837 won't pass traffic from eth0 to internet

Discussion in 'Cisco' started by X--Eliminator, Jul 4, 2005.

  1. I have an 837 that won't pass traffic from eth0 to the internet. The
    statically addressed hosts attached to the 1548M switch are in the
    same subnet as eth0, and there is a default route to pass eth0 traffic
    to atm0.1, but I seem to have a brick wall between eth0 and atm0.

    When I set up a logging access list permitting traffic in both
    directions on eth0 and atm0, I can see traffic hitting eth0 from the
    switch, and can see inbound traffic hitting atm0 from the internet.
    The speed & duplex on the switch and the router are the same (not
    autodetect).

    I can successfully ping out from atm0 to internet & see traffic coming
    back. I also see corresponding CDP neighbor adjacency on both the
    switch connected to eth0 and the 837. I can ping eth0 from a
    workstation attached to the switch, but cannot ping the internet from
    the same workstation.

    I have run the show tech thru the Cisco Output Interpreter and see no
    meaningful trouble, but I can find no real reason why I can't seem to
    pass traffic from eth0 to the internet. There's no reason for me to
    NAT in this scenario.

    I have used the SAME basic config on an 827 & 1720 (and it works), and
    the ONLY thing I need to pass traffic to the internet is the basic
    default route: ip route 0.0.0.0 0.0.0.0 ATM0.1

    Can anyone tell me why I can't pass traffic to the internet?
    Am I missing something really basic here?
    ===========================================

    Current configuration : 1468 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname 837
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable
    !
    !
    no crypto isakmp enable
    !
    !
    interface Ethernet0
    description INSIDE INTERFACE
    ip address 10.10.10.1 255.0.0.0
    hold-queue 100 out
    !
    interface ATM0
    description OUTSIDE INTERFACE
    mac-address 0004.9a87.1bb8
    no ip address
    no ip unreachables
    no ip proxy-arp
    ip accounting access-violations
    no ip mroute-cache
    logging event subif-link-status
    no atm ilmi-keepalive
    bundle-enable
    dsl operating-mode ansi-dmt
    dsl enable-training-log
    hold-queue 224 in
    !
    interface ATM0.1 point-to-point
    description "EXTERNAL INTERFACE"
    ip address (not shown)
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    no ip mroute-cache
    timeout absolute 35790 0
    pvc 0/35
    protocol ip (not shown)
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    no ip http server
    no ip http secure-server
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    login
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    !
    end

    ========================
    Here's the show CDP neighbor output...

    1548m#sho cdp neigh
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, P - Repeater, H - Host I - IGMP
    DeviceID   IP Addr       Local Port   Capability   Platform     Remote Port
    837        10.10.10.1    fa 0/1       R            Cisco C837   Ethernet0

    837#sho cdp neigh
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater

    Device ID                 Local Intrfce   Holdtme   Capability   Platform   Port ID
    1548m MAC:0090F2 B13EF1   Eth 0           179       T S          1548m      Fas 0/1
     
    X--Eliminator, Jul 4, 2005
    #1

  2. Uli Link (Guest)

    X--Eliminator wrote:

    > !
    > interface Ethernet0
    > description INSIDE INTERFACE
    > ip address 10.10.10.1 255.0.0.0
    > hold-queue 100 out
    > !



    The route to the internet from a client is through 10.10.10.1/8.
    Your provider *must* drop such traffic.
    This is not a valid IP address on the internet. Only useful with
    PAT/NAT or in LANs not connected to the internet.

    If you have valid IP addresses for the Ethernet side of the 837, the IP
    Address and netmask must be set to a routable address given to you by
    your ISP.

    --
    Uli
     
    Uli Link, Jul 4, 2005
    #2

  3. Martin Kayes (Guest)

    As Uli Link says, your NAT is not set up correctly; you are missing 'ip nat
    inside' from your Ethernet0 interface and a NAT statement. You will need
    the following lines:

    access-list 100 permit ip any any
    ip nat inside source list 100 interface Dialer0 overload
    !
    interface ethernet0
    ip nat inside


    Also, you may need these adjustments as your ISP may drop oversized packets
    (we have to do this here in the UK). Don't use them unless you have
    problems with large packets.

    interface Ethernet0
    ip tcp adjust-mss 1452
    !
    interface ATM0.1 point-to-point
    ip mtu 1492
    ip tcp adjust-mss 1452


    Regards,

    Martin


     
    Martin Kayes, Jul 4, 2005
    #3
  4. OK thanks to Uli & Martin for both of those responses. After adding
    all of those configs, I then added the following logging access lists:

    access-list 100 permit icmp any any log
    access-list 100 permit tcp any any log
    access-list 100 permit udp any any log
    access-list 100 permit ip any any log
    access-list 101 permit icmp any any log
    access-list 101 permit tcp any any log
    access-list 101 permit udp any any log
    access-list 101 permit ip any any log

    ip access-group 101 in
    ip access-group 100 out

    I applied the ACLs inbound & outbound to the atm interface, and then
    in the router log I can see the outbound ping traffic to all internet
    addresses going out on atm0.1, but I get "destination host unreachable"
    on all 4 pings at the W2k workstation. In the router log it shows that
    "some" of the packets made it out, but no ping returns came back and I
    can't browse any websites using either Internet Explorer, Netscape, or
    Opera (I have connected the workstation to the router using both a
    regular cable & a crossover but the result is the same). I can ping
    out to the internet 100% of the time (from the 837) and I get 100%
    returns.

    *Mar 1 01:31:56.287: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.142 (0/0), 1 packet
    *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.122 (0/0), 3 packets
    *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.146 (0/0), 3 packets
    *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.4 (0/0), 3 packets

    Now if I connect my Cisco 1720 and ping the same 4 addresses as above
    I get good ping returns all the way to the W2k workstation.

    And I know that traffic is coming inbound to the 837 because I can see
    the hackers probing my IP address:

    *Mar 1 01:35:33.247: %SEC-6-IPACCESSLOGP: list 101 permitted udp 83.24.162.126(0) -> ip address not shown(0), 1 packet
    *Mar 1 01:36:27.759: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 64.39.171.102(0) -> ip address not shown(0), 1 packet
    *Mar 1 01:36:56.955: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 212.114.230.64(0) -> ip address not shown(0), 1 packet

    If anyone has more suggestions, I would be very happy to hear them, as I
    have run out of ideas. Thanks in advance.

    +++++++++++++++++++++++++++++++++++++++++
    On Mon, 4 Jul 2005 11:20:04 +0100, "Martin Kayes" <>
    wrote:

    >As Uli Link says, your NAT is not setup correctly, you are missing 'ip nat
    >inside' form your Ethernet0 interface and a nat statement. You will need
    >the following lines:
    >
    >access-list 100 permit ip any any
    >ip nat inside source list 100 interface Dialer0 overload
    >!
    >interface ethernet0
    > ip nat inside
    >
    >
    >Also, you may need these adjustments as your ISP may drop oversized packets
    >(we have to do this here in the UK). Don't use them unless you have
    >problems with large packets.
    >
    >interface Ethernet0
    > ip tcp adjust-mss 1452
    >!
    >interface ATM0.1 point-to-point
    > ip mtu 1492
    > ip tcp adjust-mss 1452
    >
    >
    >Regards,
    >
    >Martin
     
    X--Eliminator, Jul 4, 2005
    #4
  5. On Mon, 04 Jul 2005 11:20:04 +0100, Martin Kayes wrote:

    > As Uli Link says, your NAT is not setup correctly, you are missing 'ip nat
    > inside' form your Ethernet0 interface and a nat statement. You will need
    > the following lines:
    >
    > access-list 100 permit ip any any


    Better to use "access-list 100 permit 10.0.0.0 0.255.255.255 any".
    Using any any in a NAT ACL may lead to unintended consequences. The NAT
    ACL should match only the traffic you want to have natted. If it was ok
    to have any any in a NAT ACL, you wouldn't need one at all.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Jul 4, 2005
    #5
  6. Martin Kayes (Guest)

    Did you notice the deliberate mistake in my last post? I left the following
    statement listing interface dialer0 from my config instead of changing it to
    ATM0.1 as per your config:

    It should be...

    'ip nat inside source list 100 interface ATM0.1 overload'

    That could be the problem. Let me know if that was it.

    Regards,

    Martin


     
    Martin Kayes, Jul 4, 2005
    #6
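    The three NAT fixes worked out across posts #3, #5 and #6 ('ip nat inside' on the inside interface, a NAT statement that names an interface actually present in the config rather than Dialer0, and a NAT ACL scoped to the inside subnet instead of 'any any') can be checked mechanically before a config is loaded. The Python checker below is an added example for this page, not code from the thread or from Cisco; check_nat, parse_interfaces, acl_sources and wildcard_to_network are hypothetical names, and the two config strings are constructed from the thread's snippets.

```python
"""Check an IOS config for the NAT mistakes this thread walks through (posts #3, #5, #6)."""
import ipaddress
import re
from typing import Dict, List, Optional

# Hypothetical helper written for this page; not Cisco code and not from the thread.
# Global keywords that end an interface block when a paste has lost the leading space
# IOS puts before sub-commands (forum archives strip it, as this thread's config shows).
_GLOBAL = ("ip route ", "ip nat inside source", "access-list", "ip classless",
           "line ", "router ", "control-plane", "scheduler", "end")
_PROTOCOLS = ("ip", "tcp", "udp", "icmp")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map lower-cased interface name -> sub-commands; repeated blocks merge as in IOS."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith(_GLOBAL):
            current = None
            continue
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1).lower()
            interfaces.setdefault(current, [])
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard pair (10.0.0.0 0.255.255.255) -> IPv4Network (10.0.0.0/8)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def acl_sources(config: str, number: str) -> List[Optional[ipaddress.IPv4Network]]:
    """Source network of each 'permit' entry in numbered ACL <number>; None if unparsable."""
    nets: List[Optional[ipaddress.IPv4Network]] = []
    for line in config.splitlines():
        rest = line.split()
        if rest[:3] != ["access-list", number, "permit"]:
            continue
        rest = rest[3:]
        if rest and rest[0] in _PROTOCOLS:  # extended entries name a protocol first
            rest = rest[1:]
        try:
            if rest[0] == "any":
                nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            elif rest[0] == "host":
                nets.append(ipaddress.IPv4Network(rest[1] + "/32"))
            else:
                nets.append(wildcard_to_network(rest[0], rest[1]))
        except (ValueError, IndexError):
            nets.append(None)
    return nets


def check_nat(config: str) -> List[str]:
    """Return findings; an empty list means the NAT wiring is complete and scoped."""
    findings: List[str] = []
    ifs = parse_interfaces(config)
    if not any("ip nat inside" in cmds for cmds in ifs.values()):
        findings.append("no interface carries 'ip nat inside'")
    stmts = re.findall(r"^\s*ip nat inside source list (\S+) interface (\S+)", config, re.M)
    if not stmts:
        findings.append("no 'ip nat inside source list ... interface ...' statement")
    for acl, outside_if in stmts:
        if outside_if.lower() not in ifs:  # the Dialer0-vs-ATM0.1 slip from post #3
            findings.append(f"NAT statement names {outside_if}, which is not configured")
        elif "ip nat outside" not in ifs[outside_if.lower()]:
            findings.append(f"{outside_if} lacks 'ip nat outside'")
        sources = acl_sources(config, acl)
        if any(s is None for s in sources):
            findings.append(f"access-list {acl} has an entry this checker cannot parse")
        if any(s is not None and s.prefixlen == 0 for s in sources):  # post #5's point
            findings.append(f"access-list {acl} permits any source; scope it to the inside subnet")
    return findings


# Constructed sample: the poster's two interfaces plus the first NAT lines suggested
# in post #3 (the 'Dialer0' slip and the 'permit ip any any' list).
BROKEN_CONFIG = """
interface Ethernet0
 ip address 10.10.10.1 255.0.0.0
 ip nat inside
!
interface ATM0.1 point-to-point
 ip nat outside
!
access-list 100 permit ip any any
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 ATM0.1
"""

# The same config with the corrections from posts #5 and #6 applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "permit ip any any", "permit ip 10.0.0.0 0.255.255.255 any"
).replace("interface Dialer0 overload", "interface ATM0.1 overload")
```

Running check_nat on BROKEN_CONFIG reports the unconfigured Dialer0 and the unscoped ACL; on FIXED_CONFIG it reports nothing.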
  7. OK. PROBLEM SOLVED !!!!

    After I put that source list command to atm0.1, I started to see that
    when I ping from the workstation to the internet, the first (and ONLY
    the first) packet would go through and the next 3 packets would fail.
    If I would then quickly repeat the ping to the same address, all 4
    pings then fail.

    Just for giggles I decided to put a logging permit inbound & outbound
    ACL on eth0, and VOILA, all the pings go thru and now I can access the
    internet from my browser. After deleting and reapplying the individual
    inbound vs. outbound ACLs on eth0, I verified that I ONLY need the
    inbound permit on eth0 (to get ICMP echo reply and tcp/udp
    connectivity when I use the browser)...

    access-list 106 permit icmp any any log
    access-list 106 permit tcp any any log
    access-list 106 permit udp any any log
    access-list 106 permit ip any any log

    interface Ethernet0
    ip access-group 106 in

    If I don't have the above configuration, nothing works. I knew this
    intuitively since I could ping outbound to anywhere to the internet
    from the router, but not from the ethernet.

    This is a real bite in the ass since I have an 8274v & 1720 and don't need
    to place any ACLs on the ethernet interface to have outbound internet
    access on those routers.

    Thank you to Martin & all who have replied to help me solve this
    problem.

    ============================================
    On Mon, 4 Jul 2005 20:45:02 +0100, "Martin Kayes" <>
    wrote:

    >Did you notice the deliberate mistake in my last post, I left the following
    >statement listing interface dialer0 from my config instead of changing it to
    >ATM0.1 as per your config:
    >
    >It should be...
    >
    >'ip nat inside source list 100 interface ATM0.1 overload'
    >
    >That could be the problem. Let me know if that was it.
    >
    >Regards,
    >
    >Martin
    >
    >
    >"X--Eliminator" <> wrote in message
    >news:...
    >> OK thanks to Uli & Martin for both of those responses. After adding
    >> all of those configs, I then added the following logging access lists:
    >>
    >> access-list 100 permit icmp any any log
    >> access-list 100 permit tcp any any log
    >> access-list 100 permit udp any any log
    >> access-list 100 permit ip any any log
    >> access-list 101 permit icmp any any log
    >> access-list 101 permit tcp any any log
    >> access-list 101 permit udp any any log
    >> access-list 101 permit ip any any log
    >>
    >> ip access-group 101 in
    >> ip access-group 100 out
    >>
    >> I applied the ACL's inbound & outbound to the atm interface, and then
    >> in the router log I can see the outbound ping traffic to all internet
    >> address going out on atm0.1 but I get "destination host unreachable"
    >> on all 4 pings at the W2k workstation. In the router log it shows that
    >> "some" of the packets made it out, but no ping returns came back and I
    >> can't browse any websites using either Internet Explorer, Netscape, or
    >> Opera (I have connected the workstation to the router using both a
    >> regular cable & a crossover but the result is the same). I can ping
    >> out to the internet 100% of the time (from the 837) and I get 100%
    >> returns.
    >>
    >> *Mar 1 01:31:56.287: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp
    >> 10.10.10.7 -> 198.6.1.142 (0/0), 1 packet
    >> *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp
    >> 10.10.10.7 -> 198.6.1.122 (0/0), 3 packets
    >> *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp
    >> 10.10.10.7 -> 198.6.1.146 (0/0), 3 packets
    >> *Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp
    >> 10.10.10.7 -> 198.6.1.4 (0/0), 3 packets
    >>
    >> Now if I connect my Cisco 1720 and ping the same 4 addresses as above
    >> I get good ping returns all the way to the W2k workstation.
    >>
    >> And I know that traffic is coming inbound to the 837 because I can see
    >> the hackers probing my IP address:
    >>
    >> *Mar 1 01:35:33.247: %SEC-6-IPACCESSLOGP: list 101 permitted udp
    >> 83.24.162.126(0) -> ip address not shown(0), 1 packet
    >> *Mar 1 01:36:27.759: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    >> 64.39.171.102(0) -> ip address not shown(0), 1 packet
    >> *Mar 1 01:36:56.955: %SEC-6-IPACCESSLOGP: list 101 permitted tcp
    >> 212.114.230.64(0) -> ip address not shown(0), 1 packet
    >>
    >> If any has more suggestions. I would be very happy to hear them, as I
    >> have run out of ideas. Thanks in advance
    >>
    >> +++++++++++++++++++++++++++++++++++++++++
    >> On Mon, 4 Jul 2005 11:20:04 +0100, "Martin Kayes" <>
    >> wrote:
    >>
    >>>As Uli Link says, your NAT is not setup correctly, you are missing 'ip nat
    >>>inside' form your Ethernet0 interface and a nat statement. You will need
    >>>the following lines:
    >>>
    >>>access-list 100 permit ip any any
    >>>ip nat inside source list 100 interface Dialer0 overload
    >>>!
    >>>interface ethernet0
    >>> ip nat inside
    >>>
    >>>
    >>>Also, you may need these adjustments, as your ISP may drop oversized
    >>>packets (we have to do this here in the UK). Don't use them unless you
    >>>have problems with large packets.
    >>>
    >>>interface Ethernet0
    >>> ip tcp adjust-mss 1452
    >>>!
    >>>interface ATM0.1 point-to-point
    >>> ip mtu 1492
    >>> ip tcp adjust-mss 1452
    >>>
    >>>
    >>>Regards,
    >>>
    >>>Martin
    >>>
    >>>
    >>>"X--Eliminator" <> wrote in message
    >>>news:...
    >>>>
    >>>> I have an 837 that won't pass traffic from eth0 to the internet. The
    >>>> statically addressed hosts attached to the 1548M switch are in the
    >>>> same subnet as eth0, and there is a default route to pass eth0 traffic
    >>>> to atm0.1, but I seem to have brick wall between eth0 and atm0.
    >>>>
    >>>> When I set-up a logging access list permitting traffic in both
    >>>> directions on eth0 and atm0, I can see traffic hitting eth0 from the
    >>>> switch, and can see inbound traffic hitting atm0 from the internet.
    >>>> The speed & duplex on the switch and the router are the same (not
    >>>> autodetect).
    >>>>
    >>>> I can successfully ping out from atm0 to internet & see traffic coming
    >>>> back. I also see corresponding CDP neighbor adjacency on both the
    >>>> switch connected to eth0 and the 837. I can ping eth0 from a
    >>>> workstation attached to the switch, but cannot ping the internet from
    >>>> the same workstation.
    >>>>
    >>>> I have run the show tech thru the Cisco Output Interpreter and see no
    >>>> meaningful trouble, but I can find no real reason why I can't seem to
    >>>> pass traffic from eth0 to the internet. There's no reason for me to
    >>>> NAT in this scenario.
    >>>>
    >>>> I have used the SAME basic config on an 827 & 1720 (and it works), and
    >>>> the ONLY thing I need to pass traffic to the internet is the basic
    >>>> default route: ip route 0.0.0.0 0.0.0.0 ATM0.1
    >>>>
    >>>> Can anyone tell me why I can't pass traffic to the internet ?
    >>>> Am I missing something really basic here?
    >>>> ===========================================
    >>>>
    >>>> Current configuration : 1468 bytes
    >>>> !
    >>>> version 12.3
    >>>> no service pad
    >>>> service timestamps debug datetime msec
    >>>> service timestamps log datetime msec
    >>>> no service password-encryption
    >>>> !
    >>>> hostname 837
    >>>> !
    >>>> boot-start-marker
    >>>> boot-end-marker
    >>>> !
    >>>> memory-size iomem 5
    >>>> !
    >>>> no aaa new-model
    >>>> ip subnet-zero
    >>>> !
    >>>> !
    >>>> ip audit notify log
    >>>> ip audit po max-events 100
    >>>> ip ssh break-string
    >>>> no ftp-server write-enable
    >>>> !
    >>>> !
    >>>> no crypto isakmp enable
    >>>> !
    >>>> !
    >>>> interface Ethernet0
    >>>> description INSIDE INTERFACE
    >>>> ip address 10.10.10.1 255.0.0.0
    >>>> hold-queue 100 out
    >>>> !
    >>>> interface ATM0
    >>>> description OUTSIDE INTERFACE
    >>>> mac-address 0004.9a87.1bb8
    >>>> no ip address
    >>>> no ip unreachables
    >>>> no ip proxy-arp
    >>>> ip accounting access-violations
    >>>> no ip mroute-cache
    >>>> logging event subif-link-status
    >>>> no atm ilmi-keepalive
    >>>> bundle-enable
    >>>> dsl operating-mode ansi-dmt
    >>>> dsl enable-training-log
    >>>> hold-queue 224 in
    >>>> !
    >>>> interface ATM0.1 point-to-point
    >>>> description "EXTERNAL INTERFACE"
    >>>> ip address (not shown)
    >>>> no ip unreachables
    >>>> no ip proxy-arp
    >>>> ip nat outside
    >>>> no ip mroute-cache
    >>>> timeout absolute 35790 0
    >>>> pvc 0/35
    >>>> protocol ip (not shown)
    >>>> !
    >>>> !
    >>>> ip classless
    >>>> ip route 0.0.0.0 0.0.0.0 ATM0.1
    >>>> no ip http server
    >>>> no ip http secure-server
    >>>> !
    >>>> !
    >>>> control-plane
    >>>> !
    >>>> !
    >>>> line con 0
    >>>> no modem enable
    >>>> transport preferred all
    >>>> transport output all
    >>>> line aux 0
    >>>> transport preferred all
    >>>> transport output all
    >>>> line vty 0 4
    >>>> login
    >>>> transport preferred all
    >>>> transport input all
    >>>> transport output all
    >>>> !
    >>>> scheduler max-task-time 5000
    >>>> !
    >>>> end
    >>>>
    >>>> ========================
    >>>> Here's the show CDP neighbor output...
    >>>>
    >>>> 1548m#sho cdp neigh
    >>>> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
    >>>>                   S - Switch, P - Repeater, H - Host I - IGMP
    >>>> DeviceID   IP Addr      Local Port   Capability   Platform     Remote Port
    >>>> 837        10.10.10.1   fa 0/1       R            Cisco C837   Ethernet0
    >>>>
    >>>> 837#sho cdp neigh
    >>>> Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
    >>>>                   S - Switch, H - Host, I - IGMP, r - Repeater
    >>>>
    >>>> Device ID                 Local Intrfce   Holdtme   Capability   Platform   Port ID
    >>>> 1548m MAC:0090F2 B13EF1   Eth 0           179       T S          1548m      Fas 0/1
    >>>>
    X--Eliminator, Jul 5, 2005
    #7
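The gap the replies point at is visible in the posted config itself: ATM0.1 carries `ip nat outside`, but no interface carries `ip nat inside` and there is no `ip nat inside source` rule, while Ethernet0 sits in 10.0.0.0/8, which is RFC 1918 space that internet hosts cannot route replies to without translation. That is exactly the "pings leave but never come back" symptom in the thread. The Python below is an added example, not code from the thread or from Cisco: it parses the interface blocks of an IOS config and reports that asymmetry. The sample configs are constructed fragments of the posted one; the corrected fragment points the overload rule at ATM0.1 rather than Dialer0, because the posted config has no Dialer interface, and a third variant shows what happens when the suggested Dialer0 line is pasted in verbatim. The function and constant names (`parse_interfaces`, `lint_nat`, `BROKEN_CONFIG` and so on) are my own.

```python
"""Lint a Cisco IOS config for a one-sided NAT setup (added example, not from
the thread or from Cisco; the sample configs below are constructed fragments
of the 837 config posted above)."""
import ipaddress
import re

# RFC 1918 space: replies to packets sourced from here never come back from
# the internet unless the router translates the source address.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed fragment of the config as posted: outside is marked, inside is
# not, and there is no translation rule at all.
BROKEN_CONFIG = """\
interface Ethernet0
 description INSIDE INTERFACE
 ip address 10.10.10.1 255.0.0.0
!
interface ATM0.1 point-to-point
 description "EXTERNAL INTERFACE"
 ip address (not shown)
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
"""

# Same fragment with the two missing pieces. The rule names ATM0.1 because
# that is where the public address lives here; this router has no Dialer0.
FIXED_CONFIG = """\
access-list 100 permit ip any any
ip nat inside source list 100 interface ATM0.1 overload
!
interface Ethernet0
 ip address 10.10.10.1 255.0.0.0
 ip nat inside
!
interface ATM0.1 point-to-point
 ip address (not shown)
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
"""

# The suggested line pasted in verbatim: it names an interface that does
# not exist in this config.
DIALER_CONFIG = FIXED_CONFIG.replace("interface ATM0.1 overload",
                                     "interface Dialer0 overload")


def parse_interfaces(config):
    """Map each 'interface X' block to its list of stripped sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None            # '!' closes the current block
            continue
        if not line.startswith(" "):  # top-level command
            m = re.match(r"interface (\S+)", line)
            current = m.group(1) if m else None
            if current is not None:
                interfaces[current] = []
            continue
        if current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def lint_nat(config):
    """Return findings as strings; an empty list means the NAT pieces agree."""
    findings = []
    ifaces = parse_interfaces(config)
    inside = [n for n, cmds in ifaces.items() if "ip nat inside" in cmds]
    outside = [n for n, cmds in ifaces.items() if "ip nat outside" in cmds]
    rules = [l for l in config.splitlines() if l.startswith("ip nat inside source")]

    if outside and not inside:
        findings.append("ip nat outside on %s but no interface is ip nat inside"
                        % ", ".join(outside))
    if (inside or outside) and not rules:
        findings.append("NAT interfaces marked but no 'ip nat inside source' rule")
    for rule in rules:
        m = re.search(r"interface (\S+)", rule)
        if m and m.group(1) not in ifaces:
            findings.append("NAT rule references %s which is not configured"
                            % m.group(1))
    # A private inside network that is not marked for translation is the
    # 'pings leave but never return' case from the thread.
    for name, cmds in ifaces.items():
        for cmd in cmds:
            m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) \d+\.\d+\.\d+\.\d+", cmd)
            if m and name not in inside and any(
                    ipaddress.ip_address(m.group(1)) in net for net in PRIVATE_NETS):
                findings.append("%s has RFC 1918 address %s but is not ip nat inside"
                                % (name, m.group(1)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("corrected", FIXED_CONFIG),
                       ("Dialer0 variant", DIALER_CONFIG)):
        print(label + ":", lint_nat(cfg) or ["no NAT findings"])
```

Run it against `show running-config` output saved to a file and the three checks cover the common ways a small-router NAT setup ends up one-sided: an outside interface with no inside, interfaces marked but no `ip nat inside source` rule, and a rule that names an interface the box does not have.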