Clarification needed PLEASE

From: oluwaseyi ojo (sameoj@gmail.com)
Date: Sun Jun 08 2008 - 10:13:16 ART


Hello all,
I need your help. I have 3 sites, and I am having a problem connecting from sites 2 and 3 to the site 1 webserver via the DMZ. There is a tunnel between site 2 and site 1 and between site 3 and site 1. When I did a traceroute from site 2 to site 1, I discovered that I could get to the end of the tunnel and that's all; the traceroute can't go further. But I can ping hosts in the LAN in both sites 2 and 3 from the ASA, and I also pinged the webserver from the router in site 1, which was successful. All other things are working fine except that hosts from sites 2 and 3 can't access the webserver. Below is the config on the ASA and router (site 1), router (site 2) and router (site 3).
ASA (Site 1):
# show run
: Saved
:
ASA Version 7.2(2)
!
hostname
domain-name
enable password xxxxxxxxxx encrypted
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 80.x.x.x 255.255.255.192 standby 80.x.x.x
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 80
 ip address 192.x.x.x 255.255.255.0 standby 192.x.x.x
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.x.x.x 255.255.255.0
 management-only
!
passwd xxxxxxxxxx encrypted
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 192.x.x.x
 domain-name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list 103 extended permit ip host 192.x.x.x host 192.x.x.x
access-list 103 extended permit icmp any any
access-list 103 extended permit ip host 192.x.x.x any
access-list 104 extended permit tcp any host 80.x.x.x eq www
access-list 104 extended permit tcp any host 80.x.x.x eq https
access-list 105 extended permit ip 192.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 105 extended permit ip 192.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 105 extended permit ip 192.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 105 extended permit ip 192.x.x.x 255.255.255.0 172.x.x.x 255.255.255.0
access-list 120 extended permit ip 192.x.x.x 255.255.255.0 any
access-list 120 extended permit ip 192.x.x.x 255.255.255.0 any
access-list 120 extended permit ip 192.x.x.x 255.255.255.0 any
access-list 120 extended permit ip 192.x.x.x 255.255.255.0 any
access-list 130 extended permit ip 192.x.x.x 255.255.255.0 10.x.x.x 255.255.255.0
access-list ips extended permit ip any 192.x.x.x 255.255.255.0
access-list ips extended permit ip any 192.x.x.x 255.255.255.0
access-list ips extended permit ip any 192.x.x.x 255.255.255.0
access-list ips extended permit ip any 192.x.x.x 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 130
nat (inside) 1 access-list 120
nat (dmz) 1 192.x.x.x 255.255.255.255
static (inside,dmz) 192.x.202.x 192.x.202.x netmask 255.255.255.0
static (dmz,inside) 192.x.x.x 192.x.x.x netmask 255.255.255.255
static (dmz,outside) 80.x.x.x 192.x.x.x netmask 255.255.255.255 dns
access-group 104 in interface outside
access-group 102 in interface inside
access-group 103 in interface dmz
route outside 0.0.0.0 0.0.0.0 80.x.x.x
route inside 192.x.x.x 255.255.255.0 192.x.x.x
route inside 192.x.x.x 255.255.255.0 192.x.x.x
route inside 172.x.x.x 255.255.255.0 192.x.x.x
route inside 192.x.x.x 255.255.255.0 192.x.x.x
Site 2 router:
interface Tunnel200
 ip address 172.x.x.x 255.255.255.0
 ip wccp 62 redirect in
 tunnel source 192.168.x.x
 tunnel destination 192.168.x.x

interface FastEthernet0/1
 ip address 192.x.x.x 255.255.255.0
 ip wccp 61 redirect in
 duplex auto
 speed auto
 auto qos voip
 service-policy output AutoQoS-Policy-UnTrust
!
interface Integrated-Service-Engine1/0
 ip address 200.x.x.x 255.255.255.252
 ip wccp redirect exclude in
 service-module ip address 200.x.x.x 255.255.255.252
 service-module ip default-gateway 200.x.x.x
 no keepalive
!
ip route 0.0.0.0 0.0.0.0 172.x.x.x
ip route 192.x.x.x 255.255.255.0 172.x.x.x
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended AutoQoS-VoIP-Control
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
 permit tcp any any eq 2428
 permit tcp any any range 2000 2002
 permit udp any any eq 1719
 permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
 permit udp any any range 16384 32767
!
access-list 101 permit ip 172.x.x.x 0.0.0.255 any
access-list 109 permit gre host 192.x.x.x host 192.x.x.x

Site 3 router:
interface Tunnel100
 ip address 172.x.x.x 255.255.255.0
 ip wccp 62 redirect in
 tunnel source 172.x.x.x
 tunnel destination 192.x.x.x
!
interface FastEthernet0/0
 description LAN
 ip address 192.x.x.x 255.255.255.0
 ip wccp 61 redirect in
 duplex auto
 speed auto
 service-policy output AutoQoS-Policy-UnTrust
!
interface FastEthernet0/1
 description WAN
 ip address 172.x.x.x 255.255.255.0
 duplex auto
 speed auto
 auto qos voip
 crypto map test
 service-policy output AutoQoS-Policy-UnTrust
!
interface FastEthernet0/1/0
 switchport access vlan 20
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
 no ip address
!
interface Vlan20
 description CONNECTION_TO_WAAS
 ip address 200.x.x.x 255.255.255.252
 ip wccp redirect exclude in
!
ip route 0.0.0.0 0.0.0.0 172.x.x.x
ip route 192.x.x.x 255.255.255.255 172.x.x.x
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended AutoQoS-VoIP-Control
 permit tcp any any eq 1720
 permit tcp any any range 11000 11999
 permit udp any any eq 2427
 permit tcp any any eq 2428
 permit tcp any any range 2000 2002
 permit udp any any eq 1719
 permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
 permit udp any any range 16384 32767
ip access-list extended in_access_out
 permit ip 192.x.x.x 0.0.0.255 192.x.x.x 0.0.0.255
 permit tcp 192.x.x.x 0.0.0.255 any eq www
 permit tcp 192.x.x.x 0.0.0.255 any eq smtp
 permit tcp 192.x.x.x 0.0.0.255 any eq pop3
 permit tcp 192.x.x.x 0.0.0.255 any eq ftp
 permit tcp 192.x.x.x 0.0.0.255 any eq ftp-data
 permit tcp 192.x.x.x 0.0.0.255 any eq 443
 permit udp 192.x.x.x 0.0.0.255 any eq domain
 deny tcp 192.x.x.x 0.0.0.255 any eq 135
 deny tcp 192.x.x.x 0.0.0.255 any eq 139
 deny tcp 192.x.x.x 0.0.0.255 any eq 138
 permit icmp 192.x.x.x 0.0.0.255 any
 permit tcp 192.x.x.x 0.0.0.255 any eq telnet
 permit ip 192.x.x.x 0.0.0.255 192.x.x.x 0.0.0.255
 permit tcp 192.x.x.x 0.0.0.255 any eq domain
 permit tcp 192.x.x.x 0.0.0.255 any eq domain
 permit tcp 192.x.x.x 0.0.0.255 any eq ftp-data
 permit tcp 192.x.x.x 0.0.0.255 any eq login
 deny ip any any
!
access-list 1 permit 192.x.x.x 0.0.0.255
access-list 101 permit gre host 172.x.x.x host 192.x.x.x

I will deeply appreciate all contributions, thanks. ASAP
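Before reasoning about the tunnel path, a reviewer would first check that the ASA policy as posted is internally consistent: every `access-group` and `nat ... access-list` statement should point at an `access-list` that actually appears in the output. In the excerpt above, `access-group 102 in interface inside` references an ACL with no `access-list 102` lines shown, so the effective inside-to-DMZ policy cannot be verified from the post. The following is an added example, not code from the original post: a small Python lint that reads ASA-style configuration text (a constructed sample built from the poster's own lines, redacted `x` octets kept) and reports dangling ACL references as well as ACLs that are defined but never applied anywhere.

```python
import re

# Constructed sample: the policy-relevant lines from the ASA config posted above,
# with the poster's redacted "x" octets left exactly as they appear.
ASA_CONFIG = """\
access-list 103 extended permit ip host 192.x.x.x host 192.x.x.x
access-list 103 extended permit icmp any any
access-list 103 extended permit ip host 192.x.x.x any
access-list 104 extended permit tcp any host 80.x.x.x eq www
access-list 104 extended permit tcp any host 80.x.x.x eq https
access-list 105 extended permit ip 192.x.x.x 255.255.255.0 192.x.x.x 255.255.255.0
access-list 120 extended permit ip 192.x.x.x 255.255.255.0 any
access-list 130 extended permit ip 192.x.x.x 255.255.255.0 10.x.x.x 255.255.255.0
access-list ips extended permit ip any 192.x.x.x 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list 130
nat (inside) 1 access-list 120
nat (dmz) 1 192.x.x.x 255.255.255.255
access-group 104 in interface outside
access-group 102 in interface inside
access-group 103 in interface dmz
"""

# "access-list <name> ..." defines (or extends) an ACL.
ACL_DEF = re.compile(r"^access-list\s+(\S+)\s+")
# "access-group <name> in|out interface <ifname>" applies an ACL to an interface.
ACL_GROUP = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
# "nat (<ifname>) <id> access-list <name>" uses an ACL for policy/identity NAT.
NAT_ACL = re.compile(r"^nat\s+\((\S+)\)\s+\d+\s+access-list\s+(\S+)")


def lint_acl_references(config: str) -> dict:
    """Cross-check ACL definitions against every statement that references one.

    Returns a dict with:
      defined   - sorted names of ACLs that have at least one access-list line
      dangling  - [(statement, acl_name)] for references to undefined ACLs
      unapplied - sorted names of ACLs defined but never referenced
    """
    lines = [raw.strip() for raw in config.splitlines() if raw.strip()]

    # Pass 1: collect definitions, so reference order in the file does not matter.
    defined = {m.group(1) for m in map(ACL_DEF.match, lines) if m}

    # Pass 2: collect references from access-group and nat statements.
    referenced, dangling = set(), []
    for line in lines:
        m = ACL_GROUP.match(line) or NAT_ACL.match(line)
        if not m:
            continue
        # access-group: ACL name is group 1; nat: ACL name is group 2.
        name = m.group(1) if ACL_GROUP.match(line) else m.group(2)
        referenced.add(name)
        if name not in defined:
            dangling.append((line, name))

    return {
        "defined": sorted(defined),
        "dangling": dangling,
        "unapplied": sorted(defined - referenced),
    }


if __name__ == "__main__":
    report = lint_acl_references(ASA_CONFIG)
    for statement, name in report["dangling"]:
        print(f"DANGLING: '{statement}' references undefined ACL {name}")
    for name in report["unapplied"]:
        print(f"UNAPPLIED: ACL {name} is defined but never used")
```

Run against the posted excerpt, the lint flags `access-group 102 in interface inside` as a dangling reference and lists `105` and `ips` as defined but not applied (they are presumably consumed by a crypto map or IPS module not included in the post). A dangling reference in a `show run` excerpt most often means the paste is incomplete; on the device itself, `show access-list 102` confirms whether the ACL exists and what it permits, which is the first thing needed to judge whether site 2 and site 3 traffic is allowed from inside to the DMZ.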



This archive was generated by hypermail 2.1.4 : Tue Jul 01 2008 - 06:23:21 ART