Solved

Configuring Redundant Internet Circuits on a Cisco 2801 router

Posted on 2010-08-13
16
615 Views
Last Modified: 2013-12-14
I have a cisco 2801 router that is currently configured for a T1.  I am adding a comcast cable modem for redundancy.  Below in my current interface information:

interface FastEthernet0/0
 description LAN
 ip address 172.16.0.1 255.255.0.0
 ip helper-address 172.18.10.1
 ip inspect DEFAULT101 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map nonat-static
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/2/0
 description T1
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
 crypto ipsec df-bit clear
!
interface Serial0/2/0.1 point-to-point
 ip address x.x.x.33 255.255.255.224
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 500 IETF
 crypto map SDM_CMAP_1

I want to add the comcast modem to int fa0/1.  I do have a static address.  What I want to do is push all port 80 and port 443 traffic out the cable modem, but if the T1 fails all traffic all traffic will go out the cable modem and vise versa.   I'm hoping someone can look at the way my interfaces are currently configured and then let me know what I have to do to make this happen.  thanks.
0
Comment
Question by:denver218
16 Comments
 
LVL 1

Expert Comment

by:chicka616
ID: 33434921
You will need to setup some type of NAT for port 80 and port 443 to go out fe0/1.
For all T1 traffic to converge to the cable modem, you would need to setup Link Backup.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 33435378
Hi,

you need this

http://www.ciscoblog.com/archives/2008/08/dynamic_failove.html

please show the whole config
0
 
LVL 14

Accepted Solution

by:
anoopkmr earned 500 total points
ID: 33435526
see the attached pdf , it will give you complete working  solution .
its workign fro me .
let me know for any furhter assistance.

Dual-Internet-links-with-PBR-and.pdf
0
 
LVL 4

Author Comment

by:denver218
ID: 33447859
Thanks.  Here is the entire configuration:

Router1#show run
Building configuration...

