Internal interface, DMZ interface and External Frame Relay, routing issues

millertimebjm
Level 1

I have an external interface (MFR0) that is connected to our ISP router using dual serial interfaces (WIC cards) as Frame relay and this is working.

I have an internal interface that is our internal network (FastEthernet0/0) and this is working.  I was able to get Dynamic NAT working and everything is fine here.

I have another external interface (FastEthernet0/1) that is connected to a switch with a few servers that are intended to be DMZ on our ISP-given IP range.  This is not working.  I can't get traffic to be routed from the ISP serial interfaces to this network.  I have gotten traffic routed to this external interface from our internal interface using a second 'ip nat inside source list...' but this was not necessary on our previous T1 setup so I'm not sure what's different. 

My main test is to try to get traffic from the outside to be able to see port 80 of #.#.156.120 and I can't figure out why nothing can get there.  I hope it's something simple like out instead of in or no ip nat outside.  Also, it's been a while since I took a Cisco class so go easy on me.

I'm not sure of the policy on IP addresses so I tried blanking out the first two octets of the important ones. 

Using Cisco 1841 with version:

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

Thanks,

Brandon

interface MFR0
 description Multi-Link Frame Circuit
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface MFR0.100 point-to-point
 description Internet
 bandwidth 3000
 ip address #.#.197.146 255.255.255.252
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 100
!
interface FastEthernet0/0
 description LAN$ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description WAN$ETH-LAN$$FW_OUTSIDE$
 ip address #.#.156.113 255.255.255.240
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay MFR0
 ip route-cache flow
 no arp frame-relay
!
interface Serial0/1/0
 description multilink 1 interface
 no ip address
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay MFR0
 ip route-cache flow
 no arp frame-relay
!
ip classless
ip route 0.0.0.0 0.0.0.0 #.#.197.145
ip route #.#.156.112 255.255.255.240 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 3 interface MFR0.100 overload
!
logging trap debugging
access-list 1 remark NAT access list for PESI LAN
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP Server access list
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 104 permit ip any any
access-list 105 permit udp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit tcp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit udp host 8.8.8.8 eq domain host #.#.197.145
access-list 105 permit udp host 4.2.2.2 eq domain host #.#.197.145
access-list 105 permit icmp any any echo-reply log
access-list 105 permit icmp any any time-exceeded log
access-list 105 permit icmp any any unreachable log
access-list 105 permit tcp any host #.#.156.115 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq 443
access-list 105 permit tcp any host #.#.156.120 eq www
access-list 105 permit tcp any host #.#.156.120 eq 443
access-list 105 permit tcp any host #.#.156.120 eq ftp
access-list 105 deny   ip host 255.255.255.255 any log
access-list 105 deny   ip host 0.0.0.0 any log
access-list 105 deny   ip any any log
no cdp run

1 Reply

millertimebjm
Level 1

Replying to my own post.

The problem has to be in the routing between the two external interfaces, because I found the access-list is correctly being hit for port 80 and ICMP traffic but nothing was returned.

Truncated result of 'show access-list'

80 permit tcp any host #.#.156.120 eq www (6 matches)
110 permit icmp any host #.#.156.120 (4 matches)

I changed the config around a little bit to remove the access-groups on the serial interfaces and add a few additional lines to access group 105.  The access-list match information above was taken after these changes to the config.

Any help would be appreciated.

Thanks,

Brandon

interface MFR0
 description Multi-Link Frame Circuit
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface MFR0.100 point-to-point
 description Internet
 bandwidth 3000
 ip address #.#.197.146 255.255.255.252
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 frame-relay interface-dlci 100
!
interface FastEthernet0/0
 description LAN$ETH-LAN$$FW_INSIDE$
 ip address 192.168.5.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description WAN$ETH-LAN$$FW_OUTSIDE$
 ip address #.#.156.113 255.255.255.240
 ip access-group 104 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW in
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0/0
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay MFR0
 ip route-cache flow
 no arp frame-relay
!
interface Serial0/1/0
 description multilink 1 interface
 no ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay MFR0
 ip route-cache flow
 no arp frame-relay
!
ip classless
ip route 0.0.0.0 0.0.0.0 #.#.197.145
ip route #.#.156.112 255.255.255.240 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 3 interface MFR0.100 overload
!
logging trap debugging
access-list 1 remark NAT access list for PESI LAN
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 deny   any
access-list 2 remark HTTP Server access list
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 104 permit ip any any
access-list 105 permit udp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit tcp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit udp host 8.8.8.8 eq domain host #.#.197.145
access-list 105 permit udp host 4.2.2.2 eq domain host #.#.197.145
access-list 105 permit tcp any host #.#.156.115 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq 443
access-list 105 permit tcp any host #.#.156.120 eq www
access-list 105 permit tcp any host #.#.156.120 eq 443
access-list 105 permit tcp any host #.#.156.120 eq ftp
access-list 105 permit icmp any host #.#.156.120
access-list 105 permit icmp host #.#.156.120 any
access-list 105 permit icmp any any
access-list 105 deny   ip host 255.255.255.255 any log
access-list 105 deny   ip host 0.0.0.0 any log
access-list 105 deny   ip any any log
no cdp run
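Added example, not part of either post and not Cisco IOS code: a small Python model of what the posted routing table and ACL 105 decide for a packet on its own, covering both the original ACL 105 (ICMP echo-reply only) and the reply's version (ICMP to and from the DMZ host permitted). It assumes the masked "#.#" octets are replaced by the placeholder prefix 10.0, uses a constructed client address on TEST-NET-2 (198.51.100.7), keeps only an excerpt of ACL 105, and ignores everything the router does beyond ACL and routing (CBAC inspection, NAT, uRPF, the server's own gateway). It shows why the match counters in the reply agree with the request being permitted and routed to FastEthernet0/1, and why an outside ping would have been dropped under the first ACL but passes the second.

```python
"""Toy packet walk over this thread's routes and ACL 105: longest-prefix
route lookup plus first-match evaluation of an IOS-style extended ACL with
wildcard masks. Added example, not IOS and not the poster's config; the
post's masked "#.#" octets are replaced with the placeholder prefix 10.0."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21}
# (destination, mask, egress); the default route's next-hop sits on MFR0.100.
ROUTES = [("0.0.0.0", "0.0.0.0", "MFR0.100"),
          ("10.0.156.112", "255.255.255.240", "FastEthernet0/1"),
          ("192.168.5.0", "255.255.255.0", "FastEthernet0/0")]
# Excerpt of ACL 105 from the first post: the only ICMP permitted is echo-reply.
ACL_105_FIRST = """\
access-list 105 permit udp any 10.0.156.0 0.0.0.255 eq domain
access-list 105 permit udp host 8.8.8.8 eq domain host 10.0.197.145
access-list 105 permit icmp any any echo-reply log
access-list 105 permit tcp any host 10.0.156.120 eq www
access-list 105 deny   ip any any log
"""
# The reply's change: ICMP to and from the DMZ host is permitted explicitly.
ACL_105_SECOND = ACL_105_FIRST.replace(
    "access-list 105 permit icmp any any echo-reply log\n",
    "access-list 105 permit icmp any host 10.0.156.120\n"
    "access-list 105 permit icmp host 10.0.156.120 any\n")
# Ingress ACL per interface; 100 and 104 are permit-any in both posts.
FIRST_POST = {"MFR0.100": ACL_105_FIRST,
              "FastEthernet0/0": "access-list 100 permit ip any any",
              "FastEthernet0/1": "access-list 104 permit ip any any"}
SECOND_POST = dict(FIRST_POST, **{"MFR0.100": ACL_105_SECOND})

# proto is "tcp", "udp" or "icmp"; icmp_type is e.g. "echo" or "echo-reply".
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type",
                    defaults=(0, 0, ""))

def _parse_addr(t, i):
    """Parse any | host A | A WILDCARD at t[i] into (addr_int, wildcard_int)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])),
            int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def _parse_port(t, i):
    """Optional 'eq <port>' qualifier at t[i]; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return PORT_NAMES.get(p, int(p) if p.isdigit() else None), i + 2
    return None, i

def parse_acl(text):
    """Numbered extended ACL text -> list of parsed entries, in order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        itype = t[i] if t[3] == "icmp" and i < len(t) and t[i] != "log" else ""
        entries.append((line.strip(), t[2], t[3], src, sport, dst, dport, itype))
    return entries

def _addr_match(spec, ip):
    addr, wild = spec  # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate_acl(entries, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for line, action, proto, src, sport, dst, dport, itype in entries:
        if (proto in ("ip", pkt.proto)
                and _addr_match(src, pkt.src) and _addr_match(dst, pkt.dst)
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)
                and itype in ("", pkt.icmp_type)):
            return action, line
    return "deny", "implicit deny"

def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    ip, best = ipaddress.IPv4Address(dst), None
    for net, mask, iface in ROUTES:
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        if ip in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, iface)
    return best[1] if best else None

def walk(pkt, ingress, acls=FIRST_POST):
    """Ingress ACL, then routing: (verdict, matched line, egress interface)."""
    verdict, line = evaluate_acl(parse_acl(acls[ingress]), pkt)
    return verdict, line, route_lookup(pkt.dst) if verdict == "permit" else None

if __name__ == "__main__":
    # Constructed client address on TEST-NET-2; DMZ host .120 is from the post.
    req = Packet("tcp", "198.51.100.7", "10.0.156.120", 40000, 80)
    rep = Packet("tcp", "10.0.156.120", "198.51.100.7", 80, 40000)
    ping = Packet("icmp", "198.51.100.7", "10.0.156.120", icmp_type="echo")
    print("request:", walk(req, "MFR0.100"))
    print("reply  :", walk(rep, "FastEthernet0/1"))
    print("ping v1:", walk(ping, "MFR0.100"))
    print("ping v2:", walk(ping, "MFR0.100", SECOND_POST))
```

The model stops at the egress interface: the request is permitted on MFR0.100 and routed to FastEthernet0/1 by the /28 static route, and the server's reply is permitted by ACL 104 and routed back out MFR0.100 by the default route, with no outbound ACL on either path. Anything beyond the egress interface, such as the server's gateway or how the ISP routes the /28, is outside what the ACL and routing table alone can show.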