Cisco 837 - how to set up Inside to Inside NAT for DNS resolution?

Discussion in 'Cisco' started by Jim Willsher, May 23, 2006.

  1. Jim Willsher

    Jim Willsher Guest

    Hi,

    Can anybody help? I need to setup "inside to inside NAT" as described
    here:

    http://www.cisco.com/en/US/products...rod_release_note09186a0080457818.html#wp67645

    I'm running 12.4 on a Cisco 837, and I know this feature is supported
    on my image. But I can't work out how to actually implement it! The
    quoted page gives an example but it looks like it's for VPN. I want it
    to work such that inside the LAN I can access a hosted website (hosted
    inside the LAN) via its external DNS name (www.....).

    This should get round the need for local HOSTS entries. The important
    quote from the page for me is this:


    "The purpose of this feature is to provide customers of the Cisco 830
    and SOHO 90 routers, with the ability to allow the use of a single DNS
    name / DNS server external to the LAN to provide name resolution for
    internal servers to internal clients even if NAT is applied and the
    NAT global address is the known address from a DNS perspective. "


    I'm using my ISP's DNS.

    Can anyone suggest what changes I need to make to my config (below)?

    Many thanks!



    Jim

    ==============================

    !
    ! Last configuration change at 15:08:32 UTC Tue May 23 2006
    ! NVRAM config last updated at 14:44:33 UTC Tue May 23 2006
    !
    version 12.4
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    enable secret 5 XXXXX
    !
    aaa new-model
    !
    !
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    no ip dhcp use vrf connected
    ip dhcp binding cleanup interval 10
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.101 192.168.1.254
    !
    ip dhcp pool JIMDESKTOP
    host 192.168.1.101 255.255.255.0
    client-identifier 0100.e018.fe31.ff
    default-router 192.168.1.1
    dns-server 212.104.130.9 212.104.130.65
    lease 0 12
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 212.104.130.9 212.104.130.65
    lease 0 12
    !
    !
    ip cef
    ip domain name home.lan
    ip ssh version 2
    login block-for 120 attempts 3 within 120
    login delay 3
    login on-failure log
    login on-success log
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    username jim password 7 XXXXX
    !
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    hold-queue 100 out
    !
    interface ATM0
    description ADSL Broadband Interface
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    ip mroute-cache
    peer default ip address pool VPN-CLIENT
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    interface Dialer1
    ip address 82.152.XXX.XX 255.255.255.XXX
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 XXXXX
    ppp pap sent-username password 7 XXXXX
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.1.150 110 interface Dialer1 110
    ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.1.150 443 interface Dialer1 443
    !
    !
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.101
    permit 192.168.1.150
    deny any
    ip access-list standard SSH-ALLOWED
    permit 82.XXX.XXX.XXX
    permit 192.168.1.0 0.0.0.255
    deny any
    !
    logging trap debugging
    logging 192.168.1.150
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community public RW SNMP-ALLOWED
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class SSH-ALLOWED in
    exec-timeout 120 0
    password 7 XXXXX
    length 0
    transport input ssh
    !
    scheduler max-task-time 5000
    sntp server 212.104.129.221
    end
     
    Jim Willsher, May 23, 2006
    #1

  2. Merv

    Merv Guest

    notice that in the Cisco configlet they use the command "ip nat enable"
    on the interfaces ...
     
    Merv, May 23, 2006
    #2

  3. Jim Willsher

    Jim Willsher Guest

    Hi Merv,

    Yeah, saw that. But it didn't seem to make any difference.

    If I have

    ip nat enable

    by itself, I lose the ability to browse from internal
    clients. If I have

    ip nat enable
    ip nat inside

    I can browse, but browsing via external DNS still won't work.

    Confused!



    Jim
     
    Jim Willsher, May 23, 2006
    #3
  4. The URL you give is bogus on what you are trying to do.
    If I recall correctly, what you are looking for is the 'extendable' word at
    the end of the outbound NAT statement.
    Have the word appended to the NAT for the webserver, then your inside hosts
    will get DNS doctored.


    HTH
    Martin Bilgrav
     
    Martin Bilgrav, May 24, 2006
    #4
  5. Jim Willsher

    Jim Willsher Guest

    Hi Martin, many thanks for taking the time to post.

    I tried what you suggested (I think!) but it didn't seem to make much
    difference. I added the following command to my existing config:

    ip nat inside source static tcp 192.168.1.150 80 82.152.114.61 80
    extendable

    Everything else seemed to work as before, I could browse the
    internally-hosted webserver via domain-name from the internet. But I
    still can't browse it by domain name from inside the LAN.

    Sorry if I've misunderstood your suggestion, I'm very new to Cisco. I
    didn't really understand your "outbound NAT" bit, but I assumed
    (probably wrongly) that it was the port-80 NAT.

    Any ideas?

    Many thanks,



    Jim
     
    Jim Willsher, May 25, 2006
    #5
  6. Did you 'clear ip nat translation *'?
    What does your cfg look like now?
    This is just what the line should do. Hmm.
    Is 82.152.114.61 the IP that the webserver has in the DNS A-record?
    And is it hosted on the internal IP .150?
     
    Martin Bilgrav, May 25, 2006
    #6
  7. Jim Willsher

    Jim Willsher Guest

    Hi Martin,
    No, I hadn't run the clear, but I have now and it still hasn't worked
    :-(
    That's correct. The public DNS entries for the domain point to
    82.152.114.61:

    http://www.dnsstuff.com/tools/lookup.ch?name=www.jimwillsher.co.uk&type=A

    The internal IP is 192.168.1.150

    I've copied the entire config below. When I use this config, I cannot
    browse www.jimwillsher.co.uk from inside the LAN unless I manually add

    192.168.1.150 www.jimwillsher.co.uk

    to my hosts file, which I'm trying to avoid. Without this I get a
    1-second pause followed by a "page not found" (IE6).

    I hope you can spot where I'm going wrong....

    Many thanks!



    Jim

    =================================================

    New config


    !
    ! Last configuration change at 11:11:11 UTC Fri May 26 2006 by XXX
    ! NVRAM config last updated at 11:10:31 UTC Fri May 26 2006 by XXX
    !
    version 12.4
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    enable secret 5 XXXXX
    !
    aaa new-model
    !
    !
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    no ip dhcp use vrf connected
    ip dhcp binding cleanup interval 10
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.101 192.168.1.254
    !
    ip dhcp pool JIMDESKTOP
    host 192.168.1.101 255.255.255.0
    client-identifier 0100.dddd.dddd.ff
    default-router 192.168.1.1
    dns-server XXX.XXX XXX.XXX
    lease 0 12
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server XXX.XXX XXX.XXX
    lease 0 12
    !
    !
    ip cef
    no ip domain lookup
    ip domain name home.lan
    ip ssh version 2
    login block-for 120 attempts 3 within 120
    login delay 3
    login on-failure log
    login on-success log
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    username XXX password 7 XXXXX
    !
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    hold-queue 100 out
    !
    interface ATM0
    description ADSL Broadband Interface
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    ip mroute-cache
    peer default ip address pool VPN-CLIENT
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    interface Dialer1
    ip address 82.152.114.61 255.255.255.252
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 XXXXX
    ppp pap sent-username password 7 XXXXX
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.150 443 interface Dialer1 443
    ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.1.150 110 interface Dialer1 110
    ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
    !
    !
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.101
    permit 192.168.1.150
    deny any
    ip access-list standard SSH-ALLOWED
    permit 81.168.116.141
    permit 82.152.95.189
    permit 82.152.232.9
    permit 82.152.83.57
    permit 82.152.237.153
    permit 192.168.1.0 0.0.0.255
    deny any
    !
    logging trap debugging
    logging 192.168.1.150
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community XXXXX RW SNMP-ALLOWED
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred none
    stopbits 1
    line aux 0
    line vty 0 4
    access-class SSH-ALLOWED in
    exec-timeout 120 0
    password 7 XXXXX
    length 0
    transport preferred none
    transport input ssh
    !
    scheduler max-task-time 5000
    sntp server XXX.221
    end

    =================================================

    sh ver output

    Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.4(8),
    RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2006 by Cisco Systems, Inc.
    Compiled Mon 15-May-06 23:37 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(11r)YV3, RELEASE SOFTWARE (fc2)

    router uptime is 3 minutes
    System returned to ROM by reload at 11:13:05 UTC Fri May 26 2006
    System restarted at 11:15:20 UTC Fri May 26 2006
    System image file is "flash:c837-k9o3sy6-mz.124-8.bin"


    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.


    A summary of U.S. laws governing Cisco cryptographic products may be
    found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email
    to
    .

    Cisco C837 (MPC857DSL) processor (revision 0x600) with 62260K/3276K
    bytes of memory.
    Processor board ID FCZ093343XZ, with hardware revision 0000
    CPU rev number 7
    2 Ethernet interfaces
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of NVRAM.
    12288K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Configuration register is 0x2102
     
    Jim Willsher, May 26, 2006
    #7
  8. anybody43

    anybody43 Guest

    Jim has:-
    This piqued my interest and I did a bit of reading.

    There is a reference (not available to me right now)
    on CCO that I read. It talked about getting this behaviour
    when using Outside NAT.

    Maybe you need to add:-

    ip nat OUTSIDE source static interface Dialer1 192.168.1.150

    I haven't checked the syntax and you may well
    not be allowed the "interface dialer1" bit and have
    to use the address instead.

    So what will this do to the traffic?
    Inbound traffic with Source Address of the dialer will be NATted
    such that the source address will be changed to 192.168.1.150.

    As far as I can see there will be no such traffic.
    So nothing can get broken:)

    Similarly outbound traffic with DA of 192.168.1.150
    will get translated to the address of dialer1 interface.
    Once more there will be no such traffic passing through the router.


    ///Additionally///:-
    Inbound DNS packet contents will be inspected
    and A records containing the address of the Dialer1 interface
    will be translated to the address specified in the NAT Outside
    statement.

    I have not tested or implemented this and have no idea if
    it will work but it looked promising in your context.

    Please post results, good or bad.
     
    anybody43, May 26, 2006
    #8
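    The rewrite that anybody43 describes above (A records carrying the Dialer1 address being changed to the outside-local address as the reply passes through NAT) can be modelled on the wire. The following is an added example, not code from the thread and not IOS: a small Python model of that DNS-doctoring step, run over a constructed DNS reply. It assumes the thread's values, 82.152.114.61 as the outside global address and 192.168.1.150 as the outside local address, and uses 203.0.113.7 as a constructed, unrelated answer that must pass through untouched.

```python
"""Model of the NAT DNS-doctoring step described in the thread.

Added example (not from the thread, not IOS code). The router is modelled as
inspecting DNS replies that cross NAT and rewriting A records whose address
equals the outside global address to the outside local address. Packets are
constructed here so the model runs offline.
"""
import ipaddress
import struct

DNS_TYPE_A = 1
DNS_CLASS_IN = 1
FLAG_RESPONSE = 0x8000  # QR bit: set on replies, clear on queries


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(name: str, addresses, txid: int = 0x1234, ttl: int = 300) -> bytes:
    """Build a minimal standard DNS reply: one A question, one A answer per address.
    Constructed test data standing in for what the ISP resolver would send back."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += struct.pack("!HHHIH", 0xC00C, DNS_TYPE_A, DNS_CLASS_IN, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def _iter_records(packet: bytes):
    """Yield (type, class, rdata_offset, rdlength) for every RR after the question section."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4  # skip QNAME, then QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        yield rtype, rclass, off, rdlen
        off += rdlen


def answer_addresses(packet: bytes):
    """List the IPv4 addresses carried in A records, in packet order."""
    return [
        str(ipaddress.IPv4Address(packet[off:off + 4]))
        for rtype, rclass, off, rdlen in _iter_records(packet)
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4
    ]


def doctor_dns_response(packet: bytes, outside_global: str, outside_local: str):
    """Rewrite A records equal to outside_global to outside_local.
    Returns (new_packet, number_of_records_rewritten). Queries pass through unchanged,
    and the packet length never changes, so no DNS header field needs updating."""
    flags = struct.unpack_from("!H", packet, 2)[0]
    if not flags & FLAG_RESPONSE:
        return packet, 0
    want = ipaddress.IPv4Address(outside_global).packed
    replacement = ipaddress.IPv4Address(outside_local).packed
    out = bytearray(packet)
    rewritten = 0
    for rtype, rclass, off, rdlen in _iter_records(packet):
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4 and packet[off:off + 4] == want:
            out[off:off + 4] = replacement
            rewritten += 1
    return bytes(out), rewritten


if __name__ == "__main__":
    reply = build_dns_response("www.jimwillsher.co.uk", ["82.152.114.61", "203.0.113.7"])
    doctored, count = doctor_dns_response(reply, "82.152.114.61", "192.168.1.150")
    print("before:", answer_addresses(reply))
    print("after: ", answer_addresses(doctored), "rewritten:", count)
```

    The model only touches the payload of replies that actually carry the global address; every other record, and every query, is left alone. What it does not model is the side effect the thread runs into further down, where the router also starts answering on the inside segment for the outside-local address, which is why a LAN host's address should not be used as the outside-local address without checking that behaviour first.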
  9. anybody43

    anybody43 Guest

    I have realised that this is easy for me to test in the case
    where the Outside natted address is NOT the address of the router.

    Anyway. It works.
     
    anybody43, May 26, 2006
    #9
  10. anybody43

    anybody43 Guest

    ADSL(config)#ip nat outside source static 155.198.5.83 ?
    A.B.C.D Outside local IP address

    ADSL(config)#ip nat outside source static 155.198.5.83 172.16.145.200
    ADSL(config)#^Z
    ADSL#

    C:\Documents and Settings\Administrator>ping www.ic.ac.uk
    Pinging www.ic.ac.uk [172.16.145.200] with 32 bytes of data:

    ADSL#sh run | inc nat
    ip nat inside
    ip nat inside
    ip nat outside
    ip nat inside source route-map nonat interface Dialer1 overload
    ip nat outside source static 155.198.5.83 172.16.145.200
    route-map nonat permit 10
     
    anybody43, May 26, 2006
    #10
  11. Jim Willsher

    Jim Willsher Guest

    Hi, many thanks for picking this one up, much appreciated.

    Okay, I tried what you suggested (I think). I entered:

    ip nat outside source static 82.152.114.61 192.168.1.150

    When I saved the config I noticed this on my console:

    05:14:08: %SYS-5-CONFIG_I: Configured from console by consol
    05:14:41: %IP-4-DUPADDR: Duplicate address 192.168.1.150 on Ethernet0,
    sourced by 000f.xxxx.xxxx

    But the results were not what I had expected. Browsing the domain name
    from inside the network now works a treat - excellent! Sadly, browsing
    from the internet no longer worked :-(

    So I've had to remove the command and now I'm back to the "outside
    works, inside doesn't" situation.

    I noticed your comment about the DNS and the router. Unfortunately
    they are both the same IP, and I can't change. Hence why NAT is in
    use.


    So it looked so promising - until I realised external access no longer
    worked (page not found).

    Can you think of anything else I can try?

    Many thanks,



    Jim
     
    Jim Willsher, May 26, 2006
    #11
  12. anybody43

    anybody43 Guest

    Oh dear. Of course (well, it's obvious now :) the router must
    be 'hosting' the address 192.168.1.150 on the inside. I guess
    it will respond to ARPs for that address and is apparently
    looking out for duplicates.


    I have tried a couple more things here.

    ip nat inside source route-map nonat interface Dialer1 overload
    ip nat outside source static 155.198.5.83 172.16.145.35

    ADSL#sh arp
    Protocol  Address          Age (min)  Hardware Addr   Type  Interface
    Internet  172.16.145.37            1  0002.a545.2244  ARPA  Ethernet0
    Internet  172.16.145.36           77  000d.5e48.0bc7  ARPA  Ethernet0
    Internet  172.16.145.35            -  0013.1996.5db7  ARPA  Ethernet0
    Internet  172.16.145.1             -  0013.1996.5db7  ARPA  Ethernet0

    I had a telnet session from .35 to the router (.1).
    As soon as I added the NAT I lost the session.

    When I ping .35 from .37 the router responds.

    C:\Program Files>arp -a

    Interface: 192.168.67.249 --- 0x3
      Internet Address      Physical Address      Type
      192.168.67.1          00-0b-5f-78-f3-bf     dynamic

    Interface: 172.16.145.37 --- 0x20002
      Internet Address      Physical Address      Type
      172.16.145.1          00-13-19-96-5d-b7     dynamic
      172.16.145.35         00-13-19-96-5d-b7     dynamic

    C:\Program Files>ping 172.16.145.35 -t

    Pinging 172.16.145.35 with 32 bytes of data:

    Reply from 172.16.145.35: bytes=32 time=1ms TTL=255
    Reply from 172.16.145.35: bytes=32 time=1ms TTL=255
    Reply from 172.16.145.35: bytes=32 time=1ms TTL=255


    ## However

    When I use
    ip nat outside source static 155.198.5.83 172.16.145.200

    I don't get this ARP entry and the router does /not/
    respond to a ping for 172.16.145.200.

    Weird.
     
    anybody43, May 26, 2006
    #12
  13. anybody43

    anybody43 Guest

    Sorry, the netmask was not what I expected.
    Local router address is 172.16.145.1/25.
    I had assumed /24. I forgot that I had changed it a while back.
     
    anybody43, May 26, 2006
    #13
  14. Jim Willsher

    Jim Willsher Guest


    Whoa, you've lost me :) So do you think you're onto a winner, or
    should I throw the 837 out of the window?

    I appreciate your help!


    Jim
     
    Jim Willsher, May 26, 2006
    #14
  15. Hi,

    Stick with me on this one, Jim - this is the way to do it and it will work.
    What we need to do is find out where you go wrong.

    ....
    ..

    Did you omit ACL 102 from your cfg?
    I don't see it anywhere

    I don't see the
    ip nat inside source static 192.168.1.150 82.152.114.61 extendable
    line anywhere

    Here is what you do:

    1. Remove ALL your present NAT entries and add the one I suggested.
    C/P this:
    cle ip nat trans *
    no ip nat inside source static tcp 192.168.1.150 443 interface Dialer1 443
    no ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
    no ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
    no ip nat inside source static tcp 192.168.1.150 110 interface Dialer1 110
    no ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
    ip nat inside source static 192.168.1.150 82.152.114.61 extendable

    This will do it, if you do not get any error msg because of NAT in use.


    HTH
    Martin Bilgrav
     
    Martin Bilgrav, May 28, 2006
    #15
  16. Also just to make sure add:
    ip subnet-zero
     
    Martin Bilgrav, May 28, 2006
    #16
  17. Jim Willsher

    Jim Willsher Guest


    Hi Martin,

    Many thanks for persisting :)

    Before I try it though, won't these lines:
    prevent my websites from working? Surely nobody on the WAN will be
    able to see them, as by removing these, there's nothing to say that
    http (80) is on 192.168.1.150, etc.


    Jim
     
    Jim Willsher, May 29, 2006
    #17
  18. yes - correct, but the last line (not in your C/P) brings it back online
    instantly, so only current session gets broken as you clear NAT.
    no big deal.
     
    Martin Bilgrav, May 29, 2006
    #18
  19. Jim Willsher

    Jim Willsher Guest


    Sorry, I'm obviously being a bit silly here. I just don't want to get
    it wrong!

    For the avoidance of doubt, I've pasted my *full* running-config
    below. I still can't see how my server will be accessible from the web
    after I make your changes. We're removing the port 80, port 443 etc
    lines, but we're not replacing them with anything. So either nothing
    will get to my server, or EVERYTHING will get to my server (DMZ). Or
    am I misreading the situation?

    Anyway, my *entire* config follows. Thank you *so much* for being so
    patient with my clear lack of Cisco skills :)



    =============

    !
    ! Last configuration change at 10:28:19 BST Sun May 28 2006
    ! NVRAM config last updated at 08:36:36 BST Tue May 30 2006 by XXX
    !
    version 12.4
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    enable secret 5 XXXXX
    !
    aaa new-model
    !
    !
    aaa authentication ppp default local
    aaa authorization network default if-authenticated
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 3:00
    !
    !
    no ip dhcp use vrf connected
    ip dhcp binding cleanup interval 10
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp excluded-address 192.168.1.101 192.168.1.254
    !
    ip dhcp pool JIMDESKTOP
    host 192.168.1.101 255.255.255.0
    client-identifier 0100.e018.fe31.ff
    default-router 192.168.1.1
    dns-server 212.104.130.9 212.104.130.65
    lease 0 12
    !
    ip dhcp pool CLIENT
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 212.104.130.9 212.104.130.65
    lease 0 12
    !
    !
    ip cef
    no ip domain lookup
    ip domain name home.lan
    ip ssh version 2
    login block-for 120 attempts 3 within 120
    login delay 3
    login on-failure log
    login on-success log
    vpdn enable
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    !
    !
    !
    !
    username XXX password 7 XXXXX
    !
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    hold-queue 100 out
    !
    interface ATM0
    description ADSL Broadband Interface
    no ip address
    ip nbar protocol-discovery
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    duplex auto
    speed auto
    !
    interface FastEthernet2
    duplex auto
    speed auto
    !
    interface FastEthernet3
    duplex auto
    speed auto
    !
    interface FastEthernet4
    duplex auto
    speed auto
    !
    interface Virtual-Template1
    ip unnumbered Ethernet0
    ip mroute-cache
    peer default ip address pool VPN-CLIENT
    ppp encrypt mppe auto required
    ppp authentication ms-chap ms-chap-v2
    !
    interface Dialer1
    ip address 82.152.114.61 255.255.255.252
    ip mtu 1492
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 XXX
    ppp pap sent-username password 7 XXX
    ppp ipcp dns request
    ppp ipcp wins request
    !
    ip local pool VPN-CLIENT 192.168.1.251 192.168.1.254
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    ip dns server
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.150 443 interface Dialer1 443
    ip nat inside source static tcp 192.168.1.150 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.1.150 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.1.150 110 interface Dialer1 110
    ip nat inside source static tcp 192.168.1.150 25 interface Dialer1 25
    !
    !
    ip access-list standard SNMP-ALLOWED
    permit 192.168.1.101
    permit 192.168.1.150
    deny any
    ip access-list standard SSH-ALLOWED
    permit 81.168.124.101
    permit 192.168.1.0 0.0.0.255
    deny any
    !
    logging trap debugging
    logging 192.168.1.150
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community public RW SNMP-ALLOWED
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred none
    stopbits 1
    line aux 0
    line vty 0 4
    access-class SSH-ALLOWED in
    exec-timeout 120 0
    password 7 XXXX
    length 0
    transport preferred none
    transport input ssh
    !
    scheduler max-task-time 5000
    ntp clock-period 17179402
    ntp server 212.104.129.221
    end

    =============
     
    Jim Willsher, May 30, 2006
    #19
  20. Uli Link

    Uli Link Guest

    Jim Willsher wrote:

    AFAIR this feature was introduced in 12.3(11)YS and did not make it into
    12.4 mainline. It should be in 12.4T train.
     
    Uli Link, May 30, 2006
    #20