Current configuration : 17074 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
logging monitor warnings
enable secret 5
!
clock timezone est -5
clock summer-time EDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT101 cuseeme
ip inspect name DEFAULT101 ftp
ip inspect name DEFAULT101 h323
ip inspect name DEFAULT101 icmp
ip inspect name DEFAULT101 netshow
ip inspect name DEFAULT101 rcmd
ip inspect name DEFAULT101 realaudio
ip inspect name DEFAULT101 rtsp
ip inspect name DEFAULT101 sqlnet
ip inspect name DEFAULT101 streamworks
ip inspect name DEFAULT101 tftp
ip inspect name DEFAULT101 tcp
ip inspect name DEFAULT101 udp
ip inspect name DEFAULT101 vdolive
ip tcp synwait-time 10
!
!
ip ips po max-events 100
no ip bootp server
no ip domain lookup
ip host Central2801 172.16.0.1
ip name-server x.x.x.x
ip name-server x.x.x.x
no ftp-server write-enable
!
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxx address x.x.x.x
crypto isakmp key xxx address x.x.x.x
crypto isakmp key xxx address x.x.x.x 255.255.255.224 no-xauth
crypto isakmp key xxx address x.x.x.x 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set to_cti esp-3des esp-md5-hmac
!
crypto dynamic-map VPN3
 description VPN1
 set transform-set ESP-3DES-SHA1
!
crypto dynamic-map VPN2
 description VPN2
 set transform-set ESP-3DES-SHA
!
crypto dynamic-map VPN1
 description VPN3
 set transform-set ESP-3DES-SHA1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel
 set peer x.x.116.97
 set transform-set ESP-3DES-SHA1
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel tox.x.86.122
 set peer x.x.12.1
 set transform-set ESP-3DES-SHA2
 match address 103
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel
 set peer x.x.52.135
 set transform-set to_cti
 match address 110
crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic VPN1
!
!
!
interface Loopback10
 ip address 192.168.254.1 255.255.255.0
!
interface FastEthernet0/0
 description INSIDE LAN
 ip address 172.16.0.1 255.255.0.0
 ip helper-address 172.18.10.1
 ip inspect DEFAULT101 in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip policy route-map nonat-static
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/2/0
 description Verizon T1
 bandwidth 1536
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
 crypto ipsec df-bit clear
!
interface Serial0/2/0.1 point-to-point
 ip address x.x.x.33 255.255.255.224
 ip access-group 104 in
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 500 IETF
 crypto map SDM_CMAP_1
!
router eigrp 300
 network 172.16.0.0
 network 172.17.0.0
 network 172.18.0.0
 network 192.168.0.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/2/0.1
ip route 172.17.0.0 255.255.0.0 67.134.86.141
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload
ip nat inside source static 172.16.10.1 x.x.12.40
ip nat inside source static 172.16.10.2 x.x.12.41
ip nat inside source static 172.16.10.11 x.x.12.42
ip nat inside source static 172.16.0.3 x.x.12.43
ip nat inside source static 172.16.0.4 x.x.12.44
ip nat inside source static 172.16.10.5 x.x.12.45
ip nat inside source static 172.16.10.10 x.x.12.46
ip nat inside source static 172.16.10.20 x.x.12.47
ip nat inside source static 172.17.5.26 x.x.12.48
ip nat inside source static 172.16.10.6 x.x.12.49
ip nat inside source static 172.16.10.12 x.x.12.50
ip nat inside source static 172.16.10.3 x.x.12.51
ip nat inside source static 172.16.1.30 x.x.12.52
!
!
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 102 permit ip 172.17.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 103 permit ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 104 permit tcp any any eq 22
access-list 104 permit icmp any any
access-list 104 permit udp any host x.x.12.33 eq isakmp
access-list 104 permit esp any host x.x.12.33
access-list 104 permit esp host x.x.12.1 host x.x.12.33
access-list 104 permit ahp host x.x.12.1 host x.x.12.33
access-list 104 permit udp host x.x.12.1 host x.x.12.33 eq isakmp
access-list 104 permit udp host x.x.12.1 host x.x.12.33 eq non500-isakmp
access-list 104 permit ahp host 141.151.127.82 host x.x.12.33
access-list 104 permit esp host 141.151.127.82 host x.x.12.33
access-list 104 permit udp host 141.151.127.82 host x.x.12.33 eq isakmp
access-list 104 permit udp host 141.151.127.82 host x.x.12.33 eq non500-isakmp
access-list 104 permit esp host x.x.52.135 host x.x.12.33
access-list 104 permit ahp host x.x.52.135 host x.x.12.33
access-list 104 permit udp host x.x.52.135 host x.x.12.33 eq isakmp
access-list 104 permit udp host x.x.52.135 host x.x.12.33 eq non500-isakmp
access-list 104 permit icmp x.x.52.128 0.0.0.63 any
access-list 104 permit tcp x.x.52.128 0.0.0.63 host x.x.12.33 eq telnet
access-list 104 permit tcp x.x.52.128 0.0.0.63 x.x.12.32 0.0.0.31 eq 5631
access-list 104 permit udp x.x.52.128 0.0.0.63 x.x.12.32 0.0.0.31 eq 5632
access-list 104 permit tcp x.x.52.128 0.0.0.63 any eq 22
access-list 104 permit icmp any x.x.12.32 0.0.0.31 echo-reply
access-list 104 permit icmp any x.x.12.32 0.0.0.31 time-exceeded
access-list 104 permit icmp any x.x.12.32 0.0.0.31 unreachable
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 permit tcp any host x.x.12.46 eq 1494
access-list 104 permit tcp any host x.x.12.42 eq 1494
access-list 104 permit tcp any host x.x.12.50 eq 1494
access-list 104 permit tcp any host x.x.12.40 eq pop3
access-list 104 permit udp any host x.x.12.40 eq domain
access-list 104 permit tcp any host x.x.12.43 eq domain
access-list 104 permit tcp any host x.x.12.44 eq domain
access-list 104 permit tcp any host x.x.12.52 eq domain
access-list 104 permit tcp any host x.x.12.43 eq smtp
access-list 104 permit tcp any host x.x.12.43 eq pop3
access-list 104 permit tcp any host x.x.12.40 eq smtp
access-list 104 permit tcp any host x.x.12.40 eq www
access-list 104 permit tcp any host x.x.12.51 eq www
access-list 104 permit tcp any host x.x.12.52 eq smtp
access-list 104 permit tcp any host x.x.12.45 eq 8990
access-list 104 permit gre host x.x.173.12 host x.x.12.48
access-list 104 permit tcp host x.x.173.12 host x.x.12.48 eq 1723
access-list 104 permit icmp host x.x.173.12 host x.x.12.48
access-list 104 permit udp host x.x.173.12 host x.x.12.48 eq isakmp
access-list 104 permit esp host x.x.173.12 host x.x.12.48
access-list 104 permit ahp host x.x.173.12 host x.x.12.48
access-list 104 permit tcp any host x.x.12.45 eq 9990
access-list 104 permit tcp host x.x.174.234 host x.x.12.47 eq 5631
access-list 104 permit udp host x.x.174.234 host x.x.12.47 eq 5632
access-list 104 permit tcp host x.x.101.202 host x.x.12.47 eq 5631
access-list 104 permit udp host x.x.101.202 host x.x.12.47 eq 5632
access-list 104 permit tcp host 8.2.182.176 host x.x.12.45 eq 5632
access-list 104 deny   ip any any log-input
access-list 108 permit ip 172.0.0.0 0.255.255.255 any
access-list 108 permit ip 10.0.0.0 0.255.255.255 any
access-list 108 permit ip x.x.52.128 0.0.0.63 any
access-list 110 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 0.0.0.0 255.255.252.0
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 140 deny   ip 172.16.0.0 0.0.255.255 any
access-list 150 remark SDM_ACL Category=16
access-list 150 permit ip 172.16.0.0 0.0.0.255 172.18.0.0 0.0.0.255
access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any
snmp-server community kindern RO
snmp-server enable traps tty
no cdp run
route-map nonat-Pat permit 10
 match ip address 151
!
route-map nonat-static permit 10
 match ip address 140
 set ip next-hop 192.168.254.2
!
!
!
control-plane
!
banner login ^CCC Unauthorized Access is Prohibited! ^C
!
line con 0
 password 7
line aux 0
line vty 0 4
 access-class 108 in
 exec-timeout 0 0
 privilege level 15
 password 7
 transport input telnet ssh
line vty 5 15
 access-class 108 in
 privilege level 15
 password 7
 transport input telnet ssh
!
ntp clock-period 17180080
ntp server 192.5.41.41
ntp server 192.5.41.209
end
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33447896
did u try my comment
0
 
