RLComputing
asked on
Cisco 1841 - VPNPool - Change network addresses
Hi Experts,
I have a Cisco 1841 router supplying the VPN connection for my organization. Currently, the VPNPool is assigned addresses 192.168.2.50 thru 192.168.2.100. However, we are running out of addresses and I can not expand it any more within the 192.168.2.0/24 network. I did try changing the VPNPool to 192.168.20.100 thru 192.168.20.150, however when I did the end users (PPTP connections) where able to connect to the VPN and get the proper address and dns server but they where unable to access any of the local resources on the 192.168.2.0/24 network. I believe it was due to the access-list but ACL's are not my stong point. Does something need to be added to allow traffic from the 192.168.20.0/24 network?
Here is the config for VPN:
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool VPNpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
Thanks!
I have a Cisco 1841 router supplying the VPN connection for my organization. Currently, the VPNPool is assigned addresses 192.168.2.50 thru 192.168.2.100. However, we are running out of addresses and I can not expand it any more within the 192.168.2.0/24 network. I did try changing the VPNPool to 192.168.20.100 thru 192.168.20.150, however when I did the end users (PPTP connections) where able to connect to the VPN and get the proper address and dns server but they where unable to access any of the local resources on the 192.168.2.0/24 network. I believe it was due to the access-list but ACL's are not my stong point. Does something need to be added to allow traffic from the 192.168.20.0/24 network?
Here is the config for VPN:
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool VPNpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
Thanks!
Hello- I believe we need more information to troubleshoot your problem. Can you send us more of the config? Are you running NAT on this router? If so, it's possible that your device is NATing traffic bound to the 192.168.20.x network from the 192.168.2.x network. It'd be helpful to get more of your config, particulary the interfaces, NAT config, and crypto config, since the ACLs aren't labeled.
Can't see where your ACLs are applied, so that's part of the equation, but in general if you want to allow 192.168.20.x users to get to resources on 192.168.2.0/24, you would configure:
access-list yyy permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
Where you apply this depends on your topology. I don't see anything in the ACLs you listed that would block traffic destined for 192.168.2.0; your ACLs permit traffic if 192.168.2.0 is the source, not the destination. The syntax for ACLs is:
access-list zzz permit ip <source> <wildcard mask> <destination> <wildcard mask>
Be careful that your new subnet (192.168.20.0) gets injected into the routing somewhere, otherwise hosts that need to send traffic back to 192.168.20.0 won't know where to send it. This can be done through static routes, reverse route injection, etc.
access-list yyy permit ip 192.168.20.0 0.0.0.255 192.168.2.0 0.0.0.255
Where you apply this depends on your topology. I don't see anything in the ACLs you listed that would block traffic destined for 192.168.2.0; your ACLs permit traffic if 192.168.2.0 is the source, not the destination. The syntax for ACLs is:
access-list zzz permit ip <source> <wildcard mask> <destination> <wildcard mask>
Be careful that your new subnet (192.168.20.0) gets injected into the routing somewhere, otherwise hosts that need to send traffic back to 192.168.20.0 won't know where to send it. This can be done through static routes, reverse route injection, etc.
ASKER
Sorry about that. The full config is below. Here are the main devices
Cisco 1841 - 192.168.2.1 (VPN and RADIUS)
Windows Server 2003 with IAS - 192.168.2.28
DNS - 192.168.2.28
version 12.4
<!------->
aaa group server radius primary
server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
match access-group 100
class-map match-any VOIP-MAnagement
match access-group 102
class-map match-any VOIP-Control
match access-group 101
!
!
policy-map WAN-QOS
class VOIP-Stream
priority percent 75
set dscp ef
class VOIP-Control
priority percent 15
set dscp af41
class VOIP-MAnagement
priority percent 9
set dscp af21
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans171
match address 171
crypto map mymap 2 ipsec-isakmp
set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 173
crypto map mymap 4 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans174
match address 174
crypto map mymap 5 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 175
crypto map mymap 6 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 176
crypto map mymap 7 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 177
!
!
!
interface Loopback0
ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
description Tunnel to Remote Site #1
bandwidth 400
ip address 10.xxx.xxx.xxx 255.255.255.252
ip mtu 1390
ip route-cache flow
tunnel source Serial0/1/0.531
tunnel destination 208.xxx.xxx.xxx
tunnel key XXXXXXX
!
interface FastEthernet0/0
description <<Choice One Internet>>
ip address 10.XXX.XXX.XXX 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description << LAN >>
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Serial0/1/0
description Connection to GBLX Cloud
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
description Connection to GBLX MPLS
ip address 67.XXX.XXX.XXXX 255.255.255.252
no ip route-cache
no cdp enable
frame-relay interface-dlci 16
class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
description Connection to DIA
ip address 146.XXX.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache
no cdp enable
frame-relay interface-dlci 552
class Data-CLASS
crypto map mymap
!
