12-14-2011 10:04 AM - edited 03-04-2019 02:38 PM
Hi folks, need help. Bit of a newbie when it comes to Cisco gear. Purchased an 887 for my home office. ADSL ATM0 and the Dialer get an address from my ISP; I have tried to configure NAT but none of my clients can browse the internet. I can't ping outside the network, but I can ping clients internally as my clients are connected via a switch, which is plugged in before the 887. I can get access to the router via the command line, and CP Express and Config Pro seem to work. I'm stumped as to what might be wrong. Can someone take a look at my config and let me know what else to try? It may be my default route config, but it looks correct to me.
Thanks
George
Building configuration...
Current configuration : 8900 bytes
!
! Last configuration change at 12:47:16 NewYork Wed Dec 14 2011 by elrooko
! NVRAM config last updated at 22:04:17 NewYork Wed Nov 30 2011
!
! NOTE(review): original post. Three things visible in this config account for the
! "LAN cannot reach the internet" symptom: "no ip routing" (the router does not
! forward between Vlan1 and the WAN at all), NAT rules and a default route that name
! a Dialer0 which is never defined (the WAN interface is Dialer2), and classic
! "ip nat inside/outside" mixed with NVI-style "ip nat enable" on the same interfaces.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Only applies the reversible type-7 encoding to "password" lines; it is not a
! substitute for "secret" (type 5) on the enable and username entries.
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
! "enable secret" takes precedence; the type-7 "enable password" is redundant and
! reversibly encoded, so it only adds a weaker copy of the privileged credential.
enable secret 5 $1$QaX9$6/I1yyUEptsC4QkS25CL2/
enable password 7 ******************
!
! Local authentication only; the vty lines at the bottom use a shared line password.
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
! Summer-time rule is pinned to 2003 dates; harmless for forwarding but stale.
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
! Self-signed trustpoint backing "ip http secure-server" below.
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
! Leftover SDM test trustpoint with no enrollment or certificate; safe to remove.
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
! Certificate body follows; nothing may be inserted between "certificate" and "quit".
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
3082023E 308201A7 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313638 32333432 3630301E 170D3131 31323031 30333334
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31363832
33343236 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100EAD0 B620EAEB 6E3CB175 D3996716 04CFC479 FE7C5CAD 35066502 1DDE3030
4761EBFA 4EED4DF7 C942893B 5B5D7F72 AD1012F3 0CA23F68 7AA1C53F B02ECC54
EAD89E26 4A5486DE 9387AF91 6B6EC4F8 0EAE97DF 50DB63BB 3E368417 319630AB
9F88EAA2 D2BAF53C 22360606 F418B638 E9D53472 4C817CC9 105DA017 E2A7B5ED
90550203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 6B9C7015
D761BF15 22BAF7E3 4C2803C3 BA76AFEE 301D0603 551D0E04 1604146B 9C7015D7
61BF1522 BAF7E34C 2803C3BA 76AFEE30 0D06092A 864886F7 0D010104 05000381
8100A132 5E75A6AC F851F9A6 F9501063 9E0EAF93 A8F3788D EE4E9945 F073D2AF
3519D31B 3977AD26 E3D9C21F 5609D766 D86C5EE4 7DE7EFF4 E09034B0 C908BFA1
DFDAAD42 D1EE9C67 E4185CC4 14178632 77E52598 74F961BA 6D365B2D 46135B6F
E83C1871 F8835478 25AF7821 940FFEFF 0E9B32C8 3FF6F928 B2077D59 8D45D8A2 B4A7
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
! NOTE(review): with IP routing disabled nothing is forwarded between Vlan1 and
! Dialer2, so the NAT rules and default route below never take effect. The
! 12-15-2011 12:07 AM reply re-enables it ("ip routing").
no ip routing
!
!
! The pool below is 10.0.0.0/8 while Vlan1 is 10.1.1.0/24; these two exclusions leave
! only 10.1.1.3-10.1.1.253 assignable, so the pool behaves as a /24 in practice.
