Extended ACL and Nat issues, could use expert help!!!!

squinn2000
Level 1

I have been attempting to configure a Cisco 2621xm router with IOS 12.2(18) and have run into issues that seem to be beyond my CCNA expertise. The symptoms of my config are that clients cannot access the internet, no browsing etc. It appears NAT translations work, but when I apply access-list 101 no browsing occurs. I have troubleshot it but cannot see the issue. Could really use some advice.

Please view my Running-Config, IP NAT Stat and Nat Translation and offer any advice. I am missing something or misconfigured something but cannot pinpoint. Advice will be appreciated!!!!!

Current configuration : 2666 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxrtr
!
xxxxx (moderator edit)
enable password xxxxx (moderator edit)
!
ip subnet-zero
ip domain-name xxxxxxxxxxxx.com
ip name-server 65.xx.1.65
ip name-server 65.xx.1.70
!
interface FastEthernet0/0
 description Private Interface
 ip address 192.168.x.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description Public Interface
 ip address 65.xx.15.86 255.255.255.192 secondary
 ip address 65.xx.15.87 255.255.255.192
 ip access-group 101 in
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
ip nat pool ovrld 65.xx.15.87 65.xx.15.87 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source static 192.168.x.159 65.xx.15.86
ip nat inside source static tcp 192.168.x.11 20 65.xx.15.87 20 extendable
ip nat inside source static tcp 192.168.x.11 21 65.xx.15.87 21 extendable
ip nat inside source static tcp 192.168.x.11 80 65.xx.15.87 80 extendable
ip nat inside source static tcp 192.168.x.11 16893 65.xx.15.87 16893 extendable
ip nat inside source static tcp 192.168.x.13 16894 65.xx.15.87 16894 extendable
ip nat inside source static tcp 192.168.x.12 16895 65.xx.15.87 16895 extendable
ip nat inside source static tcp 192.168.x.11 24176 65.xx.15.87 24176 extendable
ip nat inside source static tcp 192.168.x.13 24177 65.xx.15.87 24177 extendable
ip nat inside source static tcp 192.168.x.12 24178 65.xx.15.87 24178 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.xx.15.65 permanent
no ip http server
!
access-list 7 permit 192.168.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 65.xx.15.86
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.xx.15.87 eq www
access-list 101 permit tcp any host 65.xx.15.87 eq 16893
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.xx.15.87 eq www
access-list 101 permit tcp any host 65.xx.15.87 eq 16893
access-list 101 permit tcp any host 65.xx.15.87 eq 16894
access-list 101 permit tcp any host 65.xx.15.87 eq 16895
access-list 101 permit tcp any host 65.xx.15.87 eq 24176
access-list 101 permit tcp any host 65.xx.15.87 eq 24177
access-list 101 permit tcp any host 65.xx.15.87 eq 24178
access-list 101 permit tcp any host 65.xx.15.87 eq ftp
access-list 101 permit tcp any host 65.xx.15.87 eq ftp-data
access-list 101 permit tcp any host 65.xx.15.86 eq 1723
access-list 101 permit tcp any host 65.xx.15.86
no cdp run
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password 7 141222195D1E2709753C303D
 login
!
end

xxxxxrtr#show ip nat statistics
Total active translations: 10 (10 static, 0 dynamic; 9 extended)
Outside interfaces:
  FastEthernet0/1
Inside interfaces:
  FastEthernet0/0
Hits: 305100  Misses: 1237
Expired translations: 1282
Dynamic mappings:
-- Inside Source
access-list 7 pool ovrld refcount 0
 pool ovrld: netmask 255.255.255.0
        start 65.xx.15.87 end 65.xx.15.87
        type generic, total addresses 1, allocated 0 (0%), misses 4

xxxxxrtr#show ip nat translations
Pro Inside global      Inside local         Outside local   Outside global
--- 65.xx.15.86        192.168.x.159        ---             ---
tcp 65.xx.15.87:20     192.168.x.11:20      ---             ---
tcp 65.xx.15.87:21     192.168.x.11:21      ---             ---
tcp 65.xx.15.87:80     192.168.x.11:80      ---             ---
tcp 65.xx.15.87:16893  192.168.x.11:16893   ---             ---
tcp 65.xx.15.87:16894  192.168.x.13:16894   ---             ---
tcp 65.xx.15.87:16895  192.168.x.12:16895   ---             ---
tcp 65.xx.15.87:24176  192.168.x.11:24176   ---             ---
tcp 65.xx.15.87:24177  192.168.x.13:24177   ---             ---
tcp 65.xx.15.87:24178  192.168.x.12:24178   ---             ---
xxxxxrtr#

1 Reply

gfullage
Cisco Employee

Let's take one line of ACL101 as an example:

> access-list 101 permit tcp any host 65.xx.15.87 eq www

This says to allow TCP packets FROM anywhere to 65.xx.15.87 with a DESTINATION port of 80. This only means that packets originating from the Internet towards your Web server will get through. WWW packets originating from your internal 192.168.x.x subnet to the Internet will have a destination port of 80, but on their return, the SOURCE port will be 80, not the destination port. These replies will be dropped by your access-list.

To allow return packets to come in, you need to add:

> access-list 101 permit tcp any eq www host 65.xx.15.87

This says the source port is 80, not the destination port. Keep in mind, though, that doing an inbound ACL like this is pretty messy; you'll continue to get complaints from users that certain protocols aren't getting in (actually all they'll complain about is that they can't do something, and you'll be left to figure it out). You'll probably also need to add:

> access-list 101 permit udp any eq domain host 65.xx.15.87

otherwise DNS lookups to these web sites won't work (assuming your DNS server is outside). An easy way to see what's being dropped is to add:

> access-list 101 deny ip any any log

to the end of your ACL. Then whenever a packet is denied you'll see a console message saying what it is, you can then add an ACL to allow it in.
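The point of the reply is that an extended ACL is stateless: the position of `eq` decides whether it qualifies the source or the destination port, so an entry written for inbound requests to the web server never matches the replies to outbound browsing, whose port 80 is on the source side. The following simulator is an added example, not code from the post or from Cisco; it parses the subset of `access-list` syntax used in this thread, evaluates constructed packets as they arrive on the outside interface (before NAT rewrites the destination back to the 192.168.x.x host) against the ACL as posted and as amended by the reply, and shows the trailing `deny ip any any log` entry producing a log line for an unmatched packet. The addresses 65.0.15.87 and 198.51.100.x are constructed stand-ins for the masked values in the post, and the log text is a constructed format, not IOS's own. It also models the `established` keyword, which the reply does not mention, to show how a stateless ACL can admit replies by TCP flag rather than by source port.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

WEB_SERVER = "65.0.15.87"          # constructed stand-in for the masked inside global address
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "ftp-data": 20}


@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False              # TCP ACK bit; this is what 'established' tests


@dataclass
class Ace:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches every protocol
    src: Union[str, Tuple[str, str]]   # "any", a host address, or (network, wildcard)
    dst: Union[str, Tuple[str, str]]
    sport: Optional[int] = None    # 'eq' qualifier that appeared after the SOURCE address
    dport: Optional[int] = None    # 'eq' qualifier that appeared after the DESTINATION address
    established: bool = False
    log: bool = False


def port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [established] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    action, proto, i = t[2], t[3], 4

    def addr(i: int):
        if t[i] == "any":
            return "any", i + 1
        if t[i] == "host":
            return t[i + 1], i + 2
        return (t[i], t[i + 1]), i + 2      # network followed by wildcard mask

    src, i = addr(i)
    sport = None
    if i < len(t) and t[i] == "eq":        # 'eq' here qualifies the source port
        sport, i = port(t[i + 1]), i + 2
    dst, i = addr(i)
    dport = None
    if i < len(t) and t[i] == "eq":        # 'eq' here qualifies the destination port
        dport, i = port(t[i + 1]), i + 2
    rest = t[i:]
    return Ace(action, proto, src, dst, sport, dport, "established" in rest, "log" in rest)


def addr_match(spec, ip: str) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, tuple):            # wildcard bit 0 means "this bit must match"
        net, wc = (int(ipaddress.ip_address(x)) for x in spec)
        keep = ~wc & 0xFFFFFFFF
        return (int(ipaddress.ip_address(ip)) & keep) == (net & keep)
    return spec == ip


def ace_match(a: Ace, p: Packet) -> bool:
    if a.proto != "ip" and a.proto != p.proto:
        return False
    if not (addr_match(a.src, p.src) and addr_match(a.dst, p.dst)):
        return False
    if a.sport is not None and p.sport != a.sport:
        return False
    if a.dport is not None and p.dport != a.dport:
        return False
    if a.established and not (p.proto == "tcp" and p.ack):
        return False
    return True


def evaluate(acl: List[Ace], p: Packet):
    """First match wins; an extended ACL ends with an implicit 'deny ip any any'."""
    for a in acl:
        if ace_match(a, p):
            msg = f"{a.action} {p.proto} {p.src}({p.sport}) -> {p.dst}({p.dport})" if a.log else None
            return a.action, msg
    return "deny", None


AS_POSTED = [parse_ace(l) for l in [
    f"access-list 101 permit tcp any host {WEB_SERVER} eq www",
    f"access-list 101 permit tcp any host {WEB_SERVER} eq ftp",
]]
AS_FIXED = [parse_ace(l) for l in [
    f"access-list 101 permit tcp any host {WEB_SERVER} eq www",
    f"access-list 101 permit tcp any eq www host {WEB_SERVER}",      # replies to outbound browsing
    f"access-list 101 permit udp any eq domain host {WEB_SERVER}",   # DNS answers
    "access-list 101 deny ip any any log",
]]

# Constructed packets as seen on the outside interface: destination is still the inside global address.
SAMPLE = {
    "web_request": Packet("tcp", "198.51.100.7", WEB_SERVER, 40000, 80),
    "web_reply":   Packet("tcp", "198.51.100.7", WEB_SERVER, 80, 51514, ack=True),
    "dns_reply":   Packet("udp", "198.51.100.53", WEB_SERVER, 53, 33333),
    "probe":       Packet("tcp", "198.51.100.9", WEB_SERVER, 4444, 3389),
}


def decisions(acl: List[Ace]) -> dict:
    return {name: evaluate(acl, p)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    print("as posted:", decisions(AS_POSTED))
    print("as fixed: ", decisions(AS_FIXED))
    print("logged:   ", evaluate(AS_FIXED, SAMPLE["probe"])[1])
```

Run as-is, the posted list permits only the inbound request and drops both the web reply and the DNS answer, which is exactly the "NAT works but nothing browses" symptom; the amended list permits all three and logs the stray probe that matched nothing else, which is the visibility the reply is after. The `established` keyword admits the web reply without pinning a source port, but it does nothing for UDP, so the `eq domain` entry is still needed.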