
Out of box...no web browsing?

Unanswered Question

I've got a 501, with nat(inside) and global(outside). Something is preventing web browsing, FTP and ICMP traffic. With netstat I can see the connections established (telnet to port 80 of external web server, FTP) but never see banners or login prompts. I've tried some with access lists and get ICMP back and forth but nothing else. Even tried ( in a browser with no luck. Anyone have ideas why?

This is my config:

nat (inside) 5 0 0

global (outside) 5 interface

With no access-lists I get nothing in or out,

but with permit any tcp,udp,icmp,ip I get the symptoms above.

I've seen something in an article about needing to have a PTR record for the external int.

Any help is appreciated.

srittenberg Thu, 03/28/2002 - 21:35

Did you add your default route? Things can't work without the default route.

dean_holroyd Mon, 04/01/2002 - 04:58

Never seen that type of global command option before. The syntax is:

global (if_name) nat_id global_ip-global_ip

global (outside) 5

Using PAT, it should be something like

nat (inside) 5 0 0

global (outside) 5

PTRs are only an issue with apps like FTP when you are running PAT (if you are running it as PAT you should have reverse DNS entries so servers do not get confused with client port mappings).

The global command actually works every time for me. We're only using 1 IP externally, so when you try to define the global with the IP address you get an error. The global(outside) interface works nicely. The PTRs have also proven to be a necessity with both cable and DSL. Without it we cannot get to the web (with 1 or 2 exceptions). The problem now is this:

We're replacing a RED firewall with the delightful 501. PAT is being used, similar to the config shown above. The clients can all get out and surf perfectly after clearing the ARP cache on each. The Novell server cannot. It can ping the 501 internal interface but not the external. I've cleared the cache, checked the routes, etc. on the server but to no avail. Any ideas why?

BTW...Thanks for the input on the previous question.
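
An offline check for the two things this thread turns on, a nat/global pair sharing one ID and a default route on the outside interface, as an added example that is not from any of the posters. The function name, the `route if_name dest mask gateway` line format and the 192.0.2.1 gateway are assumptions; the sample configs are constructed from the lines quoted above.

```python
import re

# Constructed sample: the nat/global pair quoted in the thread, with no route.
SAMPLE_NO_ROUTE = """\
nat (inside) 5 0 0
global (outside) 5 interface
"""

# Same pair plus a default route; 192.0.2.1 is a placeholder gateway (assumption).
SAMPLE_WITH_ROUTE = SAMPLE_NO_ROUTE + "route outside 0.0.0.0 0.0.0.0 192.0.2.1 1\n"

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)(?: (\S+))?")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)")
ZERO = {"0", "0.0.0.0"}  # PIX accepts 0 as shorthand for 0.0.0.0


def check_pix_config(text, outside="outside"):
    """Return a list of findings for the outbound NAT/PAT path."""
    nat_ids, global_ids, findings = set(), set(), []
    has_default = False
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            if m.group(2) != "0":  # nat id 0 disables translation, needs no global
                nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
            if m.group(3) is None:
                findings.append(f"global id {m.group(2)}: no address or 'interface' keyword")
        elif m := ROUTE_RE.match(line):
            if m.group(1) == outside and m.group(2) in ZERO and m.group(3) in ZERO:
                has_default = True
    for nid in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nid}: no global with the same id")
    for gid in sorted(global_ids - nat_ids):
        findings.append(f"global id {gid}: no nat with the same id")
    if not has_default:
        findings.append(f"no default route on {outside}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("no route", SAMPLE_NO_ROUTE), ("with route", SAMPLE_WITH_ROUTE)):
        print(name, check_pix_config(cfg))
```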