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.0.0.0
domain-name thedunphys.ca
default-router 10.1.1.1
dns-server 10.1.1.120 10.1.1.11
netbios-name-server 10.1.1.120 10.1.1.11
!
!
! CEF is off and every interface below also carries "no ip route-cache"; the
! 12-15-2011 12:07 AM reply turns CEF back on ("ip cef").
no ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
! Privilege-15 local account stored with a reversible type-7 password; this is the
! account "ip http authentication local" checks. "username ... secret" would store a hash.
username e***** privilege 15 password 7 *******************
!
!
ip tcp synwait-time 10
!
! ---- Zone-based firewall, CCP/SDM generated ----
! sdm-nat-*-1: inbound SMTP/HTTP/HTTPS destined to the host in ACL 101 (10.1.1.120).
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
! SDM_GRE matches the named ACL below ("permit gre any any"): all GRE from any source.
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
! Generic outbound application set; the trailing tcp/udp entries cover everything else.
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
! Matches ACL 100 (limited-broadcast and loopback source addresses).
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
! self -> out-zone: router-originated icmp/tcp/udp is inspected, the rest passed.
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
! out-zone -> in-zone: only the three published services on 10.1.1.120 are inspected;
! GRE from any source is passed without inspection; everything else is dropped and logged.
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
! in-zone -> out-zone. NOTE(review): ccp-invalid-src is set to "pass", so packets with
! broadcast/loopback sources leave uninspected; the usual CCP template uses "drop log".
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
pass
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
! out-zone -> self: everything dropped, so management is reachable only from in-zone.
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
no ip route-cache
shutdown
isdn termination multidrop
!
! NOTE(review): ATM0 has no IP address yet carries both classic NAT ("ip nat outside")
! and NVI NAT ("ip nat enable"). The L3 WAN interface is Dialer2; the two NAT styles
! should not be mixed (see the 12-15-2011 replies).
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
no ip route-cache
no atm ilmi-keepalive
!
! PPPoE client on PVC 0/35 feeding dialer pool 1 (used by Dialer2).
interface ATM0.3 point-to-point
zone-member security out-zone
no ip route-cache
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
! Only inside interface (10.1.1.0/24). Same classic/NVI NAT mix as ATM0.
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip nat enable
ip virtual-reassembly
zone-member security in-zone
no ip route-cache
! 1412 = Dialer2 "ip mtu 1452" minus 40 bytes of IP/TCP header.
ip tcp adjust-mss 1412
!
! The WAN interface. Nothing in this config defines a Dialer0.
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
! PAP sends the ISP credential to the peer in clear; the stored copy is type 7
! (reversible), redacted in this post.
ppp authentication pap callin
ppp pap sent-username ******@ncf.ca password 7 ******************
no cdp enable
!
ip forward-protocol nd
! Clear-text HTTP management is enabled next to HTTPS. The out-zone->self drop policy
! keeps it off the WAN; "no ip http server" would remove the clear-text path entirely.
ip http server
ip http authentication local
ip http secure-server
!
! NOTE(review): the list-2 overload rule and the three static forwards name Dialer0,
! which is not defined anywhere above; only the list-3 rule uses the real WAN
! interface. ACL 2 ("permit any") and ACL 3 (10.0.0.0/8) overlap as inside lists.
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip nat inside source list 3 interface Dialer2 overload
! Floating static for the connected Vlan1 subnet; redundant with the connected route.
ip route 10.1.1.0 255.255.255.0 Vlan1 2
! Default route also points at the undefined Dialer0 (the 12-15-2011 12:07 AM reply
! replaces it with "ip route 0.0.0.0 0.0.0.0 dialer2").
ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp
!
! Referenced by class-map SDM_GRE: every GRE packet, any source, any destination.
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
! ACL 1 is not referenced anywhere in this config.
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
! ACL 2: inside list for the (dangling) Dialer0 overload rule.
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
! ACL 3: inside list for the Dialer2 overload rule, limited to 10.0.0.0/8.
