Cisco 837, NAT & Netscreen in transparent Mode

Hi all,

My apologies if posting to the wrong group. I have a Cisco 837 which I want to use as a backup internet link. What I hope to do is simply change the static route on my 3750 if the primary link goes down. I have a Netscreen 25 configured in transparent mode.

I have it configured as follows:

Public IP, Cisco 837 Dialer i/f ---> Ethernet0 192.168.102.2 ----> Netscreen25 Transparent ---> VLAN102 on the 3750 @ 192.168.102.1

The VLAN interface of the Netscreen is 192.168.102.7 and the management i/f is 192.168.102.5.

I have configured the 837 router to perform NAT, as I only have 1 public IP; the Ethernet i/f of the 837 is configured with a private IP. I am seeing the Cisco attempt to perform NAT:

sh ip nat trans
Pro  Inside global        Inside local         Outside local      Outside global
tcp  203.161.86.134:1963  192.168.26.134:1963  202.154.92.59:80   202.154.92.59:80

I have a one-off static route on the 3750 for testing, and this is the website I am trying to access via this route:

ip route 202.154.92.59 255.255.255.255 192.168.102.2

I have a policy on the Netscreen that says Source Any to Dest Any permit HTTP. I am seeing the same thing in the log of the Netscreen:

Date/Time Source Address/Port Destination Address/Port Duration Service

2008-03-25 15:39:06 192.168.26.134:1963 202.154.92.59:80 59 sec. HTTP

The Cisco config is pretty straightforward, as shown:

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname aff_837
!
logging queue-limit 100
logging buffered 4096 debugging
!
clock timezone AEST 8
ip subnet-zero
no ip source-route
ip domain name affoods.com.au
ip name-server 203.161.127.1
ip name-server 203.153.224.42
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
vpdn enable
!
no ftp-server write-enable
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 ip address 192.168.102.2 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
!
interface Dialer1
 description Amcom VPN
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxxx
!
ip nat inside source list 23 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 5 permit any
access-list 23 permit 192.168.102.0 0.0.0.255
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 23 permit 192.168.26.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map clear-df permit 10
 match ip address 5
 set ip df 0
!
line con 0
 exec-timeout 60 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

Can anyone tell me what I am missing? Is it a policy problem on the Netscreen or a config problem on the 837? I can ping the 192.168.102.5 & .7 from the router using an extended ping with the Ethernet i/f as the source, but cannot ping the VLAN102 i/f of the 3750; once again, I believe this is an incoming policy issue. All I have is 4 outgoing policies from the trust to the untrust for FTP, DNS, HTTPS and HTTP.

Cheers, Scott
