Solved

Dual WAN on Cisco 1841

Posted on 2012-04-10
11
602 Views
Last Modified: 2013-05-15
I currently have a Cisco 1841 with the two embedded NIC's, one is for inside and the other is for the outside. The outside has five staic IP's and we have some one to one NAT's and ports mapped to inside devices. We need to add a second WAN for redundancy, the new connection will have static IP's as well. We want normal web brousing and VPN traffic to use the second WAN connection and if it goes offline all the traffic should use the original WAN. Also the original WAN will be used primarily for server traffic (i.e. smtp, web.....).
When I added the new HWIC and configured it for the backup ISP, I was able to browse the internet but all traffic stopped flowing for the original WAN, no smtp or other traffic at all.

What am I doing wrong, is there a way to have primary web going through my second  WAN and if it goes offline all traffic failover to the primary WAN? Also can both WAN connections have NAT'ing to inside devices, even NAT'ing of the same port number like 25?
0
Comment
Question by:telcoengineer
  • 7
  • 4
11 Comments
 
LVL 15

Expert Comment

by:wingatesl
ID: 37828017
It is quite doable. Please post your config (after masking your external IP info). Typically you will create a route map for each outside connection and use this on your nat overlaod statements. For dual inbound access you will put 2 ip addresses on the target servers and use a route map to handle the return traffic. For failover you will use a SLA and track statements to manage your routing table.
0
 

Author Comment

by:telcoengineer
ID: 37828315
Thanks for the reply wingatesl,  her is the config, note that FA0/0/0 will be the new internet connection.
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUmzSz/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2329787546
 revocation-check none
 rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
  30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
  38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
  E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
  2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
  EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
  81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
  23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
  1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
  4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
  71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
  BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
  D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
  5E543557 C0619FA9 DB3D7B9C 07
        quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfUf]UZETXA`J address VPN-b no-xauth
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaRBUffGb[RbW address VPN-a no-xauth
!
crypto isakmp client configuration group remoteteam
 key 6 256axxess
 dns 192.168.250.220
 wins 192.168.250.220
 domain kinter.local
 pool ssl
 acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
 set transform-set 3DES
 reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
 set peer VPN-a
 set transform-set esp-aes-sha
 match address 160
crypto map vpn 20 ipsec-isakmp
 set peer VPN-b
 set transform-set esp-aes-sha
 match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$
 ip address 192.168.250.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address A.A.A.234 255.255.255.248
 ip flow ingress
 ip flow egress
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly in
 speed auto
 full-duplex
 crypto map vpn
!
interface FastEthernet0/0/0
 description Comcast WAN
 ip address B.B.B.B
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly in
 shutdown
 speed auto
 full-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 192.168.250.253 2020
 enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
 permit tcp any host A.A.A.236 eq 443
 permit tcp any host A.A.A.236 eq 22
 permit tcp any host A.A.A.236 eq 4000
 permit tcp any host A.A.A.236 eq 44000
 permit tcp any host A.A.A.236 eq 5566
 permit udp any host A.A.A.236 eq 5567
 permit udp host A.A.A.236 any range 5004 5069
 permit udp host A.A.A.236 any range 6004 6604
 permit udp host A.A.A.236 any eq tftp
 permit tcp host A.A.A.236 any range 6800 6802
 permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny   ip A.A.A.232 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
 match ip address 102
!
route-map mitel_NAT permit 10
 match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
-----------------------------------------------------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
-----------------------------------------------------------------------

^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 37833025
Lets start with simple failover. Once that is done, we will work on the redundant inbound connections.
This is what you will need to change in your existing config;

! Create the route-maps for the nat overload statements

Route-Map ISP1 permit 10
 match ip address 102
 match interface FastEthernet0/1
Route-Map ISP2 permit 10
 match ip address 102
 match interface FastEthernet0/0/0

! delete your old overload statement and add new using the route-maps. Notice the routemap relation to the interface
no ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP1 interface FastEthernet0/1 overload
ip nat inside source route-map ISP2 interface FastEthernet0/0/0 overload


! Create a sla to track the reachability of a public ip address
ip sla 1
icmp-echo 4.2.2.2
timeout 500
threshold 2
frequency 3
ip sla schedule 1 life forever start now

! track the sla reachability status

track 1 ip sla reach

! remove your current default route and replace it with a permanent route to your tracked object, and then a route
! to your primary ISP that uses your track statement. Add a route for the second ISP with a higher metric.  
no ip route 0.0.0.0
ip route 4.2.2.2 255.255.255.255 <ISP1 Gateway> permanent
ip route 0.0.0.0 0.0.0.0 <ISP1 Gateway> track 1
ip route 0.0.0.0 0.0.0.0 <ISP2 Gateway> 10