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.0.0.0 0.255.255.255
! ACL 100: bogus source addresses matched by ccp-invalid-src.
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! ACL 101: the internal host that receives the inbound port forwards.
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! vty: shared type-7 line password with "login" (not "login local"); no "access-class"
! or "transport input" restriction is shown, so the platform default applies.
line vty 0 4
password 7 03345A1815182E5E4A58
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
12-14-2011 01:14 PM
I have several questions for you.
1) Do you see the ip address assigned to the ATM 0.3 p2p connection?
2) If you get an ip address from your pppoe server can you ping your default route?
3) I don't see any configuration for Dialer0. According to the first NAT statement there should be one configured.
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp
Your default route is pointing to Dialer0 which I couldn't find in the configuration???
12-15-2011 12:07 AM
Hi,
1) ip routing is disabled so reenable it with the global config command ip routing
2) ip cef is also disabled so same thing as 1: ip cef
3) your default route should point out dialer 2:
no ip route 0.0.0.0 0.0.0.0 Dialer0 dhcp
ip route 0.0.0.0 0.0.0.0 dialer2
4) no ip nat inside source list 2 interface Dialer0 overload
5)
no ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
no ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
no ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443
6) int vlan 1
no ip nat enable
7) add this command in global config: ip inspect log drop-pkt
Regards.
Alain
12-15-2011 02:31 AM
lol cadet, I didn't even notice ip routing was disabled
12-15-2011 02:46 AM
Hi George,
Modify access-list 2 as below:
1. access-list 2 permit any any ---> because you need access from any LAN PC to anything on the outside.
2. no ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list 2 interface Dialer2 overload
3. Remove the "ip nat enable" command under the Vlan1 interface; it is not required. If you keep it, the type of your NAT statements will change.
See the below explain for the same.
https://learningnetwork.cisco.com/message/124959
Please rate the helpful posts.
Regards,
Naidu.
12-15-2011 06:28 AM
Hi guys - thanks for the help, still no access. Running config is now posted below. Anyone else have any ideas?
Building configuration...
Current configuration : 8731 bytes
!
! Last configuration change at 09:10:28 NewYork Thu Dec 15 2011 by elrooko
! NVRAM config last updated at 09:07:34 NewYork Thu Dec 15 2011 by elrooko
!
! NOTE(review): second post, after the 12-15-2011 replies were applied: IP routing
! and CEF are on, every Dialer0 reference is gone, the default route points at
! Dialer2 and "ip inspect log drop-pkt" was added. What disappeared at the same time:
! Vlan1 no longer carries "ip nat inside" and Dialer2 no longer carries "ip nat
! outside". The only interface still marked for NAT is ATM0, which has no IP address,
! so the list-3 overload rule and the static entries have no inside/outside pair on
! the forwarding path and LAN traffic is still not translated. Restore "ip nat inside"
! under Vlan1 and "ip nat outside" under Dialer2 (the interface holding the negotiated
! address); the 12-15-2011 07:06 AM reply also removes both NAT lines from ATM0.
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 encoding only; "secret" entries are the hashed ones.
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
! "enable secret" takes precedence; the type-7 "enable password" is a redundant,
! reversibly encoded copy of the privileged credential.
enable secret 5 ***********
enable password 7 ***********
!
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
! Self-signed trustpoint backing "ip http secure-server" below.
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
! Leftover SDM test trustpoint with no enrollment or certificate; safe to remove.
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
! Certificate body follows; nothing may be inserted between "certificate" and "quit".
