Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM

I have 5 subnets:
172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S.

I would like to eliminate the 192.x.x.x subnet as it is mostly redundant,
machines multihomed.

172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico

Europe office has a 1720 router and E1 connection.
U.S. has a 2621 and a T1 connection.

Europe needs to pull email and files from servers in U.S., but connection is
terribly, terribly slow. At present I have them VPN out to the internet and
into our VPN that way. Would like them to VPN or direct connect directly
through internal subnets. Once that is fixed the learning experience should
allow me to tweak the Mexico routes.

The Europe sh int is as follows:

sh int
Ethernet0 is up, line protocol is up 
  Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
  Description: connected to Internet
  Internet address is 217.117.229.138/29
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
 778610 packets input, 355003767 bytes, 0 no buffer
 Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
  Description: connected to EthernetLAN_1
  Internet address is 172.29.30.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of show interface counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 683511 packets input, 104715200 bytes
 Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
 165 output errors, 478 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
sc-ams-rtr-01>enable
Password: 
sc-ams-rtr-01#sh config
Using 2357 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname sc-ams-rtr-01
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password 
!
memory-size iomem 25
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip name-server 217.117.224.93
ip name-server 217.117.224.94
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key  address x.171.120.11
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 
no crypto engine accelerator
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp   
 set peer x.171.120.11
 set transform-set cm-transformset-1 
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address  255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 172.29.0.0
 no auto-summary
!
ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 217.117.229.137
ip route 172.29.10.0 255.255.255.0 

RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Nathan Nakao

CTM,

  First of all, in my experience, writing down exactly what you want to
do really helps.  It gives you a visual map of what you want to go
through and what you don't.  Second of all (now correct me if I'm wrong)
you want all deny statements at the end.  That's how I've done it
anyways.  After you've figured out all of that, it's just a simple
rewording of the access list.  You may also want to keep in mind that
where you place the access list matters (i.e. if it's an in or out
access group).

-Nate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, September 26, 2002 12:54 PM
To: [EMAIL PROTECTED]
Subject: Messing up Access Lists [7:54268]


I've been trying to optimize communications between two distant routers.
So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the
latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the
literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54273t=54268
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Messing up Access Lists [7:54268]

2002-09-26 Thread Robert Edmonds

You don't always want to put the deny at the end.  For example, if you want
to deny just one subnet, but permit everything else, putting the permit any
statement at the beginning would allow the subnet you intended to deny.  I
know, a lot of permitting and denying going on in that sentence.  :)-
Nathan Nakao wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54274t=54268
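Robert's ordering point, worked through as an added example that is not part of the thread: a small Python evaluator that applies the IOS top-down, first-match rule with wildcard masks to the ACL 101 posted above, and a check that flags any entry an earlier, broader entry makes unreachable. It handles only the `ip` protocol form used in the thread; `Entry`, `evaluate` and `shadowed` are names chosen here, and `ACL_MISORDERED` is a constructed variant with the broad permit moved to the top.

```python
import ipaddress
from dataclasses import dataclass

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def _hit(packet: int, net: int, wild: int) -> bool:
    """IOS wildcard match: bits the wildcard leaves as 0 must agree."""
    return (packet ^ net) & ~wild & 0xFFFFFFFF == 0

@dataclass(frozen=True)
class Entry:
    action: str        # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    @staticmethod
    def _addr(tok):
        # Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'.
        if tok[0] == "any":
            return 0, 0xFFFFFFFF, tok[1:]
        if tok[0] == "host":
            return _u32(tok[1]), 0, tok[2:]
        return _u32(tok[0]), _u32(tok[1]), tok[2:]

    @classmethod
    def parse(cls, line: str) -> "Entry":
        # Handles the 'access-list N permit|deny ip SRC DST' form used in the thread.
        tok = line.split()
        assert tok[0] == "access-list" and tok[3] == "ip", line
        src, src_w, rest = cls._addr(tok[4:])
        dst, dst_w, _ = cls._addr(rest)
        return cls(tok[2], src, src_w, dst, dst_w)

    def matches(self, src: str, dst: str) -> bool:
        return (_hit(_u32(src), self.src, self.src_wild)
                and _hit(_u32(dst), self.dst, self.dst_wild))

    def covers(self, other: "Entry") -> bool:
        # True when every packet matching `other` also matches self: self must
        # mask at least the bits other masks, and agree on the bits it fixes.
        def cov(net, wild, onet, owild):
            return (wild | owild) == wild and _hit(onet, net, wild)
        return (cov(self.src, self.src_wild, other.src, other.src_wild)
                and cov(self.dst, self.dst_wild, other.dst, other.dst_wild))

def evaluate(acl, src: str, dst: str) -> str:
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action
    return "deny"

def shadowed(acl):
    """Indices of entries that can never fire because an earlier entry covers
    them.  A deny shadowed by a broad permit is the mistake Robert describes."""
    return [i for i, e in enumerate(acl) if any(p.covers(e) for p in acl[:i])]

# ACL 101 exactly as posted.  Referenced by 'ip nat inside source list 101', a
# 'deny' here means 'do not translate', which keeps far-subnet traffic out of NAT.
ACL_101 = [Entry.parse(l) for l in (
    "access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255",
    "access-list 101 permit ip 192.168.100.0 0.0.0.255 any",
    "access-list 101 permit ip 172.29.10.0 0.0.0.255 any",
)]
# Constructed misordering: the broad permit moved above the deny it shadows.
ACL_MISORDERED = [ACL_101[1], ACL_101[0], ACL_101[2]]
```

With the posted order, 192.168.100.20 to 172.29.30.5 is left untranslated; with the permit on top the same packet is NATed and `shadowed()` reports the deny as dead.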



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread Daniel Cotts

I sent you some comments on this last Fri.
First look up the reload in xx min command. There is a way to have the
router reboot in a given time interval unless you rescind the command. So if
you lock yourself out of the router it reboots and restores the startup
config which allows you back in. If your changes are not fatal then cancel
the reload command. Then do a copy run start.
My guess is that you are killing your VPN by removing the access list at the
far end. You are most likely telnetting to that router from your local PC.
Its traffic traverses the VPN. Instead bring up a console connection on your
local router and telnet to the remote router. That won't use the VPN. I
don't see an access list that would block that connection.
There is an issue if you have statically NATed addresses. People out on the
Internet can reach your local servers but folks on the far end of the VPN
cannot. There is a solution on CCO. Last time I looked you had to start on
the Documentation page and work towards it. The solution is not on the 707?
page. I don't have time to look it up. Sort of goes like: 
interface Loopback0
 ip address 2.2.2.1 255.255.255.0
interface FastEthernet0
(This is the interface where your servers are located.)
 ip route-cache policy
 ip policy route-map StaticNAT

ip access-list extended StaticNAT
 remark Allows statically mapped NAT addresses through IPSec tunnel
 permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
(USE YOUR OWN IP ADDRESSES)

route-map StaticNAT permit 10
 match ip address StaticNAT
 set ip next-hop 2.2.2.2
(Note the address is not the address of the loopback.)

To use a basketball analogy - a direct pass won't work because a blocker is
in the way. Instead use a bounce pass.

 -Original Message-
 From: CTM CTM [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, September 26, 2002 2:54 PM
 To: [EMAIL PROTECTED]
 Subject: Messing up Access Lists [7:54268]
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54275t=54268



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

Hi,

You did indeed send me comments, and most appreciated. You even bailed me
out when I misapplied the advice, and again much appreciated.
I'm taking baby steps with the wisdom offered, and seem to get deeper than
intended, ultimately confused, then reach out for a breather.

Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54277t=54268



Re: Messing up Access Lists [7:54268]

2002-09-26 Thread John Huston

How about posting the complete config with a brief explanation? We don't need
the passwords or the actual IP addresses.




CTM CTM wrote in message news:[EMAIL PROTECTED]...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=54294t=54268