Cisco 837 - CBAC Bug.

Discussion in 'Cisco' started by Knutts, Nov 22, 2005.

  1. Knutts

    Knutts Guest

    Hi there,

    I have just installed a cisco 837 which I have done many times before
    but this time things are not working.
    The router has been configured using the CRWS utility and setup with
    PAT for various services such as smtp, http etc. Everything worked
    except the port address translations. After many hours and a lot of
    hair pulling I found the case below suggesting there is a known bug
    with IOS 12.3 and all that was needed was to remove the inspect
    statements. Inspect statements removed and PAT started to work. BUT now
    there is no internet access from the LAN. Pings and trace routes to
    external domains all work fine. Any help is most appreciated.

    http://www.ciscotaccc.com/security/showcase?case=K95154935

    Current configuration : 4336 bytes
    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname Router
    !
    logging buffered informational
    !
    username CRWS_Gayatri privilege 15 password 7
    username CRWS_Venky privilege 15 password 7
    username CRWS_Kannan privilege 15 password 7
    username CRWS_Santhosh privilege 15 password 7
    username CRWS_Ritesh privilege 15 password 7
    no aaa new-model
    ip subnet-zero
    ip name-server 80.68.34.6
    ip name-server 80.68.34.8
    ip dhcp excluded-address 10.0.0.1
    !
    !

    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description CRWS Generated text. Please do not delete this:10.0.0.254-255.255.255.0
    ip address 10.0.0.254 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip tcp adjust-mss 1452
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    pppoe-client dial-pool-number 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 111 in
    ip mtu 1492
    ip nat outside

    encapsulation ppp
    ip tcp adjust-mss 1452
    dialer pool 1
    dialer remote-name redback
    dialer-group 1
    ppp authentication pap chap callin
    ppp chap hostname xxxxxxxxxxxxxxxx
    ppp chap password 7 xxxxxxxxxxxxxxxxx
    ppp pap sent-username xxxxxxxxxxxx password 7 xxxxxxxxxxxxxxx
    !
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 10.0.0.1 3389 interface Dialer1 3389
    ip nat inside source static tcp 10.0.0.1 443 interface Dialer1 443
    ip nat inside source static tcp 10.0.0.1 110 interface Dialer1 110
    ip nat inside source static tcp 10.0.0.1 25 interface Dialer1 25
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip http server
    no ip http secure-server
    !
    access-list 23 permit 10.0.0.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit tcp any any eq 443
    access-list 111 permit tcp any any eq pop3
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 139
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 deny ip any any log
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    !
    scheduler max-task-time 5000
    !
    end
     
    Knutts, Nov 22, 2005
    #1

  2. On Tue, 22 Nov 2005 01:58:26 -0800, Knutts wrote:

    > !
    > interface Dialer1
    > ip address negotiated
    > ip access-group 111 in
    > ip mtu 1492
    > ip nat outside
    >


    When you turn off ip inspect the router stops making holes in ACL 111 to
    allow for return traffic from the internet to your hosts.

    This should help a bit:

    conf t
    ip access-list extended 111
    2 permit tcp any any established
    end

    That should add the extra line at the top of ACL 111 and permit
    responses to TCP connection made by you.

    --
    Rgds,
    Martin
     
    Martin Gallagher, Nov 22, 2005
    #2
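To see why the LAN lost web access while pings and the static PAT entries kept working, here is an added example (not from the thread) that models ACL 111 from the original post as a stateless first-match filter and shows the effect of Martin's `permit tcp any any established` line. Ports, packets and the rule subset are constructed for illustration.

```python
from dataclasses import dataclass
# Added example, not from the thread: a stateless model of ACL 111 (inbound on Dialer1).
@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src_port: int = 0    # remote side's port
    dst_port: int = 0    # our side's port
    ack: bool = False    # TCP ACK or RST bit set, which is what "established" matches
    icmp_type: str = ""  # e.g. "echo-reply"

# Subset of ACL 111 from the post, in order:
# (proto, src port, dst port, needs established, icmp type, action); None = any
ACL_111 = [
    ("tcp", None, 3389, False, "", "permit"),
    ("tcp", None, 443, False, "", "permit"),
    ("tcp", None, 110, False, "", "permit"),
    ("tcp", None, 25, False, "", "permit"),
    ("icmp", None, None, False, "echo-reply", "permit"),
    ("udp", 53, None, False, "", "permit"),  # udp any eq domain any
    ("ip", None, None, False, "", "deny"),   # deny ip any any log
]
# Martin's fix: "2 permit tcp any any established", sequenced ahead of the rest
ESTABLISHED = ("tcp", None, None, True, "", "permit")

def evaluate(acl, pkt):
    """First-match walk of the ACL, as the router does; implicit deny at the end."""
    for proto, sport, dport, est, itype, action in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if sport is not None and sport != pkt.src_port:
            continue
        if dport is not None and dport != pkt.dst_port:
            continue
        if est and not pkt.ack:
            continue
        if itype and itype != pkt.icmp_type:
            continue
        return action
    return "deny"

def with_established(acl):
    return [ESTABLISHED] + list(acl)

# Constructed sample traffic: a web server's SYN/ACK back to a LAN client's ephemeral
# port, a new connection to the published SMTP port, a ping reply, an unsolicited SYN to 80.
WEB_REPLY = Packet("tcp", src_port=80, dst_port=51234, ack=True)
INBOUND_SMTP = Packet("tcp", src_port=40000, dst_port=25)
PING_REPLY = Packet("icmp", icmp_type="echo-reply")
INBOUND_SYN_80 = Packet("tcp", src_port=40001, dst_port=80)
```

Without CBAC or the established line, the web server's reply hits the final deny even though the LAN client started the session; with it, replies pass while unsolicited inbound SYNs to unpublished ports are still dropped.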

  3. Knutts

    Knutts Guest

    Martin, you're a star. Worked a treat.

    Cheers
    Knutts
     
    Knutts, Nov 23, 2005
    #3
