RyanMielke
asked on
Cisco 2600 config problem, both with PPPoE and without. :)
I'm currently in a DSL dilemma. I have a Cisco 2621 (IOS 12.3) connecting to a DSL line that ultimately connects by PPPoE, which is used to connect to the home office by a site-to-site VPN tunnel. I initially tried configuring the Cisco with its PPPoE client, with the DSL modem in bridge mode. Nothing. So then I took the DSL modem out of bridge mode, enabled port forwarding on the DSL modem, and gave the 2600 an internal address. With this I was able to ping the outside world, and ping the inside network connected to the Cisco, but NAT is screwed up, so the 2600 isn't routing. Plus, I'm sure that my VPN tunnel isn't functioning in this layout either. Also, I'm pretty sure neither setup is currently using any of my access lists. I've been working at this for a few hours, I can't look at it any more... and I know the mistakes are idiotic one-line misses, but I can't think. Anyway, my apologies for the long post, but I'm going to drop in both configs. If anyone has an idea on either config, or both, it would be appreciated (I put it at 500 pts, not because this should be very hard, but it's quite time sensitive).
PPPoE Client Config:
show conf
Using 3670 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 **********************
enable password 7 *****************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
network 172.200.200.0 255.255.255.0
dns-server 10.1.254.23 4.2.2.2
netbios-name-server 10.1.254.23 10.1.254.22
netbios-node-type p-node
domain-name virginmega.com
default-router 172.200.200.10
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******** address ************
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
set peer **********
set transform-set to_vpn
match address 101
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 172.200.200.10 255.255.255.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
crypto map to_vpn
!
interface Async1
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username **************** password 7 **************
!
ip nat inside source list 1 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging history debugging
no logging trap
access-list 1 permit 172.200.200.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
timeout login response 1
password 7 *****************
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 5 0
password 7 *****************
modem InOut
transport input all
speed 38400
flowcontrol hardware
line vty 0 4
password 7 *****************
login
!
!
end
-------------------------- ---------- ---------- ---------- -
Non-PPPoE Config:
show conf
Using 3275 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 ******************
enable password 7 ******************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
network 172.200.200.0 255.255.255.0
dns-server 10.1.254.23 4.2.2.2
netbios-name-server 10.1.254.23 10.1.254.22
netbios-node-type p-node
domain-name virginmega.com
default-router 172.200.200.10
!
ip audit po max-events 100
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******** address ************
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
set peer **************
set transform-set to_vpn
match address 101
!
!
interface FastEthernet0/0
ip address 192.168.1.10 255.255.255.0
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.200.200.10 255.255.255.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
crypto map to_vpn
!
interface Async1
no ip address
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.254
!
!
logging history debugging
no logging trap
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
!
line con 0
timeout login response 1
password 7 ****************
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 5 0
password 7 ****************
modem InOut
transport input all
speed 38400
flowcontrol hardware
line vty 0 4
password 7 ****************
login
!
!
end
ASKER
minmei,
I made the changes to the pppoe config, since this would be my preference to use. I'm still not getting a connection... I'm going to post the changed config, just so you can have a look at it. What commands can I run to check the connection? I ran "show int dialer1" and "show vpdn" (which I'll post as well), but I'm not really sure what I'm looking at. Thanks for your help.
Ryan
-------------------------- --------
show conf
Using 3627 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 **************
enable password 7 **************
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip dhcp excluded-address 172.200.200.1 172.200.200.50
ip dhcp excluded-address 172.200.200.200 172.200.200.254
ip dhcp excluded-address 172.200.200.75
!
ip dhcp pool jf
network 172.200.200.0 255.255.255.0
dns-server 10.1.254.23 4.2.2.2
netbios-name-server 10.1.254.23 10.1.254.22
netbios-node-type p-node
domain-name ***********
default-router 172.200.200.10
!
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******* address **********
!
!
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
set peer *************
set transform-set to_vpn
match address 101
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1
ip address 172.200.200.10 255.255.255.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface Async1
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap
ppp pap sent-username ***************** password 7 **************
crypto map to_vpn
!
ip nat inside source list 110 interface Dialer1 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
logging history debugging
no logging trap
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 101 permit ip 172.200.200.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.252.0 0.0.3.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.0.0 0.0.31.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.32.0 0.0.15.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.99.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 10.1.190.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 172.17.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.2.0 0.0.0.255
access-list 110 deny ip 172.200.200.0 0.0.0.255 86.85.50.0 0.0.0.255
access-list 110 permit ip 172.200.200.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 110
!
!
!
!
!
!
line con 0
timeout login response 1
password 7 ******************
line 1
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 5 0
password 7 ******************
modem InOut
transport input all
speed 38400
flowcontrol hardware
line vty 0 4
password 7 ******************
login
!
!
end
****#show int dialer1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address will be negotiated using IPCP
MTU 1500 bytes, BW 56 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, loopback not set
DTR is pulsed for 1 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:12:44
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: weighted fair
Output queue: 0/1000/64/0 (size/max total/threshold/drops)
Conversations 0/0/16 (active/max active/max total)
Reserved Conversations 0/0 (allocated/max allocated)
Available Bandwidth 42 kilobits/sec
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 packets output, 0 bytes
****#show vpdn
%No active L2TP tunnels
%No active L2F tunnels
%No active PPTP tunnels
PPPoE Tunnel and Session Information Total tunnels 1 sessions 1
PPPoE Session Information
UID SID RemMAC OIntf Intf Session
LocMAC VASt state
0 395 000e.4040.e002 Fa0/0 N/A N/A
000b.be99.8c20
NoJf#
RyanMielke,
> ppp authentication pap
change to "ppp authentication pap callin"
the route-map doesn't do anything - you can get rid of it.
Everything else looks great to me, will continue to check.
ASKER
minmei,
I changed the ppp auth, and took out the route-map...still nothing. Is there any logging I can turn on to see if it's actually initiating the pppoe call? Or maybe somewhere where it will show at which point it's erroring out? I'm at a loss...
Thanks,
Ryan
terminal monitor
debug ppp authentication
ASKER
This is what I get. :)
*Mar 1 00:47:26.455: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar 1 00:47:26.455: Vi1 PPP: Using dialer call direction
*Mar 1 00:47:26.455: Vi1 PPP: Treating connection as a callout
*Mar 1 00:47:26.459: Vi1 PPP: Authorization required
*Mar 1 00:47:26.459: Vi1 PPP: No remote authentication for call-out
*Mar 1 00:47:26.459: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 1 00:47:26.471: Vi1 PPP: No authorization without authentication
*Mar 1 00:47:26.483: Vi1 CHAP: I CHALLENGE id 1 len 32 from "nworlama76w"
*Mar 1 00:47:26.483: Vi1 CHAP: Unable to authenticate for peer
*Mar 1 00:47:26.503: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar 1 00:47:26.511: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
Bad username/password? My username is an email address, and the password is a number sequence...
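Reading a "debug ppp authentication" capture by eye is error-prone, so here is an added example (not code from this thread) that parses lines like the ones above, repairs the terminal wrap, and names the failure pattern. The two embedded captures are constructed to mirror the posted debug output; the PAP/CHAP result strings it looks for are the ones IOS prints for inbound authentication messages.

```python
"""Classify a Cisco IOS 'debug ppp authentication' capture from a PPPoE dialer."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One IOS debug line: "*Mar  1 00:47:26.455: Vi1 PPP: ..." (the leading '*' means the clock is unset).
LINE_RE = re.compile(
    r"^\*[A-Z][a-z]{2}\s+\d+\s+(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<ms>\d{3}): (?P<msg>.*)$"
)


@dataclass
class PppTrace:
    messages: List[Tuple[float, str]] = field(default_factory=list)  # (seconds, text)
    up_at: Optional[float] = None        # Virtual-Access changed state to up
    down_at: Optional[float] = None      # Virtual-Access changed state to down
    chap_peer: Optional[str] = None      # name carried in the inbound CHAP challenge
    chap_unanswered: bool = False        # "CHAP: Unable to authenticate for peer"
    credentials_rejected: bool = False   # inbound PAP AUTH-NAK or CHAP FAILURE
    auth_succeeded: bool = False         # inbound PAP AUTH-ACK or CHAP SUCCESS


def parse_capture(text: str) -> PppTrace:
    """Parse timestamped lines. A line without a timestamp is terminal wrap (the
    posted capture has 'changed state t' / 'o up') and is glued back onto the
    previous message before anything is classified."""
    trace = PppTrace()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            if trace.messages:
                t, prev = trace.messages[-1]
                trace.messages[-1] = (t, prev + line)
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"]) / 1000
        trace.messages.append((t, m["msg"]))
    for t, msg in trace.messages:
        if "changed state to up" in msg:
            trace.up_at = t
        elif "changed state to down" in msg:
            trace.down_at = t
        challenge = re.search(r'CHAP: I CHALLENGE .* from "([^"]+)"', msg)
        if challenge:
            trace.chap_peer = challenge.group(1)
        if "CHAP: Unable to authenticate" in msg:
            trace.chap_unanswered = True
        if "PAP: I AUTH-NAK" in msg or "CHAP: I FAILURE" in msg:
            trace.credentials_rejected = True
        if "PAP: I AUTH-ACK" in msg or "CHAP: I SUCCESS" in msg:
            trace.auth_succeeded = True
    return trace


def diagnose(trace: PppTrace) -> str:
    """Return a verdict code; EXPLANATIONS maps it to what to do next."""
    if trace.up_at is None:
        return "NO_SESSION"
    if trace.auth_succeeded:
        return "AUTH_OK"
    if trace.chap_peer and trace.chap_unanswered:
        return "PEER_REQUIRES_CHAP"
    if trace.credentials_rejected:
        return "CREDENTIALS_REJECTED"
    if trace.down_at is not None and trace.down_at - trace.up_at < 1.0:
        return "NO_AUTH_EXCHANGE"
    return "INCONCLUSIVE"


EXPLANATIONS = {
    "NO_SESSION": "Virtual-Access never came up: PPPoE discovery did not finish, check 'show vpdn'.",
    "AUTH_OK": "Authentication passed; if there is still no address, debug IPCP next.",
    "PEER_REQUIRES_CHAP": "Peer sent a CHAP challenge a PAP-only dialer cannot answer: use "
                          "'ppp authentication chap' with 'ppp chap hostname' and 'ppp chap password'.",
    "CREDENTIALS_REJECTED": "Peer explicitly refused the username/password for the method in use.",
    "NO_AUTH_EXCHANGE": "Link up and torn down within a second with no authentication messages at all; "
                        "re-check the dialer's ppp lines and that the debug is still enabled.",
    "INCONCLUSIVE": "No known pattern; capture 'debug ppp negotiation' as well.",
}

# Constructed sample mirroring the first capture above (PAP configured, peer challenges
# with CHAP), with the terminal wrap left in on purpose.
PAP_ONLY = """\
*Mar  1 00:47:26.455: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar  1 00:47:26.459: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state t
o up
*Mar  1 00:47:26.483: Vi1 CHAP: I CHALLENGE id 1 len 32 from "nworlama76w"
*Mar  1 00:47:26.483: Vi1 CHAP: Unable to authenticate for peer
*Mar  1 00:47:26.503: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar  1 00:47:26.511: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
"""
# Constructed sample mirroring the second capture (after the CHAP change): up and
# down 156 ms apart with no authentication lines at all.
SILENT = """\
*Mar  1 01:06:49.419: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar  1 01:06:49.575: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
"""
```

Calling diagnose(parse_capture(PAP_ONLY)) gives PEER_REQUIRES_CHAP and the SILENT capture gives NO_AUTH_EXCHANGE; feed it the output of "terminal monitor" plus "debug ppp authentication" copied from the console.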
Change authentication to CHAP
ppp authentication pap callin
becomes
ppp authentication chap
ASKER
Do I need to make changes on this line as well?
ppp pap sent-username ***************** password 7 **************
yes- chap uses a different command - sorry, missed it.
ppp chap hostname xxxxxxx
ppp chap password yyyyyyy
ASKER
Looks like the same thing. Should I repost the config so you can take a look at it?
*Mar 1 01:06:49.415: %DIALER-6-BIND: Interface Vi1 bound to profile Di1
*Mar 1 01:06:49.415: Vi1 PPP: Using dialer call direction
*Mar 1 01:06:49.415: Vi1 PPP: Treating connection as a callout
*Mar 1 01:06:49.415: Vi1 PPP: Authorization required
*Mar 1 01:06:49.419: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
*Mar 1 01:06:49.567: %DIALER-6-UNBIND: Interface Vi1 unbound from profile Di1
*Mar 1 01:06:49.575: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to down
ASKER CERTIFIED SOLUTION
ASKER
Awesome awesome awesome! We're up with internet from the router, and from a client, so the NAT's working great. What makes me mad about this is that I called BellSouth, and the tech told me it was pap, not chap. Oh well, that's what I get for not asking for second or third level (not that all first level techs are poor).
The only problem left is the VPN tunnel.
When I do a "show crypto isakmp sa" on the 2600 I get:
oJf#show crypto isakmp sa
dst          src          state        conn-id  slot
Home IP      Client IP    MM_KEY_EXCH  3        0
Home IP      Client IP    MM_NO_STATE  2        0  (deleted)
But on the Home Pix (525)
crypto_isakmp_process_block: src Client IP, dest Home IP
ISAKMP: reserved not zero on payload 5!
ISAKMP: malformed payload
I also get this:
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src Client IP, dest Home IP
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
return status is IKMP_NO_ERROR
Looks like isakmp (phase 1) is ok, but ipsec (phase 2) isn't matching.
Post the crypto commands for both sides so we can see what doesn't match
ASKER
On the 525:
crypto map vpn-map 26 set peer Client IP
isakmp key ******** address Client IP netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
On the 2600:
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ******* address Home IP
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
crypto map to_vpn 10 ipsec-isakmp
set peer Home IP
set transform-set to_vpn
match address 101
interface Dialer1
crypto map to_vpn
The 525 has a lifetime on the isakmp policy 10
Do you have the same on the 2600 policy 1?
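The expert's question above is whether the two ends' phase-1 policies and phase-2 transform sets actually line up, lifetime included. The Python below is an added example, not code from the thread: it parses the 2600 and 525 fragments the asker posted (addresses obfuscated as in the thread), fills in the IOS/PIX defaults for attributes a policy leaves unset, and reports which policy pair and which transform sets match; the policy numbers and map names are the ones from the posts.

```python
"""Added example, not code from the thread: cross-check IKE phase-1 policies and IPsec
phase-2 transform sets of an IOS router and a PIX 6.x firewall from pasted fragments."""
import re

# Defaults IOS and PIX 6.x apply to unset policy attributes (so the 2600's policy 1 has lifetime 86400).
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
IOS_ATTR = re.compile(r"^(encr|encryption|hash|authentication|group|lifetime) (\S+)$")
PIX_ATTR = re.compile(r"^isakmp policy (\d+) (authentication|encryption|hash|group|lifetime) (\S+)$")

def parse_ios_isakmp_policies(config):
    """{number: {attribute: value}} from IOS 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        head = re.match(r"^crypto isakmp policy (\d+)$", line)
        attr = IOS_ATTR.match(line) if current is not None else None
        if head:
            current = policies.setdefault(head.group(1), dict(POLICY_DEFAULTS))
        elif attr:  # the running config abbreviates "encryption" as "encr"
            current["encryption" if attr.group(1) == "encr" else attr.group(1)] = attr.group(2)
        else:
            current = None  # any other command ends the policy block
    return policies

def parse_pix_isakmp_policies(config):
    """{number: {attribute: value}} from flat PIX 'isakmp policy N attribute value' lines."""
    policies = {}
    for m in filter(None, (PIX_ATTR.match(l.strip()) for l in config.splitlines())):
        policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def matching_phase1(ios_policies, pix_policies):
    """(ios_no, pix_no, ios_lifetime, pix_lifetime) for each pair whose encryption, hash,
    authentication and group agree; lifetime is only reported, the peers use the shorter one."""
    keys = ("encryption", "hash", "authentication", "group")
    return [(i, p, ipol["lifetime"], ppol["lifetime"])
            for i, ipol in sorted(ios_policies.items(), key=lambda kv: int(kv[0]))
            for p, ppol in sorted(pix_policies.items(), key=lambda kv: int(kv[0]))
            if all(ipol[k] == ppol[k] for k in keys)]

def parse_transform_sets(config):
    """{name: frozenset(transforms)}; the command has the same form on IOS and PIX."""
    found = re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)
    return {name: frozenset(rest.split()) for name, rest in found}

def map_entry_transform_sets(config, map_name, seq):
    """Transform-set names bound to one crypto map entry, in the IOS block form
    ('crypto map NAME SEQ ipsec-isakmp' + 'set transform-set ...') or the PIX flat form."""
    names, in_block = [], False
    for line in (l.strip() for l in config.splitlines()):
        flat = re.match(r"^crypto map (\S+) (\d+) set transform-set (.+)$", line)
        head = re.match(r"^crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if flat and (flat.group(1), flat.group(2)) == (map_name, seq):
            names += flat.group(3).split()
        elif head:
            in_block = (head.group(1), head.group(2)) == (map_name, seq)
        elif in_block and line.startswith("set transform-set "):
            names += line.split()[2:]
        elif in_block and not line.startswith(("set ", "match ")):
            in_block = False  # a top-level command ends the IOS block
    return names

def phase2_matches(ios_cfg, ios_map, ios_seq, pix_cfg, pix_map, pix_seq):
    """True when the two crypto map entries propose at least one identical transform set."""
    ios_sets, pix_sets = parse_transform_sets(ios_cfg), parse_transform_sets(pix_cfg)
    ios_prop = {ios_sets[n] for n in map_entry_transform_sets(ios_cfg, ios_map, ios_seq) if n in ios_sets}
    pix_prop = {pix_sets[n] for n in map_entry_transform_sets(pix_cfg, pix_map, pix_seq) if n in pix_sets}
    return bool(ios_prop & pix_prop)

# Sample input: the fragments the asker posted, addresses obfuscated as in the thread.
IOS_2600 = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set to_vpn esp-3des esp-md5-hmac
crypto map to_vpn 10 ipsec-isakmp
set transform-set to_vpn
match address 101
"""
PIX_525 = """\
crypto ipsec transform-set md5-3des esp-3des esp-md5-hmac
crypto map vpn-map 26 set peer Client IP
crypto map vpn-map 26 set transform-set md5-3des
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

if __name__ == "__main__":
    ios, pix = parse_ios_isakmp_policies(IOS_2600), parse_pix_isakmp_policies(PIX_525)
    print(matching_phase1(ios, pix), phase2_matches(IOS_2600, "to_vpn", "10", PIX_525, "vpn-map", "26"))
```

With these fragments the script reports IOS policy 1 matching PIX policy 10 (both lifetimes 86400, policy 20 fails on the hash) and a phase-2 match on esp-3des/esp-md5-hmac, so whatever is still wrong is not in the proposals themselves.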
ASKER
Yep. I remember when I set this up in the lab that if I changed the IP address of the client (2600), it took some time for it to change on the PIX. Example:
When I do a "show crypto ipsec sa" it shows this:
local ident (addr/mask/prot/port): (10.1.252.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (172.200.200.0/255.255.255.0/0/0)
current_peer: Old Lab IP address
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3955, #pkts encrypt: 3955, #pkts digest 3955
#pkts decaps: 3708, #pkts decrypt: 3708, #pkts verify 3708
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 15, #recv errors 0
local crypto endpt.: 209.223.113.2, remote crypto endpt.: Old Lab IP address
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Beyond that, I haven't changed any crypto configs since this was working under a static IP (non-PPPoE) in the lab last week.
Can you give me a better straight paste out of the configs? Please keep the IP addresses obfuscated.
ASKER
Certainly. It'll take about 20 minutes for me to get the config for the HQ to you, it's several pages long and will take a while to edit.
Thanks again for your help.
Ryan
ASKER
Well, here's 440 lines' worth. The crypto for the 2600 client is lines 413 and 422. If I marked out too much, just let me know. Good luck!
1 !
2 ! Telconi Terminal v0.94a
3 ! direct TELNET to ********254.9 [********254.9] from ********253.51
4 ! PIX device detected.
5 :
6 PIX Version 6.2(3)
7 nameif ethernet0 outside security0
8 nameif ethernet1 inside security100
9 nameif ethernet2 intf2 security10
10 nameif ethernet3 intf3 security15
11 nameif ethernet4 intf4 security20
12 nameif ethernet5 state security20
13 enable password ************* encrypted
14 passwd ************ encrypted
15 hostname pixfirewall
16 domain-name **************
17 clock timezone pacific 0
18 fixup protocol ftp 21
19 fixup protocol http 80
20 fixup protocol h323 h225 1720
21 fixup protocol h323 ras 1718-1719
22 fixup protocol ils 389
23 fixup protocol rsh 514
24 fixup protocol rtsp 554
25 fixup protocol sqlnet 1521
26 fixup protocol sip 5060
27 fixup protocol skinny 2000
28 fixup protocol smtp 25
29 fixup protocol sip udp 5060
30 names
31 access-list zm permit ip host *********** *********** 255.255.255.0
32 access-list internelnet permit tcp host ************** any eq 6882
33 access-list 1721 permit ip host ********************* host ********254.27
34 access-list 1721 permit ip host ********************* host ********254.23
35 access-list 1721 permit ip host ********************* host ********254.22
36 access-list 1721 permit ip host ********************* host ********254.42
37 access-list 1721 permit ip host ********************* host ********254.45
38 access-list 1721 permit ip host ********************* host ********254.30
39 access-list 1721 permit ip host ********************* host ********254.20
40 access-list 1721 permit ip host ********************* host ********254.168
41 access-list 1721 permit ip host ********************* host ********253.100
42 access-list 1721 permit ip host ********************* host ********254.142
43 access-list 1721 permit ip host ********************* host ********254.41
44 access-list 1721 permit ip host ********.1.18 host ********252.142
45 access-list 1721 permit tcp host ********************* any eq www
46 access-list 1721 permit udp host ********************* any eq www
47 access-list 1721 permit tcp host ********************* host ********252.3 eq 1984
48 access-list 1721 permit tcp host ********.1.71 host ********252.3 eq 1984
49 access-list 1721 permit tcp host ********.1.73 host ********252.3 eq 1984
50 access-list 1721 permit tcp host ********.1.18 host ********252.3 eq 1984
51 access-list 1721 permit icmp host ********************* host ********252.3
52 access-list 1721 permit icmp host ********.1.71 host ********252.3
53 access-list 1721 permit icmp host ********.1.73 host ********252.3
54 access-list 1721 permit icmp host ********.1.18 host ********252.3
55 access-list 1721 permit icmp ********.1.0 255.255.255.0 ********252.0 255.255.252.0 echo-reply
56 access-list 1721 deny ip any any
57 access-list any permit ip any any
58 access-list nonat permit ip ********252.0 255.255.252.0 172.200.200.0 255.255.255.0
59 access-list nonat permit ip ********32.0 255.255.240.0 172.200.200.0 255.255.255.0
60 access-list nonat permit ip ********99.0 255.255.255.0 172.200.200.0 255.255.255.0
61 access-list nonat permit ip 86.85.2.0 255.255.255.0 172.200.200.0 255.255.255.0
62 access-list nonat permit ip 86.85.50.0 255.255.255.0 172.200.200.0 255.255.255.0
63 access-list nonat permit ip ********190.0 255.255.255.0 172.200.200.0 255.255.255.0
64 access-list nonat permit ip any ********.0.0 255.255.0.0
65 access-list nonat permit ip any ********.0.0 255.255.0.0
66 access-list nonat permit ip any ********0.0 255.255.0.0
67 access-list nonat permit ip any 85.85.0.0 255.255.0.0
68 access-list nonat permit ip ********.2.0 255.255.255.0 172.200.200.0 255.255.255.0
69 access-list nonat permit ip ********16.0 255.255.255.0 172.200.200.0 255.255.255.0
70 access-list hv permit ip host ********** host 10.********
71 access-list VM permit ip host *********** host **********
72 access-list Im permit ip host ********** 192.168.8.0 255.255.252.0
73 access-list internalnet permit ip any ********.1.0 255.255.255.0
74 access-list internalnet permit ip any ********.2.0 255.255.255.0
75 access-list internalnet permit tcp any any eq domain
76 access-list internalnet permit udp any any eq domain
77 access-list internalnet permit tcp any any eq ftp
78 access-list internalnet permit tcp any any eq ssh
79 access-list internalnet permit tcp any any eq telnet
80 access-list internalnet permit tcp any any eq whois
81 access-list internalnet permit tcp any any eq www
82 access-list internalnet permit tcp any any eq pop3
83 access-list internalnet permit tcp any any eq imap4
84 access-list internalnet permit tcp any any eq https
85 access-list internalnet permit tcp any any eq ldaps
86 access-list internalnet permit udp any any eq isakmp
87 access-list internalnet permit udp any any eq ntp
88 access-list internalnet permit tcp any any eq ldap
89 access-list internalnet permit tcp any any eq 1474
90 access-list internalnet permit tcp any any eq h323
91 access-list internalnet permit tcp any any eq 3389
92 access-list internalnet permit tcp any any eq 8080
93 access-list internalnet permit tcp any any eq 8081
94 access-list internalnet permit tcp any any eq 1755
95 access-list internalnet permit tcp any any eq 7000
96 access-list internalnet permit tcp any any eq 14579
97 access-list internalnet permit tcp any any eq 15217
98 access-list internalnet permit tcp any any eq 16660
99 access-list internalnet permit tcp any any eq 16662
100 access-list internalnet permit udp host ********252.3 any eq snmp
101 access-list internalnet permit tcp any any eq 2703
102 access-list internalnet permit tcp any any eq sqlnet
103 access-list internalnet permit tcp any any eq 1433
104 access-list internalnet permit tcp host ********252.3 any eq smtp
105 access-list internalnet permit tcp host ********190.254 any eq smtp
106 access-list internalnet permit tcp any any eq 20000
107 access-list internalnet permit tcp any any eq 8000
108 access-list internalnet permit tcp any any eq 889
109 access-list internalnet deny udp any any eq tftp
110 access-list internalnet deny udp any any eq 4444
111 access-list internalnet permit tcp any any eq 5556
112 access-list internalnet permit udp any any eq 5556
113 access-list internalnet permit tcp any any eq 1863
114 access-list internalnet permit tcp any any eq 2082
115 access-list internalnet permit tcp any any eq 2083
116 access-list internalnet permit tcp any any eq 2086
117 access-list internalnet permit tcp any any eq 2095
118 access-list internalnet permit udp host ********253.86 any eq 10000
119 access-list internalnet permit udp host ********253.113 any eq 10000
120 access-list internalnet deny ip 66.151.158.0 255.255.255.0 any
121 access-list internalnet deny ip any 66.151.158.0 255.255.255.0
122 access-list internalnet deny udp any any eq 1214
123 access-list internalnet deny tcp any any eq 1214
124 access-list internalnet deny tcp any any eq 6660
125 access-list internalnet deny tcp any any eq 6661
126 access-list internalnet deny tcp any any eq 6662
127 access-list internalnet deny tcp any any eq 6663
128 access-list internalnet deny tcp any any eq 6664
129 access-list internalnet deny tcp any any eq 6665
130 access-list internalnet deny tcp any any eq 6666
131 access-list internalnet deny tcp any any eq 6667
132 access-list internalnet deny tcp any any eq 6668
133 access-list internalnet deny tcp any any eq 6669
134 access-list internalnet deny tcp any any eq 6670
135 access-list internalnet deny tcp any any eq 2018
136 access-list internalnet deny tcp any any eq 2019
137 access-list internalnet deny tcp any any eq 2020
138 access-list internalnet deny tcp any any eq 2021
139 access-list internalnet permit tcp host ********253.22 any eq smtp
140 access-list internalnet permit ip any host *********
141 access-list internalnet permit ip 172.200.200.0 255.255.255.0 any
142 access-list internalnet permit icmp any any
143 access-list internalnet permit tcp host ********253.13 any eq smtp
144 access-list internalnet deny tcp any any eq 5559
145 access-list internalnet deny udp any any eq 5559
146 access-list internalnet permit tcp host ********253.7 any eq smtp
147 access-list internalnet permit tcp host ********253.17 any eq smtp
148 access-list internalnet permit udp host ********253.95 any eq isakmp
149 access-list internalnet deny tcp any any eq 5050
150 access-list internalnet deny tcp any any eq aol
151 access-list internalnet permit tcp host ********253.15 any eq smtp
152 access-list internalnet permit tcp host ********254.41 any eq smtp
153 access-list internalnet permit tcp host ********252.90 any eq smtp
154 access-list internalnet permit tcp host ********252.91 any eq smtp
155 access-list internalnet permit ip host ********252.3 ********.2.0 255.255.255.0
156 access-list internalnet permit tcp host ********254.47 any eq smtp
157 access-list internalnet permit tcp host ********254.168 any eq smtp
158 access-list internalnet permit tcp host ********253.59 any eq smtp
159 access-list internalnet permit tcp host ********253.51 any eq smtp
160 access-list internalnet permit tcp host ********253.30 any eq smtp
161 access-list internalnet permit ip host ********253.81 any
162 access-list internalnet permit tcp any host 66.113.93.26 eq 8100
163 access-list internalnet permit tcp host ********252.89 any eq smtp
164 access-list internalnet permit tcp host ********252.100 any
165 access-list internalnet permit tcp host ********252.98 any
166 access-list internalnet permit tcp host ********252.99 any
167 access-list internalnet permit tcp any any eq 9100
168 access-list VMT permit ip host ************.113.21 host 63.251.99.220
169 access-list VMT permit ip host ************.113.21 host 63.251.99.216
170 access-list VMT permit ip host ************.113.21 host 205.239.223.74
171 access-list internet permit tcp host 209.209.9.127 host ************.113.42 eq pop3
172 access-list internet permit tcp any host ************.113.195 eq www
173 access-list internet permit tcp any host ************.113.196 eq www
174 access-list internet permit tcp any host ************.113.197 eq www
175 access-list internet permit tcp any host ************.113.201 eq www
176 access-list internet permit tcp any host ************.113.201 eq ftp
177 access-list internet permit tcp any host ************.113.71 eq ftp
178 access-list internet permit tcp host 12.8.2.2 host ************.113.73 eq ssh
179 access-list internet permit tcp host 209.142.244.66 host ************.113.73 eq ssh
180 access-list internet permit tcp host 12.42.142.180 host ************.113.73 eq ssh
181 access-list internet permit tcp host 207.208.157.29 host ************.113.73 eq ssh
182 access-list internet permit tcp host 207.208.157.27 host ************.113.73 eq ssh
183 access-list internet permit tcp host 64.1.90.29 host ************.113.73 eq ssh
184 access-list internet permit tcp host 12.1.237.131 host ************.113.73 eq ssh
185 access-list internet permit tcp host 12.1.237.135 host ************.113.73 eq ssh
186 access-list internet permit tcp host 64.236.243.31 host ************.113.73 eq ssh
187 access-list internet permit tcp host 12.46.139.162 host ************.113.73 eq ssh
188 access-list internet permit tcp host 65.197.209.2 host ************.113.21 eq ssh
189 access-list internet permit tcp host 65.219.52.22 host ************.113.38 eq ftp
190 access-list internet permit tcp host 65.223.39.25 host ************.113.73 eq ssh
191 access-list internet permit tcp host 64.173.92.11 host ************.113.73 eq ssh
192 access-list internet permit tcp host 65.119.0.68 host ************.113.73 eq ssh
193 access-list internet deny udp any any eq tftp
194 access-list internet deny udp any any eq 4444
195 access-list internet permit tcp any host ************.113.18 eq ftp
196 access-list internet permit tcp host 210.175.246.65 host ************.113.73 eq ssh
197 access-list internet deny ip host ************.113.220 any
198 access-list internet deny icmp host ************.113.220 any
199 access-list internet permit tcp host 64.165.135.130 host ************.113.73 eq ftp
200 access-list internet permit tcp host 64.165.135.132 host ************.113.73 eq ftp
201 access-list internet permit tcp host 167.229.23.12 host ************.113.73 eq ftp
202 access-list internet permit tcp host 167.229.23.76 host ************.113.73 eq ftp
203 access-list internet permit tcp host 65.223.39.2 host ************.113.73 eq ftp
204 access-list internet permit tcp host 65.223.39.25 host ************.113.73 eq ftp
205 access-list internet permit tcp host 208.253.155.193 host ************.113.73 eq ftp
206 access-list internet permit tcp any host ************.113.19 eq ftp
207 access-list internet permit tcp any host ************.113.20 eq ftp
208 access-list internet permit tcp host 199.201.1.18 host ************.113.73 eq ftp
209 access-list internet permit tcp host 63.80.59.249 host ************.113.73 eq ftp
210 access-list internet permit tcp host 66.91.145.147 host ************.113.73 eq ftp
211 access-list internet permit tcp host 203.63.39.9 host ************.113.73 eq ssh
212 access-list internet deny udp any any eq 1214
213 access-list internet deny tcp any any eq 1214
214 access-list internet deny tcp any any eq 6660
215 access-list internet deny tcp any any eq 6661
216 access-list internet deny tcp any any eq 6662
217 access-list internet deny tcp any any eq 6663
218 access-list internet deny tcp any any eq 6664
219 access-list internet deny tcp any any eq 6665
220 access-list internet deny tcp any any eq 6666
221 access-list internet deny tcp any any eq 6667
222 access-list internet deny tcp any any eq 6668
223 access-list internet deny tcp any any eq 6669
224 access-list internet deny tcp any any eq 6670
225 access-list internet deny tcp any any eq 2018
226 access-list internet deny tcp any any eq 2019
227 access-list internet deny tcp any any eq 2020
228 access-list internet deny tcp any any eq 2021
229 access-list internet deny ip host 66.151.158.183 any
230 access-list internet permit ip host 64.164.227.198 any
231 access-list internet permit tcp host 207.207.170.150 host ************.113.73 eq ftp
232 access-list internet permit tcp host 203.63.39.10 host ************.113.73 eq ssh
233 access-list internet permit icmp host 64.164.227.197 any
234 access-list internet permit icmp host 64.164.227.199 any
235 access-list internet permit icmp host 64.164.227.198 any
236 access-list internet permit icmp host 64.164.227.200 any
237 access-list internet permit ip any host ************.113.132
238 access-list internet permit ip any host ************.113.190
239 access-list internet permit tcp host 155.44.84.163 host ************.113.73 eq ftp
240 access-list internet permit tcp host 155.44.83.137 host ************.113.73 eq ftp
241 access-list internet permit tcp host 151.198.243.82 host ************.113.73 eq ftp
242 access-list internet permit tcp host 205.166.37.100 host ************.113.73 eq ftp
243 access-list internet permit tcp host 203.63.39.10 host ************.113.73 eq ftp
244 access-list internet permit tcp host 203.63.39.9 host ************.113.73 eq ftp
245 access-list internet permit tcp host 63.93.126.54 host ************.113.73 eq ftp
246 access-list internet permit tcp host 12.46.139.166 host ************.113.73 eq ssh
247 access-list internet permit tcp host 12.174.92.2 host ************.113.73 eq ftp
248 access-list internet permit tcp host 66.88.100.147 host ************.113.73 eq ftp
249 access-list internet deny tcp any any eq 5050
250 access-list internet permit tcp any host ************.113.68 eq smtp
251 access-list internet permit tcp any host ************.113.68 eq www
252 access-list internet permit tcp any host ************.113.247 eq www
253 access-list internet permit tcp 64.164.227.192 255.255.255.248 host ************.113.251 eq www
254 access-list internet permit icmp any host ************.113.4 echo-reply
255 access-list internet permit tcp host 64.236.233.243 host ************.113.73 eq ssh
256 access-list internet permit tcp host 64.236.233.180 host ************.113.73 eq ssh
257 access-list internet permit tcp host 64.236.233.207 host ************.113.73 eq ssh
258 access-list internet permit tcp host 205.158.63.38 host ************.113.42 eq pop3
259 access-list internet permit tcp host 81.144.246.194 host ************.113.73 eq ftp
260 access-list internet permit tcp host 63.82.98.2 host ************.113.73 eq ssh
261 access-list internet permit tcp host 63.82.98.2 host ************.113.73 eq ftp
262 access-list internet permit tcp host 146.145.128.26 host ************.113.73 eq ftp
263 access-list internet permit tcp host 65.244.245.5 host ************.113.73 eq ssh
264 access-list internet permit tcp host 63.116.153.5 host ************.113.73 eq ssh
265 access-list 1722 permit ip host ********.2.205 host ********252.3
266 access-list 1722 permit ip host ********.2.201 host ********252.3
267 access-list 1722 permit ip host ********.2.21 ********.0.0 255.255.0.0
268 access-list 1722 permit ip host ********.2.21 host ********254.121
269 access-list 1722 permit ip host ********.2.21 host ********253.21
270 access-list 1722 permit icmp ********.2.0 255.255.255.0 ********.0.0 255.255.0.0
271 access-list 1722 permit tcp ********.2.0 255.255.255.0 host ********252.3 eq 1984
272 access-list 1722 permit icmp ********.2.0 255.255.255.0 ********253.0 255.255.255.0
273 access-list 1722 permit ip ********.2.0 255.255.255.0 host ********254.27
274 access-list 1722 permit tcp ********.2.0 255.255.255.0 any eq domain
275 access-list 1722 permit udp ********.2.0 255.255.255.0 any eq domain
276 access-list 1722 permit icmp ********.2.0 255.255.255.0 ********252.0 255.255.255.0 echo-reply
277 access-list 1722 deny ip ********.2.0 255.255.255.0 ********252.0 255.255.252.0
278 access-list 1722 permit ip ********.2.0 255.255.255.0 any
279 access-list 1722 deny ip any any
280 access-list 1722 permit udp ********.2.0 255.255.255.0 host ********254.27 eq 2967
281 access-list 1722 permit udp ********.2.0 255.255.255.0 host ********254.27 eq 38037
282 access-list VM permit ip host ************.113.21 host 205.239.227.105
283 access-list JF permit ip ********252.0 255.255.252.0 172.200.200.0 255.255.255.0
284 access-list JF permit ip ********0.0 255.255.224.0 172.200.200.0 255.255.255.0
285 access-list JF permit ip ********32.0 255.255.240.0 172.200.200.0 255.255.255.0
286 access-list JF permit ip ********99.0 255.255.255.0 172.200.200.0 255.255.255.0
287 access-list JF permit ip ********190.0 255.255.255.0 172.200.200.0 255.255.255.0
288 access-list JF permit ip 86.85.2.0 255.255.255.0 172.200.200.0 255.255.255.0
289 access-list JF permit ip 86.85.50.0 255.255.255.0 172.200.200.0 255.255.255.0
290 access-list JF permit ip ********.2.0 255.255.255.0 172.200.200.0 255.255.255.0
291 no pager
292 logging on
293 logging buffered debugging
294 logging facility 23
295 logging queue 1024
296 logging host inside ********254.149
297 interface ethernet0 100full
298 interface ethernet1 100full
299 interface ethernet2 100full
300 interface ethernet3 100full
301 interface ethernet4 100full
302 interface ethernet5 100full
303 mtu outside 1500
304 mtu inside 1500
305 mtu intf2 1500
306 mtu intf3 1500
307 mtu intf4 1500
308 mtu state 1500
309 ip address outside ************.113.2 255.255.255.0
310 ip address inside ********254.9 255.255.252.0
311 ip address intf2 ********.1.10 255.255.255.0
312 ip address intf3 ********.2.10 255.255.255.0
313 ip address intf4 ********99.11 255.255.255.0
314 ip address state 192.168.2.1 255.255.255.252
315 ip audit info action alarm
316 ip audit attack action alarm
317 failover
318 failover timeout 0:00:00
319 failover poll 15
320 failover ip address outside ************.113.253
321 failover ip address inside ********254.8
322 failover ip address intf2 ********.1.11
323 failover ip address intf3 ********.2.11
324 failover ip address intf4 ********99.12
325 failover ip address state 192.168.2.2
326 failover link intf4
327 pdm history enable
328 arp timeout 14400
329 global (outside) 1 ************.113.4 netmask 255.255.255.255
330 nat (inside) 0 access-list nonat
331 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
332 nat (intf2) 0 access-list nonat
333 nat (intf2) 1 0.0.0.0 0.0.0.0 0 0
334 nat (intf3) 0 access-list nonat
335 nat (intf3) 1 0.0.0.0 0.0.0.0 0 0
336 nat (intf4) 0 access-list nonat
337 nat (intf4) 1 0.0.0.0 0.0.0.0 0 0
338 static (intf2,outside) ************.113.70 ********.1.70 netmask 255.255.255.255 0 0
339 static (intf2,outside) ************.113.72 ********.1.72 netmask 255.255.255.255 0 0
340 static (intf2,outside) ************.113.73 ********.1.73 netmask 255.255.255.255 0 0
341 static (intf3,outside) ************.113.195 ********.2.195 netmask 255.255.255.255 0 0
342 static (intf3,outside) ************.113.196 ********.2.196 netmask 255.255.255.255 0 0
343 static (intf3,outside) ************.113.201 ********.2.201 netmask 255.255.255.255 0 0
344 static (intf3,outside) ************.113.203 ********.2.203 netmask 255.255.255.255 0 0
345 static (intf3,outside) ************.113.204 ********.2.204 netmask 255.255.255.255 0 0
346 static (intf3,outside) ************.113.205 ********.2.205 netmask 255.255.255.255 0 0
347 static (intf3,outside) ************.113.207 ********.2.207 netmask 255.255.255.255 0 0
348 static (intf3,outside) ************.113.198 ********.2.198 netmask 255.255.255.255 0 0
349 static (intf3,outside) ************.113.202 ********.2.202 netmask 255.255.255.255 0 0
350 static (intf3,outside) ************.113.197 ********.1.197 netmask 255.255.255.255 0 0
351 static (inside,outside) ************.113.21 ********252.3 netmask 255.255.255.255 0 0
352 static (intf2,outside) ************.113.71 ********.1.71 netmask 255.255.255.255 0 0
353 static (intf2,outside) ************.113.68 ********************* netmask 255.255.255.255 0 0
354 static (intf2,outside) ************.113.18 ********.1.18 netmask 255.255.255.255 0 0
355 static (intf2,outside) ************.113.19 ********.1.19 netmask 255.255.255.255 0 0
356 static (intf2,outside) ************.113.20 ********.1.20 netmask 255.255.255.255 0 0
357 static (inside,outside) ************.113.69 ********254.41 netmask 255.255.255.255 0 0
358 static (intf3,outside) ************.113.190 ********.2.190 netmask 255.255.255.255 0 0
359 static (inside,outside) ************.113.42 ********254.42 netmask 255.255.255.255 0 0
360 static (intf3,outside) ************.113.169 ********.2.169 netmask 255.255.255.255 0 0
361 static (inside,outside) ************.113.247 ********253.47 netmask 255.255.255.255 0 0
362 static (inside,outside) ************.113.251 ********253.51 netmask 255.255.255.255 0 0
363 access-group internet in interface outside
364 access-group internalnet in interface inside
365 access-group 1721 in interface intf2
366 access-group 1722 in interface intf3
367 access-group any in interface intf4
368 route outside 0.0.0.0 0.0.0.0 ************.113.1 1
369 route inside ********0.0 255.255.0.0 ********254.10 1
370 route inside ********190.0 255.255.255.0 ********254.10 1
371 route inside 86.85.2.0 255.255.255.0 ********254.10 1
372 route inside 86.85.50.0 255.255.255.0 ********254.10 1
373 route inside ********.0.0 255.255.0.0 ********254.10 1
374 timeout xlate 3:00:00
375 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
376 timeout uauth 0:05:00 absolute
377 aaa-server TACACS+ protocol tacacs+
378 aaa-server RADIUS protocol radius
379 aaa-server LOCAL protocol local
380 snmp-server host inside ********252.35 poll
381 snmp-server host inside ********253.21 poll
382 snmp-server host inside ********253.2 poll
383 snmp-server host inside ********253.51 poll
384 snmp-server host inside ********254.149 poll
385 snmp-server host inside ********254.7 poll
386 snmp-server location HQ
387 snmp-server contact MDJ
388 snmp-server community access
389 snmp-server enable traps
390 floodguard enable
391 sysopt connection permit-ipsec
392 no sysopt route dnat
393 crypto ipsec transform-set md5-3des esp-3des esp-md5-hmac
394 crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
395 crypto map vpn-map 21 ipsec-isakmp
396 crypto map vpn-map 21 match address VM
397 crypto map vpn-map 21 set peer *************
398 crypto map vpn-map 21 set transform-set md5-3des
399 crypto map vpn-map 22 ipsec-isakmp
400 crypto map vpn-map 22 match address Im
401 crypto map vpn-map 22 set peer ************
402 crypto map vpn-map 22 set transform-set sha-3des
403 crypto map vpn-map 24 ipsec-isakmp
404 crypto map vpn-map 24 match address ZM
405 crypto map vpn-map 24 set peer ************
406 crypto map vpn-map 24 set transform-set md5-3des
407 crypto map vpn-map 25 ipsec-isakmp
408 crypto map vpn-map 25 match address VMT
409 crypto map vpn-map 25 set peer *************
410 crypto map vpn-map 25 set transform-set sha-3des
411 crypto map vpn-map 26 ipsec-isakmp
412 crypto map vpn-map 26 match address JF
413 crypto map vpn-map 26 set peer Client IP (2600)
414 crypto map vpn-map 26 set transform-set md5-3des
415 crypto map vpn-map interface outside
416 isakmp enable outside
417 isakmp key ******** address ********* netmask 255.255.255.255
418 isakmp key ******** address ********** netmask 255.255.255.255
419 isakmp key ******** address ********** netmask 255.255.255.255
420 isakmp key ******** address ********** netmask 255.255.255.255
421 isakmp key ******** address ********** netmask 255.255.255.255
422 isakmp key ******** address Client IP (2600) netmask 255.255.255.255
423 isakmp identity address
424 isakmp policy 10 authentication pre-share
425 isakmp policy 10 encryption 3des
426 isakmp policy 10 hash md5
427 isakmp policy 10 group 2
428 isakmp policy 10 lifetime 86400
429 isakmp policy 20 authentication pre-share
430 isakmp policy 20 encryption 3des
431 isakmp policy 20 hash sha
432 isakmp policy 20 group 2
433 isakmp policy 20 lifetime 86400
434 telnet ******** ********* inside
435 telnet timeout 15
436 ssh ******** ********** inside
437 ssh timeout 60
438 terminal width 511
439 Cryptochecksum:3c787353308 1e8cf8c1d4 8ed8c4b13a 0
440 : end
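The PIX configuration above applies its named access-lists in three places: `access-group ... in interface`, `nat (...) 0 access-list` and `crypto map ... match address`. Before chasing a tunnel problem it is worth cross-referencing those names mechanically. The script below is an added example, not the poster's configuration and not a Cisco tool: it parses a constructed PIX-style fragment (shaped like the posted config, with the masked addresses replaced by RFC 5737 documentation addresses) and reports access-lists that are referenced but never defined, access-lists that are defined but never applied, and interfaces whose inbound list is `permit ip any any`. Names are compared case-sensitively, as PIX does, so a pair such as `match address ZM` against `access-list zm` is reported rather than treated as a match.

```python
"""Cross-reference lint for PIX 6.x style access-list usage (added example)."""
import re
from collections import defaultdict

# Constructed fragment shaped like the posted config; 192.0.2.x, 198.51.100.x and
# 203.0.113.x are documentation placeholders, not the poster's addresses.
SAMPLE_CONFIG = """\
access-list zm permit ip host 192.0.2.10 198.51.100.0 255.255.255.0
access-list internelnet permit tcp host 192.0.2.11 any eq 6882
access-list internalnet permit tcp any any eq www
access-list internalnet permit ip 172.200.200.0 255.255.255.0 any
access-list any permit ip any any
access-list nonat permit ip 192.0.2.0 255.255.252.0 172.200.200.0 255.255.255.0
access-list JF permit ip 192.0.2.0 255.255.252.0 172.200.200.0 255.255.255.0
access-list internet permit tcp any host 203.0.113.68 eq smtp
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group internet in interface outside
access-group internalnet in interface inside
access-group any in interface intf4
crypto map vpn-map 24 ipsec-isakmp
crypto map vpn-map 24 match address ZM
crypto map vpn-map 26 ipsec-isakmp
crypto map vpn-map 26 match address JF
"""

ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
ACL_GROUP = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$")
NAT_EXEMPT = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)$")
CRYPTO_MATCH = re.compile(r"^crypto map\s+\S+\s+\d+\s+match address\s+(\S+)$")


def parse_config(text):
    """Collect ACL definitions, every place an ACL name is referenced, and the
    ACL applied inbound on each interface."""
    defined = defaultdict(list)      # name -> [(action, protocol, rest), ...]
    referenced = defaultdict(list)   # name -> ["access-group outside", ...]
    applied = {}                     # interface -> ACL name
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_DEF.match(line)
        if m:
            defined[m.group(1)].append((m.group(2), m.group(3), m.group(4).strip()))
            continue
        m = ACL_GROUP.match(line)
        if m:
            referenced[m.group(1)].append(f"access-group {m.group(2)}")
            applied[m.group(2)] = m.group(1)
            continue
        m = NAT_EXEMPT.match(line)
        if m:
            referenced[m.group(1)].append("nat 0")
            continue
        m = CRYPTO_MATCH.match(line)
        if m:
            referenced[m.group(1)].append("crypto map match address")
    return defined, referenced, applied


def lint(text):
    """Return the three findings as sorted lists of names."""
    defined, referenced, applied = parse_config(text)
    # Exact comparison: PIX ACL names are case-sensitive, so "ZM" is not "zm".
    undefined = sorted(n for n in referenced if n not in defined)
    unused = sorted(n for n in defined if n not in referenced)
    wide_open = sorted(
        iface for iface, acl in applied.items()
        if any(action == "permit" and proto == "ip" and rest == "any any"
               for action, proto, rest in defined.get(acl, []))
    )
    return {"undefined": undefined, "unused": unused, "wide_open": wide_open}


if __name__ == "__main__":
    for finding, names in lint(SAMPLE_CONFIG).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

The checks only look at names and keywords, so a capture with masked addresses, like the one posted, can be fed in unchanged. An entry under `undefined` means a crypto map or interface is pointing at a list that does not exist under that exact spelling, and an entry under `unused` is either a leftover or a misspelling of a list that is in use.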
ASKER
Also, here's a debug of ISAKMP and IPSEC, if this helps.... (172.200.200.0 is the 2600's internal IP range, 113.2 is the outside of the HQ Pix)
*Mar 1 02:26:45.439: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4)
*Mar 1 02:26:45.439: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xC03F9BA2(3225394082), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 02:26:45.443: ISAKMP: received ke message (1/1)
*Mar 1 02:26:45.443: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:26:45.443: ISAKMP (0:18): SA is still budding. Attached new ipsec request to it. (local *********.3.220, remote *********.113.2)
*Mar 1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:26:46.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:26:46.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:26:56.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:26:56.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:04.603: ISAKMP (0:17): purging node -1294753914
*Mar 1 02:27:04.603: ISAKMP (0:17): purging node -982990144
*Mar 1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:27:06.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:27:06.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:14.603: ISAKMP (0:17): purging SA., sa=82F64A58, delme=82F64A58
*Mar 1 02:27:15.439: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4)
*Mar 1 02:27:15.439: ISAKMP: received ke message (3/1)
*Mar 1 02:27:15.439: ISAKMP (0:18): peer does not do paranoid keepalives.
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting node 1115628476 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 02:27:15.447: ISAKMP (0:18): deleting node 1462972016 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 02:27:15.447: ISAKMP (0:18): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 02:27:15.447: ISAKMP (0:18): Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Mar 1 02:27:16.275: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.0/0/0 (type=4),
remote_proxy= *********.252.0/255.255.252.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xEBA67DAC(3953556908), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 02:27:16.279: ISAKMP: received ke message (1/1)
*Mar 1 02:27:16.279: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 02:27:16.279: ISAKMP: local port 500, remote port 500
*Mar 1 02:27:16.283: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:27:16.283: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82F638E0
*Mar 1 02:27:16.283: ISAKMP (0:19): Can not start Aggressive mode, trying Main mode.
*Mar 1 02:27:16.283: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:16.283: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-03 ID
*Mar 1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-02 ID
*Mar 1 02:27:16.287: ISAKMP (0:19): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 02:27:16.287: ISAKMP (0:19): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:27:16.287: ISAKMP (0:19): beginning Main Mode exchange
*Mar 1 02:27:16.287: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:27:16.515: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:27:16.515: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:27:16.519: ISAKMP (0:19): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 02:27:16.519: ISAKMP (0:19): processing SA payload. message ID = 0
*Mar 1 02:27:16.519: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:16.519: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:16.519: ISAKMP (0:19) local preshared key found
*Mar 1 02:27:16.523: ISAKMP : Scanning profiles for xauth ...
*Mar 1 02:27:16.523: ISAKMP (0:19): Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 02:27:16.523: ISAKMP: encryption 3DES-CBC
*Mar 1 02:27:16.523: ISAKMP: hash MD5
*Mar 1 02:27:16.523: ISAKMP: default group 2
*Mar 1 02:27:16.523: ISAKMP: auth pre-share
*Mar 1 02:27:16.523: ISAKMP: life type in seconds
*Mar 1 02:27:16.523: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 02:27:16.523: ISAKMP (0:19): atts are acceptable. Next payload is 0
*Mar 1 02:27:16.771: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:27:16.771: ISAKMP (0:19): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 02:27:16.779: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 02:27:16.779: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:27:16.779: ISAKMP (0:19): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 02:27:17.027: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 02:27:17.031: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:27:17.031: ISAKMP (0:19): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 02:27:17.031: ISAKMP (0:19): processing KE payload. message ID = 0
*Mar 1 02:27:17.335: ISAKMP (0:19): processing NONCE payload. message ID = 0
*Mar 1 02:27:17.335: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:17.335: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:17.339: ISAKMP (0:19): SKEYID state generated
*Mar 1 02:27:17.339: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.339: ISAKMP (0:19): vendor ID seems Unity/DPD but major 242 mismatch
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is XAUTH
*Mar 1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is Unity
*Mar 1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is DPD
*Mar 1 02:27:17.343: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:27:17.347: ISAKMP (0:19): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 02:27:17.351: ISAKMP (0:19): Send initial contact
*Mar 1 02:27:17.351: ISAKMP (0:19): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 02:27:17.351: ISAKMP (0:19): ID payload
next-payload : 8
type : 1
address : *********.3.220
protocol : 17
port : 500
length : 12
*Mar 1 02:27:17.351: ISAKMP (19): Total payload length: 12
*Mar 1 02:27:17.355: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:17.355: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:27:17.355: ISAKMP (0:19): Old State = IKE_I_MM4 New State = IKE_I_MM5
*Mar 1 02:26:45.439: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.
remote_proxy= *********.252.0/255.255.25
*Mar 1 02:26:45.439: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.
remote_proxy= *********.252.0/255.255.25
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xC03F9BA2(3225394082), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 02:26:45.443: ISAKMP: received ke message (1/1)
*Mar 1 02:26:45.443: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:26:45.443: ISAKMP (0:18): SA is still budding. Attached new ipsec request to it. (local *********.3.220, remote *********.113.2)
*Mar 1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:26:46.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:26:46.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:26:46.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:26:56.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:26:56.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:26:56.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:04.603: ISAKMP (0:17): purging node -1294753914
*Mar 1 02:27:04.603: ISAKMP (0:17): purging node -982990144
*Mar 1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH...
*Mar 1 02:27:06.571: ISAKMP (0:18): incrementing error counter on sa: retransmit phase 1
*Mar 1 02:27:06.571: ISAKMP (0:18): retransmitting phase 1 MM_KEY_EXCH
*Mar 1 02:27:06.571: ISAKMP (0:18): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:14.603: ISAKMP (0:17): purging SA., sa=82F64A58, delme=82F64A58
*Mar 1 02:27:15.439: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.
remote_proxy= *********.252.0/255.255.25
*Mar 1 02:27:15.439: ISAKMP: received ke message (3/1)
*Mar 1 02:27:15.439: ISAKMP (0:18): peer does not do paranoid keepalives.
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_KEY_EXCH (peer *********.113.2) input queue 0
*Mar 1 02:27:15.443: ISAKMP (0:18): deleting node 1115628476 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 02:27:15.447: ISAKMP (0:18): deleting node 1462972016 error TRUE reason "gen_ipsec_isakmp_delete but doi isakmp"
*Mar 1 02:27:15.447: ISAKMP (0:18): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar 1 02:27:15.447: ISAKMP (0:18): Old State = IKE_I_MM5 New State = IKE_DEST_SA
*Mar 1 02:27:16.275: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= *********.3.220, remote= *********.113.2,
local_proxy= 172.200.200.0/255.255.255.
remote_proxy= *********.252.0/255.255.25
protocol= ESP, transform= esp-3des esp-md5-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0xEBA67DAC(3953556908), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 02:27:16.279: ISAKMP: received ke message (1/1)
*Mar 1 02:27:16.279: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 02:27:16.279: ISAKMP: local port 500, remote port 500
*Mar 1 02:27:16.283: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 02:27:16.283: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 82F638E0
*Mar 1 02:27:16.283: ISAKMP (0:19): Can not start Aggressive mode, trying Main mode.
*Mar 1 02:27:16.283: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:16.283: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-03 ID
*Mar 1 02:27:16.287: ISAKMP (0:19): constructed NAT-T vendor-02 ID
*Mar 1 02:27:16.287: ISAKMP (0:19): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 02:27:16.287: ISAKMP (0:19): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 02:27:16.287: ISAKMP (0:19): beginning Main Mode exchange
*Mar 1 02:27:16.287: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 02:27:16.515: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar 1 02:27:16.515: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:27:16.519: ISAKMP (0:19): Old State = IKE_I_MM1 New State = IKE_I_MM2
*Mar 1 02:27:16.519: ISAKMP (0:19): processing SA payload. message ID = 0
*Mar 1 02:27:16.519: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:16.519: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:16.519: ISAKMP (0:19) local preshared key found
*Mar 1 02:27:16.523: ISAKMP : Scanning profiles for xauth ...
*Mar 1 02:27:16.523: ISAKMP (0:19): Checking ISAKMP transform 1 against priority 1 policy
*Mar 1 02:27:16.523: ISAKMP: encryption 3DES-CBC
*Mar 1 02:27:16.523: ISAKMP: hash MD5
*Mar 1 02:27:16.523: ISAKMP: default group 2
*Mar 1 02:27:16.523: ISAKMP: auth pre-share
*Mar 1 02:27:16.523: ISAKMP: life type in seconds
*Mar 1 02:27:16.523: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Mar 1 02:27:16.523: ISAKMP (0:19): atts are acceptable. Next payload is 0
*Mar 1 02:27:16.771: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:27:16.771: ISAKMP (0:19): Old State = IKE_I_MM2 New State = IKE_I_MM2
*Mar 1 02:27:16.779: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar 1 02:27:16.779: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:27:16.779: ISAKMP (0:19): Old State = IKE_I_MM2 New State = IKE_I_MM3
*Mar 1 02:27:17.027: ISAKMP (0:19): received packet from *********.113.2 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar 1 02:27:17.031: ISAKMP (0:19): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar 1 02:27:17.031: ISAKMP (0:19): Old State = IKE_I_MM3 New State = IKE_I_MM4
*Mar 1 02:27:17.031: ISAKMP (0:19): processing KE payload. message ID = 0
*Mar 1 02:27:17.335: ISAKMP (0:19): processing NONCE payload. message ID = 0
*Mar 1 02:27:17.335: ISAKMP: Looking for a matching key for *********.113.2 in default : success
*Mar 1 02:27:17.335: ISAKMP (0:19): found peer pre-shared key matching *********.113.2
*Mar 1 02:27:17.339: ISAKMP (0:19): SKEYID state generated
*Mar 1 02:27:17.339: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.339: ISAKMP (0:19): vendor ID seems Unity/DPD but major 242 mismatch
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is XAUTH
*Mar 1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is Unity
*Mar 1 02:27:17.343: ISAKMP (0:19): processing vendor id payload
*Mar 1 02:27:17.343: ISAKMP (0:19): vendor ID is DPD
*Mar 1 02:27:17.343: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar 1 02:27:17.347: ISAKMP (0:19): Old State = IKE_I_MM4 New State = IKE_I_MM4
*Mar 1 02:27:17.351: ISAKMP (0:19): Send initial contact
*Mar 1 02:27:17.351: ISAKMP (0:19): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar 1 02:27:17.351: ISAKMP (0:19): ID payload
next-payload : 8
type : 1
address : *********.3.220
protocol : 17
port : 500
length : 12
*Mar 1 02:27:17.351: ISAKMP (19): Total payload length: 12
*Mar 1 02:27:17.355: ISAKMP (0:19): sending packet to *********.113.2 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar 1 02:27:17.355: ISAKMP (0:19): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar 1 02:27:17.355: ISAKMP (0:19): Old State = IKE_I_MM4 New State = IKE_I_MM5
Had to actually get work done - will look at it later tonight - sorry for the delay
The access list 101 on the 2600 needs to match (backwards) the JF access list here. Could you check it?
ip nat inside source list 1 interface Dialer1 overload
should be
ip nat inside source list 110 interface Dialer1 overload
so as not to NAT the VPN traffic.
crypto map to_vpn needs to be on the Dialer1 interface.
--------------------------
Non-PPPoE
The inside config has NAT rules on the interfaces, but no ip nat inside .... rules. The DSL modem probably expects everything to come from its 192.168.1.x address range, and has no way of knowing how to get packets to 172.200.
(172.200 is a valid public IP address, just so you know. The RFC1918 range is 172.16 to 172.31)
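As an added illustration of the two checks in the PPPoE reply above (the NAT ACL must exempt the VPN traffic, and ACL 101 must be the mirror of the home-office crypto ACL), here is a small Python model that is not part of the thread and not IOS itself. The 172.200.200.0/24 LAN comes from the thread; the home-office subnet is a placeholder (the real remote_proxy is masked in the debug), and the list numbers 1 and 110 are taken from the reply.

```python
import ipaddress as ipa

# Constructed example values: the 2600's LAN comes from the thread; the
# home-office LAN is a placeholder because the real remote_proxy is masked.
LOCAL_LAN = "172.200.200.0/24"
REMOTE_LAN = "10.1.0.0/16"  # placeholder, not the real home-office subnet

def wildcard(cidr):
    """Render a CIDR as the IOS 'address wildcard' (inverse-mask) form."""
    n = ipa.ip_network(cidr)
    return f"{n.network_address} {n.hostmask}"

def crypto_acl(pairs):
    """Crypto ACL lines for (local, remote) subnet pairs (what ACL 101 should hold)."""
    return [f"permit ip {wildcard(s)} {wildcard(d)}" for s, d in pairs]

def mirrors(local_pairs, remote_pairs):
    """The peer's crypto ACL must be ours with source and destination swapped."""
    return set(local_pairs) == {(d, s) for s, d in remote_pairs}

def nat_acl(inside_nets, vpn_pairs):
    """NAT ACL: deny the VPN pairs first so they are never rewritten, then permit the rest."""
    lines = [f"deny ip {wildcard(s)} {wildcard(d)}" for s, d in vpn_pairs]
    return lines + [f"permit ip {wildcard(n)} any" for n in inside_nets]

def _network(tokens):
    """Consume 'any' or 'addr wildcard' from the token list; ipaddress accepts hostmasks."""
    if tokens[0] == "any":
        return ipa.ip_network("0.0.0.0/0"), tokens[1:]
    return ipa.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def acl_permits(acl_lines, src, dst):
    """First-match evaluation with the implicit deny at the end. Used with
    'ip nat inside source list', True means the packet would be translated."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for line in acl_lines:
        action, _, *rest = line.split()
        s_net, rest = _network(rest)
        d_net, _ = _network(rest)
        if src in s_net and dst in d_net:
            return action == "permit"
    return False

# 'access-list 1' as the thread uses it: source-only, so every LAN packet is NATed,
# including the ones that should have matched the crypto ACL.
LIST_1 = [f"permit ip {wildcard(LOCAL_LAN)} any"]
# 'access-list 110' as the reply suggests: VPN pairs exempted, everything else NATed.
LIST_110 = nat_acl([LOCAL_LAN], [(LOCAL_LAN, REMOTE_LAN)])

if __name__ == "__main__":
    print("list 1 would NAT a VPN packet:", acl_permits(LIST_1, "172.200.200.10", "10.1.254.23"))
    print("list 110 would NAT it:", acl_permits(LIST_110, "172.200.200.10", "10.1.254.23"))
    print("\n".join(LIST_110))
```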