How about posting the complete config with a brief explanation? We don't need the passwords or the actual IP addresses.
"CTM CTM" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> You did indeed send me comments, and most appreciated. You even bailed me
> out when I misapplied the advice, and again much appreciated.
> I'm taking baby steps with the wisdom offered, and seem to get deeper than
> intended, ultimately confused, then reach out for a breather.
>
> Thanks, as always, for your generous help, I will digest the latest.
>
> Daniel Cotts wrote:
> >
> > I sent you some comments on this last Fri.
> > First look up the reload in xx min command. There is a way to have the
> > router reboot in a given time interval unless you rescind the command. So if
> > you lock yourself out of the router it reboots and restores the startup
> > config which allows you back in. If your changes are not fatal then cancel
> > the reload command. Then do a copy run start.
> > My guess is that you are killing your VPN by removing the access list at the
> > far end. You are most likely telnetting to that router from your local PC.
> > Its traffic traverses the VPN. Instead bring up a console connection on your
> > local router and telnet to the remote router. That won't use the VPN. I
> > don't see an access list that would block that connection.
> > There is an issue if you have statically NATed addresses. People out on the
> > Internet can reach your local servers but folks on the far end of the VPN
> > cannot. There is a solution on CCO. Last time I looked you had to start on
> > the Documentation page and work towards it. The solution is not on the 707?
> > page. I don't have time to look it up. Sort of goes like:
> >
> > interface Loopback0
> >  ip address 2.2.2.1 255.255.255.0
> > interface FastEthernet0
> > (This is the interface where your servers are located.)
> >  ip route-cache policy
> >  ip policy route-map StaticNAT
> >
> > ip access-list extended StaticNAT
> >  remark Allows statically mapped NAT addresses through IPSec tunnel
> >  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
> > (USE YOUR OWN IP ADDRESSES)
> >
> > route-map StaticNAT permit 10
> >  match ip address StaticNAT
> >  set ip next-hop 2.2.2.2
> > (Note the address is not the address of the loopback.)
> >
> > To use a basketball analogy - a direct pass won't work because a blocker is
> > in the way. Instead use a bounce pass.
> >
> > > -----Original Message-----
> > > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, September 26, 2002 2:54 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Messing up Access Lists [7:54268]
> > >
> > >
> > > I've been trying to optimize communications between two distant routers. So
> > > far I've managed to lock myself out of the far router three times, folks
> > > over there are getting weary of my mistakes ;-)
> > >
> > > I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter
> > > is physically the same devices multihomed as 192.168.100.0/24.
> > >
> > > I realize my NAT is messed up and I'm wrapping my head around the literature
> > > pulled from Cisco (led to by links provided by you generous folks).
> > > Looks like I also need to look in depth at access lists. I'm taking baby
> > > steps but am slowly making progress.
> > >
> > > Would love to solicit comments/advice on the following:
> > >
> > > ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
> > > ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> > > ip nat inside source static 172.29.10.20 64.172.228.154
> > > ip nat inside source static 192.168.100.20 64.172.228.132
> > > ip nat inside source static 192.168.100.135 64.172.228.135
> > > ip nat inside source static 172.29.20.20 64.172.228.133
> > > ip classless
> > > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> > > ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> > > ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> > > !
> > > logging history size 250
> > > logging history errors
> > > logging facility syslog
> > > access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> > > access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > > access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > > access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> > > route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54294&t=54268
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
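The thread hinges on what access-lists 100 and 101 in the quoted config actually match, and the NAT source list (`ip nat inside source list 101 ...`) is where a mistake silently breaks the VPN: a "permit" in list 101 means the packet gets translated, a "deny" means it keeps its private address. The following is an added example, not code from the post or from any of its participants: a small evaluator for numbered IOS extended ACLs (wildcard-mask semantics, first match wins, implicit deny at the end), run over the exact access-list lines quoted above so you can check, before touching the far router, which flows list 101 exempts from translation. The ACL lines are copied from the post; the sample flows (hosts 172.29.30.5 and 198.51.100.7) are constructed for illustration, and the function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the quoted config (email line wraps rejoined).
POSTED_CONFIG = """
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    action: str    # "permit" or "deny"
    src_net: int   # source network as a 32-bit integer
    src_wild: int  # source wildcard mask (1 bits = "don't care")
    dst_net: int
    dst_wild: int


def _parse_addr(tokens, i):
    """Parse one IOS address spec ('any', 'host A.B.C.D', or 'NET WILDCARD')
    starting at tokens[i]; return (network, wildcard, next index)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    net = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, wild, i + 2


def parse_acls(config_text):
    """Collect 'access-list N permit|deny ip SRC DST' lines into {N: [AclEntry]},
    preserving the order in which IOS evaluates them."""
    acls = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only numbered extended IP entries are handled here
        number, action = tokens[1], tokens[2]
        src_net, src_wild, i = _parse_addr(tokens, 4)
        dst_net, dst_wild, _ = _parse_addr(tokens, i)
        acls.setdefault(number, []).append(
            AclEntry(action, src_net, src_wild, dst_net, dst_wild))
    return acls


def _matches(addr, net, wild):
    """Cisco wildcard semantics: a bit set in the wildcard is ignored."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(acl, src, dst):
    """Return the action of the first matching entry; an ACL that matches
    nothing ends in IOS's implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for entry in acl:
        if _matches(s, entry.src_net, entry.src_wild) and \
           _matches(d, entry.dst_net, entry.dst_wild):
            return entry.action
    return "deny"


def would_be_translated(acls, src, dst):
    """Under 'ip nat inside source list 101 ...', a permit in list 101 means
    the packet's source is translated; deny (explicit or implicit) leaves it alone."""
    return evaluate(acls["101"], src, dst) == "permit"


def review_flows(acls, flows):
    """Evaluate each (src, dst) pair against both lists; returns
    [(src, dst, acl100_action, translated_by_101)]."""
    return [(s, d, evaluate(acls["100"], s, d), would_be_translated(acls, s, d))
            for s, d in flows]


# Constructed sample flows: inside hosts from the posted config toward a host
# in the remote 172.29.30.0/24 subnet and toward an Internet host.
SAMPLE_FLOWS = [
    ("192.168.100.20", "172.29.30.5"),   # multihomed host -> remote VPN subnet
    ("192.168.100.20", "198.51.100.7"),  # same host -> Internet
    ("172.29.10.20", "172.29.30.5"),     # 172.29.10.0/24 host -> remote VPN subnet
    ("172.29.20.20", "172.29.30.5"),     # host not listed in 101 at all
]

if __name__ == "__main__":
    acls = parse_acls(POSTED_CONFIG)
    for src, dst, a100, nat in review_flows(acls, SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<13} list100={a100:<6} translated={nat}")
```

Read literally, list 101 exempts only 192.168.100.0/24 toward 172.29.30.0/24 from translation; a 172.29.10.0/24 host sending to the same remote subnet hits the "permit ip 172.29.10.0 0.0.0.255 any" entry and is translated, while a 172.29.20.0/24 host matches nothing in list 101 and is never translated. Running this kind of table against a proposed change, together with the `reload in` safety net Daniel describes, is a cheaper way to find out what a new access-list does than locking yourself out of the far router.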

