ACL Help - Two Interfaces and NAT

Discussion in 'Cisco' started by mike, Aug 22, 2006.

  1. mike (Guest)

    I have a network that is becoming more complicated than I am used to.

    It is a remote office that has asked me to provide wireless internet access
    for their guests. I initially told them no way, they'd have to get a second
    T1. But I finally compromised on a second ethernet WIC in their 1700 router
    running FW IOS.

    The two segments worked fine. 192.168.1.0/24 is the office network, and
    10.1.1.0/24 is the guest network.

    The public segment is using NAT/overload on the serial interface.

    Now they are asking that a vendor be allowed to put some device on their
    network. A web server that runs some sort of weather monitoring station or
    something. I told them I would put it on the 10.1.1.0 network. But it
    requires a public IP so the weather company can connect to it via port 80.

    So I added a static nat mapping: ip nat inside source static 10.1.1.5
    212.74.17.71. This seems to work as long as I don't use my ACL. The
    weather company was able to connect and configure the device.

    But when I apply my ACL, the weather station becomes unavailable. When the
    weather company tries to ping it, they get host unreachable.

    If I take the ACL off, I can ping the weather station all day long.

    When I put the ACL back on, I get destination host unreachable.

    I'm thinking this has something to do with the address translation, but I'm
    not sure what it is.

    10 permit tcp any any established --- WORKS !!!
    20 permit icmp any host 212.74.17.70 echo-reply --- WORKS!!!
    30 permit icmp any host 212.74.17.71 echo-reply --- DOESN'T WORK!!!

    212.74.17.70 is the ip of S0 interface
    212.74.17.71 is the ip of the weather station computer

    Thank you
    mike, Aug 22, 2006
    #1

  2. James (Guest)

    Under the outside interface you will need to add the IP Inspect
    command. Normally the router creates a list called DEFAULT100. If it
    has then try:-

    int s0
    ip inspect DEFAULT100 in

    If this doesn't work then I will need to see the full config to help
    you any further.

    James

    James, Aug 23, 2006
    #2
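The configuration below is an added example for the problem in post #1 and the inspect suggestion in post #2; it is not from the thread and not the poster's running config. It uses the addresses the thread gives (S0 = 212.74.17.70, static NAT 10.1.1.5 -> 212.74.17.71) and assumes the ACL name OUTSIDE-IN, the interface name Serial0, and the /29 subnet mask, none of which the thread states. The security-relevant point: an inbound ACL on the outside interface is checked against the packet as it arrives, before outside-to-inside NAT, so line 30 correctly names the global address, but `echo-reply` only matches ICMP type 0 (the answer to a ping sent from inside), and `established` only matches segments with ACK or RST set. A ping from the weather company is an echo request (type 8) and their port-80 connection starts with a SYN, so neither is permitted and the router drops both; hence the unreachables. Lines 40 and 50 admit exactly those two inbound flows to the static-NAT host and nothing else.

```cisco
! Stateful inspection of sessions leaving Serial0, so their return traffic is
! admitted through OUTSIDE-IN. This opens nothing for outside-initiated
! connections; those still need explicit permits (lines 40 and 50 below).
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
!
! Inbound filter on the public interface. Evaluated before NAT, so the
! weather station is named by its global address 212.74.17.71.
ip access-list extended OUTSIDE-IN
 remark --- return traffic only (original lines 10-30) ---
 10 permit tcp any any established
 20 permit icmp any host 212.74.17.70 echo-reply
 30 permit icmp any host 212.74.17.71 echo-reply
 remark --- added: sessions the vendor initiates to the static-NAT host ---
 remark an inbound ping is an echo request (type 8), not an echo-reply
 40 permit icmp any host 212.74.17.71 echo
 remark a new HTTP connection is a SYN, which "established" never matches
 50 permit tcp any host 212.74.17.71 eq 80
 remark explicit deny with logging so drops show up in the log
 60 deny ip any any log
!
interface Serial0
 ! mask is an assumption; the thread gives only the interface address
 ip address 212.74.17.70 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect DEFAULT100 out
!
! Static mapping from the thread; the guest-network host keeps its private
! address and is reachable from outside only on the ports permitted above.
ip nat inside source static 10.1.1.5 212.74.17.71
```

To confirm which line is matching, watch the hit counters with `show ip access-lists OUTSIDE-IN` while the vendor pings and connects on port 80, and check `show ip nat translations` for the 10.1.1.5 <-> 212.74.17.71 entry; after the change the counts on lines 40 and 50 should increase and line 60 should stop logging the vendor's source address. Inspection is applied outbound on Serial0 here because its job is to let replies to inside-initiated sessions back in; it does not, and should not, make the weather station reachable on anything beyond ICMP echo and TCP/80.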
