Velocity Reviews - Computer Hardware Reviews

12.3 PAT not working

Jason
Guest
06-30-2004

I have an 837 as 192.168.1.2 (Ethernet0) and ADSL (Dialer1). Trying to make
available to the internet a server on 192.168.1.1, but after lots of reading
and adjustments to IOS config I can't get it to work. I have watched packets
on the .1 server and confirmed that nothing is being sent to it from the
837. Would appreciate if someone could take a look at my running-config and
see where I've gone wrong, or what I've missed. Thanks.


!
! Last configuration change at 23:55:22 EST Wed Jun 30 2004 by router
! NVRAM config last updated at 23:55:26 EST Wed Jun 30 2004 by router
!
version 12.3
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco837
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
enable secret 5 xxxxx
!
username Router password 7 xxxxx
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
no aaa new-model
ip subnet-zero
no ip source-route
ip wccp version 1
ip wccp outbound-acl-check
ip wccp web-cache redirect-list 50
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.9
!
ip dhcp pool CLIENT
network 192.168.1.0 255.255.255.0
default-router 192.168.1.2
dns-server 192.168.1.1 210.15.254.240 210.15.254.241
netbios-name-server 192.168.1.1
domain-name netspace.net.au
update arp
!
!
ip domain name netspace.net.au
ip host openbsd 192.168.1.1
ip name-server 192.168.1.1
ip name-server 210.15.254.240
ip name-server 210.15.254.241
ip cef
ip inspect audit-trail
ip inspect tcp max-incomplete host 50 block-time 2
ip inspect name OUTBOUND cuseeme
ip inspect name OUTBOUND ftp
ip inspect name OUTBOUND h323
ip inspect name OUTBOUND netshow
ip inspect name OUTBOUND rcmd
ip inspect name OUTBOUND realaudio
ip inspect name OUTBOUND rtsp
ip inspect name OUTBOUND smtp
ip inspect name OUTBOUND sqlnet
ip inspect name OUTBOUND streamworks
ip inspect name OUTBOUND tftp
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND vdolive
ip inspect name OUTBOUND icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.2 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route-cache flow
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
no ip address
!
interface Dialer1
description $FW_OUTSIDE$512K/128K ADSL to Netspace.net.au
ip address negotiated
ip access-group 101 in
no ip proxy-arp
ip wccp web-cache redirect out
ip nat outside
ip inspect OUTBOUND out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 xxxxx
ppp pap sent-username xxxxx password 7 xxxxx
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 1
ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static 192.168.1.1 interface Dialer0
ip nat inside source static tcp 192.168.1.1 22 interface Dialer1 22
ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.1 25 interface Dialer1 25
!
!
logging 192.168.1.1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 50 deny 192.168.1.1
access-list 50 permit any
access-list 100 permit ip any any
access-list 101 permit udp host 210.15.254.242 eq ntp any eq ntp
access-list 101 permit tcp any eq smtp any eq smtp
access-list 101 permit tcp any eq www any eq www
access-list 101 permit tcp any eq ftp any eq ftp
access-list 101 permit tcp any eq 22 any eq 22
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community cisco837 RO
snmp-server enable traps tty
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
transport preferred all
transport input ssh
transport output all
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 210.15.254.242
end



--
Cheers,
Jason

Note: Use ROT13 to decipher my email address
PES
Guest
06-30-2004
Check your access-list. See below

access-list 101 permit tcp any eq smtp any eq smtp
access-list 101 permit tcp any eq www any eq www
access-list 101 permit tcp any eq ftp any eq ftp
access-list 101 permit tcp any eq 22 any eq 22
This access-list is applied inbound on your external interface. So what it
says is
permit anything sourced from tcp port 25 destined to port 25
permit anything sourced from tcp port 80 destined to port 80
........

The typical tcp client will establish a session from a port greater than
1023. This is known as dynamic ports. There are a few applications that
use the same source and destination port but this is actually more prevalent
in udp. Try changing your access-list to the following


........
access-list 101 permit tcp any gt 1023 any eq smtp
access-list 101 permit tcp any gt 1023 any eq www
access-list 101 permit tcp any gt 1023 any eq ftp (also note this will only work for passive ftp)
access-list 101 permit tcp any gt 1023 any eq 22
.........





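As an added example (not part of PES's reply or the poster's config), here is a small Python evaluator for the subset of IOS extended-ACL syntax that ACL 101 uses. Run against a constructed inbound SYN, it shows why the poster's entries only matched a client whose source port happened to equal the destination port, while PES's `gt 1023` entries match a normal ephemeral-port client. The client address 198.51.100.20 and the public address 203.0.113.5 are placeholders, not values from the thread.

```python
# Added example (not from the original post): a toy evaluator for the subset of
# IOS extended-ACL syntax that ACL 101 on the 837 uses: permit/deny, protocols
# ip/tcp/udp/icmp, 'any' / 'host A' / 'A WILDCARD' addresses, 'eq'/'gt' ports.
# ICMP type keywords are ignored, so icmp entries match on protocol alone.
import ipaddress

PORTS = {"smtp": 25, "www": 80, "ftp": 21, "ntp": 123}

def _addr(t, i):
    """Parse an address term at t[i]; return (matcher, index after it)."""
    if t[i] == "any":
        return (lambda ip: True), i + 1
    if t[i] == "host":
        fixed = int(ipaddress.ip_address(t[i + 1]))
        return (lambda ip: int(ipaddress.ip_address(ip)) == fixed), i + 2
    base, wild = (int(ipaddress.ip_address(x)) for x in t[i:i + 2])
    return (lambda ip: (int(ipaddress.ip_address(ip)) | wild) == (base | wild)), i + 2

def _portop(t, i):
    """Parse an optional 'eq N' / 'gt N' at t[i]; return (matcher, index after it)."""
    if i < len(t) and t[i] in ("eq", "gt"):
        n = PORTS.get(t[i + 1]) or int(t[i + 1])
        return ((lambda p: p == n) if t[i] == "eq" else (lambda p: p > n)), i + 2
    return (lambda p: True), i

def parse_ace(line):
    t = line.split()  # access-list 101 <action> <proto> <src> [op] <dst> [op] [log]
    src, i = _addr(t, 4)
    sport, i = _portop(t, i)
    dst, i = _addr(t, i)
    dport, i = _portop(t, i)
    return t[2], t[3], src, sport, dst, dport

def evaluate(acl, pkt):
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for line in acl:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto in ("ip", pkt["proto"]) and src(pkt["src"]) and dst(pkt["dst"]) \
                and sport(pkt.get("sport", 0)) and dport(pkt.get("dport", 0)):
            return action
    return "deny"

# The entries from the poster's ACL 101 that matter here, in their original order.
ORIGINAL = [
    "access-list 101 permit tcp any eq smtp any eq smtp",
    "access-list 101 permit tcp any eq www any eq www",
    "access-list 101 permit tcp any eq ftp any eq ftp",
    "access-list 101 permit tcp any eq 22 any eq 22",
    "access-list 101 deny ip any any log",
]
# PES's version: a client's source port is ephemeral, so match only the destination.
FIXED = [
    "access-list 101 permit tcp any gt 1023 any eq smtp",
    "access-list 101 permit tcp any gt 1023 any eq www",
    "access-list 101 permit tcp any gt 1023 any eq ftp",
    "access-list 101 permit tcp any gt 1023 any eq 22",
    "access-list 101 deny ip any any log",
]
# Constructed inbound SYN from an internet client. The inbound ACL on Dialer1 is
# checked before NAT, so the destination is still the router's public address
# (203.0.113.5 is a placeholder for the address Dialer1 negotiates).
WEB_SYN = {"proto": "tcp", "src": "198.51.100.20", "sport": 51515,
           "dst": "203.0.113.5", "dport": 80}
```

`evaluate(ORIGINAL, WEB_SYN)` returns `"deny"` (the SYN falls through to `deny ip any any log`, which is why the poster saw nothing reach the server), while `evaluate(FIXED, WEB_SYN)` returns `"permit"`.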

Jason
Guest
07-01-2004

Thanks. That did it. Much appreciated.


--
Cheers,
Jason

Note: Use ROT13 to decipher my email address
