Imagefree,
OK. So the only thing left is ssh.
By default https uses port 443. I would check which port your application uses and remove the redundant one.
Regards,
t00r
For ftp you need to add tcp port 20 rule into your acl 110 like in my earlier post.
Let's try to use some debugs to find out what happens with ssh.
Could you make the following acl
access-list 160 permit tcp any eq 22 any
access-list 160 permit tcp any any eq 22
then temporarily turn off cef
no...
One more thing - you need to add
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 20 any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 21 any
to enable ftp through T1 (and make sure you've removed your deny tcp 21 line).
t00r
Hi Imagefree,
ftp actually uses 2 ports:
21 - control port
20 - data port
you need to have them both for ftp to work
just for the record:
tcp/20 - ftp data
tcp/21 - ftp control
tcp/22 - ssh
tcp/80 - http
tcp/443 - https
Could you post your current config, do clear access-list counters 110...
Hi Minue,
Hmm... Maybe the modem was deactivating its Ethernet interfaces when DSL connectivity was lost? If that is the case, I agree there is no need for object tracking.
The problem with inbound redundancy is that ISP has configured static routing for 200.100.49.56/29 to go to...
Hi Imagefree,
I would change ACL 1 to
access-list 1 permit 200.100.49.56 0.0.0.7
since the original one includes more than your addresses. Technically it doesn't matter in this case, it's just misleading.
As for redundancy, right now your outgoing connections that normally go through T1 should be...
I think we've cross-posted.
Are you talking about my earlier posts? Because I didn't receive anything through email yet.
Anyway it's good to know that your problem is solved :)
P.S.: I've received your config when I was just about to post
So far I've found 3 places that I would change:
1...
You still have acl 1 in your nat config (Id: 4 line)
You need to
clear ip nat translation *
no ip nat inside source list 1 interface FastEthernet0/1 overload
to get rid of that.
I'll work on your config when I receive one.
t00r
Hi imagefree,
Could you check that you've actually got rid of your nat acl 1? You can do that by show ip nat statistics and look into the dynamic mappings section of the output.
200.100.49.56 0.0.0.7 in acl includes all addresses from 200.100.49.56 to 200.100.49.63. It covers the whole...
Hi Imagefree,
I think Minue is right - there is a PBR issue. You'll need to send your ssh and http(s) traffic to s0/0 too, not just udp.
acl 110 should look like:
access-list 110 permit udp any any
access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 110 permit tcp...
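To make the wildcard-mask and first-match behaviour discussed in the last two posts concrete, here is an added example (not code from the thread or from any of its posters) that parses Cisco-style numbered ACL lines and evaluates a packet against them offline. The ACL entries and the packet addresses below are constructed for illustration; it handles both standard (1-99) and extended (100-199) numbered ACLs, which is slightly more general than the specific lines quoted above.

```python
"""Evaluate Cisco IOS numbered ACLs (standard and extended) offline.

Constructed example: the ACL lines are typed in by hand and only mirror the
shape of the thread's acl 1 / acl 110 entries; nothing here talks to a router.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # base 0 with an all-ones wildcard matches every address


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)


def wildcard_range(base, wildcard):
    """First and last address covered by base/wildcard, e.g. 200.100.49.56 0.0.0.7."""
    b, w = _ip(base), _ip(wildcard)
    first = b & ~w & 0xFFFFFFFF
    last = b | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' | 'A' at tokens[i]; return ((base, wc), next_i)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    if i + 1 < len(tokens) and tokens[i + 1] not in ("eq", "any", "host"):
        return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2
    return (_ip(tokens[i]), 0), i + 1  # bare address: implicit 0.0.0.0 wildcard


def _parse_port(tokens, i):
    """Optional 'eq N' at tokens[i]; return (port or None, next_i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Turn one 'access-list N permit|deny ...' line into a dict of match fields."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    number, action = int(t[1]), t[2]
    if number < 100:  # standard ACL: source address only, any protocol
        src, _ = _parse_addr(t, 3)
        return dict(acl=number, action=action, proto="ip", src=src,
                    sport=None, dst=ANY, dport=None)
    proto = t[3]
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return dict(acl=number, action=action, proto=proto, src=src,
                sport=sport, dst=dst, dport=dport)


def evaluate(acl_lines, acl_number, proto, src, sport, dst, dport):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["acl"] != acl_number:
            continue
        if ace["proto"] not in ("ip", proto):
            continue
        if not wildcard_match(src, *ace["src"]) or not wildcard_match(dst, *ace["dst"]):
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"  # implicit deny at the end of the list


# Constructed sample ACLs in the shape of the thread's acl 1 and acl 110.
ACL_1 = ["access-list 1 permit 200.100.49.56 0.0.0.7"]
ACL_110 = [
    "access-list 110 permit udp any any",
    "access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any",
    "access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 20 any",
    "access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 21 any",
]

if __name__ == "__main__":
    print("acl 1 covers", wildcard_range("200.100.49.56", "0.0.0.7"))
    # Reply from the ssh server (source port 22) to a constructed client address.
    print(evaluate(ACL_110, 110, "tcp", "200.100.49.60", 22, "198.51.100.7", 40000))
    # http reply: not listed in acl 110, so the implicit deny applies.
    print(evaluate(ACL_110, 110, "tcp", "200.100.49.60", 80, "198.51.100.7", 40000))
```

Running it shows why an address outside 200.100.49.56 to .63 never matches the /29 entries, and why a protocol or port that is missing from acl 110 (http, https) falls through to the implicit deny; for a PBR match list that means the traffic is simply not policy-routed.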
Hi Imagefree,
If you want your web and ssh traffic to use your T1 line you shouldn't include that traffic in your acl called from route-map NO_NAT - acl 120. Your acl should look like:
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any
access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 80...
Hi Imagefree,
Those tracking commands would be helpful if you have static IPs since you'd need to know your local and gateway IPs. In later versions of IOS you can do that with dynamic IPs referencing to interfaces instead of IPs.
Regards,
t00r
You have 2 VCIs configured on your modem. Which one do you use - PPPoA or bridging?
Here is how you can do your tracking config:
1. Define your SLAs:
rtr 1
type echo protocol ipIcmpEcho <Remote-ip-address> source-ipaddr <Your-local-IP>
timeout...
Sure you can specify which addresses to NAT. But for the addresses that belong to your T1 line your return traffic will always go through T1 line.
When you NAT the traffic, then for the rest of the world all packets look like they were sent from the IP address of the interface that was specified in...
Let's assume you have ip nat inside in the f0/0 config.
Here is what the router does when the packet is received at f0/0:
1. Checks packet destination IP-address and defines next-hop IP and outgoing interface (192.168.6.1 and f0/1 - see ip route 0.0.0.0 0.0.0.0 192.168.6.1 and ip route 192.168.6.0...
One more thing you can do is to get a static IP for your DSL connection and do static NAT for your web-servers. In this case you would be doing all NATting on the 2621. You'd need to point your DNS records to the DSL IP. The downsides of that:
1. You can have only 1 public web-server on tcp port 80
2. If...
Your incoming traffic for 200.100.49.56/29 would be coming thru T1 no matter what you do since your ISP has static route for that subnet pointing to your T1 line.
When you NAT that subnet, all of the traffic looks like it's coming from the ADSL connection IP address; that is why the returning traffic...
Something like this?
And I assume your servers public IP block (200.100.49.56/29 ?) belongs to ADSL ISP not to T1 ISP. Am I correct?
Do you need to use NAT for your LAN IPs on T1 connection?
t00r
http://eccentric.mae.cornell.edu/~andrey/testtopology2.png
Where are your public servers located?
I've put two scenarios in the attachment. Does either of them correlate to your network?
Just trying to understand where the NAT should be
t00r
http://eccentric.mae.cornell.edu/~andrey/testtopology1.png