froggy3132000 Tue, 07/24/2007 - 05:50

Are you talking about the inbound FTP connection?

edgar-quintana Tue, 07/24/2007 - 07:37

Yes...


Well, there is only an FTP NAT, but I need to configure FTP (20, 21), web (80)... and more.


But I do not know why it does not work.

Hello,


The ACL applied to the WAN interface in the inbound direction (acl 101) filters out many things, so that can be a problem, but

The

access-list 101 permit tcp host xxxxxxxxx

access-list 101 permit tcp host xxxxxxxxx

access-list 101 permit tcp host xxxxxxxxxxxxxx

entries have to have something at the end, as they are extended ACLs.

You have two networks on the LAN, and acl 110 covers only 192.168.156.0/24.


Anyway, the permanent ip route is not the best thing.

What does "show ip nat trans" show?



Krisztian

Hi,


Well, from the NAT translation it seems 192.168.156.69 tries to connect to 62.22.92.107 and 212.8.111.70 on tcp 25, which is SMTP, but it is not permitted in the ACL. Your ACL permits incoming ftp, www, icmp from any source and ssh, cmd, https, dns from a certain host, and denies everything else (access-list 101 deny ip any any).


So your NAT works fine, but the ACL filters out the traffic coming back.

You can try it by simply removing the ACL for a short time and you will see...


Krisztian
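
The behaviour described in the reply above, as an added example that is not part of the original thread: a first-match evaluator for a stateless inbound ACL, run over a constructed SMTP reply packet. The rule list is a constructed approximation of the ACL summarised in the post, `203.0.113.10` and the client port `40321` are placeholders, and the `established` entry is shown as one common way to admit return traffic, not something the participants proposed.

```python
# Added illustration, not from the thread: first-match evaluation of a
# stateless inbound ACL. Rules and placeholder addresses are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dport: int
    ack: bool = False  # ACK is set on every TCP segment after the first SYN

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "icmp" or "ip" (any protocol)
    src: Optional[str] = None    # None means "any"
    dport: Optional[int] = None  # None means any destination port
    established: bool = False    # IOS keyword: TCP with ACK or RST set

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and self.src in (None, p.src)
                and self.dport in (None, p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))

def evaluate(acl, p):
    """Return (action, rule index) of the first match, as a router would."""
    for i, rule in enumerate(acl):
        if rule.matches(p):
            return rule.action, i
    return "deny", None  # implicit deny at the end of every ACL

TRUSTED = "203.0.113.10"  # placeholder for the masked "host xxxxxxxxx"
ACL_101 = [Rule("permit", "tcp", dport=p) for p in (20, 21, 80)] + [
    Rule("permit", "icmp"),
    Rule("permit", "tcp", src=TRUSTED, dport=22),
    Rule("permit", "tcp", src=TRUSTED, dport=443),
    Rule("deny", "ip"),  # access-list 101 deny ip any any
]
# Constructed SMTP reply: source port 25, destination is the NAT'd client port.
SMTP_REPLY = Packet("tcp", "62.22.92.107", sport=25, dport=40321, ack=True)
# Same ACL with a leading "permit tcp any any established" entry.
ACL_101_EST = [Rule("permit", "tcp", established=True)] + ACL_101

if __name__ == "__main__":
    print(evaluate(ACL_101, SMTP_REPLY), evaluate(ACL_101_EST, SMTP_REPLY))
```

`established` only inspects TCP flags, so it admits any ACK-flagged segment whether or not an inside host opened the connection; stateful inspection is stricter.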

froggy3132000 Tue, 07/24/2007 - 08:54

I would do a one-to-one NAT and then permit the ports via the acl.
