[c-nsp] Multiple NAT & Rerouting Web Traffic
Hi y'all,
Got a customer router (2801, IOS 12.4(15)T10) with two upstream interfaces. Both need to do NAT (private IPs inside). One is the default route, the other should be used for web traffic. After trying various configs, I got rerouting web traffic out the 2nd interface working, but it's not NATed properly (going out with the default interface IP). I can also get multiple NAT working, but not with the reroute web traffic route-map (only with static routes).
Has anyone done this? Is it even possible with IOS or am I missing something here? It seems like the "which interface am I NATing" part occurs before the "which interface do I need to send this packet through" part.
Below are the "relevant" parts of this config first, then the whole config (in case something else is mucking me up). There is also some VPN & VoIP Appliance priority stuff. Any clues would be much appreciated!
TIA,
Ray
----------------------------------------------------------------------
interface FastEthernet0/0
description Internal LAN
ip address 192.168.8.254 255.255.255.0
ip nat inside
ip policy route-map RerouteWebTraffic
interface FastEthernet0/1
description Upstream SDSL (123.123.123.104 /29)
ip address 123.123.123.108 255.255.255.248
ip nbar protocol-discovery
ip nat outside
crypto map CustVPNs
service-policy output StarfacePolicy
interface Dialer3
description Upstream VDSL (dynamic ip)
ip nat outside
ip route 0.0.0.0 0.0.0.0 123.123.123.105
ip route 10.0.0.1 255.255.255.255 Dialer3
ip nat inside source route-map sdsl interface FastEthernet0/1 overload
ip nat inside source route-map vdsl interface Dialer3 overload
access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
route-map sdsl permit 10
match ip address NAT_Exempt
!
route-map sdsl permit 20
match interface FastEthernet0/1
!
route-map vdsl permit 10
match interface Dialer3
!
route-map RerouteWebTraffic permit 10
match ip address 110
set ip default next-hop 10.0.0.1
----------------------------------------------------------------------
I also tried this instead of the next-hop route-map above, but no-workie:
route-map RerouteWebTraffic permit 10
match ip address 110
set interface Dialer3
===== Whole Config ===================================================
!
! Last configuration change at 18:19:40 CEDT Fri Aug 20 2010 by ray
! NVRAM config last updated at 18:05:03 CEDT Fri Aug 20 2010 by ray
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname cust-wi-r0
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 blablabla
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login xauth_list local
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 2:00
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.8.0 192.168.8.9
ip dhcp excluded-address 192.168.8.200 192.168.8.254
!
ip dhcp pool cust-wi-internal
network 192.168.8.0 255.255.255.0
default-router 192.168.8.254
dns-server 192.168.8.1
!
ip dhcp pool ORACLE
host 192.168.8.25 255.255.255.0
hardware-address 0019.991b.fb4a
client-name ORACLE
!
ip dhcp pool DSS
host 192.168.8.66 255.255.255.0
hardware-address 0016.7674.6195
client-name DSS
!
ip dhcp pool LEXMARK
host 192.168.8.99 255.255.255.0
hardware-address 00c0.026a.03bd
client-name LEXMARK
!
ip dhcp pool NPI29E03B
host 192.168.8.22 255.255.255.0
hardware-address 001f.2929.e03b
client-name NPI29E03B
!
ip dhcp pool HP_LaserJet_Flur
host 192.168.8.16 255.255.255.0
hardware-address 001f.2928.79da
client-name HP_LaserJet_Flur
!
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name Internal_FE00 tcp
ip inspect name Internal_FE00 udp
ip inspect name Internal_FE00 cuseeme
ip inspect name Internal_FE00 ftp
ip inspect name Internal_FE00 h323
ip inspect name Internal_FE00 rcmd
ip inspect name Internal_FE00 realaudio
ip inspect name Internal_FE00 streamworks
ip inspect name Internal_FE00 vdolive
ip inspect name Internal_FE00 tftp
ip inspect name Internal_FE00 ntp
ip inspect name Internal_FE00 sip
ip inspect name Internal_FE00 sip-tls
ip inspect name External_FE01 smtp
ip inspect name External_FE01 tcp
ip inspect name External_FE01 udp
no ip bootp server
ip domain name blablabla.net
ip name-server 101.102.103.138
ip name-server 103.102.101.153
!
multilink bundle-name authenticated
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-545859614
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-545859614
revocation-check none
rsakeypair TP-self-signed-545859614
!
!
crypto pki certificate chain TP-self-signed-545859614
certificate self-signed 01
30820253 308201BC 6E65642D 43657274 (...junk...)
quit
!
!
username foo password 7 blablabla
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key blablabla address 1.2.3.4 no-xauth
crypto isakmp key blablabla address 5.6.7.8 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CustVPNs 10 ipsec-isakmp
description VPN RemoteOffice1 (1.2.3.4)
set peer 1.2.3.4
set transform-set ESP-3DES-SHA
match address VPN_RemoteOffice1
crypto map CustVPNs 20 ipsec-isakmp
description VPN RemoteOffice2 (5.6.7.8)
set peer 5.6.7.8
set transform-set ESP-3DES-SHA
match address VPN_RemoteOffice2
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map match-any StarfaceTraffic
match access-group name Starface
!
!
policy-map StarfacePolicy
class StarfaceTraffic
priority percent 70
class class-default
fair-queue
!
!
!
!
interface FastEthernet0/0
description Internal LAN
ip address 192.168.8.254 255.255.255.0
no ip redirects
no ip proxy-arp
ip inspect Internal_FE00 in
ip nat inside
ip virtual-reassembly
ip policy route-map RerouteWebTraffic
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Upstream SDSL (123.123.123.104 /29)
bandwidth 5836
ip address 123.123.123.108 255.255.255.248
no ip redirects
no ip proxy-arp
ip nbar protocol-discovery
ip inspect External_FE01 in
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
no cdp enable
crypto map CustVPNs
service-policy output StarfacePolicy
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
switchport access vlan 3
!
interface FastEthernet0/3/3
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
no ip proxy-arp
ip tcp adjust-mss 1452
no ip mroute-cache
pppoe enable group global
pppoe-client dial-pool-number 2
!
interface Vlan3
no ip address
no ip proxy-arp
ip tcp adjust-mss 1452
no ip mroute-cache
pppoe enable group global
pppoe-client dial-pool-number 3
!
interface Dialer2
description Pay no attention to the man behind the curtain! (currently unused)
mtu 1456
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
dialer idle-timeout 30
dialer hold-queue 100
dialer-group 2
no keepalive
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username kakamole-static password 7 blablabla
!
interface Dialer3
description Upstream VDSL (dynamic ip)
mtu 1456
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 3
dialer hold-queue 100
dialer-group 3
no keepalive
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username foobarmumble password 7 blablabla
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 123.123.123.105
ip route 10.0.0.1 255.255.255.255 Dialer3
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map sdsl interface FastEthernet0/1 overload
ip nat inside source route-map vdsl interface Dialer3 overload
ip nat inside source static tcp 192.168.8.1 443 123.123.123.108 443 extendable
ip nat inside source static tcp 192.168.8.1 1723 123.123.123.108 1723 extendable
ip nat inside source static tcp 192.168.8.1 3389 123.123.123.108 3389 extendable
ip nat inside source static udp 192.168.8.1 3389 123.123.123.108 3389 extendable
ip nat inside source static tcp 192.168.8.200 5222 123.123.123.108 5222 extendable
!
ip access-list extended NAT_Exempt
deny ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
deny ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
permit ip 192.168.8.0 0.0.0.255 any
ip access-list extended Starface
permit ip any host 192.168.68.200
permit ip host 192.168.68.200 any
ip access-list extended VPN_RemoteOffice2
permit ip 192.168.8.0 0.0.0.255 192.168.6.0 0.0.0.255
ip access-list extended VPN_RemoteOffice1
permit ip 192.168.8.0 0.0.0.255 192.168.7.0 0.0.0.255
!
access-list 23 permit 192.168.8.0 0.0.0.255
access-list 23 permit 212.96.136.32 0.0.0.31
access-list 101 remark ***** ACL on Inbound Interface *****
access-list 101 remark *** allow ssh/telnet to this router (but see acl 170)
access-list 101 permit tcp any host 123.123.123.108 eq 22
access-list 101 permit tcp any host 123.123.123.108 eq telnet
access-list 101 remark *** allow icmp
access-list 101 permit icmp any any
access-list 101 remark *** allow to 192.168.68.1
access-list 101 permit tcp any host 123.123.123.108 eq 143
access-list 101 permit tcp any host 123.123.123.108 eq 1723
access-list 101 permit gre any host 123.123.123.108
access-list 101 remark *** allow to 192.168.68.200
access-list 101 permit tcp any host 123.123.123.108 eq 5222
access-list 101 deny ip any any
access-list 110 remark ***** ACL route-map RerouteWebTraffic *****
access-list 110 permit tcp any any eq www
access-list 110 permit tcp any any eq 443
access-list 170 remark ***** allowed telnet access
access-list 170 permit ip 192.168.6.0 0.0.0.255 any
access-list 170 deny ip any any log
dialer-list 2 protocol ip permit
dialer-list 3 protocol ip permit
no cdp run
!
!
route-map sdsl permit 10
match ip address NAT_Exempt
!
route-map sdsl permit 20
match interface FastEthernet0/1
!
route-map vdsl permit 10
match interface Dialer3
!
route-map RerouteWebTraffic permit 10
match ip address 110
set ip default next-hop 10.0.0.1
!
route-map nonat permit 10
match ip address NAT_Exempt
!
!
!
control-plane
!
line con 0
exec-timeout 0 0
password 7 blablabla
transport output all
escape-character 27
line aux 0
exec-timeout 0 0
password 7 blablabla
transport output all
escape-character 27
line vty 0 4
access-class 170 in
exec-timeout 60 0
privilege level 15
password 7 blablabla
transport input telnet ssh
transport output all
escape-character 27
line vty 5 15
access-class 170 in
privilege level 15
password 7 blablabla
transport input telnet ssh
transport output all
escape-character 27
!
scheduler allocate 20000 1000
end
----------------------------------------------------------------------
_______________________________________________
cisco-nsp mailing list cisco-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Type: Q&A - Source: puck.nether.net
Sent by Ray Davis - August 30, 2010 20:25:31
Tags: interface authentication nat dhcp crypto tcp ppp address
Roger Wiklund : access-list 100 deny icmp any any access-list 100 permit ip 192.1...
Sent by Roger Wiklund - August 31, 2010 13:59:31
Roger Wiklund : access-list 100 deny icmp any any access-list 100 permit ip 192.1...
Sent by Roger Wiklund - August 31, 2010 14:01:33
Roger Wiklund : Which means that SNMP will never be NAT:ed on Fa0/1.
Sent by Roger Wiklund - August 31, 2010 14:10:58
Jan Gregor : I guess this is the problem.
Sent by Jan Gregor - September 06, 2010 20:35:04
Ray Davis : Aug 2010, at 15:59 Uhr, Roger Wiklund wrote:
Sent by Ray Davis - September 07, 2010 16:44:44
Ray Davis : If I do a "sh ip nat translations" it looks like http traffic is be...
Sent by Ray Davis - September 07, 2010 16:57:13
Roger Wiklund : http://forums.whirlpool.net.au/archive/1498451
Sent by Roger Wiklund - September 07, 2010 20:18:29
Jan Gregor : glad that first part worked.
Sent by Jan Gregor - September 08, 2010 12:47:40
Ray Davis : Thanks, Ray
Sent by Ray Davis - September 09, 2010 14:43:06
Ray Davis : Sep 2010, at 22:18 Uhr, Roger Wiklund wrote:
Sent by Ray Davis - September 09, 2010 15:26:40

Here is the NAT order of operations in a Cisco router:
http://www.cisco.com/en/US/tech/tk648/tk361/tec...
I just put something together in the lab, not sure if this is what you
want to accomplish, but it works like this:
interface FastEthernet0/0
description INSIDE INTERFACE
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map PBR
speed 100
full-duplex
!
interface FastEthernet0/1
description OUTSIDE 1 (your ethernet)
ip address 172.18.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet1/0
description OUTSIDE 2 (your Dialer3)
ip address 10.10.10.1 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
This is just to simulate Internet access on both routers. Behind Fa0/1
is a router with a loopback that has 1.1.1.1/24, the same goes for
Fa1/0.
ip route 0.0.0.0 0.0.0.0 172.18.1.2
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
Standard PAT config. ACL 100 denies ICMP, which means that SNMP will
never be NATed on Fa0/1. In your case this needs to be an HTTP/HTTPS
deny.
ip nat inside source list 100 interface FastEthernet0/1 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
!
access-list 100 deny icmp any any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Then we do PBR: basically, when the protocol is ICMP, send it out of
the Fa1/0 interface (Dialer3; again, this should be web traffic for
you).
access-list 150 permit icmp any any
!
!
route-map PBR permit 10
match ip address 150
set interface FastEthernet1/0
So when I ping 1.1.1.1 from the client, PBR kicks in and sends it to
Fa1/0, and it gets NATed:
isp2>
*Mar 1 00:49:17.799: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar 1 00:49:17.955: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar 1 00:49:18.095: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar 1 00:49:18.147: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
*Mar 1 00:49:18.199: ICMP: echo reply sent, src 1.1.1.1, dst 10.10.10.1
And when I try a telnet to 1.1.1.1, PBR will not kick in, and it will
just NAT it to Fa0/1.
client#telnet 1.1.1.1
Trying 1.1.1.1 ... Open
User Access Verification
Password:
isp1>
Again, I'm not sure this will suit your environment, but perhaps you
can get something from it.
Regards
Roger
On Mon, Aug 30, 2010 at 10:25 PM, Ray Davis <ray-li...@carpe.net> wrote:
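Added example, not from this thread and not Cisco code: a small Python model of the inside-to-outside path Ray's question and Roger's reply are both about. It runs PBR on the inside interface first, then the routing table, then walks the "ip nat inside source" rules in configured order and translates with the first rule whose route-map sequence permits the packet, the match clauses of one sequence being ANDed as route-maps do. Two things are assumptions of the model rather than facts the thread establishes: that the "interface ... overload" keyword only names the address to translate to and does not by itself limit a rule to packets leaving that interface (which is what "match interface" is for), and that NAT sees the egress PBR chose. The sample flows and the 203.0.113.0/24 destination are constructed. Under those assumptions the model reproduces the symptom Ray reported: sequence 10 of route-map sdsl matches on NAT_Exempt alone, so web traffic that PBR has already steered to Dialer3 still hits the first NAT rule and leaves with the FastEthernet0/1 address. The corrected rule set is Roger's partitioning idea applied to Ray's config, keyed on the egress interface instead of on protocol: one sequence per route-map that ANDs NAT_Exempt with "match interface". The model also flags two things worth confirming on the real box with "show ip nat translations" rather than trusting a model: as posted, sequence 20 of route-map sdsl catches the VPN destinations that sequence 10 was meant to exempt, and ACL 110 matches web traffic bound for 192.168.6.0/24 and 192.168.7.0/24 too, steering it away from the interface that carries the crypto map, so the corrected PBR ACL denies those destinations first.

```python
"""Model of NAT rule selection for an inside->outside packet on a two-upstream
IOS router: PBR on the inside interface, then the routing table, then the
'ip nat inside source' rules walked in order, first permitting rule winning.
Constructed for this thread; not Cisco code, see the lead-in for assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional, Sequence

LAN, ANY = "192.168.8.0/24", "0.0.0.0/0"
VPN_SUBNETS = ("192.168.6.0/24", "192.168.7.0/24")   # crypto map destinations
SDSL, VDSL = "FastEthernet0/1", "Dialer3"            # default route / PBR target

Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("proto", str), ("dport", int)])


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any port

    def hits(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto)
                and ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.dport in (None, f.dport))


def acl_permits(acl: Sequence[Ace], f: Flow) -> bool:
    """First matching entry decides; implicit deny at the end, as in IOS."""
    for ace in acl:
        if ace.hits(f):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class Seq:
    """A 'route-map X permit N' sequence; its match clauses are ANDed."""
    acl: Optional[Sequence[Ace]] = None
    interface: Optional[str] = None

    def permits(self, f: Flow, egress: str) -> bool:
        return ((self.acl is None or acl_permits(self.acl, f))
                and (self.interface is None or self.interface == egress))


@dataclass(frozen=True)
class NatRule:
    """'ip nat inside source route-map ... interface <outside_if> overload'.
    Model assumption: the interface keyword only names the address to use;
    only 'match interface' in the route-map ties the rule to an egress."""
    seqs: Sequence[Seq]
    outside_if: str


def egress_for(f: Flow, pbr_acl: Sequence[Ace]) -> str:
    """PBR on the inside interface runs before the routing lookup."""
    return VDSL if acl_permits(pbr_acl, f) else SDSL


def matching_rules(f: Flow, rules: Sequence[NatRule], egress: str) -> list:
    return [r for r in rules if any(s.permits(f, egress) for s in r.seqs)]


def forward(f: Flow, rules: Sequence[NatRule], pbr_acl: Sequence[Ace]):
    """(egress interface, interface whose address the packet is NATed to, or None)."""
    egress = egress_for(f, pbr_acl)
    hits = matching_rules(f, rules, egress)
    return egress, (hits[0].outside_if if hits else None)


def ambiguous(flows, rules, pbr_acl) -> list:
    """Flows that more than one rule would translate, so rule order decides."""
    return [f for f in flows if len(matching_rules(f, rules, egress_for(f, pbr_acl))) > 1]


# The configuration as posted: ACL 110, NAT_Exempt, route-maps sdsl and vdsl.
NAT_EXEMPT = (Ace("deny", "ip", LAN, VPN_SUBNETS[0]),
              Ace("deny", "ip", LAN, VPN_SUBNETS[1]),
              Ace("permit", "ip", LAN, ANY))
ACL_110 = (Ace("permit", "tcp", ANY, ANY, 80), Ace("permit", "tcp", ANY, ANY, 443))
POSTED = (NatRule((Seq(acl=NAT_EXEMPT), Seq(interface=SDSL)), SDSL),   # sdsl 10, 20
          NatRule((Seq(interface=VDSL),), VDSL))                        # vdsl 10

# Corrected: one sequence per map ANDing the exemption ACL with the egress
# interface, and a PBR ACL that keeps the VPN destinations on the crypto-map side.
PBR_FIXED = (Ace("deny", "ip", LAN, VPN_SUBNETS[0]),
             Ace("deny", "ip", LAN, VPN_SUBNETS[1])) + ACL_110
FIXED = (NatRule((Seq(acl=NAT_EXEMPT, interface=SDSL),), SDSL),
         NatRule((Seq(acl=NAT_EXEMPT, interface=VDSL),), VDSL))

# Constructed sample flows; 203.0.113.0/24 is documentation address space.
WEB = Flow("192.168.8.25", "203.0.113.10", "tcp", 443)
SSH = Flow("192.168.8.25", "203.0.113.10", "tcp", 22)
VPN_WEB = Flow("192.168.8.25", "192.168.6.10", "tcp", 80)
VPN_SMB = Flow("192.168.8.25", "192.168.7.10", "tcp", 445)
FLOWS = (WEB, SSH, VPN_WEB, VPN_SMB)

if __name__ == "__main__":
    for name, rules, pbr in (("posted", POSTED, ACL_110), ("fixed", FIXED, PBR_FIXED)):
        print(f"== {name}")
        for f in FLOWS:
            egress, nat = forward(f, rules, pbr)
            print(f"  {f.dst}:{f.dport:<4} egress={egress:<16} nat={nat}")
        print("  order-dependent:", [f.dst for f in ambiguous(FLOWS, rules, pbr)])
```

Run as a script it prints the egress and NAT decision for each flow under both rule sets; ambiguous() lists the flows that more than one rule would translate, which is exactly the situation in which the result depends on rule order instead of on an explicit partition of the traffic. Roger's lab pair (ACL 100 denying ICMP in front of the default-interface rule, ACL 101 permitting everything for the second) is the same partition expressed with protocol ACLs only, and fits this model as sequences with an acl and no interface.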