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
3082023E 308201A7 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313638 32333432 3630301E 170D3131 31323031 30333334
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31363832
33343236 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100EAD0 B620EAEB 6E3CB175 D3996716 04CFC479 FE7C5CAD 35066502 1DDE3030
4761EBFA 4EED4DF7 C942893B 5B5D7F72 AD1012F3 0CA23F68 7AA1C53F B02ECC54
EAD89E26 4A5486DE 9387AF91 6B6EC4F8 0EAE97DF 50DB63BB 3E368417 319630AB
9F88EAA2 D2BAF53C 22360606 F418B638 E9D53472 4C817CC9 105DA017 E2A7B5ED
90550203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 6B9C7015
D761BF15 22BAF7E3 4C2803C3 BA76AFEE 301D0603 551D0E04 1604146B 9C7015D7
61BF1522 BAF7E34C 2803C3BA 76AFEE30 0D06092A 864886F7 0D010104 05000381
8100A132 5E75A6AC F851F9A6 F9501063 9E0EAF93 A8F3788D EE4E9945 F073D2AF
3519D31B 3977AD26 E3D9C21F 5609D766 D86C5EE4 7DE7EFF4 E09034B0 C908BFA1
DFDAAD42 D1EE9C67 E4185CC4 14178632 77E52598 74F961BA 6D365B2D 46135B6F
E83C1871 F8835478 25AF7821 940FFEFF 0E9B32C8 3FF6F928 B2077D59 8D45D8A2 B4A7
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
! "no ip routing" from the first post is gone: forwarding is enabled again.
no ip source-route
!
!
! Pool is 10.0.0.0/8 while Vlan1 is 10.1.1.0/24; these exclusions leave only
! 10.1.1.3-10.1.1.253 assignable.
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.0.0.0
domain-name thedunphys.ca
default-router 10.1.1.1
dns-server 10.1.1.120 10.1.1.11
netbios-name-server 10.1.1.120 10.1.1.11
!
!
! CEF re-enabled (the per-interface "no ip route-cache" lines are gone as well).
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
! Added per the 12-15-2011 12:07 AM reply: firewall drops are now logged, which is
! the first place to look if translated traffic still does not leave.
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
! Privilege-15 local account with a reversible type-7 password; used by
! "ip http authentication local". "username ... secret" would store a hash.
username *********** privilege 15 password 7 ***************
!
!
ip tcp synwait-time 10
! New since the first post; unrelated to the forwarding problem.
no ip ftp passive
!
! ---- Zone-based firewall, CCP/SDM generated (unchanged from the first post) ----
! sdm-nat-*-1: inbound SMTP/HTTP/HTTPS destined to the host in ACL 101 (10.1.1.120).
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
! SDM_GRE matches the named ACL below ("permit gre any any"): all GRE from any source.
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
! Matches ACL 100 (limited-broadcast and loopback source addresses).
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
! out-zone -> in-zone: only the three published services on 10.1.1.120 are inspected;
! GRE from any source is passed without inspection; everything else is dropped and logged.
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
! in-zone -> out-zone. NOTE(review): ccp-invalid-src is "pass" rather than the usual
! CCP "drop log", so broadcast/loopback-sourced packets leave uninspected.
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
pass
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
! out-zone -> self: everything dropped, so management is reachable only from in-zone.
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
isdn termination multidrop
!
! NOTE(review): this is now the only NAT-marked interface in the config, and it has
! no IP address. Both NAT lines belong on Dialer2 / Vlan1, not here.
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
no atm ilmi-keepalive
!
! PPPoE client on PVC 0/35 feeding dialer pool 1 (used by Dialer2).
interface ATM0.3 point-to-point
zone-member security out-zone
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
! NOTE(review): "ip nat inside" is missing here (the first post had it alongside
! "ip nat enable"; both were removed). Without it no inside interface exists.
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
zone-member security in-zone
! 1412 = Dialer2 "ip mtu 1452" minus 40 bytes of IP/TCP header.
ip tcp adjust-mss 1412
!
! NOTE(review): "ip nat outside" is missing here too (the first post had it). The NAT
! statements below name Dialer2, so this interface must be marked outside.
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
! NOTE(review): unlike the first post, this PAP password is posted unredacted. The
! type-7 encoding is reversible, so treat the ISP credential as disclosed and have
! it changed; redact "password 7 ..." strings before posting configs.
ppp pap sent-username fl383@ncf.ca password 7 0701224A1C031C160E05081502
no cdp enable
!
ip forward-protocol nd
! Clear-text HTTP management next to HTTPS; the out-zone->self drop policy keeps it
! off the WAN, "no ip http server" would remove the clear-text path entirely.
ip http server
ip http authentication local
ip http secure-server
!
