I have a primary MPLS router doing HSRP with an 1841. The 1841 has an HWIC-3G-CDMA-V that I am using for the internet connection. I really only need to create a tunnel from the 1841 to the ASA at my Hub. The problem is that the cellular call is dropping as the VPN tunnel is establishing. This is due to a (I TERMREQ) termination request from Verizon as they say I am leaking 2 private IP addresses to them, a 192. that is the loopback of the MPLS router, and a 10.0.0.120 address that doesn't seem to be on my network anywhere. How do I block all other IPs trying to get out? I thought my access list should handle that how I have it.
chat-script cdma "" "ATDT#777" TIMEOUT 60 CONNECT
crypto isakmp policy 35
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key greif address y.y.y.y no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map outside_map 35 ipsec-isakmp
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address 120
!
!
!
!
!
!
interface FastEthernet0/0
 description Eth to LAN Switch HSRP standby
 ip address 126.96.36.199 255.255.255.0 secondary
 ip address 10.104.33.253 255.255.248.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
 standby 1 ip 188.8.131.52
 standby 1 preempt
 standby 2 ip 10.104.33.254
 standby 2 preempt
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Cellular0/0/0
 description Backup Link
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 3000
 dialer string cdma
 dialer-group 1
 async mode interactive
 no peer neighbor-route
 no peer default ip address
 ppp ipcp dns request
 crypto map outside_map
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool branch x.x.x.x x.x.x.x netmask 255.255.255.0
ip nat inside source route-map nonat pool branch overload
!
logging history debugging
access-list 120 permit ip 184.108.40.206 0.0.0.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 220.127.116.11 0.0.0.255 172.22.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 120 deny ip any any
access-list 130 deny ip 18.104.22.168 0.0.0.255 10.110.0.0 0.0.255.255
access-list 130 deny ip 22.214.171.124 0.0.0.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 126.96.36.199 0.0.0.255 any
access-list 130 deny ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 130 deny ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 10.104.32.0 0.0.7.255 any
access-list 130 deny ip any any
!
!
!
!
route-map nonat permit 10
 match ip address 130
!
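Added example, not part of the original post: a first-match evaluation of the posted access lists 120 and 130, showing how a given source is handled on its way out Cellular0/0/0. In IOS a deny in a NAT or crypto ACL only exempts the packet from translation or encryption; it does not drop it. Assumptions: `egress_fate` is a hypothetical helper, host 10.104.33.10 and destination 198.51.100.7 are constructed, the translated pool address does not match ACL 120, and no interface ACL is applied (none appears in the posted config).

```python
import ipaddress

# access-list 120 (crypto map) and 130 (route-map nonat), copied from the posted config.
POSTED_ACLS = """\
access-list 120 permit ip 184.108.40.206 0.0.0.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 120 permit ip 220.127.116.11 0.0.0.255 172.22.0.0 0.0.255.255
access-list 120 permit ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 120 deny ip any any
access-list 130 deny ip 18.104.22.168 0.0.0.255 10.110.0.0 0.0.255.255
access-list 130 deny ip 22.214.171.124 0.0.0.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 126.96.36.199 0.0.0.255 any
access-list 130 deny ip 10.104.32.0 0.0.7.255 10.110.0.0 0.0.255.255
access-list 130 deny ip 10.104.32.0 0.0.7.255 172.22.0.0 0.0.255.255
access-list 130 permit ip 10.104.32.0 0.0.7.255 any
access-list 130 deny ip any any
"""

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def take_addr(tok):
    """Consume 'any' or 'ADDR WILDCARD'; return (base, care_mask, remaining tokens)."""
    if tok[0] == "any":
        return 0, 0, tok[1:]
    return ip_int(tok[0]), ~ip_int(tok[1]) & 0xFFFFFFFF, tok[2:]

def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        tok = line.split()              # access-list N ACTION ip SRC... DST...
        sb, sm, rest = take_addr(tok[4:])
        db, dm, _ = take_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], sb, sm, db, dm))
    return acls

def first_match(acl, src, dst):
    s, d = ip_int(src), ip_int(dst)
    for action, sb, sm, db, dm in acl:
        if ((s ^ sb) & sm) == 0 and ((d ^ db) & dm) == 0:
            return action
    return "deny"                       # implicit deny at the end of every ACL

def egress_fate(acls, src, dst):
    """Hypothetical helper: how a LAN packet routed to Cellular0/0/0 leaves the router."""
    if first_match(acls["130"], src, dst) == "permit":
        return "translated"             # NAT overload to the pool address
    if first_match(acls["120"], src, dst) == "permit":
        return "encrypted"              # matches the crypto map, goes into the tunnel
    return "cleartext-untranslated"     # neither ACL permits: sent with its original source

ACLS = parse_acls(POSTED_ACLS)
```

For 10.0.0.120 both lists end at `deny ip any any`, so the result is `cleartext-untranslated`: the packet still follows the default route out the cellular interface with its private source address.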