In the event the first ISP does not allow the sla to return ok, the router will remove the traced route and the secondary will take over.
0
 

Author Comment

by:telcoengineer
ID: 37833766
So ISP1 would the Internet that I want to be primary, correct?
0
 

Author Comment

by:telcoengineer
ID: 37852195
Sorry for the late response, I did as you suggested and I was able to have the traffice use my preffered ISP2 and once I unplugged the connection to that ISP2 the IPS1 kicked in within about 2 minutes. Not sure if thats normal or not.
However when I did that all of my NAT'ed traffic from ISP1 stopped as well as teh VPN tunnels, that is the original WAN connection and NAT'ed IP's on FA0/1. So I removed all of the added statements to take the router back to original config.
Is there something that I overlooked, should my NAT'ing have stopped?
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 15

Expert Comment

by:wingatesl
ID: 37852275
The natting should have stopped. We wanted to start with simple failover. In order to failover the inbound NAT, you will need to add a secondary IP address to the internal servers, then you will create a nat statement for each new IP to  the secondary ISP. We will then create a route-map to "push" traffic from the secondary IP to the new internet connection. For the VPN that is going to be a lot more work, and should be the subject of another post.  Is it a router at the other end, and do they have two connections as well?

Please set the secondary addresses on your natted servers and write back what they are and I will help you build the nat statements and route-map.
0
 

Author Comment

by:telcoengineer
ID: 37927285
hi wingatsel,

sorry for not getting back sooner, I had an accident thats kept me incapacitated for a while.

my sbs server is 192.168.250.220  the secondary ip will be 192.168.250.111
terminal serv  is 192.168.250.253 the secondary ip will be 192.168.250.153
NVR                 is 192.168.250.213 the secondary ip will be 192.168.250.113

I am not sure how to handle the phone system, we have remote IP phones, the system does not support alternate IP addresses
0
 
