Recent content by t00r

  1. t00r

    Cisco 2621XM Qos/Tos settings part due

    Imagefree, OK. So the only thing left is ssh. By default https uses port 443. I would check which port your application uses and remove the redundant one. Regards, t00r
  2. t00r

    Cisco 2621XM Qos/Tos settings part due

    For ftp you need to add tcp port 20 rule into your acl 110 like in my earlier post. Let's try to use some debugs to find out what happens with ssh. Could you make the following acl access-list 160 permit tcp any eq 22 any access-list 160 permit tcp any any eq 22 then temporarily turn off cef no...
  3. t00r

    Cisco 2621XM Qos/Tos settings part due

    One more thing - you need to add access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 20 any access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 21 any to enable ftp through T1 (and make sure you've removed your deny tcp 21 line). t00r
  4. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Imagefree, ftp actually uses 2 ports: 21 - control port 20 - data port you need to have them both for ftp to work just for the record: tcp/20 - ftp data tcp/21 - ftp control tcp/22 - ssh tcp/80 - http tcp/443 - https Could you post your current config, do clear access-list counters 110...
  5. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Minue, Hmm... Maybe the modem was deactivating its Ethernet interfaces when DSL connectivity was lost? If that is the case I agree there is no need for object tracking. The problem with inbound redundancy is that ISP has configured static routing for 200.100.49.56/29 to go to...
  6. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Imagefree, I would change ACL 1 to access-list 1 permit 200.100.49.56 0.0.0.7 since the original one includes more than your addresses. Technically it doesn't matter in this case, just misleading. As for redundancy right now your outgoing connections that normally through T1 should be...
  7. t00r

    Cisco 2621XM Qos/Tos settings part due

    I think we've cross-posted. Are you talking about my earlier posts? Because I didn't receive anything through email yet. Anyway it's good to know that your problem is solved :) P.S.: I've received your config when I was just about to post. So far I've found 3 places that I would change: 1...
  8. t00r

    Cisco 2621XM Qos/Tos settings part due

    You still have acl 1 in your nat config (Id: 4 line) You need to clear ip nat translation * no ip nat inside source list 1 interface FastEthernet0/1 overload to get rid of that. I'll work on your config when I receive one. t00r
  9. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi imagefree, Could you check that you've actually got rid of your nat acl 1? You can do that by show ip nat statistics and look into dynamic mappings section of the output. 200.100.49.56 0.0.0.7 in acl includes all addresses from 200.100.49.56 to 200.100.49.63. It covers the whole...
  10. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Imagefree, I think Minue is right - there is a PBR issue. You'll need to send your ssh and http(s) traffic to s0/0 too, not just udp. acl 110 should look like: access-list 110 permit udp any any access-list 110 permit tcp 200.100.49.56 0.0.0.7 eq 22 any access-list 110 permit tcp...
  11. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Imagefree, If you want your web and ssh traffic to use your T1 line you shouldn't include that traffic in your acl called from route-map NO_NAT - acl 120. Your acl should look like: access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 22 any access-list 120 deny tcp 200.100.49.56 0.0.0.7 eq 80...
  12. t00r

    Cisco 2621XM Qos/Tos settings part due

    Hi Imagefree, Those tracking commands would be helpful if you have static IPs since you'd need to know your local and gateway IPs. In later versions of IOS you can do that with dynamic IPs referencing to interfaces instead of IPs. Regards, t00r
  13. t00r

    Cisco 2621XM Qos/Tos settings part due

    You have 2 VCIs configured on your modem. Which one do you use - PPPoA or bridging? Here is how you can do your tracking config: 1. Define your SLAs: rtr 1 type echo protocol ipIcmpEcho <Remote-ip-address> source-ipaddr <Your-local-IP> timeout...
  14. t00r

    Cisco 2621XM Qos/Tos settings

    One more thing - if you have more than one web-server you'll be able to put only one of them on actual port 80 when NATting, just like in ssh config. t00r
  15. t00r

    Cisco 2621XM Qos/Tos settings

    Sure you can specify which addresses to NAT. But for the addresses that belong to your T1 line your return traffic will always go through T1 line. When you NAT the traffic then for the rest of the world all packets look like they were sent from the IP address of the interface that was specified in...
