mckeough

asked on

A couple more Cisco configuration commands

First of all I want to thank everyone that has been helping me with my Cisco questions. I REALLY appreciate it! I'm getting a book now, so I shouldn't have to ask such simple questions any more. My book isn't here yet though, and I wanted to ask a couple more things.

#1: OK, so let's say I apply a configuration something like the following:

OurCisco# ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723

Let's say three months later I want to remove that configuration from the router. How do I do this? Is it something like the following?:

OurCisco# no ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723

#2 How do I pull up a list of configurations like the above if I don't have it written down somewhere? I ran the show config command, after I ran the ip nat inside source static tcp 192.168.50.2 1723 67.39.131.113 1723 command, but didn't see it listed anywhere.

#3. If I have to configure a 1-1 static NAT for GRE does that mean I just need to configure the Cisco for a static NAT, I need a static IP at the remote location, do I need another Cisco at the remote location, or all of the above?

#4 Can anyone point me to a page on Cisco that will tell me how to configure GRE for PPTP, or just post the correct commands.

All help is VERY appreciated!
ASKER CERTIFIED SOLUTION
Les Moore

mckeough
ASKER

Results of "show ver":

Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9SY7-M), Version 12.2(8)T4,  RELEASE SOFTWARE (f
c1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sun 05-May-02 22:11 by ccai
Image text-base: 0x80008108, data-base: 0x80CF1DC0

ROM: System Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)

Mckeough1720 uptime is 13 weeks, 4 days, 16 hours, 21 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k9sy7-mz.122-8.T4.bin"

cisco 1720 (MPC860T) processor (revision 0x601) with 39322K/9830K bytes of memory.
Processor board ID JAD060205KP (3947939072), with hardware revision 0000
MPC860T processor: part number 0, mask 32
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
1 FastEthernet/IEEE 802.3 interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102
Since you have 12.2(8)T4 version, it just might work for you as shown in the link.

OK. Things look like they are mapped OK. These are the two things I configured on the Cisco

Fragment of results of "show ver":
ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723 extendable
ip nat inside source static 192.168.254.2 67.39.131.113

When I Create a VPN connection to 67.39.131.113 I get the following error:

http://www.mckeough.com/screenshot.jpg

I checked to make sure our remote access server was authenticating properly. To do this I used the same VPN connection but changed the IP address to the server's address (192.168.254.2) instead of our external IP (67.39.131.113). Everything authenticated and connected just fine. Any ideas?

I'm raising the points to 500.

Can I assume that the server 192.168.254.2 has a default gateway pointing to this router's Ethernet port?
Can I also assume that you are trying to do this from OUTSIDE the network, like from home? You're not trying from your office, just using the public IP? That'll never work anyway.

I guess I'd have to see the complete config to get a better understanding of your setup.

Yes, a complete config will give us a broader outline.

Below is the config. Yes, I tried doing this from outside the network. In fact, I had an employee in a different state try to do it.

Mckeough1720#show run
Building configuration...

Current configuration : 3702 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Mckeough1720
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$aRWL$8GrYUDSoABjufv587pS.5.
enable password 7 0509071B32
!
username mckeough password 7 1309161C0F1E1139
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MCKEOUGHlandsTraverse49456 address 67.39.227.78 no-xauth
!
crypto isakmp client configuration group mckeough
 key mckeoughlands
 dns 192.168.254.1
 wins 192.168.254.1
 domain mckeough.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 2 ipsec-isakmp
 description Connection to Traverse City Office
 set peer 67.39.227.78
 set transform-set trans1
 match address 161
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
 ip address 10.254.254.5 255.255.255.252
!
interface Ethernet0
 ip address 67.39.112.186 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.254.10 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map nonat-map
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip local pool ippool 10.0.1.100 10.0.1.200
ip nat pool INTERNET 67.39.112.186 67.39.112.186 netmask 255.255.255.248
ip nat inside source route-map INTERNET pool INTERNET overload
ip nat inside source static tcp 192.168.254.1 25 67.39.131.113 25 extendable
ip nat inside source static tcp 192.168.254.1 80 67.39.131.113 80 extendable
ip nat inside source static tcp 192.168.254.2 3389 67.39.131.113 3389 extendable
ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723 extendable
ip nat inside source static 192.168.254.2 67.39.131.113
ip classless
ip route 0.0.0.0 0.0.0.0 67.39.112.185
ip route 10.99.1.0 255.255.255.0 64.109.109.92
no ip http server
ip pim bidir-enable
!
!
ip access-list extended nonat-list
 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 deny   tcp any eq 139 any
access-list 101 deny   tcp any eq 135 any
access-list 101 deny   udp any eq netbios-ss any
access-list 101 deny   udp any eq netbios-ns any
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 any
access-list 108 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 161 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map INTERNET permit 10
 match ip address 101
!
route-map nonat-map permit 10
 match ip address nonat-list
 set ip next-hop 10.254.254.6
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 1119180B1313
!
end



That's the running config. Here's the startup config

Mckeough1720#show config
Using 3589 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Mckeough1720
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 $1$aRWL$8GrYUDSoABjufv587pS.5.
enable password 7 0509071B32
!
username mckeough password 7 1309161C0F1E1139
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MCKEOUGHlandsTraverse49456 address 67.39.227.78 no-xauth
!
crypto isakmp client configuration group mckeough
 key mckeoughlands
 dns 192.168.254.1
 wins 192.168.254.1
 domain mckeough.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 2 ipsec-isakmp
 description Connection to Traverse City Office
 set peer 67.39.227.78
 set transform-set trans1
 match address 161
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 10.254.254.5 255.255.255.252
!
interface Ethernet0
 ip address 67.39.131.113 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.254.10 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map nonat-map
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip local pool ippool 10.0.1.100 10.0.1.200
ip nat pool INTERNET 67.39.131.113 67.39.131.113 netmask 255.255.255.248
ip nat inside source route-map INTERNET pool INTERNET overload
ip nat inside source static tcp 192.168.254.1 25 67.39.131.113 25 extendable
ip nat inside source static tcp 192.168.254.1 80 67.39.131.113 80 extendable
ip nat inside source static tcp 192.168.254.2 3389 67.39.131.113 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 67.39.112.185 ---->>JUST FYI. I DON'T UNDERSTAND THIS IP ROUTE. IT'S NOT OUR IP. IF IT ISN'T A PROBLEM DON'T WORRY ABOUT IT.
ip route 10.99.1.0 255.255.255.0 64.109.109.92
no ip http server
ip pim bidir-enable
!
!
ip access-list extended nonat-list
 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 101 deny   tcp any eq 139 any
access-list 101 deny   tcp any eq 135 any
access-list 101 deny   udp any eq netbios-ss any
access-list 101 deny   udp any eq netbios-ns any
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 deny   ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.254.0 0.0.0.255 any
access-list 108 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 160 permit ip 192.168.254.0 0.0.0.255 10.99.1.0 0.0.0.255
access-list 161 permit ip 192.168.254.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map INTERNET permit 10
 match ip address 101
!
route-map nonat-map permit 10
 match ip address nonat-list
 set ip next-hop 10.254.254.6
!
snmp-server community public RO
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 1119180B1313
!
no scheduler allocate
end

>ip route 0.0.0.0 0.0.0.0 67.39.112.185 ---->>JUST FYI. I DON'T UNDERSTAND THIS IP ROUTE. IT'S NOT OUR IP. IF IT ISN'T A PROBLEM DON'T WORRY ABOUT IT.
I think this is THE problem.

Your default gateway should be on this subnet:
>interface Ethernet0
> ip address 67.39.131.113 255.255.255.248

Find out from your ISP what your gateway should be, then:

no ip route 0.0.0.0 0.0.0.0 67.39.112.185
ip route 0.0.0.0 0.0.0.0 67.39.131.x  
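The gateway-on-subnet check in the reply above, together with the earlier point that the static NAT global address must be an address this router actually owns, can be scripted as a small config lint. This is an added example, not code from the thread or from Cisco; the config it reads is a constructed cut-down of the posted startup config, and the function names are my own.

```python
"""Lint an IOS config for the two problems discussed in this thread."""
import ipaddress
import re

# Constructed sample: a cut-down version of the startup config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 67.39.131.113 255.255.255.248
interface FastEthernet0
 ip address 192.168.254.10 255.255.255.0
ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723 extendable
ip route 0.0.0.0 0.0.0.0 67.39.112.185
"""

def parse_interfaces(config):
    """Map interface name -> IPv4Interface for each 'ip address A MASK' line."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)", line)
        if m and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def default_route_next_hop(config):
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    return ipaddress.IPv4Address(m.group(1)) if m else None

def static_nat_globals(config):
    """Global (outside) address of every 'ip nat inside source static' line."""
    pat = r"^ip nat inside source static(?: (?:tcp|udp))? \S+(?: \d+)? (\S+)"
    return [ipaddress.IPv4Address(g) for g in re.findall(pat, config, re.M)]

def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    ifaces = parse_interfaces(config)
    owned = {i.ip for i in ifaces.values()}
    findings = []
    hop = default_route_next_hop(config)
    # The default gateway must sit on a directly connected subnet.
    if hop is not None and not any(hop in i.network for i in ifaces.values()):
        findings.append(f"default route next hop {hop} is not on any connected subnet")
    # A static NAT global address must be one this router holds.
    for g in static_nat_globals(config):
        if g not in owned:
            findings.append(f"static NAT global address {g} is not on any interface")
    return findings
```

Running `lint(SAMPLE_CONFIG)` flags the 67.39.112.185 next hop; substituting the real outside address and the ISP's gateway into the sample clears both checks.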
Actually, I started using the IP address of 67.39.131.113 as an example, and kept using it to avoid any confusion since you've been working with me. Anywhere you see 67.39.131.113 in our configuration that I posted, just replace that with our IP. Our IP (yes, it is static) is actually 67.39.112.186. I still called our ISP however, and they said the gateway address is 67.39.112.190 with a range of 184-191. ALL internet communications get routed through this single Cisco, so does it make sense that we've been able to utilize a Cisco to Cisco VPN along with the Internet all this time? If it does, then I'll go ahead with the change.

Also something else popped up. I'm not sure if this is related or not, but the Cisco (Pix 501) to Cisco (1720) VPN that we have with one of our offices went down sometime yesterday. The VPN is to Traverse City. You'll see it referenced in the configuration I posted. I'm wondering if I accidentally removed a configuration line that lets the Cisco in Traverse City talk to ours here in Grand Haven. I don't think any of the changes I made would affect that. The remote office can still get on the internet, and can still use Terminal Services to get onto our RAS, but when I tried telnetting into the router up there, it gave me the following error:

Z:\>telnet 67.39.227.78
Connecting To 67.39.227.78...Could not open connection to the host, on port 23:
Connect failed

I also had someone try from their own network, and they got the same error. The IP I had them try was even the Cisco's internal IP. So, I'm wondering if something went wrong with the router up there, or if there is something you see in our configuration here that I changed that would sever that connection. I used to be able to ping all the internal IP's of the network up there, but I can't any longer. They can't ping our servers down here either. They called their ISP to make sure that their static IP didn't get changed. It wasn't. We had that happen to us once. Any ideas on that? If you guys think this is separate from what I'm trying to do with Microsoft PPTP then I'll post a different question with some more points on it.

OK. Here's an update. I got rid of the "ip nat inside source static 192.168.50.2 67.39.112.186" entry and it fixed it. Soooo.... does this mean I can't map my GRE?

According to the Cisco document, this 'should' be the only entry you need:
ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723

Suggest removing the "extendable" from your config:

no ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723 extendable
ip nat inside source static tcp 192.168.254.2 1723 67.39.131.113 1723


Sorry for the delay time. Our DSL router died here at the office, so I've been frantically trying to get a new one back online. We're up and running again...

Actually because of the routing that had to take place, I had a Cisco expert come to our office to configure things for the new router. While he was here I told him what we wanted to do. He said that he could do it, but it wouldn't be wise to set things up like that because of the other VPN stuff we have goin' on inside this thing. He DID say that our router was already configured to use Cisco's client software. The only problem is that it has to be installed for anyone that wants a VPN. With that I decided the best way to go was to get Cisco Pix 501's installed at our other offices. This should make things much simpler and cost effective.

By the way, I didn't put the extendable part of that on there. It did it on its own.

I got my Cisco book! It isn't as command intensive as I would like it to be, but it is pretty in-depth when it comes to Cisco networking concepts.

Again, I appreciate the help you've given me Irmoore. The points are yours.

FYI, I'm going to see if I can get this post deleted. I don't feel comfortable with all this configuration information out on the web for the world to see.

Glad you're up and running. Wise choice to use 501's at remote offices...

Yeah, I bet that's what you wanted to tell me to do in the first place... get Ciscos! Thanks again! :-)