KSM-TECH
asked on
NAT issue on site to site vpn's over cisco routers
Any connection from remote offices to main office, where our servers are located, is blocked if it has a NAT rule set up for external to internal access.
Example: Port 25 is PAT'd from outside interface to inside server address. External access to 25 is fine. Internal access from main network is fine. Internal access through site to site vpn does not work.
Any help would be appreciated.
Cisco routers with typical site to site vpn configuration.
ASKER
one of the remote configs
User Access Verification
Username: hahnadmin
Password:
HahnLouisvile871#wr t
Building configuration...
Current configuration : 6027 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname HahnLouisvile871
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.255.254
!
ip dhcp pool sdm-pool
import all
network 10.5.255.0 255.255.255.0
default-router 10.5.255.254
dns-server 192.168.255.108 192.168.255.109
lease 0 2
!
!
no ip domain lookup
ip domain name yourdomain.com
ip inspect tcp idle-time 21600
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tcp timeout 10800
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW streamworks
!
!
crypto pki trustpoint TP-self-signed-1324931980
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1324931980
revocation-check none
rsakeypair TP-self-signed-1324931980
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key x.x.x.x address x.x.x.x no-xauth
!
!
crypto ipsec transform-set site_to_site esp-aes 256 esp-sha-hmac
!
crypto map tunnels 10 ipsec-isakmp
description Tunnel to Main site
set peer x.x.x.x
set transform-set site_to_site
match address vpntunnels
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$
ip address x.x.x.x1 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
crypto map tunnels
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.5.255.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet4 overload
!
ip access-list extended vpntunnels
permit ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
!
access-list 101 remark Inside ACL
access-list 101 deny ip 63.250.70.56 0.0.0.7 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 permit ahp host x.x.x.x host 206.221.227.91
access-list 102 permit esp host x.x.x.x host 206.221.227.91
access-list 102 permit udp host x.x.x.x host 206.221.227.91 eq isakmp
access-list 102 permit udp host x.x.x.x host 206.221.227.91 eq non500-isakmp
access-list 102 permit ip 10.5.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit icmp any host x.x.x.x echo-reply
access-list 102 permit icmp any host x.x.x.x time-exceeded
access-list 102 permit icmp any host x.x.x.x unreachable
access-list 102 deny ip 10.5.255.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark IPSec Nat Rule
access-list 103 deny ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 103 deny ip 10.5.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.5.255.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
HahnLouisvile871#
ASKER CERTIFIED SOLUTION
More specifically in your case where you have:
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25
You need to make it:
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25 route-map nonat extendable
In the ACL used for NAT you must deny traffic destined for the VPN.
That would only affect the NAT overload statement. You must use a route map for port forward NAT statements.
ASKER
Thank you for your help. We figured it out a few hours later, but this just confirms that it was the correct answer that we came up with.
ASKER
login as: hahnadmin
hahnadmin@192.168.255.252'
Hahn1841#wr t
Building configuration...
Current configuration : 12593 bytes
!
! Last configuration change at 22:18:54 EDT Tue Nov 1 2011 by hahnadmin
! NVRAM config last updated at 22:16:29 EDT Tue Nov 1 2011 by hahnadmin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Hahn1841
!
boot-start-marker
boot system flash c1841-advipservicesk9-mz.1
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen group radius local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name hahn.int
ip name-server 192.168.255.108
ip name-server 192.168.255.109
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect tcp idle-time 21600
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp timeout 10800
ip inspect name SDM_LOW citriximaclient
ip inspect name SDM_LOW citrix
!
!
crypto pki trustpoint TP-self-signed-1252328365
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-1252328365
!
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key ***** address 63.250.70.59 no-xauth
crypto isakmp key ***** address 63.250.70.75 no-xauth
crypto isakmp key ***** address 63.250.70.115 no-xauth
crypto isakmp key ***** address 63.250.83.131 no-xauth
crypto isakmp key ***** address 63.250.70.123 no-xauth
crypto isakmp key ***** address 206.221.227.51 no-xauth
crypto isakmp key ***** address 206.221.227.91 no-xauth
crypto isakmp key ***** address 206.221.227.83 no-xauth
crypto isakmp key ***** address 192.168.50.253 no-xauth
!
crypto isakmp client configuration group sysadmin
key vpnclient
pool SDM_POOL_1
acl 100
!
crypto isakmp client configuration group remoteuser
key vpnclient
dns 192.168.255.108 192.168.255.109
domain hahn.int
pool vpnclient
netmask 255.255.255.0
!
!
crypto ipsec transform-set remoteaccess esp-3des esp-sha-hmac
crypto ipsec transform-set site_to_site esp-aes 256 esp-sha-hmac
crypto ipsec transform-set akh esp-3des esp-md5-hmac
crypto ipsec transform-set AES256SHATRAN esp-aes 256 esp-sha-hmac
mode transport
!
crypto dynamic-map remoteaccess 10
set transform-set remoteaccess
reverse-route
!
!
crypto map tunnels client authentication list userauthen
crypto map tunnels isakmp authorization list groupauthor
crypto map tunnels client configuration address respond
crypto map tunnels 30 ipsec-isakmp
description Tunnel To Carmel
set peer x.x.x.x
set transform-set site_to_site
match address CarmelVPN
crypto map tunnels 40 ipsec-isakmp
description Tunnel to Real Carmel
set peer x.x.x.x
set transform-set site_to_site
match address NewCarmelVPN
crypto map tunnels 50 ipsec-isakmp
description Tunnel to Real Carmel
set peer x.x.x.x
set transform-set site_to_site
match address FtWayneVPN
crypto map tunnels 60 ipsec-isakmp
description Tunnel to Louisville
set peer x.x.x.x
set transform-set site_to_site
match address Louisville
crypto map tunnels 70 ipsec-isakmp
description Tunnel to Real Carmel
set peer x.x.x.x
set transform-set site_to_site
match address ElkhartVPN
crypto map tunnels 80 ipsec-isakmp
description Tunnel to Bristol
set peer x.x.x.x
set transform-set site_to_site
match address BristolVPN
crypto map tunnels 90 ipsec-isakmp
description Tunnel to Bristol
set peer x.x.x.x
set transform-set AES256SHATRAN
match address LivoniaVPN
crypto map tunnels 65535 ipsec-isakmp dynamic remoteaccess
!
!
!
!
interface Tunnel1
description GRE Tunnel to Livonia
ip address 192.168.50.252 255.255.255.0
shutdown
tunnel source FastEthernet0/1
tunnel destination x.x.x.x
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-
bandwidth 3000
ip address 192.168.255.252 255.255.255.0
ip access-group 109 in
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address x.x.x.x 255.255.255.240
ip access-group 111 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map tunnels
!
ip local pool vpnclient 192.168.100.0 192.168.100.255
ip route 0.0.0.0 0.0.0.0 206.221.225.49
ip route 10.7.255.0 255.255.255.0 192.168.255.253
ip route 192.168.250.0 255.255.255.0 192.168.255.253
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.255.13 23 206.x.x.x.x route-map nonat extendable
ip nat inside source static tcp 192.168.255.108 12489 x.x.x.x 12489 extendable
ip nat inside source static tcp 192.168.255.109 12490 x.x.x.x 12490 extendable
ip nat inside source static tcp 192.168.255.106 12491 x.x.x.x 12491 extendable
ip nat inside source static tcp 192.168.255.110 25 x.x.x.x 25 extendable
ip nat inside source static tcp 192.168.255.110 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.255.110 443 x.x.x.x 443 extendable
!
ip access-list extended BristolVPN
permit ip 192.168.255.0 0.0.0.255 10.9.255.0 0.0.0.255
ip access-list extended CarmelVPN
permit ip 192.168.255.0 0.0.0.255 10.3.255.0 0.0.0.255
ip access-list extended ElkhartVPN
permit ip 192.168.255.0 0.0.0.255 10.15.255.0 0.0.0.255
ip access-list extended FtWayneVPN
permit ip 192.168.255.0 0.0.0.255 10.12.255.0 0.0.0.255
ip access-list extended LIVGREVPN
permit gre host 206.221.225.51 host 206.221.227.83
ip access-list extended LivoniaVPN
permit ip 192.168.255.0 0.0.0.255 10.7.255.0 0.0.0.255
ip access-list extended Louisville
permit ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
ip access-list extended NewCarmelVPN
permit ip 192.168.255.0 0.0.0.255 10.6.255.0 0.0.0.255
ip access-list extended SupplyWorxVPN
permit ip 192.168.255.0 0.0.0.255 10.4.255.0 0.0.0.255
ip access-list extended vpntunnels
!
logging trap debugging
logging 10.0.1.7
access-list 100 remark Cisco VPN Client ACL
access-list 100 permit ip 192.168.255.0 0.0.0.255 any
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.3.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.6.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.7.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.4.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.12.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.15.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.16.0.0 0.0.255.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.9.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 any
access-list 109 remark Inside access List
access-list 109 permit udp host 192.168.255.100 eq 1645 host 192.168.255.252
access-list 109 permit udp host 192.168.255.100 eq 1646 host 192.168.255.252
access-list 109 deny ip host 255.255.255.255 any
access-list 109 deny ip 127.0.0.0 0.255.255.255 any
access-list 109 permit ip any any
access-list 111 permit ip host 206.221.227.83 any
access-list 111 permit ip 10.9.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.6.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.15.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.12.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.3.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.7.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.5.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.4.255.0 0.0.0.255 192.168.255.0 0.0.0.255
access-list 111 permit ip 10.16.0.0 0.0.255.255 192.168.255.0 0.0.0.255
access-list 111 permit tcp any host 206.221.225.54 eq smtp
access-list 111 permit tcp any host 206.221.225.54 eq 443
access-list 111 permit tcp any host 206.221.225.54 eq www
access-list 111 permit tcp any host 206.221.225.53 eq telnet
access-list 111 permit tcp any host 206.221.225.53 range 12489 12491
access-list 111 permit ahp any host 206.221.225.51
access-list 111 permit esp any host 206.221.225.51
access-list 111 permit udp any host 206.221.225.51 eq isakmp
access-list 111 permit udp any host 206.221.225.51 eq non500-isakmp
access-list 111 permit icmp any any
access-list 111 deny ip 192.168.255.0 0.0.0.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any
access-list 111 deny ip 172.16.0.0 0.15.255.255 any
access-list 111 deny ip 192.168.0.0 0.0.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip host 0.0.0.0 any
access-list 111 deny ip any any log
no cdp run
!
!
!
route-map nonat permit 1
match ip address 103
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
session-timeout 5000
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178696
ntp source FastEthernet0/0
ntp server 192.168.255.108
end
Hahn1841#
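The check the accepted answer implies, as an added example (not code from the thread or from Cisco): it scans an IOS configuration for `ip nat inside source static tcp` port forwards whose inside host is also a source in a crypto-map ACL, and reports those with no route-map, or whose route-map ACL has no deny covering the tunnel's remote subnet. The sample config is constructed, 203.0.113.10 stands in for the masked public address, and only `permit|deny ip <net> <wildcard> <net> <wildcard>` entries are parsed (ACL entry order and `any`/`host` forms are ignored).

```python
import ipaddress
import re

# Constructed sample modelled on the main-office config posted in the thread.
# 203.0.113.10 is a documentation address standing in for the masked x.x.x.x.
SAMPLE_CONFIG = """\
crypto map tunnels 60 ipsec-isakmp
 match address Louisville
crypto map tunnels 30 ipsec-isakmp
 match address CarmelVPN
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.255.110 25 203.0.113.10 25 route-map nonat extendable
ip nat inside source static tcp 192.168.255.110 80 203.0.113.10 80 extendable
ip access-list extended Louisville
 permit ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
ip access-list extended CarmelVPN
 permit ip 192.168.255.0 0.0.0.255 10.3.255.0 0.0.0.255
access-list 103 deny ip 192.168.255.0 0.0.0.255 10.5.255.0 0.0.0.255
access-list 103 permit ip 192.168.255.0 0.0.0.255 any
route-map nonat permit 1
 match ip address 103
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
STATIC = re.compile(rf"ip nat inside source static tcp {IP} (\d+) \S+ \d+(?: route-map (\S+))?")
ACE = re.compile(rf"(?:access-list (\d+) )?(permit|deny) ip {IP} {IP} {IP} {IP}$")
HEADER = re.compile(r"(ip access-list extended|route-map) (\S+)")


def net(addr, wildcard):
    # ipaddress accepts an IOS wildcard (host mask) after the slash.
    return ipaddress.ip_network(f"{addr}/{wildcard}")


def audit_static_nat(config):
    """Return (port, tunnel_subnet, reason) for port forwards that still NAT tunnel traffic."""
    acls, rmap_acl, crypto_acls, statics, block = {}, {}, [], [], None
    for line in map(str.strip, config.splitlines()):
        if m := HEADER.match(line):
            block = m[2]  # name of the named ACL or route-map being defined
        elif m := STATIC.match(line):
            statics.append((ipaddress.ip_address(m[1]), int(m[2]), m[3]))
        elif m := ACE.match(line):
            entry = (m[2], net(m[3], m[4]), net(m[5], m[6]))
            acls.setdefault(m[1] or block, []).append(entry)
        elif m := re.match(r"match address (\S+)", line):
            crypto_acls.append(m[1])  # ACL that selects traffic for a tunnel
        elif m := re.match(r"match ip address (\S+)", line):
            rmap_acl[block] = m[1]  # ACL the route-map evaluates
    findings = []
    for host, port, rmap in statics:
        for name in crypto_acls:
            for action, src, dst in acls.get(name, []):
                if action != "permit" or host not in src:
                    continue  # this tunnel does not carry the server's traffic
                denies = acls.get(rmap_acl.get(rmap), []) if rmap else []
                exempt = any(a == "deny" and host in s and dst.subnet_of(d)
                             for a, s, d in denies)
                if not exempt:
                    reason = "not denied in route-map ACL" if rmap else "no route-map"
                    findings.append((port, str(dst), reason))
    return findings
```

Calling `audit_static_nat(SAMPLE_CONFIG)` flags port 25 for the 10.3.255.0/24 tunnel, which the constructed ACL 103 does not deny, and port 80 for both tunnels.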