Unanswered Question


We have a Cisco 1721 with one "FastEthernet 0" and one "Eth 0" interface, connecting a DSL line to our internal LAN.

The FastEthernet 0 interface is connected to the DSL line via an ADSL modem (Zyxel), which is configured in bridge mode.

Eth 0 is connected to our LAN.

The router is configured primarily for IPSec and Internet access.

We are able to access Internet sites from our internal network; however, incoming traffic from the Internet to our internal LAN (say, for a web server hosted in our LAN) fails.

Please find the configuration of our router below.

I would appreciate it if you could help us configure it for incoming traffic.

Thank you


My present router sh run details are as follows:

sh run
Building configuration...

Current configuration : 1942 bytes

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

no aaa new-model

resource policy

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

no ip dhcp use vrf connected

ip cef
no ip ips deny-action ips-interface

no ftp-server write-enable

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key b001 address 111.x.x.20
!
crypto ipsec transform-set VF_GPRS esp-des esp-md5-hmac
crypto ipsec df-bit clear

crypto map VF_B 10 ipsec-isakmp
 set peer 111.x.x.20
 set transform-set VF_GPRS
 match address b_VF

interface Ethernet0
 ip address
 ip nat inside
 ip virtual-reassembly

interface FastEthernet0
 ip address 130.x.x..49 secondary
 ip address 130.x.x..44
 ip nat outside
 ip virtual-reassembly
 speed auto
 no cdp enable
 crypto map VF_B

ip default-gateway 130.x.x..1
ip classless
ip route 130.x.x..1
no ip http server
no ip http secure-server

ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 130.x.x..49

ip access-list extended b_VF
 permit ip
 deny ip any any
ip access-list extended telnet
 permit ip host 111.x.x.130 any
 permit ip any
 deny ip any any
access-list 101 deny ip
access-list 101 permit ip any

line con 0
line aux 0
line vty 0 4
 access-class telnet in
 login local



Richard Burts Thu, 01/24/2008 - 05:52

After posting the question here, Ramie also posted it on the WAN Routing and Switching forum, where it has received a couple of responses. I suggest that any further discussion be consolidated in the WAN forum.



