ip tcp adjust-mss: unidirectional or bidirectional?

If I configure this command on my Cisco CPE with a value of 1440, why do I still see packets that have an MSS of 1460, while I clearly see the TCP three-way handshake? I'm no Wireshark expert, but maybe you guys can tell me what I am doing wrong. I have made a capture between two hosts that are communicating with each other.
Here is the direct link for a clearer picture: http://s16.postimg.org/4vyeqpg91/syn_bit.png

Hi there,
Correct me if I'm wrong: is the capture taken from a PC connected to the Cisco?
The default MSS is 1460, which is MTU 1500 - 40 header = 1460; this is announced by the PC in the SYN. As you can see from the second packet, which is the SYN-ACK received on the PC through the router, the MSS is set to 1440, which means the MSS was modified/adjusted by the router.
Please refer to the link below for more information and for testing MSS.
http://www.cisco.com/c/en/us/td/docs/ios/12_2sb/12_2sba/feature/guide/sb_admss.pdf
HTH
Hitesh

Similar Messages

  • Ip tcp adjust-mss on LAN and BVI

    Hi all,
    just a quick question: we have routers configured with a LAN interface bridged to a BVI interface.
    I want to set ip tcp adjust-mss 1420, but which port will take precedence?
    My question: on which port do I configure this command?
    interface FastEthernet0/0.2 
     description ### Corp LAN ###
     encapsulation dot1Q 2
     no ip redirects
     ip accounting output-packets
     ip nbar protocol-discovery
     ip tcp adjust-mss 1420   <<<
    interface BVI2
     description ### Corp VLAN ###
     ip address 192.168.231.1 255.255.255.0 
     ip flow ingress

    Since this command works at the IP layer, you will need to apply it to the routed interface. That will be BVI2 in this case.
    Regards,
    Mike

  • IP TCP Adjust MSS

    Hi
    We have a network setup where the customers come via the internet to a 7600 and from there we forward this to the MPLS-VPN cloud:
    CE -----Internet cloud -------Internet Access router --- 7600-----IP VPN cloud
    We use an IPsec tunnel from the CE to the 7600. Sometimes customers complain of email/other applications not working etc.
    Most of the issues are resolved when we put the ip tcp adjust-mss command on the LAN, going from a higher value to a lower value, e.g. from 1452 to 1350.
    Can somebody clarify the working of ip tcp adjust-mss and its effect?
    Thanks in Advance
    Tarun

    When a host initiates a TCP session with a server, it negotiates the IP segment size by using the MSS option field in the TCP SYN packet. The value of the MSS field is determined by the maximum transmission unit (MTU) configuration on the host. The default MSS value for a PC is 1500 bytes.
    Links for reference:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ft_admss.htm
    http://cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a0080093f1f.shtml
    http://cisco.com/en/US/products/hw/routers/ps4081/products_tech_note09186a0080094268.shtml
    But the actual MSS between two end points is derived as below.
    MSS = MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen = MinPathMTU - 20 - 20 = MTU - 40.
    Now for GRE = GRE header + GRE IP header = 4 + 20 = 24
    IPsec = 60 to 72 approx, depending on the encryption used.
    Since your internet routers won't be supporting more than 1500 bytes as an MTU, effectively the MSS available for
    your host-to-server session is the actual MTU on the path minus the overhead mentioned above,
    which is MinPathMTU - MinTCPHeaderLen - MinIPHeaderLen - (GRE header + GRE IP header) - IPsec overhead
    = 1500 - (40 + 24 + 60~72) = 1376~1364.
    So a TCP MSS value of 1360 would be safe for your end-to-end TCP sessions over a GRE-IPsec tunnel.
    If you were not doing GRE-IPsec up to the 7600 and had a leased circuit to the 7600, then an MSS value of 1460 (1500 - 40) fits well.
    HTH-Cheers,
    Swaroop
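    The two threads above cover the same mechanism from both ends: the MSS budget (path MTU minus IP, TCP, GRE and IPsec headers) and what the router does to a SYN that advertises more than the configured value. The following is an added example, not code from either thread or from Cisco: it computes the budget with the header sizes quoted in the answer, builds a constructed SYN with the default MSS of 1460, and clamps it to 1440 the way ip tcp adjust-mss does, recomputing the TCP checksum so the result is still a valid segment. Addresses and ports are constructed; adjust_mss is a model of the command's behaviour, not IOS code.

```python
import struct

# Header sizes quoted in the answer above (bytes).
IP_HDR = 20
TCP_HDR = 20
GRE_OVERHEAD = 4 + 20            # GRE header + outer IP header
IPSEC_OVERHEAD_RANGE = (60, 72)  # "60 to 72 approx depending on the encryption used"


def safe_mss(path_mtu, gre=False, ipsec_overhead=0):
    """MSS = MinPathMTU - TCP header - IP header - tunnel overhead, as in the post."""
    return path_mtu - IP_HDR - TCP_HDR - (GRE_OVERHEAD if gre else 0) - ipsec_overhead


def tcp_checksum(src_ip, dst_ip, segment):
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.
    src_ip/dst_ip are 4-byte values; the caller zeroes the checksum field first."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """A segment carrying a correct checksum sums to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed SYN: 20-byte header plus the 4-byte MSS option (kind 2)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    data_offset = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    csum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def find_mss(segment):
    """Walk the TCP options; return (offset of the MSS value, MSS) or (None, None)."""
    end = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < end:
        kind = segment[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= end:
            break
        length = segment[i + 1]
        if length < 2:
            break                # malformed option; stop rather than loop forever
        if kind == 2 and length == 4:
            return i + 2, struct.unpack("!H", segment[i + 2:i + 4])[0]
        i += length
    return None, None


def adjust_mss(src_ip, dst_ip, segment, max_mss):
    """What 'ip tcp adjust-mss <max_mss>' does to a SYN passing through the router:
    lower the advertised MSS only if it is larger than max_mss, then fix the checksum.
    Non-SYN segments and SYNs already at or below max_mss pass unchanged."""
    if not segment[13] & 0x02:
        return segment, False
    off, mss = find_mss(segment)
    if off is None or mss <= max_mss:
        return segment, False
    seg = bytearray(segment)
    seg[off:off + 2] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src_ip, dst_ip, bytes(seg)))
    return bytes(seg), True


if __name__ == "__main__":
    # Constructed addresses from the documentation ranges; the PC advertises the default 1460.
    pc, server = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    syn = build_syn(pc, server, 40000, 80, 1460)
    print("PC SYN advertises MSS", find_mss(syn)[1])
    clamped, changed = adjust_mss(pc, server, syn, 1440)
    print("after router: MSS", find_mss(clamped)[1], "changed:", changed,
          "checksum ok:", checksum_ok(pc, server, clamped))
    print("safe MSS over GRE+IPsec at MTU 1500:",
          safe_mss(1500, gre=True, ipsec_overhead=IPSEC_OVERHEAD_RANGE[1]))
```

    The clamp touches only SYN segments whose advertised MSS exceeds the configured value, which is why a capture still shows 1460 in the PC's own SYN but 1440 in the SYN-ACK that has crossed the router.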

  • "ip tcp adjust-mss " command

    Hello Everyone,
    I wonder about the usage of the "ip tcp adjust-mss" command. Basically, should I apply this command on routers that are communicating point-to-point, or is it not a must to apply this command on both ends?
    I have an IPsec-configured router and I cannot be sure whether I should apply this command on the LAN interface or the WAN interface, and do I have to apply this command on the other end?

    Hi,
    You can use the following configuration instead of the former command:
    #interface tunnel 0
    -if)#mtu 1600
    -if)#ip access-group DLP in
    -if)#ip address <><>
    #ip access-list extended DLP
    -acl)#statistics per-entry
    -acl)#deny ip any any packet-length gt <adjust value>
    -acl)#permit ip any any
    I think it may help you.
    Houtan

  • Unidirectional vs bidirectional association

    Hi,
    I've read lots of examples and it seems to me that, in reality, these are bidirectional associations:
    Employee and Department (given an employee, you can find out what department(s) s/he belongs to; given a department, you can find out which employees are in it)
    Parent and Child (given a parent, you can find out who are his/her children; given a child, you can find out who his/her parent(s) are)
    Bid and Item (given a bid, you should be able to tell which item it is for; given an item, you can tell which bids were made on it).
    To show unidirectional, the author just omitted the reference to the other in one class. In my opinion, all of the above should be bidirectional (in real life, they would be, I think).
    Can someone give me some real life examples of a unidirectional association?
    Are most associations bidirectional?
    Thanks,
    C

    You're quite correct - in "real" life, relationships like the ones you cite are bidirectional.
    However, that does not mean that every software representation of a real-life situation requires the bidirectional relationship. If the model you've derived has no need of the many-to-one inverse relationship, it's possible to leave it out. Why do it? If the model doesn't require it, looser coupling.
    If I'm modeling a parent-child relationship in a financial application, the parent has to know about child dependents, but there might not be any reason for the child object to know who its parent is. I only navigate to child objects by accessing the parent first.

  • Unidirectional and Bidirectional association

    Can someone explain the difference between a unidirectional association and a bidirectional association?
    An example would be a great help.
    Thanks to all of you.
    Satya

    montefusco,
    I believe you are correct in stating that in an information system (implementation) often there is a unidirectional association between two objects where in the Real World (conceptual) there is a bidirectional association.
    When I mentioned callbacks I was exclusively thinking of an actual callback implementation.
    In an observer pattern implementation, for example, the Observer object has a reference to the Observable object so that the Observer can register itself with the Observable object. The Observable object has a reference to the Observer object for notifications. (Of course there are other ways of implementing this pattern, but you get the point, I hope.)
    So, I don't think we contradict each other here. There was just a confusion between conceptual-level class diagrams and implementation-level class diagrams.

  • Block Traffic under two VLAN's : Unidirectional OR Bidirectional ???

    I have a Cisco L3 switch with 4 VLANs, and all host computers are connected to the remaining 8 Cisco 2960 switches:
    VLAN 1  : 192.168.1.0/24
    VLAN 10: 192.168.10.0/24
    VLAN 20: 192.168.20.0/24
    VLAN 50: 192.168.30.0/24
    Here is a list of some of my questions about extended ACLs, in order:
    1. To restrict traffic from VLAN 10 to VLAN 20, I am using only one ACL: access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255.
        What will happen in this scenario if we talk about traffic from VLAN 20 to VLAN 10? Will it communicate or not?
    2. How do I block the traffic from VLAN 10 to VLAN 20 but allow the traffic from VLAN 20 to VLAN 10? Please tell me the access-list command for this.
          Question 2 depends on question 1.
    Please find my Cisco 3560 switch configuration in the blog below:
    Regards
    Kuldeep

    Hi Richard,
    See this Cisco 3560 switch configuration, and tell me the answers accordingly:
    CORE_3560#sh run
    Building configuration...
    Current configuration : 5299 bytes
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    hostname CORE_3560
    enable secret 5 $1$d6GO$No/vGsChZP5O.5ANOYI2m/
    no aaa new-model
    ip subnet-zero
    ip routing
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface Port-channel1
    description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Port-channel2
    description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/1
    description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/2
    description *** CONNECTING TO CISCO-2960 SWITCH-1 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet0/3
    description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet0/4
    description *** CONNECTING TO CISCO-2960 SWITCH-2 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet0/5
    description *** CONNECTING TO CISCO-2960 SWITCH-3 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/6
    interface GigabitEthernet0/7
    description *** CONNECTING TO CISCO-2960 SWITCH-4 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/8
    interface GigabitEthernet0/9
    description *** CONNECTING TO CISCO-2960 SWITCH-5 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/10
    interface GigabitEthernet0/11
    description *** CONNECTING TO CISCO-2960 SWITCH-6 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/12
    interface GigabitEthernet0/13
    description *** CONNECTING TO CISCO-2960 SWITCH-7 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/14
    description *** CONNECTING TO CISCO-2960 SWITCH-8 ***
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/15
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet0/16
    interface GigabitEthernet0/17
    interface GigabitEthernet0/18
    interface GigabitEthernet0/19
    interface GigabitEthernet0/20
    interface GigabitEthernet0/21
    interface GigabitEthernet0/22
    interface GigabitEthernet0/23
    interface GigabitEthernet0/24                       
    description Connecting to Cisco-1800 Router             
    switchport access vlan 50
    switchport mode access
    interface GigabitEthernet0/25
    interface GigabitEthernet0/26
    interface GigabitEthernet0/27
    interface GigabitEthernet0/28
    interface Vlan1                                     ***** L2 switch's Vlans
    ip address 192.168.1.1 255.255.255.0      
    interface Vlan10
    ip address 192.168.10.1 255.255.255.0
    ip access-group 101 in
    interface Vlan20
    ip address 192.168.20.1 255.255.255.0
    ip access-group 101 in
    interface Vlan50
    ip address 192.168.30.1 255.255.255.0
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.30.10
    ip http server
    access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
    access-list 101 permit ip any any
    access-list 101 permit icmp any any
    control-plane
    line con 0
    line vty 0 4
    password cisco
    no login
    line vty 5 15
    no login
    end
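    The question above asks what a single deny entry does to traffic in the opposite direction. The following is an added example, not from the thread: a small Python model of access-list 101 from the configuration above, applied inbound on Vlan10 and Vlan20 as configured, evaluated against constructed host addresses in both directions. It shows that the deny entry stops VLAN 10 hosts from reaching VLAN 20, but, because an ACL is stateless, it also drops the replies to sessions that VLAN 20 hosts initiate, so those sessions fail too.

```python
import ipaddress

# access-list 101 as shown in the 3560 configuration above, in the same order.
ACL_101 = [
    ("deny",   "ip",   "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("permit", "ip",   "any", "", "any", ""),
    ("permit", "icmp", "any", "", "any", ""),  # never reached: the entry before it already permits everything
]

# SVI addressing from the post; the ACL is applied 'in' on Vlan10 and Vlan20 only.
VLANS = {"Vlan1": "192.168.1.0/24", "Vlan10": "192.168.10.0/24",
         "Vlan20": "192.168.20.0/24", "Vlan50": "192.168.30.0/24"}
ACL_IN = {"Vlan10": ACL_101, "Vlan20": ACL_101}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care'. 'any' matches everything."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate_acl(acl, proto, src, dst):
    """First-match evaluation with the implicit deny at the end. Returns (action, entry index)."""
    for i, (action, p, sn, sw, dn, dw) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action, i
    return "deny", None


def ingress_svi(src):
    """The SVI a packet from src enters on, derived from the VLAN addressing."""
    for vlan, net in VLANS.items():
        if ipaddress.IPv4Address(src) in ipaddress.IPv4Network(net):
            return vlan
    return None


def forwarded(proto, src, dst):
    """Is a packet src -> dst forwarded by the switch, given the inbound ACLs?"""
    acl = ACL_IN.get(ingress_svi(src))
    if acl is None:
        return True  # no ACL on that SVI
    return evaluate_acl(acl, proto, src, dst)[0] == "permit"


def tcp_session_possible(client, server):
    """A stateless ACL must permit both the request and the reply for a TCP session to complete."""
    request_ok = forwarded("tcp", client, server)
    reply_ok = forwarded("tcp", server, client)
    return {"request": request_ok, "reply": reply_ok, "session": request_ok and reply_ok}


if __name__ == "__main__":
    # Constructed hosts, one per VLAN of interest.
    print("VLAN10 -> VLAN20:", tcp_session_possible("192.168.10.5", "192.168.20.5"))
    print("VLAN20 -> VLAN10:", tcp_session_possible("192.168.20.5", "192.168.10.5"))
    print("VLAN10 -> VLAN1: ", tcp_session_possible("192.168.10.5", "192.168.1.5"))
```

    Run on the addresses in the post, the VLAN 20 to VLAN 10 request is permitted but its reply is denied on Vlan10 inbound, which answers question 1: neither direction gets a working session with this ACL as written.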

  • Advice required on optimal MTU and MSS settings for GRE and IPSEC connections

    Hi,
    We have 2 remote sites (Site A and Site B) which connect to our datacentres (DC) over IPSEC VPN and connect to each other over GRE tunnels.
    We had some issues recently which we believe were MTU/MSS related (browsing web servers at one location not appearing correctly, etc.).
    We got some advice from our Cisco partner and tweaked some settings but I'm still not convinced we have the optimal configuration - and we still have some problems I suspect may be MTU related.  For example, from our DC (connected to Site A by IPSEC), we CANNOT browse to the webpage of the phone system hosted at Site A.  Yet, we CAN browse to the webpage of the Site A phone system from Site B (connected over GRE)
    Site A and Site B have two WAN internet circuits each - and each provider presents their circuit to us as ethernet.
    Here are the relevant interface settings showing the currently configured MTU and MSS (both routers are configured the same way)
    Can someone advise on what the optimal settings should be for our MTU and MSS values on the various interfaces or how we might best determine the values?
    interface Tunnel1
    description *** GRE Tunnel 1 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface Tunnel2
    description *** GRE Tunnel2 to SiteB***
    ip address [removed]
    ip mtu 1400
    ip tcp adjust-mss 1360
    keepalive 30 3
    tunnel source [removed]
    tunnel destination [removed]
    interface GigabitEthernet0/0
    description "WAN Connection to Provider1"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    crypto map cryptomap
    interface GigabitEthernet0/1
    description "Connection to LAN"
    no ip address
    ip flow ingress
    ip flow egress
    duplex auto
    speed auto
    interface GigabitEthernet0/1.1
    description DATA VLAN
    encapsulation dot1Q 20
    ip address [removed]
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/1.2
    description VOICE VLAN
    encapsulation dot1Q 25
    ip address [removed]
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1320
    interface GigabitEthernet0/2
    description "Connection to Provider2"
    ip address [removed]
    ip access-group firewall in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip nat outside
    ip inspect cbac out
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map grecrypto
    Thanks.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html

  • MTU vs MSS

    I have been reading up on DMVPN and noticed the tunnel configuration had the following:
    interface Tunnel0
    ip mtu 1408
    ip tcp adjust-mss 574
    Would someone be able to explain to me why the MSS is so much lower than the MTU?
    I thought the MSS was 28 less than the MTU.

    From the same doc, I think this is valid:
    "The goal is to select an optimum value for ip tcp adjust-mss that minimizes both the IPSec padding and
    ATM adaption layer (AAL) 5 padding."
    Is that your objective in the live network?
    For the rest it's pretty self-explanatory:
    IP MTU of transport network > IP MTU of overlay network > TCP MSS set on overlay

  • Optimize mtu and mss

    Dear all,
    It is about IPsec/GRE over WAN...
    Would you please confirm or comment on the following in terms of MTU:
    1. On GRE tunnel interfaces, "ip mtu" and "ip tcp adjust-mss" are mandatory. "tunnel path-mtu-discovery" is good to have and will allow the DF bit to be set in the outer header. If "tunnel path-mtu-discovery" is to be applied, ICMP should not be blocked between routers.
    2. On inside router interfaces, "ip tcp adjust-mss" is mandatory and will be the same value as on the tunnel interfaces. This will make sure TCP traffic from inside hosts is OK.
    3. It is mandatory that ICMP messages are not blocked between inside hosts and WAN routers in order for PMTUD for hosts to work.
    Thanks in advance,
    Mladen

    No, you have not misread the document - maybe just been led down a path a little; my answers are based on experience.
    I have found that tunnel path-mtu-discovery/PMTUD/black-hole MTUD do not work in 99.999% of the cases where I have had MTU issues - the Windows OS has been where the issues lie. I have never encountered a time where the Windows OS has actually taken any notice of an ICMP fragmentation-needed message it has received.
    Some Cisco platforms cannot use the tcp mss adjust command on transient packets; only packets sourced from the device are affected.
    Cisco firewalls have a default configuration in regard to fragmentation - the packets will be fragmented prior to encrypting the packet and they copy the DF bit = the packet will be dropped due to being oversized.
    What I do when dealing with GRE/IPsec tunnels is either:
    1) Change the MTU of the workstations/servers - works in small environments, does not scale.
    2) You do not have to worry about MTU/MSS sizes on internet sites generally, as the remote servers will 99% of the time negotiate a small MSS.
    3) Use where possible tcp mss adjust on routers and firewalls (this is a great place, especially when you are not using GRE tunnels).
    4) Perform packet captures to determine if an application will send ALL packets with the DF bit set, or as normal just the TCP handshake.
    Below is a good example:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008081e621.shtml
    HTH

  • Getting huge number of TCP retransmissions & TCP Dup ACK packets.

    Hi,
    I was working on an issue in which we were observing that the Citrix application page freezes intermittently for 5-10 secs and then works again without any disconnections.
    On troubleshooting I did not observe any abnormal latency or packet loss on the GRE tunnel from the source VLAN to the server destinations.
    The Citrix traffic flows via a GRE tunnel to the remote location, then via the plain internet to an internet-facing Citrix server behind a firewall.
    On analyzing the traffic using Ethereal I observed a huge number of duplicate ACK packets and TCP retransmissions, hence I concluded it has something to do with packet fragmentation. Hence I modified the TCP MSS size to 1400 from 1412.
    I modified the GRE tunnel config as below:
    Router#sh run int tu 691
    interface Tunnel691
    description XXXX
    ip address X.X.X.41 255.255.255.252
    ip mtu 1500
    ip tcp adjust-mss 1400
    tunnel source Loopback69
    tunnel destination X.X.X.X
    end
    Still there is an intermittent issue. Can you please help me find out where exactly the issue can lie?

    We had a similar issue and issued the following commands and everything is working well.
    ip mtu 1476
    ip tcp adjust-mss 1436

  • MTU MSS DF Bit and Fragmentation

    I am running an encrypted link and want to check for and if necessary, remedy fragmentation.
    I'm using two connected 6500s with VPN modules.
    Using the NAM I sniffed the outbound physical interface and I see packets of various sizes, but the biggest is 128 bytes even during a massive file transfer. I'm assuming fragmentation but need to be sure.
    Using ping I see the biggest packet allowed without fragmentation is 1472.
    My primary intent is to first determine if there is a fragmentation issue. If there is, I'll probably follow up with questions on which command to use and where to put it. I assume that I would use either the physical outgoing interface (currently MTU=1500) or the inside crypto interface (current MTU=4500).
    1. How do I determine if there is a fragmentation issue?
    2. Which command do I use, and where?
    Any help would be appreciated.

    The issue is with large packets that have the don't-fragment bit set and become too large with the additional overhead of IPsec.
    Use the command "ip tcp adjust-mss" to set the TCP MSS (maximum segment size) sufficiently low that the packet isn't fragmented.
    You may need to clear the DF bit entirely (it's a less efficient method, but it works). For the router, you can do so via "crypto ipsec df-bit clear".
    Try these links for more info:
    http://cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a00804247fc.html
    http://www.cisco.com/warp/public/105/pmtud_ipfrag.html
    http://www.cisco.com/warp/public/105/38.shtml

  • ZBFW Intra zone traffic not working

    I am having an issue on one of our 2811 routers where I can't get traffic between interfaces within the same zone to flow. I know this should happen by default, and that's why it is so confusing.
    One of the interfaces is FastEthernet0/0.1, which is the internal LAN, and the others are tunnel interfaces using IPsec tunnel protection back to the main datacenter. By design one tunnel is preferred over the other by using OSPF costing. Due to this there doesn't seem to be any asymmetric routing.
    I have inter-zone traffic working just fine by defining the policy and zone pair. It is just when I enable another zone on our internal LAN interfaces that it stops passing traffic. Just to note, I do have this working on our lab 2811 router running the same IOS version.
    Any recommendations would be helpful. I have a case open with TAC but they aren't figuring it out. So now I'm calling the experts.
    Thanks in advance. Elton
    Sent from Cisco Technical Support iPhone App

    Here is the sanitized configuration. The zone that I am trying to apply is "LAN".
    I would like to apply it to all of the tunnel interfaces along with the FastEthernet0/0.1 interface. This is working on another 2811 router.
    Thanks again for the assistance.
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    hostname ****************
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 16384 informational
    enable secret 5 ******************************
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa session-id common
    clock timezone est -5
    clock summer-time SummerTime recurring
    dot11 syslog
    ip source-route
    ip traffic-export profile CAPTURE mode capture
      bidirectional
      incoming access-list CAPTURE_IN
      outgoing access-list CAPTURE_OUT
      length 512
    ip cef
    ip dhcp excluded-address 192.168.43.33 192.168.43.37
    ip dhcp pool CREDIT_CARD_SCANNERS
       network 192.168.43.32 255.255.255.224
       default-router 192.168.43.33
       dns-server 4.2.2.2 8.8.4.4
       lease 2
    no ip domain lookup
    ip multicast-routing
    ip inspect log drop-pkt
    ip inspect name incoming tcp router-traffic
    ip inspect name incoming udp router-traffic
    login on-failure log every 3
    no ipv6 cef
    ntp server 10.69.16.1
    multilink bundle-name authenticated
    isdn switch-type basic-ni
    voice-card 0
    crypto pki trustpoint TP-self-signed-218647659
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-218647659
    revocation-check none
    rsakeypair TP-self-signed-218647659
    crypto pki certificate chain TP-self-signed-218647659
    certificate self-signed 03
            quit
    username ************************** privilege 15 secret 5 ***********************************
    archive
    log config
      hidekeys
    crypto isakmp policy 1
    authentication pre-share
    crypto isakmp key ***************** address *****************
    crypto isakmp key **************** address *********************
    crypto isakmp key ************* address **********************
    crypto isakmp key ******************* address *********************
    crypto isakmp keepalive 120 periodic
    crypto ipsec transform-set TRANSFORM-AES esp-aes esp-sha-hmac
    crypto ipsec transform-set TRANSFORM-AES-TRAN esp-aes esp-sha-hmac
    mode transport require
    crypto ipsec profile PROFILE-DMVPN
    set transform-set TRANSFORM-AES
    crypto ipsec profile PROFILE-DMVPN-TRAN
    set transform-set TRANSFORM-AES-TRAN
    track 1 ip sla 1 reachability
    track 10 interface FastEthernet0/1 line-protocol
    class-map type inspect match-any CC_SCAN_TRAFFIC_CLASS
    match access-group name CC_SCAN_OUT
    class-map type inspect match-all BBDBU-CMAP
    match access-group name BBDBU
    policy-map type inspect CC_SCAN_TRAFFIC_POLICY
    class type inspect CC_SCAN_TRAFFIC_CLASS
      inspect
    class class-default
      drop log
    policy-map type inspect BBDBU-PMAP
    class type inspect BBDBU-CMAP
      pass
    class class-default
      drop log
    zone security internet
    zone security CC_SCAN_LAN
    zone security LAN
    zone-pair security self-to-internet source self destination internet
    service-policy type inspect BBDBU-PMAP
    zone-pair security internet-to-self source internet destination self
    service-policy type inspect BBDBU-PMAP
    zone-pair security CC_SCAN-TO-INTERNET source CC_SCAN_LAN destination internet
    service-policy type inspect CC_SCAN_TRAFFIC_POLICY
    interface Tunnel1
    description Broadband backup circuit
    bandwidth 256
    ip address 10.69.7.111 255.255.255.0
    ip mtu 1400
    ip pim sparse-mode
    ip nhrp authentication ****************
    ip nhrp map 10.69.7.1 *********************
    ip nhrp network-id **************
    ip nhrp holdtime 300
    ip nhrp nhs 10.69.7.1
    ip nhrp server-only
    ip ospf authentication-key 7 *******************
    ip ospf network broadcast
    ip ospf cost 130
    ip ospf priority 0
    tunnel source FastEthernet0/1
    tunnel destination ********************
    tunnel key ********************
    tunnel protection ipsec profile PROFILE-DMVPN-TRAN
    interface Tunnel2
    description Backup Tunne2
    bandwidth 512
    ip address 10.69.10.111 255.255.255.0
    ip mtu 1400
    ip pim sparse-mode
    ip nhrp authentication **************
    ip nhrp map 10.69.10.1 ********************
    ip nhrp network-id **************
    ip nhrp holdtime 300
    ip nhrp nhs 10.69.10.1
    ip nhrp server-only
    ip ospf authentication-key 7 ********************
    ip ospf network broadcast
    ip ospf priority 0
    tunnel source FastEthernet0/1
    tunnel destination ********************
    tunnel key *********************
    tunnel path-mtu-discovery
    tunnel protection ipsec profile PROFILE-DMVPN-TRAN
    interface Tunnel16
    description mGRE TUNNEL FOR NYe0008981
    bandwidth 1500
    ip address 10.69.4.111 255.255.255.0
    ip mtu 1400
    ip flow ingress
    ip pim sparse-mode
    ip nat outside
    ip nhrp authentication ****************
    ip nhrp map 10.69.4.1 *********************
    ip nhrp network-id ***************
    ip nhrp holdtime 300
    ip nhrp nhs 10.69.4.1
    ip nhrp server-only
    ip virtual-reassembly
    ip ospf network broadcast
    ip ospf cost 120
    ip ospf priority 0
    tunnel source Serial0/0/0
    tunnel destination ******************
    tunnel key ******************
    tunnel protection ipsec profile PROFILE-DMVPN-TRAN
    interface Tunnel17
    description mGRE TUNNEL FOR NYe0008981
    bandwidth 1450
    ip address 10.69.8.111 255.255.255.0
    ip mtu 1400
    ip flow ingress
    ip pim sparse-mode
    ip nhrp authentication *******************
    ip nhrp map 10.69.8.1 ****************
    ip nhrp network-id **************
    ip nhrp holdtime 300
    ip nhrp nhs 10.69.8.1
    ip nhrp server-only
    ip ospf network broadcast
    ip ospf cost 125
    ip ospf priority 0
    tunnel source Serial0/0/0
    tunnel destination *****************
    tunnel key ****************
    tunnel protection ipsec profile PROFILE-DMVPN-TRAN
    interface FastEthernet0/0
    description PARENT INTERFACE
    no ip address
    ip flow ingress
    ip traffic-export apply CAPTURE size 10000000
    duplex auto
    speed auto
    interface FastEthernet0/0.1
    description DEFAULT VLAN
    encapsulation dot1Q 1 native
    ip address 10.27.19.1 255.255.255.0
    ip helper-address 10.69.16.7
    ip pim sparse-mode
    ip tcp adjust-mss 1344
    ip traffic-export apply CAPTURE size 10000000
    ip policy route-map PBR
    ip ospf priority 0
    interface FastEthernet0/0.10
    description INITIAL VLAN
    encapsulation dot1Q 10
    ip traffic-export apply CAPTURE size 10000000
    interface FastEthernet0/0.20
    description AUTH-FAIL VLAN
    encapsulation dot1Q 20
    ip traffic-export apply CAPTURE size 10000000
    shutdown
    interface FastEthernet0/0.43
    description CREDIT_CARD_SCANNERS
    encapsulation dot1Q 43
    ip address 192.168.43.33 255.255.255.224
    ip nat inside
    ip virtual-reassembly
    zone-member security CC_SCAN_LAN
    ip traffic-export apply CAPTURE size 10000000
    interface FastEthernet0/0.98
    description Remediation Vlan
    encapsulation dot1Q 98
    ip address 10.69.243.1 255.255.255.248
    ip access-group Remediation in
    ip helper-address 10.69.252.7
    ip inspect incoming out
    ip traffic-export apply CAPTURE size 10000000
    ip ospf priority 0
    interface FastEthernet0/0.99
    description GUEST VLAN
    encapsulation dot1Q 99
    ip traffic-export apply CAPTURE size 10000000
    interface FastEthernet0/0.666
    description VENDOR VLAN
    encapsulation dot1Q 666
    ip traffic-export apply CAPTURE size 10000000
    interface FastEthernet0/1
    mtu 1492
    ip address 192.168.1.47 255.255.255.0 secondary
    ip address **************************
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security internet
    duplex auto
    speed auto
    interface Serial0/0/0
    ip address **************************
    ip flow ingress
    encapsulation ppp
    no fair-queue
    service-module t1 remote-alarm-enable
    service-module t1 fdl both
    no cdp enable
    interface BRI0/2/0
    no ip address
    encapsulation ppp
    shutdown
    dialer pool-member 1
    isdn switch-type basic-ni
    isdn point-to-point-setup
    isdn spid1 71878317920101 7831792
    isdn spid2 71878340300101 7834030
    no cdp enable
    interface Async0/1/0
    no ip address
    encapsulation slip
    interface Dialer1
    description T-1 Site ISDN Backup
    ip address 192.168.103.38 255.255.255.0
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    dialer pool 1
    dialer idle-timeout 120 either
    dialer load-threshold 32 either
    dialer-group 1
    no peer default ip address
    no cdp enable
    ppp multilink
    router ospf 1
    router-id 10.27.19.1
    log-adjacency-changes
    area 48 stub
    network 10.27.19.0 0.0.0.255 area 48
    network 10.69.4.0 0.0.0.255 area 48
    network 10.69.7.0 0.0.0.255 area 48
    network 10.69.8.0 0.0.0.255 area 48
    network 10.69.10.0 0.0.0.255 area 48
    network 10.69.243.0 0.0.0.7 area 48
    ip forward-protocol nd
    no ip forward-protocol udp domain
    no ip forward-protocol udp time
    no ip forward-protocol udp netbios-ns
    no ip forward-protocol udp netbios-dgm
    no ip forward-protocol udp tacacs
    ip forward-protocol udp bootpc
    ip route 198.203.191.83 255.255.255.255 ******************** track 1
    ip route 198.203.192.245 255.255.255.255 *************** track 1
    ip route 198.203.192.20 255.255.255.255 ****************** track 1
    ip route 8.8.4.4 255.255.255.255 ***************** track 1
    ip route 4.2.2.2 255.255.255.255 ******************* track 1
    ip route 8.8.8.8 255.255.255.255 ********************** track 10
    ip route 0.0.0.0 0.0.0.0 Dialer1 200
    ip route 10.48.9.254 255.255.255.255 *****************
    ip route 10.48.32.101 255.255.255.255 *****************
    ip route 10.48.32.102 255.255.255.255 *****************
    ip route 161.11.124.78 255.255.255.255 ******************
    ip route 173.226.250.130 255.255.255.255 **************
    ip route 204.89.170.126 255.255.255.255 ****************
    no ip http server
    no ip http secure-server
    ip pim rp-address 10.69.31.1
    ip nat pool CC_DMV_POOL 10.27.19.253 10.27.19.253 prefix-length 24
    ip nat inside source route-map CC_BB_NAT interface FastEthernet0/1 overload
    ip nat inside source route-map CC_DMV_NAT pool CC_DMV_POOL overload
    ip tacacs source-interface FastEthernet0/0.1
    ip access-list extended BBDBU
    permit esp host *****************************
    permit udp host **************************
    permit gre host *******************************
    permit udp host ****************************
    permit gre host **************************
    permit esp host ***********************
    permit ip host **************************
    permit ip host *****************************
    permit icmp any host 8.8.8.8 echo
    permit icmp host 8.8.8.8 any echo-reply
    ip access-list extended BRK
    permit ip 10.27.19.0 0.0.0.255 host 10.69.31.128
    ip access-list extended CAPTURE_IN
    permit ip host 10.27.19.10 host 10.69.66.108
    ip access-list extended CAPTURE_OUT
    permit ip host 10.69.66.108 host 10.27.19.10
    ip access-list extended CC_SCAN_OUT
    permit icmp 192.168.43.32 0.0.0.31 host 8.8.8.8
    permit udp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
    permit tcp 192.168.43.32 0.0.0.31 host 8.8.8.8 eq domain
    permit tcp 192.168.43.32 0.0.0.31 host *************************
    permit tcp 192.168.43.32 0.0.0.31 host **************************
    permit tcp 192.168.43.32 0.0.0.31 host **************************
    permit udp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
    permit udp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
    permit tcp 192.168.43.32 0.0.0.31 host 4.2.2.2 eq domain
    permit tcp 192.168.43.32 0.0.0.31 host 8.8.4.4 eq domain
    ip access-list extended Remediation
    permit ip 10.69.240.0 0.0.15.255 host 10.69.252.7 log
    permit icmp 10.69.240.0 0.0.15.255 10.69.66.0 0.0.0.255 log
    permit tcp any host 10.69.16.182 eq 443 log
    permit tcp any host 10.69.17.38 eq 8444 log
    permit udp any any eq bootps
    deny   ip any any
    ip access-list extended VTY
    permit tcp 10.69.66.0 0.0.0.255 any eq telnet log
    permit tcp 10.69.66.0 0.0.0.255 any eq 22 log
    permit tcp 10.69.31.0 0.0.0.255 any eq 22 log
    permit tcp 10.69.31.0 0.0.0.255 any eq telnet log
    permit tcp 10.48.32.96 0.0.0.7 any eq telnet log
    permit tcp 10.48.32.96 0.0.0.7 any eq 22 log
    permit tcp 1.11.1.0 0.0.0.255 any eq telnet log
    permit tcp 1.11.1.0 0.0.0.255 any eq 22 log
    deny   ip any any
    ip sla 1
    icmp-echo 8.8.8.8 source-interface FastEthernet0/1
    timeout 7000
    threshold 7000
    frequency 10
    ip sla schedule 1 life forever start-time now
    logging 10.69.27.129
    access-list 1 permit 10.69.66.11
    access-list 1 remark SNMP Managers
    access-list 1 permit 10.69.31.97
    access-list 1 permit 10.69.31.100
    access-list 1 permit 10.69.31.101
    access-list 1 permit 10.69.66.59
    access-list 1 permit 10.69.66.108
    access-list 1 permit 10.69.16.223
    access-list 1 permit 10.69.30.242
    access-list 1 permit 10.69.16.250
    access-list 1 permit 10.69.19.229
    access-list 1 permit 10.69.16.150
    access-list 1 permit 10.69.27.129
    access-list 4 permit 10.69.31.148
    access-list 4 permit 10.69.31.149
    access-list 4 permit 10.69.31.150
    access-list 4 permit 10.69.31.151
    access-list 101 deny   ospf any any
    access-list 101 permit ip any any
    dialer-list 1 protocol ip list 101
    route-map CC_DMV_NAT permit 10
    match ip address CC_SCAN_OUT
    match interface Tunnel16
    route-map PBR permit 10
    description BRK
    match ip address BRK
    set ip next-hop 10.69.7.1
    route-map CC_BB_NAT permit 10
    match ip address CC_SCAN_OUT
    match interface FastEthernet0/1
    snmp-server community ******************
    snmp-server community *****************
    snmp-server community ******************
    snmp-server location **********************
    snmp-server enable traps snmp coldstart warmstart
    snmp-server enable traps tty
    snmp-server enable traps flash insertion removal
    snmp-server enable traps envmon
    snmp-server enable traps config
    snmp-server enable traps syslog
    tacacs-server host 10.69.31.18 timeout 10
    tacacs-server host 10.69.31.17
    tacacs-server directed-request
    tacacs-server key 7 ********************
    control-plane
    mgcp fax t38 ecm
    mgcp behavior g729-variants static-pt
    banner login ^C************************************
    Unauthorized Entry To This Device Is
            STRICTLY PROHIBITED
    ************************************^C
    line con 0
    exec-timeout 30 0
    logging synchronous
    line aux 0
    line 0/1/0
    exec-timeout 60 0
    modem InOut
    modem autoconfigure discovery
    transport input all
    stopbits 1
    speed 115200
    flowcontrol hardware
    line vty 0 4
    access-class VTY in
    exec-timeout 30 0
    password 7 *********************
    logging synchronous
    transport input ssh
    scheduler allocate 20000 1000
    end

  • Fetch TV & Cisco 877 IGMP/Streaming

    Hi Guys,
    Hoping someone could help me, I'm trying to configure my Cisco 877 ADSL border. It uses the ATM interface to talk to the ADSL. The Fetch TV uses multicast IP streams for the "on demand" TV.
    Here is my config:
    version 15.1
    no service pad
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    hostname modem
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.151-1.T.bin
    boot-end-marker
    logging buffered 65535
    logging console informational
    enable secret 5 $1$..Bq$NExIrcIg236vxFoCKMjOC1
    aaa new-model
    aaa authorization exec default local
    aaa session-id common
    clock timezone EST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 2:00
    clock save interval 8
    dot11 syslog
    ip source-route
    ip cef
    no ip bootp server
    ip domain name tehintartubes.net
    ip name-server 203.0.178.191
    no ipv6 cef
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    ip ssh time-out 90
    ip ssh authentication-retries 2
    ip ssh version 1
    bridge irb
    interface ATM0
    description --- Internode ADSL ---
    no ip address
    no atm ilmi-keepalive
    pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
    interface ATM0.1 point-to-point
    description IPTV-PVC
    ip pim sparse-dense-mode
    ip igmp unidirectional-link
    atm route-bridged ip
    interface ATM0.2 point-to-point
    ip pim sparse-dense-mode
    ip igmp unidirectional-link
    ip igmp proxy-service
    bridge-group 1
    bridge-group 1 spanning-disabled
    pvc iptv-vc 0/35
      encapsulation aal5snap
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    description --- Ethernet LAN ---$FW_INSIDE$
    no ip address
    ip virtual-reassembly
    bridge-group 1
    interface Vlan2
    no ip address
    shutdown
    interface Dialer0
    description --- Internode ADSL ---$FW_OUTSIDE$
    ip address negotiated
    ip pim sparse-dense-mode
    ip nat outside
    ip virtual-reassembly max-reassemblies 1024
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp chap refuse
    ppp pap sent-username << TOP SEKRETS >>
    no cdp enable
    interface BVI1
    ip address << TOP SEKRETS >> 255.255.255.252 secondary
    ip address << TOP SEKRETS >>3 255.255.255.0
    ip pim sparse-dense-mode
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip igmp helper-address udl ATM0.2
    ip igmp mroute-proxy ATM0.2
    ip igmp proxy-service
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip static nat entries for my ports are here
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    logging trap debugging
    logging 192.168.12.250
    access-list 1 permit 192.168.12.0 0.0.0.255
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    password << TOP SEKRETS >>
    no modem enable
    line aux 0
    line vty 0 4
    access-class 1 in
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp source Dialer0
    ntp master
    ntp server 211.31.132.130
    ntp server 192.231.203.132
    ntp server 211.31.132.139
    sntp server 192.231.203.132
    end
    Any help would be appreciated, as I can't get the IP multicast to work across the ATM interface.
    Thanks
    Jeff

    Here is an updated config that I've added together.
    version 15.1
    no service pad
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    hostname modem
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.151-1.T.bin
    boot-end-marker
    logging buffered 65535
    logging console informational
    enable secret 5 <>
    aaa new-model
    aaa authorization exec default local
    aaa session-id common
    clock timezone EST 10
    clock summer-time AEST recurring last Sun Oct 2:00 last Sun Mar 2:00
    clock save interval 8
    <>
    dot11 syslog
    ip source-route
    ip cef
    no ip bootp server
    ip domain name tehintartubes.net
    ip name-server 203.0.178.191
    ip multicast-routing
    ip multicast auto-enable
    no ipv6 cef
    multilink bundle-name authenticated
    archive
    log config
      hidekeys
    ip ssh time-out 90
    ip ssh authentication-retries 2
    ip ssh version 1
    bridge irb
    interface ATM0
    description --- ADSL IF ---
    no ip address
    ip pim nbma-mode
    ip pim version 1
    ip pim bsr-border
    ip pim sparse-dense-mode
    ip igmp version 3
    ip igmp limit 64000
    ip igmp unidirectional-link
    ip igmp proxy-service
    no atm ilmi-keepalive
    pvc 8/35
      tx-ring-limit 3
      encapsulation aal5snap
      protocol ppp dialer
      dialer pool-member 1
    interface ATM0.1 point-to-point
    description IPTV-PVC
    ip pim sparse-dense-mode
    ip igmp unidirectional-link
    atm route-bridged ip
    interface ATM0.2 point-to-point
    ip pim sparse-dense-mode
    ip multicast boundary 101 in
    ip multicast boundary 101 out
    ip multicast boundary 101 filter-autorp
    ip igmp unidirectional-link
    ip igmp mroute-proxy ATM0
    ip igmp proxy-service
    atm route-bridged ip
    bridge-group 1
    bridge-group 1 spanning-disabled
    pvc iptv-vc 0/35
      encapsulation aal5snap
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Vlan1
    description ---AUTHLAN---
    no ip address
    ip virtual-reassembly
    bridge-group 1
    interface Vlan2
    no ip address
    shutdown
    interface Dialer0
    description ---PPPDialler---
    ip address negotiated
    ip nat outside
    ip virtual-reassembly max-reassemblies 1024
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp chap refuse
    ppp pap sent-username <> password 7 <>
    no cdp enable
    interface BVI1
    ip address 124.148.137.118 255.255.255.252 secondary
    ip address 192.168.12.253 255.255.255.0
    ip pim sparse-dense-mode
    ip multicast boundary 101 in
    ip multicast boundary 101 out
    ip multicast boundary 101 filter-autorp
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip igmp helper-address 202.58.240.35
    ip igmp version 3
    ip igmp mroute-proxy ATM0
    ip igmp proxy-service
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat translation tcp-timeout 500
    ip nat translation udp-timeout 30
    ip nat translation finrst-timeout 30
    ip nat translation syn-timeout 30
    ip nat translation dns-timeout 30
    ip nat translation icmp-timeout 30
    << static translations omitted >>
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    map-class atm iptv
    logging trap debugging
    logging 192.168.12.250
    access-list 1 permit 192.168.12.0 0.0.0.255
    access-list 101 permit ip 224.0.0.0 31.255.255.255 any
    snmp-server community public RW
    snmp-server ifindex persist
    snmp-server trap link ietf
    snmp-server trap-source ATM0
    snmp-server location RACK1
    snmp-server contact Jeffy
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    password 7 <>
    no modem enable
    line aux 0
    line vty 0 4
    access-class 1 in
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp source Dialer0
    ntp master
    ntp server 211.31.132.130
    ntp server 192.231.203.132
    ntp server 211.31.132.139
    sntp server 192.231.203.132
    end

  • Port Forwarding for RDP 3389 is not working

    Hi,
    I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
    TAMSATR1#show run
    Building configuration...
    Current configuration : 11082 bytes
    version 15.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname TAMSATR1
    boot-start-marker
    boot system flash:/c880data-universalk9-mz.152-1.T.bin
    boot-end-marker
    logging count
    logging buffered 16384
    enable secret
    aaa new-model
    aaa authentication login default local
    aaa authentication login ipsec-vpn local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1879941380
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879941380
    revocation-check none
    rsakeypair TP-self-signed-1879941380
    crypto pki certificate chain TP-self-signed-1879941380
    certificate self-signed 01
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip dhcp excluded-address 10.20.30.250
    ip dhcp pool tamDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    domain-name domain.com
    dns-server 10.20.30.20 8.8.8.8
    ip domain name domain.com
    ip name-server 10.20.30.20
    ip cef
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn
    crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
    ip tftp source-interface Vlan1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    zone security sslvpn-zone
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp policy 20
    encr aes 192
    authentication pre-share
    group 2
    crypto isakmp key password
    crypto isakmp client configuration group ipsec-ra
    key password
    dns 10.20.30.20
    domain tamgmt.com
    pool sat-ipsec-vpn-pool
    netmask 255.255.255.0
    crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto ipsec profile VTI
    set security-association replay window-size 512
    set transform-set TSET
    crypto dynamic-map dynmap 10
    set transform-set ipsec-ra
    reverse-route
    crypto map clientmap client authentication list ipsec-vpn
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 10.20.250.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    interface Tunnel0
    description To AUS
    ip address 192.168.10.1 255.255.255.252
    load-interval 30
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile VTI
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address 1.2.3.4
    ip access-group INTERNET_IN in
    ip access-group INTERNET_OUT out
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache cef
    ip route-cache policy
    ip policy route-map IPSEC-RA-ROUTE-MAP
    duplex auto
    speed auto
    crypto map clientmap
    interface Virtual-Template1
    ip unnumbered Vlan1
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
    ip default-gateway 71.41.20.129
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
    ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
    ip nat inside source static 10.20.30.20 (public ip)
    ip route 0.0.0.0 0.0.0.0 public ip
    ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
    ip access-list extended ACL-POLICY-NAT
    deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
    deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
    deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
    permit ip 10.20.30.0 0.0.0.255 any
    permit ip 10.20.31.208 0.0.0.15 any
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended INTERNET_IN
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit esp host 24.153. host 66.196
    permit udp host 24.153 host 71.41.eq isakmp
    permit tcp host 70.123. host 71.41 eq 22
    permit tcp host 72.177. host 71.41 eq 22
    permit tcp host 70.123. host 71.41. eq 22
    permit tcp any host 71..134 eq 443
    permit tcp host 70.123. host 71.41 eq 443
    permit tcp host 72.177. host 71.41. eq 443
    permit udp host 198.82. host 71.41 eq ntp
    permit udp any host 71.41. eq isakmp
    permit udp any host 71.41eq non500-isakmp
    permit tcp host 192.223. host 71.41. eq 4022
    permit tcp host 155.199. host 71.41 eq 4022
    permit tcp host 155.199. host 71.41. eq 4022
    permit udp host 192.223. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit tcp any host 10.20.30.20 eq 3389
    evaluate INTERNET_REFLECTED
    deny   ip any any
    ip access-list extended INTERNET_OUT
    permit ip any any reflect INTERNET_REFLECTED timeout 300
    ip access-list extended IPSEC-RA-ROUTE-MAP
    deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
    deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
    permit ip 10.20.30.208 0.0.0.15 any
    deny   ip any any
    access-list 23 permit 70.123.
    access-list 23 permit 10.20.30.0 0.0.0.255
    access-list 24 permit 72.177.
    no cdp run
    route-map IPSEC-RA-ROUTE-MAP permit 10
    match ip address IPSEC-RA-ROUTE-MAP
    set ip next-hop 10.20.250.2
    banner motd ^C
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
    ^C
    line con 0
    logging synchronous
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0
    access-class 23 in
    privilege level 15
    logging synchronous
    transport input telnet ssh
    line vty 1 4
    access-class 23 in
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 198.82.1.201
    webvpn gateway gateway_1
    ip address 71.41. port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-1879941380
    inservice
    webvpn context TAM-SSL-VPN
    title "title"
    logo file titleist_logo.jpg
    secondary-color white
    title-color #CCCC66
    text-color black
    login-message "RESTRICTED ACCESS"
    policy group policy_1
       functions svc-enabled
       svc address-pool "sat-ipsec-vpn-pool"
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 10.0.0.0 255.0.0.0
       svc split include 192.168.0.0 255.255.0.0
       svc split include 172.16.0.0 255.240.0.0
       svc dns-server primary 10.20.30.20
       svc dns-server secondary 66.196.216.10
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    ssl authenticate verify all
    inservice
    end

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading.)
    I have not really had to deal with routers at all, since we do all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a static NAT configured for the same internal host, so I am wondering why the static PAT (port forward) is used?
    - Jouni
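As an added illustration (not code from the thread or from Cisco), a small Python model of the processing order behind Jouni's point: on the NAT outside interface, IOS evaluates the inbound ACL against the packet before the static PAT rewrites its destination, so an entry that permits the inside address 10.20.30.20 never sees an inbound RDP SYN. The public address is a constructed placeholder (the poster redacted it), the client address is constructed, and the ACL semantics are simplified to the entries involved.

```python
"""Toy model of IOS outside-to-inside order (inbound ACL, then NAT) to show
why the posted INTERNET_IN entry never matches an RDP port-forward.
Added example, not the poster's or Cisco's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str              # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int]  # None means any destination port


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    """One access-control entry against one packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(ace.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(ace.dst):
        return False
    return ace.dport is None or ace.dport == pkt.dport


def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# Placeholder for the public address the poster redacted as "(public ip)".
PUBLIC_IP = "203.0.113.10"
SERVER_IP = "10.20.30.20"   # internal RDP server from the page
RDP_PORT = 3389

# Models: ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
STATIC_PAT = {("tcp", PUBLIC_IP, RDP_PORT): (SERVER_IP, RDP_PORT)}


def inbound_outside(pkt: Packet, acl: List[Ace]) -> Optional[Packet]:
    """Outside-to-inside path on the NAT outside interface.

    The inbound ACL is evaluated on the untranslated packet, so it sees
    the public destination address; NAT runs only afterwards.
    Returns the translated packet, or None when the ACL dropped it."""
    if acl_action(acl, pkt) != "permit":
        return None
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key in STATIC_PAT:
        inside_ip, inside_port = STATIC_PAT[key]
        return Packet(pkt.proto, pkt.src, inside_ip, inside_port)
    return pkt  # no translation entry: forwarded unchanged


ANY = "0.0.0.0/0"
# The page's entry "permit tcp any host 10.20.30.20 eq 3389" plus its trailing deny.
ACL_AS_POSTED = [Ace("permit", "tcp", ANY, SERVER_IP + "/32", RDP_PORT),
                 Ace("deny", "ip", ANY, ANY, None)]
# Corrected entry: permit the public (pre-NAT) address the ACL actually sees.
ACL_FIXED = [Ace("permit", "tcp", ANY, PUBLIC_IP + "/32", RDP_PORT),
             Ace("deny", "ip", ANY, ANY, None)]

# Constructed sample: an RDP SYN from a remote client to the router's public address.
RDP_SYN = Packet("tcp", "198.51.100.7", PUBLIC_IP, RDP_PORT)

if __name__ == "__main__":
    print("as posted:", inbound_outside(RDP_SYN, ACL_AS_POSTED))  # None: dropped by the ACL
    print("fixed:    ", inbound_outside(RDP_SYN, ACL_FIXED))      # translated to 10.20.30.20:3389
```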
