pauldunai
asked on
I wish to exclude WAN traffic from VPN tunnels being NATed but am not sure of the configuration syntax
Hi experts, I have recently purchased a Cisco 1801 IOS 12.4 router to replace a Draytek device (which works quite well except it has no NetFlow or equivalent functionality). My network consists of a hub site where this device is located and 8 remote sites that are connected via VPN tunnels to this router. The 1800 router also functions as a NAT device that allows outgoing IP sessions from the local LAN such as web browsing and has open ports to allow outside computers to connect to specific servers on the local LAN. Everything works fine except when computers from the other sites try to connect to any computer/server that has a specific static NAT associated with it. For instance I can ping a web server by name from another site but can't browse to it. I have used sniffers and IOS debug and can confirm that the return packets exist and are being NATed by the router and hence lost. I only have one public IP address and about 13 NAT statements. I won't submit the whole config because I'm sure most of it is sound.
Hub subnet 10.18.0.0/24
remote subnets are 10.18.1-7.0/24
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23
ip nat inside source static tcp 10.18.0.22 23 interface Dialer0 2123
ip nat inside source static tcp 10.18.0.22 21 interface Dialer0 2121
ip nat inside source static tcp 10.18.0.21 21 interface Dialer0 21
ip nat inside source static tcp 10.18.0.20 8082 interface Dialer0 8082
ip nat inside source static tcp 10.18.0.20 4125 interface Dialer0 4125
ip nat inside source static tcp 10.18.0.20 3389 interface Dialer0 3389
ip nat inside source static tcp 10.18.0.20 3101 interface Dialer0 3101
ip nat inside source static tcp 10.18.0.20 1723 interface Dialer0 1723
ip nat inside source static tcp 10.18.0.20 444 interface Dialer0 444
ip nat inside source static tcp 10.18.0.20 443 interface Dialer0 443
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 25 interface Dialer0 25
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 103
Please advise
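To see the asker's diagnosis in code, here is an added Python model that is not from the post or from Cisco: it parses the NAT and ACL lines quoted above and reports, per packet, whether the overload rule, a static entry or no translation applies. It assumes (as the asker's debug output indicates) that static entries are matched before the route-map rule and carry no exemption of their own; the `exempt_static` flag, `CONFIG`, `PARSED` and `nat_decision` are constructed names, and the flag models the behaviour being asked for, not a particular IOS command.

```python
# Constructed model of the hub router's NAT decision (not IOS code, not from
# the post). Assumption: static "ip nat inside source static" entries are
# evaluated before the route-map driven overload rule and have no exemption.
import ipaddress
from dataclasses import dataclass

# Constructed excerpt using the same values as the posted config.
CONFIG = """
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 443 interface Dialer0 443
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 103
"""

@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: tuple    # (network as int, wildcard as int)
    dst: tuple

@dataclass
class StaticNat:
    proto: str
    local_ip: str
    local_port: int
    global_port: int

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_target(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return ((net, wild), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def _wild_match(ip, target):
    """IOS wildcard semantics: a 1 bit in the wildcard is a don't-care bit."""
    net, wild = target
    return (_ip(ip) | wild) == (net | wild)

def parse_config(text):
    """Return (acls, statics, route_maps, overload_route_map) from IOS lines."""
    acls, statics, rmaps = {}, [], {}
    overload_rmap = current_rmap = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, rest = _parse_target(t[4:])
            dst, _ = _parse_target(rest)
            acls.setdefault(t[1], []).append(AclEntry(t[2], src, dst))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            overload_rmap = t[5]
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            # ... static <proto> <local-ip> <local-port> interface <if> <global-port>
            statics.append(StaticNat(t[5], t[6], int(t[7]), int(t[10])))
        elif t[0] == "route-map":
            current_rmap = t[1]
        elif t[:3] == ["match", "ip", "address"] and current_rmap:
            rmaps[current_rmap] = t[3]
    return acls, statics, rmaps, overload_rmap

def acl_permits(entries, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if _wild_match(src_ip, e.src) and _wild_match(dst_ip, e.dst):
            return e.action == "permit"
    return False

def nat_decision(parsed, proto, src_ip, src_port, dst_ip, exempt_static=False):
    """Which translation an inside-to-outside packet receives. exempt_static=True
    models the wanted behaviour (static entries honouring the VPN exemption list)."""
    acls, statics, rmaps, overload_rmap = parsed
    exempt_acl = acls.get(rmaps.get(overload_rmap), [])
    vpn_bound = not acl_permits(exempt_acl, src_ip, dst_ip)  # ACL 103 "deny" = keep un-NATed
    for s in statics:
        if s.proto == proto and s.local_ip == src_ip and s.local_port == src_port:
            return "no-nat" if exempt_static and vpn_bound else f"static-nat:{s.global_port}"
    return "no-nat" if vpn_bound else "overload-nat"

PARSED = parse_config(CONFIG)

if __name__ == "__main__":
    # The web server's replies to a remote site hit the static entry even though
    # ACL 103 exempts that destination; a workstation's traffic is exempted as intended.
    for pkt in [("tcp", "10.18.0.50", 51000, "10.18.3.5"),
                ("tcp", "10.18.0.20", 80, "10.18.3.5"),
                ("tcp", "10.18.0.20", 80, "203.0.113.9")]:
        print(pkt, nat_decision(PARSED, *pkt), nat_decision(PARSED, *pkt, exempt_static=True))
```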
ASKER
Hi Harbour235, It is applied in the route-map named SDM_RMAP_1 which is used in the first "ip nat ..." statement. I believe that it is used to determine what not to NAT. Unfortunately I can't see how the route map can be used in all the other "ip nat" statements. I'll post more of the configuration soon. Just need to modify a few "secret bits".
ASKER
As requested, the config:
City-rt-1#sh run
Building configuration...
Current configuration : 21619 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname City-rt-1
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$//7Y$Mi1T.gmSrVWg6UUJ/xpBv.
!
no aaa new-model
!
resource policy
!
clock timezone Sydney 10
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.18.0.1 10.18.0.49
ip dhcp excluded-address 10.18.0.80 10.18.0.254
!
ip dhcp pool City_LAN
import all
network 10.18.0.0 255.255.255.0
domain-name xray.local
dns-server 10.18.0.20
default-router 10.18.0.1
netbios-name-server 10.18.0.20
!
!
ip domain name xray.local
ip name-server 10.18.0.20
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1419680130
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1419680130
revocation-check none
rsakeypair TP-self-signed-1419680130
!
!
crypto pki certificate chain TP-self-signed-1419680130
certificate self-signed 01
34C33A7C
quit
username admin privilege 15 secret 5
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_SDM_MEDIUM
class sdm_p2p_edonkey
class sdm_p2p_gnutella
class sdm_p2p_kazaa
class sdm_p2p_bittorrent
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key nowracity address 101.102.46.111
crypto isakmp key beachescity address 101.102.69.4
crypto isakmp key nowracity address 101.102.58.252
crypto isakmp key bowralcity address 101.102.68.160
crypto isakmp key vauclusecity address 101.102.51.233
crypto isakmp key watsonsbaycity address 101.102.69.2
crypto isakmp key maroubracity address 101.102.72.126
crypto isakmp key eastlakescity address 101.102.34.16
crypto isakmp key warriewoodcity address 101.102.81.232
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to101.102.69.4
set peer 101.102.69.4
set transform-set ESP-3DES-SHA1
match address 104
qos pre-classify
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to101.102.58.252
set peer 101.102.58.252
set transform-set ESP-3DES-SHA2
match address 105
qos pre-classify
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel to101.102.68.160
set peer 101.102.68.160
set transform-set ESP-3DES-SHA3
match address 106
qos pre-classify
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel to101.102.81.232
set peer 101.102.81.232
set transform-set ESP-3DES-SHA4
match address 107
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel to101.102.51.233
set peer 101.102.51.233
set transform-set ESP-3DES-SHA5
match address 108
qos pre-classify
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Tunnel to101.102.69.2
set peer 101.102.69.2
set transform-set ESP-3DES-SHA6
match address 109
qos pre-classify
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel to101.102.72.126
set peer 101.102.72.126
set transform-set ESP-3DES-SHA7
match address 110
qos pre-classify
crypto map SDM_CMAP_1 8 ipsec-isakmp
description Tunnel to101.102.34.16
set peer 101.102.34.16
set transform-set ESP-3DES-SHA8
match address 111
qos pre-classify
!
!
!
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
ip address 10.18.0.1 255.255.255.0
ip access-group 100 in
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 101.102.118.40 255.255.0.0
ip access-group 101 in
ip nat outside
ip inspect SDM_MEDIUM out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test@direct.telstra.net
ppp chap password 0 245254
ppp pap sent-username test@direct.telstra.net password 0 245254
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_MEDIUM
service-policy output sdmappfwp2p_SDM_MEDIUM
!
router rip
version 2
passive-interface Vlan1
network 10.0.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23
ip nat inside source static tcp 10.18.0.22 23 interface Dialer0 2123
ip nat inside source static tcp 10.18.0.22 21 interface Dialer0 2121
ip nat inside source static tcp 10.18.0.21 21 interface Dialer0 21
ip nat inside source static tcp 10.18.0.20 8082 interface Dialer0 8082
ip nat inside source static tcp 10.18.0.20 4125 interface Dialer0 4125
ip nat inside source static tcp 10.18.0.20 3389 interface Dialer0 3389
ip nat inside source static tcp 10.18.0.20 3101 interface Dialer0 3101
ip nat inside source static tcp 10.18.0.20 1723 interface Dialer0 1723
ip nat inside source static tcp 10.18.0.20 444 interface Dialer0 444
ip nat inside source static tcp 10.18.0.20 443 interface Dialer0 443
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.18.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.18.0.0 0.0.15.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq telnet
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 22
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq www
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 443
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq cmd
access-list 100 permit udp host 10.18.0.20 host 10.18.0.1 eq snmp
access-list 100 deny tcp any host 10.18.0.1 eq telnet
access-list 100 deny tcp any host 10.18.0.1 eq 22
access-list 100 deny tcp any host 10.18.0.1 eq www
access-list 100 deny tcp any host 10.18.0.1 eq 443
access-list 100 deny tcp any host 10.18.0.1 eq cmd
access-list 100 deny udp any host 10.18.0.1 eq snmp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq non500-isakmp
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq isakmp
access-list 101 permit esp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.34.16 host 101.102.118.40
access-list 101 permit esp host 101.102.34.16 host 101.102.118.40
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.72.126 host 101.102.118.40
access-list 101 permit esp host 101.102.72.126 host 101.102.118.40
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.2 host 101.102.118.40
access-list 101 permit esp host 101.102.69.2 host 101.102.118.40
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.51.233 host 101.102.118.40
access-list 101 permit esp host 101.102.51.233 host 101.102.118.40
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.81.231 host 101.102.118.40
access-list 101 permit esp host 101.102.81.231 host 101.102.118.40
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.68.160 host 101.102.118.40
access-list 101 permit esp host 101.102.68.160 host 101.102.118.40
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.58.252 host 101.102.118.40
access-list 101 permit esp host 101.102.58.252 host 101.102.118.40
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.4 host 101.102.118.40
access-list 101 permit esp host 101.102.69.4 host 101.102.118.40
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq non500-isakmp
access-list 101 remark IPSec Rule For Eastlakes VPN
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.34.16 any eq non500-isakmp
access-list 101 permit udp host 101.102.34.16 any eq isakmp
access-list 101 permit esp host 101.102.34.16 any
access-list 101 permit ahp host 101.102.34.16 any
access-list 101 remark IPSec Rule For Maroubra VPN
access-list 101 permit ip 10.18.7.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.72.126 any eq non500-isakmp
access-list 101 permit udp host 101.102.72.126 any eq isakmp
access-list 101 permit esp host 101.102.72.126 any
access-list 101 permit ahp host 101.102.72.126 any
access-list 101 remark IPSec Rule For Watsons Bay VPN
access-list 101 permit ip 10.18.6.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.2 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.2 any eq isakmp
access-list 101 permit esp host 101.102.69.2 any
access-list 101 permit ahp host 101.102.69.2 any
access-list 101 remark IPSec Rule for Vaucluse VPN
access-list 101 permit ip 10.18.5.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.51.233 any eq non500-isakmp
access-list 101 permit udp host 101.102.51.233 any eq isakmp
access-list 101 permit esp host 101.102.51.233 any
access-list 101 permit ahp host 101.102.51.233 any
access-list 101 remark IPSec Rule for Warriewood VPN
access-list 101 permit ip 10.18.4.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.81.231 any eq non500-isakmp
access-list 101 permit udp host 101.102.81.231 any eq isakmp
access-list 101 permit esp host 101.102.81.231 any
access-list 101 permit ahp host 101.102.81.231 any
access-list 101 remark IPSec Rule For Bowral VPN
access-list 101 permit ip 10.18.3.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.68.160 any eq non500-isakmp
access-list 101 permit udp host 101.102.68.160 any eq isakmp
access-list 101 permit esp host 101.102.68.160 any
access-list 101 permit ahp host 101.102.68.160 any
access-list 101 remark IPSec Rule for Nowra VPN
access-list 101 permit ip 10.18.2.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.58.252 any eq non500-isakmp
access-list 101 permit udp host 101.102.58.252 any eq isakmp
access-list 101 permit esp host 101.102.58.252 any
access-list 101 permit ahp host 101.102.58.252 any
access-list 101 remark IPSec Rule for Beaches VPN
access-list 101 permit ip 10.18.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.4 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.4 any eq isakmp
access-list 101 permit esp host 101.102.69.4 any
access-list 101 permit ahp host 101.102.69.4 any
access-list 101 remark Open ports
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 2123
access-list 101 permit tcp any any eq 2121
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 8082
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3101
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 444
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 deny ip 10.18.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip 10.18.0.0 0.0.15.255 any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit ip 10.18.0.0 0.0.15.255 any
dialer-list 1 protocol ip permit
snmp-server community xray RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Authorised Access Only. Disconnect immediately if you are not
an authorised user
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 112 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 113 in
privilege level 15
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
City-rt-1#
ip nat inside source static tcp 10.18.0.20 80 interface Dialer0 80
ip nat inside source static tcp 10.18.0.20 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.18.0.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.18.0.0 0.0.15.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq telnet
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 22
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq www
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq 443
access-list 100 permit tcp 10.18.0.0 0.0.15.255 host 10.18.0.1 eq cmd
access-list 100 permit udp host 10.18.0.20 host 10.18.0.1 eq snmp
access-list 100 deny tcp any host 10.18.0.1 eq telnet
access-list 100 deny tcp any host 10.18.0.1 eq 22
access-list 100 deny tcp any host 10.18.0.1 eq www
access-list 100 deny tcp any host 10.18.0.1 eq 443
access-list 100 deny tcp any host 10.18.0.1 eq cmd
access-list 100 deny udp any host 10.18.0.1 eq snmp
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq non500-isakmp
access-list 101 permit udp host 101.102.81.232 host 101.102.118.40 eq isakmp
access-list 101 permit esp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.81.232 host 101.102.118.40
access-list 101 permit ahp host 101.102.34.16 host 101.102.118.40
access-list 101 permit esp host 101.102.34.16 host 101.102.118.40
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.34.16 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.72.126 host 101.102.118.40
access-list 101 permit esp host 101.102.72.126 host 101.102.118.40
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.72.126 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.2 host 101.102.118.40
access-list 101 permit esp host 101.102.69.2 host 101.102.118.40
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.2 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.51.233 host 101.102.118.40
access-list 101 permit esp host 101.102.51.233 host 101.102.118.40
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.51.233 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.81.231 host 101.102.118.40
access-list 101 permit esp host 101.102.81.231 host 101.102.118.40
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.81.231 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.68.160 host 101.102.118.40
access-list 101 permit esp host 101.102.68.160 host 101.102.118.40
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.68.160 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.58.252 host 101.102.118.40
access-list 101 permit esp host 101.102.58.252 host 101.102.118.40
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.58.252 host 101.102.118.40 eq non500-isakmp
access-list 101 permit ahp host 101.102.69.4 host 101.102.118.40
access-list 101 permit esp host 101.102.69.4 host 101.102.118.40
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq isakmp
access-list 101 permit udp host 101.102.69.4 host 101.102.118.40 eq non500-isakmp
access-list 101 remark IPSec Rule For Eastlakes VPN
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.34.16 any eq non500-isakmp
access-list 101 permit udp host 101.102.34.16 any eq isakmp
access-list 101 permit esp host 101.102.34.16 any
access-list 101 permit ahp host 101.102.34.16 any
access-list 101 remark IPSec Rule For Maroubra VPN
access-list 101 permit ip 10.18.7.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.72.126 any eq non500-isakmp
access-list 101 permit udp host 101.102.72.126 any eq isakmp
access-list 101 permit esp host 101.102.72.126 any
access-list 101 permit ahp host 101.102.72.126 any
access-list 101 remark IPSec Rule For Watsons Bay VPN
access-list 101 permit ip 10.18.6.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.2 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.2 any eq isakmp
access-list 101 permit esp host 101.102.69.2 any
access-list 101 permit ahp host 101.102.69.2 any
access-list 101 remark IPSec Rule for Vaucluse VPN
access-list 101 permit ip 10.18.5.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.51.233 any eq non500-isakmp
access-list 101 permit udp host 101.102.51.233 any eq isakmp
access-list 101 permit esp host 101.102.51.233 any
access-list 101 permit ahp host 101.102.51.233 any
access-list 101 remark IPSec Rule for Warriewood VPN
access-list 101 permit ip 10.18.4.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.81.231 any eq non500-isakmp
access-list 101 permit udp host 101.102.81.231 any eq isakmp
access-list 101 permit esp host 101.102.81.231 any
access-list 101 permit ahp host 101.102.81.231 any
access-list 101 remark IPSec Rule For Bowral VPN
access-list 101 permit ip 10.18.3.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.68.160 any eq non500-isakmp
access-list 101 permit udp host 101.102.68.160 any eq isakmp
access-list 101 permit esp host 101.102.68.160 any
access-list 101 permit ahp host 101.102.68.160 any
access-list 101 remark IPSec Rule for Nowra VPN
access-list 101 permit ip 10.18.2.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.58.252 any eq non500-isakmp
access-list 101 permit udp host 101.102.58.252 any eq isakmp
access-list 101 permit esp host 101.102.58.252 any
access-list 101 permit ahp host 101.102.58.252 any
access-list 101 remark IPSec Rule for Beaches VPN
access-list 101 permit ip 10.18.1.0 0.0.0.255 10.18.0.0 0.0.0.255
access-list 101 permit udp host 101.102.69.4 any eq non500-isakmp
access-list 101 permit udp host 101.102.69.4 any eq isakmp
access-list 101 permit esp host 101.102.69.4 any
access-list 101 permit ahp host 101.102.69.4 any
access-list 101 remark Open ports
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 2123
access-list 101 permit tcp any any eq 2121
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 8082
access-list 101 permit tcp any any eq 4125
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 3101
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 444
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq smtp
access-list 101 deny ip 10.18.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.18.0.0 0.0.0.255 10.18.1.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.18.0.0 0.0.0.255 10.18.2.0 0.0.0.255
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.18.0.0 0.0.0.255 10.18.3.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.18.0.0 0.0.0.255 10.18.4.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.18.0.0 0.0.0.255 10.18.5.0 0.0.0.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 10.18.0.0 0.0.0.255 10.18.6.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 10.18.0.0 0.0.0.255 10.18.7.0 0.0.0.255
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 10.18.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark SDM_ACL Category=1
access-list 112 permit ip 10.18.0.0 0.0.15.255 any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit ip 10.18.0.0 0.0.15.255 any
dialer-list 1 protocol ip permit
snmp-server community xray RO
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
!
control-plane
!
banner login ^C
--------------------------
Authorised Access Only. Disconnect immediately if you are not
an authorised user
--------------------------
^C
!
line con 0
login local
line aux 0
line vty 0 4
access-class 112 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 113 in
privilege level 15
login local
transport input telnet ssh
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
City-rt-1#
The only IP address that would allow port 80 traffic through and that has a valid translation for port 80 is 10.108.0.20, does this box have a web server running? There is also a translation for 8082, is that a backup web port? If so it is for the same server 10.108.0.20, is that the box you are trying to browse to? From my first look at your lengthy config it is that you can only browse to 10.108.0.20 on ports 80 or 8082, is that what you are doing?
You also have CBAC running but you are not inspecting HTTP, is that what you want to do?
harbor235 ;}
ASKER
Yes, 10.18.0.20 has a web server (+ several other ports). It can be accessed from the local LAN (10.18.0.0/24) and the internet (using NAT). It can't be accessed from any other WAN/VPN subnet because the packets get NATed on their return. This happens for any TCP session started from the WAN/VPN subnets (10.18.1.0/24, 10.18.2.0/24 etc) for which a Static NAT has been configured. Another way to put it: given my current configuration I could access the server 10.18.0.20 from the WAN/VPN subnets on all ports except the ones being NATed.
I see now, you are doing overload NAT and static NAT simultaneously. This can be done but there are some restrictions. I would try using a different global address for your static NATs.
Here is a good link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
harbor235 ;}
ASKER
Ok I have made progress although I have some limitations. I should mention I only have 1 external IP address to play with.
I have replaced all "IP nat" commands with the following 2.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static 10.18.0.20 101.102.118.40 route-map SDM_RMAP_1
This lets me access all servers internally from the private subnets and local LAN (no NAT), and 1 server 10.18.0.20 from the Internet using static NAT. The thing I can't do is open up ports to another internal server (10.18.0.21 & 22) from the Internet. It looks like I may need another external IP address as you suggest above.
I can do this with my $250 Draytek but unfortunately not the Cisco 1801. Do you see another option?
Have you tried excluding the servers .20 and .21 explicitly so they are never overload NAT'd?
access-list 103 deny ip 10.108.0.20 0.0.0.0 any
access-list 103 deny ip 10.108.0.21 0.0.0.0 any
make sure you add this before this line:
access-list 103 permit ip 10.18.0.0 0.0.0.255 any
Also, what version of code are you using?
harbor235 ;}
ASKER
harbor235, I'm not sure how that would help. Would that not exclude 10.18.0.21 & 22 from any form of NAT, i.e. these 2 machines would have no way of communicating outside of the private network, even for sessions initiated from the inside?
What I really would need is to be able to attach a route-map to the following line and similar.
ip nat inside source static tcp 10.18.0.21 23 interface Dialer0 23
because the static NAT (1 to 1) that I use (below) excludes me from putting in any other static NAT statements without an additional IP address (for another 1 to 1 mapping)
ip nat inside source static 10.18.0.20 101.102.118.40 route-map SDM_RMAP_1
IOS version 12.4; unfortunately I can't verify exactly the variant. The router is new and I believe it was an "enhancement from the basic version for the 1801, same as the 1841 etc", sorry.
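The exchange above turns on two things that are easy to get wrong on the router: IOS evaluates a numbered ACL first-match with wildcard masks (so the placement of a `deny` relative to the final `permit ... any` decides whether it ever fires), and a static `ip nat inside source static tcp ...` entry that carries no route-map is applied on inside address and port alone, regardless of where the reply is going. The following is an added example, not the router's configuration or any Cisco code: a small Python model that parses `access-list 103` lines, evaluates them the way IOS does, and reports whether a given packet is translated by a static entry, by the overload pool, or not at all. The `acl_permits`, `nat_decision` and `with_host_excluded` names are mine; the ACL lines and static entries are rebuilt from the posted configuration, while the spoke client, the `203.0.113.9` Internet host and the host-style exclusion line are constructed for the demonstration. The `static_uses_route_map` flag is an assumption that models the difference between the original per-port static entries and the later single static entry tied to `SDM_RMAP_1`, matching the behaviour described in the posts.

```python
"""Offline model of the hub router's inside-source NAT decision.

Added example, not the router's or Cisco's own code.  It re-implements IOS
wildcard-mask ACL matching and the order in which a static NAT entry and the
overload route-map are consulted, so the effect of each access-list 103 line
can be checked before it is typed into the router.  ACL lines and static
entries are constructed from the configuration posted above; the flows and the
203.0.113.9 Internet host are made up for the demonstration.
"""
import ipaddress
from typing import List, Set, Tuple


def _parse_target(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (net, wildcard, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wildcard, i + 2


def _wc_match(addr: str, net: int, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)


def acl_permits(acl_lines: List[str], src: str, dst: str) -> bool:
    """First-match evaluation of 'access-list N permit|deny ip SRC DST' lines.
    Remarks are skipped; falling off the end is the implicit deny (False)."""
    for line in acl_lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        s_net, s_wc, i = _parse_target(t, 4)
        d_net, d_wc, _ = _parse_target(t, i)
        if _wc_match(src, s_net, s_wc) and _wc_match(dst, d_net, d_wc):
            return t[2] == "permit"
    return False


def nat_decision(src: str, sport: int, dst: str, acl_lines: List[str],
                 static_pat: Set[Tuple[str, int]],
                 static_uses_route_map: bool) -> str:
    """Return 'static' if a static port entry translates the packet, 'overload'
    if the PAT pool does, or 'none' if it leaves untranslated.

    Assumption modelled here: a static entry with no route-map matches on
    inside address:port alone, whatever the destination, which is the case in
    which a reply from 10.18.0.20:80 towards a VPN subnet is translated and lost.
    With a route-map attached, the static entry is only used when ACL 103 permits."""
    permitted = acl_permits(acl_lines, src, dst)
    if (src, sport) in static_pat and (permitted or not static_uses_route_map):
        return "static"
    return "overload" if permitted else "none"


def with_host_excluded(acl_lines: List[str], deny_line: str,
                       before_permit: bool) -> List[str]:
    """Copy of the ACL with deny_line placed either before the first permit
    (first match wins, so it takes effect) or appended after it (never reached)."""
    first_permit = next(i for i, l in enumerate(acl_lines)
                        if l.split()[2] == "permit")
    out = list(acl_lines)
    out.insert(first_permit if before_permit else len(out), deny_line)
    return out


# Constructed from the posted config: ACL 103 denies hub-to-spoke traffic so the
# route-map (and therefore overload NAT) does not apply to it, then permits the rest.
SPOKES = [f"10.18.{n}.0" for n in range(1, 8)] + ["192.168.1.0"]
ACL_103 = ["access-list 103 remark IPSec Rule"] + [
    f"access-list 103 deny ip 10.18.0.0 0.0.0.255 {spoke} 0.0.0.255" for spoke in SPOKES
] + ["access-list 103 permit ip 10.18.0.0 0.0.0.255 any"]

# A few of the posted 'ip nat inside source static tcp ... interface Dialer0' entries.
STATIC_PAT = {("10.18.0.20", 80), ("10.18.0.20", 443), ("10.18.0.21", 23)}

# Host-style exclusion of the kind suggested above (constructed; address taken from the posted config).
HOST_DENY = "access-list 103 deny ip 10.18.0.20 0.0.0.0 any"


if __name__ == "__main__":
    reply = ("10.18.0.20", 80, "10.18.1.5")  # web server reply to a spoke client
    print("per-port static, no route-map:", nat_decision(*reply, ACL_103, STATIC_PAT, False))  # static
    print("static tied to route-map     :", nat_decision(*reply, ACL_103, STATIC_PAT, True))   # none
    for before in (True, False):
        acl = with_host_excluded(ACL_103, HOST_DENY, before)
        hit = acl_permits(acl, "10.18.0.20", "203.0.113.9")
        print("host deny", "before" if before else "after", "permit ->",
              "translated" if hit else "not translated")
```

Run as a script, the first two lines show the reported symptom and its cure: with the per-port static entries the reply towards 10.18.1.5 is translated even though ACL 103 denies it, and once the static entry is conditioned on the route-map it passes untouched. The last two lines show why the ordering advice matters: the host exclusion only has an effect when it sits above the final `permit ... any`, and when it does, that host is excluded from the route-map for every destination, so it also loses overload NAT for its own outbound sessions.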
ASKER CERTIFIED SOLUTION
ASKER
Thanks Harbor235 for your answers and feedback. I have gone down the path of acquiring more public IP addresses. This should make life easier all round. I think I can easily configure with multiple IPs.
The ACL specifies the inside addresses
More info is needed
harbor235 ;}