Solved: access-list and NAT

chuckk139 · ‎09-27-2007

I am attempting to get a 1800 router to connect to the internet using a single external ip address to provide NAT for all client computers using the following relevant portions of the current config.

version 12.4

interface FastEthernet0/0

description Connected to LAN$ES_LAN$

ip address 192.168.1.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip route-cache flow

duplex auto

speed auto

no mop enabled

!

interface Serial0/0/0

description Connect to the Internet

ip address 144.223.10.150 255.255.255.252

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip route-cache flow

!

ip classless

ip route 0.0.0.0 0.0.0.0 144.223.10.149

!

ip nat pool inet_add 198.69.35.239 198.69.35.239 netmask 255.255.255.248

ip nat inside source list 10 pool inet_add overload

ip nat inside source static 192.168.1.101 198.69.35.237

ip nat inside source static 192.168.1.225 198.69.35.238

!

logging trap debugging

access-list 10 permit 192.168.1.0

access-list 101 permit tcp any host 144.223.10.150 eq telnet

access-list 101 permit tcp any host 198.69.35.237 eq 9833

access-list 101 permit tcp any host 198.69.35.237 eq 27015

access-list 101 permit tcp any host 198.69.35.237 eq 27016

access-list 101 permit tcp any host 198.69.35.238 eq 3000

access-list 101 permit tcp any host 198.69.35.238 eq 3001

access-list 101 permit tcp any host 198.69.35.238 eq 3003

access-list 101 permit tcp any host 198.69.35.238 eq 3007

access-list 101 permit tcp any host 198.69.35.238 eq 8800

access-list 101 permit tcp any host 198.69.35.238 eq www

access-list 101 deny ip any any

no cdp run

!

When I remove the 101 access-list everything works fine. Soon as I make the first entry however I loose all connectivity to the Internet. I know I am missing something, I just can't figure out what it is. Any help would be greatly appreciated.

palomoj · ‎09-27-2007

Well you only have 3 options that I can think of right now with the base IOS image.

Option #1 - Do not use ACL just NAT

Option #2 - Use Extended ACL and specify specific return traffic for allowed outbound traffic. Example to permit return web traffic use - permit tcp any eq www any.

Option #3 - Use Reflexive Access List. Pay attention to application support limitations. See URL below.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm

View solution in original post

palomoj · ‎09-27-2007

You need to configure CBAC on the router if you want to use ACL 101. CBAC will inspect traffic outbound on Serial0/0/0 and allow legit return traffic (dynamically poking holes in ACL 101 as necessary).

chuckk139 · ‎09-27-2007

I had come across something like this earlier, my problem is that when I enter global configuration mode and type in ip inspect I get an unrecognized command response. Is there a command I must issue before I can enable the CBAC?

palomoj · ‎09-27-2007

Hi, you'll need to upgrade the IOS that supports the CBAC feature set.

chuckk139 · ‎09-27-2007

Is there another way to accomplish what I am trying to do without upgrading the IOS version? As I currently don't have a service agreement with CISCO to get the image.

The only way I am coming up with is a really long access list which would define each individual protocol for each IP address. I don't think that would work well.

palomoj · ‎09-27-2007

show us the output of "show version" and let's see what you have

chuckk139 · ‎09-27-2007

You can find the version information below. Thank you in advance for any insight you can provide.

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(4)T7, RELEASE S

OFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Compiled Tue 28-Nov-06 17:31 by kellythw

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

System returned to ROM by reload at 11:42:05 CDT Thu Sep 27 2007

System image file is "flash:c1841-ipbase-mz.124-4.T7.bin"

Cisco 1841 (revision 7.0) with 115712K/15360K bytes of memory.

Processor board ID FTX1132Y16P

2 FastEthernet interfaces

1 Serial interface

WIC T1-DSU

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

palomoj · ‎09-27-2007

Well you only have 3 options that I can think of right now with the base IOS image.

Option #1 - Do not use ACL just NAT

Option #2 - Use Extended ACL and specify specific return traffic for allowed outbound traffic. Example to permit return web traffic use - permit tcp any eq www any.

Option #3 - Use Reflexive Access List. Pay attention to application support limitations. See URL below.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part15/schreflx.htm