! All NAT rules now reference the real WAN interface, but see the Vlan1 / Dialer2
! notes above: no interface pair is marked inside/outside for them to act on.
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443
ip nat inside source list 3 interface Dialer2 overload
! Default route corrected to Dialer2.
ip route 0.0.0.0 0.0.0.0 Dialer2
! Floating static for the connected Vlan1 subnet; redundant with the connected route.
ip route 10.1.1.0 255.255.255.0 Vlan1 2
!
! Referenced by class-map SDM_GRE: every GRE packet, any source, any destination.
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
! ACLs 1 and 2 are no longer referenced by any NAT rule or class-map.
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
! ACL 3: inside list for the Dialer2 overload rule, limited to 10.0.0.0/8.
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.0.0.0 0.255.255.255
! ACL 100: bogus source addresses matched by ccp-invalid-src.
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! ACL 101: the internal host that receives the inbound port forwards.
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! vty: shared type-7 line password with "login" (not "login local"); no "access-class"
! or "transport input" restriction is shown, so the platform default applies.
line vty 0 4
password 7 ***********
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
12-15-2011 07:06 AM
Hi,
interface ATM0.3 point-to-point
ip nat outside
Also remove ip nat outside and ip nat enable from the physical interface.
If it isn't working then: sh ip nat translation
Regards.
Alain
12-15-2011 08:23 AM
Really appreciate all the help. Still no dice. The ip nat output is below.
NAT OUTPUT
Router#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 69.196.181.162:25 10.1.1.120:25 --- ---
tcp 69.196.181.162:80 10.1.1.120:80 --- ---
tcp 69.196.181.162:443 10.1.1.120:443 66.110.7.180:18613 66.110.7.180:18613
tcp 69.196.181.162:443 10.1.1.120:443 --- ---
Router#
Building configuration...
Current configuration : 8621 bytes
!
! Last configuration change at 11:12:40 NewYork Thu Dec 15 2011
! NVRAM config last updated at 09:58:47 NewYork Thu Dec 15 2011 by elrooko
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 **************
enable password 7 **************
!
no aaa new-model
memory-size iomem 10
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1168234260
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1168234260
revocation-check none
rsakeypair TP-self-signed-1168234260
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1168234260
certificate self-signed 02
3082023E 308201A7 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31313638 32333432 3630301E 170D3131 31323031 30333334
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31363832
33343236 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100EAD0 B620EAEB 6E3CB175 D3996716 04CFC479 FE7C5CAD 35066502 1DDE3030
4761EBFA 4EED4DF7 C942893B 5B5D7F72 AD1012F3 0CA23F68 7AA1C53F B02ECC54
EAD89E26 4A5486DE 9387AF91 6B6EC4F8 0EAE97DF 50DB63BB 3E368417 319630AB
9F88EAA2 D2BAF53C 22360606 F418B638 E9D53472 4C817CC9 105DA017 E2A7B5ED
90550203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 6B9C7015
D761BF15 22BAF7E3 4C2803C3 BA76AFEE 301D0603 551D0E04 1604146B 9C7015D7
61BF1522 BAF7E34C 2803C3BA 76AFEE30 0D06092A 864886F7 0D010104 05000381
8100A132 5E75A6AC F851F9A6 F9501063 9E0EAF93 A8F3788D EE4E9945 F073D2AF
3519D31B 3977AD26 E3D9C21F 5609D766 D86C5EE4 7DE7EFF4 E09034B0 C908BFA1
DFDAAD42 D1EE9C67 E4185CC4 14178632 77E52598 74F961BA 6D365B2D 46135B6F
E83C1871 F8835478 25AF7821 940FFEFF 0E9B32C8 3FF6F928 B2077D59 8D45D8A2 B4A7
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
!
!
