Cisco Router Configuration Help

Tags:
Firewalls
Forensics
Hardware
Incident response
Intrusion management
Network security
Routers
Software
VPN
Wireless
I have a Cisco 2811 router in a local office and in a remote office. I am attempting to configure these routers to support the following:

a) Site-to-site VPN connectivity between the two routers
b) Local office router to support a web server, email server and ftp server.

I have subscribed to SBC's DSL service with 5 static IPs. The global public IP is, let us say, AAA.AAA.AAA.AAA. All servers point to the public IP BBB.BBB.BBB.BBB.

VPN connectivity: It is up. A local host (PC) can map a remote host's C drive as a network drive. However, it cannot see the contents of this network drive. Any suggestions why this could be happening?

Servers: Let us take the ftp server. It can receive the user information and it furnishes the data; however, the data never makes it to the user. This is true for all other servers as well. Any suggestions for this?

Thanks in advance for any help that you could provide me in resolving this.

Regards,
-ketan
ASKED: January 25, 2006  5:35 PM
UPDATED: January 30, 2006  12:23 PM

Answer Wiki


Ketan

I see you are trying to be specific, but could you be a little more specific? Particularly with regards to the second part of your question.

If you are saying you can MAP a network drive across the VPN tunnel, but then when someone opens the drive they can't see any contents, it is possible your link is slow and, with the added encapsulation of the encrypted wrapper, you may not be giving it enough time for all the contents of the folder to come across the connection.

That is one possibility.

How fast is the circuit?

Discuss This Question: 16  Replies

 
  • Dcamp9
    What happens when you map to a share on the remote PC? Or you can try remotepcname or x.x.x.x (input the IP of the remote PC) in the address bar to view shares on that PC. On a different note, does your DSL require PPPoE? I am trying to set up a similar setup but haven't found the config info for the PPPoE config on the router. Can you forward me a copy of one of your router-DSL configs?
  • Richl01
    If you have the routers under SmartNet, just go to the Cisco TAC site and ask; they usually get back pretty fast. Otherwise I think you start at "config t" and then "crypto" from there. I am not sure; here is the info I received from them for a normal VPN connection:

    Create a group that will be used to specify the Windows Internet Naming Service (WINS) and Domain Naming Service (DNS) server addresses to the client, along with the pre-shared key for authentication. Example:

    crypto isakmp client configuration group 3000client
     key cisco123
     dns 14.1.1.10
     wins 14.1.1.20
     domain cisco.com
     pool ippool

    You can use the current IP pool that you have for the current VPN group. I did notice that you don't type the whole line; it's just up to "client configuration" and then you add the domain and DNS through the command lines. Hope this helps a little.
  • KetanVS
    1. The router is not under a SmartNet contract. I therefore will have to figure this out myself, and if not, end up purchasing one.

    2. When I map a network drive, it does show up in Windows Explorer as a drive. However, when this drive is clicked to show its contents, it keeps showing a spinning wheel and finally comes back with a message that the drive is not accessible, or something like that. I have to believe that many must have implemented this solution and it works for them. I need help with a pointer as to what I could possibly be doing wrong.

    4. Regarding the servers: I can access the web site behind the router just fine. However, when trying to access the web site from outside, it is not sending the data out. Is there some access-list that needs to be set up to allow this?

    5. The following configuration for DSL connectivity was produced with the SDM that comes with the IOS on the router:

    interface Dialer0
     description $FW_OUTSIDE$
     ip address xx.xx.xx.xx xx.xx.xx.xx
     ip access-group 104 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1452
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp pap sent-username XXXXX
     crypto map SDM_CMAP_1

    Regards,
    -ketan
  • Layer9
    Your question - Is there some access-list that needs to be set up to allow this? - demonstrates clearly that you need some help. I am not saying this in a mean way, I am saying this because it is a fact. If you are not familiar with access lists, and with knowing to open port 80 on an inbound ACL bound to the outside interface of the router, then you clearly do not want to be configuring someone's network by yourself. That being said, keep in mind that if you can connect via the VPN and see the mapped drive, and there is no disconnect icon on it, then you don't need to worry about connectivity issues. Even name resolution, as has been mentioned, must already be functioning for you to map the drive in the first place. It sounds like sharing may be incorrectly set, or a timeout issue is occurring, but seriously, you need a consultant. Good luck. Chris Weber, Layer9corp.com
  • KetanVS
    Let me post my Cisco router's configuration file, in case anyone can notice something unusual or wrong:

    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname xxxxxxx
    !
    boot-start-marker
    boot system flash c2800nm-advipservicesk9-mz.123-8.T8.bin
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 xxxxxxx
    !
    username xxxx privilege 15 secret 5 xxxx
    clock timezone PCTime -8
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no network-clock-participate aim 0
    no network-clock-participate aim 1
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip tcp synwait-time 10
    !
    ip cef
    ip dhcp excluded-address 192.168.1.1 192.168.1.99
    !
    ip dhcp pool sdm-pool1
       import all
       network 192.168.1.0 255.255.255.0
       dns-server SBC_DNS1_Address SBC_DNS2_Address
       default-router 192.168.1.1
    !
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server SBC_DNS1_Address
    ip name-server SBC_DNS2_Address
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    ip ips po max-events 100
    no ftp-server write-enable
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key PreShared_KEY address RemoteSITEAddress
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to RemoteSITEAddress
     set peer RemoteSITEAddress
     set security-association lifetime seconds 86340
     set security-association idle-time 86340
     set transform-set ESP-3DES-SHA
     match address 100
    !
    interface FastEthernet0/0
     ip address 192.168.1.1 255.255.255.0
     ip access-group 103 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface FastEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     shutdown
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0/0/0.1 point-to-point
     pvc 0/35
      pppoe-client dial-pool-number 1
    !
    interface Dialer0
     description $FW_OUTSIDE$
     ip address SBC_PROVIDED_GATEWAY_IP_ADD 255.255.255.248
     ip access-group 104 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1452
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp pap sent-username xx password 7 xx
     crypto map SDM_CMAP_1
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    ip nat inside source static 192.168.1.4 PUBLIC_IP_FOR_SERVER route-map nonat
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=FastEthernet0/0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 remark SDM_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 deny ip host 192.168.1.4 192.168.0.0 0.0.0.255
    access-list 102 permit ip host 192.168.1.4 any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 deny ip SBC_PROVIDED_PUBLIC_IP_ADDR 0.0.0.7 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any
    access-list 104 remark auto generated by SDM firewall configuration
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit udp any host PUBLIC_IP_FOR_SERVER
    access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER
    access-list 104 permit udp host SBC_DNS1 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit udp host SBC_DNS2 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit ahp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit esp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq isakmp
    access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq non500-isakmp
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 104 deny ip 192.168.1.0 0.0.0.255 any
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS echo-reply
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS time-exceeded
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS unreachable
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny ip 172.16.0.0 0.15.255.255 any
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip host 0.0.0.0 any
    access-list 104 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    !
    route-map nonat permit 1
     match ip address 102
    !
    control-plane
    !
    ! Some commands for VTY (not relevant for the issue)
    !
    scheduler allocate 20000 1000
    !
    end
  • Dcamp9
    Network local to this router is 192.168.1.1 255.255.255.0

    Traffic to encrypt and pass across the VPN tunnel = match address 100:

    access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255

    (What subnet is this going to? You should define the subnet if possible.)

    Traffic to filter with access-list 103:

    interface FastEthernet0/0
     ip access-group 103 in

    (This will filter traffic from the private 192.168.1.0 network to the router.) Is this needed? You mainly want to filter inbound at the Dialer0 interface.

    access-list 103 deny ip SBC_PROVIDED_PUBLIC_IP_ADDR 0.0.0.7 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 permit ip any any

    Traffic to filter with access-list 104:

    interface Dialer0
     ip access-group 104 in

    access-list 104 permit udp any host PUBLIC_IP_FOR_SERVER
    access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER eq http
    *need to add http if it is a website server, otherwise all ports to the server will be open*
    access-list 104 permit tcp any host PUBLIC_IP_FOR_SERVER eq https
    *need to add https if it is a website server, otherwise all ports to the server will be open*
    access-list 104 permit ahp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit esp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq isakmp
    access-list 104 permit udp host REMOTESITE_IP host SBC_PROVIDED_GATEWAY_IP_ADDRESS eq non500-isakmp
    access-list 104 permit ip 192.168.0.0 0.0.0.255 *The remote private subnet should be defined here* 192.168.1.0 0.0.0.255
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS echo-reply
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS time-exceeded
    access-list 104 permit icmp any host SBC_PROVIDED_GATEWAY_IP_ADDRESS unreachable

    Is this required by SBC?

    access-list 104 permit udp host SBC_DNS1 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS
    access-list 104 permit udp host SBC_DNS2 eq domain host SBC_PROVIDED_GATEWAY_IP_ADDRESS

    These are private IP networks; they wouldn't be on the public side of the router, which is what access-list 104 applies to:

    access-list 104 deny ip 192.168.1.0 0.0.0.255 any
    access-list 104 deny ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny ip 172.16.0.0 0.15.255.255 any
    access-list 104 deny ip 192.168.0.0 0.0.255.255 any ?
    access-list 104 deny ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny ip host 255.255.255.255 any
    access-list 104 deny ip host 0.0.0.0 any
    access-list 104 deny ip any any log

    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    route-map SDM_RMAP_1 permit 1
     match ip address 101
    access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any

    ip nat inside source static 192.168.1.4 PUBLIC_IP_FOR_SERVER route-map nonat
    route-map nonat permit 1
     match ip address 102
    access-list 102 deny ip host 192.168.1.4 192.168.0.0 0.0.0.255
    access-list 102 permit ip host 192.168.1.4 any

    Don't see a reference for this access-list:

    access-list 1 permit 192.168.1.0 0.0.0.255
  • Sonyfreek
    Ketan,

    Can you do a little ASCII art to display what the network looks like? In particular, I'm wondering how your network is subnetted on either side of the DSL link. If you have a proxy server, someone may have forgotten to add the new subnet to the allowed range or possibly forgot to add a route back to it on the inside interface of the firewall.

    You say that your servers point to the public IP address. Are you referring to their gateway address? That would certainly cause a problem, as it wouldn't be sending the packets back to the correct router...

    Are you using an SDSL connection (up and down speeds are equivalent) on both ends of the connection? If it's ADSL, it would explain your problem, since the upload speeds are much lower than the download speeds.

    Are you using static or dynamic routing on the routers? The network seems simple enough that you could use static routes. Make sure they are set up properly and that you can ping/traceroute to the main site from the remote site.

    If everything there is correct, put a sniffer on the link to see what's going across it. If you run into the DF bit being set, look at this article as a means to solve that if you have IOS Version 12.2 or later: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm If you have 12.1.6 and higher, you can use one of the solutions in this article: http://www.cisco.com/warp/public/105/56.html

    Two other potentially helpful starting points:

    PPPoE: http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html
    Easy VPN setup on 2811: http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c3270.html

    Hope this helps,
    Wayne
  • KetanVS
    Thanks for analyzing the configuration file.

    1. Traffic to encrypt and pass across the VPN tunnel = match address 100; access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 (what subnet is this going to? You should define the subnet if possible). I believe 192.168.1.0 0.0.0.255 translates to local = 192.168.1.0 255.255.255.0 and 192.168.0.0 0.0.0.255 translates to remote = 192.168.0.0 255.255.255.0.

    2. Don't see a reference for this access-list: access-list 1 permit 192.168.1.0 0.0.0.255. This access list is not used and I probably should take it out.

    3. Briefly, the access-lists' overall objectives are as follows:

    access-list 1 - Not assigned and not used. I should take it out.
    access-list 100 - Allowing VPN traffic with "crypto map SDM_CMAP_1"
    access-list 101 - For dynamic NAT
    access-list 102 - For static NAT to support servers such as the web server etc.
    access-list 103 - Firewall for inward bound traffic
    access-list 104 - Firewall for outward bound traffic

    The behaviour is identical even if I drop access-list 103 and 104 entirely, i.e. remove the firewall, to keep the problem definition simple.

    I thank you again for taking the time to look at my issue.

    Regards,
    -ketan
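The two points above, Dcamp9's remark that "permit tcp any host PUBLIC_IP_FOR_SERVER" without an "eq" opens every port, and Ketan's wildcard-to-netmask translation, can be checked mechanically. The evaluator below is an added example, not code from anyone in the thread: it parses the posted inbound access-list 104 with IOS first-match semantics and compares the posted server lines with the "eq http"/"eq https" variant. The public addresses (203.0.113.x, 198.51.100.7, 192.0.2.10) are constructed stand-ins for the placeholders in the config.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the posted config (not the poster's real addresses).
SERVER = "203.0.113.145"   # PUBLIC_IP_FOR_SERVER (the .145 static NAT for 192.168.1.4)
GATEWAY = "203.0.113.150"  # SBC_PROVIDED_GATEWAY_IP_ADDRESS (Dialer0)
REMOTE = "198.51.100.7"    # REMOTESITE_IP (the far-end VPN peer)

PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "isakmp": 500, "non500-isakmp": 4500}


def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_to_netmask(wildcard):
    """IOS wildcard -> subnet mask: '0.0.0.255' -> '255.255.255.0', the translation Ketan gives."""
    return str(ipaddress.IPv4Address(~ip2int(wildcard) & 0xFFFFFFFF))


def _take_addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (address, wildcard) as ints."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return ip2int(tokens.pop(0)), 0
    return ip2int(tok), ip2int(tokens.pop(0))


def _take_port(tokens):
    """Consume an optional 'eq PORT'; None means any port."""
    if tokens[:1] == ["eq"]:
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_acl(text):
    """Parse numbered extended ACL lines; remarks are skipped, ICMP types and 'log' are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        sport = _take_port(rest)
        dst = _take_addr(rest)
        dport = _take_port(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def _addr_match(spec, addr):
    base, wild = spec          # a wildcard bit of 1 means "don't care"
    return (ip2int(addr) & ~wild) == (base & ~wild)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """'permit' or 'deny' for one packet: the first matching line wins, implicit deny at the end."""
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if not (_addr_match(rsrc, src) and _addr_match(rdst, dst)):
            continue
        if rsport is not None and rsport != sport:
            continue
        if rdport is not None and rdport != dport:
            continue
        return action
    return "deny"


# The rest of the posted inbound ACL 104 (placeholders substituted), shared by both variants below.
COMMON_TAIL = f"""
access-list 104 permit ahp host {REMOTE} host {GATEWAY}
access-list 104 permit esp host {REMOTE} host {GATEWAY}
access-list 104 permit udp host {REMOTE} host {GATEWAY} eq isakmp
access-list 104 permit udp host {REMOTE} host {GATEWAY} eq non500-isakmp
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host {GATEWAY} echo-reply
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip any any log
"""

# As posted: every TCP and UDP port on the server is reachable from anywhere.
POSTED_ACL_104 = f"""
access-list 104 permit udp any host {SERVER}
access-list 104 permit tcp any host {SERVER}
""" + COMMON_TAIL

# Dcamp9's tightening: only the web ports; mail and ftp would need their own 'eq' lines.
TIGHTENED_ACL_104 = f"""
access-list 104 permit tcp any host {SERVER} eq http
access-list 104 permit tcp any host {SERVER} eq https
""" + COMMON_TAIL


def server_exposure(acl_text, ports=(21, 25, 80, 443, 3389)):
    """TCP ports on the server that an Internet host (192.0.2.10, constructed) is permitted to reach."""
    rules = parse_acl(acl_text)
    return [p for p in ports if evaluate(rules, "tcp", "192.0.2.10", SERVER, 40000, p) == "permit"]


if __name__ == "__main__":
    print("0.0.0.255 ->", wildcard_to_netmask("0.0.0.255"))
    print("posted:   ", server_exposure(POSTED_ACL_104))
    print("tightened:", server_exposure(TIGHTENED_ACL_104))
    rules = parse_acl(POSTED_ACL_104)
    # Decrypted traffic from the remote LAN to the local LAN is allowed by the 'IPSec Rule' line.
    print("remote LAN -> 192.168.1.4:445:", evaluate(rules, "tcp", "192.168.0.20", "192.168.1.4", 5000, 445))
    # Ordering caveat: the anti-spoofing denies sit below the server permits, so they are never
    # consulted for server-bound traffic; move them above the permits if they are meant to apply.
    print("192.168.1.5 -> server:80:", evaluate(rules, "tcp", "192.168.1.5", SERVER, 1234, 80))
```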
  • KetanVS
    Thanks Wayne.

    > Can you do a little ASCII art to display what the network looks like. In particular, I'm wondering how your network is subnetted on either side of the DSL link. If you have a proxy server, someone may have forgotten to add the new subnet to the allowed range or possibly forgot to add a route back to it on the inside interface of the firewall.

    a)

    Local Web Server/Email Server/FTP Server 192.168.1.4
                |
    Local LAN--------Router----------- ------Router-----------Remote LAN
        |               |                  |                    |
    192.168.1.0/24  AA.AA.AA.AA/29    BB.BB.BB.BB/32      192.168.0.0/24

    b) I believe we do not have a proxy server at the moment.

    c) I could remove the firewall and the behaviour remains the same. (The firewall is through access-list 103 and 104, and both can be dropped.)

    > You say that your servers point to the Public IP Address. Are you referring to their gateway address? That would certainly cause a problem as it wouldn't be sending the packets back to the correct router...

    a) The public IP range assigned to us is AA.AA.AA.144-AA.AA.AA.151. The .144 and .151 are not usable. The gateway IP is .150. The public IP for the servers is .145.

    > Are you using an SDSL connection (up and down speeds are equivalent) on both ends of the connection? If it's ADSL, it would explain your problem since the upload speeds are much lower than the download speeds.

    a) The connection is ADSL (384Kb up/1.5Mb down).

    > Are you using static or dynamic routing on the routers? The network seems simple enough that you could use static routes. Make sure they are set up properly and that you can ping/traceroute to the main site from the remote site.

    a) I am using dynamic routing for all the PCs except the one that is for the web server/email server/ftp server, for which I am using static routing.

    > If everything there is correct, put a sniffer on the link to see what's going across it. If you run into the DF bit being set, look at this article as a means to solve that if you have IOS Version 12.2 or later: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ftdfipsc.htm If you have 12.1.6 and higher, you can use one of the solutions in this article: http://www.cisco.com/warp/public/105/56.html Two other potentially helpful starting points: PPPoE: http://www.cisco.com/en/US/tech/tk175/tk819/tsd_technology_support_protocol_home.html Easy VPN setup on 2811: http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c3270.html

    a) I will review these pointers. However, how do we run a sniffer?

    Thank you very much again, Wayne.

    Regards,
    -ketan
  • Layer9
    It looks really odd for just a little SDSL config. I just skimmed over it, but it looks like your default gateway is dial-on-demand routing, you are NATting on the outside instead of the inside and apparently, according to your remark statements on your ACLs, you have another firewall on your perimeter. Also you seem to be running CBAC, which is a mess to begin with. I never did like the CBAC configs on the 2600 series routers. They were never powerful enough to deal with the massive inspection lists and there were always problems with it. Personally, and this is just a personal opinion and others will vary, but the PIX or your firewall is a much better place to build your IPsec tunnel and perform your NAT translations. If I get time I will look at your config closer. Chris Weber, Layer9corp.com
  • Bobkberg
    I suspect you may be barking up the wrong tree. A mapped drive under windows will often show blank when the share permissions and the file system permissions don't match, or there is an authentication issue on the server end. Bob
  • Layer9
    Ketan, I got your private message; however, it kind of made the configuration seem more odd. If indeed you are using Netopias and Linksys to terminate the tunnel ends, then the config of the Cisco does not seem to make sense. It is possible that this is a timeout issue as I suggested, but I would also pay real close attention to Bob's suggestion. He is exactly right about mismatched permissions, and this could also be your problem. I assumed you had permissions set correctly since you were focusing on the routing, and my answers are geared towards your connectivity and filtering concerns, but check out Bob's suggestion as well. You also may want to pull out the Cisco device and try making the connections without the tunnel. Just open IP all the way to the two systems on each side, and see if the problem is still there. There is a lot in this picture that does not make sense, however, like the ATM, DDR and inverse NAT on the 2811, etc. Try it without a tunnel first; that will let you know if it's a tunnel config or an authentication or permissions issue. Chris Weber, Layer9corp.com