Cisco 2801

(OP)
The goal I'm trying to achieve is having a Cisco router 2801 (which has the internet IP 75.150.67.105) open port 3001 TCP to give internet to another Cisco device with an IP of 172.16.8.240.

interface FastEthernet0/0
ip address 75.150.67.105 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security public
duplex auto
speed auto
crypto map vpn

I've tried doing NAT; below is what I've tried so far:

ip nat inside source static tcp 172.16.8.240 3001 FastEthernet0/0 3001

access-list 7 permit 172.16.8.0 0.0.0.255

thanks

RE: Cisco 2801

You have zone security set up but don't provide the ACL on that, yet you provide ACL 7, which is not referenced in your config.

What is your 'inside' interface that is connected to the 172.16.8.x network?
What is the configuration on the second Cisco router? Does it have a default route out with the 'inside' of the 2801 as the gateway?


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco 2801

(OP)
This is the Cisco 2801 router config:

match access-group 110
class-map type inspect match-all vpn-traffic
match access-group 111
!
!
policy-map type inspect priv-pub-pmap
class type inspect all-private
inspect
class class-default
drop
policy-map type inspect pub-priv-pmap
class type inspect vpn-traffic
inspect
class class-default
drop
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source public destination private
service-policy type inspect pub-priv-pmap
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 84600
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 84600
!
crypto isakmp client configuration group BFvpn
key vPnBr1TT@ny9687!
dns 192.168.2.10
pool vpn_ip
acl remotevpn
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set aes-256-sha esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpn 65535
set transform-set ESP-3DES-MD5
!
!
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
crypto map vpn client configuration address respond
crypto map vpn 65535 ipsec-isakmp dynamic vpn
!
!
!
!
!
interface FastEthernet0/0
ip address 75.150.67.105 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security public
duplex auto
speed auto
crypto map vpn
!
interface FastEthernet0/1
ip address 172.16.250.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security private
speed 100
full-duplex
!
interface FastEthernet0/3/0
switchport mode trunk
no ip address
!
interface FastEthernet0/3/1
no ip address
!
interface FastEthernet0/3/2
no ip address
!
interface FastEthernet0/3/3
no ip address
!
interface Vlan1
no ip address
!
interface Vlan413
ip address 170.163.128.202 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
zone-member security public
!
!
router eigrp 1
network 172.16.0.0
!
ip local policy route-map LocalPBR
ip local pool vpn_ip 172.16.251.10 172.16.251.20
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 172.16.8.40 3001 FastEthernet0/0 3001
ip nat inside source route-map NAT-HFC interface FastEthernet0/0 overload
ip nat inside source route-map NAT-OPT interface Vlan413 overload
ip route 0.0.0.0 0.0.0.0 75.150.67.106 track 3
ip route 0.0.0.0 0.0.0.0 170.163.128.201 5
!
ip access-list standard remotevpn
permit 172.16.0.0 0.15.255.255
!
ip sla 1
icmp-echo 75.150.67.106 source-interface FastEthernet0/0
frequency 30
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 170.163.128.201 source-interface Vlan413
frequency 30
ip sla schedule 2 life forever start-time now
access-list 1 permit 170.163.0.0 0.0.255.255
access-list 1 remark for Telnet & SNMP Restrictions
access-list 1 permit 172.16.8.0 0.0.3.255
access-list 7 permit 172.16.8.0 0.0.0.255
access-list 10 permit 75.150.67.105
access-list 20 permit 170.163.128.202
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip 172.16.0.0 0.0.15.255 any
access-list 102 permit ip 172.16.0.0 0.15.255.255 any
access-list 110 permit ip any any
access-list 111 permit ip 172.16.251.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 111 deny ip any any
!
!
!
route-map LocalPBR permit 10
match ip address 10
set ip default next-hop 75.150.67.106
!
route-map LocalPBR permit 20
match ip address 20
set ip default next-hop 170.163.128.201
!
route-map NAT-HFC permit 10
match ip address 102
match interface FastEthernet0/0
!
route-map NAT-OPT permit 10
match ip address 102
match interface Vlan413
!
snmp-server community chimenet#3000 RO 1
snmp-server enable traps tty
!
tacacs-server host 170.163.248.63
tacacs-server host 170.163.248.64
tacacs-server directed-request
tacacs-server key 7 06050728414B071C1154405B5C54

RE: Cisco 2801

sh ip route on the second Cisco router, please.
I reckon you don't have routes.
I see your EIGRP statement; I'm assuming it is neighboured with the Cisco router.

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco 2801

(OP)
The second device is a Cisco switch.

RE: Cisco 2801

YOU SAID:
internet to another Cisco device with an IP of 172.16.8.240

Now you are saying:
The second device is a Cisco switch

Whatever the case, the second device needs to know how to get out.
Furthermore, looking at your two statements now, nothing from your config matches what you are asking.
Your fa0/1 has an IP address that is NOT part of the same subnet as 'IP address 172.16.8.240'.

You aren't telling me where the second Cisco device is pointing for a default route / default gateway.

Either provide enough information or start googling.

What are the routes on the second device?
How is it connected?

We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.

RE: Cisco 2801

(OP)
I'm trying to open a port in a Cisco 2801, port 3001, to give internet access to a Cisco switch whose IP is 172.16.8.40. What I've tried so far is ip nat inside source static tcp 172.16.8.40 3001 172.16.250.1 3001

Cisco switch configuration

User Access Verification

Password:
BF-3508-Main>en
Password:
BF-3508-Main#sh run
Building configuration...

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname BF-3508-Main
!
enable secret 5 $1$DWIK$MGm.rL6qLu1qDKbDDCG0C0
!
!
!
!
!
!
ip subnet-zero
!
!
!
interface GigabitEthernet0/1
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/3
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/4
duplex full
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/5
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface VLAN1
no ip address
no ip directed-broadcast
no ip route-cache
shutdown
!
interface VLAN8
ip address 172.16.8.240 255.255.252.0
no ip directed-broadcast
no ip route-cache
!
ip default-gateway 172.16.8.1
snmp-server engineID local 0000000902000004DD5EEE80
snmp-server community private RW
snmp-server community public RO
!
line con 0
password 7 013213165419075E60
transport input none
stopbits 1
line vty 0 4
password 7 002506140B490A574E
login
line vty 5 15
password 7 002506140B490A574E
login
!
end

BF-3508-Main#

RE: Cisco 2801

Since you aren't answering my questions about connectivity / subnets / etc., I am going with a simple question for you that should be fairly easy to answer:
Can the 'switch' ping the Fa0/0 of your 2801 router?

In your original post you mentioned:

Quote:

ip nat inside source static tcp 172.16.8.240 3001 FastEthernet0/0 3001

In your last post you mention:

Quote:

ip nat inside source static tcp 172.16.8.40 3001 172.16.250.1 3001

I am not really sure what you are trying to do here. You don't do NAT until you are at the perimeter / exit point.
So take out the second NAT statement (wherever you have put that ...).

So, assuming that there is real connectivity between the switch and the router, THEN all you need to do is pick the correct IP address (as you can see, both the parts I've quoted have a DIFFERENT IP address as the source of the NAT) and use the first statement to make it go.

If you can't ping from the switch to the router's Fa0/0, then fix your routing.
As I've said above several times now, your interfaces, or what you claim are your configurations in your previous posts, are not in the same subnet, so unless there is another router in between your switch and the 2801, your IP subnetting is BAD.


We must go always forward, not backward
always up, not down and always twirling twirling towards infinity.
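A small config sanity check for the two points raised across this thread (the static NAT's inside host sits on no 'ip nat inside' subnet, and ACL 7 is defined but never referenced), as an added Python example that is not part of any post. The CONFIG excerpt is constructed to mirror the posted 2801 config, with the credentials left out; regexes and the '!'-terminated block parsing are this example's assumptions about IOS output, not any poster's code.

```python
import ipaddress
import re
# Constructed excerpt of the 2801 config posted above (secrets omitted, unindented as in the thread).
CONFIG = """\
interface FastEthernet0/0
ip address 75.150.67.105 255.255.255.252
ip nat outside
!
interface FastEthernet0/1
ip address 172.16.250.1 255.255.255.252
ip nat inside
!
ip nat inside source static tcp 172.16.8.40 3001 FastEthernet0/0 3001
access-list 7 permit 172.16.8.0 0.0.0.255
access-list 102 permit ip 172.16.0.0 0.15.255.255 any
route-map NAT-HFC permit 10
match ip address 102
"""

def parse_interfaces(cfg):
    """Map interface name -> connected IPv4 network and 'ip nat' role ('!' ends a block)."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None
        elif line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"net": None, "nat": None}
        elif cur and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ifaces[cur]["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)  # dotted mask accepted
        elif cur and (m := re.match(r"ip nat (inside|outside)$", line)):
            ifaces[cur]["nat"] = m[1]
    return ifaces

STATIC = re.compile(r"ip nat inside source static (?:tcp|udp) (\S+) \d+ (\S+) \d+")
def check_static_nat(cfg):
    """Flag static NAT whose inside host is on no 'ip nat inside' subnet (needs a route or another router in between) or whose outside side is not an 'ip nat outside' interface."""
    ifaces, findings = parse_interfaces(cfg), []
    for host, outside in STATIC.findall(cfg):
        if not any(i["nat"] == "inside" and i["net"] and ipaddress.ip_address(host) in i["net"] for i in ifaces.values()):
            findings.append(f"{host}: not on any 'ip nat inside' subnet")
        if ifaces.get(outside, {}).get("nat") != "outside":
            findings.append(f"{outside}: not an 'ip nat outside' interface")
    return findings

def unreferenced_acls(cfg):
    """ACLs defined with 'access-list N' but referenced nowhere else (ACL 7 in the thread)."""
    defined = set(re.findall(r"^access-list (\S+) ", cfg, flags=re.M))
    used = set(re.findall(r"(?:match ip address|match access-group|ip access-group|access-class) (\S+)", cfg))
    return sorted(defined - used)
```

Running it on the full posted config would also report the second, misplaced statement (172.16.250.1 is an address, not an 'ip nat outside' interface); only directly connected subnets are checked, so a host reachable via another router still shows up and must be confirmed by routing.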
