HELP? Cannot get mail, www etc into network.

Status
Not open for further replies.

captnops

IS-IT--Management
Feb 12, 2003
We recently moved and have installed new MPLS WAN circuits. I have made the DNS changes for MX records and websites publicly, and made the appropriate address changes internally, but I am still unable to get mail, web, etc into my network.

I am able to access the internet.

I am including a config below. All help is GREATLY appreciated.

CISCO-RH-2821A#sh run
Building configuration...

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO-XXXXXX
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
no logging console


dot11 syslog
!
!
ip cef
!
!
ip host CISCO-XXXXX 10.x.x.x
ip name-server 10.x.x.x
ip name-server 8.8.8.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!

archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key XXXXXXXXX address XXX.XXX.XXX.XXX
crypto isakmp keepalive 10
!
crypto isakmp client configuration group XXXXX
key global2world
dns 10.10.10.4
pool vpnpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set XXXXXX esp-3des esp-sha-hmac
crypto ipsec transform-set XXXXXXX esp-3des esp-sha-hmac
!
crypto dynamic-map XXXXXX 10
set transform-set XXXXXX
!
!
crypto map HEDI 10 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set XXXXX
match address 100
!
crypto map VPN client authentication list XXXXX
crypto map VPN isakmp authorization list XXXXXX
crypto map VPN client configuration address respond
crypto map VPN 1 ipsec-isakmp
description XXXXL2L VPN
set peer XXX.XXX.XXX.XXX
set transform-set XXXX
match address 100
crypto map VPN 10 ipsec-isakmp dynamic XXXXXXX
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description INTERNAL LAN
ip address 10.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map STATIC
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description WAN/INTERNET
ip address 173.210.x.x 255.255.255.248
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
!
interface FastEthernet0/3/0
shutdown
!
interface FastEthernet0/3/1
shutdown
!
interface FastEthernet0/3/2
shutdown
!
interface FastEthernet0/3/3
shutdown
!
interface FastEthernet0/3/4
shutdown
!
interface FastEthernet0/3/5
shutdown
!
interface FastEthernet0/3/6
shutdown
!
interface FastEthernet0/3/7
shutdown
!
interface FastEthernet0/3/8
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip local pool vpnpool 192.x.x.x 192.x.x.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 173.210.x.x
ip route 10.x.y.x 255.255.255.0 10.x.x.x
!
!
no ip http server
ip http authentication local
ip http secure-server
ip nat source static tcp 10.10.10.4 25 173.210.x.x 25 extendable
ip nat source static tcp 10.10.10.4 443 173.210.x.x 443 extendable
ip nat source static tcp 10.10.10.47 80 173.210.x.x 80 extendable
ip nat source static tcp 10.10.10.47 443 173.210.x.x 443 extendable
ip nat source static tcp 10.10.10.43 25 173.210.x.x 25 extendable
ip nat source static tcp 10.10.10.43 80 173.210.x.x 80 extendable
ip nat source static tcp 10.10.10.43 443 173.210.x.x 443 extendable
ip nat inside source route-map NO-NAT interface GigabitEthernet0/1 overload
!
access-list 100 deny ip 10.10.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit tcp any host 173.210.x.x eq 443
access-list 101 permit tcp any host 173.210.x.x eq smtp
access-list 101 permit tcp any host 173.210.x.x eq 443
access-list 101 permit icmp any any echo
access-list 101 permit udp any host 173.210.x.x eq non500-isakmp
access-list 101 permit udp host 192.5.41.41 host 173.210.x.x eq ntp
access-list 101 permit tcp any host 173.210.x.x eq www
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host 173.210.x.x eq www
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit udp host 192.5.41.209 host 173.210.x.x eq ntp
access-list 101 permit icmp any any time-exceeded
access-list 101 permit tcp any host 173.210.x.x eq www
access-list 101 permit icmp any any echo-reply
access-list 101 permit tcp any host 173.210.x.x eq smtp
access-list 101 permit tcp any host 173.210.x.x eq 1723
access-list 101 permit tcp any host 173.210.x.x eq 443
access-list 101 permit udp any host 173.210.x.x eq isakmp
access-list 101 permit esp any host 173.210.x.x
access-list 101 permit icmp any any traceroute
access-list 101 permit gre any host 173.210.x.x
access-list 101 permit ip 192.x.x.x 0.0.0.255 10.x.x.0 0.0.0.255
access-list 101 permit icmp any any packet-too-big
access-list 101 permit udp host 173.210.x.x any eq non500-isakmp
access-list 101 permit ip any any
access-list 102 permit ip 10.x.x.x 0.0.0.255 192.x.x.x 0.0.0.255

!
!
route-map STATIC permit 10
match ip address 102
!
route-map NO-NAT permit 10
match ip address 100
!

!
control-plane
!

line con 0
line aux 0
line vty 0 4
privilege level 15

!
scheduler allocate 20000 1000
ntp clock-period 17180354
ntp update-calendar
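
The following is an added example, not part of the original post: a small Python audit that flags three patterns visible in the configuration above. The sample config is a constructed excerpt modelled on the post, using documentation addresses (203.0.113.2) in place of the masked public IP, and the finding names are hypothetical labels.

```python
import re

# Constructed excerpt modelled on the posted config (documentation addresses).
SAMPLE = """\
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip access-group 101 in
 ip nat outside
ip nat source static tcp 10.10.10.4 25 203.0.113.2 25 extendable
ip nat source static tcp 10.10.10.43 25 203.0.113.2 25 extendable
ip nat inside source static tcp 10.10.10.47 80 203.0.113.2 80 extendable
access-list 101 permit tcp any host 203.0.113.2 eq smtp
access-list 101 permit ip any any
"""

STATIC = re.compile(
    r"^ip nat (inside )?source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL = re.compile(r"^access-list (\d+) (.+)$")

def audit(config):
    """Return (finding, detail) tuples for an IOS running-config text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Legacy NAT marks interfaces inside/outside; NVI uses "ip nat enable".
    legacy = any(l in ("ip nat inside", "ip nat outside") for l in lines)
    nvi = "ip nat enable" in lines
    forwards = {}   # (proto, global ip, global port) -> first local host
    acls = {}       # ACL number -> list of entries
    for l in lines:
        m = STATIC.match(l)
        if m:
            inside_kw, proto, local, _lport, glob, gport = m.groups()
            # "ip nat source static" is the NVI form; with only
            # inside/outside interfaces it needs "ip nat inside source".
            if not inside_kw and legacy and not nvi:
                findings.append(("nvi-static-without-nat-enable", l))
            key = (proto, glob, gport)
            # One public ip:port cannot forward to two internal hosts.
            if forwards.setdefault(key, local) != local:
                findings.append(("conflicting-port-forward", l))
        m = ACL.match(l)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
    for num, entries in acls.items():
        # A broad permit makes the specific permits in the ACL redundant.
        if "permit ip any any" in entries and len(entries) > 1:
            findings.append(("acl-permit-any-any", "access-list " + num))
    return findings
```

Run against the posted text, the masked `173.210.x.x` entries are compared as literal strings, so port-forward conflicts are reported only under the assumption that the masked addresses are the same public IP.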
 