
Please help me out with the configuration

Hi All,

Configuration for a Cisco 2611XM router. My ISP provided me with a block of 16 public IP addresses.

So here is the configuration.

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip tcp synwait-time 10
!
ip cef
no ip bootp server
ip name-server 203.xxx.xxx.32
ip name-server 203.xxx.xxx.13
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no crypto isakmp enable
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 122.xxx.xxx.1 255.255.255.240
 ip access-group 101 in
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 122.xxx.xxx.154 255.255.255.252
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 122.xxx.xxx.153
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 101 permit icmp any host 122.xxx.xxx.154 echo-reply
access-list 101 deny ip 122.xxx.xxx.152 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 103 permit udp host 203.xxx.xxx.13 eq domain host 122.xxx.xxx.154
access-list 103 permit udp host 203.xxx.xxx.32 eq domain host 122.xxx.xxx.154
access-list 103 permit udp host 64.52.111.11 eq ntp host 122.xxx.xxx.154 eq ntp
access-list 103 permit tcp any eq 443 any log
access-list 103 deny ip 122.xxx.xxx.0 0.0.0.15 any log
access-list 103 permit icmp any host 122.xxx.xxx.154 traceroute log
access-list 103 permit icmp any host 122.xxx.xxx.154 time-exceeded
access-list 103 permit icmp any host 122.xxx.xxx.154 unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
!
control-plane
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17208632
ntp server 64.52.111.11
!
!
end

I have two servers and an office LAN. I want to allow services for each IP. Let's take Server A with 122.xxx.xxx.2, which needs ports 21, 80 and 443 allowed, and Server B with 122.xxx.xxx.3, which needs port 80 allowed. For the office LAN I'm using 122.xxx.xxx.4 on a D-Link router. For all of these I'm able to access the internet from inside. From outside I'm able to ping the whole IP range, but I'm unable to assign the services to each IP address. I'm also unable to perform a tracert. Another main issue: if I remove all the access-lists I'm able to access normally, but after 4-5 hours of continuous usage the router hangs and I'm unable to use the internet.

Hope I'm clear with the query. Please correct me.

Regards,

ramsri

1 REPLY

Re: Please help me out with the configuration

Hello Ramsri,

I don't see the ip nat command in global config.

However, the command that can help you is

ip nat inside source static local-address public-address

You need one line for each server.

Then you create a pool for the remaining public addresses to be used for internet access:

ip nat pool xyz 122.x.x.4 122.x.x.4 netmask 255.255.255.240

ip nat inside source list 1 pool xyz

access-list 1 deny host server1-local-ip

access-list 1 deny host server2-local-ip

access-list 1 permit host D-link-router-ip-addr

Be aware that you have CBAC configured and also ACLs:

You need to permit access to the ports you need on the global IP address on the outside interface.

So access-list 103 needs lines for

access-list 103 permit tcp any host 122.x.x.2 eq 21

access-list 103 permit tcp any host 122.x.x.2 eq 80

access-list 103 permit tcp any host 122.x.x.2 eq 443

and for the second server:

access-list 103 permit tcp any host 122.x.x.3 eq 80

Try these changes, but the inspect can also be a problem.

Hope to help

Giuseppe
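To show why the reply's extra lines matter and where they have to sit, here is an added Python model of IOS extended-ACL first-match evaluation. It is written for this page, not taken from the post or from Cisco, and its addresses are constructed stand-ins: 122.0.0.0/28 for the masked 122.xxx.xxx.0 block, 203.0.113.x for the masked DNS servers, and 198.51.100.7 as an outside client; ICMP type keywords and `log` are ignored. It evaluates inbound TCP/80 to server A against ACL 103 as posted, with the suggested permits appended (which is what typing `access-list 103 permit ...` does to an existing numbered ACL: the new entries land after `deny ip any any log` and never match), and with them placed before the final deny. It also shows the anti-spoofing deny still catching an inside-block source, and that the posted `permit tcp any eq 443 any log` matches on source port alone.

```python
"""Model Cisco IOS extended-ACL first-match evaluation (added example).

Addresses are constructed placeholders: 122.0.0.0/28 stands in for the poster's
masked 122.xxx.xxx.0 block and 203.0.113.x for the masked DNS servers.
ICMP type keywords and the 'log' keyword are ignored by this simplified model.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "ntp": 123, "www": 80, "ftp": 21}


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    text: str                  # original line, reported on a match


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i] + " " + tokens[i + 1], i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' qualifier (named or numeric port)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse 'access-list <n> permit|deny <proto> <src> [eq p] <dst> [eq p] ...'."""
    t = line.split()
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    return Entry(t[2], t[3], src, sport, dst, dport, line)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    first, second = spec.split()
    if first == "host":
        return addr == second
    # Wildcard mask: a 1 bit means "don't care", so compare only the 0 bits.
    care = ~int(ipaddress.IPv4Address(second)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(first)) & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    return ((e.proto == "ip" or e.proto == p.proto)
            and _addr_matches(e.src, p.src)
            and _addr_matches(e.dst, p.dst)
            and (e.sport is None or e.sport == p.sport)
            and (e.dport is None or e.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.text
    return "deny", "implicit deny"


# The poster's ACL 103, trimmed to the TCP/UDP-relevant entries (constructed addresses).
ACL_103 = [parse_entry(l) for l in """
access-list 103 permit udp host 203.0.113.13 eq domain host 122.0.0.154
access-list 103 permit udp host 203.0.113.32 eq domain host 122.0.0.154
access-list 103 permit tcp any eq 443 any log
access-list 103 deny ip 122.0.0.0 0.0.0.15 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip any any log
""".splitlines() if l.strip()]

# The reply's suggested per-server permits (constructed addresses).
SERVER_PERMITS = [parse_entry(l) for l in [
    "access-list 103 permit tcp any host 122.0.0.2 eq 21",
    "access-list 103 permit tcp any host 122.0.0.2 eq 80",
    "access-list 103 permit tcp any host 122.0.0.2 eq 443",
    "access-list 103 permit tcp any host 122.0.0.3 eq 80",
]]


def appended(acl: List[Entry]) -> List[Entry]:
    """What re-typing 'access-list 103 permit ...' does to a numbered ACL: appends after the final deny."""
    return acl + SERVER_PERMITS


def inserted_before_final_deny(acl: List[Entry]) -> List[Entry]:
    """Correct ordering: the new permits must precede 'deny ip any any'."""
    return acl[:-1] + SERVER_PERMITS + acl[-1:]


if __name__ == "__main__":
    web_to_a = Packet("tcp", "198.51.100.7", "122.0.0.2", 40000, 80)
    for name, acl in [("as posted", ACL_103), ("appended", appended(ACL_103)),
                      ("inserted", inserted_before_final_deny(ACL_103))]:
        print(name, evaluate(acl, web_to_a))
```

On a numbered ACL the practical way to get the ordering right is to remove the whole list and re-enter it in the intended order, or to convert it to a named extended ACL where entries can be inserted by sequence number. The `permit tcp any eq 443 any log` line is worth revisiting while doing so: it admits any TCP packet whose source port is 443 regardless of destination, and the `ip inspect SDM_LOW out` on the outside interface already opens return traffic for TCP sessions started from inside.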
