Hi, You did indeed send me comments, and most appreciated. You even bailed me out when I misapplied the advice, and again much appreciated. I'm taking baby steps with the wisdom offered, and seem to get deeper than intended, ultimately confused, then reach out for a breather.
Thanks, as always, for your generous help; I will digest the latest.

Daniel Cotts wrote:
>
> I sent you some comments on this last Fri.
> First look up the reload in xx min command. There is a way to have the
> router reboot in a given time interval unless you rescind the command. So if
> you lock yourself out of the router it reboots and restores the startup
> config which allows you back in. If your changes are not fatal then cancel
> the reload command. Then do a copy run start.
> My guess is that you are killing your VPN by removing the access list at the
> far end. You are most likely telnetting to that router from your local PC.
> Its traffic traverses the VPN. Instead bring up a console connection on your
> local router and telnet to the remote router. That won't use the VPN. I
> don't see an access list that would block that connection.
> There is an issue if you have statically NATed addresses. People out on the
> Internet can reach your local servers but folks on the far end of the VPN
> cannot. There is a solution on CCO. Last time I looked you had to start on
> the Documentation page and work towards it. The solution is not on the 707?
> page. I don't have time to look it up. Sort of goes like:
>
> interface Loopback0
>  ip address 2.2.2.1 255.255.255.0
> interface FastEthernet0
>  (This is the interface where your servers are located.)
>  ip route-cache policy
>  ip policy route-map StaticNAT
>
> ip access-list extended StaticNAT
>  remark Allows statically mapped NAT addresses through IPSec tunnel
>  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
>  (USE YOUR OWN IP ADDRESSES)
>
> route-map StaticNAT permit 10
>  match ip address StaticNAT
>  set ip next-hop 2.2.2.2
>  (Note the address is not the address of the loopback.)
>
> To use a basketball analogy - a direct pass won't work because a blocker is
> in the way. Instead use a bounce pass.
>
> > -----Original Message-----
> > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 26, 2002 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Messing up Access Lists [7:54268]
> >
> >
> > I've been trying to optimize communications between two distant routers. So
> > far I've managed to lock myself out of the far router three times; folks
> > over there are getting weary of my mistakes ;-)
> >
> > I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24; the latter
> > is physically the same devices multihomed as 192.168.100.0/24.
> >
> > I realize my NAT is messed up and I'm wrapping my head around the literature
> > pulled from Cisco (led to by links provided by you generous folks).
> > Looks like I also need to look in depth at access lists. I'm taking baby
> > steps but am slowly making progress.
> >
> > Would love to solicit comments/advice on the following:
> >
> > ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
> > ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> > ip nat inside source static 172.29.10.20 64.172.228.154
> > ip nat inside source static 192.168.100.20 64.172.228.132
> > ip nat inside source static 192.168.100.135 64.172.228.135
> > ip nat inside source static 172.29.20.20 64.172.228.133
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> > ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> > ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> > !
> > logging history size 250
> > logging history errors
> > logging facility syslog
> > access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> > access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> > route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54277&t=54268
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
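The access lists quoted in the thread are ordinary IOS wildcard-mask lists, so the question of which flows list 101 hands to NAT can be settled mechanically rather than by locking oneself out a fourth time. The script below is an added example written for this page, not code from the thread or from Cisco: it parses the five `access-list` lines exactly as posted, applies IOS first-match semantics with the implicit deny that ends every list, and runs a few constructed flows through them (the hosts 172.29.30.5 and 198.51.100.7 are made up for the example). What the posted lines alone show: a packet from 192.168.100.0/24 to 172.29.30.0/24 is kept out of translation by the first line of list 101, but a packet from 172.29.10.0/24 to the same destination falls through to the third line of 101 and would be translated, because the only deny in 101 covers 192.168.100.0/24. The post binds list 101 to `ip nat inside source`; what list 100 is bound to is not shown, so the script reports its verdict without assigning it a role.

```python
"""Evaluate Cisco IOS numbered extended access lists the way the router does:
wildcard masks, first match wins, implicit deny at the end of every list.
Added example for this page; not from the original thread or from Cisco."""
import re
from ipaddress import IPv4Address

# Constructed input: the five access-list lines exactly as posted in the thread.
POSTED_ACLS = """
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""

ACL_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A', or 'A WILDCARD').
    Returns ((address_int, wildcard_int), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(IPv4Address(tokens[0])), int(IPv4Address(tokens[1]))), tokens[2:]


def parse_acls(text):
    """Map ACL number -> ordered list of (action, src_spec, dst_spec)."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue  # only extended 'ip' entries are handled in this example
        number, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def _matches(spec, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (base & care)


def evaluate(entries, src, dst):
    """First matching entry decides. Returns (action, 1-based line), or
    ('deny', None) for the implicit deny that ends every IOS access list."""
    for line_no, (action, s, d) in enumerate(entries, 1):
        if _matches(s, src) and _matches(d, dst):
            return action, line_no
    return "deny", None


def nat_selected(acls, src, dst):
    """True when 'ip nat inside source list 101 ...' would translate the packet:
    a NAT source list selects on permit and skips on deny, explicit or implicit."""
    return evaluate(acls[101], src, dst)[0] == "permit"


# Constructed sample flows; 172.29.30.5 and 198.51.100.7 are made-up hosts.
SAMPLE_FLOWS = [
    ("192.168.100.20", "172.29.30.5"),   # multihomed server to far subnet
    ("172.29.10.20", "172.29.30.5"),     # same device, other address, far subnet
    ("172.29.20.20", "172.29.30.5"),     # host reached via Serial0/1.474
    ("192.168.100.20", "198.51.100.7"),  # server to the Internet
    ("64.172.228.154", "172.29.30.5"),   # already-translated source address
]


def report(acls, flows=SAMPLE_FLOWS):
    """Per flow: verdict of list 100 and list 101, plus whether NAT would apply."""
    rows = []
    for src, dst in flows:
        rows.append({
            "src": src, "dst": dst,
            "acl100": evaluate(acls[100], src, dst),
            "acl101": evaluate(acls[101], src, dst),
            "nat": nat_selected(acls, src, dst),
        })
    return rows


if __name__ == "__main__":
    for row in report(parse_acls(POSTED_ACLS)):
        print(f"{row['src']:>16} -> {row['dst']:<14} acl100={row['acl100']} "
              f"acl101={row['acl101']} nat={row['nat']}")
```

The evaluator models only what an access list itself decides; it does not model the order in which IOS applies routing, NAT and any crypto map, so when extending the flows list keep the conclusions to "this list permits/denies this packet at line N".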

