I sent you some comments on this last Fri.
First look up the reload in xx min command. There is a way to have the
router reboot in a given time interval unless you rescind the command. So if
you lock yourself out of the router it reboots and restores the startup
config which allows you back in. If your changes are not fatal then cancel
the reload command. Then do a copy run start.
My guess is that you are killing your VPN by removing the access list at the
far end. You are most likely telnetting to that router from your local PC.
Its traffic traverses the VPN. Instead bring up a console connection on your
local router and telnet to the remote router. That won't use the VPN. I
don't see an access list that would block that connection.
There is an issue if you have statically NATed addresses. People out on the
Internet can reach your local servers but folks on the far end of the VPN
cannot. There is a solution on CCO. Last time I looked you had to start on
the Documentation page and work towards it. The solution is not on the 707?
page. I don't have time to look it up. Sort of goes like: 
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
!
interface FastEthernet0
 ! This is the interface where your servers are located.
 ip route-cache policy
 ip policy route-map StaticNAT
!
ip access-list extended StaticNAT
 remark Allows statically mapped NAT addresses through IPSec tunnel
 permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
 ! USE YOUR OWN IP ADDRESSES
!
route-map StaticNAT permit 10
 match ip address StaticNAT
 set ip next-hop 2.2.2.2
 ! Note the address is not the address of the loopback.

To use a basketball analogy - a direct pass won't work because a blocker is
in the way. Instead use a bounce pass.

> -----Original Message-----
> From: CTM CTM [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: Messing up Access Lists [7:54268]
> 
> 
> I've been trying to optimize communications between two distant routers. So
> far I've managed to lock myself out of the far router three times; folks
> over there are getting weary of my mistakes ;-)
> 
> I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24; the latter
> is physically the same devices multihomed as 192.168.100.0/24.
> 
> I realize my NAT is messed up and I'm wrapping my head around the literature
> pulled from Cisco (led to by links provided by you generous folks).
> Looks like I also need to look in depth at access lists. I'm taking baby
> steps but am slowly making progress.
> 
> Would love to solicit comments/advice on the following:
> 
> ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
> ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> ip nat inside source static 172.29.10.20 64.172.228.154
> ip nat inside source static 192.168.100.20 64.172.228.132
> ip nat inside source static 192.168.100.135 64.172.228.135
> ip nat inside source static 172.29.20.20 64.172.228.133
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> !
> logging history size 250
> logging history errors
> logging facility syslog
> access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> route-map nonat permit 10

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54275&t=54268
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
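Before pushing another change to the far router, it helps to know exactly which of the posted entries a given flow will hit. The following is an added Python example, not code from either poster, that evaluates Cisco-style extended ACL entries (wildcard masks, `host`, `any`, first match wins, implicit deny) against candidate flows. It assumes access-list 101 is the NAT list (the original post binds it with `ip nat inside source list 101`, so a `deny` there means "do not translate") and assumes access-list 100 is the crypto map's interesting-traffic list, which the post does not state. The ACL lines are the ones posted; the remote host addresses used as sample destinations are constructed.

```python
"""
Evaluate Cisco-style numbered extended ACL entries against candidate flows.
Only the protocol-agnostic 'permit|deny ip SRC DST' form is modelled.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (network_as_int, wildcard_as_int, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [AclEntry]}.
    Entries keep their order, because IOS evaluates them top to bottom."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = tokens[1], tokens[2]
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append(
            AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return acls


def _matches(addr, net, wild):
    """Wildcard bit 1 means 'don't care'; every 0 bit must match exactly."""
    return (addr & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)


def evaluate(entries, src, dst):
    """First-match semantics with the implicit deny at the end, as on IOS."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in entries:
        if _matches(s, e.src_net, e.src_wild) and _matches(d, e.dst_net, e.dst_wild):
            return e.action
    return "deny"


def classify_flow(acls, src, dst):
    """Report what the (assumed) crypto list 100 and the NAT list 101 decide.
    For the NAT list, 'permit' means the source will be translated."""
    return {"crypto": evaluate(acls.get("100", []), src, dst),
            "nat": evaluate(acls.get("101", []), src, dst)}


# Access-list lines exactly as posted in the original message (unwrapped).
POSTED_ACLS = [
    "access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255",
    "access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255",
    "access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
    "access-list 101 permit ip 172.29.10.0 0.0.0.255 any",
]

if __name__ == "__main__":
    acls = parse_acl(POSTED_ACLS)
    # Destination hosts below are constructed sample addresses.
    for src, dst in [("192.168.100.20", "172.29.30.10"),   # LAN host to far subnet
                     ("192.168.100.20", "64.1.1.1"),        # LAN host to the Internet
                     ("172.29.10.20", "172.29.30.10")]:     # 172.29.10 host to far subnet
        print(src, "->", dst, classify_flow(acls, src, dst))
```

Run as a script and each line shows, per flow, whether the crypto list would select it and whether the NAT list would translate it; the third flow, from the 172.29.10.0/24 side, is matched by the NAT `permit` entry and by neither entry of list 100, which is the kind of thing worth seeing on a workstation rather than discovering on the far router.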