Velocity Reviews - Computer Hardware Reviews

Basic Routing issue

 
 
bdw@wbai.com
      08-01-2006
My configuration follows. I've got a Cisco 1700 router that is
servicing between 2 networks - one is public - Ethernet0 and one is
internal/private - fastethernet. I am trying to allow mail to go
through the firewall. I am having problems getting any traffic to flow
- inside or out.
I was hoping that someone could look at this and give me some guidance.

Thanks!!

Using 1605 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname owh-inc
!
boot bootstrap flash:c1700-o3sy756i-mz.121-5.YB1.bin
boot system rom
logging rate-limit console 10 except errors
enable secret 5 $1$VkT3$IkEHnWrgFGgkJt2I4vj8Y1
enable password *****
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
ip name-server 65.106.1.196
ip name-server 65.106.7.196
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
!
!
!
interface Ethernet0
description outside
ip address 64.221.206.163 255.255.255.0
ip access-group 100 in
ip nat outside
no ip mroute-cache
full-duplex
!
interface FastEthernet0
description inside
ip address 192.168.100.1 255.255.255.0
ip nat inside
no ip mroute-cache
speed auto
!
interface Serial0
no ip address
no ip mroute-cache
shutdown
!
router rip
network 64.0.0.0
network 192.168.100.0
!
ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23
ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 64.221.206.161
no ip http server
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit tcp any 192.168.100.0 0.0.0.255 established
access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq telnet
access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq smtp
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password wbai001
login
!
end

 
chris
      08-01-2006

<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) ups.com...
> My configuration follows. I've got a Cisco 1700 router that is
> servicing between 2 networks - one is public - Ethernet0 and one is
> internal/private - fastethernet. I am trying to allow mail to go
> through the firewall. I am having problems getting any traffic to flow
> - inside or out.
> I was hoping that someone could look at this and give me some guidance.
>
> Thanks!!
>


Access-list 100 ... why is it allowing access from the internet to private
IP addresses? Traffic coming into that interface will be destined for the
global IP, not the private one.

Also, because of that acl any client on the inside sending out a DNS query
will not get a reply as your acl will block the reply from the server.

Chris.



 
anybody43@hotmail.com
      08-01-2006

chris wrote:
> <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) ups.com...
> > My configuration follows. I've got a Cisco 1700 router that is
> > servicing between 2 networks - one is public - Ethernet0 and one is
> > internal/private - fastethernet. I am trying to allow mail to go
> > through the firewall. I am having problems getting any traffic to flow
> > - inside or out.
> > I was hoping that someone could look at this and give me some guidance.

>
> Access-list 100 ... why is it allowing access from the internet to private
> IP addresses? Traffic coming into that interface will be destined for the
> global IP, not the private one.
>
> Also, because of that acl any client on the inside sending out a DNS query
> will not get a reply as your acl will block the reply from the server.


As Chris says:-
(I had already written the following)

!
! REPLACE THIS
!
ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23

ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25 extendable

!
access-list 1 permit 192.168.100.0 0.0.0.255

access-list 100 permit tcp any 192.168.100.0 0.0.0.255 established
access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq telnet
access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq smtp

dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit


###########################################

! WITH THIS

logging buffered 50000
logging buffered debug
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
! console logging can adversely affect CPU
! but is OK for testing.
no logg con


ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23

ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25

route-map nonat permit 10
match ip address 110

access-list 100 permit tcp any host 64.221.206.163 established
access-list 100 permit tcp any host 64.221.206.163 eq telnet
access-list 100 permit tcp any host 64.221.206.163 eq smtp
!! Adding next 3 lines gives you better diagnostics - for troubleshooting
!! if there is too much in the logs for you, you can
!! always take it out later
access-list 100 deny tcp any any log
access-list 100 deny tcp any any log
access-list 100 deny ip any any log


!! You may need the next 2 lines I am not sure
! an 'ip' entry cannot take port matches; 'eq' needs a tcp (or udp) entry
access-list 110 deny tcp host 192.168.100.1 eq 23 any eq 23
access-list 110 deny tcp host 192.168.100.113 eq 25 any eq 25
!!
access-list 110 permit ip 192.168.100.0 0.0.0.255 any


########################################

Look on cisco site for "nat order of operations"

Fix up DNS yourself
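As an added illustration of the two points made above (Chris's: the inbound ACL on Ethernet0 is evaluated before outside-to-inside NAT, so it sees the global address 64.221.206.163, not 192.168.100.x; and anybody43's rewritten ACL 100), here is a small Python evaluator for Cisco-style extended ACL entries run over three constructed inbound packets. It is not code from the thread; the remote source addresses are constructed, and the evaluator only handles the syntax used in this config (any/host/wildcard, eq, established, contiguous masks).

```python
import ipaddress
from typing import List, Tuple
# Constructed packet tuple: (src, dst, protocol, dst_port, tcp_ack_flag_set)
Packet = Tuple[str, str, str, int, bool]
PORTS = {"telnet": 23, "smtp": 25, "domain": 53}   # the named ports this config uses

def _addr(tok: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' from the token list."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # a Cisco wildcard is a host mask, which ipaddress accepts (contiguous masks only)
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def acl_decision(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst, proto, dport, ack = pkt
    for line in acl:
        tok = line.split()                 # access-list N action proto src dst [opts]
        action, rule_proto, rest = tok[2], tok[3], tok[4:]
        if rule_proto not in (proto, "ip"):
            continue
        src_net, rest = _addr(rest)
        dst_net, rest = _addr(rest)
        if ipaddress.ip_address(src) not in src_net or ipaddress.ip_address(dst) not in dst_net:
            continue
        if "eq" in rest:                   # destination port match
            name = rest[rest.index("eq") + 1]
            if dport != PORTS.get(name, int(name) if name.isdigit() else -1):
                continue
        if "established" in rest and not (proto == "tcp" and ack):
            continue                       # only replies to inside-initiated TCP sessions
        return action
    return "deny"

# ACL 100 as posted (matches private addresses) and as rewritten against the global IP
ORIGINAL = ["access-list 100 permit tcp any 192.168.100.0 0.0.0.255 established",
            "access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq telnet",
            "access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq smtp"]
FIXED = ["access-list 100 permit tcp any host 64.221.206.163 established",
         "access-list 100 permit tcp any host 64.221.206.163 eq telnet",
         "access-list 100 permit tcp any host 64.221.206.163 eq smtp",
         "access-list 100 deny ip any any log"]

# Constructed inbound packets on Ethernet0; the ACL runs before NAT, so dst is the global IP
SMTP_SYN = ("203.0.113.5", "64.221.206.163", "tcp", 25, False)       # new mail delivery
WEB_REPLY = ("198.51.100.9", "64.221.206.163", "tcp", 40001, True)   # return half of an outbound session
DNS_REPLY = ("65.106.1.196", "64.221.206.163", "udp", 40002, False)  # answer from the configured resolver
```

The posted list denies all three packets, the rewritten list permits the SMTP delivery and the TCP reply but still denies the UDP DNS answer, which is the DNS gap the thread leaves for the poster to close.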

 