LVL 4

Author Comment

by:denver218
ID: 33453917
Hi anoopkmr, I am reading over this article right now.  I do have some questions about the IP SLA Configurations:

Lets say my T1 internface ip address is 10.100.50.1 255.255.255.248
Let say my Cable Modem ip address is 192..168.50.1 255.255.255.248

For the icmp-echo relpy will I have to have another public address for this.  See below:

ip sla 1
icmp-echo 10.100.50.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.50.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now



0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33453946
ok no problem , only need to take care those IP has to be trusted (  I mean always alive  and has to reply to icmp)

but remember to set route like below

ip route 10.100.50.2 255.255.255.255 <T1 gateway IP>
ip route 192.168.50.2 255.255.255.255 <Cable  gateway ip>

0
 
LVL 4

Author Comment

by:denver218
ID: 33453997
Thanks, but I'm still a little confused.  So I do need a another public address for ip sla?  Or can I accomplish my goal without it?  
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 14

Expert Comment

by:anoopkmr
ID: 33454027
no its not necessary , try ur  ISPs DNS servers are responding to ICMP  
or you can  add ur Gateway  IP  in  SLA.

ip sla 1
icmp-echo <ISP1 gw>
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo <ISP2 gw>
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

0
 
LVL 4

Author Comment

by:denver218
ID: 33454134
I do have extra Public IP addresses for each circuit, so I can use one for IP SLA.  I won't be on site until later this week to configure this.  I am getting my configurations ready now.  I will post the configs when I'm done, and maybe you can see if they look right.  thanks.
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33454168
i think still u confused, dont put IP address given by ISP for ur use  in IP SLA.
I think u know the function of  SLA.

IP mentioned int IP SLA has to reachable via ICMP that it. u configure ur  GW IP address. ( I mean the default route IP)

also dont forgot to put

ip route 10.100.50.2 255.255.255.255 <T1 gateway IP>
ip route 192.168.50.2 255.255.255.255 <Cable  gateway ip>
0
 
LVL 4

Author Comment

by:denver218
ID: 33454992
Ok.  Last thing and I think I got it.
I'm looking at this part in the example:

route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload

I have 3 LAN-to-LAN VPNs configured on on this router using the verizon circuit IP's.  I'm not looking for VPN failover or anything, As you see below, all my nonat staments for VPN are associated with this route-map that I already have configured on this router.   See below:

ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload

route-map nonat-Pat permit 10
 match ip address 151

access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any

Woudl I add "permit 10.100.50.0 0.0.0.7" to access-list 151?  Would this effect VPN traffic in any way?
0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33455097
what is  10.100.50.0

if it is the IP going to metioned in the IP SLA,  then dont add it in 151
0
 
LVL 4

Author Comment

by:denver218
ID: 33455367
I'm sorry wrong addresses,  My LAN network is 172.16.0.0 255.255.0.0.  In the example I see the following:

access-list 10 permit 10.1.1.0 0.0.0.255

route-map ISP1 permit 10
match ip address 10
match int fa1/1

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload

Since I already have a route-map for my "ip nat overload" statement can I just add my local LAN to access-list 151?  See below.  I hope I'm not confusing you to much

This is what mine looks like:
ip nat inside source route-map nonat-Pat interface Serial0/2/0.1 overload

route-map nonat-Pat permit 10
 match ip address 151

access-list 151 remark SDM_ACL Category=18
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 151 remark IPSec Rule
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.18.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.3.0 0.0.0.255
access-list 151 remark Trexler
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.7.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 192.168.8.0 0.0.0.255
access-list 151 deny   ip 172.16.0.0 0.0.255.255 172.31.252.0 0.0.3.255
access-list 151 remark IPSec Rule
access-list 151 permit ip 172.16.0.0 0.0.255.255 any
access-list 151 permit ip 172.18.0.0 0.0.255.255 any

0
 
LVL 14

Expert Comment

by:anoopkmr
ID: 33455844
above no-nat is for those traffic that doesn't required natting . if u want to get internet u need to do nat

so dont add
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 33458532
Thanks.  The document was very useful
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Cisco 1830 AP behaving wierdly 7 25
Route summarization 5 21
catalyst 6500 - recover from corrupted IOS 4 41
DHCP on ASA 3 23
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now