caz1762

Need CISCO access list to allow internet access

I have set up a VPN tunnel from home to work using a CISCO 837. I need to be able to browse the internet but don't know the correct access lists to use. Below is a copy of the config I am using. Can anyone provide me with the additional config I need to do this?

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 0 (password)
!
username (username) password 0 (password)
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key 0 password address xxx.xxx.xx.xxx
crypto isakmp keepalive 1800
!
crypto ipsec security-association lifetime kilobytes 50000
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set REMS_IPSec_Transform1 esp-3des esp-md5-hmac
!
crypto ipsec profile REMS_IPSec_Profile1
 set security-association lifetime kilobytes 4608000
 set transform-set REMS_IPSec_Transform1
!
!
crypto map REMS_IPSec_Policy1 1 ipsec-isakmp
 description VPN
 set peer xxx.xxx.xx.xxx
 set transform-set REMS_IPSec_Transform1
 match address 117
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address (ip address) (sub-net)
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 113 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname (username)
 ppp chap password 0 (password)
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 109 remark Fast Ethernet 0 in - firewall configuration
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 109 permit ip host (external IP) host (firewall)
access-list 113 remark Dialer 2 - VPN - firewall configuration
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip host (firewall) host (firewall)
access-list 113 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 113 permit udp host (firewall) host (external IP) eq non500-isakmp
access-list 113 permit udp host (firewall) host (external IP) eq isakmp
access-list 113 permit esp host (firewall) host (external IP)
access-list 113 permit ahp host (firewall) host (external IP)
access-list 113 permit tcp host (firewall) host (external IP) eq telnet
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 0 (password)
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Thanks in advance
Les Moore

>I need to be able to browse the internet
Please clarify this for me. Obviously, you have Internet access in order to establish the VPN.
Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
Is this configuration from the Home side, or the Work side?
If this is the config from Home, what device/config are you connected to at the Work end?
caz1762

ASKER

Hi Irmoore,

I am using the 837 (Home) to establish a VPN connection to work (Checkpoint firewall). From my home computer I am able to connect to work machines using PCDuo. This means that in theory the internet (ADSL) line is activated via the CISCO router. The additional config I need to place on the 837 is to allow me to go to certain web pages from my home machine. The current config will not allow this. I have been told that I need additional access lists but I am unsure what.

1. Do you lose local Internet connectivity once you have established the VPN, or do you lose Internet connectivity at the work location while you are connected by VPN?
I lose internet connectivity when I establish the VPN at home

2. Is this configuration from the Home side, or the Work side?
this is my home configuration

3. If this is the config from Home, what device/config are you connected to at the Work end?
Checkpoint firewall
Here's what you have:
!
set transform-set REMS_IPSec_Transform1
 match address 117
!
access-list 117 remark VPN encryption domain
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx 192.xxx.0.x 0.xxx.xxx.xxx
!

Those lines above define the traffic that is permitted to traverse the VPN tunnel to work. You would surely lose connectivity if it was something like:

access-list 117 permit ip 192.xxx.0.x 0.xxx.xxx.xxx any

The "any" would mean ALL traffic from your network to anywhere would be tunneled. In this case you would surely lose local Internet access.

However, since that part of the config can be ruled out as a potential issue...
You might want to turn on the Inspect on the local interface so that your ACL 113 won't block your Internet access...

interface Ethernet0
 ip inspect REMSFW in  <=== add this line
!

The inspect rules open/close temporary access in your inbound acl (113) for inspected traffic, thereby permitting Internet access. Without the inspect rules applied, no temporary access-list entries, no Internet.


caz1762

ASKER

Hi,

I have gone into the config and inserted "ip inspect REMSFW in" on interface Ethernet0. I am still not able to go on the internet. When I try, it gives me the following error message: "Internet Explorer could not open the search page."

Is it possible that I need to set up another access list?

Caz
What do you have set as your DNS nameserver in your client configuration?

From your PC, post result of "ipconfig /all"
From your router, post result of "show access-list 113"
caz1762

ASKER

Hi.. As requested


Windows IP Configuration

        Host Name . . . . . . . . . . . . : temp02
        Primary Dns Suffix  . . . . . . . : task.local
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
 LAN Mini PCI Card
        Physical Address. . . . . . . . . : 00-02-2D-B9-09-92

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 152.xx.xx.xx
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 152.xx.xx.xx

Access List 113

Extended IP access list 113
     permit tcp host 192.168.xx.xx eq 5405 host 152.xxx.x.xx eq 1058 (3 matches)
    10 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
    20 permit ip host 217.xx.xx.xx host 217.xx.xx.xx
    30 permit ip 192.168.xx.xx 0.0.xx.xx 152.xx.xx.xx 0.xx.xx.xx (813 matches)
    40 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq non500-isakmp
    50 permit udp host 213.xx.xx.xx host 217.xx.xx.xx eq isakmp (250 matches)
    60 permit esp host 213.xx.xx.xx host 217.xx.xx.xx (114679 matches)
    70 permit ahp host 213.xx.xx.xx host 217.xx.xx.xx
    80 permit tcp host 81.xx.xx.xx host 217.xx.xx.xx eq telnet

Hope this helps... :)

Caz
It looks like you do not have a DNS nameserver in your PC's TCP/IP configuration..
I would expect another line after Default Gateway......
        Default Gateway . . . . . . . . : 1x9.1xx.1xx.2
        DNS Servers . . . . . . . . . . . : 1x9.1xx.1xx.195
                                                    198.6.1.2

Try adding 198.6.1.2 (cache02.uu.net) in your client configuration.

Also try adding this to the top of access-list 113:

access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
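To make the reasoning behind those two lines concrete, here is an added example (mine, not from the thread, Cisco or Experts Exchange): a small evaluator for IOS extended ACLs that applies wildcard-mask, first-match semantics to a constructed stand-in for ACL 113 and reports which entry admits a DNS reply (source port 53), an established web reply and the ICMP echo-reply suggested later in the thread, and that an unsolicited inbound connection falls through to the implicit deny. Every address and the ACL contents are constructed placeholders; 198.6.1.2 is the nameserver the thread tried.

```python
"""Cisco IOS extended-ACL evaluator (wildcard masks, first-match semantics).
Added example, not from the thread. Addresses are constructed: 198.51.100.7
stands in for the router's negotiated Dialer1 address, 203.0.113.9 for the
work firewall; 198.6.1.2 is the nameserver the thread was trying to reach."""
import ipaddress
from dataclasses import dataclass

PORT_NAMES = {"domain": 53, "isakmp": 500, "non500-isakmp": 4500, "telnet": 23}

@dataclass
class Packet:
    proto: str                 # "tcp", "udp", "icmp", "esp", "ahp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    established: bool = False  # TCP segment with ACK or RST set
    icmp_type: str = ""        # e.g. "echo", "echo-reply"

def _ip(s): return int(ipaddress.IPv4Address(s))  # dotted quad -> int

def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (net & care)

def _parse_addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t, i):
    # optional 'eq <port>' operator; None means any port
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_ace(line):
    """Parse one 'access-list N permit|deny ...' line into a dict."""
    t = line.split()[2:]               # drop the 'access-list <number>' prefix
    ace = {"action": t[0], "proto": t[1]}
    ace["src"], i = _parse_addr(t, 2)
    ace["sport"], i = _parse_port(t, i)
    ace["dst"], i = _parse_addr(t, i)
    ace["dport"], i = _parse_port(t, i)
    ace["established"] = "established" in t[i:]
    # for icmp the trailing keyword is the message type (echo, echo-reply, ...)
    ace["icmp_type"] = t[i] if ace["proto"] == "icmp" and i < len(t) else None
    return ace

def matches(a, p):
    return (a["proto"] in ("ip", p.proto)
            and wildcard_match(p.src, *a["src"])
            and wildcard_match(p.dst, *a["dst"])
            and a["sport"] in (None, p.sport)
            and a["dport"] in (None, p.dport)
            and (p.established or not a["established"])
            and a["icmp_type"] in (None, p.icmp_type))

def evaluate(acl_lines, p):
    """First match wins; anything unmatched hits the implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, p):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

# Constructed stand-in for ACL 113 after the additions suggested in the thread
ACL_113 = [
    "access-list 113 permit tcp any any established",
    "access-list 113 permit udp any eq domain any",
    "access-list 113 permit icmp any any echo-reply",
    "access-list 113 permit ip 192.168.1.0 0.0.0.255 152.114.1.0 0.0.0.255",
    "access-list 113 permit udp host 203.0.113.9 host 198.51.100.7 eq isakmp",
    "access-list 113 permit esp host 203.0.113.9 host 198.51.100.7",
]

def troubleshoot():
    """Verdicts for the return packets the thread was chasing."""
    me = "198.51.100.7"
    cases = {
        "dns_reply": Packet("udp", "198.6.1.2", me, sport=53, dport=1234),
        "ping_reply": Packet("icmp", "198.6.1.2", me, icmp_type="echo-reply"),
        "web_reply": Packet("tcp", "192.0.2.80", me, 80, 40000, established=True),
        "unsolicited_telnet": Packet("tcp", "203.0.113.55", me, 51000, 23),
    }
    verdict = {n: evaluate(ACL_113, pkt)[0] for n, pkt in cases.items()}
    # without the echo-reply line, the router's pings to 198.6.1.2 got no answer
    no_icmp = [l for l in ACL_113 if "echo-reply" not in l]
    verdict["ping_reply_before_fix"] = evaluate(no_icmp, cases["ping_reply"])[0]
    return verdict
```

Calling `troubleshoot()` returns the per-packet verdicts; `evaluate()` also returns the matching line, which is the same information `show ip access-list` match counters give you on the router.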

caz1762

ASKER

Hey,

Still not working..

Windows IP Configuration

        Host Name . . . . . . . . . . . . : temp02
        Primary Dns Suffix  . . . . . . . : task.local
        Node Type . . . . . . . . . . . . : Mixed
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : task.local

Ethernet adapter Wireless Network Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Dell TrueMobile 1150 Series Wireless
 LAN Mini PCI Card
        Physical Address. . . . . . . . . : 00-02-2D-B9-09-92

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
        Physical Address. . . . . . . . . : 00-0D-56-33-79-E5
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 152.xxx.xxx.xxx
        Subnet Mask . . . . . . . . . . . : 255.xxx.xxx.xxx
        Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
        DNS Servers . . . . . . . . . . . : 198.6.1.2

I have also added the access list addition as shown below... Still not working.

access-list 113 permit tcp any any established
access-list 113 permit udp any eq domain any
Post result of "show ip inspect all"
Post result of "show ip access-list 113"
Post result of "ping 198.6.1.2" from the router
Post result of "C:\ping www.yahoo.com" from the PC

caz1762

ASKER

As requested....!!

Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10

Interface Configuration
 Interface Ethernet0
  Inbound inspection rule is REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set
 Interface Dialer1
  Inbound inspection rule is not set
  Outgoing inspection rule is REMSFW
    cuseeme alert is on audit-trail is off timeout 3600
    ftp alert is on audit-trail is off timeout 3600
    h323 alert is on audit-trail is off timeout 3600
    netshow alert is on audit-trail is off timeout 3600
    rcmd alert is on audit-trail is off timeout 3600
    realaudio alert is on audit-trail is off timeout 3600
    rtsp alert is on audit-trail is off timeout 3600
    smtp alert is on audit-trail is off timeout 3600
    sqlnet alert is on audit-trail is off timeout 3600
    streamworks alert is on audit-trail is off timeout 30
    tftp alert is on audit-trail is off timeout 30
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    vdolive alert is on audit-trail is off timeout 3600
    icmp alert is on audit-trail is off timeout 10
  Inbound access list is 113
  Outgoing access list is not set

Router#sho ip access-list 113
Extended IP access list 113
    10 permit tcp any any established (641 matches)
    20 permit udp any eq domain any
    30 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
    40 permit ip host 217.xxx.xxx.xxx host 217.xxx.xxx.xxx
    50 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255 (18 matches)
    60 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq non500-isakmp
    70 permit udp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx eq isakmp (146 matches)
    80 permit esp host 213.xxx.xxx.xxx host 217.4xxx.xxx.xxx (23272 matches)
    90 permit ahp host 213.xxx.xxx.xxx host 217.xxx.xxx.xxx
    100 permit tcp host 81.xxx.xxx.xxx host 217.xxx.xxx.xxx eq telnet
Router#ping 198.6.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 198.6.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

Ping result for "ping www.yahoo.com": Ping request could not find host www.yahoo.com. Please check the name and try again.

Hope this helps.

Caz
> 20 permit udp any eq domain any
No matches/hits on this one, so you are not getting DNS resolution replies

Let's try removing the inspect from the Ethernet

interface Ethernet0
 no ip inspect REMSFW in  
 ^
!

No ping because we have not permitted icmp in through acl 113. Add this:

access-list 113 permit icmp any any echo-reply

Then try to ping 198.6.1.2 again. Post result.

Did your ISP provide any nameserver addresses to use?


Let's try ruling out PC issues, too.
On the router, add:

!
ip name-server 198.6.1.2

router#ping www.yahoo.com
Whether or not the ping is successful, this is what I'm looking for:
   Translating "www.yahoo.com"...domain server (192.168.122.149) [OK]

Are you sure that access-list 109 is not applied to the Ethernet interface?
>access-list 109 remark Fast Ethernet 0 in - firewall configuration
I do not see it applied in the first post of your configuration. If it is applied, it will surely block all internet access...
caz1762

ASKER

Connection has been dropped for my home machine.. will post replies this evening. I have checked through documentation from BT and the DNS server is 213.1.119.102.

Do I need to include this in the config or in my TCP/IP settings?

Caz
>the DNS Server is 213.1.119.102.
>do I need to include this in the config or my TCP/IP settings..?

Yes. TCP/IP settings on your PC

Also, make sure that this is the IP address of the router's Ethernet interface..

>   Default Gateway . . . . . . . . . : 152.xxx.xxx.xxx
caz1762

ASKER

Hi,
I have included the above DNS settings within TCP/IP.

I have also included the additional line in the access list (113).

I am still not able to get an internet connection. I tried pinging the IP address you requested but the success rate is still 0.

I can also confirm that the config I initially gave with the post is the original config.

Caz
Can you post result of "show access-list 109"
and "show interface Ethernet0"
caz1762

ASKER

Extended IP access list 109
    10 permit ip 152.xxx.xxx.xxx 0.0.0.255 192.xxx.xxx.xxx 0.0.0.255
    20 permit ip 192.xxx.xxx.xxx 0.0.0.255 152.xxx.xxx.xxx 0.0.0.255
    30 permit ip host 217.xxx.xxx.xxx host 213.xxx.xxx.xxx

Router#sho interface ethernet0
Ethernet0 is up, line protocol is up
  Hardware is PQUICC Ethernet, address is 0011.5cb7.7bd8 (bia 0011.5cb7.7bd8)
  Description: $ETH-LAN$$FW_INSIDE$Semi Secure LAN
  Internet address is 152.xxx.xxx.xxx/24
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:42, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/100 (size/max)
  5 minute input rate 0 bits/sec, 2 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     1930 packets input, 122460 bytes, 0 no buffer
     Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     1422 packets output, 410370 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Hope this helps

Caz
Darn. Everything looks right.

One more test.
From your PC, post result of "C:\route print"
Don't mask the last digit of the addresses in the output..
OK: 157.xx.xx.122
Not: 157.xx.xx.xx
It sounds awfully like the VPN profile that you are using does not have split tunnelling enabled.  Is this enabled @ the work VPN tunnel termination point?  If the termination point has split tunnelling enabled, then all traffic will be forced to head back to the office.  Just a thought.
caz1762

ASKER

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 02 2d b9 09 92 ...... Dell TrueMobile 1150 Series Wireless LAN Mini PC
I Card - Packet Scheduler Miniport
0x3 ...00 0d 56 33 79 e5 ...... 3Com 3C920 Integrated Fast Ethernet Controller (
3C905C-TX Compatible) - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      152.114.1.1     152.114.1.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      152.114.1.0    255.255.255.0      152.114.1.2     152.114.1.2       20
      152.114.1.2  255.255.255.255        127.0.0.1       127.0.0.1       20
  152.114.255.255  255.255.255.255      152.114.1.2     152.114.1.2       20
        224.0.0.0        240.0.0.0      152.114.1.2     152.114.1.2       20
  255.255.255.255  255.255.255.255      152.114.1.2               2       1
  255.255.255.255  255.255.255.255      152.114.1.2     152.114.1.2       1
Default Gateway:       152.114.1.1
===========================================================================
Persistent Routes:
  None
caz1762

ASKER

Hi,

If I wanted to provide straight internet access without the VPN tunnel, what would I need to do?

Caz

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^
caz1762

ASKER

Hi Irmoore

Will the below config work?

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Thanks

Caz
Not quite. You've removed all the crypto commands, but you have left the map applied to the dialer interface:

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^

Q: are you in Europe?
Q: Was this IP subnet block assigned specifically to you? It is unusual for a small office, and even more unusual for an individual, to be assigned an entire class C address.

interface Ethernet0
  ip address 152.114.1.1 255.255.255.0  <=== ?


You might want to consider using NAT.
Just add the following:

interface Dialer 1
  ip nat outside

interface Ethernet0
 ip nat inside

access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
caz1762

ASKER

Hi,

I have added your suggestions below. In answer to your questions: I am in Northern Ireland, and the IP subnet I am using is just a random subnet that I have set up for testing purposes at home.

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 ip nat outside
 no crypto map REMS_IPSec_Policy1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end

Will the above config work?

Caz
Almost.
For the 3rd time, you need to remove the crypto map from the dialer interface:

interface Dialer1
  no crypto map REMS_IPSec_Policy1
  ^^
caz1762

ASKER

Hope this is now correct...!! :)

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
logging queue-limit 100
logging buffered 51200 debugging
enable secret 5 $1$o3tb$f/loGugJoThG8jxvHHXqH0
!
username consilium password 7 095C4F1A0A1218000F
clock timezone Europe/London 0
clock summer-time Europe/London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
!
!
no ip bootp server
ip inspect name REMSFW cuseeme
ip inspect name REMSFW ftp
ip inspect name REMSFW h323
ip inspect name REMSFW netshow
ip inspect name REMSFW rcmd
ip inspect name REMSFW realaudio
ip inspect name REMSFW rtsp
ip inspect name REMSFW smtp
ip inspect name REMSFW sqlnet
ip inspect name REMSFW streamworks
ip inspect name REMSFW tftp
ip inspect name REMSFW tcp
ip inspect name REMSFW udp
ip inspect name REMSFW vdolive
ip inspect name REMSFW icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$Semi Secure LAN
 ip address 152.114.1.1 255.255.255.0
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer1
 description $FW_OUTSIDE$Antrim VPN
 ip address negotiated
 ip nat outside
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect REMSFW out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname A435840@hg31.btclick.com
 ppp chap password 7 105E060B111F1D07010172
 no crypto map REMS_IPSec_Policy1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
no logging trap
access-list 1 permit 152.114.1.0 0.0.0.255
ip nat inside source list 1 interface dialer1 overload
dialer-list 1 protocol ip permit
no cdp run
radius-server authorization permit missing Service-Type
!
line con 0
 password 7 044B0A151C36435C0D
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
scheduler max-task-time 5000
!
end
ASKER CERTIFIED SOLUTION
Les Moore