caz1762
Need CISCO access list to allow internet access
I have setup a VPN Tunnel from home to work using a CISCO 837. I need to be able to browse the internet but don't know the correct access lists to use. Below is a copy of the config I am using. Can anyone provide me with the additional config I need to do this.....???
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 0 (password)
!
username (username) password 0 (password)
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 1800
crypto isakmp key 0 password address xxx.xxx.xx.xxx
crypto isakmp keepalive 1800
!
crypto ipsec security-association lifetime kilobytes 50000
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set REMS_IPSec_Transform1 esp-3des esp-md5-hmac
!
crypto ipsec profile REMS_IPSec_Profile1
set security-association lifetime kilobytes 4608000
set transform-set REMS_IPSec_Transform1
!
!
crypto map REMS_IPSec_Policy1 1 ipsec-isakmp
description VPN
set peer xxx.xxx.xx.xxx
set transform-set REMS_IPSec_Transform1
match address 117
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
ip address (ip address) (sub-net)
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 113 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect REMSFW out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname (username)
ppp chap password 0 (password)
crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 109 remark Fast Ethernet 0 in - firewall configuration
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip host (external IP) host (firewall)
access-list 113 remark Dialer 2 - VPN - firewall configuration
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 113 permit udp host (firewall) host (external IP) eq non500-isakmp
access-list 113 permit udp host (firewall) host (external IP) eq isakmp
access-list 113 permit esp host (firewall) host (external IP)
access-list 113 permit ahp host (firewall) host (external IP)
access-list 113 permit tcp host (firewall) host (external IP) eq telnet
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
password 0 (password)
no modem enable
transport output telnet
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
Thanks in advance
ASKER
Hi Irmoore,
I am using the 837 (Home) to establish a VPN connection to work (checkpoint firewall).. From my home computer I am able to connect to work machines using PCDuo. This means that in theory the internet (ADSL) line is activated via the CISCO Router. The additional config I need to place on the 837 is to allow me to go to certain web pages from my home machine. The current config will not allow this. I have been told that I need additional access lists but I am unsure what..
1. Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
I lose internet connectivity when I establish the VPN at home
2. Is this configuration from the Home side, or the Work side?
this is my home configuration
3. If this is the config from Home, what device/config are you connected to at the Work end?
checkpoint firewall
Here's what you have:
!
set transform-set REMS_IPSec_Transform1
match address 117
!
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
!
those lines above define the traffic that is permitted to traverse the VPN tunnel to work. You would surely lose connectivity if it was something like:
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx any
The "any" would mean ALL traffic from your network to anywhere would be tunneled. In this case you would surely lose local Internet access.
However, since that part of the config can be ruled out as a potential issue...
You might want to turn on the Inspect on the local interface so that your ACL 113 won't block your Internet access...
interface Ethernet0
ip inspect REMSFW in <=== add this line
!
The inspect rules open/close temporary access in your inbound acl (113) for inspected traffic, thereby permitting Internet access. Without the inspect rules applied, no temporary access-list entries, no Internet.
ASKER
Hi,
I have gone into the config and inserted "ip inspect REMSFW in" on the Interface Ethernet0. I am still not able to go on the internet. When I try it is giving me the following error message: Internet Explorer could not open the search page..!!
Is it possible that I need to setup another access list.....?
Caz
What do you have set as your DNS nameserver in your client configuration?
From your PC, post result of "ipconfig /all"
From your router, post result of "show access-list 113"
ASKER
Hi.. As requested
Windows IP Configuration
Host Name . . . . . . . . . . . . : temp02
Primary Dns Suffix . . . . . . . : task.local
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
LAN Mini PCI Card
Physical Address. . . . . . . . . : 00-02-2D-B9-09-92
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 152.xx.xx.xx
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 152.xx.xx.xx
Access List 113
Extended IP access list 113
permit tcp host 192.168.xx.xx eq 5405 host 152.xxx.x.xx eq 1058 (3 matches)
10 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
20 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
30 permit ip 192.168.xx.xx 0.0.xx.xx 152.xx.xx.xx 0.xx.xx.xx (813 matches)
40 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq non500-isakmp
50 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq isakmp (250 matches)
60 permit esp host 213.xx.xx.xx host 217.xx.xx.xx (114679 matches)
70 permit ahp host 213.xx.xx.xx host 217.xx.xx.xx
80 permit tcp host 81.xx.xx.xx host 217.xx.xx.xx eq telnet
Hope this helps... :)
Caz
It looks like you do not have a DNS nameserver in your PC's TCP/IP configuration..
I would expect another line after Default Gateway......
Default Gateway . . . . . . . . : 1x9.1xx.1xx.2
DNS Servers . . . . . . . . . . . : 1x9.1xx.1xx.195
198.6.1.2
Try adding 198.6.1.2 (cache02.uu.net) in your client configuration.
Also try adding this to the top of access-list 113:
access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
ASKER
Hey,
Still not working..
Windows IP Configuration
Host Name . . . . . . . . . . . . : temp02
Primary Dns Suffix . . . . . . . : task.local
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : task.local
Ethernet adapter Wireless Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
LAN Mini PCI Card
Physical Address. . . . . . . . . : 00-02-2D-B9-09-92
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 152.xxx.xxx.xxx
Subnet Mask . . . . . . . . . . . : 255.xxx.xxx.xxx
Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
DNS Servers . . . . . . . . . . . : 198.6.1.2
Have also added the access list addition as shown below... Still not working
access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
Post result of "show ip inspect all"
Post result of "show ip access-list 113"
Post result of "ping 198.6.1.2" from the router
Post result of "C:\ping www.yahoo.com" from the PC
ASKER
As requested....!!
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name REMSFW
cuseeme alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
h323 alert is on audit-trail is off timeout 3600
netshow alert is on audit-trail is off timeout 3600
rcmd alert is on audit-trail is off timeout 3600
realaudio alert is on audit-trail is off timeout 3600
rtsp alert is on audit-trail is off timeout 3600
smtp alert is on audit-trail is off timeout 3600
sqlnet alert is on audit-trail is off timeout 3600
streamworks alert is on audit-trail is off timeout 30
tftp alert is on audit-trail is off timeout 30
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
vdolive alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
Interface Configuration
Interface Ethernet0
Inbound inspection rule is REMSFW
cuseeme alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
h323 alert is on audit-trail is off timeout 3600
netshow alert is on audit-trail is off timeout 3600
rcmd alert is on audit-trail is off timeout 3600
realaudio alert is on audit-trail is off timeout 3600
rtsp alert is on audit-trail is off timeout 3600
smtp alert is on audit-trail is off timeout 3600
sqlnet alert is on audit-trail is off timeout 3600
streamworks alert is on audit-trail is off timeout 30
tftp alert is on audit-trail is off timeout 30
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
vdolive alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
Outgoing inspection rule is not set
Inbound access list is not set
Outgoing access list is not set
Interface Dialer1
Inbound inspection rule is not set
Outgoing inspection rule is REMSFW
cuseeme alert is on audit-trail is off timeout 3600
ftp alert is on audit-trail is off timeout 3600
h323 alert is on audit-trail is off timeout 3600
netshow alert is on audit-trail is off timeout 3600
rcmd alert is on audit-trail is off timeout 3600
realaudio alert is on audit-trail is off timeout 3600
rtsp alert is on audit-trail is off timeout 3600
smtp alert is on audit-trail is off timeout 3600
sqlnet alert is on audit-trail is off timeout 3600
streamworks alert is on audit-trail is off timeout 30
tftp alert is on audit-trail is off timeout 30
tcp alert is on audit-trail is off timeout 3600
udp alert is on audit-trail is off timeout 30
vdolive alert is on audit-trail is off timeout 3600
icmp alert is on audit-trail is off timeout 10
Inbound access list is 113
Outgoing access list is not set
Router#sho ip access-list 113
Extended IP access list 113
10 permit tcp any any established (641 matches)
20 permit udp any eq domain any
30 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
40 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
50 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255 (18 matches)
60 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq non500-isakmp
70 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq isakmp (146 matches)
80 permit esp host 213.xxx.xxx.xxx host 217.4xxx.xxx.xxx (23272 matches)
90 permit ahp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx
100 permit tcp host 81.xxx.xxx.xxx host 217.xxx.xxx.xxx eq telnet
Router#ping 198.6.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#
Ping result for "ping www.yahoo.com": Ping request could not find host www.yahoo.com. Please check the name and try again.
Hope this helps.
Caz
> 20 permit udp any eq domain any
No matches/hits on this one, so you are not getting DNS resolution replies
Let's try removing the inspect from the Ethernet
interface Ethernet0
no ip inspect REMSFW in
^
!
No ping because we have not permitted icmp in through acl 113. Add this:
access-list 113 permit icmp any any echo-reply
Then try to ping 198.6.1.2 again. Post result.
Did your ISP provide any nameserver addresses to use?
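To make the two ACL suggestions above concrete (the "established" and "eq domain" entries added earlier, and the "echo-reply" entry just added), here is an added example that is not part of the thread: a small Python simulator of first-match extended-ACL evaluation, run over a constructed stand-in for ACL 113 that uses RFC 5737 documentation addresses in place of the masked ones.

```python
"""Added example (not from the thread): simulate how the inbound ACL 113 on
Dialer1 treats return traffic, using the IOS extended-ACL forms seen in the
thread (any / host A / A WILDCARD, 'eq <port>', 'established', 'echo-reply').
First match wins; no match = implicit deny. ip inspect (CBAC) is not modelled."""
from collections import namedtuple
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "telnet": 23}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
# ack = TCP ACK (or RST) bit set, which is what the 'established' keyword tests.
Packet = namedtuple("Packet", "proto src dst sport dport ack icmp_type",
                    defaults=(0, 0, False, None))
# src/dst are (network, wildcard) pairs; sport/dport/icmp_type None = unspecified.
Entry = namedtuple("Entry", "seq action proto src dst sport dport established icmp_type")

def _addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec at tok[i]; return ((network, wildcard), next i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(IPv4Address(tok[i + 1])), 0), i + 2
    return (int(IPv4Address(tok[i])), int(IPv4Address(tok[i + 1]))), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' at tok[i]; IOS prints well-known names."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_entry(line: str) -> Optional[Entry]:
    """Accept 'access-list 113 permit ...' config syntax or the
    '<seq> permit ... (N matches)' form that 'show ip access-list' prints."""
    tok = line.split("(")[0].split()          # drop the '(N matches)' counter
    if tok[:1] == ["access-list"]:
        tok = tok[2:]
    seq = 0
    if tok and tok[0].isdigit():
        seq, tok = int(tok[0]), tok[1:]
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        return None                           # blank line or 'remark'
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _port(tok, i)
    rest = tok[i:]
    icmp = next((ICMP_TYPES[t] for t in rest if t in ICMP_TYPES), None)
    return Entry(seq, tok[0], tok[1], src, dst, sport, dport, "established" in rest, icmp)

def load_acl(text: str) -> List[Entry]:
    return [e for e in map(parse_entry, text.splitlines()) if e]

def _in_range(addr: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec                          # wildcard bits set = "don't care"
    return ((int(IPv4Address(addr)) ^ net) & (0xFFFFFFFF ^ wild)) == 0

def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _in_range(p.src, e.src) and _in_range(p.dst, e.dst)
            and (e.sport is None or p.sport == e.sport)
            and (e.dport is None or p.dport == e.dport)
            and (not e.established or p.ack)
            and (e.icmp_type is None or p.icmp_type == e.icmp_type))

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; ('deny', None) means the implicit 'deny ip any any'."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None

# Constructed stand-in for the thread's ACL 113 after the 'established' and
# 'domain' lines were added: 203.0.113.1 plays the router's Dialer1 address,
# 203.0.113.2 the VPN peer, 198.51.100.7 the admin host, 192.168.1.0/24 home LAN.
ACL_113_TEXT = """\
10 permit tcp any any established (641 matches)
20 permit udp any eq domain any
50 permit ip 192.168.1.0 0.0.0.255 192.0.2.0 0.0.0.255 (18 matches)
70 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp (146 matches)
80 permit esp host 203.0.113.2 host 203.0.113.1 (23272 matches)
100 permit tcp host 198.51.100.7 host 203.0.113.1 eq telnet
"""
ROUTER = "203.0.113.1"
DNS_REPLY = Packet("udp", "198.6.1.2", ROUTER, sport=53, dport=1025)
ECHO_REPLY = Packet("icmp", "198.6.1.2", ROUTER, icmp_type=0)   # reply to router's ping
HTTP_RETURN = Packet("tcp", "198.51.100.80", ROUTER, sport=80, dport=1026, ack=True)
INBOUND_SYN = Packet("tcp", "198.51.100.5", ROUTER, sport=4444, dport=23)

def demo() -> dict:
    acl = load_acl(ACL_113_TEXT)
    # The entry the thread adds so the router's own ping replies are let back in.
    patched = acl + [parse_entry("access-list 113 permit icmp any any echo-reply")]
    return {
        "dns_reply": evaluate(acl, DNS_REPLY),              # ('permit', 20)
        "echo_reply_before": evaluate(acl, ECHO_REPLY),     # ('deny', None)
        "echo_reply_after": evaluate(patched, ECHO_REPLY),  # ('permit', 0)
        "http_return": evaluate(acl, HTTP_RETURN),          # ('permit', 10)
        "unsolicited_telnet": evaluate(acl, INBOUND_SYN),   # ('deny', None)
    }
```

The "deny" on the echo reply before the patch is exactly why the router's own ping of 198.6.1.2 showed 0/5 while ESP and ISAKMP counters kept climbing.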
Let's try ruling out PC issues, too.
On the router, add:
!
ip name-server 198.6.1.2
router#ping www.yahoo.com
Whether or not the ping is successful, this is what I'm looking for:
Translating "www.yahoo.com"...domain server (192.168.122.149) [OK]
Are you sure that access-list 109 is not applied to the Ethernet interface?
>access-list 109 remark Fast Ethernet 0 in - firewall configuration
I do not see it applied in the first post of your configuration. If it is applied, it will surely block all internet access...
ASKER
Connection has been dropped for my home machine.. will post replies this evening.. I have checked through documentation from BT and the DNS Server is 213.1.119.102.
Do I need to include this in the config or my TCP/IP settings..?
Caz
>the DNS Server is 213.1.119.102.
>do I need to include this in the config or my TCP/IP settings..?
Yes. TCP/IP settings on your PC
Also, make sure that this is the IP address of the router's Ethernet interface..
> Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
ASKER
Hi,
I have included the above DNS settings within TCP/IP
I have also included the additional line in the access list (113)
I am still not able to get an internet connection. I tried pinging the IP address you requested but the success rate is still (0)
I can also confirm that the config I initially gave with the post is the original config..
Caz
Can you post result of "show access-list 109"
and "show interface Ethernet0"
ASKER
Extended IP access list 109
10 permit ip 152.xxx.xxx.xxx 0.0.0.255 192.xxx.xxx.xxx 0.0.0.255
20 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255
30 permit ip host 217.xxx.xxx.xxx host 213.xxx.xxx.xxx
Router#sho interface ethernet0
Ethernet0 is up, line protocol is up
Hardware is PQUICC Ethernet, address is 0011.5cb7.7bd8 (bia 0011.5cb7.7bd8)
Description: $ETH-LAN$$FW_INSIDE$Semi Secure LAN
Internet address is 152.xxx.xxx.xxx/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 10Mb/s
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:42, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/100 (size/max)
5 minute input rate 0 bits/sec, 2 packets/sec
5 minute output rate 1000 bits/sec, 2 packets/sec
1930 packets input, 122460 bytes, 0 no buffer
Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
1422 packets output, 410370 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Hope this helps
Caz
Darn. Everything looks right.
One more test.
From your PC, post result of "C:\route print"
Don't mask the last digit of the addresses in the output..
OK: 157.xx.xx.122
Not: 157.xx.xx.xx
It sounds awfully like the VPN profile that you are using does not have split tunnelling enabled. Is this enabled @ the work VPN tunnel termination point? If the termination point has split tunnelling enabled, then all traffic will be forced to head back to the office. Just a thought.
ASKER
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 2d b9 09 92 ...... Dell TrueMobile 1150 Series Wireless LAN Mini PCI Card - Packet Scheduler Miniport
0x3 ...00 0d 56 33 79 e5 ...... 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 152.114.1.1 152.114.1.2 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
152.114.1.0 255.255.255.0 152.114.1.2 152.114.1.2 20
152.114.1.2 255.255.255.255 127.0.0.1 127.0.0.1 20
152.114.255.255 255.255.255.255 152.114.1.2 152.114.1.2 20
224.0.0.0 240.0.0.0 152.114.1.2 152.114.1.2 20
255.255.255.255 255.255.255.255 152.114.1.2 2 1
255.255.255.255 255.255.255.255 152.114.1.2 152.114.1.2 1
Default Gateway: 152.114.1.1
===========================================================================
Persistent Routes:
None
ASKER
Hi,
If I wanted to provide straight internet access without the VPN Tunnel, what would I need to do..?
Caz
interface Dialer1
no crypto map REMS_IPSec_Policy1
^^
ASKER
Hi Irmoore
Will the below config work
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
ip address 152.114.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
description $FW_OUTSIDE$Antrim VPN
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect REMSFW out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname A435840@hg31.btclick.com
ppp chap password 7 105E060B111F1D07010172
crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
password 7 044B0A151C36435C0D
no modem enable
transport output telnet
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
Thanks
Caz
Not quite. You've removed all the crypto commands, but you have left the map applied to the dialer interface:
interface Dialer1
no crypto map REMS_IPSec_Policy1
^^
Q: are you in Europe?
Q: Was this IP subnet block assigned specifically to you? It is unusual for a small office, and even more unusual for an individual to be assigned an entire class C address ..
interface Ethernet0
ip address 152.114.1.1 255.255.255.0 <=== ?
You might want to consider using nat.
Just add the following:
interface Dialer 1
ip nat outside
interface Ethernet0
ip nat inside
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
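As an added example (not from the thread, and not Cisco code), a small Python lint that parses an IOS config paste and flags the two mistakes pointed out in this post: a crypto map still applied under Dialer1 after the crypto section was deleted, and NAT overload with no interface marked "ip nat inside". The config text is a constructed excerpt of the asker's config; the function names are my own.

```python
"""Added example (not from the thread or from Cisco): lint an IOS config paste
for the two mistakes pointed out in this post."""
import re

# Constructed excerpt of the asker's config with both mistakes present: the
# crypto map still applied under Dialer1 (a pasted "no crypto map" line does
# nothing) and Ethernet0 marked 'ip nat outside' instead of 'ip nat inside'.
CONSTRUCTED_CONFIG = """\
interface Ethernet0
 ip address 152.114.1.1 255.255.255.0
 ip nat outside
!
interface Dialer1
 ip address negotiated
 ip nat outside
 no crypto map REMS_IPSec_Policy1
 crypto map REMS_IPSec_Policy1
!
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
end
"""


def norm_if(name):
    """'Dialer 1', 'dialer1' and 'Dialer1' name the same interface in IOS."""
    return re.sub(r"\s+", "", name).lower()


def parse(text):
    """Return (global_lines, {interface: [lines]}).  A '!' line or 'end'
    closes the current interface block, so pastes with lost indentation work."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("!") or line == "end":
            current = None
        elif line.startswith("interface "):
            current = norm_if(line[10:])
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
        else:
            globals_.append(line)
    return globals_, interfaces


def lint(text):
    """Return a list of findings; an empty list means the paste looks clean."""
    globals_, interfaces = parse(text)
    issues = []
    # A global 'crypto map NAME ...' defines a map; 'crypto map NAME' under an
    # interface applies it.  Applied-but-undefined is the first finding above.
    defined = {m.group(1) for m in (re.match(r"crypto map (\S+)", g) for g in globals_) if m}
    for name, lines in interfaces.items():
        for m in (re.match(r"crypto map (\S+)$", l) for l in lines):
            if m and m.group(1) not in defined:
                issues.append(f"{name}: crypto map {m.group(1)} is applied but never "
                              f"defined; enter 'no crypto map {m.group(1)}' under it")
    # NAT overload needs an ACL with a permit, the overload interface marked
    # outside, and at least one interface marked inside (the LAN side).
    for g in globals_:
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", g)
        if not m:
            continue
        acl, outside = m.group(1), norm_if(m.group(2))
        if not any(x.startswith(f"access-list {acl} permit") for x in globals_):
            issues.append(f"NAT references access-list {acl}, which has no permit entry")
        if "ip nat outside" not in interfaces.get(outside, []):
            issues.append(f"{outside}: used for NAT overload but lacks 'ip nat outside'")
        if not any("ip nat inside" in ls for ls in interfaces.values()):
            issues.append("no interface is marked 'ip nat inside'; the LAN side "
                          "(Ethernet0 here) needs it rather than 'ip nat outside'")
    return issues
```

Running `lint(CONSTRUCTED_CONFIG)` reports both problems; marking Ethernet0 inside and dropping the applied map line yields an empty list.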
ASKER
Hi,
I have added your suggestions below; in answer to your questions, I am in Northern Ireland, and the IP subnet I am using is just a random subnet that I have set up for testing purposes at home.
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
ip address 152.114.1.1 255.255.255.0
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
description $FW_OUTSIDE$Antrim VPN
ip address negotiated
ip nat outside
no crypto map REMS_IPSec_Policy1
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect REMSFW out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname A435840@hg31.btclick.com
ppp chap password 7 105E060B111F1D07010172
crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
password 7 044B0A151C36435C0D
no modem enable
transport output telnet
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
Will the above config work...????
Caz
Almost.
For the 3rd time, you need to remove the crypto map from the dialer interface:
interface Dialer1
no crypto map REMS_IPSec_Policy1
^^
ASKER
Hope this is now correct...!! :)
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
ip address 152.114.1.1 255.255.255.0
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
hold-queue 224 in
!
interface Dialer1
description $FW_OUTSIDE$Antrim VPN
ip address negotiated
ip nat outside
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect REMSFW out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname A435840@hg31.btclick.com
ppp chap password 7 105E060B111F1D07010172
no crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
password 7 044B0A151C36435C0D
no modem enable
transport output telnet
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
ASKER CERTIFIED SOLUTION
Please clarify this for me. Obviously, you have Internet access in order to establish the VPN.
Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
Is this configuration from the Home side, or the Work side?
If this is the config from Home, what device/config are you connected to at the Work end?