02-09-2003 10:33 AM - edited 02-20-2020 09:20 PM
I have been attempting to configure a Cisco 2621xm router with IOS 12.2(18) and have run into issues that seem to be beyond my CCNA expertise. The symptoms of my config are that clients cannot access the Internet: no browsing, etc. It appears NAT translations work, but when I apply access-list 101, no browsing occurs. I have troubleshot but cannot see the issue. Could really use some advice.
Please view my running-config, IP NAT statistics and NAT translations, and offer any advice. I am missing something or have misconfigured something but cannot pinpoint it. Advice will be appreciated!
Current configuration : 2666 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxrtr
!
xxxxx (moderator edit)
enable password xxxxx (moderator edit)
!
!
!
!
!
ip subnet-zero
ip domain-name xxxxxxxxxxxx.com
ip name-server 65.xx.1.65
ip name-server 65.xx.1.70
!
!
!
!
interface FastEthernet0/0
description Private Interface
ip address 192.168.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0/1
description Public Interface
ip address 65.xx.15.86 255.255.255.192 secondary
ip address 65.xx.15.87 255.255.255.192
ip access-group 101 in
ip nat outside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
ip nat pool ovrld 65.xx.15.87 65.xx.15.87 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source static 192.168.x.159 65.xx.15.86
ip nat inside source static tcp 192.168.x.11 20 65.xx.15.87 20 extendable
ip nat inside source static tcp 192.168.x.11 21 65.xx.15.87 21 extendable
ip nat inside source static tcp 192.168.x.11 80 65.xx.15.87 80 extendable
ip nat inside source static tcp 192.168.x.11 16893 65.xx.15.87 16893 extendable
ip nat inside source static tcp 192.168.x.13 16894 65.xx.15.87 16894 extendable
ip nat inside source static tcp 192.168.x.12 16895 65.xx.15.87 16895 extendable
ip nat inside source static tcp 192.168.x.11 24176 65.xx.15.87 24176 extendable
ip nat inside source static tcp 192.168.x.13 24177 65.xx.15.87 24177 extendable
ip nat inside source static tcp 192.168.x.12 24178 65.xx.15.87 24178 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 65.xx.15.65 permanent
no ip http server
!
access-list 7 permit 192.168.x.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit gre any host 65.xx.15.86
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.xx.15.87 eq www
access-list 101 permit tcp any host 65.xx.15.87 eq 16893
access-list 101 permit ip 192.168.x.0 0.0.0.255 any
access-list 101 permit tcp any host 65.xx.15.87 eq www
access-list 101 permit tcp any host 65.xx.15.87 eq 16893
access-list 101 permit tcp any host 65.xx.15.87 eq 16894
access-list 101 permit tcp any host 65.xx.15.87 eq 16895
access-list 101 permit tcp any host 65.xx.15.87 eq 24176
access-list 101 permit tcp any host 65.xx.15.87 eq 24177
access-list 101 permit tcp any host 65.xx.15.87 eq 24178
access-list 101 permit tcp any host 65.xx.15.87 eq ftp
access-list 101 permit tcp any host 65.xx.15.87 eq ftp-data
access-list 101 permit tcp any host 65.xx.15.86 eq 1723
access-list 101 permit tcp any host 65.xx.15.86
no cdp run
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
password 7 141222195D1E2709753C303D
login
!
end
xxxxxrtr#show ip nat statistics
Total active translations: 10 (10 static, 0 dynamic; 9 extended)
Outside interfaces:
FastEthernet0/1
Inside interfaces:
FastEthernet0/0
Hits: 305100 Misses: 1237
Expired translations: 1282
Dynamic mappings:
-- Inside Source
access-list 7 pool ovrld refcount 0
pool ovrld: netmask 255.255.255.0
start 65.xx.15.87 end 65.xx.15.87
type generic, total addresses 1, allocated 0 (0%), misses 4
xxxxxrtr#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 65.xx.15.86 192.168.x.159 --- ---
tcp 65.xx.15.87:20 192.168.x.11:20 --- ---
tcp 65.xx.15.87:21 192.168.x.11:21 --- ---
tcp 65.xx.15.87:80 192.168.x.11:80 --- ---
tcp 65.xx.15.87:16893 192.168.x.11:16893 --- ---
tcp 65.xx.15.87:16894 192.168.x.13:16894 --- ---
tcp 65.xx.15.87:16895 192.168.x.12:16895 --- ---
tcp 65.xx.15.87:24176 192.168.x.11:24176 --- ---
tcp 65.xx.15.87:24177 192.168.x.13:24177 --- ---
tcp 65.xx.15.87:24178 192.168.x.12:24178 --- ---
xxxxxrtr#
02-09-2003 04:57 PM
Let's take one line of ACL101 as an example:
> access-list 101 permit tcp any host 65.xx.15.87 eq www
This says to allow TCP packets FROM anywhere to 65.xx.15.87 with a DESTINATION port of 80. This only means that packets originating from the Internet towards your Web server will get through. WWW packets originating from your internal 192.168.x.x subnet to the Internet will have a destination port of 80, but on their return, the SOURCE port will be 80, not the destination port. These replies will be dropped by your access-list.
To allow return packets to come in, you need to add:
> access-list 101 permit tcp any eq www host 65.xx.15.87
This says the source port is 80, not the destination port. Keep in mind, though, that doing an inbound ACL like this is pretty messy; you'll continue to get complaints from users that certain protocols aren't getting in (actually, all they'll complain about is that they can't do something, and you'll be left to figure it out). You'll probably also need to add:
> access-list 101 permit udp any eq domain host 65.xx.15.87
otherwise DNS lookups to these web sites won't work (assuming your DNS server is outside). An easy way to see what's being dropped is to add:
> access-list 101 deny ip any any log
to the end of your ACL. Then, whenever a packet is denied, you'll see a console message saying what it is; you can then add an ACL to allow it in.
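The following is an added example, not code from this thread or from Cisco: a small first-match simulator for a numbered extended ACL that reproduces the point made in the reply above. It feeds three constructed inbound packets (an HTTP reply to a browsing LAN client, a DNS reply from an outside resolver, and an Internet client's request to the hosted web server) through ACL 101 as originally posted and again with the three entries suggested in the answer. The addresses are constructed stand-ins for the masked ones in the post (192.0.2.87 and 192.0.2.86 for 65.xx.15.87 and .86, 192.168.1.0/24 for 192.168.x.0/24, 198.51.100.0/24 for Internet hosts), and the model covers only what the answer relies on: entry order, `eq` port matching on either side, and the implicit deny at the end of every IOS ACL.

```python
"""Toy first-match simulator for a Cisco IOS numbered extended ACL.

Added example (not from the thread). All addresses are constructed
stand-ins for the masked ones in the original post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "gre", ...
    src: str
    sport: Optional[int]  # None for protocols without ports (gre)
    dst: str
    dport: Optional[int]


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str            # "ip" matches every IP protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]  # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port
    log: bool


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is a hostmask, which ipaddress accepts directly.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def _opt_port(tok: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tok) and tok[i] == "eq":
        return _port(tok[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    tok = line.split()
    assert tok[0] == "access-list" and tok[1].isdigit(), line
    action, proto = tok[2], tok[3]
    src, i = _addr(tok, 4)
    sport, i = _opt_port(tok, i)
    dst, i = _addr(tok, i)
    dport, i = _opt_port(tok, i)
    return Ace(action, proto, src, sport, dst, dport, "log" in tok[i:])


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """IOS semantics: first matching entry wins; no match is the implicit deny."""
    p_src, p_dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if p_src not in ace.src or p_dst not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace
    return "deny", None


# ACL 101 as posted (representative entries, same order, constructed addresses).
ORIGINAL_ACL_101 = """
access-list 101 permit gre any host 192.0.2.86
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit tcp any host 192.0.2.87 eq www
access-list 101 permit tcp any host 192.0.2.87 eq 16893
access-list 101 permit tcp any host 192.0.2.87 eq ftp
access-list 101 permit tcp any host 192.0.2.87 eq ftp-data
access-list 101 permit tcp any host 192.0.2.86 eq 1723
access-list 101 permit tcp any host 192.0.2.86
"""

# The same ACL with the three entries the answer suggests appended.
FIXED_ACL_101 = ORIGINAL_ACL_101 + """
access-list 101 permit tcp any eq www host 192.0.2.87
access-list 101 permit udp any eq domain host 192.0.2.87
access-list 101 deny ip any any log
"""

# Constructed traffic arriving INBOUND on the outside interface.
HTTP_REPLY = Packet("tcp", "198.51.100.20", 80, "192.0.2.87", 51234)     # reply to a PAT'd LAN browser
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "192.0.2.87", 40001)      # reply from an outside resolver
WEB_REQUEST = Packet("tcp", "198.51.100.20", 44321, "192.0.2.87", 80)   # Internet client to the web server

if __name__ == "__main__":
    for name, text in (("as posted", ORIGINAL_ACL_101), ("with return-traffic entries", FIXED_ACL_101)):
        acl = parse_acl(text)
        print(f"ACL 101 {name}:")
        for label, pkt in (("HTTP reply", HTTP_REPLY), ("DNS reply", DNS_REPLY), ("web request", WEB_REQUEST)):
            action, ace = evaluate(acl, pkt)
            why = "implicit deny" if ace is None else f"{ace.action} {ace.proto} entry"
            print(f"  {label:12s} -> {action:6s} ({why})")
```

Running it shows the HTTP and DNS replies hitting the implicit deny under the posted ACL while the web server's inbound request is permitted, which is exactly the "NAT works but nobody can browse" symptom; with the answer's entries the replies are permitted and anything else lands on the final logged deny, where a real router would report it on the console.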