Router Configuration With ADSL / SHDSL Local LAN, DMZ. WebVPN, Normal VPN

The router configuration that I made with a colleague. It is a configuration with an ADSL connection and an SHDSL connection.
The configuration has a local LAN IP and a DMZ IP. You can use this configuration as a starting point and create a new config for your own solution. If you have any questions about it, do not hesitate to contact me.

You will find some Dutch words (like naar, which means TO).

Building configuration…
 
Current configuration : 21094 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname < Hostname >
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
enable password < password >
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login CVPN group radius
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1719397329
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1719397329
 revocation-check none
 rsakeypair TP-self-signed-1719397329
!
!
crypto pki certificate chain TP-self-signed-1719397329
 certificate self-signed 01
  < Will be created on its own >
        quit
crypto pki certificate storage flash:/certificat/
!
!
ip cef
!
!
ip domain name < domain name >
ip name-server < dns server 1 >
ip name-server < dns server 2 >
ip inspect name FW_Dialer10_IN tcp
ip inspect name FW_Dialer10_IN udp
ip inspect name FW_Dialer10_IN icmp
ip inspect name FW_Dialer10_IN ftp
ip inspect name FW_Dialer10_IN ssh
ip inspect name FW_Dialer10_IN ntp
ip inspect name FW_Dialer10_IN isakmp
ip inspect name FW_Dialer10_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT icmp
ip inspect name FW_Dialer10_OUT ftp
ip inspect name FW_Dialer10_OUT rtsp
ip inspect name FW_Dialer10_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT tcp router-traffic
ip inspect name FW_Dialer10_OUT udp router-traffic
ip inspect name FW_Dialer11_IN tcp
ip inspect name FW_Dialer11_IN udp
ip inspect name FW_Dialer11_IN icmp
ip inspect name FW_Dialer11_IN ftp
ip inspect name FW_Dialer11_IN ssh
ip inspect name FW_Dialer11_IN ntp
ip inspect name FW_Dialer11_IN isakmp
ip inspect name FW_Dialer11_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT icmp
ip inspect name FW_Dialer11_OUT rtsp
ip inspect name FW_Dialer11_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT tcp router-traffic
ip inspect name FW_Dialer11_OUT udp router-traffic
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips notify SDEE
ip ips name IPS_Dialer10_OUT
ip ips name IPS_Dialer10_IN
ip ips name IPS_Dialer11_OUT
ip ips name IPS_Dialer11_IN
!
multilink bundle-name authenticated
!
async-bootp dns-server < internal dns server >
async-bootp nbns-server < internal nbns server >
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username < name > password < password >
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group < Group Name >
 key < key name >
 dns < internal dns server >
 wins < internal wins server >
 domain < domain name >
 pool VPNCLIENT
 acl ACL_VPN
 save-password
 split-dns < domain name >
 backup-gateway < backup gateway >
 netmask 255.255.255.0
crypto isakmp profile CIP_CVPN_CLIENT
   match identity group < Group Name >
   client authentication list CVPN
   isakmp authorization list CVPN
   client configuration address respond
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CDM_CVPN_CLIENT 10
 set transform-set CIT_CVPN_CLIENT
 set isakmp-profile CIP_CVPN_CLIENT
!
!
crypto map CMP_CVPN_CLIENT 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
!
archive
 log config
  hidekeys
!
!
controller DSL 0/1/0
 mode atm
 line-term cpe
 line-mode auto enhanced
 dsl-mode shdsl symmetric annex B
 description < Description line >
!
ip ssh rsa keypair-name RSA_SSH
!
track 10 rtr 10 reachability
!
track 12 rtr 12 reachability
!
!
!
!
interface Loopback10
 description Bypass NAT for IPsec traffic
 ip address 1.1.192.1 255.255.255.0
!
interface Loopback252
 description Cisco SSL VPN Client for WebVPN
 ip address < loopback address >
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
!
interface Null0
 no ip unreachables
!
interface GigabitEthernet0/0
 description < LAN Description >
 ip address < Lan IP Address >
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_GigabitEthernet0/0_NO_NAT
 duplex auto
 speed auto
 hold-queue 100 in
 hold-queue 100 out
!
interface GigabitEthernet0/1
 description DMZ to Webserver
 ip address < DMZ IP address >
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache policy
 ip route-cache flow
 ip policy route-map RMP_GigabitEthernet0/1_NO_NAT
 duplex auto
 speed auto
 hold-queue 100 in
 hold-queue 100 out
!
interface ATM0/0/0
 description < Adsl description >
 no ip address
 no ip route-cache cef
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/48 < can vary depending on your ISP >
  encapsulation aal5mux ppp dialer
  dialer pool-member 10
 !
!
interface ATM0/1/0
 description < shdsl description >
 no ip address
 no ip route-cache cef
 no ip route-cache
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 pvc 0 0/35 < can vary depending on your ISP >
  encapsulation aal5mux ppp dialer
  dialer pool-member 11
 !
!
interface Dialer10
 description connected to ATM0 - ADSL over Pots -
 ip address negotiated
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect FW_Dialer10_IN in
 ip inspect FW_Dialer10_OUT out
 ip ips IPS_Dialer10_IN in
 ip ips IPS_Dialer10_OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 10
 dialer idle-timeout 0
 dialer persistent
 dialer-group 10
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username < username@ISP.xxx > password < password >
 crypto map CMP_CVPN_CLIENT
!
interface Dialer11
 description connected to ATM0 - SDSL
 ip address negotiated
 ip access-group ACL_Dialer11_IN in
 ip access-group ACL_Dialer11_OUT out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect FW_Dialer11_IN in
 ip inspect FW_Dialer11_OUT out
 ip ips IPS_Dialer11_IN in
 ip ips IPS_Dialer11_OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 11
 dialer idle-timeout 0
 dialer persistent
 dialer-group 11
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username < username@ISP.xxx > password < password >
 crypto map CMP_CVPN_CLIENT
!
ip local policy route-map RMP_LOCAL_POLICY
ip local pool VPNCLIENT < VPN IP Range DHCP Pool >
ip local pool ILP_WVPN_CLIENT < WebVPN IP Range DHCP Pool >
no ip forward-protocol nd
ip route < VPN IP Range with subnetmask > Dialer11 track 10
ip route 0.0.0.0 0.0.0.0 Dialer10 track 12
ip route 0.0.0.0 0.0.0.0 Dialer11 200
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route < VPN IP Range with subnetmask > Dialer10 200
ip route 192.168.0.0 255.255.0.0 Null0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat translation timeout 300
ip nat inside source route-map RMP_Dialer10_OVERLOAD interface Dialer10 overload
ip nat inside source route-map RMP_Dialer11_OVERLOAD interface Dialer11 overload
ip nat inside source static tcp < local IP > 3389 < external IP > 3389 extendable
!
ip access-list standard ACL_VTY04_IN
 permit < ip range who has access for telnet >
!
ip access-list extended ACL_Dialer10_IN
 remark VPN
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit ip < VPN IP Range to Local LAN ip with both wild cards >
 permit ip < VPN IP Range to Local DMZ ip with both wild cards >
 remark router poorten
 permit tcp any any eq 22
 permit udp any any eq ntp
 permit udp any any eq snmp
 remark < servername >
 permit tcp any any eq 3389
 remark < servername >
 permit tcp any any eq www
 permit tcp any any eq 443
 remark < servername >
 permit tcp any any eq smtp
 remark ABN-AMRO OfficeNet Extra
 permit tcp host 193.172.44.45 any
 permit tcp host 193.172.44.78 any
 permit tcp host 194.151.107.44 any
 permit tcp host 194.151.107.76 any
 remark Anti-spoofing
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended ACL_Dialer10_OUT
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 remark Standard WWW services
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq nntp
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq ntp
 remark Belastingdienst
 permit tcp any any eq 143
 permit tcp any any eq 587
 remark LDAP
 permit tcp any any eq 389
 remark HDN Lite
 permit tcp any any eq 1150
 remark Rabobank Telebankieren Extra
 permit tcp any any eq 2901
 remark Citrix ICA
 permit tcp any any eq 1494
 permit tcp any any eq 2598
 remark Windows Media
 permit tcp any any eq 1755
 remark Windows Messenger
 permit tcp any any eq 1863
 permit udp any any range 1024 65535
 permit tcp any any range 6891 6900
 remark Microsoft RDP
 permit tcp any any eq 3389
 permit icmp any any
 remark Mcafee
 permit tcp any any eq 8801
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended ACL_Dialer10_OVERLOAD
 deny   ip < local LAN IP Range to VPN IP Range with wildcards >
 deny   ip < local DMZ IP Range to VPN IP Range with wildcards >
 permit ip < Local LAN IP Range with wildcard > any
 permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_Dialer11_IN
 remark VPN
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit ip < VPN IP Range to Local LAN ip with both wild cards >
 permit ip < VPN IP Range to Local DMZ ip with both wild cards >
 remark router poorten
 permit tcp any any eq 22
 permit udp any any eq snmp
 remark SSL VPN
 permit tcp any host < SSL VPN IP ADDRESS > eq www
 permit tcp any host < SSL VPN IP ADDRESS > eq 443
 remark < servername >
 permit tcp any host < 2nd External IP > eq 3389
 remark XCH01
 permit tcp any host < 1st External IP > eq 3389
 remark < servername >
 permit tcp any host < 3rd External IP > eq www
 permit tcp any host < 3rd External IP > eq 443
 permit tcp any host < 3rd External IP > eq 3389
 remark < servername >
 permit tcp any host < 4th External IP > eq 3389
 remark Anti-spoofing
 deny   ip host 0.0.0.0 any
 deny   ip host 255.255.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 224.0.0.0 15.255.255.255 any
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   icmp any any
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended ACL_Dialer11_OUT
 remark VPN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq non500-isakmp any
 permit esp any any
 permit gre any any
 permit tcp any any eq 1723
 remark Standard WWW services
 permit tcp any any eq www
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit tcp any any eq ftp-data
 permit tcp any any eq pop3
 permit tcp any any eq nntp
 permit tcp any any eq 22
 permit tcp any any eq telnet
 permit udp any any eq ntp
 remark Belastingdienst
 permit tcp any any eq 143
 permit tcp any any eq 587
 remark LDAP
 permit tcp any any eq 389
 remark HDN Lite
 permit tcp any any eq 1150
 remark Rabobank Telebankieren Extra
 permit tcp any any eq 2901
 remark Citrix ICA
 permit tcp any any eq 1494
 permit tcp any any eq 2598
 remark Windows Media
 permit tcp any any eq 1755
 remark Windows Messenger
 permit tcp any any eq 1863
 permit udp any any range 1024 65535
 permit tcp any any range 6891 6900
 remark Microsoft RDP
 permit tcp any any eq 3389
 permit icmp any any
 remark Mcafee
 permit tcp any any eq 8801
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip any any
ip access-list extended ACL_Dialer11_OVERLOAD
 deny   ip < local LAN IP Range to VPN IP Range with wildcards >
 deny   ip < local DMZ IP Range to VPN IP Range with wildcards >
 permit ip < Local LAN IP Range with wildcard > any
 permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_GigabitEthernet0/0_NO_NAT
 permit ip < local LAN IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_GigabitEthernet0/1_NO_NAT
 permit ip < local DMZ IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_NAAR_ISP
 remark Ping dns
 permit icmp any host < ISP dns > echo
ip access-list extended ACL_SDSL_REDIRECT
 remark VPN
 deny   ip any < VPN IP Range with wild card >
 remark < servername > (< domain name application >)
 permit tcp host < DMZ IP address > eq www any
 permit tcp host < DMZ IP address > eq 443 any
 permit tcp host < DMZ IP address > eq 3389 any
 remark < servername > (servername.domain name)
 permit tcp host < LAN IP Exchange server > eq 3389 any
 remark < servername > (servername.domain name)
 permit tcp host < LAN IP server > eq 3389 any
 remark < servername > (remote.domain name)
 permit tcp host < LAN IP Terminal server > eq 3389 any
ip access-list extended ACL_VPN
 permit ip < local LAN IP Range to VPN IP Range with wildcards >
 permit ip < local DMZ IP Range to VPN IP Range with wildcards >
!
ip sla 10
 icmp-echo < first hop >  source-interface Dialer11
ip sla schedule 10 life forever start-time now
ip sla 12
 icmp-echo < first hop > source-interface Dialer10
ip sla schedule 12 life forever start-time now
ip sla 80
 http get http://www.google.nl/ name-server < dns server 1 > cache disable
 threshold 500
 tag Google
 frequency 300
ip sla schedule 80 life forever start-time now
no logging trap
access-list 21 remark ------------------------------------------
access-list 21 remark SNMP
access-list 21 remark ------------------------------------------
access-list 21 permit < IP address >
access-list 21 permit < IP Range external >
access-list 21 permit < IP Range Local LAN >
access-list 21 permit < IP Range Local DMZ >
access-list 110 remark ------------------------------------------
access-list 110 remark Dialer-list 10, Dialer10
access-list 110 remark ------------------------------------------
access-list 110 permit ip any any
access-list 120 remark ------------------------------------------
access-list 120 remark Dialer-list 11
access-list 120 remark ------------------------------------------
access-list 120 permit ip any any
dialer-list 10 protocol ip list 110
dialer-list 11 protocol ip list 120
snmp-server community mrtg RO 21
snmp-server location < Location Name >
snmp-server contact < Contact information >
snmp-server enable traps tty
snmp-server enable traps frame-relay multilink bundle-mismatch
!
!
!
route-map RMP_LOCAL_POLICY permit 10
 match ip address ACL_NAAR_ISP
 set ip next-hop < First hop see tracert / Traceroute >
 set interface Null0
!        
route-map RMP_GigabitEthernet0/1_NO_NAT permit 10
 match ip address ACL_GigabitEthernet0/1_NO_NAT
 set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/1_NO_NAT permit 12
 match ip address ACL_SDSL_REDIRECT
 set interface Dialer11
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 10
 match ip address ACL_GigabitEthernet0/0_NO_NAT
 set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 12
 match ip address ACL_SDSL_REDIRECT
 set interface Dialer11
!
route-map RMP_Dialer11_OVERLOAD permit 10
 match ip address ACL_Dialer11_OVERLOAD
 match interface Dialer11
!
route-map RMP_Dialer10_OVERLOAD permit 10
 match ip address ACL_Dialer10_OVERLOAD
 match interface Dialer10
!
!
!
radius-server host < Radius server IP Address > auth-port 1645 acct-port 1646 key < Password >
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd #
*************************************************************
This system is restricted to authorized users for legitimate
purposes and is subject to audit. The unauthorized access,
use or modification of computer systems or the data contained
therein or in transit to/from, may be illegal.
*************************************************************
#
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 1800 0
 timeout login response 200
 privilege level 15
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17179872
ntp update-calendar
sntp server 145.24.129.6
sntp server 213.239.154.12
sntp server 193.79.237.14
sntp broadcast client
!
end
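An added check, written for this page and not part of the configuration above: a small Python script that parses a running-config excerpt the way IOS indents it and reports two things worth catching before a config like this goes live. First, an ip access-group that names an ACL the config never defines; IOS treats an undefined or empty ACL as permit any, so a typo such as ACL_Dailer10_IN in the list definition while the interface applies ACL_Dialer10_IN quietly switches the inbound filter off. Second, vty lines whose transport input still accepts telnet. The excerpt it runs on is constructed and reduced to what the checks need.

```python
import re
from typing import Iterator, List, Set, Tuple

# Constructed excerpt modelled on the posted configuration and reduced to what
# the checks need.  It deliberately keeps a misspelled list name
# (ACL_Dailer10_IN) and telnet on the first vty block so both checks fire.
SAMPLE_CONFIG = """\
interface Dialer10
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
!
interface Dialer11
 ip access-group ACL_Dialer11_IN in
 ip access-group ACL_Dialer11_OUT out
!
ip access-list extended ACL_Dailer10_IN
 permit udp any any eq isakmp
 deny   ip any any
ip access-list extended ACL_Dialer10_OUT
 permit ip any any
ip access-list extended ACL_Dialer11_IN
 permit tcp any any eq 22
 deny   ip any any
ip access-list extended ACL_Dialer11_OUT
 permit ip any any
access-list 21 permit 192.168.10.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

_IFACE_RE = re.compile(r"^interface (\S+)$")
_NAMED_ACL_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
_NUMBERED_ACL_RE = re.compile(r"^access-list (\d+) ")
_ACCESS_GROUP_RE = re.compile(r"^\s+ip access-group (\S+) (in|out)$")
_TRANSPORT_RE = re.compile(r"^\s+transport input (.+)$")

def iter_blocks(config: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented body lines) for each top-level block: a line
    without leading whitespace opens a block, indented lines belong to it."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw)
            continue
        if header is not None:
            yield header, body
        header, body = raw, []
    if header is not None:
        yield header, body

def defined_acls(config: str) -> Set[str]:
    """Names (or numbers) of every ACL the config actually defines."""
    names = set()
    for header, _ in iter_blocks(config):
        m = _NAMED_ACL_RE.match(header) or _NUMBERED_ACL_RE.match(header)
        if m:
            names.add(m.group(1))
    return names

def acl_references(config: str) -> List[Tuple[str, str, str]]:
    """(interface, acl, direction) for every ip access-group on an interface."""
    refs = []
    for header, body in iter_blocks(config):
        m = _IFACE_RE.match(header)
        if m:
            for line in body:
                g = _ACCESS_GROUP_RE.match(line)
                if g:
                    refs.append((m.group(1), g.group(1), g.group(2)))
    return refs

def dangling_acl_refs(config: str) -> List[Tuple[str, str, str]]:
    """access-groups whose ACL is never defined; IOS applies an undefined or
    empty ACL as permit-any, so such a reference silently disables filtering."""
    defined = defined_acls(config)
    return [ref for ref in acl_references(config) if ref[1] not in defined]

def vty_lines_allowing_telnet(config: str) -> List[str]:
    """vty blocks whose transport input still accepts cleartext telnet."""
    found = []
    for header, body in iter_blocks(config):
        if header.startswith("line vty"):
            for line in body:
                t = _TRANSPORT_RE.match(line)
                if t and {"telnet", "all"} & set(t.group(1).split()):
                    found.append(header)
    return found

if __name__ == "__main__":
    for iface, acl, direction in dangling_acl_refs(SAMPLE_CONFIG):
        print(f"{iface}: access-group {acl} {direction} names an undefined ACL")
    for vty in vty_lines_allowing_telnet(SAMPLE_CONFIG):
        print(f"{vty}: telnet still enabled in transport input")
```

Feeding it a complete show running-config works the same way, since the parser relies only on the indentation IOS itself produces; on the sample it reports the Dialer10 inbound group and the first vty block.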


31 thoughts on “Router Configuration With ADSL / SHDSL Local LAN, DMZ. WebVPN, Normal VPN”

    • Hello,

      The ip sla 80 is a track to measure the connection to a DNS server of your ISP.

      You could even use this track for a fallback on 2 DSL lines.

      So you track one DNS server of connection one; if that line fails, it would track the ping to line 2, so you could continue with internet.

      I hope this will bring you further.

  1. hello,
    sorry if I disturb you but I have a big problem.
    I have a Cisco 2621XM with 128 MB RAM and 32 MB flash. I installed a WIC-1SHDSL-V3 on my router but it doesn’t work. Do you know which IOS I must use?
    thanks very much

    • Hello,

      Well, I don’t know which IOS you use right now, but you should at least use one of the 12.4 versions (I know those are not compatible with your hardware configuration).

      ADVANCED IP SERVICES
      c2600-advipservicesk9-mz.124-15.T9.bin
      Release Date: 29/Apr/2009
      Size: 32396.16 KB (33173660 bytes)
      Minimum Memory: DRAM:192 MB Flash:48 MB

      I know that this one should work. I normally work with the Advanced IP Services IOS at my job.
      Maybe you can say which IOS version you currently use?

  2. hello,
    I tested these IOS images but they don’t work:
    c2600-ipbase-mz.124-15.T9.bin
    c2600-advsecurityk9-mz.124-15.T9.bin
    c2600-adventerprisek9-mz.124-25a.bin
    thanks

    • Hmm.

      It should be working, as I checked it at the site of Cisco. However, you don’t see it in your show version, probably?
      You are not able to test the IOS version I suggested?

      c2600-advipservicesk9-mz.124-15.T9.bin

      It’s different than the ones you used. And if you are able to create a TAC request at the site of Cisco, I would say you could ask them; they will look for the best IOS version you need if you have trouble with it.

  3. I cannot test your IOS because I have only 128 MB RAM and 32 MB flash, not 256 MB RAM and 48 MB flash.
    If I do show ver I see a DSL controller, but if I do show ip int brief I see only 2 FastEthernet. I can’t make a TAC request at the site of Cisco.
    thanks

    • The DSL controller is the SHDSL WIC.

      You could look at one of the other configurations; I have some DSL controllers in them, if I’m right ;-)

      controller dsl 0
      mode atm
      no shut

      i hope this works out =)

  4. I have another Cisco 2621XM with an ADSL WIC, and I see a controller DSL but I also see an ATM interface. Tomorrow I will test your command.
    thanks

    • I think this would work now.

      Below is a controller configuration of a Cisco 878 router; I think the settings are not that much different, for sure.

      controller DSL 0
      mode atm
      line-term cpe
      line-mode 2-wire line-zero
      dsl-mode shdsl symmetric annex B
      line-rate auto

  5. hello,
    thanks; now it works.
    I must insert “no shut”

    controller DSL 0/1
    mode atm
    line-term cpe
    line-mode 4-wire standard
    dsl-mode shdsl symmetric annex B
    line-rate 4096
    no shutdown

    I tested this ip sla but it doesn’t work

    ip sla monitor 80
    type http operation get url http://www.google.it/ name-server 217.22.224.51 cache disable
    threshold 500
    frequency 120
    ip sla monitor schedule 80 life forever start-time now

    • With the IP SLA monitor you need to use your own ISP DNS.
      Maybe the IOS version does not support this command.

      It is not necessary to use this ip sla.

  6. hello,
    I don’t know “ip sla” well. Can you tell me a book title or site?
    How can I use 2 or more ip sla in a track command?
    sorry if I disturb you.
    thanks

  7. thanks,
    I have a router with a primary SHDSL line and a backup ADSL line.
    I must create a site-to-site VPN with a remote router.
    I created a loopback with a public IP address /32 and the VPN is OK because I inserted:

    int lo10
    ip address < public ip > 255.255.255.255
    crypto map pluto

    but it doesn’t route the traffic to the remote site.
    How can I route the traffic to the remote site?
    thanks very much

  8. hello,
    I resolved this problem with
    crypto map pluto local-address Loopback10, and removed the crypto map from Loopback10

  9. hello,
    can I configure a loopback with IP address 192.168.0.1 255.255.255.255 as DNS address for my LAN?
    if yes, how?

    p.s.
    this loopback is under NAT

    thanks
    niger

    • Hello,
      You could configure the loopback address with the address above; however, I thought it wasn’t recommended.

      The loopback address is for the no nat routing traffic for VPN etc.

      The dns for your lan.
      Do you mean the:
      ip name-server server
      ip domain-lookup ( this is for the icmp ping http://www.google.com for example )

      or the following

      no ip dhcp use vrf connected
      ip dhcp excluded-address 192.168.x.0 192.168.x.x
      !
      ip dhcp pool CLIENT
      import all
      network 192.168.x.x 255.255.255.0
      default-router 192.168.x.x
      dns-server 192.168.x.x ( router ip address )
      domain-name xxx.local
      lease 32

      ip name-server

      ip dns view default
      logging
      ip dns server ( this command make your router a dns server )

      ip access-list extended ACL_OUTSIDEINTERFACE_IN
      remark Standard WWW services
      permit udp any any eq domain
      permit udp any eq domain any

      ip sla 80
      http get http://www.google.com/ name-server cache disable
      threshold 500
      tag Google
      frequency 300
      ip sla schedule 80 life forever start-time now

      Fred

  10. I have 80 PCs with DNS IP address 192.168.0.1, but I changed the LAN configuration. I have a Cisco 2621XM with a switch module NM-16ESW with 16 FastEthernet ports, so I created a layer 2 trunk EtherChannel with a Cisco 3550, but I must use this address for DNS in my router because I can’t change the PC configuration, so I thought of a loopback on my router. Do you have any idea? All subnets have a gateway on a VLAN interface (6 VLAN interfaces).
    can I create a layer 3 EtherChannel?
    thanks
    niger

    • Hi,

      If I’m correct you now have a new subnet range, different from the 192.168.0.x IP address which has the DNS 192.168.0.1 right now? So I guess you want to make a VLAN configuration. I think the best way / idea is to let the Cisco Catalyst 3550 do the routing. Check if you have the correct IOS for layer 3 switching.

      You can’t use the loopback for the DNS configuration. The best way is to set a route to the DNS server, which is in a different LAN segment.

      On the NM-16ESW layer 3 switching wasn’t available. I have actually not been able to use such a card before, but I found on the net that layer 3 switching wasn’t available on that card. http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html

      The above is what I was thinking yesterday. But probably I know a situation like yours.

      Router > switch configuration: the router has one connection, the switch several VLAN configurations.

      Route, then you can use the router as DNS for the others.

      I have a certain configuration with a Cisco 1841 router and a Catalyst 3560 switch, probably.

      Fred

  11. thanks very much
    I found a method for “etherchannel l2/l3”

    on router:
    int range fa1/0 – 7
    switchport access vlan 7
    channel-group 1 mode on

    int vlan 7
    ip address 192.168.0.5 255.255.255.252
    ip nat inside

    on switch cisco 3550:
    int range fa0/0 – 7
    switchport access vlan 7
    switchport mode access
    channel-group 1 mode on

    int vlan 7
    ip address 192.168.0.6 255.255.255.252

    but I don’t understand, because if I don’t do NAT of 192.168.0.4/30 all my LAN doesn’t go on the internet
    thanks

    • I think it’s because your DNS server needs to access the internet for requesting its DNS settings, which will be used for your clients. It sends a request on port 53 ( domain ).

      I’m glad you found a workaround for the situation. =)

  12. hi, sorry if I disturb you again but I have a problem:
    I have this configuration:
    ip nat inside source static tcp 192.168.1.20 20 xxx.yyy.zzz.34 20 extendable
    ip nat inside source static tcp 192.168.1.20 21 xxx.yyy.zzz.34 21 extendable
    ip nat inside source static tcp 192.168.1.20 22 xxx.yyy.zzz.34 22 extendable
    ip nat inside source static tcp 192.168.1.20 80 xxx.yyy.zzz.34 80 extendable
    ip nat inside source static tcp 192.168.1.20 10000 xxx.yyy.zzz.34 10000 extendable
    and I must bind it with this access-list:
    access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
    access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
    access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
    access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
    access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
    access-list 161 permit tcp host 192.168.1.20 eq ftp any
    access-list 161 permit tcp host 192.168.1.20 eq www any
    I ALSO HAVE A NAT OVERLOAD FOR ALL TRAFFIC FOR THE SUBNET 192.168.1.0/22
    CAN YOU HELP ME?
    192.168.1.20 IS A SERVER
    THANKS

    • Hello,

      The configuration seems normal to me; what does it not do? Is access-list 161 an outside to inside access-list or from inside to outside?

      Maybe you could use ip access-list extended. It could make your configuration a bit more organized and help to see where the problem is located.

      However, did you configure your internet interface with the following command? access-group 161 out

      Fred

    • Hello

      the problem seems to be in the last rule of the access-list; it blocks http traffic from other ip addresses. If it’s the outbound access-list, then would there be some problem with the configuration?

      If you have further questions don’t hesitate to contact

      Fred

  13. my problem is that subnet 192.168.1.0/22 must have full access to internet, type: “permit ip any any”, and I don’t know how to bind this rule with access-list 161
    thanks

    • Let’s see,

      if you type access-list 161 permit ip any any this should bind it to the access-list you want to have

      access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
      access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
      access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
      access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
      access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
      access-list 161 permit tcp host 192.168.1.20 eq ftp any
      >>> remove >>> access-list 161 permit tcp host 192.168.1.20 eq www any
      access-list 161 permit ip any any

      so actually it seems that the following access-list rules are unneeded.
      —————————————————————————————————-
      access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
      access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
      access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
      access-list 161 permit tcp host 192.168.1.20 eq ftp any
      access-list 161 permit tcp host 192.168.1.20 eq www any
      —————————————————————————————————-
      The access-list would be as follow:

      int |outside interface|
      ip access-group 161 out

      access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
      access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
      access-list 161 permit gre any any
      access-list 161 permit esp any any
      access-list 161 permit ahp any any
      access-list 161 permit ip any any

      The rules below are for VPN usage; these I explicitly add to the access-list
      because you could have some problems with it when you don’t add these to your access-list.
      access-list 161 permit gre any any
      access-list 161 permit esp any any
      access-list 161 permit ahp any any

      Try if this will work.
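As an added illustration of the first-match point made in the reply above (an editor's example, not code from the commenter or from Fred): a Python model of IOS extended-ACL evaluation with wildcard masks, first-match semantics and the implicit deny at the end, plus a check that reports entries which a later entry with the same action already covers. The access-list 161 lines are constructed after the thread's, with the external /29 replaced by the documentation range 203.0.113.120 0.0.0.7, and the two packets are constructed as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service keywords IOS accepts in place of port numbers (those the thread uses).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80}
Addr = Tuple[int, int]  # (address, wildcard); a 1 bit in the wildcard means "don't care"

@dataclass
class Ace:
    action: str
    proto: str
    src: Addr
    sport: Optional[int]
    dst: Addr
    dport: Optional[int]
    text: str

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

def _addr(tok: List[str], i: int) -> Tuple[Addr, int]:
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line: str) -> Optional[Ace]:
    # Accepts numbered ("access-list 161 permit ...") and named ("permit ...") syntax.
    tok = line.split()
    if tok[:1] == ["access-list"]:
        tok = tok[2:]
    if not tok or tok[0] == "remark":
        return None
    src, i = _addr(tok, 2)
    sport, i = _port(tok, i)
    dst, i = _addr(tok, i)
    dport, _ = _port(tok, i)
    return Ace(tok[0], tok[1], src, sport, dst, dport, line.strip())

def parse_acl(text: str) -> List[Ace]:
    return [a for a in map(parse_ace, text.strip().splitlines()) if a]

def _in_range(spec: Addr, ip: int) -> bool:
    net, wild = spec
    return (ip & ~wild) == (net & ~wild)

def matches(ace: Ace, p: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != p.proto:
        return False
    return (_in_range(ace.src, int(ipaddress.IPv4Address(p.src)))
            and _in_range(ace.dst, int(ipaddress.IPv4Address(p.dst)))
            and ace.sport in (None, p.sport) and ace.dport in (None, p.dport))

def evaluate(acl: List[Ace], p: Packet) -> Tuple[str, Optional[str]]:
    """First matching entry wins; falling off the end is the implicit deny."""
    for ace in acl:
        if matches(ace, p):
            return ace.action, ace.text
    return "deny", None

def _addr_covers(outer: Addr, inner: Addr) -> bool:
    return (outer[1] | inner[1]) == outer[1] and _in_range(outer, inner[0])

def _covers(outer: Ace, inner: Ace) -> bool:
    """True when every packet inner can match is matched by outer as well."""
    return (outer.proto in ("ip", inner.proto)
            and _addr_covers(outer.src, inner.src) and _addr_covers(outer.dst, inner.dst)
            and outer.sport in (None, inner.sport) and outer.dport in (None, inner.dport))

def redundant_entries(acl: List[Ace]) -> List[str]:
    """Entries deletable without changing any decision: a later entry with the
    same action covers them and nothing in between carries another action."""
    out = []
    for i, a in enumerate(acl):
        for b in acl[i + 1:]:
            if b.action != a.action:
                break
            if _covers(b, a):
                out.append(a.text)
                break
    return out

# Constructed lists modelled on the thread's access-list 161, with the real
# external /29 replaced by documentation space 203.0.113.120 0.0.0.7.
ORIGINAL_161 = """
access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
access-list 161 permit tcp host 192.168.1.20 eq 22 203.0.113.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq 10000 203.0.113.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
access-list 161 permit tcp host 192.168.1.20 eq ftp any
access-list 161 permit tcp host 192.168.1.20 eq www any
"""
WITH_PERMIT_ANY = ORIGINAL_161 + "access-list 161 permit ip any any\n"

# Constructed packets: a LAN client browsing out, and the server answering an SSH client.
LAN_CLIENT_WEB = Packet("tcp", "192.168.1.50", "198.51.100.10", 40000, 80)
SERVER_SSH_REPLY = Packet("tcp", "192.168.1.20", "203.0.113.121", 22, 50000)
```

Against the list as first posted, the LAN client's web request matches nothing and hits the implicit deny, which is the symptom the question describes; with permit ip any any appended it is permitted, and the five host-specific permits above it are reported as covered, exactly the lines the reply marks as unneeded. On the final list the reply suggests, the same check would also flag the gre, esp and ahp permits as covered by the closing permit ip any any, so they cost nothing but also change nothing there. An outbound list like this says nothing about who can reach ports 22 and 10000 on the server from outside; that is decided by the inbound list on the outside interface, which the next exchange turns to.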

  14. thanks, but so I have a “denial of service” attack or illegal access on the ports 22 – 10000 of public server xxx.yyy.zzz.34

    • Are these public servers inside the 192.168.1.x range or at another location? Otherwise you have to create an inbound access-list where you permit ports to.

      But if you only want to have such access to SSH ( port 22 ) or port 10000, then you indeed create the lines of

      access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
      access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7

      But those external IP addresses are not at the location where you have the SSH / port 10000?
      If the webserver is on your own network xxx.yyy.zzz.34, then you should create an access-list

      access-list 162 deny tcp any external ip address eq 22
      access-list 162 deny tcp any external ip address eq 10000

      or am I wrong?
