12-12-2003 01:45 AM - edited 02-21-2020 12:57 PM
Hi,
I have a 1760 central site router, connected to two 1721 routers. VPN is finally up and running, but during the last bit of configuration, the static to an inside mail server stopped working.
Here's the config (all outside addresses have been changed to 1.1.1.1 2.2.2.2 etc and passwords changed).
Current configuration : 8242 bytes
!
! Last configuration change at 00:25:43 GMT0 Thu Dec 11 2003 by sicl
!
version 12.3
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
!
hostname Harpenden
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret xxxx
!
username xxxx password xxxx
username xxxx password xxxx
username xxxx password xxxx
username xxxx password xxxx
clock timezone GMT0 0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login authenvpn local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization network authorvpn local
aaa session-id common
ip subnet-zero
!
!
ip tcp selective-ack
ip tcp path-mtu-discovery
ip domain name harpendenbs.co.uk
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
no ip cef
ip inspect audit-trail
ip inspect max-incomplete high 1000
ip inspect max-incomplete low 800
ip inspect one-minute high 600
ip inspect tcp synwait-time 20
ip inspect name fwallfset rcmd timeout 10
ip inspect name fwallfset cuseeme timeout 10
ip inspect name fwallfset tcp
ip inspect name fwallfset udp
ip inspect name fwallfset rtsp
ip inspect name fwallfset fragment maximum 100 timeout 1
ip inspect name fwallfset ftp
ip inspect name fwallfset http
ip inspect name fwallfset realaudio
ip audit notify log
ip audit po max-events 100
ip ssh time-out 30
no ftp-server write-enable
isdn switch-type basic-net3
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key radlett address 1.1.1.1
crypto isakmp key leighton address 2.2.2.2
crypto isakmp key harpenden address 3.3.3.3
crypto isakmp keepalive 20
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map grevpn 10 ipsec-isakmp
description VPN connection to Radlett
set peer 1.1.1.1
set transform-set myset
match address 101
crypto map grevpn 20 ipsec-isakmp
description VPN connection to Leighton Buzzard
set peer 2.2.2.2
set transform-set myset
match address 102
crypto map grevpn 30 ipsec-isakmp
description VPN connection to SICL
set peer 3.3.3.3
set transform-set myset
match address 103
!
!
!
!
interface Tunnel1
bandwidth 512
ip address 10.0.0.1 255.255.255.252
keepalive 10 20
tunnel source Dialer1
tunnel destination 1.1.1.1
crypto map grevpn
!
interface Tunnel2
bandwidth 512
ip address 10.4.4.1 255.255.255.252
keepalive 10 20
tunnel source 4.4.4.4
tunnel destination 2.2.2.2
crypto map grevpn
!
interface ATM0/0
bandwidth 1024
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0/0
description SN: FHK073022M4
ip address x.x.x.x 255.255.255.0
ip helper-address 192.9.200.1
no ip redirects
no ip unreachables
ip nat inside
ip policy route-map nonat
no ip mroute-cache
speed auto
no cdp enable
hold-queue 100 out
!
interface BRI1/0
no ip address
no ip redirects
no ip unreachables
encapsulation ppp
dialer pool-member 2
isdn switch-type basic-net3
ppp authentication chap
!
interface Dialer1
bandwidth 1024
ip address x.x.x.x x.255.255.248
ip access-group 110 in
ip nat outside
ip inspect fwallfset out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxbs@dsl2.mi
ppp chap password xxxxx
crypto map grevpn
!
interface Dialer2
description Backup dialer to radlett
bandwidth 64
ip address 10.2.2.1 255.255.255.252
no ip redirects
no ip unreachables
encapsulation ppp
no ip mroute-cache
dialer pool 2
dialer remote-name Radlett
dialer idle-timeout 30
dialer wait-for-carrier-time 10
dialer string 01923856720 class timers
dialer hold-queue 10
dialer watch-disable 30
dialer watch-group 1
dialer-group 1
fair-queue
no cdp enable
ppp authentication chap
!
interface Dialer3
description Backup dialer to leighton
bandwidth 64
ip address 10.3.3.1 255.255.255.252
no ip redirects
no ip unreachables
encapsulation ppp
no ip mroute-cache
dialer pool 2
dialer remote-name Leighton
dialer idle-timeout 30
dialer wait-for-carrier-time 10
dialer string 01525373542 class timers
dialer hold-queue 10
dialer watch-disable 30
dialer watch-group 2
dialer-group 1
fair-queue
no cdp enable
ppp authentication chap
!
router eigrp 1
network 10.0.0.0
network 192.9.200.0
no auto-summary
!
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp x.x.x.x 25 4.4.4.5 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
logging trap warnings
access-list 10 permit any
access-list 101 permit ip 192.9.200.0 0.0.0.255 192.9.199.0 0.0.0.255
access-list 101 permit gre host 4.4.4.4 host 1.1.1.1
access-list 102 permit ip 192.9.200.0 0.0.0.255 192.9.197.0 0.0.0.255
access-list 102 permit gre host 4.4.4.4 host 2.2.2.2
access-list 103 permit ip 192.9.200.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 110 remark CBAC access list - always allowed packets
access-list 110 remark allow inbound smtp
access-list 110 permit tcp any host 4.4.4.5 eq smtp
access-list 110 remark permit vpn traffic from sicl to harpenden
access-list 110 permit esp host 3.3.3.3 host 4.4.4.4
access-list 110 permit udp host 3.3.3.3 host 4.4.4.4 eq isakmp
access-list 110 permit ip 172.31.0.0 0.0.255.255 192.9.200.0 0.0.0.255
access-list 110 remark permit grevpn traffic from Leighton to harpenden
access-list 110 permit gre host 2.2.2.2 host 4.4.4.4
access-list 110 permit esp host 2.2.2.2 host 4.4.4.4
access-list 110 permit udp host 2.2.2.2 host 4.4.4.4 eq isakmp
access-list 110 permit ip 192.9.197.0 0.0.0.255 192.9.200.0 0.0.0.255
access-list 110 remark permit grevpn Radlett to Harpenden
access-list 110 permit gre host 1.1.1.1 host 4.4.4.4
access-list 110 permit esp host 1.1.1.1 host 4.4.4.4
access-list 110 permit udp host 1.1.1.1 host 4.4.4.4 eq isakmp
access-list 110 permit ip 192.9.199.0 0.0.0.255 192.9.200.0 0.0.0.255
access-list 110 remark allow icmp required types back in
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any traceroute
access-list 110 remark allow SSH sessions inbound
access-list 110 permit tcp any any eq 22
access-list 111 deny eigrp any any
access-list 111 permit ip any any
access-list 130 deny ip 192.9.200.0 0.0.0.255 192.9.199.0 0.0.0.255
access-list 130 deny ip 192.9.200.0 0.0.0.255 192.9.197.0 0.0.0.255
access-list 130 deny ip 192.9.200.0 0.0.0.255 172.31.0.0 0.0.255.255
access-list 130 permit ip 192.9.200.0 0.0.0.255 any
dialer watch-list 2 ip 192.9.197.0 255.255.255.0
dialer watch-list 1 ip 192.9.199.0 255.255.255.0
dialer-list 1 protocol ip list 111
!
route-map nonat permit 20
match ip address 130
!
!
line con 0
exec-timeout 0 0
password xxxx
logging synchronous
login authentication local
line aux 0
line vty 0 4
access-class 10 in
exec-timeout 15 0
password xxxxx
line vty 5 15
access-class 10 in
exec-timeout 0 0
password xxxxx
!
no scheduler allocate
ntp server 130.159.196.115 version 1
!
end
Until we got the VPN working reliably, the static was working. I tried taking the access list down to just allowing inbound smtp and icmp echo-request. The echo request works and the access-list shows hits, but the smtp access-list shows no hits.
Have I chosen the wrong IOS?
Help!
Simon
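A self-check for the static-NAT-plus-inbound-ACL combination in the post, added here as an example and not part of the thread: it parses the relevant IOS lines (a constructed excerpt of the config above; the inside server address is a made-up placeholder because the post anonymises it) and reports whether each static's global address and port is permitted by the inbound ACL of every NAT-outside interface, since IOS evaluates that ACL before outside-to-inside translation.

```python
import re

# Constructed excerpt of the thread's config. The inside server address is
# anonymised in the post, so 192.9.200.10 is a made-up placeholder.
CONFIG = """\
interface Dialer1
 ip access-group 110 in
 ip nat outside
!
ip nat inside source static tcp 192.9.200.10 25 4.4.4.5 25 extendable
access-list 110 permit tcp any host 4.4.4.5 eq smtp
access-list 110 permit tcp any any eq 22
"""
PORT_NAMES = {"smtp": 25, "www": 80, "ftp": 21, "domain": 53}

def port(token):
    """IOS port keyword or number -> int (None if the keyword is unknown)."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)

def parse(text):
    """Interfaces (NAT role, inbound ACL), static TCP NATs, tcp permits per ACL."""
    ifaces, statics, permits, cur = {}, [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"nat_outside": False, "acl_in": None}
        elif cur and line == "ip nat outside":
            ifaces[cur]["nat_outside"] = True
        elif cur and line.startswith("ip access-group ") and line.endswith(" in"):
            ifaces[cur]["acl_in"] = line.split()[2]
        elif m := re.match(r"ip nat inside source static tcp (\S+) (\S+) (\S+) (\S+)", line):
            statics.append((m[1], port(m[2]), m[3], port(m[4])))
        elif m := re.match(r"access-list (\d+) permit tcp \S+ (any|host \S+) eq (\S+)", line):
            dst = None if m[2] == "any" else m[2].split()[1]   # None = any host
            permits.setdefault(m[1], []).append((dst, port(m[3])))
    return ifaces, statics, permits

def check_statics(text):
    """IOS checks the inbound ACL before outside-to-inside translation, so each
    static's *global* address/port must be permitted on every NAT-outside interface."""
    ifaces, statics, permits = parse(text)
    outside = [(n, i["acl_in"]) for n, i in ifaces.items() if i["nat_outside"]]
    findings = []
    for _local, _lport, glob, gport in statics:
        for name, acl in outside:
            ok = acl is None or any(d in (None, glob) and p == gport
                                    for d, p in permits.get(acl, []))
            findings.append((name, glob, gport, "permitted" if ok else f"blocked by ACL {acl}"))
    return findings
```

The posted config passes this check, which matches the observation that the smtp permit exists but records no hits: a permit entry with zero hits was never matched on that interface, so attention moves to whether the packets reach Dialer1 at all rather than to the ACL itself.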
12-22-2003 08:12 AM
Can you paste the error you are getting? It might give some clue, as going through the entire configuration might take a lot of time.
12-22-2003 09:34 AM
Hi,
No error messages - just a failure to get through on the static.