My 857 (ver 12.3(8r)Y14) doesn't use an ACL in for anything inbound from the public side, rather PAT translations. This works for one port translation to a server on the trusted side but not for another port to the same server. When I add an inbound ACL for public access, outbound traffic for web doesn't work, even with a specific ACL to permit outbound IP traffic. What I'm trying to understand is if there is some virtual interface whereby content filtering is occurring. Note: no CBAC (ip inspect) or any other ACLs are working. ip virtual-reassembly is applied to both the private NAT int and the public NAT int. Stumped...
No filtering exists if you don't use an ACL on your public interface and aren't using CBAC. It's hard to tell what's going on without seeing your config, but if you have public addresses going to the same internal host, rather than specifying by port, I would do a one-to-one translation and then control access with an ACL.
Agreed that there shouldn't be any filtering. Here are the relevant parts of the config; I want to move to ACL control, but when I enable an ACL, outbound web traffic is blocked. You will see ACL 101 allows all traffic out. My thinking now is to debug ip nat port and see why 2222 isn't working. Can you reload ACLs without a restart? Or once they are removed from an interface, is the int clean?
ip address <###>
ip nat inside
no ip address
ip address negotiated
ip access-group 101 out
no ip redirects
no ip unreachables
ip nat outside
no ip route-cache cef
no ip route-cache
dialer pool 1
ppp pap sent-username <###>
ip nat inside source list 1 interface Dialer0 overload
Try taking the ACL off completely and see if everything works. If you need an ACL to block inside traffic going out, place your ACL on the Vlan1 interface in the inbound direction. Everything else looks "okay."
You can't "reload" ACLs per se. You just take them off the interface and reapply, but that generally doesn't fix anything. =)
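The following is an added example illustrating the two replies above (one-to-one port translations with ACL control on the public side, and inside-to-outside filtering on Vlan1 inbound); it is not the poster's configuration and not from the thread. The addresses (10.1.1.0/24 LAN, 10.1.1.20 server), the interface names Vlan1 and Dialer0, the ACL numbers 110 and 120, and the published ports 80 and 2222 are assumptions.

```cisco
! Added example, not the poster's config. Addresses, interface names,
! ACL numbers and ports are assumed.
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ! what inside hosts may send out is controlled here, before NAT
 ip access-group 110 in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 ! what the Internet may reach is controlled here, before NAT untranslation
 ip access-group 120 in
!
! Publish two services on the same inside host as static port translations
! instead of relying on dynamic PAT entries.
ip nat inside source static tcp 10.1.1.20 80 interface Dialer0 80
ip nat inside source static tcp 10.1.1.20 2222 interface Dialer0 2222
! Everything else from the LAN leaves with PAT on the Dialer address.
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
!
! Inbound from the Internet. ACL 120 is evaluated before the global address
! is translated back, so the destination is the Dialer's public address,
! hence "any" here rather than the inside server's 10.1.1.20.
access-list 120 permit tcp any any eq 80
access-list 120 permit tcp any any eq 2222
! Return traffic for sessions the LAN opened: without CBAC an inbound ACL
! has no state, so replies must be permitted explicitly or browsing breaks.
access-list 120 permit tcp any any established
access-list 120 permit udp any eq 53 any
access-list 120 permit icmp any any echo-reply
access-list 120 deny ip any any log
!
! Inside-to-outside policy on Vlan1 inbound sees untranslated LAN addresses.
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 110 permit udp 10.1.1.0 0.0.0.255 any eq 53
access-list 110 permit icmp 10.1.1.0 0.0.0.255 any
access-list 110 deny ip any any log
```

The `established` and DNS-reply lines in ACL 120 are what an inbound public ACL most often lacks when "outbound web stops working": the ACL drops the replies to the LAN's own sessions, which arrive addressed to the router's public address on ephemeral ports. `established` only checks TCP flags, so it is a coarse filter; `ip inspect` (CBAC) would track the sessions statefully and open the return path itself. To confirm which side is failing, `show access-lists` shows per-entry hit counters (the `deny ... log` entries record what was dropped), and `show ip nat translations` shows whether the 2222 translation is being built at all.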