877 Views, 0 Helpful, 22 Replies

ACL problems

nickc1976
Level 1

I have a Cisco 857 router.

I have given it a basic configuration and can now use it to get web access.

I want to allow incoming access to my network 192.168.2.0 from three external locations, and also to allow any outgoing connection.

I have set up these access lists:

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit ip host 84.92.xxx.xxx any

access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established

access-list 102 permit tcp 192.168.2.0 0.0.0.25 any

int dialer0

ip access-group 101 in

int vlan1

ip access-group 102 out

The problem is that 102 doesn't appear to be working; I can't use the internet on the local network. If I change 102 to:

access-list 102 permit ip any any

then I get internet access again.

show ip int for vlan1 shows the ip address as 192.168.2.1/24

Any suggestions?

22 Replies

Jon Marshall
Hall of Fame

Nick

Is this a typo:

access-list 102 permit tcp 192.168.2.0 0.0.0.25 any

i.e. the mask is 0.0.0.25 rather than 0.0.0.255?

Also, are you changing the addressing? 192.168.2.0/24 is not routable on the internet, so are you NATting somewhere?

Jon

Hi Jon,

Thanks for the quick reply

Sorry, yes, that is a typo, the mask is 0.0.0.255.

Also, I do have NAT set up for 192.168.2.0/24. My internet access works fine until I start adding ACLs.

Nick

Nick

Apologies, but this is where I'm getting confused, i.e.

access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established

this line is part of your inbound ACL on the dialer interface. But packets coming back would not be going to 192.168.2.0/24 - they would be coming back from the Internet to whatever you have NATted the 192.168.2.0/24 addresses to?

So your ACL should be

access-list 101 permit tcp any established

But you are saying this works without ACL 102?

Am I making sense :)

Jon

Jon

I understand what you're saying - because of NAT, my returning packets won't have the destination address 192.168.2.0/24.

In my config, I have the following:

interface vlan1

ip nat inside

interface dialer0

ip nat outside

So I'm presuming my 192.168.2.0/24 addresses would be NATted to the external IP provided by my ISP - is that right? i.e. 84.92.xxx.xxx

So I tried changing my ACL to:

access-list 101 permit tcp any host 84.92.xxx.xxx established

but still I can't get an internet connection.

Nick

Yes, your ACL 101 should refer to the NATted address.

Also, Giuseppe is right. Outbound packets on a VLAN interface are packets going to machines on that VLAN. Inbound packets on a VLAN interface are packets coming from that VLAN.

Don't think of inbound/outbound in terms of the machines; think of it in terms of the interface.

Jon

Giuseppe Larosa
Hall of Fame

Hello Nick,

because ACL 102 is applied outbound, it should be

access-list 102 permit tcp any 192.168.2.0 0.0.0.255

from the point of view of the internal LAN, outbound traffic is directed to 192.168.2.0/24, not coming from it.

Hope to help

Giuseppe

Giuseppe

I'm not sure I understand. 102 is being applied out of vlan1, i.e. 192.168.2.1. So I would expect the source address of my outgoing packets to be 192.168.2.0 0.0.0.255 and the destination to be any.

Hello Nick,

here is the point:

packets that exit Vlan1 are directed to what?

users in vlan1

think of a routed interface

int f0/0

ip address 192.168.2.1 255.255.255.0

ip access-group 102 in

this matches

try to use ip accounting output packets

a packet for 192.168.2.112 will exit this f0/0 and will have destination 192.168.2.112, not source 192.168.2.112

here Vlan1 is used to provide a gateway for the few LAN ports associated with L2 Vlan1 (as on the 877), but it is the same concept

to test, do the following:

apply your ACL 102 inbound instead of outbound and verify whether you can access the internet

Hope to help

Giuseppe

Guys,

Thanks for your help so far. I understand what you are saying. I was looking at vlan1 in terms of the router rather than the interface.

I have changed my ACLs as follows:

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit ip host 84.92.xxx.xxx any (remote site IP)

access-list 101 permit tcp any host 84.92.xxx.xxx established (local site IP)

int dialer0

ip access-group 101 in

access-list 102 permit ip host 84.92.xxx.xxx any (local site IP)

int dialer0

ip access-group 102 out

access-list 103 permit ip 192.168.2.0 0.0.0.255 any

int vlan1

ip access-group 103 in

However, I still cannot get internet access when using a PC on the 192.168.2.0 network.

Nick

Can you remove from your config

int dialer0

no ip access-group 102 out

and then let me know how you get on

Jon

Nick

Sorry, I'm having a moment!! PLEASE IGNORE THIS POST.

Jon

Right - let's start again :)

If you want to allow incoming access to network 192.168.2.0, do you mean connections initiated from outside? If so, you need to use static NAT to set up a one-to-one translation for the 192.168.2.x hosts you want to give access to, i.e. you cannot rely on the dynamic NAT you use on the way out. It got a bit confusing because we kept using 84.92.xxx.xxx, so let's use some dummy public IP addresses.

Outside interface of your router =

84.72.31.10

int dialer0

ip nat outside

ip access-group 101 in

int vlan 1

ip nat inside

ip access-group 102 in

So, the easy access-list first.

access-list 102 permit ip 192.168.2.0 0.0.0.255 any

then you need to make sure all 192.168.2.x hosts are NATted, so

access-list 103 permit ip 192.168.2.0 0.0.0.255 any

ip nat inside source list 103 interface dialer0 overload

the above allows all IP to be initiated from the 192.168.2.0 network to the internet and NATs it to the outside interface.

Now for the harder bit

access-list 101 permit tcp any host 84.72.31.10 established

** this line allows return traffic for TCP connections back in.

The established keyword only works for TCP, so if you needed UDP to be allowed back in then you need to add that in for each port you want, e.g.

access-list 101 permit udp any eq 53 host 84.72.31.10

Notice the way round this is. This is because the source UDP port coming back will be the service, and it will be in response to a connection initiated from inside, e.g.

if 192.168.2.15 initiates a DNS request to a DNS server then this will be allowed out because of ACL 102 on the vlan 1 interface. The destination port would be UDP 53 but the source port could be anything. When the packet returns the source port is now 53 because it is a response back from a DNS server.

Now the rest of your ACL 101 depends on what you want to give access to and how many spare public IP addresses you have. Let's say you have 1 spare public IP

84.72.31.11

and you wanted to give access to host 192.168.2.20 using http

you would need to add the following line to your config (the local address comes first, then the public one)

ip nat inside source static 192.168.2.20 84.72.31.11

and then update your ACL

access-list 101 permit tcp any host 84.72.31.11 eq www

Key thing is when traffic is initiated from 192.168.2.x network to internet you can hide all the 192.168.2.x addresses behind the one public IP of your outside interface. But when traffic is initiated from outside you need to tell the router which 192.168.2.x private IP the public IP is attached to.

Really sorry if I have confused you.

Jon
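
The following is an added example, not code from this thread or from Cisco: a small Python evaluator for the numbered extended ACL syntax the posts use (permit/deny, ip/tcp/udp, host/any/wildcard, `eq PORT`, `established`). It applies the rules IOS applies (first match wins, implicit deny at the end) to constructed packets described as they would look at each point in the router, which lets you check both Giuseppe's argument about `in`/`out` on Vlan1 being relative to the interface and Jon's design above: what the `0.0.0.25` wildcard typo really matches, why ACL 102 fails when applied `out` on Vlan1 even with the mask fixed, why the Dialer0 inbound ACL must name the NATted address, and what the `eq www` line on the static-NAT host lets in. The public addresses are Jon's dummies (84.72.31.10 and .11); the remote peers in 203.0.113.0/24 and 198.51.100.0/24 and all packets are made up for the example, and NAT itself is not modelled beyond presenting each packet with the addresses it would carry at that interface.

```python
"""Toy evaluator for the numbered extended ACL syntax used in this thread.

Added example, not code from the thread or from Cisco. It parses the
access-list lines the posts use and checks packets the way IOS does (first
match wins, implicit deny at the end), so the points argued above can be
verified: what the 0.0.0.25 wildcard typo really matches, 'in'/'out' on Vlan1
being relative to the interface, and NAT changing the destination the Dialer0
inbound ACL sees. Public IPs are Jon's dummies; peers and packets are made up."""
import ipaddress
from collections import namedtuple

# ack = TCP ACK or RST bit set; that flag is all the 'established' keyword tests
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
PORT_NAMES = {"www": 80, "domain": 53}


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def matching_hosts(base, wildcard, prefix="192.168.2.0/24"):
    # every address inside `prefix` that the pair `base wildcard` really covers
    return [str(h) for h in ipaddress.ip_network(prefix)
            if wildcard_match(str(h), base, wildcard)]


def _addr(tokens):
    # consume one address spec; return (base, wildcard) and the remaining tokens
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _port(tokens):
    # consume an optional 'eq PORT'; return the port (or None) and the remainder
    if tokens[:1] == ["eq"]:
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acls(config):
    """Return {acl_number: [entry, ...]} from the 'access-list N ...' lines."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue  # interface / ip nat lines are not evaluated here
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        acls.setdefault(int(t[1]), []).append(dict(
            action=t[2], proto=t[3], src=src, sport=sport, dst=dst,
            dport=dport, established="established" in rest))
    return acls


def permits(entries, pkt):
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", pkt.proto):
            continue
        if not (wildcard_match(pkt.src, *e["src"]) and wildcard_match(pkt.dst, *e["dst"])):
            continue
        if e["sport"] not in (None, pkt.sport) or e["dport"] not in (None, pkt.dport):
            continue
        if e["established"] and not pkt.ack:
            continue
        return e["action"] == "permit"
    return False


# Nick's first attempt (0.0.0.25 typo kept on purpose) and Jon's final design.
NICK = parse_acls("""
access-list 101 permit tcp any 192.168.2.0 0.0.0.255 established
access-list 102 permit tcp 192.168.2.0 0.0.0.25 any
""")
JON = parse_acls("""
access-list 101 permit tcp any host 84.72.31.10 established
access-list 101 permit udp any eq 53 host 84.72.31.10
access-list 101 permit tcp any host 84.72.31.11 eq www
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
""")
OUTSIDE, PC, WEB_PUB = "84.72.31.10", "192.168.2.15", "84.72.31.11"
syn_out = Packet("tcp", PC, "203.0.113.5", 40000, 80)                  # PC -> web site
reply_dialer = Packet("tcp", "203.0.113.5", OUTSIDE, 80, 40000, True)  # seen 'in' on Dialer0
reply_vlan = Packet("tcp", "203.0.113.5", PC, 80, 40000, True)         # seen 'out' on Vlan1


def scenarios():
    # each key is a claim made in the thread; the value is what the ACL does
    return {
        # 0.0.0.25 frees only bits 0, 3 and 4, so 8 of the 256 addresses match
        "typo_hosts": matching_hosts("192.168.2.0", "0.0.0.25"),
        "typo_blocks_pc": permits(NICK[102], syn_out),
        # 'out' on Vlan1 sees packets *to* the LAN: 102 fails there even with the mask fixed
        "102_out_on_vlan1": permits(JON[102], reply_vlan),
        "102_in_on_vlan1": permits(JON[102], syn_out),
        # Dialer0 inbound sees the NATted destination, never 192.168.2.x
        "return_old_101": permits(NICK[101], reply_dialer),
        "return_new_101": permits(JON[101], reply_dialer),
        "dns_reply": permits(JON[101], Packet("udp", "203.0.113.53", OUTSIDE, 53, 51000)),
        # static-NAT host: only the published port is reachable from outside
        "web_syn": permits(JON[101], Packet("tcp", "198.51.100.7", WEB_PUB, 51000, 80)),
        "ssh_syn": permits(JON[101], Packet("tcp", "198.51.100.7", WEB_PUB, 51000, 22)),
        # caveat: 'established' is stateless, any segment with ACK set gets through
        "forged_ack": permits(JON[101], Packet("tcp", "198.51.100.7", OUTSIDE, 51000, 22, True)),
    }
```

Two results are worth dwelling on. `typo_hosts` shows that the `0.0.0.25` mask is not a total outage but a partial one: a PC at 192.168.2.1, .8, .16 or .24 would still have worked while .15 did not, which is the kind of symptom that sends people chasing NAT when the problem is one missing digit. `forged_ack` is the security caveat on Jon's `established` line: the keyword checks only that the ACK or RST bit is set, it keeps no connection table, so anyone can reach any TCP port on the outside address with a crafted ACK segment. The host's stack will normally answer such a segment with a RST, but the ACL is not what stops it; for real return-traffic tracking the router needs a stateful feature such as CBAC (`ip inspect`) or a zone-based firewall, where the IOS image on the 857 supports it.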

Thanks. I will go and test this and let you know how I get on.

I'll give you a bit more information about what I am trying to achieve.

The router is at a main office. There are two other offices that are permanently connected to the main office by IPsec VPN.

There is another office which occasionally connects to the main office via a VPN connection, then uses the VNC software to give remote support.

I don't mind what traffic is allowed out of the main office, but I want to restrict the incoming VPN so that only specified sites can make the connection.

Jon,

I'm having some problems still.

When should I apply this command:

ip nat inside source list 103 interface dialer0 overload

I have tried

int vlan1

ip nat inside source list 103 interface dialer0 overload

and I get a message saying 'Configuration failed'
