Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM

I have 5 subnets:
172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S.

I would like to eliminate the 192.x.x.x subnet as it is mostly redundant,
machines multihomed.

172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico

Europe office has a 1720 router and E1 connection.
U.S. has 2621 and a T1 connection

Europe needs to pull email and files from servers in U.S., but connection is
terribly, terribly slow. At present I have them VPN out to the internet and
into our VPN that way. Would like them to VPN or direct connect directly
through internal subnets. Once that is fixed the learning experience should
allow me to tweak the Mexico routes.

The Europe "sh int" is as follows:

sh int
Ethernet0 is up, line protocol is up 
  Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
  Description: connected to Internet
  Internet address is 217.117.229.138/29
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
 778610 packets input, 355003767 bytes, 0 no buffer
 Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
  Description: connected to EthernetLAN_1
  Internet address is 172.29.30.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 683511 packets input, 104715200 bytes
 Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
 165 output errors, 478 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
sc-ams-rtr-01>enable
Password: 
sc-ams-rtr-01#sh config
Using 2357 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname sc-ams-rtr-01
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password 
!
memory-size iomem 25
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip name-server 217.117.224.93
ip name-server 217.117.224.94
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key  address x.171.120.11
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 
no crypto engine accelerator
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp   
 set peer x.171.120.11
 set transform-set cm-transformset-1 
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address  255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 172.29.0.0
 no auto-summary
!
ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 217.117.229.137
ip route 172.29.10.0 255.255.

Re: Messing up Access Lists [7:54268]

2002-09-26 Thread John Huston

How about posting the complete config with a brief explanation?  We don't
need the passwords or the actual IP addresses.




"CTM CTM" wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> You did indeed send me comments, and most appreciated. You even bailed me
> out when I misapplied the advice, and again much appreciated.
> I'm taking baby steps with the wisdom offered, and seem to get deeper than
> intended, ultimately confused, then reach out for a breather.
>
> Thanks, as always, for your generous help, I will digest the latest.
>
> Daniel Cotts wrote:
> >
> > I sent you some comments on this last Fri.
> > First look up the reload in xx min command. There is a way to
> > have the
> > router reboot in a given time interval unless you rescind the
> > command. So if
> > you lock yourself out of the router it reboots and restores the
> > startup
> > config which allows you back in. If your changes are not fatal
> > then cancel
> > the reload command. Then do a copy run start.
> > My guess is that you are killing your VPN by removing the
> > access list at the
> > far end. You are most likely telnetting to that router from
> > your local PC.
> > Its traffic traverses the VPN. Instead bring up a console
> > connection on your
> > local router and telnet to the remote router. That won't use
> > the VPN. I
> > don't see an access list that would block that connection.
> > There is an issue if you have statically NATed addresses.
> > People out on the
> > Internet can reach your local servers but folks on the far end
> > of the VPN
> > cannot. There is a solution on CCO. Last time I looked you had
> > to start on
> > the Documentation page and work towards it. The solution is not
> > on the 707?
> > page. I don't have time to look it up. Sort of goes like:
> > interface Loopback0
> >  ip address 2.2.2.1 255.255.255.0
> > interface FastEthernet0
> > (This is the interface where your servers are located.)
> >  ip route-cache policy
> >  ip policy route-map StaticNAT
> >
> > ip access-list extended StaticNAT
> >  remark Allows statically mapped NAT addresses through IPSec
> > tunnel
> >  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
> > (USE YOUR OWN IP ADDRESSES)
> >
> > route-map StaticNAT permit 10
> >  match ip address StaticNAT
> >  set ip next-hop 2.2.2.2
> > (Note the address is not the address of the loopback.)
> >
> > To use a basketball analogy - a direct pass won't work because
> > a blocker is
> > in the way. Instead use a bounce pass.
> >
> > > -Original Message-
> > > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, September 26, 2002 2:54 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Messing up Access Lists [7:54268]
> > >
> > >
> > > I've been trying to optimize communications between two
> > > distant routers. So
> > > far I've managed to lock myself out of the far router three
> > > times, folks
> > > over there are getting weary of my mistakes ;-)
> > >
> > > I have a subnet of 172.29.30.0/24 and a subnet of
> > > 172.29.10.0/24, the latter
> > > is physically the same devices multihomed as 192.168.100.0/24.
> > >
> > > I realize my NAT is messed up and I'm wrapping my head around
> > > the literature
> > > pulled from Cisco (led to by links provided by you generous
> > folks).
> > > Looks like I also need to look in depth at access lists. I'm
> > > taking baby
> > > steps but am slowly making progress.
> > >
> > > Would love to solicit comments/advice on the following:
> > >
> > > ip nat pool SCISANRTR001-natpool-1 64.172.228.155
> > > 64.172.228.158 netmask
> > > 255.255.255.224
> > > ip nat inside source list 101 pool SCISANRTR001-natpool-1
> > overload
> > > ip nat inside source static 172.29.10.20 64.172.228.154
> > > ip nat inside source static 192.168.100.20 64.172.228.132
> > > ip nat inside source static 192.168.100.135 64.172.228.135
> > > ip nat inside source static 172.29.20.20 64.172.228.133
> > > ip classless
> > > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> > > ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> > > ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> > > !
> > > logging history size 250
> > > logging history errors
> > > logging facility syslog
> > > access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0
> > > 0.0.0.255
> > > access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0
> > > 0.0.0.255
> > > access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0
> > > 0.0.0.255
> > > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > > access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> > > route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54294&t=54268
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

Hi,

You did indeed send me comments, and most appreciated. You even bailed me
out when I misapplied the advice, and again much appreciated.
I'm taking baby steps with the wisdom offered, and seem to get deeper than
intended, ultimately confused, then reach out for a breather.

Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:
> 
> I sent you some comments on this last Fri.
> First look up the reload in xx min command. There is a way to
> have the
> router reboot in a given time interval unless you rescind the
> command. So if
> you lock yourself out of the router it reboots and restores the
> startup
> config which allows you back in. If your changes are not fatal
> then cancel
> the reload command. Then do a copy run start.
> My guess is that you are killing your VPN by removing the
> access list at the
> far end. You are most likely telnetting to that router from
> your local PC.
> Its traffic traverses the VPN. Instead bring up a console
> connection on your
> local router and telnet to the remote router. That won't use
> the VPN. I
> don't see an access list that would block that connection.
> There is an issue if you have statically NATed addresses.
> People out on the
> Internet can reach your local servers but folks on the far end
> of the VPN
> cannot. There is a solution on CCO. Last time I looked you had
> to start on
> the Documentation page and work towards it. The solution is not
> on the 707?
> page. I don't have time to look it up. Sort of goes like: 
> interface Loopback0
>  ip address 2.2.2.1 255.255.255.0
> interface FastEthernet0
> (This is the interface where your servers are located.)
>  ip route-cache policy
>  ip policy route-map StaticNAT
> 
> ip access-list extended StaticNAT
>  remark Allows statically mapped NAT addresses through IPSec
> tunnel
>  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
> (USE YOUR OWN IP ADDRESSES)
> 
> route-map StaticNAT permit 10
>  match ip address StaticNAT
>  set ip next-hop 2.2.2.2
> (Note the address is not the address of the loopback.)
> 
> To use a basketball analogy - a direct pass won't work because
> a blocker is
> in the way. Instead use a bounce pass.
> 
> > -Original Message-
> > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 26, 2002 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Messing up Access Lists [7:54268]
> > 
> > 
> > I've been trying to optimize communications between two 
> > distant routers. So
> > far I've managed to lock myself out of the far router three 
> > times, folks
> > over there are getting weary of my mistakes ;-)
> > 
> > I have a subnet of 172.29.30.0/24 and a subnet of 
> > 172.29.10.0/24, the latter
> > is physically the same devices multihomed as 192.168.100.0/24.
> > 
> > I realize my NAT is messed up and I'm wrapping my head around 
> > the literature
> > pulled from Cisco (led to by links provided by you generous
> folks).
> > Looks like I also need to look in depth at access lists. I'm 
> > taking baby
> > steps but am slowly making progress.
> > 
> > Would love to solicit comments/advice on the following:
> > 
> > ip nat pool SCISANRTR001-natpool-1 64.172.228.155 
> > 64.172.228.158 netmask
> > 255.255.255.224
> > ip nat inside source list 101 pool SCISANRTR001-natpool-1
> overload
> > ip nat inside source static 172.29.10.20 64.172.228.154
> > ip nat inside source static 192.168.100.20 64.172.228.132
> > ip nat inside source static 192.168.100.135 64.172.228.135
> > ip nat inside source static 172.29.20.20 64.172.228.133
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> > ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> > ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> > !
> > logging history size 250
> > logging history errors
> > logging facility syslog
> > access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 
> > 0.0.0.255
> > access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 
> > 0.0.0.255
> > access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 
> > 0.0.0.255
> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> > route-map nonat permit 10
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54277&t=54268
--



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Daniel Cotts

I sent you some comments on this last Fri.
First look up the reload in xx min command. There is a way to have the
router reboot in a given time interval unless you rescind the command. So if
you lock yourself out of the router it reboots and restores the startup
config which allows you back in. If your changes are not fatal then cancel
the reload command. Then do a copy run start.
My guess is that you are killing your VPN by removing the access list at the
far end. You are most likely telnetting to that router from your local PC.
Its traffic traverses the VPN. Instead bring up a console connection on your
local router and telnet to the remote router. That won't use the VPN. I
don't see an access list that would block that connection.
There is an issue if you have statically NATed addresses. People out on the
Internet can reach your local servers but folks on the far end of the VPN
cannot. There is a solution on CCO. Last time I looked you had to start on
the Documentation page and work towards it. The solution is not on the 707?
page. I don't have time to look it up. Sort of goes like: 
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
interface FastEthernet0
(This is the interface where your servers are located.)
 ip route-cache policy
 ip policy route-map StaticNAT

ip access-list extended StaticNAT
 remark Allows statically mapped NAT addresses through IPSec tunnel
 permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
(USE YOUR OWN IP ADDRESSES)

route-map StaticNAT permit 10
 match ip address StaticNAT
 set ip next-hop 2.2.2.2
(Note the address is not the address of the loopback.)

To use a basketball analogy - a direct pass won't work because a blocker is
in the way. Instead use a bounce pass.

> -Original Message-
> From: CTM CTM [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 2:54 PM
> To: [EMAIL PROTECTED]
> Subject: Messing up Access Lists [7:54268]
> 
> 
> I've been trying to optimize communications between two 
> distant routers. So
> far I've managed to lock myself out of the far router three 
> times, folks
> over there are getting weary of my mistakes ;-)
> 
> I have a subnet of 172.29.30.0/24 and a subnet of 
> 172.29.10.0/24, the latter
> is physically the same devices multihomed as 192.168.100.0/24.
> 
> I realize my NAT is messed up and I'm wrapping my head around 
> the literature
> pulled from Cisco (led to by links provided by you generous folks).
> Looks like I also need to look in depth at access lists. I'm 
> taking baby
> steps but am slowly making progress.
> 
> Would love to solicit comments/advice on the following:
> 
> ip nat pool SCISANRTR001-natpool-1 64.172.228.155 
> 64.172.228.158 netmask
> 255.255.255.224
> ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> ip nat inside source static 172.29.10.20 64.172.228.154
> ip nat inside source static 192.168.100.20 64.172.228.132
> ip nat inside source static 192.168.100.135 64.172.228.135
> ip nat inside source static 172.29.20.20 64.172.228.133
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> !
> logging history size 250
> logging history errors
> logging facility syslog
> access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 
> 0.0.0.255
> access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 
> 0.0.0.255
> access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 
> 0.0.0.255
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54275&t=54268
--



Re: Messing up Access Lists [7:54268]

2002-09-26 Thread Robert Edmonds

You don't always want to put the deny at the end.  For example, if you want
to deny just one subnet, but permit everything else, putting the permit any
statement at the beginning would allow the subnet you intended to deny.  I
know, a lot of permitting and denying going on in that sentence.  :)-
"Nathan Nakao" wrote in message news:[EMAIL PROTECTED]...
> CTM,
>
>   First of all, in my experience, writing down exactly what you want to
> do really helps.  It gives you a visual map of what you want to go
> through and what you don't.  Second of all (now correct me if I'm wrong)
> you want all "deny" statements at the end.  That's how I've done it
> anyways.  After you've figured out all of that, it's just a simple
> rewording of the access list.  You may also want to keep in mind that
> where you place the access list matters (i.e. if it's an "in" or "out"
> access group).
>
> -Nate
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:54 PM
> To: [EMAIL PROTECTED]
> Subject: Messing up Access Lists [7:54268]
>
>
> I've been trying to optimize communications between two distant routers.
> So
> far I've managed to lock myself out of the far router three times, folks
> over there are getting weary of my mistakes ;-)
>
> I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
> latter
> is physically the same devices multihomed as 192.168.100.0/24.
>
> I realize my NAT is messed up and I'm wrapping my head around the
> literature
> pulled from Cisco (led to by links provided by you generous folks).
> Looks like I also need to look in depth at access lists. I'm taking baby
> steps but am slowly making progress.
>
> Would love to solicit comments/advice on the following:
>
> ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
> 255.255.255.224
> ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> ip nat inside source static 172.29.10.20 64.172.228.154
> ip nat inside source static 192.168.100.20 64.172.228.132
> ip nat inside source static 192.168.100.135 64.172.228.135
> ip nat inside source static 172.29.20.20 64.172.228.133
> ip classless
> ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> !
> logging history size 250
> logging history errors
> logging facility syslog
> access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54274&t=54268
--
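The ordering point made above (first match wins, so a broad permit placed before a narrower deny makes the deny unreachable), worked through against the access lists from the original post. This is an added example, not code from the thread: a small evaluator of Cisco numbered-ACL semantics with wildcard masks and the implicit deny, plus a check for shadowed entries; the sample packets and the REORDERED list are constructed for illustration.

```python
"""First-match evaluation of Cisco numbered ACLs and detection of shadowed entries.
Added example; ACL_TEXT is copied from the thread, REORDERED and the sample
packets are constructed to show the ordering problem discussed in the reply."""
import ipaddress
from dataclasses import dataclass

# Lists from the original post. List 101 is the NAT "inside source list":
# permit = translate, deny = leave untranslated (so the VPN sees inside addresses).
ACL_TEXT = """
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""

# Constructed: list 101 with the deny moved to the end, as the earlier reply suggested.
REORDERED = """
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
"""

@dataclass
class Ace:
    acl: str
    action: str          # "permit" or "deny"
    src: int
    src_wild: int        # wildcard mask: bit set = don't care
    dst: int
    dst_wild: int
    text: str

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2

def parse_acl(config):
    """Parse 'access-list N permit|deny ip SRC DST' lines; other lines are ignored."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, sw, i = _parse_addr(t, 4)
        dst, dw, _ = _parse_addr(t, i)
        aces.append(Ace(t[1], t[2], src, sw, dst, dw, line.strip()))
    return aces

def _match(addr, base, wild):
    # Bits that are 0 in the wildcard must equal the base address.
    return (addr & ~wild) == (base & ~wild)

def evaluate(aces, acl, src, dst):
    """Action of the first matching entry in `acl`, or the implicit deny at the end."""
    s, d = _ip(src), _ip(dst)
    for a in aces:
        if a.acl == acl and _match(s, a.src, a.src_wild) and _match(d, a.dst, a.dst_wild):
            return a.action, a.text
    return "deny", "implicit deny"

def shadowed(aces, acl):
    """Entries that can never match because an earlier entry covers their whole src/dst range."""
    def covers(a_base, a_wild, b_base, b_wild):
        # a covers b when a's don't-care bits include b's and the fixed bits agree.
        return (a_wild | b_wild) == a_wild and (a_base & ~a_wild) == (b_base & ~a_wild)
    mine = [a for a in aces if a.acl == acl]
    result = []
    for i, b in enumerate(mine):
        for a in mine[:i]:
            if covers(a.src, a.src_wild, b.src, b.src_wild) and covers(a.dst, a.dst_wild, b.dst, b.dst_wild):
                result.append((b.text, a.text))   # (unreachable entry, entry that hides it)
                break
    return result

if __name__ == "__main__":
    for name, text in (("original", ACL_TEXT), ("reordered", REORDERED)):
        aces = parse_acl(text)
        print(name, "192.168.100.20 -> 172.29.30.50:", evaluate(aces, "101", "192.168.100.20", "172.29.30.50"))
        print(name, "shadowed entries:", shadowed(aces, "101"))
```

In the original list 101, traffic from 192.168.100.0/24 toward the Europe LAN hits the deny first and is left untranslated; in the reordered list the same packet is permitted (translated) by the first entry and the deny is flagged as unreachable.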



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Nathan Nakao

CTM,

  First of all, in my experience, writing down exactly what you want to
do really helps.  It gives you a visual map of what you want to go
through and what you don't.  Second of all (now correct me if I'm wrong)
you want all "deny" statements at the end.  That's how I've done it
anyways.  After you've figured out all of that, it's just a simple
rewording of the access list.  You may also want to keep in mind that
where you place the access list matters (i.e. if it's an "in" or "out"
access group).

-Nate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]


I've been trying to optimize communications between two distant routers.
So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the
literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54273&t=54268
--



Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

I've been trying to optimize communications between two distant routers. So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54268&t=54268
--