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool VPNpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
router eigrp 500
network 10.XXX.XXX.XX 0.0.0.255
network 192.168.2.0
no auto-summary
eigrp stub connected summary
!
router bgp 60040
no synchronization
bgp log-neighbor-changes
network 10.XXX.XXX.XXX
network 192.168.0.0
aggregate-address 10.XXX.XXX.XXX 255.255.255.255
aggregate-address 10.XXX.XXX.XXX 255.255.255.0
aggregate-address 192.168.2.0 255.255.255.0
redistribute connected
neighbor 67.xxx.xxx.xxx remote-as 6745
neighbor 67.xxx.xxx.xxx description OSN->GlobalX
neighbor 67.xxx.xxx.xxx version 4
neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
no auto-summary
!
ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
frame-relay cir 1024000
frame-relay bc 10240
frame-relay be 0
frame-relay mincir 1024000
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority high
service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 5120
frame-relay mincir 512000
frame-relay fair-queue
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login authentication SASi
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end version 12.4
<!------->
aaa group server radius primary
server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
match access-group 100
class-map match-any VOIP-MAnagement
match access-group 102
class-map match-any VOIP-Control
match access-group 101
!
!
policy-map WAN-QOS
class VOIP-Stream
priority percent 75
set dscp ef
class VOIP-Control
priority percent 15
set dscp af41
class VOIP-MAnagement
priority percent 9
set dscp af21
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans171
match address 171
crypto map mymap 2 ipsec-isakmp
set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 173
crypto map mymap 4 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans174
match address 174
crypto map mymap 5 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 175
crypto map mymap 6 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 176
crypto map mymap 7 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 177
!
!
!
interface Loopback0
ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
description Tunnel to Remote Site #1
bandwidth 400
ip address 10.xxx.xxx.xxx 255.255.255.252
ip mtu 1390
ip route-cache flow
tunnel source Serial0/1/0.531
tunnel destination 208.xxx.xxx.xxx
tunnel key XXXXXXX
!
interface FastEthernet0/0
description <<Choice One Internet>>
ip address 10.XXX.XXX.XXX 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description << LAN >>
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Serial0/1/0
description Connection to GBLX Cloud
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
description Connection to GBLX MPLS
ip address 67.XXX.XXX.XXXX 255.255.255.252
no ip route-cache
no cdp enable
frame-relay interface-dlci 16
class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
description Connection to DIA
ip address 146.XXX.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache
no cdp enable
frame-relay interface-dlci 552
class Data-CLASS
crypto map mymap
!
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool testpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
router eigrp 500
network 10.XXX.XXX.XX 0.0.0.255
network 192.168.2.0
no auto-summary
eigrp stub connected summary
!
router bgp 60040
no synchronization
bgp log-neighbor-changes
network 10.XXX.XXX.XXX
network 192.168.0.0
aggregate-address 10.XXX.XXX.XXX 255.255.255.255
aggregate-address 10.XXX.XXX.XXX 255.255.255.0
aggregate-address 192.168.2.0 255.255.255.0
redistribute connected
neighbor 67.xxx.xxx.xxx remote-as 6745
neighbor 67.xxx.xxx.xxx description OSN->GlobalX
neighbor 67.xxx.xxx.xxx version 4
neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
no auto-summary
!
ip local pool testpool 192.168.2.75 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
frame-relay cir 1024000
frame-relay bc 10240
frame-relay be 0
frame-relay mincir 1024000
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority high
service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 5120
frame-relay mincir 512000
frame-relay fair-queue
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login authentication SASi
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end
Cisco 1841 - 192.168.2.1 (VPN and RADIUS)
Windows Server 2003 with IAS - 192.168.2.28
DNS - 192.168.2.28
version 12.4
<!------->
aaa group server radius primary
server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
match access-group 100
class-map match-any VOIP-MAnagement
match access-group 102
class-map match-any VOIP-Control
match access-group 101
!
!
policy-map WAN-QOS
class VOIP-Stream
priority percent 75
set dscp ef
class VOIP-Control
priority percent 15
set dscp af41
class VOIP-MAnagement
priority percent 9
set dscp af21
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans171
match address 171
crypto map mymap 2 ipsec-isakmp
set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 173
crypto map mymap 4 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans174
match address 174
crypto map mymap 5 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 175
crypto map mymap 6 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 176
crypto map mymap 7 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 177
!
!
!
interface Loopback0
ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
description Tunnel to Remote Site #1
bandwidth 400
ip address 10.xxx.xxx.xxx 255.255.255.252
ip mtu 1390
ip route-cache flow
tunnel source Serial0/1/0.531
tunnel destination 208.xxx.xxx.xxx
tunnel key XXXXXXX
!
interface FastEthernet0/0
description <<Choice One Internet>>
ip address 10.XXX.XXX.XXX 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description << LAN >>
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Serial0/1/0
description Connection to GBLX Cloud
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
description Connection to GBLX MPLS
ip address 67.XXX.XXX.XXXX 255.255.255.252
no ip route-cache
no cdp enable
frame-relay interface-dlci 16
class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
description Connection to DIA
ip address 146.XXX.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache
no cdp enable
frame-relay interface-dlci 552
class Data-CLASS
crypto map mymap
!
