Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT/Access list problem

Hello, I have a cisco 1800 which I'm trying to get nat working on. See running config and software info below. I have 1 public (internet) and I have a couple of subnets on the inside, of which one is directly connected; 192.168.1.x. My pc from where im testing is in this 192.168.1.x network and has 192.168.1.11. Now I believe I have the configuration right but It does not work as expected. Now I do have internet connectivity since I can ping 8.8.8.8 from my test pc. However no other traffic is allowed. I know that icmp works because of the permit icmp any any rule in the access list Internet_To_Lan which I added for testing purposes. Now the only way I can get it to work is when I add another rule to this same access list; 1 permit ip any host 90.95.150.85. Now this last addition to the access list is one I'm not to happy about. It sounds risky. I don't understand why it's needed. I always thought that when using natting there was no need to specify a permit rule for returning traffic. IS this assumption correct or am I completely lost here? Please help?

Software:

Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1)

ROM: System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)

System image file is "flash:c181x-adventerprisek9-mz.124-6.T.bin"

Running config:

Router#sh run
Building configuration...

Current configuration : 3294 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$mwBtxxxGWcHoxxI5Trxxxqv.da.
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
ip name-server 10.41.0.1
ip name-server 10.41.0.2
ip name-server 10.42.0.100
!
!
!
username xxxxxxxx privilege 15 secret 5 $1$ukNP$Zxxxx8eyF.BkxxxxHdJbI.
!
!
!
!
!
!
interface FastEthernet0
description Inside Lan
ip address 192.168.0.10 255.255.255.248
ip access-group Lan_To_Internet in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Outside Internet
ip address 90.95.150.85 255.255.255.248
ip access-group Internet_To_Lan in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
no ip address
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 90.95.150.81
ip route 10.41.0.0 255.255.254.0 192.168.0.9
ip route 10.42.0.0 255.255.255.0 10.41.0.254
ip route 10.45.1.0 255.255.255.248 192.168.0.9
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_To_Outside interface FastEthernet1 overload
ip nat inside source static tcp 192.168.0.11 21 interface FastEthernet1 21
ip nat inside source static tcp 10.41.0.5 25 interface FastEthernet1 25
ip nat inside source static tcp 10.41.0.5 587 interface FastEthernet1 587
ip nat inside source static tcp 10.41.0.5 993 interface FastEthernet1 993
ip nat inside source static tcp 10.451.0.7 3101 interface FastEthernet1 3101
ip nat inside source static tcp 10.45.1.2 50 interface FastEthernet1 50
ip nat inside source static tcp 10.45.1.2 51 interface FastEthernet1 51
ip nat inside source static tcp 10.45.1.2 500 interface FastEthernet1 500
ip nat inside source static tcp 10.45.1.2 4500 interface FastEthernet1 4500
ip nat inside source static tcp 192.168.0.11 20 interface FastEthernet1 20
!
ip access-list standard NAT_To_Outside
permit 10.41.0.0 0.0.1.255
permit 192.168.0.8 0.0.0.7
deny   any
!
ip access-list extended Internet_To_Lan
permit icmp any any
permit tcp any host 10.41.0.5 eq smtp
permit tcp any host 10.41.0.5 eq 587
permit tcp any host 10.41.0.5 eq 993
permit tcp any host 10.41.0.7 eq 3101
permit tcp any host 10.45.1.2 eq 50
permit tcp any host 10.45.1.2 eq 51
permit tcp any host 10.45.1.2 eq 500
permit tcp any host 10.45.1.2 eq 4500
permit tcp any host 192.168.0.11 eq ftp
ip access-list extended Lan_To_Internet
permit ip 10.41.0.0 0.0.1.255 any
permit ip 192.168.0.8 0.0.0.7 any
deny   ip any any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
session-timeout 60
login local
length 0
line vty 5 15
session-timeout 60
login local
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

Router#

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Purple

NAT/Access list problem

Hi,

you have to specify the public IP as destination not the private IP.

Don't forget to rate helpful posts.

Regards.

Alain

Don't forget to rate helpful posts.
4 REPLIES
Purple

NAT/Access list problem

Hi,

Michell Poulina a écrit:

ip access-list extended Internet_To_Lan

permit icmp any any

permit tcp any host 10.41.0.5 eq smtp

permit tcp any host 10.41.0.5 eq 587

permit tcp any host 10.41.0.5 eq 993

permit tcp any host 10.41.0.7 eq 3101

permit tcp any host 10.45.1.2 eq 50

permit tcp any host 10.45.1.2 eq 51

permit tcp any host 10.45.1.2 eq 500

permit tcp any host 10.45.1.2 eq 4500

permit tcp any host 192.168.0.11 eq ftp

ip access-list extended Lan_To_Internet

permit ip 10.41.0.0 0.0.1.255 any

permit ip 192.168.0.8 0.0.0.7 any

deny   ip any any

The problem is with

ip access-list extended Internet_To_Lan

return traffic is dropped by the implicit deny at the end

just try this :

ip access-list extended Internet_To_Lan
15 permit udp any eq 53 any
16 permit tcp any any established
110 deny ip any any log

Regards.

Alain

Don't forget to rate helpful posts.
New Member

NAT/Access list problem

Hello Alain,

Thanks for your reply. This works and solves the issue from traffic going from inside to outside. Now the 2nd part is incoming traffic from the internet destined for certain ports. I tested it with FTP. So I have this rule in the same access-list, ip access-list extended Internet_To_Lan; permit tcp any host 192.168.0.11 eq ftp and the nat entry; ip nat inside source static tcp 192.168.0.11 21 interface FastEthernet1 21

Interface fa1 is the outside interface with the public ip. (I prefer not to talk in the cisco terms global, inside, outside, it's confusing) So I believe this to be correct, no? Again if I add the rule permit ip any host 90.95.150.85 it works, but without it gets filtered, see debug log:

*May 23 09:50:06.323: %SEC-6-IPACCESSLOGP: list Internet_To_Lan denied tcp 91.125.26.162(58468) -> 90.95.150.85(21), 1 packet

Why is this? Or is the ip nat config just plain wrong?

Purple

NAT/Access list problem

Hi,

you have to specify the public IP as destination not the private IP.

Don't forget to rate helpful posts.

Regards.

Alain

Don't forget to rate helpful posts.
New Member

NAT/Access list problem

thanks for your help Alain.

I've rated your answers.

Regards,

Michell

1958
Views
4
Helpful
4
Replies