Question

(Cisco 1811/IOS 12.4 Advanced Security) Port forwarding problem

Asked by: NightBreakA

Hello,
I know that I had previously posted a question similar to this on EE, but I'm still running into this issue with different service ports.
The issue that I'm running into is that once I set up a NAT forwarding rule for a port, it becomes available from the external interface, but is no longer available from the internal network. I was able to work around this previously by just having the daemon in question listen on two ports, and only port forward one of them, but now I'm running into an issue with an internal application that I cannot do this with.
What I need is a way that I can do an ip nat translation for this port and have it available both internally, and from outside the corporate network. The thing that gets me is that a Linksys router does this by default, but the Cisco 1811s we are running now seem like it's an either/or situation.
What I am looking for is a way to configure the routers where if a request comes in on a certain port on the external interface, just forward that request to a port on a host off of the internal interface. It seems like the router is binding to the port, and only allowing external traffic to that port on the internal host (i.e. when the port is forwarded, any attempts to connect to that resource from internally result in a timeout; when the ip nat command for this is removed, internal access works as it did before).
Here is the router config in question:

------------------------------------------------------------------------

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.east
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging on
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.x 192.168.x.x
ip dhcp excluded-address 192.168.x.x 192.168.x.x
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.x.x 255.255.255.0
   dns-server 192.168.x.x 68.87.75.194
   default-router 192.168.x.x
   domain-name xxxx.xxxxxxxxxx.xxx
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxx.xxx
ip name-server xx.xx.xx.xxx
ip name-server xxx.xxx.x.x
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1433850974
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1433850974
 revocation-check none
 rsakeypair TP-self-signed-1433850974
!
!
crypto pki certificate chain TP-self-signed-1433850974
 certificate self-signed 01
<snip>
  quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map SDMPolicy0
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 101
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0
 description Comcast Business Cable Modem$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xx.xx.xx.xx xxx.xxx.xxx.xxx
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet1
 description $ETH-WAN$
 bandwidth 680
 ip address xxx.xxx.xx.xx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
 description Vlan1
!
interface FastEthernet3
 description Vlan1
!
interface FastEthernet4
 description Vlan1
!
interface FastEthernet5
 description Vlan1
!
interface FastEthernet6
 description Vlan1
!
interface FastEthernet7
 description Vlan1
!
interface FastEthernet8
 description Vlan2
 switchport access vlan 2
!
interface FastEthernet9
 description Vlan2
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
 ip policy route-map nonat
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Vlan1
 network 192.168.x.x 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 deny   any
access-list 100 deny   ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 deny   ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 permit ip 192.168.x.x 0.0.0.255 any
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 102 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip xx.xx.xx.xx 0.0.0.3 any
access-list 103 deny   ip 192.168.x.x 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip xx.xx.xx.xx 0.0.0.3 any
access-list 104 deny   ip 192.168.x.x 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host xx.xx.xx.xxx eq domain host xx.xx.xx.xx
access-list 105 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 deny   ip 192.168.x.x 0.0.0.255 any
access-list 105 deny   ip 192.168.x.x 0.0.0.255 any
access-list 105 permit icmp any host xx.xx.xx.xx echo-reply
access-list 105 permit icmp any host xx.xx.xx.xx time-exceeded
access-list 105 permit icmp any host xx.xx.xx.xx unreachable
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit tcp any host xx.xx.xx.xx eq 22
access-list 105 permit tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 deny   ip any any
access-list 123 permit ip host 192.168.x.x 192.168.1.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map nonat permit 10
 match ip address 123
 set interface Loopback0
!
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

--------------------------------------------------------------------------

Any help with this issue will be GREATLY appreciated.

NightBreakA

This question has been solved and asker verified.

Asked On: 2006-10-05 at 07:00:42 (ID 22014061)
Tags: cisco, 1811, port
Topics: Miscellaneous Networking, Networking Hardware Firewalls, Dynamic Host Configuration Protocol (DHCP)
Participating Experts: 2
Points: 500
Comments: 13

Answers

 

by: photograffiti, posted on 2006-10-05 at 12:36:49, ID: 17671560

What you described is how the Cisco router should work by default. It should not break anything on the inside of your network.
In your config, I don't see where the port forwarding is configured. All I see is a NAT overload for all traffic on your VLAN1 interface going outbound.

 

by: NightBreakA, posted on 2006-10-06 at 08:24:09, ID: 17677167

Oops...  accidentally posted an older version of that config.

The line I'm trying to use for this is:

ip nat inside source static tcp 192.168.x.x <port number> interface fastethernet0 <port number>

This works in the sense that the resource is now available externally, but it is no longer accessible internally at that point.

As soon as I remove this line, the resource is available internally again.

I'm not sure if this is due to something in the ACLs, or if this is how port forwarding is supposed to work in IOS (which would be lame since the Linksys routers we were previously using did not do this, and allowed access from either internally or externally).

Any help on this would be greatly appreciated.

 

by: photograffiti, posted on 2006-10-06 at 08:47:13, ID: 17677383

So you're saying once you put in that line, from the Internet you can access that server via the FastEthernet0's IP address on that specific port. But from the local network you can no longer access that server on 192.168.x.x on the same port?
The NAT should not affect internal access at all. I'm not even sure how the router could do it other than start to ARP for the internal IP address, which it shouldn't, especially since you've turned off proxy ARP. Since the inside traffic doesn't flow through the router, I can't see any other way it could affect that traffic.

 

by: NightBreakA, posted on 2006-10-06 at 12:05:57, ID: 17679208

Actually, after doing some testing on this, it appears that this issue is only occurring whenever I'm coming across the IPsec VPN connection to try to access the host.

We have two locations, with a Cisco 1811 at each location connected to both a commercial cable modem, and a 768k fractional T1.  We are using the Cisco 1811's to provide a VPN connection between the two locations.

When I have the port forwarding rule in place, and I try to connect to the host (which is at the West location) from my PC (which is at the East location) using the remote host's private IP address (192.168.x.x), the connection times out.

However...  If I attempt the same thing from a host that's in the same location as the remote host in question, things work fine when connecting by the private IP address, and when connecting from the Internet (coming through FastEthernet0's address).

I apologize for the earlier confusion on this. This is only happening when:

1) The server is at the West location
2) The forwarding rule is in place on the West router to forward the port in question to the external interface's IP address
3) The client trying to connect to the private IP address is at the East location (coming over the IPsec VPN connection)

In this scenario, the connection to the remote server's private IP address will time out.  Removing the port forwarding rule allows the client to connect to the remote server by private IP address over the VPN link.

Any ideas?

 

by: photograffiti, posted on 2006-10-06 at 13:39:09, ID: 17679760

Ah, that makes more sense then. What is happening is that your PC traffic is going across the VPN tunnel fine but when the server replies the reply is getting NAT'd and no longer matches the parameters of the tunnel. You need to add a route-map to the end of the static NAT translation so that it bypasses NAT for traffic going across the VPN tunnel. It looks like you have that configured for the dynamic stuff but not the static NAT.
Try something like this:
ip nat inside source static tcp 192.168.x.x <port number> interface fastethernet0 <port number> route-map SDM_RMAP_1
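The diagnosis above rests on the order in which IOS processes a packet leaving an `ip nat inside` interface: inside-source NAT is applied before the crypto map on the outside interface evaluates its ACL, so a static translation that is not restricted by a route-map rewrites the server's source address and the reply to a VPN client no longer matches `access-list 101`. The following Python model is an added illustration written for this page, not code from the thread or from Cisco; the addresses (West LAN 192.168.1.0/24, East LAN 192.168.2.0/24, a constructed public address 203.0.113.10 and service port 8080) stand in for the values masked with x's in the posted configs, the ACL contents mirror the page's access-lists 100 and 101, and the model assumes the route-map restriction behaves as described, which is the point this answer makes rather than a statement about what the 12.4 CLI accepts.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the masked values in the thread's configs.
WEST_LAN, EAST_LAN = "192.168.1.0", "192.168.2.0"
LAN_WILDCARD = "0.0.0.255"
WEST_PUBLIC = "203.0.113.10"                # West router FastEthernet0 (constructed)
SERVER, SERVER_PORT = "192.168.1.10", 8080  # the forwarded service (constructed)


def ip2int(addr: str) -> int:
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return (ip2int(addr) & care) == (ip2int(base) & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_lookup(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(pkt.src, ace.src, ace.src_wc) and wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# Mirrors access-list 100 (matched by route-map SDM_RMAP_1): the site-to-site
# traffic is denied (so it is not translated), everything else from the LAN is.
ACL_100 = [
    Ace("deny", WEST_LAN, LAN_WILDCARD, EAST_LAN, LAN_WILDCARD),
    Ace("permit", WEST_LAN, LAN_WILDCARD, *ANY),
]
# Mirrors access-list 101, the crypto map's "match address 101".
ACL_101 = [Ace("permit", WEST_LAN, LAN_WILDCARD, EAST_LAN, LAN_WILDCARD)]


@dataclass
class StaticNat:
    local_ip: str
    local_port: int
    global_ip: str
    global_port: int
    proto: str = "tcp"
    route_map_acl: Optional[List[Ace]] = None   # None: translate unconditionally


def apply_inside_nat(pkt: Packet, entry: StaticNat) -> Packet:
    """Inside-to-outside leg of a static port translation."""
    if (pkt.proto, pkt.src, pkt.sport) != (entry.proto, entry.local_ip, entry.local_port):
        return pkt
    if entry.route_map_acl is not None and acl_lookup(entry.route_map_acl, pkt) != "permit":
        return pkt   # the route-map excludes this flow from translation
    return Packet(entry.global_ip, pkt.dst, pkt.proto, entry.global_port, pkt.dport)


def outbound_path(pkt: Packet, entry: StaticNat) -> dict:
    """The IOS inside->outside ordering that matters here: NAT first, then the crypto map."""
    after_nat = apply_inside_nat(pkt, entry)
    encrypted = acl_lookup(ACL_101, after_nat) == "permit"
    if encrypted:
        outcome = "encrypted into the IPsec tunnel"
    elif wildcard_match(after_nat.dst, "192.168.0.0", "0.0.255.255"):
        outcome = "sent in the clear toward a private address: never reaches the VPN client"
    else:
        outcome = "sent in the clear to the Internet"
    return {"src": after_nat.src, "sport": after_nat.sport, "encrypted": encrypted, "outcome": outcome}


def demo() -> dict:
    reply_to_vpn_client = Packet(SERVER, "192.168.2.50", "tcp", SERVER_PORT, 51000)
    reply_to_internet = Packet(SERVER, "198.51.100.7", "tcp", SERVER_PORT, 40000)
    plain = StaticNat(SERVER, SERVER_PORT, WEST_PUBLIC, SERVER_PORT)
    with_map = StaticNat(SERVER, SERVER_PORT, WEST_PUBLIC, SERVER_PORT, route_map_acl=ACL_100)
    return {
        "vpn_without_route_map": outbound_path(reply_to_vpn_client, plain),
        "vpn_with_route_map": outbound_path(reply_to_vpn_client, with_map),
        "internet_with_route_map": outbound_path(reply_to_internet, with_map),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: src {r['src']}:{r['sport']} -> {r['outcome']}")
```

Running it shows the three cases side by side: without the route-map the server's reply to the East client leaves with the public source address and fails the crypto ACL, with the route-map the same reply stays untranslated and is encrypted, and a reply to an Internet client is still translated as before. The same ACL evaluator can be pointed at the other access-lists on the page to check which flows a given route-map would exclude from NAT.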

 

by: NightBreakA, posted on 2006-10-06 at 13:50:31, ID: 17679835

Ok, that makes sense...  but I'm not sure how to implement it...

when I tried putting everything you suggested on the same line, it rejects the route-map...  at the end.

When I put the route-map <map name> on a separate line, it is treating it like I'm defining a new route-map.

I feel confident that what you're talking about is the case, I'm just too much of a noob at this to pull it off...  ;-)  If you could give a more detailed example of this, I would GREATLY appreciate it.

 

by: photograffiti, posted on 2006-10-06 at 13:54:33, ID: 17679868

Can you post what you are typing and the corresponding error? If you type ip nat inside source static tcp 192.168.x.x <port number> interface fastethernet0 <port number> with a ? mark at the end and hit enter, what other options does it give you?

 

by: brian_36526, posted on 2006-10-06 at 16:16:37, ID: 17680472

Post a copy of your latest configuration. It sounds like your NAT for your VPN isn't properly configured.

 

by: NightBreakA, posted on 2006-10-10 at 08:26:07, ID: 17699611

Hello,
Sorry for not getting back on this yesterday. Below are the current configurations of both routers in question (with IP addresses/passwords/certificates snipped out):

------------------------------------------------------------------------------------------------
East (remote) router:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.east
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 informational
logging console critical
enable secret 5 $1$edHp$.Ja/JmtA2urh8T3.bZF.80
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.221 192.168.2.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 192.168.1.3 68.87.75.194
   default-router 192.168.2.1
   domain-name xxxx.xxxxxxxxxx.xxx
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name ingridhome.com
ip name-server 192.168.2.4
ip name-server 68.87.75.194
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1433850974
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1433850974
 revocation-check none
 rsakeypair TP-self-signed-1433850974
!
!
crypto pki certificate chain TP-self-signed-1433850974
 certificate self-signed 01
<snip>
  quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map SDMPolicy0
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 101
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description Comcast Business Cable Modem$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.xx 255.255.255.252
 ip access-group 110 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet1
 description $ETH-WAN$
 bandwidth 680
 ip address xxx.xxx.xx.xx 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
 description Vlan1
!
interface FastEthernet3
 description Vlan1
!
interface FastEthernet4
 description Vlan1
!
interface FastEthernet5
 description Vlan1
!
interface FastEthernet6
 description Vlan1
!
interface FastEthernet7
 description Vlan1
!
interface FastEthernet8
 description Vlan3 (DMZ)
!
interface FastEthernet9
 description Vlan3 (DMZ)
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect SDM_LOW in
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip policy route-map nonat
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.4.1 255.255.255.0
 ip access-group 108 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect SDM_LOW in
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Vlan1
 network 192.168.2.0 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 192.168.3.0 255.255.255.0 192.168.1.1
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.2.83 3389 interface FastEthernet0 3389
ip nat inside source static tcp 192.168.2.4 7575 interface FastEthernet0 22
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 deny   any
access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 70.91.45.72 0.0.0.3 any
access-list 103 deny   ip 192.168.4.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip 70.91.45.72 0.0.0.3 any
access-list 104 deny   ip 192.168.2.0 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host 68.87.75.194 eq domain host 70.91.45.73
access-list 105 permit ahp host 70.89.20.93 host 70.91.45.73
access-list 105 permit esp host 70.89.20.93 host 70.91.45.73
access-list 105 permit udp host 70.89.20.93 host 70.91.45.73 eq isakmp
access-list 105 permit udp host 70.89.20.93 host 70.91.45.73 eq non500-isakmp
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 deny   ip 192.168.4.0 0.0.0.255 any
access-list 105 deny   ip 192.168.2.0 0.0.0.255 any
access-list 105 permit icmp any host 70.91.45.73 echo-reply
access-list 105 permit icmp any host 70.91.45.73 time-exceeded
access-list 105 permit icmp any host 70.91.45.73 unreachable
access-list 105 permit tcp any host 70.91.45.73 eq 443
access-list 105 permit tcp any host 70.91.45.73 eq 22
access-list 105 permit tcp any host 70.91.45.73 eq cmd
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.4.0 0.0.0.255 any
access-list 106 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 deny   ip any any
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 deny   ip 70.91.45.72 0.0.0.3 any
access-list 107 deny   ip 192.168.10.0 0.0.0.255 any
access-list 107 deny   ip 192.168.4.0 0.0.0.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 permit ip any any
access-list 108 remark auto generated by SDM firewall configuration
access-list 108 remark SDM_ACL Category=1
access-list 108 deny   ip 70.91.45.72 0.0.0.3 any
access-list 108 deny   ip 192.168.10.0 0.0.0.255 any
access-list 108 deny   ip 192.168.2.0 0.0.0.255 any
access-list 108 deny   ip host 255.255.255.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 deny   ip any any log
access-list 110 remark auto generated by SDM firewall configuration
access-list 110 remark SDM_ACL Category=1
access-list 110 permit tcp any host 70.91.45.73 eq 10123
access-list 110 permit tcp any host 70.91.45.73 eq 3389
access-list 110 permit tcp any host 70.91.45.73 eq 2222
access-list 110 permit tcp any host 70.91.45.73 eq 22
access-list 110 permit udp host 68.87.75.194 eq domain host 70.91.45.73
access-list 110 permit ahp host 70.89.20.93 host 70.91.45.73
access-list 110 permit esp host 70.89.20.93 host 70.91.45.73
access-list 110 permit udp host 70.89.20.93 host 70.91.45.73 eq isakmp
access-list 110 permit udp host 70.89.20.93 host 70.91.45.73 eq non500-isakmp
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 deny   ip 192.168.10.0 0.0.0.255 any
access-list 110 deny   ip 192.168.4.0 0.0.0.255 any
access-list 110 deny   ip 192.168.2.0 0.0.0.255 any
access-list 110 permit icmp any host 70.91.45.73 echo-reply
access-list 110 permit icmp any host 70.91.45.73 time-exceeded
access-list 110 permit icmp any host 70.91.45.73 unreachable
access-list 110 permit tcp any host 192.168.10.80 eq 3389
access-list 110 permit tcp any host 192.168.10.81 eq 3389
access-list 110 permit tcp any host 192.168.10.82 eq 3389
access-list 110 permit tcp any host 192.168.10.83 eq 3389
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any
access-list 110 deny   ip host 255.255.255.255 any
access-list 110 deny   ip host 0.0.0.0 any
access-list 110 deny   ip any any log
access-list 111 remark VTY Access-class list
access-list 111 remark SDM_ACL Category=1
access-list 111 permit ip 192.168.4.0 0.0.0.255 any
access-list 111 permit ip 192.168.2.0 0.0.0.255 any
access-list 111 deny   ip any any
access-list 123 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map nonat permit 10
 match ip address 123
 set interface Loopback0
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 111 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 111 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

------------------------------------------------------------------------------------------------
West (home office) router:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.west
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 emergencies
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication ppp default local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.149
ip dhcp excluded-address 192.168.1.221 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 192.168.1.3
   default-router 192.168.1.1
   domain-name corp.ingridhome.com
!
!
ip tcp synwait-time 10
ip vrf VPN
 rd 1:1
!
no ip bootp server
ip domain name ingridhome.com
ip name-server 68.87.64.146
ip name-server 192.168.2.4
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_MEDIUM pptp
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW cuseeme
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1967845904
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1967845904
 revocation-check none
 rsakeypair TP-self-signed-1967845904
!
!
crypto pki certificate chain TP-self-signed-1967845904
 certificate self-signed 01
<snip>
  quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
!
crypto isakmp policy 15
 hash md5
crypto isakmp key xxxxxxxx address 70.91.45.73
crypto isakmp keepalive 3600
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
 mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map ipsec 10 ipsec-isakmp
 set peer 70.91.45.73
 set transform-set myset
 match address 101
 qos pre-classify
!
crypto map mymap 10 ipsec-isakmp
 set peer 70.91.45.73
 set transform-set myset
 match address 101
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
!
interface FastEthernet0
 description Comcast Business Cable Modem (1Mbit/9Mbit)$ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 70.89.20.93 255.255.255.252
 ip access-group 117 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed 10
 crypto map mymap
!
interface FastEthernet1
 description US LEC fractional T1 (768k)$ETH-WAN$$FW_OUTSIDE$
 bandwidth 740
 ip address 199.72.119.50 255.255.255.248
 ip access-group 118 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip inspect SDM_LOW in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map ipsec
!
interface FastEthernet2
 description Vlan1
!
interface FastEthernet3
 description Vlan1
!
interface FastEthernet4
 description Vlan1
!
interface FastEthernet5
 description Vlan1
!
interface FastEthernet6
 description Vlan1
!
interface FastEthernet7
 description Vlan1
!
interface FastEthernet8
 description Vlan2
 switchport access vlan 2
!
interface FastEthernet9
 description Vlan2
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.3.1 255.255.255.0
 ip access-group 116 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets
 passive-interface Vlan1
 network 11.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 1
!
ip local pool POOL 20.0.0.100 20.0.0.150
ip route 0.0.0.0 0.0.0.0 70.89.20.94 permanent
ip route 10.8.0.0 255.255.255.0 192.168.1.3 permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.4 10123 interface FastEthernet0 10123
ip nat inside source static tcp 192.168.1.10 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.1.10 25 interface FastEthernet0 25
ip nat inside source static udp 192.168.1.3 473 interface FastEthernet0 473
ip nat inside source route-map SDM_RMAP_11 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.1.4 7575 interface FastEthernet0 22
!
logging trap critical
logging 192.168.1.4
logging 192.168.1.3
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-Class List
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark ACL for NAT translation
access-list 101 remark SDM_ACL Category=20
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.3.1 host 192.168.4.1
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip 70.89.20.92 0.0.0.3 any
access-list 103 deny   ip 192.168.3.0 0.0.0.255 any
access-list 103 deny   ip 199.72.119.48 0.0.0.7 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit gre host 192.168.4.1 host 192.168.3.1
access-list 104 permit ahp host 70.91.45.73 host 192.168.3.1
access-list 104 permit esp host 70.91.45.73 host 192.168.3.1
access-list 104 permit udp host 70.91.45.73 host 192.168.3.1 eq isakmp
access-list 104 permit udp host 70.91.45.73 host 192.168.3.1 eq non500-isakmp
access-list 104 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 104 deny   ip 70.89.20.92 0.0.0.3 any
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 deny   ip 199.72.119.48 0.0.0.7 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit tcp any host 70.89.20.93 eq 10123
access-list 105 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 105 permit udp host 192.168.2.4 eq domain host 70.89.20.93
access-list 105 permit ahp host 70.91.45.73 host 70.89.20.93
access-list 105 permit esp host 70.91.45.73 host 70.89.20.93
access-list 105 permit udp host 70.91.45.73 host 70.89.20.93 eq isakmp
access-list 105 permit udp host 70.91.45.73 host 70.89.20.93 eq non500-isakmp
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 105 deny   ip 192.168.3.0 0.0.0.255 any
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 deny   ip 199.72.119.48 0.0.0.7 any
access-list 105 permit icmp any host 70.89.20.93 echo-reply
access-list 105 permit icmp any host 70.89.20.93 time-exceeded
access-list 105 permit icmp any host 70.89.20.93 unreachable
access-list 105 permit tcp any host 70.89.20.93 eq 443
access-list 105 permit tcp any host 70.89.20.93 eq 22
access-list 105 permit tcp any host 70.89.20.93 eq cmd
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any host 70.89.20.93 eq 22
access-list 106 permit udp any host 70.89.20.93 eq 473
access-list 106 permit tcp any host 70.89.20.93 eq 473
access-list 106 permit udp host 192.168.2.4 eq domain host 70.89.20.93
access-list 106 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 106 permit ahp host 70.91.45.73 host 70.89.20.93
access-list 106 permit esp host 70.91.45.73 host 70.89.20.93
access-list 106 permit udp host 70.91.45.73 host 70.89.20.93 eq isakmp
access-list 106 permit udp host 70.91.45.73 host 70.89.20.93 eq non500-isakmp
access-list 106 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 106 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 106 deny   ip 192.168.3.0 0.0.0.255 any
access-list 106 deny   ip 192.168.1.0 0.0.0.255 any
access-list 106 deny   ip 199.72.119.48 0.0.0.7 any
access-list 106 permit icmp any host 70.89.20.93 echo-reply
access-list 106 permit icmp any host 70.89.20.93 time-exceeded
access-list 106 permit icmp any host 70.89.20.93 unreachable
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ahp host 70.91.45.73 host 199.72.119.50
access-list 107 permit esp host 70.91.45.73 host 199.72.119.50
access-list 107 permit udp host 70.91.45.73 host 199.72.119.50 eq isakmp
access-list 107 permit udp host 70.91.45.73 host 199.72.119.50 eq non500-isakmp
access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 107 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 107 permit ahp any host 199.72.119.50
access-list 107 permit esp any host 199.72.119.50
access-list 107 permit udp any host 199.72.119.50 eq isakmp
access-list 107 permit udp any host 199.72.119.50 eq non500-isakmp
access-list 107 deny   ip 70.89.20.92 0.0.0.3 any
access-list 107 deny   ip 192.168.3.0 0.0.0.255 any
access-list 107 deny   ip 192.168.1.0 0.0.0.255 any
access-list 107 permit icmp any host 199.72.119.50 echo-reply
access-list 107 permit icmp any host 199.72.119.50 time-exceeded
access-list 107 permit icmp any host 199.72.119.50 unreachable
access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip host 0.0.0.0 any
access-list 107 deny   ip any any log
access-list 108 remark SDM_ACL Category=16
access-list 108 permit udp host 192.168.1.3 eq 1645 host 192.168.1.1
access-list 108 remark Access List for incoming traffic on vlan1
access-list 108 permit udp host 192.168.1.3 eq 1646 host 192.168.1.1
access-list 108 deny   ip 70.89.20.92 0.0.0.3 any
access-list 108 deny   ip 192.168.3.0 0.0.0.255 any
access-list 108 deny   ip 199.72.119.48 0.0.0.7 any
access-list 108 deny   ip host 255.255.255.255 any
access-list 108 deny   ip 127.0.0.0 0.255.255.255 any
access-list 108 permit ip any any
access-list 109 remark auto generated by SDM firewall configuration
access-list 109 remark SDM_ACL Category=1
access-list 109 permit udp host 70.91.45.73 host 192.168.3.1 eq non500-isakmp
access-list 109 permit udp host 70.91.45.73 host 192.168.3.1 eq isakmp
access-list 109 permit esp host 70.91.45.73 host 192.168.3.1
access-list 109 permit ahp host 70.91.45.73 host 192.168.3.1
access-list 109 permit gre host 192.168.4.1 host 192.168.3.1
access-list 109 permit udp host 192.168.4.1 host 192.168.3.1 eq non500-isakmp
access-list 109 permit udp host 192.168.4.1 host 192.168.3.1 eq isakmp
access-list 109 permit esp host 192.168.4.1 host 192.168.3.1
access-list 109 permit ahp host 192.168.4.1 host 192.168.3.1
access-list 109 deny   ip 70.89.20.92 0.0.0.3 any
access-list 109 deny   ip 192.168.1.0 0.0.0.255 any
access-list 109 deny   ip 199.72.119.48 0.0.0.7 any
access-list 109 deny   ip host 255.255.255.255 any
access-list 109 deny   ip 127.0.0.0 0.255.255.255 any
access-list 109 permit ip any any
access-list 110 remark Rule for the VoIP GRE tunnel
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 111 remark auto generated by SDM firewall configuration
access-list 111 remark SDM_ACL Category=1
access-list 111 permit ip host 192.168.5.100 any
access-list 111 permit ip host 192.168.5.101 any
access-list 111 permit ip host 192.168.5.102 any
access-list 111 permit ip host 192.168.5.103 any
access-list 111 permit ip host 192.168.5.104 any
access-list 111 permit ip host 192.168.5.105 any
access-list 111 permit ip host 192.168.5.106 any
access-list 111 permit ip host 192.168.5.107 any
access-list 111 permit ip host 192.168.5.108 any
access-list 111 permit ip host 192.168.5.109 any
access-list 111 permit ip host 192.168.5.110 any
access-list 111 permit ip host 192.168.5.111 any
access-list 111 permit ip host 192.168.5.112 any
access-list 111 permit ip host 192.168.5.113 any
access-list 111 permit ip host 192.168.5.114 any
access-list 111 permit ip host 192.168.5.115 any
access-list 111 permit ip host 192.168.5.116 any
access-list 111 permit ip host 192.168.5.117 any
access-list 111 permit ip host 192.168.5.118 any
access-list 111 permit ip host 192.168.5.119 any
access-list 111 permit ip host 192.168.5.120 any
access-list 111 permit ip host 192.168.5.121 any
access-list 111 permit ip host 192.168.5.122 any
access-list 111 permit ip host 192.168.5.123 any
access-list 111 permit ip host 192.168.5.124 any
access-list 111 permit ip host 192.168.5.125 any
access-list 111 permit ip host 192.168.5.126 any
access-list 111 permit ip host 192.168.5.127 any
access-list 111 permit ip host 192.168.5.128 any
access-list 111 permit ip host 192.168.5.129 any
access-list 111 permit ip host 192.168.5.130 any
access-list 111 permit ip host 192.168.5.131 any
access-list 111 permit ip host 192.168.5.132 any
access-list 111 permit ip host 192.168.5.133 any
access-list 111 permit ip host 192.168.5.134 any
access-list 111 permit ip host 192.168.5.135 any
access-list 111 permit ip host 192.168.5.136 any
access-list 111 permit ip host 192.168.5.137 any
access-list 111 permit ip host 192.168.5.138 any
access-list 111 permit ip host 192.168.5.139 any
access-list 111 permit ip host 192.168.5.140 any
access-list 111 permit ip host 192.168.5.141 any
access-list 111 permit ip host 192.168.5.142 any
access-list 111 permit ip host 192.168.5.143 any
access-list 111 permit ip host 192.168.5.144 any
access-list 111 permit ip host 192.168.5.145 any
access-list 111 permit ip host 192.168.5.146 any
access-list 111 permit ip host 192.168.5.147 any
access-list 111 permit ip host 192.168.5.148 any
access-list 111 permit ip host 192.168.5.149 any
access-list 111 permit ip host 192.168.5.150 any
access-list 111 permit udp any host 199.72.119.50 eq non500-isakmp
access-list 111 permit udp any host 199.72.119.50 eq isakmp
access-list 111 permit esp any host 199.72.119.50
access-list 111 permit ahp any host 199.72.119.50
access-list 111 deny   ip 70.89.20.92 0.0.0.3 any
access-list 111 deny   ip 192.168.3.0 0.0.0.255 any
access-list 111 deny   ip 192.168.1.0 0.0.0.255 any
access-list 111 permit icmp any host 199.72.119.50 echo-reply
access-list 111 permit icmp any host 199.72.119.50 time-exceeded
access-list 111 permit icmp any host 199.72.119.50 unreachable
access-list 111 deny   ip 10.0.0.0 0.255.255.255 any
access-list 111 deny   ip 172.16.0.0 0.15.255.255 any
access-list 111 deny   ip 192.168.0.0 0.0.255.255 any
access-list 111 deny   ip 127.0.0.0 0.255.255.255 any
access-list 111 deny   ip host 255.255.255.255 any
access-list 111 deny   ip host 0.0.0.0 any
access-list 111 deny   ip any any log
access-list 112 remark auto generated by SDM firewall configuration
access-list 112 remark SDM_ACL Category=1
access-list 112 deny   ip 70.89.20.92 0.0.0.3 any
access-list 112 deny   ip 192.168.3.0 0.0.0.255 any
access-list 112 deny   ip host 255.255.255.255 any
access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark auto generated by SDM firewall configuration
access-list 113 remark SDM_ACL Category=1
access-list 113 permit gre host 192.168.4.1 host 192.168.3.1
access-list 113 permit ahp host 70.91.45.73 host 192.168.3.1
access-list 113 permit esp host 70.91.45.73 host 192.168.3.1
access-list 113 permit udp host 70.91.45.73 host 192.168.3.1 eq isakmp
access-list 113 permit udp host 70.91.45.73 host 192.168.3.1 eq non500-isakmp
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 113 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 113 deny   ip 70.89.20.92 0.0.0.3 any
access-list 113 deny   ip host 255.255.255.255 any
access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
access-list 113 permit ip any any
access-list 114 remark auto generated by SDM firewall configuration
access-list 114 remark SDM_ACL Category=1
access-list 114 permit tcp any any eq 10123
access-list 114 permit tcp any host 70.89.20.93 eq www
access-list 114 permit udp any host 70.89.20.93 eq 473
access-list 114 permit tcp any host 70.89.20.93 eq smtp
access-list 114 permit udp host 192.168.2.4 eq domain host 70.89.20.93
access-list 114 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 114 permit ahp host 70.91.45.73 host 70.89.20.93
access-list 114 permit esp host 70.91.45.73 host 70.89.20.93
access-list 114 permit udp host 70.91.45.73 host 70.89.20.93 eq isakmp
access-list 114 permit udp host 70.91.45.73 host 70.89.20.93 eq non500-isakmp
access-list 114 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 114 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 114 deny   ip 192.168.3.0 0.0.0.255 any
access-list 114 deny   ip 192.168.1.0 0.0.0.255 any
access-list 114 permit icmp any host 70.89.20.93 echo-reply
access-list 114 permit icmp any host 70.89.20.93 time-exceeded
access-list 114 permit icmp any host 70.89.20.93 unreachable
access-list 114 permit tcp any host 70.89.20.93 eq 443
access-list 114 permit tcp any host 70.89.20.93 eq 22
access-list 114 permit tcp any host 70.89.20.93 eq cmd
access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
access-list 114 deny   ip host 255.255.255.255 any
access-list 114 deny   ip host 0.0.0.0 any
access-list 114 deny   ip any any log
access-list 115 remark auto generated by SDM firewall configuration
access-list 115 remark SDM_ACL Category=1
access-list 115 deny   ip 70.89.20.92 0.0.0.3 any
access-list 115 deny   ip 192.168.3.0 0.0.0.255 any
access-list 115 deny   ip 199.72.119.48 0.0.0.7 any
access-list 115 deny   ip host 255.255.255.255 any
access-list 115 deny   ip 127.0.0.0 0.255.255.255 any
access-list 115 permit ip any any
access-list 116 remark auto generated by SDM firewall configuration
access-list 116 remark SDM_ACL Category=1
access-list 116 deny   ip 70.89.20.92 0.0.0.3 any
access-list 116 deny   ip 192.168.1.0 0.0.0.255 any
access-list 116 deny   ip 199.72.119.48 0.0.0.7 any
access-list 116 deny   ip host 255.255.255.255 any
access-list 116 deny   ip 127.0.0.0 0.255.255.255 any
access-list 116 permit ip any any
access-list 117 remark auto generated by SDM firewall configuration
access-list 117 remark SDM_ACL Category=1
access-list 117 permit tcp any host 70.89.20.93 eq 10123
access-list 117 permit tcp any host 70.89.20.93 eq 22
access-list 117 permit udp any host 70.89.20.93 eq 473
access-list 117 permit tcp any host 70.89.20.93 eq smtp
access-list 117 permit tcp any host 70.89.20.93 eq 443
access-list 117 permit udp host 192.168.2.4 eq domain host 70.89.20.93
access-list 117 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 117 permit ahp host 70.91.45.73 host 70.89.20.93
access-list 117 permit esp host 70.91.45.73 host 70.89.20.93
access-list 117 permit udp host 70.91.45.73 host 70.89.20.93 eq isakmp
access-list 117 permit udp host 70.91.45.73 host 70.89.20.93 eq non500-isakmp
access-list 117 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 117 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 117 deny   ip 192.168.3.0 0.0.0.255 any
access-list 117 deny   ip 199.72.119.48 0.0.0.7 any
access-list 117 permit icmp any host 70.89.20.93 echo-reply
access-list 117 permit icmp any host 70.89.20.93 time-exceeded
access-list 117 permit icmp any host 70.89.20.93 unreachable
access-list 117 deny   ip 10.0.0.0 0.255.255.255 any
access-list 117 deny   ip 172.16.0.0 0.15.255.255 any
access-list 117 deny   ip 127.0.0.0 0.255.255.255 any
access-list 117 deny   ip host 255.255.255.255 any
access-list 117 deny   ip host 0.0.0.0 any
access-list 117 deny   ip any any log
access-list 118 remark auto generated by SDM firewall configuration
access-list 118 remark SDM_ACL Category=1
access-list 118 permit ahp host 70.91.45.73 host 199.72.119.50
access-list 118 permit esp host 70.91.45.73 host 199.72.119.50
access-list 118 permit udp host 70.91.45.73 host 199.72.119.50 eq isakmp
access-list 118 permit udp host 70.91.45.73 host 199.72.119.50 eq non500-isakmp
access-list 118 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 118 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 118 deny   ip 70.89.20.92 0.0.0.3 any
access-list 118 deny   ip 192.168.3.0 0.0.0.255 any
access-list 118 deny   ip 192.168.1.0 0.0.0.255 any
access-list 118 permit icmp any host 199.72.119.50 echo-reply
access-list 118 permit icmp any host 199.72.119.50 time-exceeded
access-list 118 permit icmp any host 199.72.119.50 unreachable
access-list 118 deny   ip 10.0.0.0 0.255.255.255 any
access-list 118 deny   ip 172.16.0.0 0.15.255.255 any
access-list 118 deny   ip 192.168.0.0 0.0.255.255 any
access-list 118 deny   ip 127.0.0.0 0.255.255.255 any
access-list 118 deny   ip host 255.255.255.255 any
access-list 118 deny   ip host 0.0.0.0 any
access-list 118 deny   ip any any log
access-list 119 remark auto generated by SDM firewall configuration
access-list 119 remark SDM_ACL Category=1
access-list 119 permit udp host 192.168.2.4 eq domain host 70.89.20.93
access-list 119 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 119 permit ahp host 70.91.45.73 host 70.89.20.93
access-list 119 permit esp host 70.91.45.73 host 70.89.20.93
access-list 119 permit udp host 70.91.45.73 host 70.89.20.93 eq isakmp
access-list 119 permit udp host 70.91.45.73 host 70.89.20.93 eq non500-isakmp
access-list 119 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 119 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 119 deny   ip 192.168.3.0 0.0.0.255 any
access-list 119 deny   ip 192.168.1.0 0.0.0.255 any
access-list 119 deny   ip 199.72.119.48 0.0.0.7 any
access-list 119 permit icmp any host 70.89.20.93 echo-reply
access-list 119 permit icmp any host 70.89.20.93 time-exceeded
access-list 119 permit icmp any host 70.89.20.93 unreachable
access-list 119 permit tcp any host 70.89.20.93 eq 443
access-list 119 permit tcp any host 70.89.20.93 eq 22
access-list 119 permit tcp any host 70.89.20.93 eq cmd
access-list 119 deny   ip 10.0.0.0 0.255.255.255 any
access-list 119 deny   ip 172.16.0.0 0.15.255.255 any
access-list 119 deny   ip 192.168.0.0 0.0.255.255 any
access-list 119 deny   ip 127.0.0.0 0.255.255.255 any
access-list 119 deny   ip host 255.255.255.255 any
access-list 119 deny   ip host 0.0.0.0 any
access-list 119 deny   ip any any log
access-list 120 remark auto generated by SDM firewall configuration
access-list 120 remark SDM_ACL Category=1
access-list 120 permit tcp any host 70.89.20.93 eq 22
access-list 120 permit ahp any host 199.72.119.50
access-list 120 permit esp any host 199.72.119.50
access-list 120 permit udp any host 199.72.119.50 eq isakmp
access-list 120 permit udp any host 199.72.119.50 eq non500-isakmp
access-list 120 deny   ip 70.89.20.92 0.0.0.3 any
access-list 120 deny   ip 192.168.3.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 permit icmp any host 199.72.119.50 echo-reply
access-list 120 permit icmp any host 199.72.119.50 time-exceeded
access-list 120 permit icmp any host 199.72.119.50 unreachable
access-list 120 deny   ip 10.0.0.0 0.255.255.255 any
access-list 120 deny   ip 172.16.0.0 0.15.255.255 any
access-list 120 deny   ip 192.168.0.0 0.0.255.255 any
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any
access-list 120 deny   ip host 255.255.255.255 any
access-list 120 deny   ip host 0.0.0.0 any
access-list 120 deny   ip any any log
access-list 121 remark VTY Access-class list
access-list 121 remark SDM_ACL Category=1
access-list 121 permit ip 192.168.3.0 0.0.0.255 any
access-list 121 permit ip 192.168.1.0 0.0.0.255 any
access-list 121 deny   ip any any
access-list 122 remark SDM_ACL Category=2
access-list 122 deny   ip host 192.168.1.4 any
access-list 122 deny   ip any host 192.168.5.100
access-list 122 deny   ip any host 192.168.5.101
access-list 122 deny   ip any host 192.168.5.102
access-list 122 deny   ip any host 192.168.5.103
access-list 122 deny   ip any host 192.168.5.104
access-list 122 deny   ip any host 192.168.5.105
access-list 122 deny   ip any host 192.168.5.106
access-list 122 deny   ip any host 192.168.5.107
access-list 122 deny   ip any host 192.168.5.108
access-list 122 deny   ip any host 192.168.5.109
access-list 122 deny   ip any host 192.168.5.110
access-list 122 deny   ip any host 192.168.5.111
access-list 122 deny   ip any host 192.168.5.112
access-list 122 deny   ip any host 192.168.5.113
access-list 122 deny   ip any host 192.168.5.114
access-list 122 deny   ip any host 192.168.5.115
access-list 122 deny   ip any host 192.168.5.116
access-list 122 deny   ip any host 192.168.5.117
access-list 122 deny   ip any host 192.168.5.118
access-list 122 deny   ip any host 192.168.5.119
access-list 122 deny   ip any host 192.168.5.120
access-list 122 deny   ip any host 192.168.5.121
access-list 122 deny   ip any host 192.168.5.122
access-list 122 deny   ip any host 192.168.5.123
access-list 122 deny   ip any host 192.168.5.124
access-list 122 deny   ip any host 192.168.5.125
access-list 122 deny   ip any host 192.168.5.126
access-list 122 deny   ip any host 192.168.5.127
access-list 122 deny   ip any host 192.168.5.128
access-list 122 deny   ip any host 192.168.5.129
access-list 122 deny   ip any host 192.168.5.130
access-list 122 deny   ip any host 192.168.5.131
access-list 122 deny   ip any host 192.168.5.132
access-list 122 deny   ip any host 192.168.5.133
access-list 122 deny   ip any host 192.168.5.134
access-list 122 deny   ip any host 192.168.5.135
access-list 122 deny   ip any host 192.168.5.136
access-list 122 deny   ip any host 192.168.5.137
access-list 122 deny   ip any host 192.168.5.138
access-list 122 deny   ip any host 192.168.5.139
access-list 122 deny   ip any host 192.168.5.140
access-list 122 deny   ip any host 192.168.5.141
access-list 122 deny   ip any host 192.168.5.142
access-list 122 deny   ip any host 192.168.5.143
access-list 122 deny   ip any host 192.168.5.144
access-list 122 deny   ip any host 192.168.5.145
access-list 122 deny   ip any host 192.168.5.146
access-list 122 deny   ip any host 192.168.5.147
access-list 122 deny   ip any host 192.168.5.148
access-list 122 deny   ip any host 192.168.5.149
access-list 122 deny   ip any host 192.168.5.150
access-list 122 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 122 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 122 permit ip 192.168.1.0 0.0.0.255 any
access-list 123 remark SDM_ACL Category=2
access-list 123 deny   ip any host 192.168.5.100
access-list 123 deny   ip any host 192.168.5.101
access-list 123 deny   ip any host 192.168.5.102
access-list 123 deny   ip any host 192.168.5.103
access-list 123 deny   ip any host 192.168.5.104
access-list 123 deny   ip any host 192.168.5.105
access-list 123 deny   ip any host 192.168.5.106
access-list 123 deny   ip any host 192.168.5.107
access-list 123 deny   ip any host 192.168.5.108
access-list 123 deny   ip any host 192.168.5.109
access-list 123 deny   ip any host 192.168.5.110
access-list 123 deny   ip any host 192.168.5.111
access-list 123 deny   ip any host 192.168.5.112
access-list 123 deny   ip any host 192.168.5.113
access-list 123 deny   ip any host 192.168.5.114
access-list 123 deny   ip any host 192.168.5.115
access-list 123 deny   ip any host 192.168.5.116
access-list 123 deny   ip any host 192.168.5.117
access-list 123 deny   ip any host 192.168.5.118
access-list 123 deny   ip any host 192.168.5.119
access-list 123 deny   ip any host 192.168.5.120
access-list 123 deny   ip any host 192.168.5.121
access-list 123 deny   ip any host 192.168.5.122
access-list 123 deny   ip any host 192.168.5.123
access-list 123 deny   ip any host 192.168.5.124
access-list 123 deny   ip any host 192.168.5.125
access-list 123 deny   ip any host 192.168.5.126
access-list 123 deny   ip any host 192.168.5.127
access-list 123 deny   ip any host 192.168.5.128
access-list 123 deny   ip any host 192.168.5.129
access-list 123 deny   ip any host 192.168.5.130
access-list 123 deny   ip any host 192.168.5.131
access-list 123 deny   ip any host 192.168.5.132
access-list 123 deny   ip any host 192.168.5.133
access-list 123 deny   ip any host 192.168.5.134
access-list 123 deny   ip any host 192.168.5.135
access-list 123 deny   ip any host 192.168.5.136
access-list 123 deny   ip any host 192.168.5.137
access-list 123 deny   ip any host 192.168.5.138
access-list 123 deny   ip any host 192.168.5.139
access-list 123 deny   ip any host 192.168.5.140
access-list 123 deny   ip any host 192.168.5.141
access-list 123 deny   ip any host 192.168.5.142
access-list 123 deny   ip any host 192.168.5.143
access-list 123 deny   ip any host 192.168.5.144
access-list 123 deny   ip any host 192.168.5.145
access-list 123 deny   ip any host 192.168.5.146
access-list 123 deny   ip any host 192.168.5.147
access-list 123 deny   ip any host 192.168.5.148
access-list 123 deny   ip any host 192.168.5.149
access-list 123 deny   ip any host 192.168.5.150
access-list 123 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 123 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 123 permit ip 192.168.1.0 0.0.0.255 any
access-list 151 remark Rule for L2TP VPN clients.
access-list 151 remark SDM_ACL Category=4
access-list 151 permit ip any 192.168.1.0 0.0.0.255
access-list 151 permit ip any 192.168.2.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_11 permit 1
 match ip address 123
!
route-map SDM_RMAP_4 permit 1
 match ip address 114
!
route-map SDM_RMAP_5 permit 1
 match ip address 115
!
route-map SDM_RMAP_6 permit 1
 match ip address 116
!
route-map SDM_RMAP_7 permit 1
 match ip address 117
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map SDM_RMAP_2 permit 1
 match ip address 112
!
route-map SDM_RMAP_3 permit 1
 match ip address 113
!
route-map SDM_RMAP_8 permit 1
 match ip address 118
!
route-map SDM_RMAP_9 permit 1
 match ip address 122
!
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 121 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 121 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

------------------------------------------------------------------------------------------------

      Let me know if you need any additional info on this.

Thanks,
Mike H.
NightBreakA
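As an added example (not part of the original post or of IOS itself), here is a small first-match evaluator for the numbered extended ACL entries in the config above. It walks a subset of access-list 114 copied in its posted order and reports which entry a given packet hits, which makes visible that an inside-sourced connection to the forwarded port 10123 is permitted only because its permit entry sits ahead of the RFC 1918 anti-spoofing denies, whereas the same inside host going to port 22 or 443 is dropped by the earlier `deny ip 192.168.1.0 0.0.0.255 any`. The `NAMED_PORTS` table, the sample packet addresses, and the restriction to the `any`/`host`/wildcard and `eq` forms that appear in the posted ACLs are assumptions made for this example.

```python
import ipaddress

# Constructed subset of the posted access-list 114, kept in its original order.
ACL_114 = """
access-list 114 permit tcp any any eq 10123
access-list 114 permit tcp any host 70.89.20.93 eq www
access-list 114 permit udp host 68.87.64.146 eq domain host 70.89.20.93
access-list 114 deny   ip 192.168.3.0 0.0.0.255 any
access-list 114 deny   ip 192.168.1.0 0.0.0.255 any
access-list 114 permit tcp any host 70.89.20.93 eq 443
access-list 114 permit tcp any host 70.89.20.93 eq 22
access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
access-list 114 deny   ip any any log
""".strip().splitlines()

# Constructed table for the IOS port keywords that appear in the posted config.
NAMED_PORTS = {"www": 80, "smtp": 25, "domain": 53, "cmd": 514, "isakmp": 500, "non500-isakmp": 4500}

def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # An IOS wildcard mask is an inverted netmask: 0 bits must match exactly.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _take_port(tokens):
    """Consume an optional 'eq <port>' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return NAMED_PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list N action proto src [eq p] dst [eq p] [log]'; None for remarks."""
    t = line.split()
    if len(t) < 5 or t[2] == "remark":
        return None
    src, rest = _take_addr(t[4:])
    sport, rest = _take_port(rest)
    dst, rest = _take_addr(rest)
    dport, _ = _take_port(rest)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line.strip()}

def evaluate(acl_lines, proto, src_ip, dst_ip, dport, sport=None):
    """First-match evaluation: return (action, matching entry text); implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] not in (None, dport) or ace["sport"] not in (None, sport):
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed packets: an inside host (192.168.1.50) and an Internet host (203.0.113.7).
    for src, port in (("192.168.1.50", 10123), ("192.168.1.50", 22), ("203.0.113.7", 22)):
        print(src, port, "->", evaluate(ACL_114, "tcp", src, "70.89.20.93", port))
```

Run it against the full ACL 114 from the config to see, for each forwarded port, whether an inside source is stopped by an anti-spoofing deny before it reaches the permit.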


by: photograffiti, posted on 2006-10-10 at 08:37:29, ID: 17699717

Can you respond to my post above? I would like to see the error message and additional commands.


by: NightBreakA, posted on 2006-10-11 at 06:16:06, ID: 17706565

photograffiti:
     Here's what I get when I put a ? at the end of the nat command.

router.west(config)#$static tcp 192.168.1.3 10123 interface fastethernet0 10123 ?
  <cr>

router.west(config)#$static tcp 192.168.1.3 10123 interface fastethernet0 10123

     It looks like the IOS image that the routers are using does not accept anything after the public port number for static NAT definitions.
     Let me know if you need any more info on this.

Thanks,
Mike H.
NightBreakA


by: photograffiti, posted on 2006-10-11 at 08:14:59, ID: 17707581

OK. I think you need to have the T train of the IOS for that option. I wasn't sure just from reading the documentation but this confirms it. You will have to upgrade your router IOS to get this to work.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html


by: NightBreakA, posted on 2006-10-11 at 13:54:16, ID: 17710649

Hmmm... is there any way around this without having to upgrade IOS? The support contract for just one of these routers costs a hair shy of what both of them cost to initially purchase.

If that's the only way to resolve this, then I guess we'll just live with the workaround I was able to come up with (access the resource by the external IP address of the home office router from the remote office)

Any additional ideas?

Thanks,
Mike H.
NightBreakA