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool VPNpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
router eigrp 500
network 10.XXX.XXX.XX 0.0.0.255
network 192.168.2.0
no auto-summary
eigrp stub connected summary
!
router bgp 60040
no synchronization
bgp log-neighbor-changes
network 10.XXX.XXX.XXX
network 192.168.0.0
aggregate-address 10.XXX.XXX.XXX 255.255.255.255
aggregate-address 10.XXX.XXX.XXX 255.255.255.0
aggregate-address 192.168.2.0 255.255.255.0
redistribute connected
neighbor 67.xxx.xxx.xxx remote-as 6745
neighbor 67.xxx.xxx.xxx description OSN->GlobalX
neighbor 67.xxx.xxx.xxx version 4
neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
no auto-summary
!
ip local pool VPNpool 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
frame-relay cir 1024000
frame-relay bc 10240
frame-relay be 0
frame-relay mincir 1024000
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority high
service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 5120
frame-relay mincir 512000
frame-relay fair-queue
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login authentication SASi
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end version 12.4
<!------->
aaa group server radius primary
server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
revocation-check none
rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
match access-group 100
class-map match-any VOIP-MAnagement
match access-group 102
class-map match-any VOIP-Control
match access-group 101
!
!
policy-map WAN-QOS
class VOIP-Stream
priority percent 75
set dscp ef
class VOIP-Control
priority percent 15
set dscp af41
class VOIP-MAnagement
priority percent 9
set dscp af21
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans171
match address 171
crypto map mymap 2 ipsec-isakmp
set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 173
crypto map mymap 4 ipsec-isakmp
set peer 67.XXX.XXX.XXX
set transform-set trans174
match address 174
crypto map mymap 5 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 175
crypto map mymap 6 ipsec-isakmp
set peer 72.XXX.XXX.XXX
set transform-set trans171
match address 176
crypto map mymap 7 ipsec-isakmp
set peer 208.XXX.XXX.XXX
set transform-set trans171
match address 177
!
!
!
interface Loopback0
ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
description Tunnel to Remote Site #1
bandwidth 400
ip address 10.xxx.xxx.xxx 255.255.255.252
ip mtu 1390
ip route-cache flow
tunnel source Serial0/1/0.531
tunnel destination 208.xxx.xxx.xxx
tunnel key XXXXXXX
!
interface FastEthernet0/0
description <<Choice One Internet>>
ip address 10.XXX.XXX.XXX 255.255.255.0
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description << LAN >>
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
speed auto
full-duplex
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Serial0/1/0
description Connection to GBLX Cloud
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
no ip route-cache cef
no ip route-cache
service-module t1 timeslots 1-24
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
description Connection to GBLX MPLS
ip address 67.XXX.XXX.XXXX 255.255.255.252
no ip route-cache
no cdp enable
frame-relay interface-dlci 16
class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
description Connection to DIA
ip address 146.XXX.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
no ip route-cache
no cdp enable
frame-relay interface-dlci 552
class Data-CLASS
crypto map mymap
!
interface Virtual-Template1
ip unnumbered Serial0/1/0.531
peer default ip address pool testpool
ppp max-bad-auth 3
ppp authentication ms-chap-v2
!
router eigrp 500
network 10.XXX.XXX.XX 0.0.0.255
network 192.168.2.0
no auto-summary
eigrp stub connected summary
!
router bgp 60040
no synchronization
bgp log-neighbor-changes
network 10.XXX.XXX.XXX
network 192.168.0.0
aggregate-address 10.XXX.XXX.XXX 255.255.255.255
aggregate-address 10.XXX.XXX.XXX 255.255.255.0
aggregate-address 192.168.2.0 255.255.255.0
redistribute connected
neighbor 67.xxx.xxx.xxx remote-as 6745
neighbor 67.xxx.xxx.xxx description OSN->GlobalX
neighbor 67.xxx.xxx.xxx version 4
neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
no auto-summary
!
ip local pool testpool 192.168.2.75 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAn for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
frame-relay cir 1024000
frame-relay bc 10240
frame-relay be 0
frame-relay mincir 1024000
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority high
service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
frame-relay cir 512000
frame-relay bc 5120
frame-relay be 5120
frame-relay mincir 512000
frame-relay fair-queue
frame-relay interface-queue fair queue-limit 32
frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel. Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
privilege level 15
login authentication SASi
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end
ASKER
Forgot to mention, when I did change the VPNPool to 192.168.20.0 network, I added the following to the config:
ip route 192.168.20.0 255.255.255.0 146.xxx.xxx.xxx
ip route 192.168.20.0 255.255.255.0 146.xxx.xxx.xxx
Does the 192.168.20.0 pool exist over on the other device, reachable by 146.xxx.xxx.xxx?
ASKER
What would you be referring by the other device? The 146.xxx.xxx.xxx is our ISP default gateway.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
thank you. I will have to make this changes this evening and see how it goes. In the meantime, I'm going to read up on ACL's :)