Problem when configuring access lists on Cisco 1841 router

dedan
Level 1

I am adding an access list to allow HTTP, VNC, POP3, SMTP, Telnet and FTP; however, it doesn't work and the router blocks all traffic. I need help.

Below is the router's current configuration:

Router_HQ#sh run
Building configuration...

Current configuration : 8818 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router_HQ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip domain name yourdomain.com
ip name-server 212.165.130.9
!
username kim privilege 15 password 7 0832595E191617033200080A

!
!
!
interface FastEthernet0/0
description Link To  LAN
ip address 192.168.20.254 255.255.255.0 secondary
ip address 192.168.50.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.300
description Link To ISP
encapsulation dot1Q 300
ip address 192.168.168.2 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1424
description WATER KAYOLE
encapsulation dot1Q 1424
ip address 172.16.30.49 255.255.255.248
no snmp trap link-status
!
interface FastEthernet0/1.1427
description Link to AAR Sites
encapsulation dot1Q 1427
ip address 172.16.25.201 255.255.255.252 secondary
ip address 172.16.25.205 255.255.255.252 secondary
ip address 172.16.25.213 255.255.255.252 secondary
ip address 172.16.25.217 255.255.255.252 secondary
ip address 172.16.25.209 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1436
description Link To Wifi Sites
encapsulation dot1Q 1436
ip address 172.16.25.89 255.255.255.252 secondary
ip address 172.16.25.97 255.255.255.252 secondary
ip address 172.16.25.105 255.255.255.252 secondary
ip address 172.16.25.93 255.255.255.252 secondary
ip address 172.16.25.77 255.255.255.252 secondary
ip address 172.16.25.85 255.255.255.252 secondary
ip address 172.16.25.101 255.255.255.252 secondary
ip address 172.16.25.81 255.255.255.252 secondary
ip address 192.168.161.254 255.255.255.0
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.1437
description Link to BBB Sites
encapsulation dot1Q 1437
ip address 172.16.25.173 255.255.255.252 secondary
ip address 172.16.25.177 255.255.255.248 secondary
ip address 172.16.25.193 255.255.255.252 secondary
ip address 192.168.162.1 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1441
description Link to KM Sites
encapsulation dot1Q 1441
ip address 172.16.25.165 255.255.255.252 secondary
ip address 172.16.25.169 255.255.255.252 secondary
ip address 172.16.25.153 255.255.255.252 secondary
ip address 172.16.25.197 255.255.255.252 secondary
ip address 192.168.162.5 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1442
description Link to Bakers Inn sites
encapsulation dot1Q 1442
ip address 172.16.25.113 255.255.255.252 secondary
ip address 172.16.25.133 255.255.255.252 secondary
ip address 172.16.25.137 255.255.255.252 secondary
ip address 172.16.25.141 255.255.255.252 secondary
ip address 172.16.25.117 255.255.255.252 secondary
ip address 172.16.25.121 255.255.255.252 secondary
ip address 172.16.25.125 255.255.255.252 secondary
ip address 172.16.25.73 255.255.255.252 secondary
ip address 172.16.25.129 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1468
description Liik to Kula Corner
encapsulation dot1Q 1468
ip address 172.16.25.229 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1481
description link to Fox Theaters
encapsulation dot1Q 1481
ip address 172.16.25.145 255.255.255.252 secondary
ip address 172.16.25.225 255.255.255.252 secondary
ip address 172.16.25.149 255.255.255.252
no snmp trap link-status
!
interface FastEthernet0/1.1484
description Link to Good_Brand
encapsulation dot1Q 1484
ip address 172.16.25.241 255.255.255.240
no snmp trap link-status
!
interface FastEthernet0/1.1783
description Link To Internet
encapsulation dot1Q 1783
ip address 192.168.190.254 255.255.255.224 secondary
ip address 39.220.239.211 255.255.255.252
ip nat outside
rate-limit input 512000 8000 8000 conform-action transmit exceed-action drop
rate-limit output 512000 8000 8000 conform-action transmit exceed-action drop
no snmp trap link-status
!
interface FastEthernet0/1.1930
description Link to Ministry of Health
encapsulation dot1Q 1930
ip address 172.16.30.73 255.255.255.252
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.1983
description Link to _BRANCHES
encapsulation dot1Q 1983
ip address 172.16.20.49 255.255.255.240 secondary
ip address 172.16.20.97 255.255.255.240 secondary
ip address 172.16.25.33 255.255.255.240 secondary
ip address 172.16.25.17 255.255.255.240 secondary
ip address 172.16.20.17 255.255.255.240 secondary
ip address 172.16.20.81 255.255.255.240 secondary
ip address 172.16.20.33 255.255.255.240 secondary
ip address 172.16.20.225 255.255.255.224 secondary
ip address 172.16.25.49 255.255.255.240 secondary
ip address 172.16.20.113 255.255.255.240 secondary
ip address 172.16.20.1 255.255.255.240 secondary
ip address 172.16.20.209 255.255.255.240 secondary
ip address 172.16.25.157 255.255.255.252 secondary
ip address 172.16.30.41 255.255.255.248 secondary
ip address 172.16.30.1 255.255.255.248 secondary
ip address 172.16.30.57 255.255.255.248 secondary
ip address 172.16.30.33 255.255.255.248 secondary
ip address 172.16.30.81 255.255.255.248 secondary
ip address 172.16.30.65 255.255.255.248 secondary
ip address 172.16.25.65 255.255.255.248
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.2999
description Shared_Vlan_Western/Nyanza
encapsulation dot1Q 2999
ip address 172.16.20.177 255.255.255.240 secondary
ip address 172.16.20.129 255.255.255.240 secondary
ip address 172.16.20.161 255.255.255.240 secondary
ip address 172.16.30.9 255.255.255.248 secondary
ip address 172.16.30.17 255.255.255.248 secondary
ip address 172.16.20.145 255.255.255.240
ip nat inside
no snmp trap link-status
!
interface FastEthernet0/1.3002
description _coast
encapsulation dot1Q 3002
ip address 172.16.20.65 255.255.255.240 secondary
ip address 192.168.162.13 255.255.255.252 secondary
ip address 172.16.25.185 255.255.255.248 secondary
ip address 172.16.20.193 255.255.255.240 secondary
ip address 172.16.20.201 255.255.255.248 secondary
ip address 172.16.25.233 255.255.255.252 secondary
ip address 172.16.25.221 255.255.255.252 secondary
ip address 172.16.25.1 255.255.255.240 secondary
ip address 172.16.30.25 255.255.255.248 secondary
ip address 172.16.25.161 255.255.255.252
ip nat inside
no snmp trap link-status
!
ip classless
ip route 0.0.0.0 0.0.0.0 39.220.239.212
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 50 interface FastEthernet0/1.1783 overload

ip nat inside source static tcp 192.168.20.210 22 39.220.239.211 22 extendable
ip nat inside source static tcp 192.168.20.210 25 39.220.239.211 25 extendable
ip nat inside source static tcp 192.168.20.210 80 39.220.239.211 80 extendable
ip nat inside source static tcp 192.168.20.210 110 39.220.239.211 110 extendable
ip nat inside source static tcp 192.168.20.210 443 39.220.239.211 443 extendable
ip nat inside source static tcp 192.168.20.230 3389 39.220.239.211 3389 extendable
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 50 permit 192.168.50.0 0.0.0.255
access-list 50 permit 192.168.20.0 0.0.0.255
snmp-server community kdn-kdn RO
snmp-server chassis-id 189377483875
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps config
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport preferred telnet
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
end

5 Replies

bjornarsb
Level 4

Hi.

Can you post a sh ip nat statistics and a sh ip nat translations?

br

Bjornarsb

Router_HQ#sh ip nat statistics
Total active translations: 1378 (13 static, 1365 dynamic; 1378 extended)
Outside interfaces:
  FastEthernet0/1.1783
Inside interfaces:
  FastEthernet0/0, FastEthernet0/1.1436, FastEthernet0/1.1930
  FastEthernet0/1.1983, FastEthernet0/1.2999, FastEthernet0/1.3002
Hits: 344149155  Misses: 10668795
CEF Translated packets: 346825494, CEF Punted packets: 15005580
Expired translations: 13872928
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 50 interface FastEthernet0/1.1783 refcount 1357
Queued Packets: 1

Router_HQ#sh ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
tcp 39.220.239.211:21  192.168.20.2:21    ---                ---
tcp 39.220.239.211:3389 192.168.20.2:3389 ---                ---
tcp 39.220.239.211:22  192.168.20.210:22  ---                ---
tcp 39.220.239.211:25  192.168.20.210:25  ---                ---
tcp 39.220.239.211:80  192.168.20.210:80  ---                ---

sridsdale is right, your IP is not routed on the public Internet.

sridsdale
Level 1

39.0.0.0/8 is a bogon prefix.

Not sure if you've changed your public address to mask the real one but the one in the config will not be routed across the public internet.

http://www.team-cymru.org/Services/Bogons/
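
The check behind the reply above, as an added example that is not part of the original thread: it reads a running-config and reports every address on an `ip nat outside` interface that falls inside a bogon prefix. The bogon list and the config excerpt are constructed samples (39.0.0.0/8 is listed because the reply names it), and `nat_outside_bogons` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample list: the prefix named in the reply above plus the
# RFC 1918 private ranges. A production check would load a current bogon feed.
SAMPLE_BOGONS = [ipaddress.ip_network(p) for p in (
    "39.0.0.0/8",  # stated as a bogon in the reply above
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# Constructed excerpt modelled on the posted running-config.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.1783
 ip address 192.168.190.254 255.255.255.224 secondary
 ip address 39.220.239.211 255.255.255.252
 ip nat outside
!
"""

def nat_outside_bogons(config, bogons):
    """Return (interface, address, prefix) for each address on an
    'ip nat outside' interface that lies inside one of the bogon prefixes."""
    findings = []
    iface, addrs, outside = None, [], False

    def flush():
        # Called when an interface stanza ends; only outside interfaces count.
        if iface and outside:
            for addr in addrs:
                match = next((n for n in bogons if addr in n), None)
                if match is not None:
                    findings.append((iface, str(addr), str(match)))

    for raw in config.splitlines():
        words = raw.split()
        if words[:1] == ["interface"] and len(words) >= 2:
            flush()
            iface, addrs, outside = words[1], [], False
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            addrs.append(ipaddress.ip_address(words[2]))
        elif words == ["ip", "nat", "outside"]:
            outside = True
    flush()  # the last stanza has no following 'interface' line
    return findings
```
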

I have changed the public IP; the real one is 41.220.xxx.xxx