! NOTE(review): the two exclusions leave 10.1.1.3-10.1.1.253 assignable, but the
! pool below hands clients a /8 mask while Vlan1 is addressed 10.1.1.1/24 (see
! its interface stanza). A reply further down recommends
! "network 10.1.1.0 255.255.255.0" so that pool and interface masks agree.
ip dhcp excluded-address 10.0.0.1 10.1.1.2
ip dhcp excluded-address 10.1.1.254 10.255.255.254
!
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.0.0.0
domain-name thedunphys.ca
default-router 10.1.1.1
dns-server 10.1.1.120 10.1.1.11
netbios-name-server 10.1.1.120 10.1.1.11
!
!
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username elrooko privilege 15 password 7 **************
!
!
ip tcp synwait-time 10
no ip ftp passive
!
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
pass
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
zone-member security out-zone
no atm ilmi-keepalive
!
! NOTE(review): NAT is tagged on the PPPoE carrier subinterface, but the
! translation rule ("ip nat inside source list 2 interface Dialer2 overload")
! names Dialer2, and neither Vlan1 ("ip nat inside") nor Dialer2
! ("ip nat outside") is marked. Classic NAT only translates between an
! inside-tagged and an outside-tagged interface, so LAN traffic is never
! translated here. Mixing "ip nat enable" with "ip nat outside" on the same
! interface is also unusual -- confirm which NAT mode is intended.
! The working config later in the thread tags Vlan1 and Dialer0 instead.
interface ATM0.3 point-to-point
ip nat outside
ip nat enable
ip virtual-reassembly
zone-member security out-zone
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
! NOTE(review): LAN side of the firewall; no "ip nat inside" is present, so
! packets entering here are never NAT candidates.
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
! NOTE(review): this is the interface whose negotiated address the NAT rule
! translates to, yet it carries no "ip nat outside".
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ************** password 7 **************
no cdp enable
!
router rip
passive-interface Vlan1
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
! NOTE(review): both plain-HTTP and HTTPS management are enabled with local
! authentication and no "ip http access-class" restricting sources. Prefer
! keeping only the secure server and limiting it to the LAN with an access-class.
ip http server
ip http authentication local
ip http secure-server
!
! NOTE(review): the overload rule uses access-list 2, which is "permit any"
! below; restrict it to the LAN prefix (the final config uses 10.1.1.0/24).
ip nat inside source static tcp 10.1.1.120 25 interface Dialer2 25
ip nat inside source static tcp 10.1.1.120 80 interface Dialer2 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer2 443
ip nat inside source list 2 interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
! NOTE(review): 10.1.1.0/24 is directly connected on Vlan1; this floating
! static (distance 2) adds nothing, as a reply below also points out.
ip route 10.1.1.0 255.255.255.0 Vlan1 2
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit any
access-list 2 remark CCP_ACL Category=2
access-list 2 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! NOTE(review): class-maps sdm-nat-http-1, sdm-nat-smtp-1 and sdm-nat-https-1
! each "match access-group 101", but no access-list 101 is defined in this
! config, so the outside-to-inside port-forward classes cannot be relied on
! to match; the final config defines 101 (and 102) explicitly.
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
! NOTE(review): with "no aaa new-model" in effect, this line password alone
! gates remote CLI access. It is stored with type-7 (reversible) encoding and
! has been published in this post, so it should be treated as disclosed and
! changed. No "transport input" or "access-class" is shown; confirm what the
! image's default allows and restrict to SSH from the LAN.
line vty 0 4
password 7 03345A1815182E5E4A58
login
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
12-15-2011 08:36 AM
Does the dialer-pool need to be 2 instead of 1?
12-15-2011 08:39 AM
Hi,
ip dhcp pool ccp-pool1
import all
network 10.0.0.0 255.0.0.0
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
Your DHCP pool must use the same mask as the VLAN interface, so change your pool to `network 10.1.1.0 255.255.255.0`.
Also remove this: `ip route 10.1.1.0 255.255.255.0 Vlan1 2` -- it serves no purpose, since 10.1.1.0/24 is already a directly connected network.
