Solved

Need CISCO access list to allow internet access

Posted on 2004-08-30
869 Views
Last Modified: 2008-01-09
I have set up a VPN tunnel from home to work using a CISCO 837.  I need to be able to browse the internet but don't know the correct access lists to use.  Below is a copy of the config I am using.  Can anyone provide me with the additional config I need to do this?

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 0 (password)
!
username (username) password 0 (password)
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key 0 password address xxx.xxx.xx.xxx
crypto isakmp keepalive 1800
!
crypto ipsec security-association lifetime kilobytes 50000
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set REMS_IPSec_Transform1 esp-3des esp-md5-hmac
!
crypto ipsec profile REMS_IPSec_Profile1
 set security-association lifetime kilobytes 4608000
 set transform-set REMS_IPSec_Transform1
!
!
crypto map REMS_IPSec_Policy1 1 ipsec-isakmp
 description VPN
 set peer xxx.xxx.xx.xxx
 set transform-set REMS_IPSec_Transform1
 match address 117
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address (ip address) (sub-net)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 113 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname (username)
 ppp chap password 0 (password)
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 109 remark Fast Ethernet 0 in - firewall configuration
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip host (external IP) host (firewall)
access-list 113 remark Dialer 2 - VPN - firewall configuration
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 113 permit udp host (firewall) host (external IP) eq non500-isakmp
access-list 113 permit udp host (firewall) host (external IP) eq isakmp
access-list 113 permit esp host (firewall) host (external IP)
access-list 113 permit ahp host (firewall) host (external IP)
access-list 113 permit tcp host (firewall) host (external IP) eq telnet
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 0 (password)
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Thanks in advance
Question by:caz1762
28 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 11931006
>I need to be able to browse the internet
Please clarify this for me. Obviously, you have Internet access in order to establish the VPN.
Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
Is this configuration from the Home side, or the Work side?
If this is the config from Home, what device/config are you connected to at the Work end?
0
 

Author Comment

by:caz1762
ID: 11931112
Hi lrmoore,

I am using the 837 (Home) to establish a VPN connection to work (Checkpoint firewall). From my home computer I am able to connect to work machines using PCDuo.  This means that in theory the internet (ADSL) line is activated via the CISCO router.  The additional config I need to place on the 837 is to allow me to go to certain web pages from my home machine.  The current config will not allow this.  I have been told that I need additional access lists but I am unsure which.

1. Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
I lose internet connectivity when I establish the VPN at home

2. Is this configuration from the Home side, or the Work side?
this is my home configuration

3. If this is the config from Home, what device/config are you connected to at the Work end?
checkpoint firewall
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11931424
Here's what you have:
!
set transform-set REMS_IPSec_Transform1
 match address 117
!
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
!

those lines above define the traffic that is permitted to traverse the VPN tunnel to work. You would surely lose connectivity if it was something like:

access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx any

The "any" would mean ALL traffic from your network to anywhere would be tunneled. In this case you would surely lose local Internet access.

However, since that part of the config can be ruled out as a potential issue...
You might want to turn on the Inspect on the local interface so that your ACL 113 won't block your Internet access...

interface Ethernet0
 ip inspect REMSFW in  <=== add this line
!

The inspect rules open/close temporary access in your inbound acl (113) for inspected traffic, thereby permitting Internet access. Without the inspect rules applied, no temporary access-list entries, no Internet.


0
 

Author Comment

by:caz1762
ID: 11931538
Hi,

I have gone into the config and inserted "ip inspect REMSFW in" on interface Ethernet0.  I am still not able to go on the internet.  When I try, it gives me the following error message: "Internet Explorer could not open the search page."

is it possible that i need to setup another access list.....?

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11932815
What do you have set as your DNS nameserver in your client configuration?

From your PC, post result of "ipconfig /all"
From your router, post result of "show access-list 113"
0
 

Author Comment

by:caz1762
ID: 11933532
Hi.. As requested


Windows IP Configuration

        Host Name . . . . . . . . . . . . : temp02
        Primary Dns Suffix  . . . . . . . : task.local
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
 LAN Mini PCI Card
        Physical Address. . . . . . . . . : 00-02-2D-B9-09-92

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 152.xx.xx.xx
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 152.xx.xx.xx

Access List 113

Extended IP access list 113
     permit tcp host 192.168.xx.xx eq 5405 host 152.xxx.x.xx eq 1058 (3 matches)
    10 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
    20 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
    30 permit ip 192.168.xx.xx 0.0.xx.xx 152.xx.xx.xx 0.xx.xx.xx (813 matches)
    40 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq non500-isakmp
    50 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq isakmp (250 matches)
    60 permit esp host 213.xx.xx.xx host 217.xx.xx.xx (114679 matches)
    70 permit ahp host 213.xx.xx.xx host 217.xx.xx.xx
    80 permit tcp host 81.xx.xx.xx host 217.xx.xx.xx eq telnet

Hope this helps... :)

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11933832
It looks like you do not have a DNS nameserver in your PC's TCP/IP configuration..
I would expect another line after Default Gateway......
        Default Gateway . . . . . . . . : 1x9.1xx.1xx.2
        DNS Servers . . . . . . . . . . . : 1x9.1xx.1xx.195
                                                    198.6.1.2

Try adding 198.6.1.2 (cache02.uu.net) in your client configuration.

Also try adding this to the top of access-list 113:

access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any

0
 

Author Comment

by:caz1762
ID: 11939565
Hey,

Still not working..

Windows IP Configuration

        Host Name . . . . . . . . . . . . : temp02
        Primary Dns Suffix  . . . . . . . : task.local
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : task.local

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
 LAN Mini PCI Card
        Physical Address. . . . . . . . . : 00-02-2D-B9-09-92

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 152.xxx.xxx.xxx
        Subnet Mask . . . . . . . . . . . : 255.xxx.xxx.xxx
        Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
        DNS Servers . . . . . . . . . . . : 198.6.1.2

Have also added the access list addition as shown below... Still not working

access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11940388
Post result of "show ip inspect all"
Post result of "show ip access-list 113"
Post result of "ping 198.6.1.2" from the router
Post result of "C:\ping www.yahoo.com" from the PC

0
 

Author Comment

by:caz1762
ID: 11940428
As requested....!!

Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Interface Dialer1
  Inbound inspection rule is not set
  Outgoing inspection rule is REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Inbound access list is 113
  Outgoing access list is not set

Router#sho ip access-list 113
Extended IP access list 113
    10 permit tcp any any established (641 matches)
    20 permit udp any eq domain any
    30 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
    40 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
    50 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255 (18 matches)
    60 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq non500-isakmp
    70 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq isakmp (146 matches)
    80 permit esp host 213.xxx.xxx.xxx host 217.4xxx.xxx.xxx (23272 matches)
    90 permit ahp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx
    100 permit tcp host 81.xxx.xxx.xxx host 217.xxx.xxx.xxx eq telnet
Router#ping 198.6.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

Ping result for "ping www.yahoo.com": Ping request could not find host www.yahoo.com.  Please check the name and try again.

Hope this helps.

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11940655
> 20 permit udp any eq domain any
No matches/hits on this one, so you are not getting DNS resolution replies

Let's try removing the inspect from the Ethernet

interface Ethernet0
 no ip inspect REMSFW in  
 ^
!

No ping because we have not permitted icmp in through acl 113. Add this:

access-list 113 permit icmp any any echo-reply

Then try to ping 198.6.1.2 again. Post result.

Did your ISP provide any nameserver addresses to use?


0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11940699
Let's try ruling out PC issues, too.
On the router, add:

!
ip name-server 198.6.1.2

router#ping www.yahoo.com
Whether or not the ping is successful, this is what I'm looking for:
   Translating "www.yahoo.com"...domain server (192.168.122.149) [OK]

Are you sure that access-list 109 is not applied to the Ethernet interface?
 >access-list 109 remark Fast Ethernet 0 in - firewall configuration
I do not see it applied in the first post of your configuration. If it is applied, it will surely block all internet access...
0
 

Author Comment

by:caz1762
ID: 11941529
Connection has been dropped for my home machine.. will post replies this evening.. I have checked through documentation from BT and the DNS server is 213.1.119.102.

do I need to include this in the config or my TCP/IP settings..?

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11941777
>the DNS Server is 213.1.119.102.
>do I need to include this in the config or my TCP/IP settings..?

Yes. TCP/IP settings on your PC

Also, make sure that this is the IP address of the router's Ethernet interface..

>   Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
0
 

Author Comment

by:caz1762
ID: 11944705
Hi,
I have included the above DNS settings within TCP/IP.

I have also included the additional line in the access list (113).

I am still not able to get an internet connection.  I tried pinging the IP address you requested but the success rate is still (0).

I can also confirm that the config I initially gave with the post is the original config..

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11944933
Can you post result of "show access-list 109"
and "show interface Ethernet0"
0
 

Author Comment

by:caz1762
ID: 11946146
Extended IP access list 109
    10 permit ip 152.xxx.xxx.xxx 0.0.0.255 192.xxx.xxx.xxx 0.0.0.255
    20 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255
    30 permit ip host 217.xxx.xxx.xxx host 213.xxx.xxx.xxx

Router#sho interface ethernet0
Ethernet0 is up, line protocol is up
  Hardware is PQUICC Ethernet, address is 0011.5cb7.7bd8 (bia 0011.5cb7.7bd8)
  Description: $ETH-LAN$$FW_INSIDE$Semi Secure LAN
  Internet address is 152.xxx.xxx.xxx/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:42, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 0 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     1930 packets input, 122460 bytes, 0 no buffer
     Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     1422 packets output, 410370 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Hope this helps

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11946245
Darn. Everything looks right.

One more test.
From your PC, post result of "C:\route print"
Don't mask the last digit of the addresses in the output..
OK: 157.xx.xx.122
Not: 157.xx.xx.xx
0
 

Expert Comment

by:jaysonjennings
ID: 11949304
It sounds awfully like the VPN profile that you are using does not have split tunnelling enabled.  Is this enabled at the work VPN tunnel termination point?  If the termination point has split tunnelling enabled, then all traffic will be forced to head back to the office.  Just a thought.
0
 

Author Comment

by:caz1762
ID: 11949793
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 2d b9 09 92 ...... Dell TrueMobile 1150 Series Wireless LAN Mini PC
I Card - Packet Scheduler Miniport
0x3 ...00 0d 56 33 79 e5 ...... 3Com 3C920 Integrated Fast Ethernet Controller (
3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      152.114.1.1     152.114.1.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      152.114.1.0    255.255.255.0      152.114.1.2     152.114.1.2       20
      152.114.1.2  255.255.255.255        127.0.0.1       127.0.0.1       20
  152.114.255.255  255.255.255.255      152.114.1.2     152.114.1.2       20
        224.0.0.0        240.0.0.0      152.114.1.2     152.114.1.2       20
  255.255.255.255  255.255.255.255      152.114.1.2               2       1
  255.255.255.255  255.255.255.255      152.114.1.2     152.114.1.2       1
Default Gateway:       152.114.1.1
===========================================================================
Persistent Routes:
  None
0
 

Author Comment

by:caz1762
ID: 11988706
Hi,

If I wanted to provide straight internet access without the VPN Tunnel what would i need to do..?

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11990402

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^
0
 

Author Comment

by:caz1762
ID: 11990830
Hi lrmoore,

Will the below config work

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Thanks

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11992766
Not quite. You've removed all the crypto commands, but you have left the map applied to the dialer interface:

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^

Q: are you in Europe?
Q: Was this IP subnet block assigned specifically to you? It is unusual for a small office, and even more unusual for an individual to be assigned an entire class C address ..

interface Ethernet0
  ip address 152.114.1.1 255.255.255.0  <=== ?


You might want to consider using nat.
Just add the following:

interface Dialer 1
  ip nat outside

interface Ethernet0
 ip nat inside

access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
0
 

Author Comment

by:caz1762
ID: 11994415
Hi,

I have added your suggestions below. In answer to your questions: I am in Northern Ireland, and the IP subnet I am using is just a random subnet that I have set up for testing purposes at home.

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 ip nat outside
 no crypto map REMS_IPSec_Policy1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Will the above config work...????

Caz
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 11995922
Almost.
For the 3rd time, you need to remove the crypto map from the dialer interface:

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^
0
 

Author Comment

by:caz1762
ID: 11996852
Hope this is now correct...!! :)

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 no crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 11997060
Yes, this should work now.

But, if you want both the VPN and Internet (assume you do?), then the original config will work with the inclusion of just the following changes. I didn't realize that you did not own the 157.x.x.x address space and need to use nat..

Assuming that the remote LAN subnet over the other end of the VPN is 192.168.0.x / 24
Assuming that the other end has a mirror-image to acl 117 to trigger the VPN coming back to you
!
access-list 117 remark -defines traffic to open VPN tunnel
access-list 117 permit ip 157.114.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
access-list 110 remark -don't nat traffic from LAN through VPN tunnel, but nat all other
access-list 110 deny ip 157.114.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 157.114.1.0 0.0.0.255 any
!
! <- use a route-map instead of a list to define the traffic to be NATted ->
ip nat inside source route-map no_nat interface dialer1 overload

route-map no_nat permit 10
 match address 110
!

0
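Added example, not code from this thread or from any of the posters: a small Python model of the IOS behaviour discussed above, so the decisions can be checked offline. It covers the points lrmoore makes along the way: crypto ACL 117 with `any` as the destination pulls all LAN traffic into the tunnel; ACL 113 on Dialer1 drops DNS replies and echo replies until the `established`, `udp any eq domain any` and `icmp any any echo-reply` entries are added, because every IOS ACL ends in an implicit deny; the outbound inspect rule admits return traffic only for flows it has already seen leave; and the accepted answer's ACL 110, whose deny entry exempts VPN-bound traffic from NAT while the permit entry NATs everything else. The addresses are constructed: the 152.114.1.0/24 LAN and the 198.6.1.2 nameserver come from the thread (the accepted answer writes 157.114.1.0, which the example treats as the same LAN), 192.168.0.0/24 is the work LAN the accepted answer assumes, and 203.0.113.10 and 198.51.100.5 stand in for the masked firewall and peer addresses.

```python
"""Cisco-style extended ACL evaluation: an added example, not code from this thread. Models the
first-match ACL with its implicit deny, the 'established' and ICMP-type keywords, the crypto ACL,
CBAC 'ip inspect' return sessions and the accepted answer's NAT-exemption ACL. IPv4 only."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "telnet": 23, "www": 80}
Entry = namedtuple("Entry", "permit proto src swild sport dst dwild dport flags")

@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP with ACK or RST set, which is what 'established' tests
    icmp_type: str = ""        # e.g. "echo-reply"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _port(t, i):  # optional 'eq PORT', PORT a number or one of the IOS names in PORT_NAMES
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [keywords]' lines,
    skipping remarks and keeping order, because IOS evaluates entries top-down."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, swild, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, dwild, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[2] == "permit", t[3], src, swild, sport, dst, dwild, dport, frozenset(t[i:])))
    return entries

def _addr_match(addr, wild, value):
    return ((addr ^ value) & ~wild & 0xFFFFFFFF) == 0  # a wildcard bit of 1 means "don't care"

def entry_matches(e, p):
    if e.proto not in ("ip", p.proto):
        return False
    if not (_addr_match(e.src, e.swild, _ip(p.src)) and _addr_match(e.dst, e.dwild, _ip(p.dst))):
        return False
    if (e.sport is not None and e.sport != p.sport) or (e.dport is not None and e.dport != p.dport):
        return False
    if "established" in e.flags and not p.established:
        return False
    icmp_types = e.flags - {"established", "log"}
    return not icmp_types or p.icmp_type in icmp_types

def acl_permits(entries, p):
    """The first matching entry decides; no match falls to the implicit 'deny any' at the end."""
    for e in entries:
        if entry_matches(e, p):
            return e.permit
    return False

class InspectTable:
    """'ip inspect REMSFW out' on Dialer1: outbound packets record sessions; an inbound packet is
    admitted if it reverses a session, otherwise the static inbound ACL decides. NAT is omitted."""
    def __init__(self, inbound_acl):
        self.acl, self.sessions = inbound_acl, set()
    def outbound(self, p):
        self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
    def inbound_allowed(self, p):
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions or acl_permits(self.acl, p)

# Constructed sample policy; public addresses are TEST-NET stand-ins for the thread's masked values.
LAN, REMOTE, DNS = "152.114.1.0 0.0.0.255", "192.168.0.0 0.0.0.255", "198.6.1.2"
ROUTER_WAN, VPN_PEER = "203.0.113.10", "198.51.100.5"
CRYPTO_SPECIFIC = parse_acl(f"access-list 117 permit ip {LAN} {REMOTE}")
CRYPTO_ANY = parse_acl(f"access-list 117 permit ip {LAN} any")  # the 'any' mistake lrmoore describes
ACL113_ORIGINAL = parse_acl(f"""access-list 113 permit ip {REMOTE} {LAN}
access-list 113 permit udp host {VPN_PEER} host {ROUTER_WAN} eq isakmp
access-list 113 permit esp host {VPN_PEER} host {ROUTER_WAN}""")
ACL113_FIXED = parse_acl("""access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
access-list 113 permit icmp any any echo-reply""") + ACL113_ORIGINAL
ACL110_NO_NAT = parse_acl(f"""access-list 110 deny ip {LAN} {REMOTE}
access-list 110 permit ip {LAN} any""")
DNS_QUERY = Packet("udp", "152.114.1.2", DNS, sport=1031, dport=53)
DNS_REPLY = Packet("udp", DNS, "152.114.1.2", sport=53, dport=1031)
```

With the policy loaded, `acl_permits(CRYPTO_ANY, DNS_QUERY)` is True (the query would be tunneled and local Internet lost) while the specific ACL 117 returns False; `acl_permits(ACL113_ORIGINAL, DNS_REPLY)` is False and `acl_permits(ACL113_FIXED, DNS_REPLY)` is True, yet an unsolicited inbound SYN stays denied under the fixed list because `established` only matches segments with ACK or RST set; an `InspectTable` built on the original ACL 113 admits the DNS reply only after `outbound(DNS_QUERY)` has recorded the session; and against ACL 110 a packet to 192.168.0.20 returns False (matched by the deny entry, so the route-map clause does not match and the packet is not translated) while the DNS query returns True. One check the model cannot make for you: the configs posted above carry `ip nat outside` on Ethernet0, whereas lrmoore's instruction was `ip nat inside`, and overload NAT needs one inside and one outside interface.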
