Cisco 837, NAT & Netscreen in transparent Mode

Discussion in 'Cisco' started by Scooty, Mar 25, 2008.

  1. Scooty

    Scooty Guest

    Hi all
    My apologies if posting to the wrong group
    I have a Cisco 837 which I want to use as a backup internet link. What
    I hope to do is simply change the static route on my 3750 if the
    primary link goes down
    I have a Netscreen 25 configured in transparent mode

    I have it configured as follows

    Public IP, Cisco 837 Dialer i/f ---> Ethernet0 ---->
    Netscreen25 Transparent ---> VLAN102 on the 3750 @

    The VLAN interface of the Netscreen is and the
    management i/f is

    I have configured the 837 router to perform NAT, as I only have 1
    public IP, the Ethernet i/f of the 837 is configured with a private IP
    I am seeing the Cisco attempt to perform NAT

    sh ip nat trans
    Pro Inside global Inside local Outside local Outside global

    I have a one-off static route on the 3750 for testing and this is the
    website I am trying to access via this route

    ip route

    I have a policy on the netscreen that says
    Source Any to Dest Any permit HTTP
    I am seeing on the log of the Netscreen the same thing

    Date/Time Source Address/Port Destination Address/Port Duration
    2008-03-25 15:39:06 59 sec. HTTP

    The Cisco config is pretty straightforward as shown

    version 12.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    no service dhcp
    hostname aff_837
    logging queue-limit 100
    logging buffered 4096 debugging
    clock timezone AEST 8
    ip subnet-zero
    no ip source-route
    ip domain name
    ip name-server
    ip name-server
    no ip bootp server
    ip audit notify log
    ip audit po max-events 100
    vpdn enable
    no ftp-server write-enable
    interface Null0
     no ip unreachables
    interface Ethernet0
     ip address
     ip nat inside
     ip tcp adjust-mss 1452
     hold-queue 100 out
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 8/35
      pppoe-client dial-pool-number 1
     dsl operating-mode auto
    interface Dialer1
     description Amcom VPN
     mtu 1492
     ip address negotiated
     no ip unreachables
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname xxxxxxx
     ppp chap password xxxxxxx
    ip nat inside source list 23 interface Dialer1 overload
    ip classless
    ip route Dialer1
    no ip http server
    no ip http secure-server
    access-list 5 permit any
    access-list 23 permit
    access-list 23 permit
    access-list 23 permit
    dialer-list 1 protocol ip permit
    route-map clear-df permit 10
     match ip address 5
     set ip df 0

    line con 0
     exec-timeout 60 0
     no modem enable
     stopbits 1
    line aux 0
     stopbits 1
    line vty 0 4
     exec-timeout 120 0
     login local
     length 0
    scheduler max-task-time 5000

    Can anyone tell me what I am missing? Is it a policy problem on the
    netscreen or a config problem on the 837?
    I can ping the & .7 from the router using an extended
    ping using the ethernet i/f as the source but cannot ping the VLAN102
    i/f of the 3750, once again I believe this is an incoming policy issue.
    All I have is 4 outgoing policies from the trust to the untrust for

    Scooty, Mar 25, 2008