12-12-2007 06:47 PM
Hi there, all:
I'm a bit rusty on the IOS stuff and I'm setting up a small office of ours to share an internet connection for the client PCs and also forward outside connections to a few servers we have on the inside... (using a 2611 w/ IOS 12.3) I thought I did this right, but apparently since I haven't used anything since 12.0, I've screwed the pooch. Can you guys and gals have a look at my config and tell me what I've done wrong?
Current configuration : 2075 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname REMAX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rD#############yh8e/
enable password 7 1#############35
!
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp timestamp
ip tcp path-mtu-discovery
!
!
ip name-server 68.87.64.146
ip name-server 68.87.75.194
ip dhcp excluded-address 10.1.10.150 10.1.10.255
ip dhcp excluded-address 10.1.10.0 10.1.10.50
!
ip dhcp pool 0
network 10.1.10.0 255.255.255.0
default-router 10.1.10.1
dns-server 68.87.64.146
!
no ip bootp server
ip cef
!
!
interface Ethernet0/0
description LAN
ip address 10.1.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
full-duplex
no cdp enable
no mop enabled
!
interface Ethernet0/1
description WAN
ip address 70.91.###.157 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
full-duplex
no cdp enable
!
ip nat inside source list 100 interface Ethernet0/1 overload
ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21
ip nat inside source static tcp 10.1.10.11 22 interface Ethernet0/1 22
ip nat inside source static tcp 10.1.10.11 80 interface Ethernet0/1 80
ip nat inside source static tcp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static udp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static tcp 10.1.10.21 3306 interface Ethernet0/1 3306
no ip http server
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 70.91.###.158
!
!
access-list 100 permit ip 10.1.10.0 0.0.0.255 any
access-list 101 deny tcp any any range 0 ftp-data
access-list 101 deny tcp any any range telnet 24
access-list 101 deny tcp any any range 26 finger
access-list 101 deny tcp any any range 81 pop2
access-list 101 permit ip any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
password ############
login
!
!
end
12-13-2007 05:38 AM
Justin
I have looked through the configuration, focusing especially on the address translation, and find only one obvious issue: you have this translation:
ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21
which will forward the FTP control port to an inside device. But since your inbound access list is denying FTP data, FTP will not work:
access-list 101 deny tcp any any range 0 ftp-data
Without knowing more about your network we cannot tell if 10.1.10.11 is the right device to get SSH and HTTP etc.
Perhaps you can clarify a bit about what is not working? If we understood the symptoms better we might be able to make better suggestions about a solution.
HTH
Rick
12-13-2007 09:53 AM
Hi, Rick:
I appreciate your help... and yes, that range in 101 shouldn't include FTP... But that's not the issue. The issue is that there isn't ANY forwarding happening, FTP, SSH, HTTP, or otherwise... All of the inside clients get out to the internet ok, and I can access the router from the inside and outside fine, but outside requests are not getting forwarded through the router. Yes, I've checked my servers to make sure they're awake and accepting requests ;)
Any further ideas?
Thanks!
-Justin K.
12-13-2007 10:55 AM
Justin
Thanks for the additional explanation. My next suggestion would be to change ACL 100, which currently permits everything to be translated dynamically. How about putting statements into ACL 100 which will deny the ports that you want to statically translate?
HTH
Rick
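An added example, not from this thread and not Cisco code, that reads the NAT and ACL lines the way Rick does: for each static forward it reports what the WAN-inbound ACL 101 does to the outside port and whether the overload ACL 100 still matches the inside host, and it generates the deny statements Rick suggests. It assumes the config excerpt embedded below as its sample input (copied from the posted config) and a constructed subset of the IOS port-keyword table; audit_forwards, suggested_dynamic_acl and the helper names are this example's own.

```python
# IOS port keywords used in the posted ACL 101 (a constructed subset of the IOS name table).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "finger": 79, "www": 80, "pop2": 109}
_port = lambda tok: PORT_NAMES.get(tok) or int(tok)
_ip = lambda s: int.from_bytes(bytes(map(int, s.split("."))), "big")  # dotted quad -> int

def parse_config(text):  # -> ({acl number: entries}, static forwards, overload ACL number)
    acls, statics, dyn_acl = {}, [], None
    for t in (line.split() for line in text.splitlines()):
        if t[:1] == ["access-list"]:  # source is "any", "host A.B.C.D" or "network wildcard"
            src = None if t[4] == "any" else (t[5], "0.0.0.0") if t[4] == "host" else (t[4], t[5])
            rest, ports = (t[5:] if t[4] == "any" else t[6:]), None
            if "range" in rest:
                i = rest.index("range"); ports = (_port(rest[i + 1]), _port(rest[i + 2]))
            elif "eq" in rest:
                ports = (_port(rest[rest.index("eq") + 1]),) * 2
            acls.setdefault(t[1], []).append({"action": t[2], "proto": t[3], "src": src, "ports": ports})
        elif t[:5] == "ip nat inside source static".split():
            statics.append({"proto": t[5], "ip": t[6], "in": int(t[7]), "out": int(t[10])})
        elif t[:5] == "ip nat inside source list".split():
            dyn_acl = t[5]
    return acls, statics, dyn_acl

def _first_match(entries, ip, proto, port):  # first matching entry wins; implicit deny at the end
    for e in entries:  # ip None = unspecified outside host, which only "any" sources match
        src_ok = e["src"] is None or (ip is not None and
                 (_ip(ip) & ~_ip(e["src"][1])) == (_ip(e["src"][0]) & ~_ip(e["src"][1])))
        if src_ok and e["proto"] in (proto, "ip") and (
                e["ports"] is None or e["ports"][0] <= port <= e["ports"][1]):
            return e["action"]
    return "deny"

def audit_forwards(cfg, inbound_acl="101"):
    # Per forward: (inbound ACL verdict on the outside port, overload ACL verdict on the inside
    # host/port). "deny" in the first slot or "permit" in the second slot is a conflict.
    acls, statics, dyn_acl = cfg
    return {(s["proto"], s["out"]): (_first_match(acls.get(inbound_acl, []), None, s["proto"], s["out"]),
                                     _first_match(acls.get(dyn_acl, []), s["ip"], s["proto"], s["in"]))
            for s in statics}

def suggested_dynamic_acl(cfg):  # Rick's fix: deny each static host/port in the overload ACL before its permit
    _, statics, dyn_acl = cfg
    return [f"access-list {dyn_acl} deny {s['proto']} host {s['ip']} eq {s['in']} any" for s in statics]
# Excerpt of the posted config (copied from the thread), used as the sample input.
POSTED = """\
ip nat inside source list 100 interface Ethernet0/1 overload
ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21
ip nat inside source static udp 10.1.10.250 3389 interface Ethernet0/1 3389
access-list 100 permit ip 10.1.10.0 0.0.0.255 any
access-list 101 deny tcp any any range 0 ftp-data
access-list 101 permit ip any any
"""
```

On the router the generated deny lines have to sit ahead of the existing permit, so a numbered ACL like 100 is removed and re-entered in that order (and the NAT translation table cleared) rather than appended to.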