Extended ACL and Nat issues, could use expert help!!!!
I have been attempting to configure a Cisco 2621xm router with IOS 12.2(18) and have run into issues that seem to be beyond my CCNA expertise. The symptoms of my config are that clients cannot access the internet, no browsing etc. It appears NAT translations work, but when I apply access-list 101 then no browsing occurs. I have troubleshot but cannot see the issue. Could really use some advice.
Please view my Running-Config, IP NAT Stat and NAT Translation and offer any advice. I am missing something or have misconfigured something but cannot pinpoint it. Advice will be appreciated!!!!!
Current configuration : 2666 bytes
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
xxxxx (moderator edit)
enable password xxxxx (moderator edit)
ip domain-name xxxxxxxxxxxx.com
ip name-server 65.xx.1.65
ip name-server 65.xx.1.70
description Private Interface
ip address 192.168.x.1 255.255.255.0
ip access-group 100 in
ip nat inside
no ip mroute-cache
no cdp enable
description Public Interface
ip address 65.xx.15.86 255.255.255.192 secondary
ip address 65.xx.15.87 255.255.255.192
ip access-group 101 in
ip nat outside
no ip mroute-cache
no cdp enable
ip nat pool ovrld 65.xx.15.87 65.xx.15.87 prefix-length 24
ip nat inside source list 7 pool ovrld overload
ip nat inside source static 192.168.x.159 65.xx.15.86
Re: Extended ACL and Nat issues, could use expert help!!!!
Let's take one line of ACL101 as an example:
> access-list 101 permit tcp any host 65.xx.15.87 eq www
This says to allow TCP packets FROM anywhere to 65.xx.15.87 with a DESTINATION port of 80. This only means that packets originating from the Internet towards your Web server will get through. WWW packets originating from your internal 192.168.x.x subnet to the Internet will have a destination port of 80, but on their return, the SOURCE port will be 80, not the destination port. These replies will be dropped by your access-list.
To allow return packets to come in, you need to add:
> access-list 101 permit tcp any eq www host 65.xx.15.87
This says the source port is 80, not the destination port. Keep in mind, though, that doing an inbound ACL like this is pretty messy; you'll continue to get complaints from users that certain protocols aren't getting in (actually all they'll complain about is that they can't do something, and you'll be left to figure it out). You'll probably also need to add:
> access-list 101 permit udp any eq domain host 65.xx.15.87
otherwise DNS lookups to these web sites won't work (assuming your DNS server is outside). An easy way to see what's being dropped is to add:
> access-list 101 deny ip any any log
to the end of your ACL. Then whenever a packet is denied you'll see a console message saying what it is; you can then add an ACL to allow it in.
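The reply's point about source versus destination ports comes down to how a stateless interface ACL is evaluated: first match wins, ports are compared on the side the entry names, and anything unmatched hits the implicit deny. The following Python is an added example, not part of this thread and not Cisco code. It parses only the subset of IOS extended-ACL syntax that appears above (any/host addresses, eq ports, the www and domain keywords, the log flag) and evaluates constructed packets against the original single line and against the augmented list. The packets, their ports, and the remote hosts 198.51.100.10 and 203.0.113.5 are constructed; the strings 65.xx.15.87 and 65.xx.1.65 are taken from the thread as written and are compared as plain strings.

```python
"""Stateless first-match evaluation of a few IOS extended-ACL lines.

Added example (not from the thread). Supports only:
  access-list <n> <permit|deny> <tcp|udp|ip> <src> [eq <port>] <dst> [eq <port>] [log]
where <src>/<dst> is 'any' or 'host A.B.C.D'.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"www": 80, "domain": 53}  # IOS keywords used in the thread


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class AclEntry:
    action: str
    proto: str
    src: Optional[str]    # None means 'any'
    sport: Optional[int]  # None means no 'eq' qualifier
    dst: Optional[str]
    dport: Optional[int]
    log: bool

    def matches(self, p: Packet) -> bool:
        """Every qualifier present on the entry must match the packet."""
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_entry(line: str) -> AclEntry:
    toks = line.split()
    if toks[0] != "access-list" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL line: {line}")
    action, proto = toks[2], toks[3]
    i = 4

    def addr() -> Optional[str]:
        nonlocal i
        if toks[i] == "any":
            i += 1
            return None
        if toks[i] == "host":
            i += 2
            return toks[i - 1]
        raise ValueError(f"unsupported address form: {toks[i]}")

    def port() -> Optional[int]:
        nonlocal i
        if i < len(toks) and toks[i] == "eq":
            i += 2
            return _port(toks[i - 1])
        return None

    src, sport = addr(), port()
    dst, dport = addr(), port()
    log = i < len(toks) and toks[i] == "log"
    return AclEntry(action, proto, src, sport, dst, dport, log)


def evaluate(acl: List[AclEntry], p: Packet) -> Tuple[str, Optional[AclEntry]]:
    """First matching entry decides; no match means the implicit deny (entry None)."""
    for e in acl:
        if e.matches(p):
            return e.action, e
    return "deny", None


def decide(lines: List[str], p: Packet) -> str:
    return evaluate([parse_entry(l) for l in lines], p)[0]


# The single line the thread started from, and the list after the reply's additions.
ORIGINAL = ["access-list 101 permit tcp any host 65.xx.15.87 eq www"]
AUGMENTED = ORIGINAL + [
    "access-list 101 permit tcp any eq www host 65.xx.15.87",
    "access-list 101 permit udp any eq domain host 65.xx.15.87",
    "access-list 101 deny ip any any log",
]

# Constructed packets as they arrive on the outside interface (after NAT overload,
# replies to inside clients are addressed to the router's public 65.xx.15.87).
PACKETS = {
    "web request to server": Packet("tcp", "203.0.113.5", 51000, "65.xx.15.87", 80),
    "web reply to client":   Packet("tcp", "198.51.100.10", 80, "65.xx.15.87", 40123),
    "dns reply to client":   Packet("udp", "65.xx.1.65", 53, "65.xx.15.87", 40124),
    "telnet probe":          Packet("tcp", "203.0.113.5", 1234, "65.xx.15.87", 23),
}

if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        print(f"{name:24} original={decide(ORIGINAL, pkt):6} augmented={decide(AUGMENTED, pkt)}")
```

Running it shows why browsing broke: the web reply and the DNS reply are denied by the original list because their port 80/53 is on the source side, and are permitted once the source-port entries are added, while the telnet probe is denied either way, by the implicit deny in the first case and by the logging entry in the second.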