Unable to ping to dsl modem connected to cisco router

Hi,
I am trying to set up my router to manage/ping the DSL modem (10.0.0.1) connected to my router. From the router, I am able to ping the DSL modem, but clients connected behind the router are not able to get a reply from/manage the modem. I have enabled NATing on the interface connected to the modem. Not sure if additional config is required?  Do note that there are no issues with internet.
Network Diagram:

client <--> router <-->modem

Thanks.
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime year
service timestamps log datetime localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging buffered 51200 informational
no logging console
no logging monitor
!
no aaa new-model
clock timezone SGP 8
no ip source-route
no ip gratuitous-arps
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
!
no ip bootp server
ip domain lookup source-interface FastEthernet0/1
ip name-server 192.168.254.138
ip port-map user-ASA--2 port udp 460
ip port-map user-ASA--1 port tcp 460
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3 alert off
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
ip ddns update method sdm_ddns1
 HTTP
  add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<
a>
  remove http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myi
p=<a>
!
vpdn enable
!
vpdn-group 1
!
!
!
crypto pki trustpoint TP-self-signed-933800604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-933800604
 revocation-check none
 rsakeypair TP-self-signed-933800604
!
!
crypto pki certificate chain TP-self-signed-933800604
 certificate self-signed 01
  quit
username Admin privilege 15 password 7 xxx
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Interface_2Wire$ETH-WAN$
 ip address 10.0.0.2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no keepalive
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.254.129 255.255.255.224
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 10240
 ip ddns update hostname xx.xxx.xxx
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group Internet_In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect CCP_LOW out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list Test interface FastEthernet0/0 overload
ip nat inside source list Internet interface Dialer0 overload
ip nat inside source static tcp 192.168.254.138 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.254.133 460 interface Dialer0 460
ip nat inside source static udp 192.168.254.133 460 interface Dialer0 460
!
ip access-list extended Free_Access
 remark CCP_ACL Category=128
 permit ip host 192.168.254.157 any
ip access-list extended Internet
 permit ip 192.168.254.128 0.0.0.31 any
ip access-list extended Internet_In
 remark Allowed_Traffic_In
 permit tcp any any eq 1723 log
 permit gre any any
 permit tcp any any eq 460
 permit udp any any eq 460
 permit icmp any any echo-reply
 deny   ip 192.168.254.128 0.0.0.31 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
ip access-list extended PPTP
 permit gre any host 192.168.254.138
 permit tcp any host 192.168.254.138 eq 1723
ip access-list extended Test
 permit ip 192.168.254.128 0.0.0.31 any
!
logging server-arp
logging 192.168.254.138
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.254.133
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.254.133
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 1723
access-list 104 permit tcp any any eq 460
access-list 104 permit udp any any eq 460
access-list 104 deny   ip 192.168.254.128 0.0.0.31 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
no cdp run
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 login local
!
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp clock-period 17178551
ntp update-calendar
ntp server 192.168.254.138 source FastEthernet0/1 prefer
end
Router#

Asked: cwtang

suggestionstick Commented:
Hi,
What are the model numbers of both the modem and the router?

I am assuming that you are not using the ADSL?? interface (Dialer 0) on the router, but are trying to use the Fast Ethernet ports instead.

Based on the above assumption, the default route is incorrect:

ip route 0.0.0.0 0.0.0.0 Dialer0

should be

ip route 0.0.0.0 0.0.0.0 10.0.0.1

Also, based on the previous assumption, you can remove the ip nat outside from Dialer 0

and also remove the following command from the config:

ip nat inside source list Internet interface Dialer0 overload

If the previous assumption is incorrect and you are using Dialer 0 via bridging, etc., please mention it in the next post.

blue-screen Commented:
You actually want NAT *OFF* to the modem interface, but if you do that you need to set a DEFAULT GATEWAY on the modem to 10.0.0.2.  You also need to set a NAT exception that traffic to 10.0.0.0 should not be translated, namely

ip access-list extended Internet
deny ip 192.168.254.128 0.0.0.31 10.0.0.0 0.255.255.255

If you can't set a default gateway on the two wire, you can leave it on NAT and set a static translate command for some address on the 192.168.254.128 network to map to the modem

ip nat inside 192.168.254.x 10.0.0.1

cwtang (Author) Commented:
Hi,
Thanks for the suggestions. What I am trying to do is as follows:

1. To web-manage the 2wire modem/router from the Cisco router interface FastEthernet 0/0 (preferably overload)
2. The 2wire modem/router should not have access to the Cisco router except for web management/ping from the Cisco router via interface FastEthernet 0/0
3. At all times, the Cisco router should have its firewall externally facing both the internet and the 2wire modem/router
4. The reason for the firewall on the Cisco router is that the 2wire can be accessed from the ISP (remote access from the ISP; the ISP is able to access the network connected to the 2wire).
5. The 2wire modem/router is acting as an ADSL modem/voice/media streaming

blue-screen Commented:
"Dialer 0" is the interface "facing the internet."

So to clarify: you want to access the 2 wire modem itself from the Internet?  That's a little trickier, but possible.

Since the Cisco router already has a web interface, you need to pick another port and will have to access the 2wire as http://dynamic-hostname.yourdomain.com:81 or whatever port number you pick.

Your translate becomes a more complex statement.  Let me know if this is what you are expecting - You want to reach the modem FROM THE INTERNET, using the exact same IP address dynamically assigned by the ISP?

cwtang (Author) Commented:
Hi,
I just need to access the 2wire from the 192.168.254.128 network. I do not need to access the modem from the internet. (Reason is the modem can be accessed using VPN)

cwtang (Author) Commented:
Forgot to add:

An example of access would be as follows:

clients (192.168.254.128)<-->(192.168.254.129 fastethernet 0/1)router(10.0.0.2 fastethernet 0/0)-->2wire (10.0.0.1)

Thanks.

blue-screen Commented:
OK, that is much easier.  Does the 2 Wire already have a static IP address set?  Which 2-Wire model is this?

REMOVE the ip nat outside from the interface where the 2-Wire is connected.  You do not need to NAT there: the NAT is only on Dialer 0.

The 10.0.0.0 network is directly connected, so there is no route needed on the Cisco (presuming that all clients default-route to the Cisco and there is no other 10.0.0.0 subnet).

THEN: Add a static route to the 2-Wire: 192.168.254.128 255.255.255.224 via 10.0.0.2

Or, if the 2 Wire is NOT doing any NAT or routing (just a bridge), you can set the default route of the 2-Wire to 10.0.0.2.

In any event, NAT is not what you want here, if you can avoid it.  If you can't make the simple changes on the 2Wire, you CAN do it with NAT, by mapping a "phantom" available inside address to 10.0.0.1.  However, since addresses are so scarce on that subnet, I'd recommend the routing case.

You *MAY* be able to overload the address of 192.168.254.129 in a static translation, but I have not tried it.

I'd have to think it through and test, but something like adding a NAT EXCEPTION on the first NAT statement for traffic destined to a specific TCP port (e.g. 81) on the router address, followed by a second NAT statement specifically allowing the excepted address/port combo and sending it to 10.0.0.1.

I prefer the non-NAT path if you can make the simple static route on the 2-Wire.

cwtang (Author) Commented:
Hi,
For the 2wire, it should not contain any routes (I don't want the ISP to be aware of my network).  I have tried to overload interface fa0/0, however I am not able to ping/web-manage the 2wire. Previously, I added another hardware firewall to access/web-manage the 2wire modem.
I was wondering if it would be possible to remove the hardware firewall and use NATing on the Cisco router to access/web-manage the 2wire?
Thanks

blue-screen Commented:
Most 2Wire models have the ability to add static routes, so just add a route back to your network.

If you insist on using NAT, it should be possible, but may cost an extra inside IP address.  You can do it with something like

ip nat inside source static  (phantom inside address) 10.0.0.2

If you want to overload, it would be something like

ip nat inside source static 192.168.254.129 tcp 8080 10.0.0.2 tcp 80 extendable

I think the extendable keyword is needed to share the IP address of the interface.

If that is allowed, connections to http://192.168.254.129:8080 should go to the modem.

DANGER:  I have not tested this - it is a hunch.  Should send you in the right direction, though.

cwtang (Author) Commented:
Hi,
I have tried doing the ip nat inside/outside, however it keeps going to the router instead of the modem.

Diagram as follows:

PC <--------------------------------------------> router -----------------------------> modem
192.168.254.xx     192.168.254.129(internal) & 10.0.0.2(External)            10.0.0.1

From the PC, if possible, one would just need to type a phantom IP address (192.168.254.x) or 10.0.0.1 to manage the 2wire modem.

Not sure if it is a requirement to have NAT using a route map for it to work. I will try that out to see if it will help.

blue-screen Commented:
If you can spare a phantom IP address, that would be great.

You need to make sure that you have an exception in the list "Internet" to stop modem-bound traffic from hitting the first NAT.

ip access-list extended Internet
 deny ip 192.168.254.128 0.0.0.31 host 10.0.0.1
 permit ip 192.168.254.128 0.0.0.31 any

cwtang (Author) Commented:
Hi,
Thanks for the information. I managed to resolve it sometime earlier.  Yup, NATing with a route map is required for it to work. In fact I would need 2 route maps for it to work; 1 for defining internet traffic while the other defines 2wire traffic. It would also work with overloading using interface fa0/0 IP address/NAT pool IP address.

Thanks for the assistance :)

blue-screen Commented:
You should post your final working configuration for posterity!

cwtang (Author) Commented:
Hi,
As requested, I have attached the updated code for reference :)

version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime year
service timestamps log datetime localtime show-timezone year
service password-encryption
service compress-config
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging count
logging buffered 51200 informational
no logging console
no logging monitor
!
no aaa new-model
clock timezone SGP 8
no ip source-route
no ip gratuitous-arps
ip cef
!
ip nbar pdlm flash:bittorrent.pdlm
!
!
!
no ip bootp server
ip domain lookup source-interface FastEthernet0/1
ip name-server 192.168.254.138
ip port-map user-ASA--2 port udp 460
ip port-map user-ASA--1 port tcp 460
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3 alert off
ip inspect name CCP_LOW netshow
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp router-traffic
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
ip inspect name 2Wire https
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
ip ddns update method sdm_ddns1
 HTTP
  add http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<
a>
  remove http://xxx:xxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myi
p=<a>
!
vpdn enable
!
vpdn-group 1
!
!
!
crypto pki trustpoint TP-self-signed-933800604
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-933800604
 revocation-check none
 rsakeypair TP-self-signed-933800604
!
!
crypto pki certificate chain TP-self-signed-933800604
 certificate self-signed 01
  quit
username Admin privilege 15 password 7 xxx
archive
 log config
  logging enable
  logging size 200
  notify syslog
  hidekeys
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Interface_2Wire$ETH-WAN$
 ip address 10.0.0.2 255.255.255.248
 ip access-group Traffic_Frm_2Wire in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect 2Wire out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no keepalive
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.254.129 255.255.255.224
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer0
 description $FW_OUTSIDE$
 bandwidth 10240
 ip ddns update hostname xxx
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group Internet_In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect CCP_LOW out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxx password 7 xxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map 2wire interface FastEthernet0/0 overload
ip nat inside source route-map Internet interface Dialer0 overload
ip nat inside source static tcp 192.168.254.138 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.254.133 460 interface Dialer0 460
ip nat inside source static udp 192.168.254.133 460 interface Dialer0 460
!
ip access-list extended Free_Access
 remark CCP_ACL Category=128
 permit ip host 192.168.254.157 any
ip access-list extended H2Wire
 permit ip 192.168.254.128 0.0.0.31 10.0.0.0 0.0.0.7
ip access-list extended Internet
 deny   ip 192.168.254.128 0.0.0.31 10.0.0.0 0.0.0.7
 permit ip 192.168.254.128 0.0.0.31 any
ip access-list extended Internet_In
 remark Allowed_Traffic_In
 permit tcp any any eq 1723 log
 permit gre any any
 permit tcp any any eq 460 log
 permit udp any any eq 460 log
 permit icmp any any echo-reply
 deny   ip 192.168.254.128 0.0.0.31 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any
ip access-list extended PPTP
 permit gre any host 192.168.254.138
 permit tcp any host 192.168.254.138 eq 1723
ip access-list extended Traffic_Frm_2Wire
 permit icmp any host 10.0.0.2 echo-reply
 
!
logging server-arp
logging 192.168.254.138
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.254.133
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.254.133
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 1723
access-list 104 permit tcp any any eq 460
access-list 104 permit udp any any eq 460
access-list 104 deny   ip 192.168.254.128 0.0.0.31 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
no cdp run
!
route-map 2wire permit 10
 match ip address H2Wire
 match interface FastEthernet0/0 
!
route-map Internet permit 10
 match ip address Internet
!
!
!
!
control-plane
!
!
!
line con 0
 session-timeout 5
line aux 0
 exec-timeout 0 1
 no exec
 transport output none
line vty 0 4
 session-timeout 5
 timeout login response 90
 login local
!
exception crashinfo maximum files 5
scheduler allocate 20000 1000
ntp clock-period 17178546
ntp update-calendar
ntp server 192.168.254.138 source FastEthernet0/1 prefer
end
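
The difference between the original and final NAT conditions, as an added example that is not part of the thread or of cwtang's configuration: a small Python model that evaluates the posted ACL and route-map lines against sample flows and lists every NAT statement whose condition a flow satisfies. The parser, the function names, the `egress_for` routing shortcut and the sample addresses are assumptions of this sketch; it models only ACL/route-map matching, not the IOS NAT engine.

```python
import ipaddress
# NAT-related lines copied from the two configurations posted in this thread.
ORIGINAL = """
ip access-list extended Internet
 permit ip 192.168.254.128 0.0.0.31 any
ip access-list extended Test
 permit ip 192.168.254.128 0.0.0.31 any
ip nat inside source list Test interface FastEthernet0/0 overload
ip nat inside source list Internet interface Dialer0 overload
"""
FINAL = """
ip access-list extended H2Wire
 permit ip 192.168.254.128 0.0.0.31 10.0.0.0 0.0.0.7
ip access-list extended Internet
 deny   ip 192.168.254.128 0.0.0.31 10.0.0.0 0.0.0.7
 permit ip 192.168.254.128 0.0.0.31 any
route-map 2wire permit 10
 match ip address H2Wire
 match interface FastEthernet0/0
route-map Internet permit 10
 match ip address Internet
ip nat inside source route-map 2wire interface FastEthernet0/0 overload
ip nat inside source route-map Internet interface Dialer0 overload
"""

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    base = tokens.pop(0) if first == "host" else first
    wild = "0.0.0.0" if first == "host" else tokens.pop(0)
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def parse(config):
    acls, maps, nat, current = {}, {}, [], None
    for tokens in (line.split() for line in config.splitlines() if line.strip()):
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
        elif tokens[0] == "route-map":
            current = maps.setdefault(tokens[1], {"acl": None, "interface": None})
        elif tokens[0] == "match":   # 'match ip address X' or 'match interface Y'
            current["acl" if tokens[1] == "ip" else "interface"] = tokens[-1]
        elif tokens[0] in ("permit", "deny"):   # only 'ip' entries appear here
            rest = tokens[2:]
            current.append((tokens[0], take_addr(rest), take_addr(rest)))
        elif tokens[:4] == ["ip", "nat", "inside", "source"]:
            nat.append((tokens[4], tokens[5], tokens[7]))  # kind, name, interface
    return acls, maps, nat

def covers(addr, base, wildcard):
    # Wildcard bits set to 1 are "don't care"; all other bits must equal base.
    return (int(ipaddress.IPv4Address(addr)) ^ base) & ~wildcard & 0xFFFFFFFF == 0

def acl_permits(entries, src, dst):
    for action, (sbase, swild), (dbase, dwild) in entries:
        if covers(src, sbase, swild) and covers(dst, dbase, dwild):
            return action == "permit"   # first match wins
    return False                        # implicit deny at the end

def egress_for(dst):
    # Assumption from the posted config: 10.0.0.0/29 is on Fa0/0, the rest exits Dialer0.
    on_modem_lan = ipaddress.ip_address(dst) in ipaddress.ip_network("10.0.0.0/29")
    return "FastEthernet0/0" if on_modem_lan else "Dialer0"

def nat_candidates(config, src, dst):
    """Overload interfaces of every NAT statement whose condition matches the flow."""
    acls, maps, nat = parse(config)
    hits = []
    for kind, name, iface in nat:
        rm = maps[name] if kind == "route-map" else {"acl": name, "interface": None}
        if acl_permits(acls[rm["acl"]], src, dst) and rm["interface"] in (None, egress_for(dst)):
            hits.append(iface)
    return hits
```

For a client flow to 10.0.0.1, `nat_candidates(ORIGINAL, ...)` returns both statements because the lists Test and Internet permit identical traffic, while `nat_candidates(FINAL, ...)` returns only the FastEthernet0/0 statement.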
