05-22-2008 06:25 AM
Hi, I have replaced an ISP's ADSL Modem Router with a Cisco 857 with the config below.
Now incoming access seems to be blocked, I cannot ping the Vlan interface from the outside although I can ping the PPP side of the router OK.
Clients on the inside can still access the Internet successfully.
Does anyone have any ideas as to why this is?
Many Thanks,
Chris
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco857
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxx
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxx
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383339 38313839 3236301E 170D3038 30353230 30363135
33335A17 0(truncated)
dot11 syslog
no ip source-route
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name xxxxxxxx
ip name-server xxx.xxx.32.1
ip name-server xxx.xxx.32.13
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxx
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address xxx.xxx.119.145 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxx@xxxxxxxx.co.uk
ppp chap password 7 xxxxxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit xxx.xxx.119.144 0.0.0.7
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-22-2008 06:34 AM
Hi, NAT works so that you can ping from inside to outside, but not vice versa. Remember that inside addresses are private, that is, not routable on the Internet. That is also a good thing for security. All network activity should work normally, however.
Hope this helps, please rate post if it does!
05-22-2008 06:41 AM
Thanks, but NAT was set up on the old modem router and I could connect using SMTP, ICMP and HTTPS to servers on the inside without issues.
Behind this 857 is a PIX 501 which has static NATs set up for a couple of servers; these are now inaccessible.
05-22-2008 07:43 AM
You have configured NAT on the router. If the inside addresses on the router are not private ones, remove the NAT statements.
05-22-2008 08:15 AM
Thanks, so NAT doesn't need to be enabled even though I need to share the PPP connection between the inside clients?
05-22-2008 01:10 PM
If your ISP has given you a range of public IP addresses to use on the LAN, NAT is not necessary.
hope this helps, please rate post if it does!
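The NAT-free variant of the posted 857 configuration, as an added example that is not part of the thread. In the config as posted, Vlan1 is `ip nat inside`, Dialer0 is `ip nat outside`, and access-list 1 matches the whole public /29 (which includes the PIX outside address), so every packet leaving toward the Internet is rewritten to Dialer0's negotiated address by the overload rule. The example removes that rule and the NAT markings so the /29 is routed unchanged in both directions. The management access-list (23) is an assumption: the posted config references it in `ip http access-class 23` but never defines it, and the vty lines carry no access-class at all, so once the LAN addresses are reachable from the Internet, something has to restrict telnet/SSH/HTTP to the router. Interface names and the xxx.xxx.119.144/29 placeholder are kept as posted.

```cisco
! Added example (not the poster's config): drop NAT for a public /29
! and restrict router management to the LAN. Addresses are placeholders
! exactly as in the thread.
configure terminal

! 1. Flush the translation table first; IOS refuses to remove a
!    dynamic mapping while translations are still in use.
do clear ip nat translation *

! 2. Remove the overload rule and the access-list that feeds it.
no ip nat inside source list 1 interface Dialer0 overload
no access-list 1

! 3. Take both interfaces out of the NAT domain. Routing is unchanged:
!    0.0.0.0/0 still points at Dialer0 and the /29 stays connected on Vlan1.
interface Vlan1
 no ip nat inside
exit
interface Dialer0
 no ip nat outside
exit

! 4. ASSUMED ACL: with the /29 now exposed, allow management only from the
!    LAN. ACL 23 is already referenced by "ip http access-class 23" in the
!    posted config but was never defined there.
access-list 23 remark MGMT_FROM_LAN_ONLY
access-list 23 permit xxx.xxx.119.144 0.0.0.7
access-list 23 deny   any log
line vty 0 4
 access-class 23 in
exit
end

! 5. Checks: the translation table must stay empty under load, and a
!    reply from a LAN host must leave with its own source address.
show ip nat translations
show ip nat statistics
show access-lists 23
```

After this change the PIX 501 is the only device filtering traffic to the servers, so its static NATs and outside ACLs do the work the 857's overload rule was accidentally doing before; `show ip nat statistics` should report no active translations and no hits on the removed mapping.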