IOS VPN + non-working NAT

simonw
Level 1

Hi,

I have a 1760 central site router, connected to two 1721 routers. VPN is finally up and running, but during the last bit of configuration, the static to an inside mail server stopped working.

Here's the config (all outside addresses have been changed to 1.1.1.1, 2.2.2.2, etc., and passwords changed).

Current configuration : 8242 bytes
!
! Last configuration change at 00:25:43 GMT0 Thu Dec 11 2003 by sicl
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Harpenden
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxxx
!
username xxxx password xxxx
username xxxx password xxxx
username xxxx password xxxx
username xxxx password xxxx
clock timezone GMT0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login authenvpn local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization network authorvpn local
aaa session-id common
ip subnet-zero
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip domain name harpendenbs.co.uk
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
no ip cef
ip inspect audit-trail
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 600
ip inspect tcp synwait-time 20
ip inspect name fwallfset rcmd timeout 10
ip inspect name fwallfset cuseeme timeout 10
ip inspect name fwallfset tcp
ip inspect name fwallfset udp
ip inspect name fwallfset rtsp
ip inspect name fwallfset fragment maximum 100 timeout 1
ip inspect name fwallfset ftp
ip inspect name fwallfset http
ip inspect name fwallfset realaudio
ip audit notify log
ip audit po max-events 100
ip ssh time-out 30
no ftp-server write-enable
isdn switch-type basic-net3
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key radlett address 1.1.1.1
crypto isakmp key leighton address 2.2.2.2
crypto isakmp key harpenden address 3.3.3.3
crypto isakmp keepalive 20
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map grevpn 10 ipsec-isakmp
 description VPN connection to Radlett
 set peer 1.1.1.1
 set transform-set myset
 match address 101
crypto map grevpn 20 ipsec-isakmp
 description VPN connection to Leighton Buzzard
 set peer 2.2.2.2
 set transform-set myset
 match address 102
crypto map grevpn 30 ipsec-isakmp
 description VPN connection to SICL
 set peer 3.3.3.3
 set transform-set myset
 match address 103
!
!
interface Tunnel1
 bandwidth 512
 ip address 10.0.0.1 255.255.255.252
 keepalive 10 20
 tunnel source Dialer1
 tunnel destination 1.1.1.1
 crypto map grevpn
!
interface Tunnel2
 bandwidth 512
 ip address 10.4.4.1 255.255.255.252
 keepalive 10 20
 tunnel source 4.4.4.4
 tunnel destination 2.2.2.2
 crypto map grevpn
!
interface ATM0/0
 bandwidth 1024
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0/0
 description SN: FHK073022M4
 ip address x.x.x.x 255.255.255.0
 ip helper-address 192.9.200.1
 no ip redirects
 no ip unreachables
 ip nat inside
 ! route-map nonat has no set clause, so as a policy route this line does nothing
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 no cdp enable
 hold-queue 100 out
!
interface BRI1/0
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation ppp
 dialer pool-member 2
 isdn switch-type basic-net3
 ppp authentication chap
!
interface Dialer1
 bandwidth 1024
 ! mask restored to 255.255.255.248; the post's redaction rendered it as x.255.255.248
 ip address x.x.x.x 255.255.255.248
 ip access-group 110 in
 ip nat outside
 ip inspect fwallfset out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxbs@dsl2.mi
 ppp chap password xxxxx
 crypto map grevpn
!
interface Dialer2
 description Backup dialer to radlett
 bandwidth 64
 ip address 10.2.2.1 255.255.255.252
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no ip mroute-cache
 dialer pool 2
 dialer remote-name Radlett
 dialer idle-timeout 30
 dialer wait-for-carrier-time 10
 dialer string 01923856720 class timers
 dialer hold-queue 10
 dialer watch-disable 30
 dialer watch-group 1
 dialer-group 1
 fair-queue
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description Backup dialer to leighton
 bandwidth 64
 ip address 10.3.3.1 255.255.255.252
 no ip redirects
 no ip unreachables
 encapsulation ppp
 no ip mroute-cache
 dialer pool 2
 dialer remote-name Leighton
 dialer idle-timeout 30
 dialer wait-for-carrier-time 10
 dialer string 01525373542 class timers
 dialer hold-queue 10
 dialer watch-disable 30
 dialer watch-group 2
 dialer-group 1
 fair-queue
 no cdp enable
 ppp authentication chap
!
router eigrp 1
 network 10.0.0.0
 network 192.9.200.0
 no auto-summary
!
ip nat inside source route-map nonat interface Dialer1 overload
! a static translation is not subject to route-map nonat: TCP/25 traffic from the
! mail server is rewritten to 4.4.4.5 before the crypto map is evaluated, even when
! its destination is one of the VPN subnets excluded by access-list 130
ip nat inside source static tcp x.x.x.x 25 4.4.4.5 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
logging trap warnings
access-list 10 permit any
access-list 101 permit ip 192.9.200.0 0.0.0.255 192.9.199.0 0.0.0.255
access-list 101 permit gre host 4.4.4.4 host 1.1.1.1
access-list 102 permit ip 192.9.200.0 0.0.0.255 192.9.197.0 0.0.0.255
access-list 102 permit gre host 4.4.4.4 host 2.2.2.2
access-list 103 permit ip 192.9.200.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 110 remark CBAC access list - always allowed packets
access-list 110 remark allow inbound smtp
access-list 110 permit tcp any host 4.4.4.5 eq smtp
access-list 110 remark permit vpn traffic from sicl to harpenden
access-list 110 permit esp host 3.3.3.3 host 4.4.4.4
access-list 110 permit udp host 3.3.3.3 host 4.4.4.4 eq isakmp
access-list 110 permit ip 172.31.0.0 0.0.255.255 192.9.200.0 0.0.0.255
access-list 110 remark permit grevpn traffic from Leighton to harpenden
access-list 110 permit gre host 2.2.2.2 host 4.4.4.4
access-list 110 permit esp host 2.2.2.2 host 4.4.4.4
access-list 110 permit udp host 2.2.2.2 host 4.4.4.4 eq isakmp
access-list 110 permit ip 192.9.197.0 0.0.0.255 192.9.200.0 0.0.0.255
access-list 110 remark permit grevpn Radlett to Harpenden
access-list 110 permit gre host 1.1.1.1 host 4.4.4.4
access-list 110 permit esp host 1.1.1.1 host 4.4.4.4
access-list 110 permit udp host 1.1.1.1 host 4.4.4.4 eq isakmp
access-list 110 permit ip 192.9.199.0 0.0.0.255 192.9.200.0 0.0.0.255
access-list 110 remark allow icmp required types back in
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any traceroute
access-list 110 remark allow SSH sessions inbound
! together with "access-list 10 permit any" on the vty lines, this exposes SSH on
! the router to any source on the Internet
access-list 110 permit tcp any any eq 22
access-list 111 deny eigrp any any
access-list 111 permit ip any any
access-list 130 deny ip 192.9.200.0 0.0.0.255 192.9.199.0 0.0.0.255
access-list 130 deny ip 192.9.200.0 0.0.0.255 192.9.197.0 0.0.0.255
access-list 130 deny ip 192.9.200.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 permit ip 192.9.200.0 0.0.0.255 any
dialer watch-list 2 ip 192.9.197.0 255.255.255.0
dialer watch-list 1 ip 192.9.199.0 255.255.255.0
dialer-list 1 protocol ip list 111
!
route-map nonat permit 20
 match ip address 130
!
!
line con 0
 exec-timeout 0 0
 password xxxx
 logging synchronous
 login authentication local
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 password xxxxx
line vty 5 15
 access-class 10 in
 exec-timeout 0 0
 password xxxxx
!
no scheduler allocate
ntp server 130.159.196.115 version 1
!
end

Until we got the VPN working reliably, the static was working. I tried taking the access list down to just allowing inbound smtp and icmp echo-request. The echo request works and the access-list shows hits, but the smtp access-list shows no hits.

Have I chosen the wrong IOS?

Help!

Simon
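The following is a constructed model of the order in which IOS applies the inbound access list, NAT and the crypto map to the statements in the config above. It is an added example, not part of the original post or of any Cisco code. It encodes ACL 103, the SMTP/SICL/SSH lines of ACL 110, ACL 130 as used by route-map nonat, the overload and static NAT lines, and crypto map entry 30 (the SICL peer, whose traffic leaves Dialer1 directly rather than through a GRE tunnel). The mail server address 192.9.200.25 and all remote hosts are assumptions, since the post masks the inside address. It shows the two things a practitioner checks on this page: the inbound ACL is evaluated against the global address 4.4.4.5 before the static translation is undone, and a static translation is not subject to route-map nonat, so the mail server's port-25 replies toward 172.31.0.0/16 are rewritten to 4.4.4.5 before the crypto map is consulted and no longer match ACL 103.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed model of the relevant statements from the posted config.
# Addresses the post masks (the mail server) are assumptions.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "esp", "gre" or "icmp"
    sport: int = 0
    dport: int = 0

def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

# ACL entries as (action, protocol, source net, destination net, destination port or None).
# access-list 103: crypto map grevpn 30 (SICL peer at 3.3.3.3)
ACL_103 = [("permit", "ip", "192.9.200.0/24", "172.31.0.0/16", None)]
# access-list 110 (inbound on Dialer1): the lines relevant to SMTP, the SICL peer and SSH
ACL_110 = [
    ("permit", "tcp", "0.0.0.0/0", "4.4.4.5/32", 25),
    ("permit", "esp", "3.3.3.3/32", "4.4.4.4/32", None),
    ("permit", "udp", "3.3.3.3/32", "4.4.4.4/32", 500),
    ("permit", "ip", "172.31.0.0/16", "192.9.200.0/24", None),
    ("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 22),
]
# access-list 130, matched by route-map nonat: keep VPN destinations out of overload NAT
ACL_130 = [
    ("deny", "ip", "192.9.200.0/24", "192.9.199.0/24", None),
    ("deny", "ip", "192.9.200.0/24", "192.9.197.0/24", None),
    ("deny", "ip", "192.9.200.0/24", "172.31.0.0/16", None),
    ("permit", "ip", "192.9.200.0/24", "0.0.0.0/0", None),
]

def acl_match(acl, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end."""
    for action, proto, src_net, dst_net, dport in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not in_net(pkt.src, src_net) or not in_net(pkt.dst, dst_net):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

MAIL_SERVER = "192.9.200.25"   # assumption: the post masks the inside address as x.x.x.x
DIALER1 = "4.4.4.4"            # overload address: ip nat inside source ... interface Dialer1
# ip nat inside source static tcp <mail server> 25 4.4.4.5 25 extendable
STATIC_SMTP = (MAIL_SERVER, 25, "4.4.4.5", 25)

def nat_inside_to_outside(pkt: Packet):
    """Local-to-global translation for a packet leaving an 'ip nat outside' interface."""
    inside, iport, glob, gport = STATIC_SMTP
    # The static entry carries no route-map, so it applies before ACL 130 is consulted.
    if pkt.proto == "tcp" and pkt.src == inside and pkt.sport == iport:
        return replace(pkt, src=glob, sport=gport), "static"
    if acl_match(ACL_130, pkt) == "permit":
        return replace(pkt, src=DIALER1), "overload"
    return pkt, "none"

def outbound_via_dialer1(pkt: Packet) -> dict:
    """Inside-to-outside order on IOS: routing, then NAT, then the crypto map check."""
    translated, how = nat_inside_to_outside(pkt)
    encrypted = acl_match(ACL_103, translated) == "permit"
    return {"nat": how, "src_on_wire": translated.src, "encrypted": encrypted}

def inbound_on_dialer1(pkt: Packet) -> dict:
    """Outside-to-inside order: the input ACL sees the global address, then NAT is undone."""
    if acl_match(ACL_110, pkt) != "permit":
        return {"acl": "deny", "delivered_to": None}
    inside, iport, glob, gport = STATIC_SMTP
    if pkt.proto == "tcp" and pkt.dst == glob and pkt.dport == gport:
        return {"acl": "permit", "delivered_to": inside}
    return {"acl": "permit", "delivered_to": pkt.dst}

if __name__ == "__main__":
    # Remote hosts below are constructed sample addresses.
    cases = {
        "internet -> 4.4.4.5:25":       inbound_on_dialer1(Packet("198.51.100.7", "4.4.4.5", "tcp", 40000, 25)),
        "inside host -> SICL":          outbound_via_dialer1(Packet("192.9.200.50", "172.31.1.1", "tcp", 3000, 80)),
        "mail server:25 reply -> SICL": outbound_via_dialer1(Packet(MAIL_SERVER, "172.31.1.1", "tcp", 25, 3000)),
        "inside host -> internet":      outbound_via_dialer1(Packet("192.9.200.50", "203.0.113.9", "tcp", 3000, 80)),
    }
    for name, result in cases.items():
        print(f"{name:30} {result}")
```

On the router itself the same observation comes from `show ip nat translations` while a remote-site SMTP session is open: an entry pairing 4.4.4.5:25 with a 172.31.x.x peer means the reply was translated and left the crypto map. For the reported symptom, `show access-lists 110` counts a hit on the SMTP line only when a packet addressed to 4.4.4.5 actually arrives on Dialer1, so zero hits there means the packets are not reaching the router rather than being dropped after NAT.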

2 Replies

Not applicable

Can you paste the error you are getting? It might give some clue, as going through the entire configuration might take a lot of time.

Hi,

No error messages - just a failure to get through on the static.