LVL 15

Expert Comment

by:wingatesl
ID: 37927301
Can you post a current sanitized config please.
0
 

Author Comment

by:telcoengineer
ID: 38146969
The current config is the same as the original posted.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$JVzu$X0UtR94gX5y2BJLlUmzSz/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
clock timezone America -6 0
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip domain name mydomain.local
ip name-server 192.168.250.220
ip name-server 134.215.200.126
!
multilink bundle-name authenticated
!
password encryption aes
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2329787546
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2329787546
 revocation-check none
 rsakeypair TP-self-signed-2329787546
!
!
crypto pki certificate chain TP-self-signed-2329787546
 certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333239 37383735 3436301E 170D3032 30333031 30303233
  30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33323937
  38373534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C592 65F1B188 9C2C7EE7 1A4C144A 96F6E756 529370C9 BD3167F7 2792D647
  E17AF456 93FCC326 2F9A8463 4C69A428 BD953751 713D7107 B67DE1F1 C80A1D41
  2D729491 70E0F1E8 5B18E761 1936F24F 12D89B7B 4E6DEF95 3B95ADB0 B45734E2
  EED5420F F6F0856A 3870173E 9C25289B C7A644AE 4B70DD7B D8606E09 073C026B
  81DD0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 11676174 652E6B69 6E746572 2E6C6F63 616C301F 0603551D
  23041830 16801484 D9B8BC54 979D30BA 01B6D312 EC869847 C6001930 1D060355
  1D0E0416 041484D9 B8BC5497 9D30BA01 B6D312EC 869847C6 0019300D 06092A86
  4886F70D 01010405 00038181 00053529 C47B72B5 628D3354 60C27C15 6E738CBD
  71956D14 AAB03688 DA38B696 1F3C599A 6A350B09 4CE441CC 8EA1DA8F 07AA2844
  BEB2315B 7A93C73A 4A008F63 AD8A9386 F561D3D5 86BB20DD 54DD097F 3FBA68DA
  D65DCC3B DF89B8FF E30D9FCA 5064F0F4 65226C70 0E4DC779 70D40D8D EC50F1E8
  5E543557 C0619FA9 DB3D7B9C 07
        quit
!
!
license udi pid CISCO1841 sn FTX0916Y0JY
username admin privilege 15 secret 5 nachos
!
redundancy
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 5
crypto isakmp key 6 gJETIgWRbXRJUQYdc\BUfMXCfUf]UZETXA`J address VPN-b no-xauth
crypto isakmp key 6 HMBPbO[M_WdN]TOSII`NbWiSaRBUffGb[RbW address VPN-a no-xauth
!
crypto isakmp client configuration group remoteteam
 key 6 256axxess
 dns 192.168.250.220
 wins 192.168.250.220
 domain kinter.local
 pool ssl
 acl 162
!
!
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto dynamic-map MyMap 10
 set transform-set 3DES
 reverse-route
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
 set peer VPN-a
 set transform-set esp-aes-sha
 match address 160
crypto map vpn 20 ipsec-isakmp
 set peer VPN-b
 set transform-set esp-aes-sha
 match address 161
crypto map vpn 65535 ipsec-isakmp dynamic MyMap
!
!
!
!
!
interface FastEthernet0/0
 description $FW_INSIDE$$ETH-LAN$$ETH-SW-LAUNCH$
 ip address 192.168.250.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address A.A.A.234 255.255.255.248
 ip flow ingress
 ip flow egress
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly in
 speed auto
 full-duplex
 crypto map vpn
!
interface FastEthernet0/0/0
 description Comcast WAN
 ip address B.B.B.B
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly in
 shutdown
 speed auto
 full-duplex
 crypto map vpn
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
!
!
router eigrp 33
!
ip local pool ssl 192.168.10.1 192.168.10.20
no ip forward-protocol nd
ip http server
ip http secure-server
!
ip flow-cache timeout active 1
ip flow-export source FastEthernet0/1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.250.253 2020
ip flow-aggregation cache as
 cache entries 2046
 cache timeout inactive 200
 cache timeout active 45
 export destination 192.168.250.253 2020
 enabled
!
!
ip nat inside source route-map RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.250.220 25 A.A.A.234 25 extendable
ip nat inside source static tcp 192.168.250.220 443 A.A.A.234 443 extendable
ip nat inside source static tcp 192.168.250.220 587 A.A.A.234 587 extendable
ip nat inside source static tcp 192.168.250.220 993 A.A.A.234 993 extendable
ip nat inside source static tcp 192.168.250.37 3389 A.A.A.234 1065 extendable
ip nat inside source static tcp 192.168.250.253 3389 A.A.A.234 3389 extendable
ip nat inside source static tcp 192.168.250.213 8080 A.A.A.234 8080 extendable
ip nat inside source static 192.168.250.249 A.A.A.235 extendable
ip nat inside source static 192.168.250.223 A.A.A.236 route-map mitel_NAT
ip route 0.0.0.0 0.0.0.0 A.A.A.233 permanent
!
ip access-list extended mitel
 permit tcp any host A.A.A.236 eq 443
 permit tcp any host A.A.A.236 eq 22
 permit tcp any host A.A.A.236 eq 4000
 permit tcp any host A.A.A.236 eq 44000
 permit tcp any host A.A.A.236 eq 5566
 permit udp any host A.A.A.236 eq 5567
 permit udp host A.A.A.236 any range 5004 5069
 permit udp host A.A.A.236 any range 6004 6604
 permit udp host A.A.A.236 any eq tftp
 permit tcp host A.A.A.236 any range 6800 6802
 permit udp host A.A.A.236 any range 50098 50508
!
logging esm config
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any host 192.168.250.254
access-list 100 deny   ip A.A.A.232 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 101 permit icmp any host A.A.A.234 echo-reply
access-list 101 permit icmp any host A.A.A.234 time-exceeded
access-list 101 permit icmp any host A.A.A.234 unreachable
access-list 101 permit tcp any host A.A.A.234 eq 3389
access-list 101 permit tcp any host A.A.A.234 eq 1065
access-list 101 permit tcp any host A.A.A.234 eq 443
access-list 101 permit tcp any host A.A.A.234 eq 993
access-list 101 permit tcp any host A.A.A.234 eq 587
access-list 101 permit tcp any host A.A.A.234 eq smtp
access-list 101 permit udp any host A.A.A.234 eq non500-isakmp
access-list 101 permit udp any host A.A.A.234 eq isakmp
access-list 101 permit esp any host A.A.A.234
access-list 101 permit tcp any host A.A.A.234 eq 22
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 102 permit ip any any
access-list 160 permit ip 192.168.250.0 0.0.0.255 192.168.230.0 0.0.0.255
access-list 161 permit ip 192.168.250.0 0.0.0.255 192.168.220.0 0.0.0.255
access-list 162 permit ip 192.168.250.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
route-map RMAP_1 permit 1
 match ip address 102
!
route-map mitel_NAT permit 10
 match ip address mitel
!
!
!
!
control-plane
!
!
banner login ^C
-----------------------------------------------------------------------
For Support Call 1-847-249-2027
Allied Tele-Com
-----------------------------------------------------------------------

^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 69.65.40.29
end
0
 

Accepted Solution

by:
telcoengineer earned 0 total points
ID: 38329914
Can anyone please help us on this?
0
 

Author Closing Comment

by:telcoengineer
ID: 39167390
no responses
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now