Basic Routing issue

Discussion in 'Cisco' started by bdw@wbai.com, Aug 1, 2006.

  1. Guest

    My configuration follows. I've got a Cisco 1700 router that is
    servicing between 2 networks - one is public - Ethernet0 and one is
    internal/private - fastethernet. I am trying to allow mail to go
    through the firewall. I am having problems getting any traffic to flow
    - inside or out.
    I was hoping that someone could look at this and give me some guidance.

    Thanks!!

    Using 1605 out of 29688 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname owh-inc
    !
    boot bootstrap flash:c1700-o3sy756i-mz.121-5.YB1.bin
    boot system rom
    logging rate-limit console 10 except errors
    enable secret 5 $1$VkT3$IkEHnWrgFGgkJt2I4vj8Y1
    enable password *****
    !
    memory-size iomem 25
    ip subnet-zero
    !
    !
    no ip finger
    ip name-server 65.106.1.196
    ip name-server 65.106.7.196
    ip audit notify log
    ip audit po max-events 100
    no ip dhcp-client network-discovery
    !
    !
    !
    !
    !
    interface Ethernet0
    description outside
    ip address 64.221.206.163 255.255.255.0
    ip access-group 100 in
    ip nat outside
    no ip mroute-cache
    full-duplex
    !
    interface FastEthernet0
    description inside
    ip address 192.168.100.1 255.255.255.0
    ip nat inside
    no ip mroute-cache
    speed auto
    !
    interface Serial0
    no ip address
    no ip mroute-cache
    shutdown
    !
    router rip
    network 64.0.0.0
    network 192.168.100.0
    !
    ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23
    ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 64.221.206.161
    no ip http server
    !
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 established
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq telnet
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq smtp
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit
    !
    !
    line con 0
    transport input none
    line aux 0
    line vty 0 4
    password wbai001
    login
    !
    end
     
    , Aug 1, 2006
    #1

  2. chris Guest

    <> wrote in message
    news:...
    > My configuration follows. I've got a Cisco 1700 router that is
    > servicing between 2 networks - one is public - Ethernet0 and one is
    > internal/private - fastethernet. I am trying to allow mail to go
    > through the firewall. I am having problems getting any traffic to flow
    > - inside or out.
    > I was hoping that someone could look at this and give me some guidance.
    >
    > Thanks!!
    >


    Access-list 100 ... why is it allowing access from the internet to private
    IP addresses? Traffic coming into that interface will be destined for the
    global IP, not the private one.

    Also, because of that acl any client on the inside sending out a DNS query
    will not get a reply as your acl will block the reply from the server.

    Chris.
     
    chris, Aug 1, 2006
    #2

  3. Guest

    chris wrote:
    > <> wrote in message
    > news:...
    > > My configuration follows. I've got a Cisco 1700 router that is
    > > servicing between 2 networks - one is public - Ethernet0 and one is
    > > internal/private - fastethernet. I am trying to allow mail to go
    > > through the firewall. I am having problems getting any traffic to flow
    > > - inside or out.
    > > I was hoping that someone could look at this and give me some guidance.

    >
    > Access-list 100 ... why is it allowing access from the internet to private
    > IP addresses? Traffic coming into that interface will be destined for the
    > global IP, not the private one.
    >
    > Also, because of that acl any client on the inside sending out a DNS query
    > will not get a reply as your acl will block the reply from the server.


    As Chris says:-
    (I had already written the following)

    !
    ! REPLACE THIS
    !
    ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23
    ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25 extendable
    !
    access-list 1 permit 192.168.100.0 0.0.0.255
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 established
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq telnet
    access-list 100 permit tcp any 192.168.100.0 0.0.0.255 eq smtp
    dialer-list 1 protocol ip permit
    dialer-list 1 protocol ipx permit

    ###########################################

    ! WITH THIS

    logging buffered 50000
    logging buffered debug
    service timestamps debug datetime msec localtime
    service timestamps log datetime localtime
    ! console logging can adversely affect CPU, but is OK for testing
    no logging console

    ip nat inside source route-map nonat interface Ethernet0 overload
    ip nat inside source static tcp 192.168.100.1 23 interface Ethernet0 23
    ip nat inside source static tcp 192.168.100.113 25 64.221.206.163 25

    route-map nonat permit 10
     match ip address 110

    access-list 100 permit tcp any host 64.221.206.163 established
    access-list 100 permit tcp any host 64.221.206.163 eq telnet
    access-list 100 permit tcp any host 64.221.206.163 eq smtp
    !! Adding the next 2 lines gives you better diagnostics for troubleshooting;
    !! if there is too much in the logs for you, you can always take them out later
    access-list 100 deny tcp any any log
    access-list 100 deny ip any any log

    !! You may need the next 2 lines, I am not sure
    !! (port matches are only valid with tcp/udp, so these entries use tcp)
    access-list 110 deny tcp host 192.168.100.1 eq 23 any eq 23
    access-list 110 deny tcp host 192.168.100.113 eq 25 any eq 25
    !!
    access-list 110 permit ip 192.168.100.0 0.0.0.255 any

    ########################################

    Look on the Cisco site for "NAT order of operations".

    Fix up DNS yourself :)
     
    , Aug 1, 2006
    #3
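An added illustration (not from any poster in this thread) of the point both replies make: on Ethernet0 the inbound access list is evaluated before the outside-to-inside NAT translation, so it only ever sees the global address 64.221.206.163, never a 192.168.100.x destination. The script runs three constructed inbound packets through a simplified first-match model of the original and the corrected access-list 100; the sample source addresses and the reduced matcher (no source ports, no port ranges) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str            # inbound on Ethernet0 this is the GLOBAL address (pre-NAT)
    dport: int
    ack: bool = False   # ACK/RST bit set: what an IOS "established" entry matches

# ACL entries: (action, proto, src_net, dst_net, dport or None, flag or None)
ANY = "0.0.0.0/0"
ORIGINAL_ACL_100 = [  # the poster's ACL: destination is the PRIVATE subnet
    ("permit", "tcp", ANY, "192.168.100.0/24", None, "established"),
    ("permit", "tcp", ANY, "192.168.100.0/24", 23, None),
    ("permit", "tcp", ANY, "192.168.100.0/24", 25, None),
]
FIXED_ACL_100 = [  # the reply's ACL: destination is the GLOBAL host
    ("permit", "tcp", ANY, "64.221.206.163/32", None, "established"),
    ("permit", "tcp", ANY, "64.221.206.163/32", 23, None),
    ("permit", "tcp", ANY, "64.221.206.163/32", 25, None),
    ("deny", "ip", ANY, ANY, None, None),  # the explicit "deny ip any any log"
]

def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(acl, pkt):
    """First-match evaluation, then the implicit deny at the end, as IOS does."""
    for action, proto, src, dst, dport, flag in acl:
        if proto not in ("ip", pkt.proto):
            continue
        if not (_in(pkt.src, src) and _in(pkt.dst, dst)):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if flag == "established" and not pkt.ack:
            continue
        return action
    return "deny"

# Constructed packets arriving inbound on Ethernet0 (destination still untranslated).
SAMPLES = {
    "smtp_to_mail_server": Packet("tcp", "203.0.113.5", "64.221.206.163", 25),
    "reply_to_outbound_web": Packet("tcp", "198.51.100.10", "64.221.206.163", 51000, ack=True),
    "dns_reply": Packet("udp", "65.106.1.196", "64.221.206.163", 33000),
}

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}
```

With the original ACL every sample packet is denied, which is why nothing flowed in either direction; with the corrected one the SMTP connection and the return traffic pass, while the UDP DNS reply is still denied, which is the DNS point Chris raised.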
