modes

Cisco 1811 Configuration: Sample Please

I am attempting to set up a Cisco 1811 and am a nub when it comes to Cisco's IOS. Something you don't want to hear from the guy working on your router... "can't I do that through the GUI?"

And I can't do it through the GUI!

I have two static IPs that I would like to assign to the router and want both of them to be utilized by the same network segment. I'd also like the connections to be used concurrently rather than as a primary and a redundant connection. Is it possible to do this with the 1811?

I wish to implement a site-to-site VPN connection later using the 1811 to a PIX 515E, so the current setup should not be a detriment to those future plans if possible.


Anyway, I'd like FE0 to have X.X.X.97 and FE1 to have X.X.X.24 and only a single network segment using 10.0.0.3/253 via DHCP with both WAN interfaces servicing the 10.0.0.* range. The *.97 IP has a subnet of 255.255.255.248 and the *.24 has a subnet of 255.255.255.252.


Any help would be appreciated.
rsivanandan

Do a 'show version' on the router and post it here.

Have you gone through the Cisco site for configurations? If not, then do so; that should let you configure the basic items.

One question though: for WAN .97 and .24, are they given by different ISPs, or are they not on the same network?

Once you are done with basic configuration like configuring interfaces etc, post the configuration here and we can help out.

Cheers,
Rajesh

modes

ASKER

The IPs are both static; the *.24 is from a local cable company and the *.97 is from a DSL provider, both separate providers.

Here is the basic configuration. The problem I had with basically the same config the other day was the inability of the router's second WAN interface to take over traffic when the *.24 was offline. I should be able to test the current config later this evening and will post further details at that point. What I would like is to utilize both WAN channels simultaneously and am unsure whether I need to do something to specify that. That would be preferable to a primary / secondary (backup) config.

The username and IPs are x-ed out, but are the correct working numbers in another router I am aiming to replace with the 1811.

Building configuration...
Current configuration : 6601 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 205.xx.xx.xx
ip name-server 205.xx.xx.xx
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  quit
username xxxxx  privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.24 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.xx.65 eq domain host xx.xx.xx.24
access-list 101 permit udp host xx.xx.xx.65 eq domain host xx.xx.xx.24
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.24 echo-reply
access-list 101 permit icmp any host xx.xx.xx.24 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.24 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Thanks again.

rsivanandan

Do these:

ip cef

ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0

So by default, CEF (Cisco Express Forwarding) will enable the load balancing. So the default behaviour will be:

One session is sent out through FastEthernet1 and the other session is sent through FastEthernet0.

http://www.cisco.com/en/US/tech/tk827/tk831/technologies_tech_note09186a0080094806.shtml#whatis

The link above should let you introduce yourself to CEF. Don't go for the per-packet load balancing...

Cheers,
Rajesh
modes

ASKER

It would appear to me that I have a routing table problem. The SDM check on the WAN interfaces comes back with a positive report, indicating that they are up and running, but I cannot ping from the router out and get no functionality from machines that pick up an IP from the router. Below is the running config in hopes that you can see where I am obviously missing something.



Building configuration...

Current configuration : 6694 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server xx.xx.3.65
ip name-server xx.xx.2.65
ip name-server xx.xx.0.11
ip name-server xx.xx.0.10
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  quit
username myusername privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address xx.xx.xx.50 255.255.255.252
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.2.65 eq domain host xx.xx.xx.50
access-list 101 permit udp host xx.xx.3.65 eq domain host xx.xx.xx.50
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.50 echo-reply
access-list 101 permit icmp any host xx.xx.xx.50 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end



Thanks again.

rsivanandan

An easy thing. Can you remove the access-lists from both the interfaces and try to ping once for me? The SDM-created access-lists are horrible.

If it works, then we can concentrate on the ACLs.

Cheers,
Rajesh
modes

ASKER

Well, I can now browse using FE1, but FE0 still gives me nothing. I configured the router with the SDM startup guide for FE1 when I first booted and manually configured FE0, so I'm guessing somewhere in there lies the problem.

modes

ASKER

The ACLs are removed. I have full functionality on FE1 and nothing on FE0. Do you see anything in the config that leaps out and says FE0, the *.97 address, is pooched?

Would it be handy to include any other information that isn't output by default in the show running config?


Building configuration...

Current configuration : 6601 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LocalLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$I8tK$lNSXj1qDboNBDtT5o/Lyp0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server xx.xx.xx.65
ip name-server xx.xx.xx.65
ip name-server xx.xx.xx.10
ip name-server xx.xx.xx.11
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  quit
username myusername privilege 15 secret 5 $1$161N$7wineklYRZj6TbyYeJg8U0
!
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xx.xx.xx.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xx.xx.xx.50 255.255.255.252
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip xx.xx.xx.48 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host xx.xx.xx.65 eq domain host 24.111.15.50
access-list 101 permit udp host xx.xx.xx.65 eq domain host 24.111.15.50
access-list 101 deny   ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host xx.xx.xx.50 echo-reply
access-list 101 permit icmp any host xx.xx.xx.50 time-exceeded
access-list 101 permit icmp any host xx.xx.xx.50 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
no cdp run
!
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

rsivanandan

Do 'show ip int brief' and post it here.

I am guessing that interface is not up at all.

If that is the case, then you need to bring it up:

int fa0
no shut

Cheers,
Rajesh
modes

ASKER

LocalLan#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              xx.xx.xx.97    YES NVRAM  up                    down
FastEthernet1              xx.xx.xx.50    YES NVRAM  up                    down
FastEthernet2              unassigned      YES unset  up                    up
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    down
Vlan1                      10.0.0.2        YES NVRAM  up                    up
Async1                     unassigned      YES NVRAM  down                  down
NVI0                       unassigned      NO  unset  up                    up
LocalLan#


That doesn't appear to be the case unless I am reading this wrong.

modes

ASKER

I killed the existing config and reset the router to factory specs. Reconfigured and will test tomorrow. Changed the channels that the two services were coming into.

modes

ASKER

After doing the configuration a couple of different ways, it appears as though the problem is in my routing and NAT tables.

If I configure the FE1 or FE0 interfaces rather than the first hop (or gateway on the DSL and cable modems), I am unable to browse. If I have the first hop and NAT configured for the interface associated with the first hop, it works fine. However, I cannot have two routes configured or it appears as though I am getting out only part of the time. I just configured a loopback address and will see if that has anything to do with it.


I would like to configure both FE0 and FE1 to service Vlan1 (the only VLAN configured) and the NAT pool associated with the VLAN. Right now, if I do NAT by the interface that I have the default route created for, then I can browse. Basically I need to associate the NAT pool with both interfaces and the one VLAN. That works on one channel, but I would like to be able to have both WAN interfaces route traffic back to the only NAT pool on the router. So how do I configure both outside interfaces to use the same NAT pool?


modes

ASKER

Ignore most of the above post.

Basically I have the NAT pool configured for the IP address of the DSL connection. This prevents traffic going out on the cable connection from getting to the outside as it's trying to route through the .97 address. How can I configure the 1811 to use a single NAT pool for both the *.24 and *.97 addresses? That's what my problem has finally boiled down to.


The inside interface is 10.0.0.* and the outside interfaces need to be both the *.97 address and the *.50 addresses. I am unsure whether PAT is what I am looking for. Any further insights?

rsivanandan

Modes,

From your previous post:

>>FastEthernet0              xx.xx.xx.97    YES NVRAM  up                    down

That interface is down! And only FE0/1 and Vlan1 are up.

So can you do that once again and post it here, since you reconfigured everything?

Cheers,
Rajesh
modes

ASKER

The problem was when I had both interfaces enabled, I was getting traffic out only through one of them. When looking at the traffic, it was trying to route traffic out only one of the interfaces.

The question is resolved using the below config.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname myLan
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$fbEz$CGWMezys0uzcsaVT9Rgb90
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.255.0
   dns-server IP.IP.IP.65 IP.IP.IP.65
   default-router 10.0.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server IP.IP.IP.65
ip name-server IP.IP.IP.65
ip ssh time-out 60
ip ssh authentication-retries 2
ip sla 1
 icmp-echo IP.IP.IP.49 source-interface FastEthernet0
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo IP.IP.IP.102 source-interface FastEthernet1
 timeout 1000
 threshold 2
 frequency 3
ip sla schedule 2 life forever start-time now
!
!
crypto pki trustpoint TP-self-signed-1173857563
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1173857563
 revocation-check none
 rsakeypair TP-self-signed-1173857563
!
!
crypto pki certificate chain TP-self-signed-1173857563
 certificate self-signed 01
  quit
username XXXXXXXX privilege 15 secret 5 $1$aFMI$MGgoZCHNtPqjAAAhP3n3X0
!
!
track 100 rtr 1 reachability
!
track 101 rtr 2 reachability
!
class-map type inspect match-any internet-traffic-class
 match protocol tcp
 match protocol udp
 match protocol icmp
!
!
policy-map type inspect private-internet-policy
 class type inspect internet-traffic-class
  inspect
 class class-default
!
zone security private
zone security internet
zone-pair security private-internet source private destination internet
 service-policy type inspect private-internet-policy
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key XXXXXXX address IP.IP.IP.158
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to IP.IP.IP.158
 set peer IP.IP.IP.158
 set transform-set ESP-DES-SHA
 match address 103
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address IP.IP.IP.50 255.255.255.252
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 description $ES_WAN$$FW_OUTSIDE$
 ip address IP.IP.IP.97 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security internet
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 ip route-cache flow
 ip tcp adjust-mss 1452
 ip policy route-map ForceOutInt
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 IP.IP.IP.49 track 100
ip route 0.0.0.0 0.0.0.0 IP.IP.IP.102 track 101
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map CABLE interface FastEthernet0 overload
ip nat inside source route-map DSL interface FastEthernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=3
access-list 100 remark IPSec Rule
access-list 100 deny   ip 10.0.0.0 0.0.0.255 10.35.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark Midco Only
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.0.0.0 0.0.0.255 IP.IP.IP.48 0.0.0.3
access-list 102 remark Qwest Only
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.0.0.0 0.0.0.255 IP.IP.IP.96 0.0.0.7
access-list 102 permit ip 10.0.0.0 0.0.0.255 host IP.IP.IP.158
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.0.0.0 0.0.0.255 10.35.1.0 0.0.0.255
no cdp run
!
!
!
route-map ForceOutInt permit 10
 description Send traffic to CABLE
 match ip address 101
 set interface FastEthernet0
!
route-map ForceOutInt permit 20
 description Send traffic to DSL
 match ip address 102
 set interface FastEthernet1
!
route-map DSL permit 10
 match ip address 100
 match interface FastEthernet1
!
route-map CABLE permit 10
 match ip address 100
 match interface FastEthernet0
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end




Thanks for your help

rsivanandan

So it is working now? What was the problem?

Cheers,
Rajesh
modes

ASKER

Yes it is working now.

Basically, having NAT enabled and both WAN interfaces turned on, all traffic was trying to route out through one interface as I had NAT configured with a default interface. Route mapping the way above allows traffic to go out both interfaces.

Is it possible to do the peer-to-peer tunnel on the DSL line and an Easy VPN server on cable to allow dial-in?
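
Added example, not part of the thread and not Cisco tooling: a Python check that reads a running-config and reports the three conditions this thread ran into, namely a NAT-outside interface with no overload rule, a default route that names an interface instead of the first hop, and a WAN interface left with neither an inbound ACL nor a zone membership after the ACLs were removed for testing. The two excerpts are constructed from the thread's configs using documentation addresses, and the finding labels are hypothetical names chosen for this example.

```python
import re

# Constructed excerpt modelled on the thread's config after the ACLs were removed.
BROKEN = """
interface FastEthernet0
 ip address 192.0.2.97 255.255.255.248
 ip nat outside
!
interface FastEthernet1
 ip address 198.51.100.50 255.255.255.252
 ip nat outside
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
ip nat inside source list 1 interface FastEthernet1 overload
"""

# Constructed excerpt modelled on the config that resolved the question.
FIXED = """
interface FastEthernet0
 ip address 198.51.100.50 255.255.255.252
 ip nat outside
 zone-member security internet
!
interface FastEthernet1
 ip address 192.0.2.97 255.255.255.248
 ip nat outside
 zone-member security internet
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 zone-member security private
!
ip route 0.0.0.0 0.0.0.0 198.51.100.49 track 100
ip route 0.0.0.0 0.0.0.0 192.0.2.102 track 101
ip nat inside source route-map CABLE interface FastEthernet0 overload
ip nat inside source route-map DSL interface FastEthernet1 overload
"""


def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS running-config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any global command closes the block
    return interfaces


def nat_overload_interfaces(config):
    """Interfaces named by 'ip nat inside source ... interface X overload'."""
    pattern = r"^ip nat inside source (?:list|route-map) \S+ interface (\S+) overload"
    return set(re.findall(pattern, config, flags=re.M))


def audit_dual_wan(config):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    translated = nat_overload_interfaces(config)
    for name, cmds in parse_interfaces(config).items():
        if "ip nat outside" not in cmds:
            continue
        # Traffic routed out this interface has no translation rule of its own.
        if name not in translated:
            findings.append((name, "no-nat-rule"))
        # Heuristic: an inbound ACL or a zone membership counts as filtering.
        filtered = any(
            c.startswith("zone-member security")
            or re.match(r"ip access-group \S+ in$", c)
            for c in cmds
        )
        if not filtered:
            findings.append((name, "no-inbound-filter"))
    # A default route whose target starts with a letter names an interface,
    # not a first-hop address.
    for target in re.findall(
        r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)", config, flags=re.M
    ):
        findings.append((target, "default-route-via-interface"))
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_dual_wan(cfg))
```
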