cable to the con 0. Plus, I am seeing these weird entries pop up that
    are not being entered by me such as:

    call rsvp-sync
    cns event-service server
    ip kerberos source-interface any (fortunately this one causes an
    error)
    dial-peer cor custom

    I never put in the above 4 entries and no one accesses this router
    unless they are hacking into it.

    I tried to match incoming traffic policy with outgoing. My config is
    below:

    Password:
    Entry1#show run
    Building configuration...

    Current configuration : 5388 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret
    !
    username
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    !
    no ip bootp server
    call rsvp-sync
    cns event-service server
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    ip address 100.10.88.105 255.255.255.128
    ip access-group incoming in
    no ip proxy-arp
    ip nat outside
    ip policy route-map incDSL
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group incomingT1 in
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    ip policy route-map incT1
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.0.1 255.255.255.0
    ip access-group outgoing in
    ip access-group return out
    no ip proxy-arp
    ip nat inside
    ip policy route-map T1
    half-duplex
    no cdp enable
    !
    ip kerberos source-interface any
    ip nat pool outDSL 100.10.88.1 100.10.88.127 netmask 255.255.255.128
    ip nat pool come-dsl 192.168.0.1 192.168.0.254 netmask 255.255.255.0
    ip nat pool come-t1 192.168.0.1 192.168.0.254 netmask 255.255.255.0
    ip nat pool outt1 155.55.44.213 155.55.44.214 netmask 255.255.255.252
    ip nat inside source route-map T1 pool outt1 overload
    ip nat inside source route-map outtoDSL pool outDSL overload
    ip nat outside source route-map incDSL pool come-dsl
    ip nat outside source route-map incT1 pool come-t1
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0 50
    ip route 0.0.0.0 0.0.0.0 Ethernet0/1 60
    ip route 67.130.40.252 255.255.255.252 Serial0/0
    no ip http server
    !
    !
    ip access-list extended DSLin
    deny icmp any any echo
    deny icmp any any redirect
    deny icmp any any mask-request
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended incoming
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny icmp any any echo
    deny icmp any any redirect
    deny icmp any any mask-request
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip any any
    ip access-list extended incomingT1
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.0.255.255 any
    deny icmp any any echo
    deny icmp any any redirect
    deny ip 224.0.0.0 15.255.255.255 any
    permit ip any any
    ip access-list extended outDSL
    permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    ip access-list extended outgoing
    permit tcp 192.168.0.0 0.0.0.255 any established
    permit udp 192.168.0.0 0.0.0.255 any
    permit icmp 192.168.0.0 0.0.0.255 any
    permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended outgoingDSL
    permit tcp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 100.10.88.0 0.0.0.127
    ip access-list extended outgoingt1
    permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    ip access-list extended return
    permit tcp any 192.168.0.0 0.0.0.255 established
    permit ip any any
    access-list 5 permit 192.168.0.0 0.0.0.255
    access-list 6 permit 192.168.0.0 0.0.0.255
    access-list 13 permit any
    access-list 98 permit 192.168.0.0 0.0.255.255
    access-list 99 permit 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    no cdp run
    route-map incT1 permit 10
    match ip address incomingT1
    set interface Ethernet0/1
    set ip default next-hop 192.168.0.2
    !
    route-map outtoDSL permit 10
    match ip address 5
    match interface Ethernet0/1
    set interface Ethernet0/0
    set ip default next-hop 100.10.88.1
    !
    route-map incDSL permit 10
    match ip address DSLin
    match interface Ethernet0/0
    set interface Ethernet0/1
    set ip default next-hop 192.168.0.2
    !
    route-map T1 permit 10
    match ip address 5
    match interface Ethernet0/1
    set interface Serial0/0
    set ip default next-hop 155.55.44.213
    !
    dial-peer cor custom
    !
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    no scheduler allocate

    Any help would be appreciated. It is 3 am and I have to be at my full
    time job at 8 AM. It's been like this for 5 weeks and my client is
    about to pull the plug.

    Tarek
    Tarek Hamdy, Sep 28, 2004
    #6
  7. Tarek Hamdy

    Tarek Hamdy Guest

    RC,

    I scanned more CCIE books looking for a clue, then hit the
    O'Reilly Cisco IOS book. In its NAT section, it says not to include
    the router interface in the NAT pool, in italicized print. Wow, I
    could have had a V8! If you notice, I include my router's interfaces
    in the NAT pools. It's amazing: no other book indicates this, yet
    many of the configs do not include the router's own interfaces in
    static nor dynamic NAT. It is assumed us relative newbies know this;
    we struggle for weeks to figure it out. I hope some of the future
    authors might be listening. I do read your stuff.

    Do you think that could be it or one of the issues? We may help someone
    else.

    Unfortunately, I did not have a chance to test it because I could not
    for the life of me get connected via the LAN. I will try to replace
    the cross over cable with a new shorter cable and try again tomorrow.
    I hope to have some good news. I will then post an updated config.

    Tarek
    Tarek Hamdy, Sep 29, 2004
    #7
  8. Tarek Hamdy

    Tarek Hamdy Guest

    Hey Guys,

    I took out everything referring to the DSL interface to focus on the
    S0/0 using the WIC-T1. So far, we cannot connect to the Internet
    from the internal hosts. I want to at least allow internal users to surf
    the Internet and to allow all VPN connections into the network.

    At this moment, I cannot even connect into the router in a telnet
    session. I keep getting Duplicate address [IP_address] on [chars],
    sourced by [enet] with the Ethernet address being the MAC address of
    my firewall behind the router off of int E0/1. I worked off of a
    serial cable from a laptop. I made modifications to the incoming ACL
    on S0/0.

    I could take out the route maps and just use the default, but that did
    not work that way a couple of weeks ago.

    Entry1>en
    Password:
    Entry1#sh run
    Building configuration...

    Current configuration : 3939 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret
    !
    username <removed> privilege 15 password
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    ip ftp username
    ip ftp password
    ip name-server 200.17.25.13
    !
    no ip bootp server
    call rsvp-sync
    cns event-service server
    ! How do I keep the above two entries from reappearing? They defy google
    ! research and logic. They appear by themselves right after my telnet session
    ! drops. Nuisance!
    !
    !
    !
    !
    !
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    no ip address
    ip access-group incoming in
    no ip proxy-arp
    ip nat outside
    ip policy route-map incDSL
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group incomingT1 in
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    ip policy route-map incT1
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.0.1 255.255.255.0
    ip access-group 5 in
    ip access-group return out
    no ip proxy-arp
    ip nat inside
    ip policy route-map T1
    half-duplex
    no cdp enable
    !
    ip kerberos source-interface any
    ip nat pool come-t1 192.168.0.2 192.168.0.20 netmask 255.255.255.0
    ip nat pool outt1 155.55.44.213 155.55.44.213 netmask 255.255.255.252
    ip nat inside source route-map T1 pool outt1 overload
    ip nat outside source route-map incT1 pool come-t1
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    no ip http server
    !
    !
    ip access-list extended incomingT1
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.0.255.255 any
    deny icmp any any echo
    deny icmp any any redirect
    deny ip 224.0.0.0 15.255.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    permit ip host <IP FOREIGN TRUSTED HOST> any
    permit tcp any any established
    permit gre any any
    deny tcp any any
    permit udp any any
    deny ip any any
    ip access-list extended outgoing
    permit tcp 192.168.0.0 0.0.0.255 any established
    permit udp 192.168.0.0 0.0.0.255 any
    permit icmp 192.168.0.0 0.0.0.255 any
    permit ip 192.168.0.0 0.0.0.255 any
    ip access-list extended outgoingDSL
    permit tcp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127 established
    permit udp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
    permit icmp 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
    permit ip 192.168.0.0 0.0.0.255 66.15.92.0 0.0.0.127
    ip access-list extended outgoingt1
    permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    ip access-list extended return
    permit tcp any 192.168.0.0 0.0.0.255 established
    permit ip any any
    access-list 5 permit 192.168.0.0 0.0.0.255
    access-list 6 permit 192.168.0.0 0.0.0.255
    access-list 13 permit any
    access-list 98 permit 192.168.0.0 0.0.255.255
    access-list 99 permit 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 155.55.44.212 0.0.0.3
    no cdp run
    route-map incT1 permit 10
    match ip address incomingT1
    set interface Ethernet0/1
    !
    route-map outtoDSL permit 10
    match ip address 5
    match interface Ethernet0/1
    set interface Ethernet0/0
    set ip default next-hop 66.15.92.1
    !
    route-map T1 permit 10
    match ip address 5
    match interface Ethernet0/1
    set interface Serial0/0
    set ip default next-hop 155.55.44.213
    !
    !
    ! I do not know how to get rid of this below entry. I did not put it here!
    dial-peer cor custom
    !
    !
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    end

    Any ideas would be appreciated. Another day working till 4:00 AM. Need
    help!

    Tarek
    Tarek Hamdy, Sep 30, 2004
    #8
  10. Tarek Hamdy

    Tarek Hamdy Guest

    Hey Guys,

    I completely removed NAT and still cannot surf the Internet. I took
    the firewall between the network and the Internet out of the picture
    for now; therefore, I changed the access-lists to make sure the
    internal network does not get cracked. I only allow the trusted ISP's
    DNS server to have free UDP access in order for us to talk DNS to it.
    We can only ping the ISP's router. We cannot go beyond the ISP's
    router.

    Surely, I am missing something small and stupid. If someone can
    point it out, it would be appreciated, then I can make this silly
    thing work after 6 weeks of failure and an upset client.

    Current configuration : 3559 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret
    !
    username
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    ip name-server 200.17.25.13
    !
    no ip finger
    !
    no ip bootp server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    no ip address
    ip access-group incoming in
    no ip proxy-arp
    ip nat outside
    ip policy route-map incDSL
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group ok-in in
    ip access-group ok-out1 out
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip access-group 3 in
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    ip kerberos source-interface any
    ip nat pool outt1 155.55.44.213 155.55.44.213 netmask 255.255.255.252
    ip nat pool come-t1 192.168.1.2 192.168.1.254 netmask 255.255.255.0
    ip nat inside source list 3 pool outt1 overload
    ip nat outside source list 2 pool come-t1
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    no ip http server
    !
    ip access-list extended ok-in
    evaluate outgo
    permit udp host 200.17.25.13 192.168.1.0 0.0.0.255
    evaluate ok-packets
    ip access-list extended ok-out1
    permit udp 192.168.1.0 0.0.0.255 host 200.17.25.13 eq domain
    permit tcp 192.168.1.0 0.0.0.255 any established
    permit udp 192.168.1.0 0.0.0.255 any reflect outgo
    permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
    access-list 2 permit 155.55.44.212 0.0.0.3
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 5 permit 192.168.0.0 0.0.0.255
    access-list 98 permit 192.168.0.0 0.0.255.255
    access-list 99 permit 192.168.0.0 0.0.0.255
    no cdp run
    !
    dial-peer cor custom
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    no scheduler allocate
    end


    Tarek
    Tarek Hamdy, Oct 4, 2004
    #10
  11. Tarek Hamdy

    Tarek Hamdy Guest

    Hey Guys,

    I added RIP2 and changed the NAT entries to use the interface. It
    still does not route. The ISP does not use RIP, but it was a suggestion
    from Configmaker. I am pretty much out of options. We cannot surf the
    Internet through it! If anyone has an idea of how to make this thing
    route, please tell me.

    Current configuration : 2830 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret
    !
    username
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    !
    no ip finger
    ip ftp source-interface Ethernet0/1
    ip ftp username
    ip ftp password
    ip name-server 205.171.3.65
    !
    no ip bootp server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    no ip address
    no ip proxy-arp
    ip nat outside
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group ok-in in
    ip access-group ok-out1 out
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip access-group 3 in
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 192.168.1.0
    no auto-summary
    !
    ip kerberos source-interface any
    ip nat inside source list 3 interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    no ip http server
    !
    !
    ip access-list extended ok-in
    evaluate outgo
    permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
    evaluate ok-packets
    ip access-list extended ok-out1
    permit udp 192.168.1.0 0.0.0.255 host 205.171.3.65 eq domain
    permit tcp 192.168.1.0 0.0.0.255 any established
    permit udp 192.168.1.0 0.0.0.255 any reflect outgo
    permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
    access-list 2 permit 155.55.44.212 0.0.0.3
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 98 permit 192.168.0.0 0.0.255.255
    no cdp run
    !
    dial-peer cor custom
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    no scheduler allocate
    end
    Tarek Hamdy, Oct 6, 2004
    #11
  12. Tarek Hamdy

    PES Guest

    Is it an access list problem with ok-out1 (NAT has already happened as it
    leaves the public interface, thus 192.168.1.x is invalid and would be dropped)?
    It may be to your benefit to contact a consultant who can come in and get
    this going for you in a couple of hours. Also, I would definitely recommend
    utilizing IOS FW instead of reflexive ACLs.

    "Tarek Hamdy" <> wrote in message
    news:...
    > Hey Guys,
    >
    > I added RIP2 and changed the NAT entries to use the interface. It
    > still does not route. The ISP does not use RIP, but it was a suggestion
    > from Configmaker. I am pretty much out of options. We cannot surf the
    > Internet through it! If anyone has an idea of how to make this thing
    > route, please tell me.
    >
    > Current configuration : 2830 bytes
    > !
    > version 12.1
    > service single-slot-reload-enable
    > service tcp-keepalives-in
    > service timestamps debug uptime
    > no service timestamps log uptime
    > service password-encryption
    > !
    > hostname Entry1
    > !
    > no logging rate-limit
    > enable secret
    > !
    > username
    > clock summer-time EDT recurring
    > no ip subnet-zero
    > no ip source-route
    > !
    > !
    > no ip finger
    > ip ftp source-interface Ethernet0/1
    > ip ftp username
    > ip ftp password
    > ip name-server 205.171.3.65
    > !
    > no ip bootp server
    > !
    > interface Loopback0
    > ip address 192.168.22.65 255.255.255.224
    > !
    > interface Ethernet0/0
    > no ip address
    > no ip proxy-arp
    > ip nat outside
    > half-duplex
    > no cdp enable
    > !
    > interface Serial0/0
    > ip address 155.55.44.214 255.255.255.252
    > ip access-group ok-in in
    > ip access-group ok-out1 out
    > no ip redirects
    > no ip proxy-arp
    > ip nat outside
    > no ip mroute-cache
    > service-module t1 timeslots 1-24
    > no cdp enable
    > !
    > Ethernet0/1
    > ip address 192.168.1.1 255.255.255.0
    > ip access-group 3 in
    > no ip proxy-arp
    > ip nat inside
    > half-duplex
    > no cdp enable
    > !
    > router rip
    > version 2
    > passive-interface Serial0/0
    > network 192.168.1.0
    > no auto-summary
    > !
    > ip kerberos source-interface any
    > ip nat inside source list 3 interface Serial0/0 overload
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 155.55.44.213
    > no ip http server
    > !
    > !
    > ip access-list extended ok-in
    > evaluate outgo
    > permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
    > evaluate ok-packets
    > ip access-list extended ok-out1
    > permit udp 192.168.1.0 0.0.0.255 host 205.171.3.65 eq domain
    > permit tcp 192.168.1.0 0.0.0.255 any established
    > permit udp 192.168.1.0 0.0.0.255 any reflect outgo
    > permit icmp 192.168.1.0 0.0.0.255 any reflect outgo
    > access-list 2 permit 155.55.44.212 0.0.0.3
    > access-list 3 permit 192.168.1.0 0.0.0.255
    > access-list 98 permit 192.168.0.0 0.0.255.255
    > no cdp run
    > !
    > dial-peer cor custom
    > !
    > line con 0
    > exec-timeout 5 0
    > password
    > login local
    > transport input none
    > line aux 0
    > no exec
    > password
    > login local
    > line vty 0 4
    > access-class 98 in
    > exec-timeout 45 0
    > password
    > login
    > transport input telnet
    > transport output none
    > !
    > no scheduler allocate
    > end
    PES, Oct 6, 2004
    #12
  13. Tarek Hamdy

    Tarek Hamdy Guest

    PES,

    Thanks PES! That did it. I changed the ACL on the external interface,
    s0/0, to any any from 192.168.1.0 and it worked. It worked! I spent
    the last hour surfing the Internet using the Cisco router. Finally!
    Whew! I am the IT department at this place and their consultant. I
    learned a lot. It will make the CCNA easier later this month or next.
    I posted my config below in case it may help someone (last time):

    Current configuration : 2978 bytes
    !
    version 12.1
    service single-slot-reload-enable
    service tcp-keepalives-in
    service timestamps debug uptime
    no service timestamps log uptime
    service password-encryption
    !
    hostname Entry1
    !
    no logging rate-limit
    enable secret
    !
    username
    clock summer-time EDT recurring
    no ip subnet-zero
    no ip source-route
    !
    ip name-server 205.171.3.65
    !
    no ip bootp server
    call rsvp-sync
    cns event-service server
    !
    interface Loopback0
    ip address 192.168.22.65 255.255.255.224
    !
    interface Ethernet0/0
    no ip address
    no ip proxy-arp
    half-duplex
    no cdp enable
    !
    interface Serial0/0
    ip address 155.55.44.214 255.255.255.252
    ip access-group ok-in in
    ip access-group ok-out1 out
    no ip redirects
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    service-module t1 timeslots 1-24
    no cdp enable
    !
    interface Ethernet0/1
    ip address 192.168.1.1 255.255.255.0
    ip access-group lan-in in
    ip access-group lan-out out
    no ip proxy-arp
    ip nat inside
    half-duplex
    no cdp enable
    !
    router rip
    version 2
    passive-interface Serial0/0
    network 192.168.1.0
    no auto-summary
    !
    ip kerberos source-interface any
    ip nat inside source list 3 interface Serial0/0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 155.55.44.213
    no ip http server
    !
    !
    ip access-list extended lan-in
    permit ip any host 205.171.3.65
    permit tcp 192.168.0.0 0.0.255.255 any established
    permit ip 192.168.0.0 0.0.255.255 any reflect ok-packets
    ip access-list extended lan-out
    permit ip host 205.171.3.65 any
    evaluate ok-packets
    ip access-list extended ok-in
    evaluate outgo
    permit udp host 205.171.3.65 192.168.1.0 0.0.0.255
    evaluate ok-packets
    ip access-list extended ok-out1
    permit udp any host 205.171.3.65 eq domain
    permit tcp any any established
    permit tcp any any reflect outgo
    permit udp any any reflect outgo
    permit icmp any any reflect outgo
    access-list 2 permit 155.55.44.212 0.0.0.3
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 98 permit 192.168.0.0 0.0.255.255
    no cdp run
    !
    dial-peer cor custom
    !
    line con 0
    exec-timeout 5 0
    password
    login local
    transport input none
    line aux 0
    no exec
    password
    login local
    line vty 0 4
    access-class 98 in
    exec-timeout 45 0
    password
    login
    transport input telnet
    transport output none
    !
    end

    I changed my passwords. I will do some tweaking and get them using
    this full time plus using the DSL as a backup. I will also order the
    IOS with FW set and implement ip inspect exactly as you suggested.

    Tarek
    Tarek Hamdy, Oct 7, 2004
    #13
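The point PES made, and the change in the Oct 7 config, in one runnable model (an added example, not code from the thread or from Cisco): on an inside-to-outside packet IOS evaluates the WAN interface's outbound ACL after inside source NAT, so an ACE whose source is the private 192.168.1.0/24 range can never match there. The simulator below implements Cisco wildcard-mask matching and the implicit deny; the `established` and `reflect` keywords are deliberately not modelled, the host 192.168.1.10 and the function names are constructed for the example, and the ACL contents and addresses are taken from the posted ok-out1 lists.

```python
"""Model of the IOS order of operations for an inside-to-outside packet:
inbound ACL on the LAN interface (pre-NAT addresses) -> inside source NAT
-> outbound ACL on the WAN interface (post-NAT addresses)."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is don't-care."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    eq: Optional[int] = None    # destination port; None means any ("eq domain" is 53)


ANY = ("0.0.0.0", "255.255.255.255")


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching ACE decides; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *ace.src) or not wildcard_match(pkt.dst, *ace.dst):
            continue
        if ace.eq is not None and ace.eq != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def forward_inside_to_outside(pkt: Packet, lan_in: List[Ace], nat_list: List[Ace],
                              global_ip: str, wan_out: List[Ace]) -> str:
    """Apply the three steps in the order the router applies them."""
    if not acl_permits(lan_in, pkt):
        return "dropped: LAN inbound ACL"
    if acl_permits(nat_list, pkt):           # ip nat inside source list 3 ... overload
        pkt = replace(pkt, src=global_ip)    # source is now the WAN address
    if not acl_permits(wan_out, pkt):        # ACL sees the translated packet
        return f"dropped: WAN outbound ACL saw source {pkt.src}"
    return f"forwarded with source {pkt.src}"


LAN = ("192.168.1.0", "0.0.0.255")
DNS = "205.171.3.65"                          # ip name-server from the posted config
GLOBAL_IP = "155.55.44.213"                   # the overload address on Serial0/0
ACL_3 = [Ace("permit", "ip", LAN, ANY)]       # access-list 3 permit 192.168.1.0 0.0.0.255

# ok-out1 as posted on Oct 6: every ACE names the private LAN as source.
OK_OUT1_POSTED = [
    Ace("permit", "udp", LAN, host(DNS), eq=53),
    Ace("permit", "tcp", LAN, ANY),           # "established" not modelled
    Ace("permit", "udp", LAN, ANY),           # "reflect outgo" not modelled
    Ace("permit", "icmp", LAN, ANY),
]
# ok-out1 from the working Oct 7 config: sources are "any".
OK_OUT1_FIXED = [
    Ace("permit", "udp", ANY, host(DNS), eq=53),
    Ace("permit", "tcp", ANY, ANY),
    Ace("permit", "udp", ANY, ANY),
    Ace("permit", "icmp", ANY, ANY),
]


def dns_query_result(wan_out: List[Ace]) -> str:
    """Constructed sample: a DNS query from an internal host to the ISP resolver."""
    pkt = Packet("udp", "192.168.1.10", DNS, dport=53)
    return forward_inside_to_outside(pkt, ACL_3, ACL_3, GLOBAL_IP, wan_out)


if __name__ == "__main__":
    print("posted ok-out1:", dns_query_result(OK_OUT1_POSTED))
    print("fixed  ok-out1:", dns_query_result(OK_OUT1_FIXED))
```

The same ordering is why the inbound ACL on Ethernet0/1 (lan-in in the final config) is the right place to restrict by private source address, and the outbound ACL on Serial0/0 is not.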