CpTnCuRt
I am setting up a Cisco 3845 ISR and we have 3 internet connections, need the best way to configure the router to automatically switch routing to next best/available connection.
I am setting up a Cisco 3845 (security bundle) and we have 3 internet connections (for redundancy if one of them fails) a 10 meg Ethernet, a T1 and a 1 Meg Ethernet (via satellite).
I'm trying to find the best way to configure it so that it automatically routes traffic through the next best/available connection.
We currently have 2 public subnets
164.50.24.81 255.255.255.240 14 addresses
164.50.24.198 255.255.255.248 6 addresses
   ISP1            ISP2            ISP3
  10 meg            T1        1 meg satellite
      \              |              /
       \             |             /
        \            |            /
         \           |           /
          \          |          /
        ----------------------
        |      CR1 - 3845     |
        ----------------------
                   |
                   |
                   |
             Private network
You will likely also want load balanced NAT, which you can find here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a00808d2b72.shtml
ASKER
I can now ping from the router to the outside world, but can't ping from my computer on the private side of the router. I can ping the router's private address, but nothing public.
An afterthought I have is that we have some public IP addresses. Is there a way to automatically have them available when the primary circuit goes down?
Post your current config.
ASKER
IP addresses and names have been changed for privacy.
sh run
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current configuration : 13329 bytes
!
! Last configuration change at 14:04:03 PCTime Wed Jan 6 2010 by admin
! NVRAM config last updated at 15:43:17 PCTime Thu Dec 31 2009 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*******
revocation-check none
rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
certificate self-signed 01
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ***
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
import all
network 172.90.1.0 255.255.255.0
dns-server 164.105.1.129 164.105.1.130
default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 164.50.1.129
ip name-server 164.50.1.130
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 ***********************
archive
log config
hidekeys
!
!
!
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any BootPS192
match protocol udp
match protocol bootpc
match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map BootPS192
match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
match file-transfer
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
log
allow
class type inspect edonkey sdm-app-edonkeydownload
log
allow
class type inspect fasttrack sdm-app-fasttrack
log
allow
class type inspect gnutella sdm-app-gnutella
log
allow
class type inspect kazaa2 sdm-app-kazaa2
log
allow
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
inspect
service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
inspect
service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 172.90.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security in-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 67.109.39.71 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface FastEthernet0/0/0
description Sat_backup
ip address 109.35.82.65 255.255.255.0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
description PTP T-1 to **** CID#123412341234$FW_OUTSIDE$
ip address 164.50.20.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended BootPS192
remark SDM_ACL Category=128
permit ip host 192.168.11.6 any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.64 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 109.35.82.65 0.0.0.255 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I don't see any NAT statements.
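The two gaps the replies circle around, the missing NAT statements and floating static default routes that only drop when their own interface goes down, as an added configuration audit that is not part of the thread (not the asker's config or Cisco's code). It runs the same checks over an excerpt of the posted config and over a constructed corrected fragment; the corrected fragment assumes IOS 12.4T-style `ip sla` syntax, shows only track 1 and route-map ISP1 (ISP2 and ISP3 repeat the pattern), and uses 203.0.113.1 as a placeholder probe target beyond the ISP's first hop.

```python
"""Audit NAT and default-route failover in a Cisco IOS 'show run' dump.
Added example for this thread, not the asker's configuration or Cisco's code."""
import re
from typing import Dict, List

# Excerpt of the posted 'sh run', cut down to the lines the audit reads.
AS_POSTED = """\
interface GigabitEthernet0/0
 zone-member security in-zone
interface GigabitEthernet0/1
 ip nat outside
 zone-member security out-zone
interface FastEthernet0/0/0
 zone-member security out-zone
interface Serial0/1/0
 ip nat outside
 zone-member security out-zone
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15
"""

# Constructed corrected fragment (assumed, not from the thread): the LAN is
# 'ip nat inside', every WAN link is 'ip nat outside', NAT is chosen by egress
# interface through a route-map (one per ISP, ISP1 shown), and each default
# route follows an IP SLA track object (track 1 shown; 2 and 3 repeat the
# pattern per ISP).  203.0.113.1 is a placeholder probe target past the ISP.
CORRECTED = """\
interface GigabitEthernet0/0
 ip nat inside
 zone-member security in-zone
interface GigabitEthernet0/1
 ip nat outside
 zone-member security out-zone
interface FastEthernet0/0/0
 ip nat outside
 zone-member security out-zone
interface Serial0/1/0
 ip nat outside
 zone-member security out-zone
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5 track 1
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10 track 2
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15 track 3
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
route-map ISP1 permit 10
 match interface GigabitEthernet0/1
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its stripped sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # any other top-level line closes the stanza
    return stanzas


def audit(config: str) -> List[str]:
    """Return one finding per gap; an empty list means the checks pass."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    outside = {n for n, c in ifaces.items() if "ip nat outside" in c}
    inside = {n for n, c in ifaces.items() if "ip nat inside" in c}
    out_zone = {n for n, c in ifaces.items() if "zone-member security out-zone" in c}
    # NAT needs an inside interface, outside interface(s) and a translation rule.
    if outside and not inside:
        findings.append("no interface carries 'ip nat inside'")
    if not re.search(r"^ip nat inside source ", config, re.M):
        findings.append("no 'ip nat inside source' translation rule")
    # A WAN link that does not NAT sends private sources out once traffic fails over to it.
    for name in sorted(out_zone - outside):
        findings.append(f"{name}: in out-zone but lacks 'ip nat outside'")
    # A floating static without 'track' only drops when its interface goes down,
    # not when the ISP loses upstream reachability while the Ethernet stays up.
    pat = r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\d+)(.*)$"
    for nexthop, ad, rest in re.findall(pat, config, re.M):
        if "track" not in rest:
            findings.append(f"default via {nexthop} (AD {ad}): no track object")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"== {label}", *audit(cfg), sep="\n  ")
```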
ASKER
I added
ip nat inside
to the inside interface and I still can't see the outside world.
sh run
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Current configuration : 13329 bytes
!
! Last configuration change at 11:25:14 PCTime Wed Jan 15 2010 by admin
! NVRAM config last updated at 11:26:51 PCTime Wed Jan 15 2010 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*******
revocation-check none
rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
certificate self-signed 01
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ***
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
import all
network 172.90.1.0 255.255.255.0
dns-server 164.105.1.129 164.105.1.130
default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 164.50.1.129
ip name-server 164.50.1.130
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username admin privilege 15 secret 5 ***********************
archive
log config
hidekeys
!
!
!
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any BootPS192
match protocol udp
match protocol bootpc
match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map BootPS192
match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
match file-transfer
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
log
allow
class type inspect edonkey sdm-app-edonkeydownload
log
allow
class type inspect fasttrack sdm-app-fasttrack
log
allow
class type inspect gnutella sdm-app-gnutella
log
allow
class type inspect kazaa2 sdm-app-kazaa2
log
allow
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
inspect
service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
inspect
service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 172.90.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
zone-member security in-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 67.109.39.71 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface FastEthernet0/0/0
description Sat_backup
ip address 109.35.82.65 255.255.255.0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
description PTP T-1 to **** CID#123412341234$FW_OUTSIDE$
ip address 164.50.20.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended BootPS192
remark SDM_ACL Category=128
permit ip host 192.168.11.6 any
!
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.64 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 109.35.82.65 0.0.0.255 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
~~~~~~~~~~~~~~~~~~~~~~~~~~
Added "ip nat inside" to the inside interface and I still can't see the outside world.
ASKER CERTIFIED SOLUTION
ASKER
This is my first shot at this tracking thing, so let me know if I have anything wrong.
~~~~~~~~~~~~~~~~~~~~~~~~~~
Here I'm assuming that you have to have a separate track for each outside interface.
Does rtr 1 need to be that actual route?
track 123 rtr 1 reachability
delay down 15 up 10
track 234 rtr 2 reachability
delay down 15 up 10
track 345 rtr 3 reachability
delay down 15 up 10
~~~~~~~~~~~~~~~~~~~~~~~~~~
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 123
ip route 0.0.0.0 0.0.0.0 Serial0/1/0 track 234
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0/0 track 345
ip nat inside source route-map Primary-nat interface GigabitEthernet0/1 overload
ip nat inside source route-map T1-secondary-nat interface Serial0/1/0 overload
ip nat inside source route-map Satillite-secondary-nat interface FastEthernet0/0/0 overload
ip sla 1
icmp-echo 106.192.226.165 source-interface GigabitEthernet0/1
timeout 1000
threshold 40
frequency 3
ip sla 2
icmp-echo 165.122.250.199 source-interface Serial0/1/0
timeout 1000
threshold 40
frequency 3
ip sla 3
icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
access-list 100 permit ip 172.90.1.0 0.0.0.255 any
route-map Primary-nat permit 10
match ip address 100
match interface GigabitEthernet0/1
route-map T1-secondary-nat permit 10
match ip address 100
match interface Serial0/1/0
route-map Satillite-secondary-nat permit 10
match ip address 100
match interface FastEthernet0/0/0
~~~~~~~~~~~~~~~~~~~~~~~~~~
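The fragment above, reworked as an added example; it is neither the asker's running configuration nor the experts' advice. On "rtr 1": it names IP SLA operation 1 (newer images spell the same line "track 123 ip sla 1 reachability"), not a route; the route is the static that carries "track 123". Next hops and probe targets are the ones already in the thread; the ACL name NAT-LAN, the route-map names and the EEM applets are assumptions. It closes four gaps in the fragment. Each probe is pinned to its own link with a host route, because otherwise a probe simply follows the current default route (the "sh ip nat trans" output the asker posts further down shows the T1-sourced probe, inside local 164.50.20.5, being translated to 67.109.39.71, i.e. leaving through the primary, so the T1 track would stay up with the T1 dead). The default routes get next-hop addresses and distinct administrative distances, so only the best surviving route is installed instead of three equal-cost ones. NAT gets an ACL of its own instead of access-list 100, which is the "drop log" list of class sdm-invalid-src on the in-zone to out-zone policy. And translations are cleared when the primary changes state so flows re-bind to the new egress address.

```cisco
! Added example: three-ISP failover with IP SLA, object tracking and per-link
! NAT. Next hops and probe targets are the thread's; NAT-LAN, the route-map
! names and the EEM applets are assumptions.
!
! 1. Probes. Each probe gets a host route through ITS OWN link, plus a Null0
!    fallback at a high distance: when that link drops, the host route goes
!    with it and the probe is blackholed instead of escaping via another ISP.
ip sla 1
 icmp-echo 106.192.226.165 source-interface GigabitEthernet0/1
 timeout 1000
 frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 165.122.250.199 source-interface Serial0/1/0
 timeout 1000
 frequency 3
ip sla schedule 2 life forever start-time now
!    The satellite probe pings its own gateway, so it only proves the local
!    hop; a target beyond 109.35.82.1 (with a host route, as above) would
!    also catch an upstream outage.
ip sla 3
 icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
 timeout 1000
 frequency 3
ip sla schedule 3 life forever start-time now
!
ip route 106.192.226.165 255.255.255.255 67.109.39.65
ip route 106.192.226.165 255.255.255.255 Null0 250
ip route 165.122.250.199 255.255.255.255 164.50.20.6
ip route 165.122.250.199 255.255.255.255 Null0 250
!
! 2. Tracks. "rtr N" is IP SLA operation N ("ip sla N" on newer images).
track 123 rtr 1 reachability
 delay down 15 up 10
track 234 rtr 2 reachability
 delay down 15 up 10
track 345 rtr 3 reachability
 delay down 15 up 10
!
! 3. Default routes: a next-hop ADDRESS (a route to an Ethernet interface
!    makes the router ARP for every Internet host) and distinct distances,
!    so only the best surviving route is installed. Three equal routes would
!    load-share flows across ISPs, and a NATed flow only returns on the link
!    whose address it carries.
ip route 0.0.0.0 0.0.0.0 67.109.39.65 5 track 123
ip route 0.0.0.0 0.0.0.0 164.50.20.6 10 track 234
ip route 0.0.0.0 0.0.0.0 109.35.82.1 15 track 345
!
! 4. NAT: an ACL that matches only the LAN and that nothing else uses.
!    (Access-list 100 is the drop list of class sdm-invalid-src; do not
!    extend it for NAT.)
ip access-list extended NAT-LAN
 permit ip 172.90.1.0 0.0.0.255 any
route-map NAT-ISP1 permit 10
 match ip address NAT-LAN
 match interface GigabitEthernet0/1
route-map NAT-T1 permit 10
 match ip address NAT-LAN
 match interface Serial0/1/0
route-map NAT-SAT permit 10
 match ip address NAT-LAN
 match interface FastEthernet0/0/0
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-T1 interface Serial0/1/0 overload
ip nat inside source route-map NAT-SAT interface FastEthernet0/0/0 overload
!
! 5. Clear translations when the primary changes state so existing flows
!    re-bind to the new egress address instead of dying on stale entries.
!    Needs EEM 2.2 (12.4(2)T or later), assumed present on this image.
event manager applet NAT-FLUSH-ISP1-DOWN
 event track 123 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation *"
event manager applet NAT-FLUSH-ISP1-UP
 event track 123 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation *"
```

To verify: "show track" (state of each object), "show ip sla statistics" (per-probe success), "show ip route 0.0.0.0" (which default is installed) and "show ip nat translations" (which egress address flows are bound to). Test an upstream failure, not only a link failure: temporarily point ip sla 1 at an address that does not answer and confirm the default moves to 164.50.20.6 after the 15 s down delay; a "shutdown" on GigabitEthernet0/1 only proves the easy case.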
Looks good to me at a glance. Try it out and let us know!
ASKER
Well I had to change GigabitEthernet0/1 to the ip address of the next hop for the routes.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1 track 123
And also change the IP for the icmp-echo to the next hop for the route.
ip sla 1
icmp-echo 106.192.226.165 source-interface GigabitEthernet0/1
timeout 1000
threshold 40
frequency 3
I can now ping from the router to the real world, but I'm still not able to ping from the private address. How do I tell if it's a NAT problem or a firewall problem?
sh ip nat trans
and give us a current "sh run"
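How to separate a NAT problem from a firewall problem on this box, as an added example rather than any expert's answer in the thread. It uses only interface, zone and ACL names from the posted "sh run"; no names are invented, and 172.90.1.51 is the LAN host that appears in the translation table the asker posts next. That table already answers half the question: an entry with inside local 172.90.1.51 and inside global 67.109.39.71 means NAT translated the host's packet, so NAT is not what eats it. The posted configuration shows what does: zone pair sdm-zp-in-out runs policy-map sdm-inspect, whose first class, sdm-invalid-src, is "drop log" on access-list 100, and access-list 100 ends with "permit ip 172.90.0.0 0.0.255.255 any", the whole LAN. SDM uses that ACL as an anti-spoofing list (broadcast, loopback and the router's own WAN subnets as source addresses from the inside); with the LAN added to it, every LAN-sourced flow matches the drop class before any inspect class is reached, which is exactly "the router can ping out, the LAN cannot".

```cisco
! Added example: telling a NAT drop from a firewall drop on CR1.
! Only standard IOS 12.4 commands and names from the posted configuration.
!
! 1. Generate traffic from a LAN host (172.90.1.51 in the thread) and read NAT.
!    An entry "icmp 67.109.39.71:768 172.90.1.51:768 8.8.8.8:768 8.8.8.8:768"
!    is inside local 172.90.1.51 translated to inside global 67.109.39.71:
!    NAT did its job. "Hits" in the statistics must climb with each ping.
show ip nat translations
show ip nat statistics
!
! 2. Read the firewall: per-class counters for the LAN-to-Internet zone pair,
!    then the %FW-6-DROP_PKT lines that the "drop log" action writes
!    (logging buffered and logging trap debugging are already configured).
show policy-map type inspect zone-pair sdm-zp-in-out
show logging | include FW-6
!
! 3. The cause in the posted config: class sdm-invalid-src, first class of
!    policy sdm-inspect with action "drop log", matches access-list 100, and
!    access-list 100 contains the LAN. Take the LAN out; what remains
!    (255.255.255.255, 127/8 and the three WAN subnets as SOURCE addresses
!    arriving from the inside) is the anti-spoofing list the class exists for.
ip access-list extended 100
 no permit ip 172.90.0.0 0.0.255.255 any
!
!    NAT must not reference access-list 100 either: a route-map that matches
!    it is matching the drop list. Give NAT a LAN-only ACL of its own.
!
! 4. Two more things the posted output shows that are worth checking now:
!    a) interface FastEthernet0/0/0 lists both "ip address 109.35.82.65 ..."
!       and "no ip address". A real "show run" prints one or the other, so
!       verify what the interface really has before trusting a probe sourced
!       from it.
!    b) out-zone -> self is "drop" for everything, which is right, but the vty
!       lines accept telnet and "ip http server" is enabled; leave only ssh
!       and https, and only from the LAN side.
show ip interface brief
!
! 5. Re-test from the LAN host. The sdm-invalid-src drop counter must stop
!    moving and the ICMP flow should now be counted under sdm-insp-traffic.
show policy-map type inspect zone-pair sdm-zp-in-out
```

The general rule this illustrates: on IOS the NAT table tells you whether translation happened, the zone-pair counters tell you which class acted on the flow, and a drop that shows up in the second but not the first is a policy problem, not an address problem.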
ASKER
CR1#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
icmp 67.109.39.71:2 164.50.20.5:2 65.122.250.117:2 65.122.250.117:2
icmp 67.109.39.71:1 67.109.39.71:1 67.109.39.65:1 67.109.39.65:1
icmp 67.109.39.71:3 67.109.39.71:3 109.35.82.1:3 109.35.82.1:3
udp 67.109.39.71:49227 67.109.39.71:49227 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:49551 67.109.39.71:49551 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:49701 67.109.39.71:49701 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:50050 67.109.39.71:50050 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:50835 67.109.39.71:50835 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:51309 67.109.39.71:51309 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:51514 67.109.39.71:51514 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:52741 67.109.39.71:52741 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:53024 67.109.39.71:53024 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:53865 67.109.39.71:53865 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:55017 67.109.39.71:55017 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56057 67.109.39.71:56057 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56106 67.109.39.71:56106 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56130 67.109.39.71:56130 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:57838 67.109.39.71:57838 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:59892 67.109.39.71:59892 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61656 67.109.39.71:61656 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61778 67.109.39.71:61778 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61887 67.109.39.71:61887 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62056 67.109.39.71:62056 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62147 67.109.39.71:62147 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62978 67.109.39.71:62978 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:63717 67.109.39.71:63717 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:63758 67.109.39.71:63758 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:65035 67.109.39.71:65035 209.40.64.1:53 209.40.64.1:53
icmp 67.109.39.71:768 172.90.1.51:768 8.8.8.8:768 8.8.8.8:768
Building configuration...
Current configuration : 14583 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 **********************
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-*******
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*******
revocation-check none
rsakeypair TP-self-signed-*******
!
!
crypto pki certificate chain TP-self-signed-*******
certificate self-signed 01
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ******** ******** ******** ******** ******** ********
******** ******** ***
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 172.90.1.1 172.90.1.99
ip dhcp excluded-address 172.90.1.120 172.90.1.254
!
ip dhcp pool sdm-pool1
import all
network 172.90.1.0 255.255.255.0
dns-server 164.50.1.129 164.50.1.130
default-router 172.90.1.254
!
!
ip cef
!
!
no ip bootp server
ip domain name somedomain.com
ip name-server 209.40.64.1
ip name-server 208.77.177.3
!
multilink bundle-name authenticated
!
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root privilege 15 secret 5 *********************************
!
!
archive
log config
hidekeys
!
!
!
track 123 rtr 1 reachability
delay down 15 up 10
!
track 234 rtr 2 reachability
delay down 15 up 10
!
track 345 rtr 3 reachability
delay down 15 up 10
!
class-map type inspect imap match-any sdm-app-imap
match invalid-command
class-map type inspect match-any BootPS192
match protocol udp
match protocol bootpc
match protocol bootps
class-map type inspect match-any sdm-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
match service any
class-map type inspect match-all sdm-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
match service any
class-map type inspect pop3 match-any sdm-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
match file-transfer
class-map type inspect match-all sdm-cls-sdm-permit-1
match class-map BootPS192
match access-group name BootPS192
class-map type inspect match-all sdm-protocol-p2p
match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect ymsgr match-any sdm-app-yahoo
match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect http match-any sdm-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect fasttrack match-any sdm-app-fasttrack
match file-transfer
class-map type inspect http match-any sdm-http-allowparam
match request port-misuse tunneling
class-map type inspect edonkey match-any sdm-app-edonkeydownload
match file-transfer
class-map type inspect match-all sdm-protocol-imap
match protocol imap
class-map type inspect aol match-any sdm-app-aol
match service text-chat
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p sdm-action-app-p2p
class type inspect edonkey sdm-app-edonkeychat
log
allow
class type inspect edonkey sdm-app-edonkeydownload
log
allow
class type inspect fasttrack sdm-app-fasttrack
log
allow
class type inspect gnutella sdm-app-gnutella
log
allow
class type inspect kazaa2 sdm-app-kazaa2
log
allow
class class-default
policy-map type inspect http sdm-action-app-http
class type inspect http sdm-http-blockparam
log
reset
class type inspect http sdm-app-httpmethods
log
reset
class type inspect http sdm-http-allowparam
log
allow
class class-default
policy-map type inspect imap sdm-action-imap
class type inspect imap sdm-app-imap
log
class class-default
policy-map type inspect pop3 sdm-action-pop3
class type inspect pop3 sdm-app-pop3
log
class class-default
policy-map type inspect im sdm-action-app-im
class type inspect aol sdm-app-aol
log
allow
class type inspect msnmsgr sdm-app-msn
log
allow
class type inspect ymsgr sdm-app-yahoo
log
allow
class type inspect aol sdm-app-aol-otherservices
log
reset
class type inspect msnmsgr sdm-app-msn-otherservices
log
reset
class type inspect ymsgr sdm-app-yahoo-otherservices
log
reset
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-protocol-http
inspect
service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
inspect
service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
inspect
service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-p2p
inspect
service-policy p2p sdm-action-app-p2p
class type inspect sdm-protocol-im
inspect
service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
ip address 172.90.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface GigabitEthernet0/1
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 67.109.39.71 255.255.255.192
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface FastEthernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/1
ip address 109.35.82.65 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface Serial0/1/0
description PTP T-1 to **** CID#123412341234$FW_OUTSIDE$
ip address 164.50.20.5 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 67.109.39.65 track 123
ip route 0.0.0.0 0.0.0.0 164.50.20.4 10 track 234
ip route 0.0.0.0 0.0.0.0 109.35.82.2 20 track 345
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map Primary-nat interface GigabitEthernet0/1 overload
ip nat inside source route-map Satillite-secondary-nat interface FastEthernet0/0/0 overload
ip nat inside source route-map T1-secondary-nat interface Serial0/1/0 overload
!
ip access-list extended BootPS192
remark SDM_ACL Category=128
permit ip host 192.168.11.6 any
!
ip sla 1
icmp-echo 67.219.239.65 source-interface GigabitEthernet0/1
timeout 1000
threshold 40
frequency 3
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 164.50.20.4 source-interface Serial0/1/0
timeout 1000
threshold 40
frequency 3
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 109.35.82.1 source-interface FastEthernet0/0/0
timeout 1000
threshold 40
frequency 3
ip sla schedule 3 life forever start-time now
logging trap debugging
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
access-list 100 permit ip 172.90.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map Primary-nat permit 10
match ip address 100
match interface GigabitEthernet0/1
!
route-map Satillite-secondary-nat permit 10
match ip address 100
match interface FastEthernet0/0/0
!
route-map T1-secondary-nat permit 10
match ip address 100
match interface Serial0/1/0
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Pro Inside global Inside local Outside local Outside global
icmp 67.109.39.71:2 164.50.20.5:2 65.122.250.117:2 65.122.250.117:2
icmp 67.109.39.71:1 67.109.39.71:1 67.109.39.65:1 67.109.39.65:1
icmp 67.109.39.71:3 67.109.39.71:3 109.35.82.1:3 109.35.82.1:3
udp 67.109.39.71:49227 67.109.39.71:49227 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:49551 67.109.39.71:49551 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:49701 67.109.39.71:49701 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:50050 67.109.39.71:50050 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:50835 67.109.39.71:50835 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:51309 67.109.39.71:51309 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:51514 67.109.39.71:51514 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:52741 67.109.39.71:52741 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:53024 67.109.39.71:53024 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:53865 67.109.39.71:53865 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:55017 67.109.39.71:55017 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56057 67.109.39.71:56057 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56106 67.109.39.71:56106 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:56130 67.109.39.71:56130 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:57838 67.109.39.71:57838 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:59892 67.109.39.71:59892 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61656 67.109.39.71:61656 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61778 67.109.39.71:61778 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:61887 67.109.39.71:61887 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62056 67.109.39.71:62056 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62147 67.109.39.71:62147 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:62978 67.109.39.71:62978 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:63717 67.109.39.71:63717 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:63758 67.109.39.71:63758 209.40.64.1:53 209.40.64.1:53
udp 67.109.39.71:65035 67.109.39.71:65035 209.40.64.1:53 209.40.64.1:53
icmp 67.109.39.71:768 172.90.1.51:768 8.8.8.8:768 8.8.8.8:768
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
access-list 100 permit ip 172.90.1.0 0.0.0.255 any
Cut that ACL down to just:
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
You're NATing all over the place right now. That one line will cover your LAN.
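To make the "NATing all over the place" point concrete, here is an added Python example (not code from the thread) that parses the source half of IOS numbered ACL entries into networks and tests candidate source addresses against the posted ACL 100 and against the one-line replacement suggested above. The candidate sources are constructed from addresses visible in the thread: the LAN host 172.90.1.51 from the last line of the `show ip nat translations` output, the router's own Serial0/1/0 address 164.50.20.5 (which the first line of that output shows being translated to 67.109.39.71), and the loopback and limited-broadcast ranges that the SDM-generated ACL was written to catch. The parser assumes contiguous wildcard masks, which is all this ACL uses.

```python
"""Compare which source addresses an IOS ACL permits, before and after trimming it.

Added example for this thread; not the router's own code. Only the source
address of each entry is interpreted, which is all a 'ip nat inside source
route-map ... match ip address' decision looks at for outbound LAN traffic.
"""
import ipaddress
from typing import Dict, List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]  # (action, source network)


def parse_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip <src> ...' lines into (action, network).

    Handles 'host A.B.C.D', 'any' and 'A.B.C.D W.X.Y.Z' (address + wildcard).
    Remark lines are skipped. Assumes a contiguous wildcard mask; a
    non-contiguous one makes ip_network() raise, which is the right failure.
    """
    entries: List[Entry] = []
    for raw in text.strip().splitlines():
        parts = raw.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        action, src = parts[2], parts[4]
        if src == "host":
            net = ipaddress.ip_network(parts[5] + "/32")
        elif src == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # Wildcard bits set to 0 must match; invert to get a netmask.
            wildcard = ipaddress.ip_address(parts[5])
            netmask = ipaddress.ip_address(int(wildcard) ^ 0xFFFFFFFF)
            net = ipaddress.ip_network(f"{src}/{netmask}", strict=False)
        entries.append((action, net))
    return entries


def acl_permits(entries: List[Entry], address: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    ip = ipaddress.ip_address(address)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


# ACL 100 exactly as posted (SDM's 'invalid source' list reused as the NAT ACL).
ORIGINAL_ACL_100 = """
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.109.39.0 0.0.0.63 any
access-list 100 permit ip 164.50.20.4 0.0.0.3 any
access-list 100 permit ip 172.90.0.0 0.0.255.255 any
access-list 100 permit ip 172.90.1.0 0.0.0.255 any
"""

# The single line suggested in the answer above.
REDUCED_ACL_100 = "access-list 100 permit ip 172.90.0.0 0.0.255.255 any"

# Constructed test sources, taken from addresses that appear in the thread.
SOURCES = {
    "172.90.1.51": "LAN host, seen in the NAT table; should be translated",
    "164.50.20.5": "router's own Serial0/1/0 address; should never be NATed",
    "127.0.0.1": "loopback source; anti-spoof entry, not a NAT candidate",
    "255.255.255.255": "limited broadcast; anti-spoof entry, not a NAT candidate",
}


def compare(original: str = ORIGINAL_ACL_100,
            reduced: str = REDUCED_ACL_100) -> Dict[str, Tuple[bool, bool]]:
    """Return {source: (permitted by original ACL, permitted by reduced ACL)}."""
    orig, red = parse_acl(original), parse_acl(reduced)
    return {src: (acl_permits(orig, src), acl_permits(red, src)) for src in SOURCES}


if __name__ == "__main__":
    for src, (before, after) in compare().items():
        print(f"{src:<16} original={before!s:<5} reduced={after!s:<5} {SOURCES[src]}")
```

Only the LAN host is matched by both lists; the router's own T1 address and the anti-spoofing ranges are matched by the original ACL alone, which is why traffic sourced from 164.50.20.5 shows up in the NAT table translated to the primary link's address.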
ASKER
Thanks for the help
ASKER
Now for the next problem.
https://www.experts-exchange.com/questions/25108850/Cisco-3845-trying-to-statically-NAT-a-public-IP-to-a-private-IP.html
Adding static NAT translation and overload at the same time.
ip route 0.0.0.0 0.0.0.0 <next hop address of the 10mbps link> 5
ip route 0.0.0.0 0.0.0.0 <next hop address of the T1 link> 10
ip route 0.0.0.0 0.0.0.0 <next hop address of the 1mbps link> 15
To make it failover if the link failure is not detected, use object tracking.
http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
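To show why the answer above pairs floating static routes with object tracking, here is an added Python model (not code from the thread, from Cisco, or an IOS implementation) of how a router chooses among static default routes: the lowest administrative distance among the routes currently installed wins, and a route whose track object is down is withdrawn. It uses the three next hops, distances, `delay down 15 up 10` and `frequency 3` values from the posted config, and replays a constructed outage in which the primary link's upstream stops answering probes while the Ethernet interface itself stays up. The probe results are assumed, and the delay timers are simplified to "the new state must persist for the delay period before the track changes".

```python
"""Model of floating static default routes with IP SLA object tracking.

Added example for this thread; a simplified model, not the IOS code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Track:
    """Mirrors 'track <id> rtr <sla> reachability' with 'delay down <s> up <s>'."""
    track_id: int
    delay_down: int = 0
    delay_up: int = 0
    state: str = "up"
    pending: Optional[str] = None   # state we are waiting to move to
    pending_since: int = 0          # time the pending condition was first seen

    def observe(self, reachable: bool, now: int) -> str:
        """Feed one IP SLA probe result at time `now` (seconds); return the state."""
        wanted = "up" if reachable else "down"
        if wanted == self.state:
            self.pending = None     # condition cleared before the delay expired
            return self.state
        if self.pending != wanted:
            self.pending, self.pending_since = wanted, now
        delay = self.delay_down if wanted == "down" else self.delay_up
        if now - self.pending_since >= delay:
            self.state, self.pending = wanted, None
        return self.state


@dataclass
class StaticRoute:
    """Mirrors 'ip route 0.0.0.0 0.0.0.0 <next-hop> [<distance>] [track <id>]'."""
    next_hop: str
    distance: int = 1
    track: Optional[Track] = None
    interface_up: bool = True

    def installed(self) -> bool:
        # A static route stays in the RIB while its interface is up, unless the
        # tracked object it is tied to has gone down. Without a track, an
        # upstream failure that leaves the interface up is never noticed.
        return self.interface_up and (self.track is None or self.track.state == "up")


def active_default(routes: List[StaticRoute]) -> Optional[str]:
    """Next hop of the installed default route with the lowest distance, or None."""
    candidates = [r for r in routes if r.installed()]
    return min(candidates, key=lambda r: r.distance).next_hop if candidates else None


def failover_timeline(use_tracking: bool) -> List[Tuple[int, Optional[str]]]:
    """Replay a constructed outage; return (time, next hop) at each change."""
    t123, t234, t345 = (Track(i, 15, 10) for i in (123, 234, 345))
    routes = [
        StaticRoute("67.109.39.65", 1, t123 if use_tracking else None),   # 10 Mbps Ethernet
        StaticRoute("164.50.20.4", 10, t234 if use_tracking else None),   # T1
        StaticRoute("109.35.82.2", 20, t345 if use_tracking else None),   # 1 Mbps satellite
    ]
    changes: List[Tuple[int, Optional[str]]] = []
    active: Optional[str] = ""
    for now in range(0, 61, 3):             # 'frequency 3': one probe every 3 s
        primary_ok = not (3 <= now <= 30)   # primary upstream dark from 3 s to 30 s
        t1_ok = not (21 <= now <= 27)       # short T1 blip, shorter than 'delay down 15'
        t123.observe(primary_ok, now)
        t234.observe(t1_ok, now)
        t345.observe(True, now)
        next_hop = active_default(routes)
        if next_hop != active:
            changes.append((now, next_hop))
            active = next_hop
    return changes


if __name__ == "__main__":
    print("with tracking:   ", failover_timeline(True))
    print("without tracking:", failover_timeline(False))
```

With tracking, the default route moves to the T1 at 18 s (the first probe at which the primary has been unreachable for the full 15 s down delay), the short T1 blip never flips track 234 because it ends before its delay expires, and the primary is reinstalled at 45 s after its 10 s up delay. Without tracking the primary's route is never withdrawn and outbound traffic is sent into the dead link for the whole outage.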