WRT300N: Class C routing & NAT

Hi,
I've just been brought in as a network admin to manage the network of a small 'net cafe. The network the previous admin had set up really turned out to be a disaster.
Okay, here's the breakdown of the equipment I have available:
30 hosts
3 switches (10 hosts each)
1 WRT300N broadband router
Note: Wireless services are not being used
The ISP over here has assigned us five IP addresses, but since we have 30 hosts we obviously need to use NAT.
What I would like to do is implement some sort of Class C subnetting for the three groups of hosts connected into the switches.
I'd like to use subnets of either 192.168.1.0-192.168.3.0 (255.255.255.0) or even a mask of 255.255.255.240 since a block size of 16 on each subnet will be sufficient. (Each switch is connected into a port of the WRT300N).
My questions are: Can I accomplish this using just the WRT300N and still be able to use NAT to enable my hosts to access the 'net through ADSL? And if so, how? And if this is not possible, then do I need to get another Linksys router so that I can get my network up and running smoothly by connecting the WRT300N to the new router and then connecting the switches to the new router as well? If this is the case, which wireless router would all of you recommend I get?
The name of the game here is to optimize speed, so I'd really like to break down the broadcast domains by subnetting.
Thanks in advance.
- T.

Yes, you can use the router WRT350N for using the NAT settings on the router ....
You can connect the router in between Modem & Switch ...
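The /28 plan from the question (three switches, 10 hosts each, block size 16), worked through as an added Python example that is not part of the thread. It generalizes the idea: given a base block and the host count per switch, it picks the smallest prefix per group (leaving one address for the router), packs the subnets largest-first so they cannot overlap, and reports the gateway and usable-host count for each. Group names and the 192.168.1.0/24 base are assumptions taken from the question.

```python
import ipaddress


def smallest_prefix(hosts_needed, gateway=True):
    """Longest IPv4 prefix whose usable range (block size minus network and
    broadcast) holds hosts_needed hosts plus, by default, one router address."""
    need = hosts_needed + (1 if gateway else 0)
    prefix = 30                       # /30 is the smallest block with usable hosts
    while prefix > 0 and (1 << (32 - prefix)) - 2 < need:
        prefix -= 1
    if prefix == 0:
        raise ValueError(f"{hosts_needed} hosts do not fit in any IPv4 block")
    return prefix


def plan_subnets(base, groups, gateway=True):
    """Carve `base` into one subnet per group. `groups` maps a name (here a
    switch) to its host count. Largest groups are placed first so the blocks
    pack without gaps. Returns {name: {"network", "gateway", "usable_hosts"}}."""
    free = [ipaddress.ip_network(base)]            # unallocated blocks
    plan = {}
    for name, hosts in sorted(groups.items(), key=lambda kv: kv[1], reverse=True):
        prefix = smallest_prefix(hosts, gateway)
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:          # first free block big enough
                break
        else:
            raise ValueError(f"no room left in {base} for {name} ({hosts} hosts)")
        chosen = block if block.prefixlen == prefix else next(block.subnets(new_prefix=prefix))
        free.pop(i)
        free.extend(block.address_exclude(chosen))  # return the leftover pieces
        free.sort(key=lambda n: (int(n.network_address), n.prefixlen))
        plan[name] = {
            "network": chosen,
            "gateway": chosen[1],                   # first usable address, for the router
            "usable_hosts": chosen.num_addresses - 2,
        }
    return plan


def overlaps(plan):
    """Pairs of group names whose subnets overlap; must be empty for a valid plan."""
    items = list(plan.items())
    return [(a, b) for i, (a, pa) in enumerate(items)
            for b, pb in items[i + 1:] if pa["network"].overlaps(pb["network"])]


if __name__ == "__main__":
    # The scenario from the question: three switches with 10 hosts each.
    cafe = plan_subnets("192.168.1.0/24", {"switch1": 10, "switch2": 10, "switch3": 10})
    for name, entry in cafe.items():
        print(f"{name}: {entry['network']}  gateway {entry['gateway']}  "
              f"usable hosts {entry['usable_hosts']}")
    assert not overlaps(cafe)
```

Each switch lands in its own /28 (192.168.1.0, .16 and .32), so each broadcast domain holds at most 14 hosts; whether one box can also route between those three subnets and NAT them is a separate question from the addressing.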

Similar Messages

  • Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

    Hi,
    I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
    I have 3 web servers behind a router.
    Public interface: 3 public ip adresses
    Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
    I would to know the best way to redirect http traffic to the right server.
    My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
    So if you have some advise for this case, it would be really appreciated.
    Thank you.
    Chris.

    Hello Christophe,
    As I understand, you want first that
    if somebody goes to A.local.com from the internet then he will be redirected to 192.168.1.10 in your internal network.
    That means you need a static mapping between your public IP address and your local IP address.
    For this example, your local interface is Fa0/0.1 and I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
    That is the config for Web Server1. You can do the same with the remaining servers:
    interface fa0/0.1
     ip nat inside
    interface serial0/0
     ip nat outside
    ! static mapping from local to public
    ip nat inside source static 192.168.1.10 172.1.2.3
    I suppose you have done the DNS mapping in your network and the ISP has done the same in his network.
    ip route 172.1.2.3 255.255.255.255 serial0/0
    or
    ip route 0.0.0.0 0.0.0.0 serial0/0
    After these steps for each web server, you will get the mapping.
    Now you can restrict access to this IP to only the http or https protocol at your ISP and then on your local network,
    like
    ip access-list extended ACL_WebServer1
     permit tcp any host 192.168.1.10 eq www
     deny ip any host 192.168.1.10
    exit
    interface fa0/0.1
     ! applied outbound on the inside sub-interface, so it filters traffic heading to the server
     ip access-group ACL_WebServer1 out
     no shut
    exit
    That is the first step.
    Second step: you want to filter traffic by URL, which means layer 5 to 7 filtering.
    I am not sure that it is possible using a Cisco router with (ZBF + Regex).
    Check the first step and let us know!
    Please rate and mark as correct if it is the case. 
    Regards,

  • WRT160N v2 Router NAT type

    I am attempting to set the NAT type to OPEN for Xbox Live, for the Xbox 360, on my WRT160N v2 wireless router; however, my Xbox is hardwired to the router (since I don't have a wireless adapter for the 360). I cannot figure out how to change the NAT type in the online wireless setup (I was able to enable UPnP, but couldn't find the NAT type).

    Open an Internet Explorer browser page. In the address bar type 192.168.1.1
    Leave username blank & in password use admin in lower case...
    Click on "Applications and Gaming" tab and then click on "Port Range Forwarding" subtab...
    1) On the first line in Application box type in ABC, in the start box type in 88 and End box type in 88, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
    2) On the second line in Application box type in PQR, in the start box type in 3074 and End box type in 3074, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
    3) On the third line in Application box type in XYZ, in the start box type in 53 and End box type in 53, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box and click on Save Settings...
    4) Once you return to the set up page click on the Security tab and uncheck Block Anonymous Internet Requests and click on Save Settings...
    5) Click on set-up and change the MTU Size to 1452 and click Save Settings...
    6) Go to the Xbox Network Settings and IP Address Settings and select manual IP Settings and assign the following on your Xbox
    IP Address :- 192.168.1.20, Subnet Mask :- 255.255.255.0, Default Gateway :- 192.168.1.1...
    7) Also assign the DNS Addresses on the Xbox
    Primary dns :- 4.2.2.2...Secondary dns :- 192.168.1.1
    8) Turn off your modem, router, and Xbox...Wait for a minute...
    9) Plug the modem power first, wait for another minute and plug the router power cable, wait another minute and turn on the Xbox and test it...it will connect...

  • Need firewall/ router / nat / vpn recommendation

    As the title states, I'm looking for an all-in-one hardware solution (not software) that will work seamlessly with our Xserve. Right now we are using a consumer grade Linksys vpn/router as a temporary solution. We also have a business series Linksys 24-port switch, so I don't need the router to handle any of that.
    We have about 15 users in the office. The vpn will need to support about 3-5 users at any one time, both Mac and Windows clients. We would like to utilize PPTP since it is easier to setup. The internet is provided via Cox cable and sits around 5MB of bandwidth.
    Any recommendations would be greatly appreciated. I would prefer to base this purchase on those who use a solution in a production environment as opposed to hearsay.
    Thanks in advance.

    We use a SonicWALL TZ 170 for that, and it works fine. The current product is the TZ 180, its replacement, which is a bit faster. The TZ 180 can handle 5 MB bandwidth with Intrusion Prevention Services on (signature watching on packet inspection); about 6 MB is the real limit for the TZ 170 with IPS (don't believe the marketing sheets that say faster). With 15 users in your office, you might want the PRO 2040 rather than the TZ 180 for increased processor power. Avoid the 1260, which is essentially just a TZ 170 with a switch on the back end.
    Supports the major VPN protocols. If you want to use IKE, you will need the Equinux VPN Tracker client for the Macs (SonicWALL doesn't have a Mac VPN client). Note that their Vista VPN client is now in beta, people are having mixed results with it. No Vista 64 bit VPN client is even announced.
    We have used it for several years with Mac VPN (VPN Tracker) from iMacs at our homes to our Xserve G5 and LAN, works fine. SonicWALL support is Mac hostile, they claim it doesn't work with Macs. Hogwash. Be prepared for Bob from Bangalore for the Level 1 and Level 2 support people, who seem untrained on the product line. The Level 3 support people are good, except when you get the anti-Macintosh bigots.
    If you need to do NAPT (NAT with port translation), you will have to get the SonicOS Enhanced OS. SonicOS Standard can do NAT but not port translation. The learning curve on SonicOS Standard is not that bad; SonicOS Enhanced is a very different animal - more powerful and featured but more difficult to set up.
    Sonic's business model is to pretty much give the hardware away and make it up on support contracts/licenses for firmware/hardware support, IPS, Anti-Spyware, Anti-Virus licensing, etc. The hardware is reliable.
    Hope that helps,
    Russ
    Xserve G5 2.0 GHz 2 GB RAM   Mac OS X (10.4.8)   Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u

  • Routes, NAT & Sec IP Address lost at reboot

    Hi
    I don't know if this is the correct forum but I have BM installed.
    I have a NW 6.5sp1 BorderManager 3.8. Every time I reboot the server I
    lose the configuration of one of my entries on the static routing table.
    The NAT is set up to dynamic and it is lost just sometimes. The secondary
    IP addresses are commented out in the autoexec.ncf (I don't want them anymore) and
    they are configured after each reboot even if I comment them.
    tcpcfg.nlm Version 6.50.24
    inetcfg Version 6.50.19
    Any HELP would be really appreciated
    Best Regards
    Mariandrea

    > In article <U7Qhc.870$[email protected]>, wrote:
    > > But I still don't know what to do with the problem of my route, it keeps
    > > disappearing every time I boot my server. All other routes are OK, it is
    > > just one that I configured last week
    > >
    > Do you have RIP or OSPF enabled?
    >
    > Are you setting routes with TCPCON (which does not make permanent changes)?
    > Use INETCFG, Protocols, TCPIP, LAN Static Routing instead.
    >
    > Craig Johnson
    > Novell Support Connection SysOp
    > *** For a current patch list, tips, handy files and books on
    > BorderManager, go to http://www.craigjconsulting.com ***
    >
    RIP is disabled
    OSPF is disabled
    I am always using INETCFG to configure the routes and some of the routes
    get saved but the one I configured lately doesn't stay
    Thanks
    Mariandrea

  • Load Program to Assign Class to Routing Operation

    Hello Experts,
       I used the standard batch direct input program to load Routings/operations/bom component allocation etc.
    We also have a requirement to assign Class(for class type 018) to each of these operations.
    Please suggest a standard load program to assign classification to a routing operation.
    Thanks
    Kishore

    Found the answer

  • WRT310n - Routing/NAT stopped working

    Hello Cisco Forums,
    I'll try to make this as detailed as I can, tell me if I've missed anything.
    I've been on vacation for 2 weeks (all computers were OFF, but the WRT310N stayed ON) and when I came back none of my computers could access the internet. I have Linux, Vista and Windows 7 computers on this network, so this is not OS-related.
    Every computer gets an IP from the router's DHCP server, they each can ping the router but they can't ping outside addresses. I've tried the "Diagnostic" utility in the router administrator interface and I can ping google from the router, but not from any other computer.
    I've tried pinging my ISP gateway and Google using their IPs (bypassing the DNS) but to no avail.
    Setting a static IP and ISP DNSes on a computer doesn't work either.
    I've rebooted the router, rebooted the cable modem, renewed the IPs, rebooted the computers and restarted the network interfaces. Nothing works. Wireless works fine, but no external access.
    So, the router sees the internet but the NATted computers do not!
    This was working fine 2 weeks ago.
    What else could I try? I'm at a loss here...
    Thanks for your help!

    Try to verify the following:
    if the router can ping hosts on the internet like this ip address 4.2.2.2
    if the gateway's IP address on your computers is set to the router IP address.
    if the NAT on the router is enabled
    if you've configured a policy to restrict internet access.
    if you do not want to use your ISP's dns server, then fill the dns fields in the DHCP section (in the setup screen)  with values: 4.2.2.1 and 4.2.2.2.
    Hope this helps!
    Linksys router setup

  • Router NAT Configuration

    Hi,
    I have a pc behind a nat router with ip 192.168.1.2.
    By setting a virtual server in my router configuration, when a request arrives at my router on port 1099, the router sends this request to my PC.
    So clients can connect to the rmiregistry running on my PC.
    The RMI server object is registered with the option
    -Djava.rmi.server.hostname=82.xx.xx.xx (public IP of router)
    so clients connect to this public IP to find the RMI object.
    My problem is this: when I run the RMI server object with this option, after 25 seconds the object falls.
    If I run it without this option, it doesn't fall but it is registered with the local IP and clients can't connect to it.
    RmiRegistry and RmiServerObject run on the same local pc behind router.
    Thanks.
    Bye

    If I knew why it falls I could resolve it.
    There isn't an exception error.
    This is the main function of MyServerImpl, which extends UnicastRemoteObject and implements the MyServer interface.
    // at the top of the file
    import java.rmi.Naming;
    import java.rmi.RMISecurityManager;

    // Keep a strong reference to the exported object. A local variable in main()
    // is the only reference once main() returns; if the registry cannot renew its
    // DGC lease (it reaches the object through the router's public IP), the object
    // becomes collectable and the JVM exits once no exported objects remain. This
    // is a common cause of an RMI server quitting after a few seconds.
    private static GestioneDatiExAllievi_IMPL istanza;

    public static void main(String args[]) {
        String rmiregistry_host = "localhost";
        // String rmiregistry_host="192.168.1.5";
        // String rmiregistry_host="82.51.85.191";
        String URL = "jdbc:odbc:DBExAllievi";
        String driver = "sun.jdbc.odbc.JdbcOdbcDriver";
        if (args.length == 1) {
            rmiregistry_host = args[0];
        } else if (args.length == 3) {
            rmiregistry_host = args[0];
            driver = args[1];
            URL = args[2];
        }
        System.setSecurityManager(new RMISecurityManager());
        try {
            istanza = new GestioneDatiExAllievi_IMPL();
            istanza.settaggi(driver, URL);
            // bind the servant under its name in the registry at rmiregistry_host
            Naming.rebind("//" + rmiregistry_host + "/GestioneDatiExAllievi", istanza);
            System.out.println("Registrazione oggetto remoto effettuata");
        } catch (Exception e) {
            System.out.println(e.getMessage());
        }
    }
    This is the output:
    http://www.cplusplus.it/file/output.jpg
    The string "Registrazione oggetto remoto effettuata" is shown, so there is no exception, but after 24 seconds the application exits.
    Instead, if I run without -Djava.rmi.server.hostname=82.51.85.191 it's all OK, but my RMI object is registered with the local IP, so I can't use it over the internet but only in the LAN.
    I hope I have now explained the problem better.
    Sorry.

  • Router NAT IP block using Access List

    Hi All
       Strange issue we have here. First time I've come across this.
       Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25 say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25??
    Thanks all!

    Anyone?

  • Problem with Cisco 831 router NAT translation or routing

    Hello,
    I've reviewed several posts on this forum, very useful, and I think this 831 router config should allow for NATing port 8080 to the 'inside' IP address, per this statement below, but my efforts have not been successful: no responses get back to the outside client (xx.24.40). Clients on the inside can communicate outbound fine. The IIS server at .10.3 is definitely up and running on port 8080. I know this is probably a duplicate of other posts but if anyone can pinpoint my error I would really appreciate it!!
    ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
    Here is some debug ip nat output when attempting to connect on port 8080; I do not get a response back from the server to the external client (xx.24.40)....
    Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]    
    Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
    Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]    
    Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
    Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]    
    Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
    Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]    
    Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
    Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]    
    Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
    Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]    
    Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
    Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]    
    Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
    Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]    
    Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
    Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
    538-R1023-C830#sh running-config full
    Building configuration...
    Current configuration : 4329 bytes
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname 538-R1023-C830
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no logging console
    no aaa new-model
    resource policy
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool sdm-pool
       import all
       network 10.10.10.0 255.255.255.0
       default-router 10.10.10.1
       dns-server 10.1.18.152
       lease 0 2
    ip cef
    ip domain list sd.cox.net
    ip domain name sd.cox.net
    no ip ips deny-action ips-interface
    no ftp-server write-enable
    crypto pki trustpoint TP-self-signed-75609932
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-75609932
    revocation-check none
    rsakeypair TP-self-signed-75609932
    crypto pki certificate chain TP-self-signed-75609932
    certificate self-signed 01
    <snip>
    interface Ethernet0
    description inside
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    interface Ethernet1
    description outside
    ip address dhcp
    ip access-group 101 in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    interface Ethernet2
    no ip address
    shutdown
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    no ip classless
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source list 1 interface Ethernet1 overload
    ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
    logging trap debugging
    logging 10.10.10.3
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 101 permit ip any any
    control-plane
    banner login ^C
    ^C
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    Hi Alain,
    Yes, the client I was testing with is on the same subnet as the public router IP. Good thought on the firewall, I will disable any firewall on the IIS machine (my laptop) and re-test. I will reply with those results on Monday. Ultimately I'm needing to test NAT for port 9100 to a printer; I'll add that and test as well, a firewall shouldn't be a factor with the printer.
    thank you.
    Grant
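A small parser for the `debug ip nat` lines quoted above, added here as an example that is not from the thread. It counts packets translated toward the inside host and replies translated back out, flags the one-way pattern in the post (the same client port logged repeatedly, no `s=10.10.10.3->...` lines, then the translation expiring), and contrasts it with what a responding server looks like. The sample lines are constructed in the quoted format with the redacted xx.xx.254.x addresses replaced by the documentation range 203.0.113.0/24 (.128 for the router's public side, .40 for the test client).

```python
import re
from collections import defaultdict

# Constructed samples. NO_REPLY reproduces the pattern from the post; HEALTHY
# adds the reply line a working server produces (source rewritten inside->public).
NO_REPLY = """\
Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (203.0.113.40, 44123) -> (203.0.113.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (203.0.113.40, 44122) -> (203.0.113.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (203.0.113.40, 44123) -> (203.0.113.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21679]
Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (203.0.113.40, 44123) -> (203.0.113.128, 8080) [21685]
Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21685]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring 203.0.113.128 (10.10.10.3) tcp 8080 (8080)
"""
HEALTHY = """\
Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (203.0.113.40, 44124) -> (203.0.113.128, 8080) [21698]
Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21698]
Feb 03 13:23:10 10.10.10.1 297484: *Mar 2 00:09:52.930: NAT: s=10.10.10.3->203.0.113.128, d=203.0.113.40 [21699]
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# New session seen on the outside interface: the only line carrying the client port.
OPEN_RE = re.compile(rf"NAT: o: (?P<proto>\w+) \((?P<src>{IP}), (?P<sport>\d+)\) -> \((?P<dst>{IP}), (?P<dport>\d+)\)")
# Destination rewritten public -> inside: packet forwarded toward the server.
INBOUND_RE = re.compile(rf"NAT: s=(?P<src>{IP}), d=(?P<glob>{IP})->(?P<inside>{IP})")
# Source rewritten inside -> public: the server's reply going back out.
REPLY_RE = re.compile(rf"NAT: s=(?P<inside>{IP})->(?P<glob>{IP}), d=(?P<dst>{IP})")
EXPIRE_RE = re.compile(rf"NAT: expiring {IP} \((?P<inside>{IP})\) (?P<proto>\w+) (?P<gport>\d+)")


def analyze(log_text):
    """Count translations per (client, inside host) in both directions and
    flag flows that only ever go one way. Syslog prefixes are ignored."""
    opens = defaultdict(int)     # (client, sport, dport) -> times the open was logged
    inbound = defaultdict(int)   # (client, inside) -> packets translated toward inside
    replies = defaultdict(int)   # (client, inside) -> packets translated back out
    expired = []
    for line in log_text.splitlines():
        if m := OPEN_RE.search(line):
            opens[(m["src"], int(m["sport"]), int(m["dport"]))] += 1
        elif m := REPLY_RE.search(line):
            replies[(m["dst"], m["inside"])] += 1
        elif m := INBOUND_RE.search(line):
            inbound[(m["src"], m["inside"])] += 1
        elif m := EXPIRE_RE.search(line):
            expired.append((m["inside"], int(m["gport"])))
    return {
        "inbound": dict(inbound),
        "replies": dict(replies),
        # the same client port logged more than once means the client resent its SYN
        "retransmits": {k: n for k, n in opens.items() if n > 1},
        # inside host received packets but never answered through the NAT
        "one_way": sorted(k for k in inbound if replies.get(k, 0) == 0),
        "expired": expired,
    }


def verdict(result):
    """One-line diagnosis from the counters."""
    if result["one_way"]:
        return ("no reply from inside host: check the host firewall, that the service "
                "listens on the forwarded port, and that the host's default gateway "
                "is the router")
    if result["retransmits"]:
        return "replies seen but clients retransmitted: intermittent path, check for drops"
    return "translations flow both ways"


if __name__ == "__main__":
    for label, log in (("NO_REPLY", NO_REPLY), ("HEALTHY", HEALTHY)):
        r = analyze(log)
        print(f"{label}: inbound={r['inbound']} replies={r['replies']} "
              f"retransmits={r['retransmits']} -> {verdict(r)}")
```

The NAT entry itself is working in the quoted output (every inbound packet is rewritten to 10.10.10.3); what is missing is any translated reply, which points at the inside host rather than the router.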

  • Router Natting

    Hello,
    I have only 1 public IP on my router outside interface which is connected to the ISP.
    I just want to confirm the below with you experts:
    I want to create a site-to-site VPN with other branches; I have a proper IOS ------- I hope I can do it.
    The public IP on the router outside interface, can I use the same IP for static NATing of a web server (one to one)????? If I use it in static NATing and I ping the public IP from the internet, will it ping the router interface or the server IP????-------- I hope we can't do it.
    If I'm not wrong then, I hope I can use service distribution with that same public IP but not static NATing (one to one).
    I hope there is no concept of a firewall such that if we do NATing we need an access-list; on a router, without an access-list, users from the internet can also access the inside servers, only NATing needs to be provided.
    Tx

    Hello Estela,
    1- Yes you can configure a VPN site to site as long as the router supports it
    2-You cannot do a static one to one with the outside interface of the ASA that will be used for other hosts to go to the internet; instead of that you can configure port-forwarding that will work for inbound connections (just TCP and UDP as these protocols use ports)
    3-Yes, you can do it as I explained in the previous answer
    4-That is correct, without ACL everything is allowed.
    Regards,
    Julio
    Rate helpful posts!

  • HT5390 What port should i forward in the router if I'm to connect to the mac server behind NAT?

    I am trying to remotely administer a Mac Mini running Mac 10.8 server but couldn't figure out which port to use.
    Tried the following but it still wouldn't connect unless DMZ is opened.
    Remote Login (SSH) - 22
    Screen Sharing Service (VNC) - 5900
    Web Service - 80, 443
    VPN Service (L2TP) - 500, 1701, 4500
    VPN Service (PPTP) - 1723
    Any clue?

    When you say administer, do you mean something like control your parent's Mac remotely, or do you mean officially administer a classroom full of Macs?  If a classroom full of Macs, then you are most likely talking about using the Apple Remote Desktop software which you pay for.
    If, as I suspect, you just want to control your own or a family member's Mac remotely, then you do not need to pay for anything.
    If you need Screen Sharing, you open port 5900 (the VNC port)
    If you need File Sharing, you open port 548 (AFP)
    If you need access to the Unix command line, or you want to use the ssh 'scp' or 'sftp' file transfer commands, then you need to open port 22.
    Visit <http://PortForward.com>, they will provide port forwarding instructions for just about every home router out there.
    I would also suggest you get a free dynamic DNS name so you can address the remote Mac by a constant name instead of having to know the current IP address assigned to the home router, which the ISP can change anytime they want.  No-IP.com or DynDNS.org offer free dynamic DNS names.  You run one of their dynamic DNS updating clients on the remote Mac to keep the dynamic DNS name updated with the current ISP assigned IP address.
    Once you have the port forwarding working, you connect for screen sharing using
    Finder -> Go -> Connect to Server -> vnc://address.of.remote.mac
    and for file sharing
    Finder -> Go -> Connect to Server -> afp://address.of.remote.mac
    If you are going to use ssh, scp, or sftp, then from an Applications -> utilities -> Terminal session you would do something like:
    ssh [email protected]
    scp local.file [email protected]:/path/where/to/put/the/file
    scp [email protected]:/path/of/file/to/get   /local/place/to/put/the/file
    There are also sftp GUI clients you can use to make this part easier.
    If you really cannot get this working, then consider using something like TeamViewer.com which deals with all the messy home router NAT navigation.

  • Can't get my WRT300N router to work

    I am new to wireless networking. I have followed the instructions on the user set up disk to install wireless connection for my new Linksys WRT300N. The router seems to be working but there is no internet connection and the message that pops up is "Windows was unable to find a certificate to log you on to the network".
    I am able to use the wifi connection using my older router (not Linksys) for wireless-G but I need to upgrade to wireless N for better and faster connectivity.
    What I am doing wrong? 
    Thanks,
    dotechan 

    That's caused by improperly setting the encryption to WPA-RADIUS
    instead of WPA-PSK on the client. The router and the client are both
    trying to find a RADIUS server with which to authenticate. Since you
    don't have one, change the encryption to WPA-PSK (pre-shared key) on both ends....
    See if it works ....

  • IPsec VPN and NAT don't work together on HP MSR 20 20

    Hi People,
    I'm getting several issues, let me explain:
    I have an HP MSR router with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a site-to-site VPN through the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach the network through the IPsec VPN. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration. When I put the NAT configuration on Eth 0/0, all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
    I'm missing something but I don't know what it is !!!!, See below the configuration.
    Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the internet. Basically I need NAT and VPN to work fine at the same time.
    Note: I just have only One public Ip address.
    version 5.20, Release 2207P41, Standard
    sysname HP
    nat address-group 1 186.177.159.93 186.177.159.93
    domain default enable system
    dns proxy enable
    telnet server enable
    dar p2p signature-file cfa0:/p2p_default.mtd
    port-security enable
    acl number 2001
    rule 0 permit source 192.168.100.0 0.0.0.255
    rule 5 deny
    acl number 3000
    rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
    vlan 1
    domain system
    access-limit disable
    state active
    idle-cut disable
    self-service-url disable
    ike proposal 1
    encryption-algorithm 3des-cbc
    dh group2
    ike proposal 10
    encryption-algorithm 3des-cbc
    dh group2
    ike peer vpn-test
    proposal 1
    pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
    remote-address <Public Ip from VPN Peer>
    local-address 186.177.159.93
    nat traversal
    ipsec proposal vpn-test
    esp authentication-algorithm sha1
    esp encryption-algorithm 3des
    ipsec policy vpntest 30 isakmp
    connection-name vpntest.30
    security acl 3000
    pfs dh-group2
    ike-peer vpn-test
    proposal vpn-test
    dhcp server ip-pool vlan1 extended
    network mask 255.255.255.0
    user-group system
    group-attribute allow-guest
    local-user admin
    password cipher .]@USE=B,53Q=^Q`MAF4<1!!
    authorization-attribute level 3
    service-type telnet
    service-type web
    cwmp
    undo cwmp enable
    interface Aux0
    async mode flow
    link-protocol ppp
    interface Cellular0/0
    async mode protocol
    link-protocol ppp
    interface Ethernet0/0
    port link-mode route
    nat outbound 2001 address-group 1
    nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
    ip address dhcp-alloc
    ipsec policy vpntest
    interface Ethernet0/1
    port link-mode route
    ip address 192.168.100.1 255.255.255.0
    interface NULL0
    interface Vlan-interface1
    undo dhcp select server global-pool
    dhcp server apply ip-pool vlan1

    ewaller wrote:
    What is under the switches tab?
    Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay.  I'll let it slide.  Watch the bumping as well.
    If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original)  back here, and you are golden.
    I had a bear of a time getting the microphone working on my HP DV4, but it does work.  I'll look at the set up when I get home tonight [USA-PDT].
    Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
    So here is what it is under the switches tab

  • How to configure multiple outgoing interfaces + NAT + PfR

    Hello,
    I have the following config running on Cisco2851.
    Five interfaces (four ADSL and one LAN 10Mb/s) connected to Internet using pppoe.
    Local policy is used to make working route tracking.
    The PfR also configured to load balance traffic coming from LAN to Internet.
    PAT is also configured with "oer" keyword at the end of string to not relocate working translations.
    But the router is not performing well. :-(
    After investigation I found that the selection of the exit interface and setting source ip for
    NAT is not synchronized. The provider's router just drops the incoming packet due to uRPF check.
    Also, the selection of the exit interface is not PFR aware (mode select-exit best) during
    NAT session setup, and router selects one of the possible exit interfaces randomly.
    I have two questions:
    1. How to make synchronization of NAT and Routing to build matching pair of Out_IP=Out_Interface and make my setup working?
    2. How to select the less loaded interface during setup of NAT phase and Routing phase and really involve PfR?
    Actually, these two questions are just my one requirement: during setup of a NAT session, I need
    to find the less loaded interface (PfR should check current rx/tx load), select it, and keep it untouched.
    Thanks,
    Sergey
    Config:
    version 15.1
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname bif
    boot-start-marker
    boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
    boot-end-marker
    enable secret 5 $1$3ggj$huERPVt0luOX6qo6
    no aaa new-model
    crypto pki token default removal timeout 0
    dot11 syslog
    no ip source-route
    ip cef
    no ip domain lookup
    ip domain name zzz.mgm
    no ipv6 cef
    multilink bundle-name authenticated
    key chain PFR
     key 0
      key-string 7 107E2F2B
    voice-card 0
    pfr master
     logging
     border 192.168.254.254 key-chain PFR
      interface Dialer5 external
      interface Dialer4 external
      interface Dialer3 external
      interface Dialer2 external
      interface Dialer1 external
      interface GigabitEthernet0/0 internal
     mode select-exit best
    pfr border
     logging
     local Loopback0
     master 192.168.254.254 key-chain PFR
    license udi pid CISCO2851 sn FCZ0929
    username se privilege 15 secret 5 $1$DUbm$RuZKP8X.19uBtm21
    username ru privilege 15 secret 5 $1$1V.h$iotp/bjhUg4ho93d
    redundancy
    ip ssh version 2
    track 1 ip sla 1 reachability
     delay down 30 up 15
    track 2 ip sla 2 reachability
     delay down 30 up 15
    track 3 ip sla 3 reachability
     delay down 30 up 15
    track 4 ip sla 4 reachability
     delay down 30 up 15
    track 5 ip sla 5 reachability
     delay down 30 up 15
    interface Loopback0
     ip address 192.168.254.254 255.255.255.255
    interface GigabitEthernet0/0
     description ### LAN ###
     ip address 192.168.68.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description ### WDSL link to Dialer 5 ###
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 5
    interface ATM0/0/0
     description ### DSL link 1 to Dialer 1 ###
     no ip address
     no atm ilmi-keepalive
     shutdown
     pvc 1/32
      pppoe-client dial-pool-number 1
    interface ATM0/1/0
     description ### DSL link 2 to Dialer 2 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 2
    interface ATM0/2/0
     description ### DSL link 3 to Dialer 3 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 3
    interface ATM0/3/0
     description ### DSL link 4 to Dialer 4 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 4
    interface GigabitEthernet1/0
     description ### Virtual interface to NME-16ES-1G-P ###
     ip address 192.168.254.253 255.255.255.254
    interface Dialer1
     description ### Dialer for line 1 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     load-interval 30
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer2
     description ### Dialer for line 2 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 2
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer3
     description ### Dialer for line 3 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 3
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer4
     description ### Dialer for line 4 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 4
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer5
     description ### Dialer for WDSL line ###
     bandwidth 10000
     bandwidth receive 10001
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     load-interval 30
     dialer pool 5
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    ip local policy route-map LOCAL-PBR
    no ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map NAT1 interface Dialer1 overload oer
    ip nat inside source route-map NAT2 interface Dialer2 overload oer
    ip nat inside source route-map NAT3 interface Dialer3 overload oer
    ip nat inside source route-map NAT4 interface Dialer4 overload oer
    ip nat inside source route-map NAT5 interface Dialer5 overload oer
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer5-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer2-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer3-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer4-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.230 21 $$$Dialer1-IP$$$ 21 extendable
    ip nat inside source static tcp 192.168.68.160 25 $$$Dialer1-IP$$$ 25 extendable
    ip nat inside source static tcp 192.168.68.22 143 $$$Dialer1-IP$$$ 143 extendable
    ip nat inside source static tcp 192.168.68.22 443 $$$Dialer1-IP$$$ 443 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer1-IP$$$ 2222 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
    ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
    ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
    ip route 0.0.0.0 0.0.0.0 Dialer5 track 5
    ip sla 1
     icmp-echo 8.8.8.8 source-ip $$$Dialer1-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 1 life forever start-time now
    ip sla 2
     icmp-echo 8.8.8.8 source-ip $$$Dialer2-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 2 life forever start-time now
    ip sla 3
     icmp-echo 8.8.8.8 source-ip $$$Dialer3-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 3 life forever start-time now
    ip sla 4
     icmp-echo 8.8.8.8 source-ip $$$Dialer4-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 4 life forever start-time now
    ip sla 5
     icmp-echo 8.8.8.8 source-ip $$$Dialer5-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 5 life forever start-time now
    access-list 100 permit ip any any
    access-list 101 permit ip host $$$Dialer1-IP$$$ any
    access-list 102 permit ip host $$$Dialer2-IP$$$ any
    access-list 103 permit ip host $$$Dialer3-IP$$$ any
    access-list 104 permit ip host $$$Dialer4-IP$$$ any
    access-list 105 permit ip host $$$Dialer5-IP$$$ any
    access-list 199 permit ip 192.168.68.0 0.0.0.255 any
    route-map LOCAL-PBR permit 10
     match ip address 101
     set interface Dialer1
    route-map LOCAL-PBR permit 20
     match ip address 102
     set interface Dialer2
    route-map LOCAL-PBR permit 30
     match ip address 103
     set interface Dialer3
    route-map LOCAL-PBR permit 40
     match ip address 104
     set interface Dialer4
    route-map LOCAL-PBR permit 50
     match ip address 105
     set interface Dialer5
    route-map LOCAL-PBR permit 100
     match ip address 100
     set global
    route-map NAT3 permit 10
     match ip address 199
     match interface Dialer3
    route-map NAT2 permit 10
     match ip address 199
     match interface Dialer2
    route-map NAT1 permit 10
     match ip address 199
     match interface Dialer1
    route-map NAT5 permit 10
     match ip address 199
     match interface Dialer5
    route-map NAT4 permit 10
     match ip address 199
     match interface Dialer4
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line 66
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     session-timeout 15
     login local
     transport input all
    line vty 5 15
     session-timeout 15
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Show ip route:
    sh ip route 0.0.0.0
    Routing entry for 0.0.0.0/0, supernet
      Known via "static", distance 1, metric 0 (connected), candidate default path
      Routing Descriptor Blocks:
        directly connected, via Dialer5
          Route metric is 0, traffic share count is 1
      * directly connected, via Dialer3
          Route metric is 0, traffic share count is 1
        directly connected, via Dialer4
          Route metric is 0, traffic share count is 1
        directly connected, via Dialer2
          Route metric is 0, traffic share count is 1
    Log:
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, TCP Adjust MSS(82), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 192.168.68.2 dst 8.8.4.4
    *Apr 16 07:04:18.103: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
    *Apr 16 07:04:18.103: FIBfwd-proc: depth 0 first_idx 3 paths 4 long 0(0)
    *Apr 16 07:04:18.103: FIBfwd-proc: try path 3 (of 4) v4-ap-Dialer5 first short ext 0(-1)
    *Apr 16 07:04:18.103: FIBfwd-proc: v4-ap-Dialer5 valid
    *Apr 16 07:04:18.103: FIBfwd-proc: Dialer5 no nh type 3  - deag
    *Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none deag 1 chg_if 0 via fib 0 path type attached prefix
    *Apr 16 07:04:18.103: FIBfwd-proc: packet routed to Dialer5 p2p(0)
    *Apr 16 07:04:18.103: FIBipv4-packet-proc: packet routing succeeded
    *Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 ttlexp 0
    *Apr 16 07:04:18.103: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, CCE Post NAT Classification(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Firewall (firewall component)(39), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, TCP Adjust MSS(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(84), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53

    Hi, is this question OK?
    If you forgot, do this config like below:
    pfr master
     learn
      delay
      throughput
      periodic-interval 3
      monitor-period 1
    pfr master
     delay threshold 200
     jitter threshold 50
     mode route control
     mode monitor passive
     mode select-exit best
    I will do it like this: four ADSL lines connect to a switch, this switch connects to a 2911 router (with data license),
    and on the 2911 I do four PPPoE sessions.
    I want to load balance across these four ADSL lines.