Regards.
Alain
12-15-2011 12:48 PM
So that wasn't it either. In true fashion, I reloaded the scratch OS config, started again from the base config and applied the changes suggested by folks here. My config now works perfectly. Here is my final running config, with the firewall configured, port forwarding enabled and NAT configured. Many thanks to everyone who helped out -- much appreciated.
Building configuration...
Current configuration : 13799 bytes
!
! Last configuration change at 14:01:01 PCTime Thu Dec 15 2011
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 *******************
! NOTE(review): "enable password 7" is redundant next to "enable secret 5" --
! the secret takes precedence for privileged EXEC -- and the type-7 value is
! reversible. Remove it ("no enable password") so only the hashed secret remains.
enable password 7 *******************
!
! NOTE(review): AAA with local method lists now governs login and exec
! authorization; this replaces the plain line-password model of the first config.
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name thedunphys.ca
ip name-server 10.1.1.120
ip name-server 10.1.1.11
ip port-map user-protocol--1 port tcp 1701
no ipv6 cef
!
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
license udi pid CISCO887-K9 sn FTX154380RQ
!
!
username elrooko privilege 15 view root secret 5 *******************
!
!
ip tcp synwait-time 10
no ip ftp passive
! NOTE(review): SSH timeout and retry limits are set, but the protocol version
! is not pinned; "ip ssh version 2" refuses SSHv1 sessions.
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 102
match protocol pptp
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
! NOTE(review): outside-to-inside policy for the port forwards. CCP_PPTP
! matches GRE any/any (via ACL SDM_GRE) and is "pass"ed, i.e. forwarded
! without stateful inspection, while the PPTP control channel (1723) is
! inspected by sdm-nat-pptp-1. Whether GRE actually reaches an inside host
! depends on a NAT entry not visible here; if PPTP stays, tighten SDM_GRE's
! destination to the PPTP server rather than "any".
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
! unmatched out->in traffic is dropped and logged
class class-default
drop log
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
! NOTE(review): both NAT roles are now tagged -- "ip nat inside" on Vlan1 and
! "ip nat outside" on Dialer0 -- which is what the first config was missing.
interface Vlan1
description $FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ******************* password 7 *******************
!
ip forward-protocol nd
! NOTE(review): management is now plain HTTP only (secure-server disabled),
! limited to the LAN by access-class 2. Credentials still cross the LAN in
! cleartext; prefer "ip http secure-server" with "no ip http server" and keep
! the access-class.
ip http server
ip http access-class 2
no ip http secure-server
!
! NOTE(review): the overload rule is now scoped to the LAN by access-list 1.
! The last two statics expose PPTP (1723) and L2TP (1701) on the WAN address;
! PPTP's MS-CHAPv2 authentication is widely regarded as weak, so if it must
! remain, watch the "drop log" hits on the out->in policy for probing.
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.1.1.120 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.120 443 interface Dialer0 443
ip nat inside source static tcp 10.1.1.120 25 interface Dialer0 25
ip nat inside source static tcp 10.1.1.11 1723 interface Dialer0 1723
ip nat inside source static tcp 10.1.1.11 1701 interface Dialer0 1701
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
! NOTE(review): no "logging host" appears in this config, so the trap level
! currently has no syslog destination; when one is added, "debugging" is very
! verbose -- "informational" is the usual choice.
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! ACLs 101/102 back the out->in port-forward class-maps; they were absent
! from the first config.
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.1.1.120
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.1.1.11
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
! NOTE(review): "login authentication local_authen" (AAA, local users) governs
! vty login, so the line "password 7" below is not consulted -- and its type-7
! value has been posted publicly; remove or rotate it. "transport input
! telnet ssh" still accepts cleartext telnet although SSH is configured;
! "transport input ssh" closes that. No "access-class" limits vty sources;
! consider reusing the LAN-only ACL 2 as on the HTTP server.
line vty 0 4
password 7 073F205F5D1E16171343
authorization exec local_author
login authentication local_authen
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
end