Tatster
- Mar 23, 2009
Hi all,
I am struggling to get my 1721 config doing what I want it to do.
What I have is a 1721 connected to an ADSL connection with static IP, and an internal network 192.168.200.0/24
I can connect successfully from a remote machine with VPN client software and get assigned an IP by the router from 192.168.201.1-20 range.
I can access servers within the 192.168.200.0/24 range via RDP (TCP 3389), but I can't HTTP to any devices inside the LAN (e.g. the access point's web interface), and I can't talk to the internal DNS server, 192.168.200.200.
Please could someone have a look through my config and tell me what I'm doing wrong - this is driving me nuts!!!
Thanks in advance,
Anthony
PS. Apologies for the long post, I figured it might be easier to see the config.
I am struggling to get my 1721 config doing what I want it to do.
What I have is a 1721 connected to an ADSL connection with static IP, and an internal network 192.168.200.0/24
I can connect successfully from a remote machine with VPN client software and get assigned an IP by the router from 192.168.201.1-20 range.
I can access servers within the 192.168.200.0/24 range via RDP (TCP 3389), but I can't HTTP to any devices inside the LAN (e.g. the access point's web interface), and I can't talk to the internal DNS server, 192.168.200.200.
Please could someone have a look through my config and tell me what I'm doing wrong - this is driving me nuts!!!
Thanks in advance,
Anthony
PS. Apologies for the long post, I figured it might be easier to see the config.
Code:
!This is the running config of the router: 192.168.200.254
!----------------------------------------------------------------------------
!version 12.3
! Review notes are added as "!" comment lines; IOS drops them from the
! running config, so they are safe to paste.
!
! Global services and local AAA.  Device management authenticates only
! against the local user table (one privilege-15 user) and the enable secret.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 "encryption" is a reversible obfuscation, not a hash: every
! "password 7" in this listing (username, PPP credentials, vty) can be
! recovered from the config text.  Only "enable secret 5" (MD5) is hashed.
service password-encryption
service sequence-numbers
!
hostname RTR-1
!
boot-start-marker
boot-end-marker
!
! Logs a run of 3 consecutive failed logins and (per IOS behaviour) imposes
! a short delay afterwards, which slows online guessing against the local
! user table.
security authentication failure rate 3 log
! Only severity "errors" and above are kept in the buffer (see also
! "logging trap errors" below).
logging buffered 4096 errors
enable secret 5 <removed>
!
! Full-privilege user stored as type 7.  Prefer
!   username rtr<snip> privilege 15 secret <pw>
! so the stored credential is a hash.  This same local entry serves both
! device logins (aaa ... default local) and VPN XAUTH (sdm_vpn_xauth_ml_1).
username rtr<snip> privilege 15 password 7 <removed>
! SDM/MMI housekeeping lines; no security effect.
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
! With aaa new-model, "login default local" governs con/aux/vty logins, so
! the "password 7" on the vty stanza at the end of the config is not the
! credential that is checked.
aaa new-model
!
!
aaa authentication login default local
! XAUTH (per-user) authentication for VPN clients, against the local table.
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
! Mode-config / group authorization for the EzVPN group "ICT", also local.
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
! Drops source-routed packets, so a remote host cannot steer traffic around
! the interface ACLs with IP options.
no ip source-route
!
!
! DHCP exclusions leave 192.168.200.10-.50 assignable, but no "ip dhcp pool"
! appears in this listing -- either it was trimmed from the paste or the
! router is not the LAN's DHCP server (TODO confirm).
ip dhcp excluded-address 192.168.200.1 192.168.200.9
ip dhcp excluded-address 192.168.200.51 192.168.200.254
!
!
ip tcp synwait-time 10
ip domain name <removed>
! The router's own resolver -- and the "ip dns server" forwarder further
! down -- uses OpenDNS.  Nothing in this config references the internal DNS
! host 192.168.200.200 named in the post, so "<removed>.local" names will
! not resolve through the router.
ip name-server 208.67.222.222
no ip bootp server
ip cef
! CBAC inspection set, applied "out" on Dialer0.  The trailing generic tcp
! and udp entries mean every outbound TCP/UDP session opens a matching
! return hole through ACL 103; the protocol-specific entries above them add
! application-channel tracking (ftp data, h323, rtsp, ...).
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
! Legacy IOS IDS: signature hits go to syslog only.
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
! IKEv1 phase 1: 3DES, pre-shared key, DH group 2 (1024-bit MODP).  All
! three are below current minimums (AES, group 14 or higher); justified
! only as far as the deployed VPN client software supports nothing stronger.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Seconds the client has to answer the XAUTH username/password prompt.
crypto isakmp xauth timeout 15
!
! EzVPN group "ICT".  "key" is a single group pre-shared key known to every
! remote user; per-user identity comes only from XAUTH against the local
! user table, so rotating this key means reconfiguring every client.
crypto isakmp client configuration group ICT
key <removed>
! DNS pushed to clients is this router, which forwards to OpenDNS (see
! "ip name-server" / "ip dns server").  If clients are meant to resolve
! internal names held on 192.168.200.200, that address must be pushed here
! instead or as well -- TODO confirm which is intended.
dns 192.168.200.254
domain <removed>.local
! Client addresses come from 192.168.201.1-.20 (pool defined below).
pool SDM_POOL_1
! Split tunnel: only 192.168.200.0/24 and 192.168.201.0/24 traverse the
! tunnel; everything else leaves the client unencrypted via its local ISP.
acl 104
!
!
! IKEv1 phase 2: ESP with 3DES and HMAC-SHA1.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map: any Internet peer that can complete IKE with the group key
! and XAUTH is accepted.  "reverse-route" injects a host route for each
! connected client so this router can forward LAN replies to 192.168.201.x.
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
! Hand out pool addresses via mode-config when the client requests one.
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
! Physical ADSL port; the routable address lives on Dialer0 via the PPPoA
! PVC on the subinterface below.
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
! LAN side.  ACL 102 is anti-spoofing only and there is no outbound ACL, so
! decrypted VPN traffic (192.168.201.x) reaches every LAN host unfiltered.
! The reverse path is the part this router cannot control: a LAN device
! must send its reply for 192.168.201.x to 192.168.200.254.  The router has
! the client routes (reverse-route), but a device whose default gateway is
! missing or points elsewhere -- common for an access point's management
! address -- cannot answer, and "no ip proxy-arp" means the router will not
! paper over that.  NOTE(review): this fits the symptom in the post (RDP to
! servers works, HTTP to the AP and DNS to 192.168.200.200 do not); check
! the gateway/route settings on those two devices before changing the
! router.
interface FastEthernet0
description $FW_INSIDE$
ip address 192.168.200.254 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
! NAT inside.  ACL 100 (via route-map SDM_RMAP_1) keeps LAN -> VPN-client
! traffic out of translation.
ip nat inside
speed auto
no cdp enable
!
! Internet side: ACL 103 inbound, CBAC outbound, crypto map for the
! remote-access clients.  No "ip tcp adjust-mss" / "ip mtu" is configured;
! IPsec inside PPPoA shrinks the usable MTU, and a client whose path-MTU
! discovery is blocked will see small-packet protocols succeed while larger
! transfers stall.  Presumably not the cause of the DNS failure, but worth
! ruling out for HTTP (TODO: test with a large ping -f/-df through the
! tunnel).
interface Dialer0
description $FW_OUTSIDE$
ip address xxx.xxx.48.253 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <removed>
! ISP credentials stored as type 7 (reversible) -- treat any copy of this
! config as secret material.
ppp chap password 7 <removed>
ppp pap sent-username <removed> password 7 <removed>
crypto map SDM_CMAP_1
!
! Remote-access client pool: twenty addresses.  Keep this in step with the
! per-host "deny" lines in ACL 100 -- a client outside .1-.20 would have LAN
! replies NATed to the Dialer0 address and presumably miss the tunnel.
ip local pool SDM_POOL_1 192.168.201.1 192.168.201.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Management web UI: cleartext HTTP and HTTPS are both enabled, both limited
! by access-class 2 to 192.168.200.0/24 -- VPN clients (192.168.201.x) are
! refused, as they are on the vty.  If that is intended, consider keeping
! only "ip http secure-server" and removing the plain-text server.
ip http server
ip http access-class 2
ip http secure-server
! PAT to the Dialer0 address for traffic matching ACL 100 (LAN -> Internet,
! excluding LAN -> VPN client).
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
! The router answers DNS for LAN and VPN clients and forwards to the
! "ip name-server" above.  It is not an open resolver toward the Internet:
! ACL 103 admits only port-53 replies from 208.67.222.222 to the router's
! own address and logs/drops everything else.
ip dns server
!
!
logging trap errors
! NOTE: "logging trap" only sets the syslog severity; no "logging <host>"
! appears in this listing, so nothing is sent off-box (TODO confirm).
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.200.0 0.0.0.255
! ACL 2: HTTP/HTTPS management UI reachable from the LAN subnet only; VPN
! clients (192.168.201.x) are refused.
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 2 deny any
! ACL 100 selects what is NATed (route-map SDM_RMAP_1): LAN -> anything
! except the VPN client pool.  The twenty per-host denies are exactly the
! range in "ip local pool SDM_POOL_1"; a single
!   access-list 100 deny ip any 192.168.201.0 0.0.0.255
! would cover the subnet and not silently break if the pool is enlarged.
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 192.168.201.1
access-list 100 deny ip any host 192.168.201.2
access-list 100 deny ip any host 192.168.201.3
access-list 100 deny ip any host 192.168.201.4
access-list 100 deny ip any host 192.168.201.5
access-list 100 deny ip any host 192.168.201.6
access-list 100 deny ip any host 192.168.201.7
access-list 100 deny ip any host 192.168.201.8
access-list 100 deny ip any host 192.168.201.9
access-list 100 deny ip any host 192.168.201.10
access-list 100 deny ip any host 192.168.201.11
access-list 100 deny ip any host 192.168.201.12
access-list 100 deny ip any host 192.168.201.13
access-list 100 deny ip any host 192.168.201.14
access-list 100 deny ip any host 192.168.201.15
access-list 100 deny ip any host 192.168.201.16
access-list 100 deny ip any host 192.168.201.17
access-list 100 deny ip any host 192.168.201.18
access-list 100 deny ip any host 192.168.201.19
access-list 100 deny ip any host 192.168.201.20
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
! ACL 101: vty (telnet/ssh) reachable from the LAN only; VPN clients excluded.
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 deny ip any any
! ACL 102 (inbound on FastEthernet0): anti-spoofing only -- drops LAN packets
! claiming the ISP /24, the broadcast address or loopback as source -- then
! permits everything, so nothing on the LAN side restricts VPN <-> LAN.
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip xxx.xxx.48.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
! ACL 103 (inbound on Dialer0, the Internet side).  Replies to sessions the
! LAN initiated are admitted by the CBAC inspection holes, not by this list.
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
! DNS answers only from the configured forwarder.
access-list 103 permit udp host 208.67.222.222 eq domain host xxx.xxx.48.253
access-list 103 remark Auto generated by SDM for NTP (123) 194.164.127.5
! No matching "ntp server 194.164.127.5" appears in this listing.
access-list 103 permit udp host 194.164.127.5 eq ntp host xxx.xxx.48.253 eq ntp
! IPsec remote access: AH/ESP, IKE (udp/500) and NAT-T (udp/4500) from any
! peer, as the dynamic crypto map requires.
access-list 103 permit ahp any host xxx.xxx.48.253
access-list 103 permit esp any host xxx.xxx.48.253
access-list 103 permit udp any host xxx.xxx.48.253 eq isakmp
access-list 103 permit udp any host xxx.xxx.48.253 eq non500-isakmp
access-list 103 permit icmp any host xxx.xxx.48.253 echo-reply
access-list 103 permit icmp any host xxx.xxx.48.253 time-exceeded
access-list 103 permit icmp any host xxx.xxx.48.253 unreachable
! NOTE(review): the next two entries accept packets arriving FROM THE
! INTERNET whose source claims to be the LAN or the VPN pool.  SDM emits
! them because older 12.3 images re-check decrypted IPsec traffic against
! this inbound ACL and would otherwise drop it; on images that bypass the
! inbound ACL for decrypted packets they are unneeded and merely punch
! through the RFC1918 anti-spoof denies below (which they shadow for these
! two /24s).  Confirm the exact image before removing them.
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 permit ip 192.168.201.0 0.0.0.255 any
! Bogon / RFC1918 source filtering, then log everything else dropped.
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
! ACL 104: split-tunnel network list pushed to clients of group ICT.
access-list 104 permit ip 192.168.200.0 0.0.0.255 any
access-list 104 permit ip 192.168.201.0 0.0.0.255 any
! Any IP packet counts as "interesting" traffic and keeps the dialer up.
dialer-list 1 protocol ip permit
no cdp run
!
! NAT candidates are chosen by ACL 100 through this route-map (see
! "ip nat inside source route-map SDM_RMAP_1").
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
! Empty control-plane stanza: no CoPP policy is applied.
control-plane
!
! Login banner.  It promises that access is logged, but logging is kept
! only at severity "errors" and no syslog host is configured, so most
! login-related messages are presumably not retained -- raise the level
! (and add a "logging <host>") if that claim is meant to hold.
banner login ^CThis is a protected system. Authorised Users Only. All system access is logged.^C
!
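! Management lines.  All three authenticate through AAA ("aaa authentication
! login default local"), so the vty "password 7" below is a leftover and not
! the credential that is checked.
line con 0
! Drop idle console sessions after 10 minutes.
exec-timeout 10 0
! AUX port is unused: no shell and no inbound transport.
line aux 0
no exec
transport input none
line vty 0 4
! Remote management only from the LAN (ACL 101); VPN clients are excluded.
access-class 101 in
exec-timeout 10 0
password 7 <removed>
! SSH only.  Telnet carried the login in cleartext across the LAN.  SSH was
! already an allowed transport, so an RSA keypair presumably exists --
! confirm with "show crypto key mypubkey rsa" (and generate one if not)
! before applying this from anything other than the console.
transport input ssh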
!
! Reserve CPU time for process-level work (management, routing) under heavy
! interrupt load -- a standard resilience setting on small routers.
scheduler allocate 4000 1000
scheduler interval 500
end