09-27-2007 06:08 AM - edited 03-03-2019 06:56 PM
I am attempting to get an 1800 router to connect to the Internet using a single external IP address to provide NAT for all client computers, using the following relevant portions of the current config.
version 12.4
interface FastEthernet0/0
description Connected to LAN$ES_LAN$
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
description Connect to the Internet
ip address 144.223.10.150 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 144.223.10.149
!
ip nat pool inet_add 198.69.35.239 198.69.35.239 netmask 255.255.255.248
ip nat inside source list 10 pool inet_add overload
ip nat inside source static 192.168.1.101 198.69.35.237
ip nat inside source static 192.168.1.225 198.69.35.238
!
!
logging trap debugging
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any any
no cdp run
!
When I remove the 101 access-list everything works fine. As soon as I make the first entry, however, I lose all connectivity to the Internet. I know I am missing something; I just can't figure out what it is. Any help would be greatly appreciated.
09-27-2007 11:06 AM
Well, you only have 3 options that I can think of right now with the base IOS image.
Option #1 - Do not use an ACL, just NAT.
Option #2 - Use an extended ACL and explicitly specify the return traffic for allowed outbound traffic. Example: to permit return web traffic, use: permit tcp any eq www any.
Option #3 - Use a reflexive access list. Pay attention to application support limitations. See the URL below.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm
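To make Options #2 and #3 concrete, here is an added configuration example written for this reply; it is not the poster's config and not from the Cisco document linked above. It reuses the addresses from the posted config (the pool 198.69.35.239 sits in 198.69.35.232/29, so the return-traffic lines cover that /29 rather than the single pool address, and the DNS line assumes the LAN resolves names through the router). The ACL names OUTBOUND-REFLECT, INBOUND-FROM-INET and the TCP-SESSIONS/UDP-SESSIONS/ICMP-SESSIONS reflexive lists, and the timeouts, are my own choices; the per-host permits are the ones already in ACL 101.

```ios
! Added example (not the poster's config): two ways to admit return traffic on Serial0/0/0
! with an IP Base image. Apply only one of the two sections.
!
! --- Option #2: stateless "established" check on the existing numbered ACL 101 ---
! "established" matches TCP segments with ACK or RST set, i.e. replies to sessions the
! LAN opened. It does not remember that an outbound SYN ever happened and it covers TCP
! only, so replies to UDP services the LAN uses (DNS here) need explicit lines.
no access-list 101
access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
! replies to TCP sessions opened from the PAT pool address or the two static NAT hosts
access-list 101 permit tcp any 198.69.35.232 0.0.0.7 established
! DNS answers (assumption: LAN clients query external resolvers through this router)
access-list 101 permit udp any eq domain 198.69.35.232 0.0.0.7
! log what is dropped so a blocked legitimate flow shows up in "show logging"
access-list 101 deny ip any any log
!
! --- Option #3: reflexive ACL (requires named extended ACLs) ---
! The outbound ACL records each session the LAN opens in a temporary list. Outbound
! traffic is evaluated after inside-to-outside NAT, so the recorded source is the
! 198.69.35.x global address; inbound traffic is evaluated before NAT, so the mirrored
! entry matches the reply. Entries expire after the timeout. Applications that open
! a second connection on a different port (active FTP, for example) are not tracked.
ip access-list extended OUTBOUND-REFLECT
 permit tcp any any reflect TCP-SESSIONS timeout 300
 permit udp any any reflect UDP-SESSIONS timeout 60
 permit icmp any any reflect ICMP-SESSIONS timeout 30
 permit ip any any
!
ip access-list extended INBOUND-FROM-INET
 remark router management; "any" could be narrowed to a known admin source (placeholder: no address given in the thread)
 permit tcp any host 144.223.10.150 eq telnet
 remark published services on the static NAT hosts, as in the original ACL 101
 permit tcp any host 198.69.35.237 eq 9833
 permit tcp any host 198.69.35.237 eq 27015
 permit tcp any host 198.69.35.237 eq 27016
 permit tcp any host 198.69.35.238 eq 3000
 permit tcp any host 198.69.35.238 eq 3001
 permit tcp any host 198.69.35.238 eq 3003
 permit tcp any host 198.69.35.238 eq 3007
 permit tcp any host 198.69.35.238 eq 8800
 permit tcp any host 198.69.35.238 eq www
 remark mirrored entries for sessions opened from the LAN
 evaluate TCP-SESSIONS
 evaluate UDP-SESSIONS
 evaluate ICMP-SESSIONS
 deny ip any any log
!
interface Serial0/0/0
 no ip access-group 101 in
 ip access-group OUTBOUND-REFLECT out
 ip access-group INBOUND-FROM-INET in
```

After applying either section, "show access-lists" shows the match counters, and with Option #3 the temporary TCP-SESSIONS entries appear there while a LAN session is open, which is the quickest way to confirm that the reflected source address is the 198.69.35.x global address rather than a 192.168.1.x one.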
09-27-2007 07:53 AM
You need to configure CBAC on the router if you want to use ACL 101. CBAC will inspect traffic outbound on Serial0/0/0 and allow legit return traffic (dynamically poking holes in ACL 101 as necessary).
09-27-2007 08:17 AM
I had come across something like this earlier; my problem is that when I enter global configuration mode and type in "ip inspect", I get an unrecognized command response. Is there a command I must issue before I can enable CBAC?
09-27-2007 09:00 AM
Hi, you'll need to upgrade to an IOS that supports the CBAC feature set.
09-27-2007 09:46 AM
Is there another way to accomplish what I am trying to do without upgrading the IOS version, as I currently don't have a service agreement with Cisco to get the image?
The only way I am coming up with is a really long access list which would define each individual protocol for each IP address. I don't think that would work well.
09-27-2007 09:49 AM
Show us the output of "show version" and let's see what you have.
09-27-2007 10:27 AM
You can find the version information below. Thank you in advance for any insight you can provide.
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 28-Nov-06 17:31 by kellythw
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
System returned to ROM by reload at 11:42:05 CDT Thu Sep 27 2007
System image file is "flash:c1841-ipbase-mz.124-4.T7.bin"
Cisco 1841 (revision 7.0) with 115712K/15360K bytes of memory.
Processor board ID FTX1132Y16P
2 FastEthernet interfaces
1 Serial interface
WIC T1-DSU
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102