WRT300N: Class C routing & NAT
Hi,
I've just been brought in as a network admin to manage the network of a small 'net cafe. The network the admin before me had set up really turned out to be a disaster.
Okay, here's the breakdown of the equipment I have available:
30 hosts
3 switches (10 hosts each)
1 WRT300N broadband router
Note: Wireless services are not being used
The ISP over here has assigned us five IP addresses, but since we have 30 hosts we obviously need to use NAT.
What I would like to do is implement some sort of Class C subnetting for the three groups of hosts connected into the switches.
I'd like to use subnets of either 192.168.1.0-192.168.3.0 (255.255.255.0) or even a mask of 255.255.255.240 since a block size of 16 on each subnet will be sufficient. (Each switch is connected into a port of the WRT300N).
My questions are: Can I accomplish this using just the WRT300N and still be able to use NAT to enable my hosts to access the 'net through ADSL? And if so, how? And if this is not possible, then do I need to get another Linksys router so that I can get my network up and running smoothly by connecting the WRT300N to the new router and then connecting the switches to the new router as well? If this is the case, which wireless router would all of you recommend I get?
The name of the game here is to optimize speed, so I'd really like to break down the broadcast domains by subnetting.
Thanks in advance.
- T.
Yes, you can use the WRT350N router for the NAT settings on the router ....
You can connect the router in between the modem & switch ...
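The subnet arithmetic behind the question above (three switches of 10 hosts out of a 192.168.x.0/24 block, and why a 255.255.255.240 mask fits), worked as an added example. This is my own planner, not code from the thread or from Linksys: for each group it picks the smallest prefix that leaves room for the hosts plus one gateway address and lays the blocks out back to back, which generalises to mixed group sizes (VLSM). The function and group names are assumptions of the example.

```python
"""Subnet planner: smallest block per group, allocated back to back."""
from ipaddress import ip_network


def smallest_prefix(addresses_needed):
    """Longest prefix whose usable host count (2^(32-p) - 2) covers the need."""
    prefix = 30                       # /30 is the smallest block with usable hosts
    while 2 ** (32 - prefix) - 2 < addresses_needed:
        prefix -= 1
    return prefix


def plan_subnets(base, groups):
    """groups: list of (name, host count). Returns one dict per group, in order."""
    base = ip_network(base)
    cursor = int(base.network_address)
    plan = []
    for name, hosts in groups:
        prefix = smallest_prefix(hosts + 1)        # +1 for the router on that subnet
        size = 2 ** (32 - prefix)
        if cursor % size:                          # blocks must start on a boundary
            cursor += size - cursor % size
        net = ip_network((cursor, prefix))
        if not net.subnet_of(base):
            raise ValueError(f"{base} is too small for group {name!r}")
        plan.append({
            "group": name,
            "subnet": str(net),
            "mask": str(net.netmask),
            "gateway": str(net[1]),                # first usable address
            "hosts": f"{net[2]} - {net[-2]}",      # remaining usable range
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2,
        })
        cursor += size
    return plan


if __name__ == "__main__":
    # The cafe layout from the question: three switches, 10 hosts each.
    cafe = [("switch-1", 10), ("switch-2", 10), ("switch-3", 10)]
    for row in plan_subnets("192.168.1.0/24", cafe):
        print(row)
```

Each /28 leaves 14 usable addresses, so 10 hosts plus the router's own address fit with room to spare; each block is also its own broadcast domain, which is the point the question raises. Note that this only plans the addressing: a router still has to route between the blocks, and the thread does not say whether the WRT300N can do that.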
-
Hi,
I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
I have 3 web servers behind a router.
Public interface: 3 public ip adresses
Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
I would to know the best way to redirect http traffic to the right server.
My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration. I could also redirect via Policy-map and filter by url content.
So if you have some advise for this case, it would be really appreciated.
Thank you.
Chris.
Hello Christophe,
As I understand it, you first want that if somebody goes to A.local.com from the internet, they are redirected to 192.168.1.10 in your internal network.
That means you need a static mapping between your public IP address and your local IP address.
For this example, your local interface is Fa0/0.1; I don't know your public interface because it is not mentioned in your diagram. I will suppose S0/0 for the public interface.
That is the config for Web Server1. You can do the same with the remaining servers:
interface fa0/0.1
ip nat inside
interface serial0/0
ip nat outside
ip nat inside source static 192.168.1.10 172.1.2.3
static mapping from local to public.
I suppose you have done the dns mapping in your network and the ISP have done the same in his network.
ip route 172.1.2.3 255.255.255.255 Serial0/0
or
ip route 0.0.0.0 0.0.0.0 Serial0/0
After these steps for each web server, you will get the mapping.
Now you can restrict access to this IP to only the HTTP or HTTPS protocol, at your ISP first and then on your local network,
like
ip access-list extended ACL_WebServer1
 permit tcp any host 192.168.1.10 eq www
 deny ip any host 192.168.1.10
 exit
interface fa0/0.1
 ip access-group ACL_WebServer1 in
 no shut
 exit
That is the first step.
Second step: you want to filter traffic by URL, which means layer 5 to 7 filtering.
I am not sure that it is possible using a Cisco router (ZBF + regex).
Check the first step and let us know!
Please rate and mark as correct if it is the case.
Regards, -
I am attempting to set the NAT type to OPEN for Xbox Live, for the Xbox 360, on my WRT160N v2 wireless router; however, my Xbox is hardwired to the router (since I don't have a wireless adapter for the 360). I cannot figure out how to change the NAT type in the online wireless setup (I was able to enable UPnP, but couldn't find the NAT type).
Open an Internet Explorer browser page. In the address bar type 192.168.1.1
Leave username blank & in password use admin in lower case...
Click on "Applications and Gaming" tab and then click on "Port Range Forwarding" subtab...
1) On the first line in Application box type in ABC, in the start box type in 88 and End box type in 88, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
2) On the second line in Application box type in PQR, in the start box type in 3074 and End box type in 3074, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box...
3) On the third line in Application box type in XYZ, in the start box type in 53 and End box type in 53, leave the protocol as both and under ip address type in 192.168.1.20 and check the enable box and click on Save Settings...
4) Once you return to the set up page click on the Security tab and uncheck Block Anonymous Internet Requests and click on Save Settings...
5) Click on set-up and change the MTU Size to 1452 and click Save Settings...
6) Go to the Xbox Network Settings and IP Address Settings and select manual IP Settings and assign the following on your Xbox
IP Address :- 192.168.1.20, Subnet Mask :- 255.255.255.0, Default Gateway :- 192.168.1.1...
7) Also assign the DNS Addresses on the Xbox
Primary DNS :- 4.2.2.2...Secondary DNS :- 192.168.1.1
8) Turn off your modem, router, and Xbox...Wait for a minute...
9) Plug the modem power first, wait for another minute and plug the router power cable, wait another minute and turn on the Xbox and test it...it will connect... -
Need firewall/ router / nat / vpn recommendation
As the title states, I'm looking for an all-in-one hardware solution (not software) that will work seamlessly with our Xserve. Right now we are using a consumer grade Linksys VPN/router as a temporary solution. We also have a business series Linksys 24-port switch, so I don't need the router to handle any of that.
We have about 15 users in the office. The vpn will need to support about 3-5 users at any one time, both Mac and Windows clients. We would like to utilize PPTP since it is easier to setup. The internet is provided via Cox cable and sits around 5MB of bandwidth.
Any recommendations would be greatly appreciated. I would prefer to base this purchase on those who use a solution in a production environment as opposed to hearsay.
Thanks in advance.
We use a SonicWALL TZ 170 for that, and it works fine. The current product is the TZ 180, its replacement, which is a bit faster. The TZ 180 can handle 5 MB bandwidth with Intrusion Prevention Services on (signature watching on packet inspection); about 6 MB is the real limit for the TZ 170 with IPS (don't believe the marketing sheets that say faster). With 15 users in your office, you might want the PRO 2040 rather than the TZ 180 for increased processor power. Avoid the 1260, which is essentially just a TZ 170 with a switch on the back end.
Supports the major VPN protocols. If you want to use IKE, you will need the Equinux VPN Tracker client for the Macs (SonicWALL doesn't have a Mac VPN client). Note that their Vista VPN client is now in beta, people are having mixed results with it. No Vista 64 bit VPN client is even announced.
We have used it for several years with Mac VPN (VPN Tracker) from iMacs at our homes to our Xserve G5 and LAN, works fine. SonicWALL support is Mac hostile, they claim it doesn't work with Macs. Hogwash. Be prepared for Bob from Bangalor for the Level 1 and Level 2 support people, who seem untrained on the product line. The Level 3 support people are good, except when you get the anti-Macintosh bigots.
If you need to do NAPT (NAT with port translation), you will have to get the SonicOS Enhanced OS. SonicOS Standard can do NAT but not port translation. The learning curve on SonicOS Standard is not that bad; SonicOS Enhanced is a very different animal - more powerful and featured but more difficult to set up.
Sonic's business model is to pretty much give the hardware away and make it up on support contracts/licenses for firmware/hardware support, IPS, Anti-Spyware, Anti-Virus licensing, etc. The hardware is reliable.
Hope that helps,
Russ
Xserve G5 2.0 GHz 2 GB RAM Mac OS X (10.4.8) Apple Hardware RAID, ATTO UL4D, Exabyte VXA-2 1x10 1u -
Routes, NAT & Sec IP Address lost at reboot
Hi
I don't know if this is the correct forum but I have BM installed
I have a NW 6.5sp1 BorderManager 3.8. Every time I reboot the server I
lose the configuration of one of my entries in the static routing table.
The NAT is set up to dynamic and it is lost just sometimes. The secondary
IP addresses are commented out in the autoexec.ncf (I don't want them anymore) and
they are configured after each reboot even if I comment them out.
tcpcfg.nlm Version 6.50.24
inetcfg Version 6.50.19
Any HELP would be really appreciated
Best Regards
Mariandrea
> In article <U7Qhc.870$[email protected]>, wrote:
> > But I still don't know what to do with the problem of my route, it keeps
> > disappearing every time I boot my server. All other routes are OK, it is just
> > one that I configured last week
> >
> Do you have rip or ospf enabled?
>
> Are you setting routes with TCPCON (which does not make permanent changes)?
> Use INETCFG, Protocols, TCPIP, LAN Static Routing instead.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
RIP is disabled
OSPF is disabled
I am always using INETCFG to configure the routes and some of the routes
get saved but the one I configured lately doesn't stay
Thanks
Mariandrea -
Load Program to Assign Class to Routing Operation
Hello Experts,
I used the standard batch direct input program to load Routings/operations/bom component allocation etc.
We also have a requirement to assign Class(for class type 018) to each of these operations.
Please suggest a standard load program to assign classification to a routing operation.
Thanks
Kishore
Found the answer
-
WRT310n - Routing/NAT stopped working
Hello Cisco Forums,
I'll try to make this as detailed as I can, tell me if I've missed anything.
I've been on vacation for 2 weeks (all computers were OFF, but the WRT310N stayed ON) and when I came back none of my computers could access the internet. I have Linux, Vista and Windows 7 computers on this network, so this is not OS-related.
Every computer gets an IP from the router's DHCP server, they each can ping the router but they can't ping outside addresses. I've tried the "Diagnostic" utility in the router administrator interface and I can ping google from the router, but not from any other computer.
I've tried pinging my ISP gateway and Google using their IPs (bypassing the DNS) but to no avail.
Setting a static IP and ISP DNSes on a computer doesn't work either.
I've rebooted the router, rebooted the cable modem, renewed the IPs, rebooted the computers and restarted the network interfaces. Nothing works. Wireless works fine, but no external access.
So, the router sees the internet but the NATted computers do not!
This was working fine 2 weeks ago.
What else could I try? I'm at a loss here...
Thanks for your help!
Try to verify the following:
if the router can ping hosts on the internet like this ip address 4.2.2.2
if the gateway's IP address on your computers is set to the router IP address.
if the NAT on the router is enabled
if you've configured a policy to restrict internet access.
if you do not want to use your ISP's dns server, then fill the dns fields in the DHCP section (in the setup screen) with values: 4.2.2.1 and 4.2.2.2.
Hope this helps!
Linksys router setup -
Hi,
I have a pc behind a nat router with ip 192.168.1.2.
Setting virtual server on my router configuration, when a request arrive on my router on 1099 port, router send this request to my pc.
So clients can connect to rmiregistry running on my pc.
Rmi Server Object is registered with option
-Djava.rmi.server.hostname=82.xx.xx.xx (public ip of router)
so clients connect to this public ip to find rmi object.
My problem is this: when I run the RMI server object with this option, after 25 seconds the object falls.
If I run it without this option, it doesn't fall but it is registered with local ip and clients can't connect to it.
RmiRegistry and RmiServerObject run on the same local pc behind router.
Thanks.
Bye
If I know why it falls I could resolve it.
There isn't an exception error.
This is the main function of MyServerImpl that extends UnicastRemoteObject and implements MyServer interface.
// Method of MyServerImpl (extends UnicastRemoteObject); the class imports
// java.rmi.Naming and java.rmi.RMISecurityManager.
public static void main(String args[]) {
    String rmiregistry_host = "localhost";
    // String rmiregistry_host = "192.168.1.5";
    // String rmiregistry_host = "82.51.85.191";
    String URL = "jdbc:odbc:DBExAllievi";
    String driver = "sun.jdbc.odbc.JdbcOdbcDriver";
    if (args.length == 1) {
        rmiregistry_host = args[0];
    } else if (args.length == 3) {
        rmiregistry_host = args[0];
        driver = args[1];
        URL = args[2];
    }
    System.setSecurityManager(new RMISecurityManager());
    try {
        // The only strong reference to the exported object is this local; once
        // main returns, nothing but the RMI runtime holds it, so if no client lease
        // keeps it alive it can be garbage-collected, unexported, and the JVM exits.
        GestioneDatiExAllievi_IMPL istanza = new GestioneDatiExAllievi_IMPL();
        istanza.settaggi(driver, URL);
        Naming.rebind("//" + rmiregistry_host + "/GestioneDatiExAllievi", istanza);
        System.out.println("Registrazione oggetto remoto effettuata");
    } catch (Exception e) {
        System.out.println(e.getMessage());
    }
}
This is the output:
http://www.cplusplus.it/file/output.jpg
The String "Registrazione oggetto remoto effettuata" is shown so there isn't exception, but after 24 seconds the application exits.
Instead if I run without -Djava.rmi.server.hostname=82.51.85.191 it's all ok, but my rmi object is registered with local ip, so I can't use it over the internet but only in lan.
I hope now I explained better the problem.
Sorry. -
Router NAT IP block using Access List
Hi All
Strange issue we have here. First time I've come across this.
Question: Is it possible to use an access-list on a NAT IP address on a Cisco router? For example, say we have our internal mail server 192.168.1.5 and it's NATed to the outside on port 25 say to 222.1.1.5. Is there a way to apply an access list to this external IP so that only certain outside users can get to this server using port 25??
Thanks all!
Anyone?
-
Problem with Cisco 831 router NAT translation or routing
Hello,
I’ve reviewed several posts on this forum, very useful, and I think this 831 router config should allow NATing port 8080 to the ‘inside’ IP address, per this statement below, but my efforts have not been successful: no responses get back to the outside client (xx.24.40). Clients on the inside can communicate outbound fine. The IIS server at .10.3 is definitely up and running on port 8080. I know this is probably a duplicate of other posts but if anyone can pinpoint my error I would really appreciate it!!
ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
Here is some debug ip nat output when attempting to connect on port 8080; I do not get a response back from the server to the external client (xx.24.40)….
Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]
Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]
Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]
Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]
Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]
Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
538-R1023-C830#sh running-config full
Building configuration...
Current configuration : 4329 bytes
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname 538-R1023-C830
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no logging console
no aaa new-model
resource policy
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.1.18.152
lease 0 2
ip cef
ip domain list sd.cox.net
ip domain name sd.cox.net
no ip ips deny-action ips-interface
no ftp-server write-enable
crypto pki trustpoint TP-self-signed-75609932
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-75609932
revocation-check none
rsakeypair TP-self-signed-75609932
crypto pki certificate chain TP-self-signed-75609932
certificate self-signed 01
<snip>
interface Ethernet0
description inside
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Ethernet1
description outside
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
interface Ethernet2
no ip address
shutdown
interface FastEthernet1
no ip address
duplex auto
speed auto
interface FastEthernet2
no ip address
duplex auto
speed auto
interface FastEthernet3
no ip address
duplex auto
speed auto
interface FastEthernet4
no ip address
duplex auto
speed auto
no ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
logging trap debugging
logging 10.10.10.3
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
control-plane
banner login ^C
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
Hi Alain,
Yes, the client I was testing with is on the same subnet as the public router IP. Good thought on the firewall; I will disable any firewall on the IIS machine (my laptop) and re-test. I will reply with those results on Monday. Ultimately I'm needing to test NAT for port 9100 to a printer; I'll add that and test as well. The firewall shouldn't be a factor with the printer.
thank you.
Grant -
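A small reader for the debug ip nat lines posted above, added here as an example (my own code, not from the thread or from Cisco). It treats the "NAT: o:" lines as packets that arrived on the outside interface and the "s=..., d=...->..." lines as the translation that was applied, and it answers the question the post asks: did the router forward every inbound request to 10.10.10.3, and did any reply ever come back through the translation? A reply would show up as a line whose source 10.10.10.3 is rewritten to the public address. The regular expressions assume the exact line layout shown in the post; the sample is copied from it with the ISP octets masked as in the original.

```python
"""Summarise a 'debug ip nat' capture: inbound attempts per client flow,
retransmission spacing, and whether any inside->outside reply was seen."""
import re
from collections import defaultdict

# Lines copied from the post above (public octets masked as 'xx' there too).
NAT_DEBUG = """\
Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]
Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]
Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]
Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]
Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]
Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)
"""

# 'o:' = packet seen on the outside interface, 'i:' = on the inside interface.
NEW_FLOW = re.compile(r"NAT: (?P<dir>[io]): (?P<proto>\w+) \((?P<src>[\w.]+), (?P<sport>\d+)\)"
                      r" -> \((?P<dst>[\w.]+), (?P<dport>\d+)\)")
# 'x->y' on the s= side means the source was rewritten (inside host answering out);
# on the d= side it means the destination was rewritten (forwarded to an inside host).
XLATE = re.compile(r"NAT: s=(?P<s>[\w.]+)(?:->(?P<s_new>[\w.]+))?, d=(?P<d>[\w.]+)(?:->(?P<d_new>[\w.]+))?")
STAMP = re.compile(r"\*\w{3} +\d+ (\d\d):(\d\d):(\d\d)\.(\d{3})")   # router-side timestamp


def router_seconds(line):
    """Router timestamp (the *Mar ... field) as seconds since midnight."""
    h, mi, s, ms = (int(x) for x in STAMP.search(line).groups())
    return h * 3600 + mi * 60 + s + ms / 1000


def analyse(log):
    """Return ({(client ip, client port): {attempts, gaps_s}}, inbound, outbound)."""
    attempts = defaultdict(list)
    inbound = outbound = 0
    for line in log.splitlines():
        f = NEW_FLOW.search(line)
        if f and f["dir"] == "o":
            attempts[(f["src"], int(f["sport"]))].append(router_seconds(line))
        x = XLATE.search(line)
        if x and x["s_new"]:
            outbound += 1
        elif x and x["d_new"]:
            inbound += 1
    report = {}
    for flow, ts in attempts.items():
        gaps = [round(b - a, 1) for a, b in zip(ts, ts[1:])]
        report[flow] = {"attempts": len(ts), "gaps_s": gaps}
    return report, inbound, outbound


def verdict(log):
    """One-line reading of where to look next."""
    _, inbound, outbound = analyse(log)
    if inbound and not outbound:
        return "forwarded to the inside host, nothing came back: look past the router"
    if outbound:
        return "replies are being translated: look at routing or ACLs toward the client"
    return "no inbound translation: check the static NAT entry"


if __name__ == "__main__":
    report, inbound, outbound = analyse(NAT_DEBUG)
    for flow, info in report.items():
        print(flow, info)
    print(f"{inbound} inbound translations, {outbound} replies ->", verdict(NAT_DEBUG))
```

For this capture every client source port (44122, 44123, 44124) is forwarded to 10.10.10.3 and then retried with the 3 s and 6 s spacing of a client resending its SYN, while no line ever shows 10.10.10.3 being rewritten back to the public address. That puts the problem on or beyond the inside host, which is the direction the follow-up reply about the host firewall takes.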
Hello,
I have only 1 public IP on my router outside interface which is connected to ISP,
I just want to confirm the below with you experts,
I want to create a site-to-site VPN with other branches; I have a proper IOS ------- I hope I can do it.
The public IP on the router outside interface: can I use the same IP for static NATing of a web server (one to one)????? If I use it in static NATing and I ping the public IP from the internet, will it ping the router interface or will it ping the server IP????-------- I hope we can't do it.
If I am not wrong then, I hope I can use service distribution with that same public IP but not static NATing (one to one).
I hope there is no concept of a firewall such that if we do NATing we need an access-list; on a router without an access-list, users from the internet can also access the inside servers, only NATing needs to be provided.
Tx
Hello Estela,
1- Yes you can configure a VPN site to site as long as the router supports it
2-You cannot do a static one to one with the outside interface of the asa that will be used for other host to go to the internet., instead of that you can configure port-forwarding that will work for inbound connections ( Just TCP and UDP as these protocols use ports)
3-Yes, you can do it as I explained in the previous answer
4-That is correct, without ACL everything is allowed.
Regards,
Julio
Rate helpful posts! -
I am trying to remote administrate a Mac Mini running Mac 10.8 server but couldn't figure out which port to use.
Tried the following but still wouldn't connect unless DMZ is opened.
Remote Login (SSH) - 22
Screen Sharing Service (VNC) - 5900
Web Service - 80, 443
VPN Service (L2TP) - 500, 1701, 4500
VPN Service (PPTP) - 1723
Any clue?
When you say administer, do you mean something like control your parent's Mac remotely, or do you mean officially administer a classroom full of Macs? If a classroom full of Macs, then you are most likely talking about using the Apple Remote Desktop software which you pay for.
If, as I suspect, you just want to control your own or a family member's Mac remotely, then you do not need to pay for anything.
If you need Screen Sharing, you open port 5900 (the VNC port)
If you need File Sharing, you open port 548 (AFP)
If you need access to the Unix command line, or you want to use the ssh 'scp' or 'sftp' file transfer commands, then you need to open port 22.
Visit <http://PortForward.com>, they will provide port forwarding instructions for just about every home router out there.
I would also suggest you get a free dynamic DNS name so you can address the remote Mac by a constant name instead of having to know the current IP address assigned to the home router, which the ISP can change anytime they want. No-IP.com or DynDNS.org offer free dynamic DNS names. You run one of their dynamic DNS updating clients on the remote Mac to keep the dynamic DNS name updated with the current ISP assigned IP address.
Once you have the port forwarding working, you connect for screen sharing using
Finder -> Go -> Connect to Server -> vnc://address.of.remote.mac
and for file sharing
Finder -> Go -> Connect to Server -> afp://address.of.remote.mac
If you are going to use ssh, scp, or sftp, then from an Applications -> utilities -> Terminal session you would do something like:
ssh [email protected]
scp local.file [email protected]:/path/where/to/put/the/file
scp [email protected]:/path/of/file/to/get /local/place/to/put/the/file
There are also sftp GUI clients you can use to make this part easier.
If you really cannot get this working, then consider using something like TeamViewer.com which deals with all the messy home router NAT navigation. -
Can't get my WRT300N router to work
I am new to wireless networking. I have followed the instructions on the user set up disk to install wireless connection for my new Linksys WRT300N. The router seems to be working but there is no internet connection and the message that pops up is "Windows was unable to find a certificate to log you on to the network".
I am able to use the wifi connection using my older router (not Linksys) for wireless-G but I need to upgrade to wireless N for better and faster connectivity.
What I am doing wrong?
Thanks,
dotechan
That's caused by improperly setting the encryption to WPA-RADIUS instead of WPA-PSK on the client. The router and the client are both trying to find a RADIUS server with which to authenticate. Since you don't have one, change the encryption to WPA-PSK (pre-shared key) on both ends....
See if it works .... -
IpSec VPN and NAT don't work togheter on HP MSR 20 20
Hi People,
I'm getting several issues, let me explain:
I have a Router HP MSR with 2 ethernet interfaces, Eth 0/0 - WAN (186.177.159.98) and Eth 0/1 LAN (192.168.100.0 /24). I have configured a site-to-site VPN through the internet, and it works really well. The other site has the subnet 10.10.10.0 and I can reach that network through the IPsec VPN. The issue is that the network 192.168.100.0 /24 needs to reach the internet with the same public address, so I have set a basic NAT configuration: when I put the NAT configuration on Eth 0/0 all of network 192.168.100.0 can go to the internet, but the VPN goes down; when I remove the NAT from Eth 0/0 the VPN goes up, but the network 192.168.100.0 can't go to the internet.
I'm missing something but I don't know what it is !!!!, See below the configuration.
Can anyone help me with that? I need to send the traffic with target 10.10.10.0 through the VPN, and all other traffic to the internet. Basically I need NAT and the VPN to work fine at the same time.
Note: I just have only One public Ip address.
version 5.20, Release 2207P41, Standard
sysname HP
nat address-group 1 186.177.159.93 186.177.159.93
domain default enable system
dns proxy enable
telnet server enable
dar p2p signature-file cfa0:/p2p_default.mtd
port-security enable
acl number 2001
rule 0 permit source 192.168.100.0 0.0.0.255
rule 5 deny
acl number 3000
rule 0 permit ip source 192.168.100.0 0.0.0.255 destination 10.10.10.0 0.0.0.255
vlan 1
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
ike proposal 10
encryption-algorithm 3des-cbc
dh group2
ike peer vpn-test
proposal 1
pre-shared-key cipher wrWR2LZofLx6g26QyYjqBQ==
remote-address <Public Ip from VPN Peer>
local-address 186.177.159.93
nat traversal
ipsec proposal vpn-test
esp authentication-algorithm sha1
esp encryption-algorithm 3des
ipsec policy vpntest 30 isakmp
connection-name vpntest.30
security acl 3000
pfs dh-group2
ike-peer vpn-test
proposal vpn-test
dhcp server ip-pool vlan1 extended
network mask 255.255.255.0
user-group system
group-attribute allow-guest
local-user admin
password cipher .]@USE=B,53Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
service-type web
cwmp
undo cwmp enable
interface Aux0
async mode flow
link-protocol ppp
interface Cellular0/0
async mode protocol
link-protocol ppp
interface Ethernet0/0
port link-mode route
nat outbound 2001 address-group 1
nat server 1 protocol tcp global current-interface 3389 inside 192.168.100.20 3389
ip address dhcp-alloc
ipsec policy vpntest
interface Ethernet0/1
port link-mode route
ip address 192.168.100.1 255.255.255.0
interface NULL0
interface Vlan-interface1
undo dhcp select server global-pool
dhcp server apply ip-pool vlan1
ewaller wrote:
What is under the switches tab?
Oh -- By the way, that picture is over the size limit defined in the forum rules in terms of pixels, but the file size is okay. I'll let it slide. Watch the bumping as well.
If you want to post the switches tab, upload it to someplace like http://img3.imageshack.us/, copy the thumbnail (which has the link to the original) back here, and you are golden.
I had a bear of a time getting the microphone working on my HP DV4, but it does work. I'll look at the set up when I get home tonight [USA-PDT].
Sorry for the picture and the "bumping"... I have asked in irc in arch and alsa channels and no luck yet... one guy from alsa said I had to wait for the alsa-driver-1.0.24 package (currently I have alsa-driver-1.0.23) but it is weird because the microphone worked some months ago...
So here is what it is under the switches tab -
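A packet-level toy model of a NAT edge router, added here as one example for several of the NAT threads on this page: the question about putting an access list on a NATed address (port 25 to 192.168.1.5 behind 222.1.1.5), the 831 port-forward and its "permit ip any any" outside ACL, Julio's point that without an ACL a forwarded port is reachable by anyone, and the HP MSR configuration above where outbound NAT and the IPsec policy fight over the same traffic. It is my own code, not from any of the posters, Cisco or HP. Assumed order of operations, stated in the code: the inbound ACL on the outside interface is checked against the untranslated (public) address before NAT, and outbound NAT runs before the IPsec policy compares the packet with its ACL; the 203.0.113.x and 198.51.100.x addresses are constructed.

```python
"""Toy NAT router: PAT overload outbound, static port-forwards inbound, an
outside-interface ACL checked before translation, and a NAT ACL whose deny
rules exempt traffic (e.g. VPN-bound) from translation."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False     # TCP ACK set: belongs to an already established session


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False


def acl_permits(rules, pkt):
    """First matching rule decides; no match is the implicit deny."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.dport in (None, pkt.dport)
                and (pkt.ack or not r.established)):
            return r.action == "permit"
    return False


class NatRouter:
    def __init__(self, outside_ip, nat_acl, static_map=None, outside_in_acl=None):
        self.outside_ip = outside_ip
        self.nat_acl = nat_acl              # permit = translate, deny/no match = untouched
        self.static_map = static_map or {}  # (proto, public port) -> (inside ip, inside port)
        self.acl = outside_in_acl           # None: no ACL on the outside interface
        self.table = {}                     # (proto, inside ip, inside port) -> public port
        self.next_port = 1024

    def outbound(self, pkt):
        """Inside -> outside. Traffic the NAT ACL does not permit leaves untranslated."""
        if not acl_permits(self.nat_acl, pkt):
            return pkt
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.table:           # PAT: one public IP, a fresh port per flow
            self.table[key] = self.next_port
            self.next_port += 1
        return replace(pkt, src=self.outside_ip, sport=self.table[key])

    def inbound(self, pkt):
        """Outside -> inside: interface ACL first, then static map, then dynamic table."""
        if pkt.dst != self.outside_ip:
            return None
        if self.acl is not None and not acl_permits(self.acl, pkt):
            return None
        if (pkt.proto, pkt.dport) in self.static_map:
            ip, port = self.static_map[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=ip, dport=port)
        for (proto, ip, port), pub in self.table.items():
            if proto == pkt.proto and pub == pkt.dport:
                return replace(pkt, dst=ip, dport=port)
        return None                         # no translation: no inside host is reached


def demo():
    out = {}
    inside = [Rule("permit", "ip", "192.168.1.0/24")]
    fwd25 = {("tcp", 25): ("192.168.1.5", 25)}
    # Mail server behind 222.1.1.5: only the partner range may reach tcp/25, and
    # only replies to sessions the LAN opened are let back in (stateless ACL).
    guarded = NatRouter("222.1.1.5", inside, fwd25,
                        [Rule("permit", "tcp", src="203.0.113.0/24", dport=25),
                         Rule("permit", "tcp", established=True)])
    o = guarded.outbound(Packet("tcp", "192.168.1.7", 40000, "198.51.100.20", 443))
    out["outbound"] = (o.src, o.sport)
    b = guarded.inbound(Packet("tcp", "198.51.100.20", 443, "222.1.1.5", o.sport, ack=True))
    out["reply"] = (b.dst, b.dport)
    p = guarded.inbound(Packet("tcp", "203.0.113.10", 51000, "222.1.1.5", 25))
    out["partner_smtp"] = (p.dst, p.dport)
    out["other_smtp"] = guarded.inbound(Packet("tcp", "198.51.100.7", 51001, "222.1.1.5", 25))
    # Same forward with no ACL: anyone reaches tcp/25; unmapped ports reach nothing.
    open_ = NatRouter("222.1.1.5", inside, fwd25)
    q = open_.inbound(Packet("tcp", "198.51.100.7", 51001, "222.1.1.5", 25))
    out["open_smtp"] = (q.dst, q.dport)
    out["unmapped"] = open_.inbound(Packet("tcp", "198.51.100.7", 51002, "222.1.1.5", 8080))
    # MSR-style source-only NAT ACL also translates VPN-bound traffic, so the IPsec
    # ACL (192.168.100.0/24 -> 10.10.10.0/24) no longer matches; a deny rule fixes it.
    vpn = Packet("tcp", "192.168.100.20", 50000, "10.10.10.5", 445)
    ipsec_acl = [Rule("permit", "ip", "192.168.100.0/24", "10.10.10.0/24")]
    broken = NatRouter("186.177.159.93", [Rule("permit", "ip", "192.168.100.0/24")])
    fixed = NatRouter("186.177.159.93", [Rule("deny", "ip", "192.168.100.0/24", "10.10.10.0/24"),
                                         Rule("permit", "ip", "192.168.100.0/24")])
    for name, r in (("vpn_broken", broken), ("vpn_fixed", fixed)):
        t = r.outbound(vpn)
        out[name] = (t.src, acl_permits(ipsec_acl, t))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

Two things the model makes visible. First, the outside-interface ACL sees the public address, so restricting who may reach the forwarded port is a plain source/destination rule on 222.1.1.5; but a plain ACL is stateless, so without the `established` line (or a stateful firewall feature) the LAN's own return traffic would be dropped, which is what a blanket "permit ip any any" on the 831 avoids at the cost of filtering nothing. Second, the MSR's basic ACL 2001 matches on source only, so packets for 10.10.10.0/24 are translated before the IPsec policy looks at them and ACL 3000 never matches; exempting that destination from NAT (a deny rule ahead of the permit, as the `fixed` router does) keeps the private source and lets the policy match.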
How to configure multiple outgoing interfaces + NAT + PfR
Hello,
I have the following config running on Cisco2851.
Five interfaces (four ADSL and one LAN 10Mb/s) connected to Internet using pppoe.
Local policy is used to make working route tracking.
The PfR also configured to load balance traffic coming from LAN to Internet.
PAT is also configured with "oer" keyword at the end of string to not relocate working translations.
But the router is not performing well. :-(
After investigation I found that the selection of the exit interface and setting source ip for
NAT is not synchronized. The provider's router just drops the incoming packet due to uRPF check.
Also, the selection of the exit interface is not PFR aware (mode select-exit best) during
NAT session setup, and router selects one of the possible exit interfaces randomly.
I have two questions:
1. How to make synchronization of NAT and Routing to build matching pair of Out_IP=Out_Interface and make my setup working?
2. How to select the less loaded interface during setup of NAT phase and Routing phase and really involve PfR?
Actually, these two questions are just my one requirement: during setup of a NAT session, I need
to find the less loaded interface (PfR should check the current rx/tx load), select it, and keep it untouched.
Thanks,
Sergey
Config:
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname bif
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
enable secret 5 $1$3ggj$huERPVt0luOX6qo6
no aaa new-model
crypto pki token default removal timeout 0
dot11 syslog
no ip source-route
ip cef
no ip domain lookup
ip domain name zzz.mgm
no ipv6 cef
multilink bundle-name authenticated
key chain PFR
key 0
key-string 7 107E2F2B
voice-card 0
pfr master
logging
border 192.168.254.254 key-chain PFR
interface Dialer5 external
interface Dialer4 external
interface Dialer3 external
interface Dialer2 external
interface Dialer1 external
interface GigabitEthernet0/0 internal
mode select-exit best
pfr border
logging
local Loopback0
master 192.168.254.254 key-chain PFR
license udi pid CISCO2851 sn FCZ0929
username se privilege 15 secret 5 $1$DUbm$RuZKP8X.19uBtm21
username ru privilege 15 secret 5 $1$1V.h$iotp/bjhUg4ho93d
redundancy
ip ssh version 2
track 1 ip sla 1 reachability
delay down 30 up 15
track 2 ip sla 2 reachability
delay down 30 up 15
track 3 ip sla 3 reachability
delay down 30 up 15
track 4 ip sla 4 reachability
delay down 30 up 15
track 5 ip sla 5 reachability
delay down 30 up 15
interface Loopback0
ip address 192.168.254.254 255.255.255.255
interface GigabitEthernet0/0
description ### LAN ###
ip address 192.168.68.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description ### WDSL link to Dialer 5 ###
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 5
interface ATM0/0/0
description ### DSL link 1 to Dialer 1 ###
no ip address
no atm ilmi-keepalive
shutdown
pvc 1/32
pppoe-client dial-pool-number 1
interface ATM0/1/0
description ### DSL link 2 to Dialer 2 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 2
interface ATM0/2/0
description ### DSL link 3 to Dialer 3 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 3
interface ATM0/3/0
description ### DSL link 4 to Dialer 4 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 4
interface GigabitEthernet1/0
description ### Virtual interface to NME-16ES-1G-P ###
ip address 192.168.254.253 255.255.255.254
interface Dialer1
description ### Dialer for line 1 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer2
description ### Dialer for line 2 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer3
description ### Dialer for line 3 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 3
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer4
description ### Dialer for line 4 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 4
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer5
description ### Dialer for WDSL line ###
bandwidth 10000
bandwidth receive 10001
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 5
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
ip local policy route-map LOCAL-PBR
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map NAT1 interface Dialer1 overload oer
ip nat inside source route-map NAT2 interface Dialer2 overload oer
ip nat inside source route-map NAT3 interface Dialer3 overload oer
ip nat inside source route-map NAT4 interface Dialer4 overload oer
ip nat inside source route-map NAT5 interface Dialer5 overload oer
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer5-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer2-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer3-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer4-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.230 21 $$$Dialer1-IP$$$ 21 extendable
ip nat inside source static tcp 192.168.68.160 25 $$$Dialer1-IP$$$ 25 extendable
ip nat inside source static tcp 192.168.68.22 143 $$$Dialer1-IP$$$ 143 extendable
ip nat inside source static tcp 192.168.68.22 443 $$$Dialer1-IP$$$ 443 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer1-IP$$$ 2222 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
ip route 0.0.0.0 0.0.0.0 Dialer5 track 5
ip sla 1
icmp-echo 8.8.8.8 source-ip $$$Dialer1-IP$$$
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-ip $$$Dialer2-IP$$$
timeout 1000
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-ip $$$Dialer3-IP$$$
timeout 1000
frequency 5
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 8.8.8.8 source-ip $$$Dialer4-IP$$$
timeout 1000
frequency 5
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 8.8.8.8 source-ip $$$Dialer5-IP$$$
timeout 1000
frequency 5
ip sla schedule 5 life forever start-time now
access-list 100 permit ip any any
access-list 101 permit ip host $$$Dialer1-IP$$$ any
access-list 102 permit ip host $$$Dialer2-IP$$$ any
access-list 103 permit ip host $$$Dialer3-IP$$$ any
access-list 104 permit ip host $$$Dialer4-IP$$$ any
access-list 105 permit ip host $$$Dialer5-IP$$$ any
access-list 199 permit ip 192.168.68.0 0.0.0.255 any
route-map LOCAL-PBR permit 10
match ip address 101
set interface Dialer1
route-map LOCAL-PBR permit 20
match ip address 102
set interface Dialer2
route-map LOCAL-PBR permit 30
match ip address 103
set interface Dialer3
route-map LOCAL-PBR permit 40
match ip address 104
set interface Dialer4
route-map LOCAL-PBR permit 50
match ip address 105
set interface Dialer5
route-map LOCAL-PBR permit 100
match ip address 100
set global
route-map NAT3 permit 10
match ip address 199
match interface Dialer3
route-map NAT2 permit 10
match ip address 199
match interface Dialer2
route-map NAT1 permit 10
match ip address 199
match interface Dialer1
route-map NAT5 permit 10
match ip address 199
match interface Dialer5
route-map NAT4 permit 10
match ip address 199
match interface Dialer4
control-plane
mgcp profile default
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
session-timeout 15
login local
transport input all
line vty 5 15
session-timeout 15
login local
transport input all
scheduler allocate 20000 1000
end
Show ip route:
sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Routing Descriptor Blocks:
directly connected, via Dialer5
Route metric is 0, traffic share count is 1
* directly connected, via Dialer3
Route metric is 0, traffic share count is 1
directly connected, via Dialer4
Route metric is 0, traffic share count is 1
directly connected, via Dialer2
Route metric is 0, traffic share count is 1
Log:
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, TCP Adjust MSS(82), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 192.168.68.2 dst 8.8.4.4
*Apr 16 07:04:18.103: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
*Apr 16 07:04:18.103: FIBfwd-proc: depth 0 first_idx 3 paths 4 long 0(0)
*Apr 16 07:04:18.103: FIBfwd-proc: try path 3 (of 4) v4-ap-Dialer5 first short ext 0(-1)
*Apr 16 07:04:18.103: FIBfwd-proc: v4-ap-Dialer5 valid
*Apr 16 07:04:18.103: FIBfwd-proc: Dialer5 no nh type 3 - deag
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none deag 1 chg_if 0 via fib 0 path type attached prefix
*Apr 16 07:04:18.103: FIBfwd-proc: packet routed to Dialer5 p2p(0)
*Apr 16 07:04:18.103: FIBipv4-packet-proc: packet routing succeeded
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 ttlexp 0
*Apr 16 07:04:18.103: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, CCE Post NAT Classification(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Firewall (firewall component)(39), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, TCP Adjust MSS(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Dialer idle reset(84), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Dialer idle reset(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
*Apr 16 07:04:18.107: UDP src=61183, dst=53
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
*Apr 16 07:04:18.107: UDP src=61183, dst=53
hi, is this question ok?
if you forget, do this config like below:
pfr master
learn
delay
throughput
periodic-interval 3
monitor-period 1
pfr master
delay threshold 200
jitter threshold 50
mode route control
mode monitor passive
mode select-exit best
I will do it like this: four ADSL lines connect to a switch, and this switch connects to a 2911 router (with data license).
At the 2911, do four PPPoE sessions.
I want to load balance across these four ADSL lines.
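As an added example that is not from this thread: a small Python checker that parses the "debug ip packet" records shown above and flags a forwarded packet whose translated source address belongs to one Dialer but which the FIB sends out a different one, which is what the trace shows (s=$$$Dialer4-IP$$$ forwarded via Dialer5). The Dialer addresses and the sample lines are constructed placeholders, since the thread masks the real ones.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed outside addresses for the five Dialers of the config above; the thread
# masks the real ones as $$$DialerN-IP$$$, so these RFC 5737 values are placeholders.
DIALER_IP = {f"198.51.100.{n}": f"Dialer{n}" for n in range(1, 6)}

# One "IP: s=<src> (<ingress>), d=<dst> [(<egress>)][, g=<gw>], len <n>, <stage>" record
# of "debug ip packet detail"; the UDP/TCP continuation lines deliberately do not match.
LINE_RE = re.compile(
    r"IP: s=(?P<src>\S+) \((?P<ingress>[^)]+)\), "
    r"d=(?P<dst>\S+)(?: \((?P<egress>[^)]+)\))?"
    r"(?:, g=\S+)?, len \d+, (?P<stage>.+)$"
)


def parse(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Fields of an IP record, or None for lines that are not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def find_nat_egress_mismatches(lines, dialer_ip=DIALER_IP) -> List[Tuple[str, str, str]]:
    """(translated_src, owning_dialer, actual_egress) for every forwarded packet whose
    NAT source belongs to one Dialer but which the FIB sends out a different one."""
    hits = []
    for line in lines:
        p = parse(line)
        if p is None or p["stage"] != "forward" or p["egress"] is None:
            continue  # only the post-NAT forwarding decision matters here
        owner = dialer_ip.get(p["src"])
        if owner is not None and owner != p["egress"]:
            hits.append((p["src"], owner, p["egress"]))
    return hits


# Constructed sample in the trace format above: one DNS query translated to the Dialer4
# address but routed out Dialer5 (the situation in the log), and one consistent packet.
SAMPLE = """\
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=198.51.100.4 (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: IP: s=198.51.100.4 (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
*Apr 16 07:04:19.001: IP: s=198.51.100.2 (GigabitEthernet0/0), d=8.8.8.8 (Dialer2), g=8.8.8.8, len 84, forward
""".splitlines()

if __name__ == "__main__":
    for src, owner, egress in find_nat_egress_mismatches(SAMPLE):
        print(f"translated to {src} ({owner}) but forwarded via {egress}")
```

A hit means the reply traffic will come back on the Dialer that owns the address, not the one the packet left on, so the checker is a quick way to confirm that a route-map NAT and the tracked default routes have fallen out of step.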