The router configuration that I made with a colleague. It is a configuration with an ADSL connection and an SHDSL connection.
The configuration has a local LAN IP and a DMZ IP. You can use this configuration as a base and create a new config for your own solution. If you have any questions about it, do not hesitate to contact me.
You will find some Dutch words (like "naar", which means "to").
Building configuration…
Current configuration : 21094 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname < Hostname >
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 notifications
enable password < password >
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login CVPN group radius
aaa authentication ppp default local
aaa authorization network default local
!
!
aaa session-id common
clock timezone GMT+1 1
clock summer-time GMT+1 recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1719397329
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1719397329
revocation-check none
rsakeypair TP-self-signed-1719397329
!
!
crypto pki certificate chain TP-self-signed-1719397329
certificate self-signed 01
< Will be created on its own >
quit
crypto pki certificate storage flash:/certificat/
!
!
ip cef
!
!
ip domain name < domain name >
ip name-server < dns server 1 >
ip name-server < dns server 2 >
ip inspect name FW_Dialer10_IN tcp
ip inspect name FW_Dialer10_IN udp
ip inspect name FW_Dialer10_IN icmp
ip inspect name FW_Dialer10_IN ftp
ip inspect name FW_Dialer10_IN ssh
ip inspect name FW_Dialer10_IN ntp
ip inspect name FW_Dialer10_IN isakmp
ip inspect name FW_Dialer10_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT icmp
ip inspect name FW_Dialer10_OUT ftp
ip inspect name FW_Dialer10_OUT rtsp
ip inspect name FW_Dialer10_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer10_OUT tcp router-traffic
ip inspect name FW_Dialer10_OUT udp router-traffic
ip inspect name FW_Dialer11_IN tcp
ip inspect name FW_Dialer11_IN udp
ip inspect name FW_Dialer11_IN icmp
ip inspect name FW_Dialer11_IN ftp
ip inspect name FW_Dialer11_IN ssh
ip inspect name FW_Dialer11_IN ntp
ip inspect name FW_Dialer11_IN isakmp
ip inspect name FW_Dialer11_IN fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT icmp
ip inspect name FW_Dialer11_OUT rtsp
ip inspect name FW_Dialer11_OUT fragment maximum 256 timeout 1
ip inspect name FW_Dialer11_OUT tcp router-traffic
ip inspect name FW_Dialer11_OUT udp router-traffic
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips notify SDEE
ip ips name IPS_Dialer10_OUT
ip ips name IPS_Dialer10_IN
ip ips name IPS_Dialer11_OUT
ip ips name IPS_Dialer11_IN
!
multilink bundle-name authenticated
!
async-bootp dns-server < internal dns server >
async-bootp nbns-server < internal nbns server >
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username < name > password < password >
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 15
!
crypto isakmp client configuration group < Group Name >
key < key name >
dns < internal dns server >
wins < internal wins server >
domain < domain name >
pool VPNCLIENT
acl ACL_VPN
save-password
split-dns < domain name >
backup-gateway < backup gateway >
netmask 255.255.255.0
crypto isakmp profile CIP_CVPN_CLIENT
match identity group < Group Name >
client authentication list CVPN
isakmp authorization list CVPN
client configuration address respond
!
!
crypto ipsec transform-set CIT_CVPN_CLIENT esp-aes 256 esp-sha-hmac
!
crypto dynamic-map CDM_CVPN_CLIENT 10
set transform-set CIT_CVPN_CLIENT
set isakmp-profile CIP_CVPN_CLIENT
!
!
crypto map CMP_CVPN_CLIENT 10 ipsec-isakmp dynamic CDM_CVPN_CLIENT
!
archive
log config
hidekeys
!
!
controller DSL 0/1/0
mode atm
line-term cpe
line-mode auto enhanced
dsl-mode shdsl symmetric annex B
description < Description line >
!
ip ssh rsa keypair-name RSA_SSH
!
track 10 rtr 10 reachability
!
track 12 rtr 12 reachability
!
!
!
!
interface Loopback10
description Bypass NAT for IPsec traffic
ip address 1.1.192.1 255.255.255.0
!
interface Loopback252
description Cisco SSL VPN Client for WebVPN
ip address < loopback address >
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface GigabitEthernet0/0
description < LAN Description >
ip address < Lan IP Address >
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
ip policy route-map RMP_GigabitEthernet0/0_NO_NAT
duplex auto
speed auto
hold-queue 100 in
hold-queue 100 out
!
interface GigabitEthernet0/1
description DMZ to Webserver
ip address < DMZ IP address >
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache policy
ip route-cache flow
ip policy route-map RMP_GigabitEthernet0/1_NO_NAT
duplex auto
speed auto
hold-queue 100 in
hold-queue 100 out
!
interface ATM0/0/0
description < Adsl description >
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/48 < can be various of your ISP >
encapsulation aal5mux ppp dialer
dialer pool-member 10
!
!
interface ATM0/1/0
description < shdsl description >
no ip address
no ip route-cache cef
no ip route-cache
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
pvc 0 0/35 < can be various of your ISP >
encapsulation aal5mux ppp dialer
dialer pool-member 11
!
!
interface Dialer10
description connected to ATM0 - ADSL over POTS -
ip address negotiated
ip access-group ACL_Dialer10_IN in
ip access-group ACL_Dialer10_OUT out
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect FW_Dialer10_IN in
ip inspect FW_Dialer10_OUT out
ip ips IPS_Dialer10_IN in
ip ips IPS_Dialer10_OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 10
dialer idle-timeout 0
dialer persistent
dialer-group 10
no cdp enable
ppp authentication pap callin
ppp pap sent-username < username@ISP.xxx > password < password >
crypto map CMP_CVPN_CLIENT
!
interface Dialer11
description connected to ATM0 - SDSL
ip address negotiated
ip access-group ACL_Dialer11_IN in
ip access-group ACL_Dialer11_OUT out
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect FW_Dialer11_IN in
ip inspect FW_Dialer11_OUT out
ip ips IPS_Dialer11_IN in
ip ips IPS_Dialer11_OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 11
dialer idle-timeout 0
dialer persistent
dialer-group 11
no cdp enable
ppp authentication pap callin
ppp pap sent-username < username@ISP.xxx > password < password >
crypto map CMP_CVPN_CLIENT
!
ip local policy route-map RMP_LOCAL_POLICY
ip local pool VPNCLIENT < VPN IP Range DHCP Pool >
ip local pool ILP_WVPN_CLIENT < WebVPN IP Range DHCP Pool >
no ip forward-protocol nd
ip route < VPN IP Range with subnetmask > Dialer11 track 10
ip route 0.0.0.0 0.0.0.0 Dialer10 track 12
ip route 0.0.0.0 0.0.0.0 Dialer11 200
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route < VPN IP Range with subnetmask > Dialer10 200
ip route 192.168.0.0 255.255.0.0 Null0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat translation timeout 300
ip nat inside source route-map RMP_Dialer10_OVERLOAD interface Dialer10 overload
ip nat inside source route-map RMP_Dialer11_OVERLOAD interface Dialer11 overload
ip nat inside source static tcp < local IP > 3389 < external IP > 3389 extendable
!
ip access-list standard ACL_VTY04_IN
permit < ip range who has access for telnet >
!
ip access-list extended ACL_Dialer10_IN
remark VPN
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit tcp any any eq 1723
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit ip < VPN IP Range to Local LAN ip with both wild cards >
permit ip < VPN IP Range to Local DMZ ip with both wild cards >
remark router poorten
permit tcp any any eq 22
permit udp any any eq ntp
permit udp any any eq snmp
remark < servername >
permit tcp any any eq 3389
remark < servername >
permit tcp any any eq www
permit tcp any any eq 443
remark < servername >
permit tcp any any eq smtp
remark ABN-AMRO OfficeNet Extra
permit tcp host 193.172.44.45 any
permit tcp host 193.172.44.78 any
permit tcp host 194.151.107.44 any
permit tcp host 194.151.107.76 any
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer10_OUT
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark Standard WWW services
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 22
permit tcp any any eq telnet
permit udp any any eq ntp
remark Belastingdienst
permit tcp any any eq 143
permit tcp any any eq 587
remark LDAP
permit tcp any any eq 389
remark HDN Lite
permit tcp any any eq 1150
remark Rabobank Telebankieren Extra
permit tcp any any eq 2901
remark Citrix ICA
permit tcp any any eq 1494
permit tcp any any eq 2598
remark Windows Media
permit tcp any any eq 1755
remark Windows Messenger
permit tcp any any eq 1863
permit udp any any range 1024 65535
permit tcp any any range 6891 6900
remark Microsoft RDP
permit tcp any any eq 3389
permit icmp any any
remark Mcafee
permit tcp any any eq 8801
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer10_OVERLOAD
deny ip < local LAN IP Range to VPN IP Range with wildcards >
deny ip < local DMZ IP Range to VPN IP Range with wildcards >
permit ip < Local LAN IP Range with wildcard > any
permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_Dialer11_IN
remark VPN
permit udp any any eq isakmp
permit esp any any
permit gre any any
permit tcp any any eq 1723
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit ip < VPN IP Range to Local LAN ip with both wild cards >
permit ip < VPN IP Range to Local DMZ ip with both wild cards >
remark router poorten
permit tcp any any eq 22
permit udp any any eq snmp
remark SSL VPN
permit tcp any host < SSL VPN IP ADDRESS > eq www
permit tcp any host < SSL VPN IP ADDRESS > eq 443
remark < servername >
permit tcp any host < 2nd External IP > eq 3389
remark XCH01
permit tcp any host < 1st External IP > eq 3389
remark < servername >
permit tcp any host < 3rd External IP > eq www
permit tcp any host < 3rd External IP > eq 443
permit tcp any host < 3rd External IP > eq 3389
remark < servername >
permit tcp any host < 4th External IP > eq 3389
remark Anti-spoofing
deny ip host 0.0.0.0 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 224.0.0.0 15.255.255.255 any
remark ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any unreachable
deny icmp any any
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer11_OUT
remark VPN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any eq non500-isakmp any
permit esp any any
permit gre any any
permit tcp any any eq 1723
remark Standard WWW services
permit tcp any any eq www
permit udp any any eq domain
permit tcp any any eq domain
permit tcp any any eq smtp
permit tcp any any eq 443
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit tcp any any eq pop3
permit tcp any any eq nntp
permit tcp any any eq 22
permit tcp any any eq telnet
permit udp any any eq ntp
remark Belastingdienst
permit tcp any any eq 143
permit tcp any any eq 587
remark LDAP
permit tcp any any eq 389
remark HDN Lite
permit tcp any any eq 1150
remark Rabobank Telebankieren Extra
permit tcp any any eq 2901
remark Citrix ICA
permit tcp any any eq 1494
permit tcp any any eq 2598
remark Windows Media
permit tcp any any eq 1755
remark Windows Messenger
permit tcp any any eq 1863
permit udp any any range 1024 65535
permit tcp any any range 6891 6900
remark Microsoft RDP
permit tcp any any eq 3389
permit icmp any any
remark Mcafee
permit tcp any any eq 8801
deny tcp any range 0 65535 any range 0 65535
deny udp any range 0 65535 any range 0 65535
deny ip any any
ip access-list extended ACL_Dialer11_OVERLOAD
deny ip < local LAN IP Range to VPN IP Range with wildcards >
deny ip < local DMZ IP Range to VPN IP Range with wildcards >
permit ip < Local LAN IP Range with wildcard > any
permit ip < Local DMZ IP Range with wildcard > any
ip access-list extended ACL_GigabitEthernet0/0_NO_NAT
permit ip < local LAN IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_GigabitEthernet0/1_NO_NAT
permit ip < local DMZ IP Range to VPN IP Range with wildcards >
ip access-list extended ACL_NAAR_ISP
remark Ping dns
permit icmp any host < ISP dns > echo
ip access-list extended ACL_SDSL_REDIRECT
remark VPN
deny ip any < VPN IP Range with wild card >
remark < servername > (< domain name application >)
permit tcp host < DMZ IP address > eq www any
permit tcp host < DMZ IP address > eq 443 any
permit tcp host < DMZ IP address > eq 3389 any
remark < servername > (servername.domain name)
permit tcp host < LAN IP Exchange server > eq 3389 any
remark < servername > (servername.domain name)
permit tcp host < LAN IP server > eq 3389 any
remark < servername > (remote.domain name)
permit tcp host < LAN IP Terminal server > eq 3389 any
ip access-list extended ACL_VPN
permit ip < local LAN IP Range to VPN IP Range with wildcards >
permit ip < local DMZ IP Range to VPN IP Range with wildcards >
!
ip sla 10
icmp-echo < first hop > source-interface Dialer11
ip sla schedule 10 life forever start-time now
ip sla 12
icmp-echo < first hop > source-interface Dialer10
ip sla schedule 12 life forever start-time now
ip sla 80
http get http://www.google.nl/ name-server < dns server 1 > cache disable
threshold 500
tag Google
frequency 300
ip sla schedule 80 life forever start-time now
no logging trap
access-list 21 remark ----------------------------------------------------------
access-list 21 remark SNMP
access-list 21 remark ----------------------------------------------------------
access-list 21 permit < IP address >
access-list 21 permit < IP Range external >
access-list 21 permit < IP Range Local LAN >
access-list 21 permit < IP Range Local DMZ >
access-list 110 remark ----------------------------------------------------------
access-list 110 remark Dialer-list 10, Dialer10
access-list 110 remark ----------------------------------------------------------
access-list 110 permit ip any any
access-list 120 remark ----------------------------------------------------------
access-list 120 remark Dialer-list 11
access-list 120 remark ----------------------------------------------------------
access-list 120 permit ip any any
access-list 120 permit ip any any
dialer-list 10 protocol ip list 110
dialer-list 11 protocol ip list 120
snmp-server community mrtg RO 21
snmp-server location < Location Name >
snmp-server contact < Contact information >
snmp-server enable traps tty
snmp-server enable traps frame-relay multilink bundle-mismatch
!
!
!
route-map RMP_LOCAL_POLICY permit 10
match ip address ACL_NAAR_ISP
set ip next-hop < First hop see tracert / Traceroute >
set interface Null0
!
route-map RMP_GigabitEthernet0/1_NO_NAT permit 10
match ip address ACL_GigabitEthernet0/1_NO_NAT
set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/1_NO_NAT permit 12
match ip address ACL_SDSL_REDIRECT
set interface Dialer11
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 10
match ip address ACL_GigabitEthernet0/0_NO_NAT
set ip next-hop 1.1.192.2
!
route-map RMP_GigabitEthernet0/0_NO_NAT permit 12
match ip address ACL_SDSL_REDIRECT
set interface Dialer11
!
route-map RMP_Dialer11_OVERLOAD permit 10
match ip address ACL_Dialer11_OVERLOAD
match interface Dialer11
!
route-map RMP_Dialer10_OVERLOAD permit 10
match ip address ACL_Dialer10_OVERLOAD
match interface Dialer10
!
!
!
radius-server host < Radius server IP Address > auth-port 1645 acct-port 1646 key < Password >
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd #
*************************************************************
This system is restricted to authorized users for legitimate
purposes and is subject to audit. The unauthorized access,
use or modification of computer systems or the data contained
therein or in transit to/from, may be illegal.
*************************************************************
#
!
line con 0
line aux 0
line vty 0 4
exec-timeout 1800 0
timeout login response 200
privilege level 15
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 20000 1000
ntp clock-period 17179872
ntp update-calendar
sntp server 145.24.129.6
sntp server 213.239.154.12
sntp server 193.79.237.14
sntp broadcast client
!
end
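A check that catches the class of mistake most likely to slip into a listing like this one is a cross-reference pass: every name an interface applies (`ip access-group`, `ip inspect`, `ip ips`, `ip policy route-map`), every route-map a NAT statement uses and every track and SLA a static route depends on should resolve to a definition, and every definition should be applied somewhere. It matters because IOS treats an `ip access-group` that names an ACL which does not exist as permit-all, so a one-letter slip between the reference and the `ip access-list extended` line leaves the dialer unfiltered without any error or warning. The following Python is an added example, not part of the original post. It runs on a constructed excerpt written in the style of the configuration above, with RFC 5737 addresses in place of the placeholders and one ACL name deliberately misspelled as ACL_Dailer10_IN, and it also reports ACL_VTY04_IN, which the listing defines for VTY access but never applies with `access-class`.

```python
"""Cross-reference check for a Cisco IOS running-config (added example)."""
import json
import re
from collections import defaultdict

# Lines that *define* an object: (kind, pattern whose group 1 is the name).
DEF_PATTERNS = [
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)$")),
    ("acl", re.compile(r"^access-list (\d+) ")),
    ("inspect", re.compile(r"^ip inspect name (\S+) ")),
    ("ips", re.compile(r"^ip ips name (\S+)")),
    ("route-map", re.compile(r"^route-map (\S+) ")),
    ("track", re.compile(r"^track (\d+) ")),
    ("sla", re.compile(r"^ip sla (\d+)$")),
]
# Lines that *reference* an object of that kind.
REF_PATTERNS = [
    ("acl", re.compile(r"^ip access-group (\S+) (?:in|out)$")),
    ("acl", re.compile(r"^access-class (\S+) (?:in|out)$")),
    ("acl", re.compile(r"^match ip address (\S+)$")),
    ("acl", re.compile(r"^dialer-list \d+ protocol ip list (\d+)$")),
    ("acl", re.compile(r"^snmp-server community \S+ R[OW] (\S+)$")),
    ("inspect", re.compile(r"^ip inspect (\S+) (?:in|out)$")),
    ("ips", re.compile(r"^ip ips (\S+) (?:in|out)$")),
    ("route-map", re.compile(r"^ip (?:local )?policy route-map (\S+)$")),
    ("route-map", re.compile(r"^ip nat inside source route-map (\S+) ")),
    ("track", re.compile(r"^ip route .* track (\d+)$")),
    ("sla", re.compile(r"^track \d+ rtr (\d+) ")),
    ("sla", re.compile(r"^ip sla schedule (\d+) ")),
]
ACCESS_GROUP = re.compile(r"^ip access-group (\S+) (in|out)$")


def lint(config_text):
    """Return undefined references, unused definitions, and interfaces whose
    access-group names an ACL that does not exist (IOS then filters nothing)."""
    defined, referenced = defaultdict(set), defaultdict(set)
    access_groups, current_if = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current_if = line.split()[1]
        elif not raw.startswith(" "):      # a top-level command ends the interface stanza
            current_if = None
        m = ACCESS_GROUP.match(line)
        if m and current_if:
            access_groups.append((current_if, m.group(1), m.group(2)))
        for kind, pat in DEF_PATTERNS:
            m = pat.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, pat in REF_PATTERNS:
            m = pat.match(line)
            if m:
                referenced[kind].add(m.group(1))
    kinds = set(defined) | set(referenced)
    return {
        "undefined": {k: sorted(referenced[k] - defined[k]) for k in kinds if referenced[k] - defined[k]},
        "unused": {k: sorted(defined[k] - referenced[k]) for k in kinds if defined[k] - referenced[k]},
        "unfiltered": [(i, d, a) for i, a, d in access_groups if a not in defined["acl"]],
    }


# Constructed excerpt in the style of the configuration above: RFC 5737
# addresses replace the placeholders and one ACL name is misspelled on purpose.
SAMPLE_CONFIG = """\
interface Dialer10
 ip access-group ACL_Dialer10_IN in
 ip access-group ACL_Dialer10_OUT out
 ip inspect FW_Dialer10_IN in
 ip policy route-map RMP_GigabitEthernet0/0_NO_NAT
!
ip route 0.0.0.0 0.0.0.0 Dialer10 track 12
ip access-list standard ACL_VTY04_IN
 permit 192.0.2.0 0.0.0.255
ip access-list extended ACL_Dailer10_IN
 permit tcp any any eq 22
 deny ip any any
ip access-list extended ACL_Dialer10_OUT
 permit ip any any
ip access-list extended ACL_GigabitEthernet0/0_NO_NAT
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
ip inspect name FW_Dialer10_IN tcp
ip sla 12
 icmp-echo 203.0.113.1 source-interface Dialer10
ip sla schedule 12 life forever start-time now
track 12 rtr 12 reachability
route-map RMP_GigabitEthernet0/0_NO_NAT permit 10
 match ip address ACL_GigabitEthernet0/0_NO_NAT
line vty 0 4
 transport input telnet ssh
"""

if __name__ == "__main__":
    print(json.dumps(lint(SAMPLE_CONFIG), indent=2))
```

Against a real `show running-config` the text after the `Building configuration` header is what to feed in; the angle-bracket placeholders used on this page would have to be filled in first, since `< ... >` tokens are not valid addresses or names. The `unfiltered` entry is the one to treat as a finding: an inbound access-group whose ACL does not resolve means the interface is open, not closed.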
Hello,
I read your configuration but I don't understand where the track for ip sla 80 is.
Thanks
Hello,
The IP SLA 80 is a track to measure the connection to a DNS server of your ISP.
You could even use this track for a fallback on 2 DSL lines.
So you track one DNS server of connection one; if that line fails it would track the ping to line 2, so you could continue with internet.
I hope this will bring you further.
Hello,
Sorry if I disturb you but I have a big problem.
I have a Cisco 2621XM with 128 MB RAM and 32 MB flash. I installed a WIC-1SHDSL-V3 on my router but it doesn't work. Do you know which IOS I must use?
Thanks very much
Hello,
Well, I don't know which IOS you use right now, but you should at least use one of the 12.4 versions (I know those are not compatible with your hardware configuration).
ADVANCED IP SERVICES
c2600-advipservicesk9-mz.124-15.T9.bin
Release Date: 29/Apr/2009
Size: 32396.16 KB (33173660 bytes)
Minimum Memory: DRAM:192 MB Flash:48 MB
I know that this one should work. At my work I normally use the Advanced IP Services IOS.
Maybe you can say which IOS version you currently use?
Hello,
I tested this IOS but it doesn't work:
c2600-ipbase-mz.124-15.T9.bin
c2600-advsecurityk9-mz.124-15.T9.bin
c2600-adventerprisek9-mz.124-25a.bin
thanks
Hmm.
It should be working, as I checked it at the site of Cisco. However, you don't see it in your show version, probably?
You are not able to test the IOS version I suggested?
c2600-advipservicesk9-mz.124-15.T9.bin
It's different from the ones you used, and if you are able to create a TAC request at the site of Cisco, I would say you could ask them. They will look for the best IOS version you need if you have troubles with it.
I can not test your IOS because I have only 128 MB RAM and 32 MB flash, not 256 MB RAM and 48 flash.
If I do show ver I see a DSL controller, but if I do show ip int brief I see only 2 FastEthernet. I can't do a TAC request at the site of Cisco.
Thanks
The DSL controller is the SHDSL WIC.
You could look at one of the other configurations; I have some DSL controllers, if I'm right 😉
controller dsl 0
mode atm
no shut
I hope this works out =)
I have another Cisco 2621XM with a WIC ADSL and I see a controller DSL, but I also see an ATM interface. Tomorrow I will test your command.
Thanks
I think this would work now.
Below is a controller configuration of a Cisco 878 router; I think the settings are not that much different, for sure.
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
Hello,
Thanks; now it works.
I had to insert "no shut":
controller DSL 0/1
mode atm
line-term cpe
line-mode 4-wire standard
dsl-mode shdsl symmetric annex B
line-rate 4096
no shutdown
I tested this IP SLA but it doesn't work:
ip sla monitor 80
type http operation get url http://www.google.it/ name-server 217.22.224.51 cache disable
threshold 500
frequency 120
ip sla monitor schedule 80 life forever start-time now
With the IP SLA monitor you need to use your own ISP DNS.
Maybe the IOS version does not support this command.
It is not necessary to use this ip sla.
Hello,
I don't know "ip sla" well. Can you tell me a book title or a site?
How can I use 2 or more ip sla in a track command?
Sorry if I disturb you.
Thanks
Hello,
Here is documentation about the IP SLA for 12.4: http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsla_c.html
Here is documentation about the IP SLA for 12.4T: http://www.cisco.com/en/US/docs/ios/ipsla/configuration/guide/12_4t/sla_12_4t_book.html
The 2 other IP SLA triggers in the configuration are used to see if a line is up or down. That is the way a track is used to get a fallback solution on your router / configuration. You use at that moment the first hop if you use traceroute 194.134.5.5.
For example, the (bold) IP address is my next hop to the internet from my router.
Tracing route to 192.134.5.5 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 192.168.21.20
2 13 ms 12 ms 12 ms 195.190.249.51
3 14 ms 14 ms 14 ms iawxsrt-rt2-bb21-ge-1-1-0.wxs.nl [213.75.64.137]
4 15 ms 15 ms 14 ms 213.75.64.166
5 16 ms 17 ms 16 ms amsix.xcr1.amd.cw.net [195.69.145.144]
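The fallback described in this reply rests on three pieces of the main configuration working together: the `ip sla` probes that ping the first hop out of each dialer, the `track N rtr N reachability` objects that follow them, and the `ip route ... track N` statements whose floating twins carry administrative distance 200. The following Python is an added example, not from the post or its comments. It models the IOS behaviour that a static route with `track N` is withdrawn from the routing table while track N is down, that among routes to the same prefix the lowest administrative distance is installed, and that the longest prefix wins first. The routing table is the one from the configuration above, with the constructed 192.0.2.0/24 standing in for the < VPN IP Range > placeholder.

```python
"""Tracked static routes with floating backups (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str                    # destination network
    interface: str                 # Dialer10, Dialer11 or Null0
    distance: int = 1              # administrative distance; 200 marks the floating backup
    track: Optional[int] = None    # installed only while this track object is up


# The ip route lines of the configuration above; 192.0.2.0/24 is a constructed
# stand-in for the < VPN IP Range with subnetmask > placeholder.
ROUTES = [
    StaticRoute("192.0.2.0/24", "Dialer11", 1, track=10),
    StaticRoute("0.0.0.0/0", "Dialer10", 1, track=12),
    StaticRoute("0.0.0.0/0", "Dialer11", 200),
    StaticRoute("10.0.0.0/8", "Null0"),
    StaticRoute("172.16.0.0/12", "Null0"),
    StaticRoute("192.0.2.0/24", "Dialer10", 200),
    StaticRoute("192.168.0.0/16", "Null0"),
]


def track_state(sla_reachable):
    """`track 10 rtr 10 reachability` / `track 12 rtr 12`: up exactly when the probe succeeds."""
    return {10: sla_reachable[10], 12: sla_reachable[12]}


def installed(routes, tracks):
    """A tracked static route leaves the routing table while its track object is down."""
    return [r for r in routes if r.track is None or tracks.get(r.track, False)]


def lookup(routes, tracks, destination):
    """Longest prefix wins, then the lowest administrative distance; None = unroutable."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in installed(routes, tracks)
                  if dst in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))
    return best.interface


def failover_table(routes):
    """Egress for an internet host and for a VPN client under every probe outcome.
    Keys are (probe 10 ok, probe 12 ok); values are (internet egress, VPN egress)."""
    table = {}
    for sla10 in (True, False):
        for sla12 in (True, False):
            tracks = track_state({10: sla10, 12: sla12})
            table[(sla10, sla12)] = (lookup(routes, tracks, "198.51.100.1"),
                                     lookup(routes, tracks, "192.0.2.5"))
    return table


if __name__ == "__main__":
    for state, egress in failover_table(ROUTES).items():
        print(state, "->", egress)
```

Reading the table for the configuration's own routes: while probe 12 (sourced from Dialer10) answers, internet traffic leaves via Dialer10 and VPN clients via Dialer11; when probe 12 fails the untracked `0.0.0.0/0 Dialer11 200` route takes over, and when probe 10 fails the VPN range falls back to the distance-200 route over Dialer10. Since the backup default route carries no track at all, it stays installed even when Dialer11 is also down, which is the case to keep in mind when reading `show ip route` during an outage.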
Thanks,
I have a router with a primary SHDSL line and a backup ADSL line.
I must create a site-to-site VPN with a remote router.
I created a loopback with a public IP address /32 and the VPN is ok because I inserted:
int lo10
ip address pubblic ip 255.255.255.255
crypto map pluto
but it doesn't route the traffic to the remote site.
How can I route the traffic to the remote site?
Thanks very much
Hello,
I resolved this problem with
crypto map pluto local-address Loopback10
and removed the crypto map from loopback 10
Good to hear you resolved your problem.
Hello,
Can I configure a loopback with IP address 192.168.0.1 255.255.255.255 as DNS address for my LAN?
If yes, how?
P.S.
This loopback is under NAT.
Thanks
niger
Hello,
You could configure the loopback with the address above, however I thought it wasn't recommended.
The loopback address is for the no-NAT routing of traffic for VPN etc.
The DNS for your LAN:
Do you mean the:
ip name-server server
ip domain-lookup ( this is for the icmp ping http://www.google.com for example )
or the following
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.0 192.168.x.x
!
ip dhcp pool CLIENT
import all
network 192.168.x.x 255.255.255.0
default-router 192.168.x.x
dns-server 192.168.x.x ( router ip address )
domain-name xxx.local
lease 32
ip name-server
ip dns view default
logging
ip dns server ( this command make your router a dns server )
ip access-list extended ACL_OUTSIDEINTERFACE_IN
remark Standard WWW services
permit udp any any eq domain
permit udp any eq domain any
ip sla 80
http get http://www.google.com/ name-server cache disable
threshold 500
tag Google
frequency 300
ip sla schedule 80 life forever start-time now
Fred
I have 80 PCs with DNS IP address 192.168.0.1 but I changed the LAN configuration. I have a Cisco 2621XM with switch module NM-16ESW with 16 FastEthernet, so I created a layer 2 EtherChannel trunk with a Cisco 3550, but I must use this address for DNS on my router because I can't change the PC configuration, so I thought of a loopback on my router. Do you have any idea? All subnets have a gateway in a VLAN interface (6 VLAN interfaces).
Can I create a layer 3 EtherChannel?
Thanks
niger
Hi,
If I'm correct you now have a new subnet range, different from the 192.168.0.x IP addresses which have the DNS 192.168.0.1 right now? So I guess you want to make a VLAN configuration. I think the best way / idea is to let the Cisco Catalyst 3550 do the routing. Check if you have the correct IOS for layer 3 switching.
You can't use the loopback for the DNS configuration. The best way is to set a route to the DNS server, which is in a different LAN segment.
On the NM-16ESW layer 3 switching wasn't available. I have actually not been able to use such a card before, but I found on the net that layer 3 switching wasn't available on that card. http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aca3e.html
Above is what I was thinking yesterday. But probably I know a situation like yours.
Router > switch configuration: the router has one connection, the switch several VLAN configurations.
Route, then you can use the router as DNS for the others.
I have a certain configuration with a Cisco 1841 router and a Catalyst 3560 switch, probably.
Fred
Thanks very much.
I found a method for "etherchannel l2/l3".
On router:
int range fa1/0 – 7
switchport access vlan 7
channel-group 1 mode on
int vlan 7
ip address 192.168.0.5 255.255.255.252
ip nat inside
On switch Cisco 3550:
int range fa0/0 – 7
switchport access vlan 7
switchport mode access
channel-group 1 mode on
int vlan 7
ip address 192.168.0.6 255.255.255.252
But I don't understand why, if I don't do NAT of 192.168.0.4/30, all my LAN doesn't go on the internet.
thanks
I think it's because your DNS server needs to access the internet for requesting its DNS settings, which will be used for your clients. It sends a request on port 53 (domain).
I'm glad you found a workaround for the situation. =)
Hi, sorry if I disturb you again but I have a problem:
I have this configuration:
ip nat inside source static tcp 192.168.1.20 20 xxx.yyy.zzz.34 20 extendable
ip nat inside source static tcp 192.168.1.20 21 xxx.yyy.zzz.34 21 extendable
ip nat inside source static tcp 192.168.1.20 22 xxx.yyy.zzz.34 22 extendable
ip nat inside source static tcp 192.168.1.20 80 xxx.yyy.zzz.34 80 extendable
ip nat inside source static tcp 192.168.1.20 10000 xxx.yyy.zzz.34 10000 extendable
and I must bind it with this access-list:
access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
access-list 161 permit tcp host 192.168.1.20 eq ftp any
access-list 161 permit tcp host 192.168.1.20 eq www any
I also have a NAT overload for all traffic for the subnet 192.168.1.0/22.
Can you help me?
192.168.1.20 is a server.
Thanks
Hello,
The configuration seems normal to me. What does it not do? Is access-list 161 an outside-to-inside access-list or from inside to outside?
Maybe you could use ip access-list extended. It could make your configuration a bit more organized and help to see where the problem is located.
However, did you configure your internet interface with the following command? access-group 161 out
Fred
If I use this access-list on the WAN interface it blocks the NAT overload for all traffic for the subnet 192.168.1.0/22.
Hello,
The problem seems to be in the last rule of the access-list. It blocks HTTP traffic from other IP addresses. If it's the outbound access-list, then would there be some problem with the configuration?
If you have further questions, don't hesitate to contact.
Fred
My problem is that subnet 192.168.1.0/22 must have full access to the internet, type "permit ip any any", and I don't know how to bind this rule with access-list 161.
thanks
Let's see,
If you type access-list 161 permit ip any any this should bind it to the access-list you want to have:
access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
access-list 161 permit tcp host 192.168.1.20 eq ftp any
>>> remove >>> access-list 161 permit tcp host 192.168.1.20 eq www any
access-list 161 permit ip any any
So actually it seems that the following access-list rules are unneeded.
----------------------------------------------------------------------------------------------------
access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq ftp-data any
access-list 161 permit tcp host 192.168.1.20 eq ftp any
access-list 161 permit tcp host 192.168.1.20 eq www any
----------------------------------------------------------------------------------------------------
The access-list would be as follows:
int |outside interface|
ip access-group 161 out
access-list 161 deny ip host 192.168.1.20 192.168.50.0 0.0.0.255
access-list 161 deny ip host 192.168.1.20 192.168.40.0 0.0.0.3
access-list 161 permit gre any any
access-list 161 permit esp any any
access-list 161 permit ahp any any
access-list 161 permit ip any any
The rules below are for VPN usage; I explicitly added these to the access-list
because you could have some problems with it when you don't add these to your access-list.
access-list 161 permit gre any any
access-list 161 permit esp any any
access-list 161 permit ahp any any
Try if this will work.
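Two ordering points run through this thread and the main configuration: a `permit ip any any` has to be the last line, because IOS evaluates an ACL top-down and stops at the first match, so anything placed after it is never reached; and in the inbound dialer ACLs above, `permit tcp any any eq 22` is listed before the anti-spoofing `deny ip 10.0.0.0 0.255.255.255 any`, so a packet to port 22 with a private source address matches the permit and never reaches the deny. Both can be checked mechanically. The following Python is an added example, not code from the post or its comments; it models first-match semantics for the ACL syntax used on this page (`any`, `host`, address plus contiguous wildcard, `eq`, `range`), treats ICMP type keywords as recorded but not matched, and uses constructed sample packets with RFC 1918 and RFC 5737 addresses.

```python
import ipaddress

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53, "smtp": 25,
              "telnet": 23, "pop3": 110, "nntp": 119, "ntp": 123, "snmp": 161,
              "isakmp": 500, "non500-isakmp": 4500}


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _network(t, i):
    """Consume an address spec at t[i]; return (IPv4Network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    addr, wild = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))
    if wild & (wild + 1):                      # only contiguous wildcard masks are modelled
        raise ValueError("non-contiguous wildcard not modelled: " + t[i + 1])
    mask = ~wild & 0xFFFFFFFF
    return ipaddress.ip_network((addr & mask, bin(mask).count("1"))), i + 2


def _ports(t, i):
    """Consume an optional `eq P` / `range A B`; return ((lo, hi) or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i


def parse_rule(text):
    """Parse one `permit`/`deny` line into a rule dict; trailing words are the qualifier."""
    t = text.split()
    src, i = _network(t, 2)
    sports, i = _ports(t, i)
    dst, i = _network(t, i)
    dports, i = _ports(t, i)
    return {"action": t[0], "proto": t[1], "src": src, "sports": sports,
            "dst": dst, "dports": dports, "qualifier": t[i:], "text": text}


def _in_range(port, spec):
    return spec is None or (port is not None and spec[0] <= port <= spec[1])


def matches(rule, pkt):
    """pkt = (proto, src_ip, src_port, dst_ip, dst_port); ports may be None."""
    proto, sip, sport, dip, dport = pkt
    if rule["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(sip) not in rule["src"] or ipaddress.ip_address(dip) not in rule["dst"]:
        return False
    return _in_range(sport, rule["sports"]) and _in_range(dport, rule["dports"])


def evaluate(acl, pkt):
    """Return (index of the first matching rule, action); (None, 'deny') is the implicit deny."""
    for idx, rule in enumerate(acl):
        if matches(rule, pkt):
            return idx, rule["action"]
    return None, "deny"


def _covers(a, b):
    """True when rule a (unqualified) matches every packet that rule b could match."""
    def ports_cover(pa, pb):
        return pa is None or (pb is not None and pa[0] <= pb[0] and pb[1] <= pa[1])
    return (not a["qualifier"] and a["proto"] in ("ip", b["proto"])
            and a["src"].supernet_of(b["src"]) and a["dst"].supernet_of(b["dst"])
            and ports_cover(a["sports"], b["sports"]) and ports_cover(a["dports"], b["dports"]))


def shadowed(acl):
    """Indices of rules that can never be reached because an earlier rule covers them."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed excerpt of an inbound dialer ACL in the order used above: the
# service permit precedes the anti-spoofing deny, so a packet with a private
# source address to port 22 is accepted by rule 0 instead of being dropped.
INBOUND_AS_WRITTEN = [parse_rule(r) for r in (
    "permit tcp any any eq 22",
    "deny ip 10.0.0.0 0.255.255.255 any",
    "permit icmp any any echo",
    "deny ip any any")]
INBOUND_REORDERED = [INBOUND_AS_WRITTEN[i] for i in (1, 0, 2, 3)]   # anti-spoofing first
SPOOFED_SSH = ("tcp", "10.1.2.3", 40000, "203.0.113.10", 22)         # constructed packet

# The thread's access-list 161 with the catch-all last, and with the catch-all
# moved to the top, which makes every following line unreachable.
ACL161_OK = [parse_rule(r) for r in (
    "deny ip host 192.168.1.20 192.168.50.0 0.0.0.255",
    "deny ip host 192.168.1.20 192.168.40.0 0.0.0.3",
    "permit gre any any", "permit esp any any", "permit ahp any any",
    "permit ip any any")]
ACL161_CATCHALL_FIRST = [ACL161_OK[-1]] + ACL161_OK[:-1]

if __name__ == "__main__":
    print(evaluate(INBOUND_AS_WRITTEN, SPOOFED_SSH), evaluate(INBOUND_REORDERED, SPOOFED_SSH))
    print(shadowed(ACL161_OK), shadowed(ACL161_CATCHALL_FIRST))
```

`shadowed()` is the check to run after editing a list on a live router: an empty result means every line can still match something, while a non-empty one means a deny or permit has been made dead by a broader line above it. It is deliberately conservative and only reports a rule when an earlier unqualified rule fully covers it, so partial overlaps (for example a deny for one /24 sitting below a permit for a single host in it) are left for manual review.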
Thanks, but then I have a "denial of service" attack or illegal access on the ports 22 - 10000 of public server xxx.yyy.zzz.34
Are these public servers inside the 192.168.1.x range or at another location? Otherwise you have to create an inbound access-list where you permit ports.
But if you only want to have such access to SSH (port 22) or port 10000, then you indeed create the lines of
access-list 161 permit tcp host 192.168.1.20 eq 22 85.18.119.120 0.0.0.7
access-list 161 permit tcp host 192.168.1.20 eq 10000 85.18.119.120 0.0.0.7
But those external IP addresses are not at the location where you have the SSH / port 10000?
If the webserver is on your own network xxx.yyy.zzz.34 then you should create an access-list
access-list 162 deny tcp any external ip address eq 22
access-list 162 deny tcp any external ip dddress eq 10000
Or am I wrong?