Problem with nat and port forwarding with Cisco 877W

Discussion in 'Cisco' started by Galerio, Mar 5, 2009.


    Galerio Guest

    Hi!!
    I have just finished my personal configuration and everything works
    pretty well, but NAT does not forward any port, so emule and VoIP
    don't work.
    Can you check my config and tell me what is wrong? I have a Cisco 877W
    with IOS 12-24.15T6.

    My config:
    ********************************************
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot system flash c870-advipservicesk9-mz.124-15.T6.bin
    boot-end-marker
    !
    logging buffered 4096
    !
    no aaa new-model
    clock timezone MET 1
    clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
    !
    crypto pki trustpoint TP-self-signed-36xxxxxxxxx
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-36xxxxxxxxx
    revocation-check none
    rsakeypair TP-self-signed-36xxxxxxx
    !
    !
    crypto pki certificate chain TP-self-signed-36xxxxxxxxx
    certificate self-signed 01 nvram:IOS-Self-Sig#E.cer
    dot11 syslog
    !
    dot11 ssid wifiReti
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 passw
    !
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.12
    !
    ip dhcp pool sdm-pool1
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 195.186.1.111 195.186.4.111
    lease infinite
    !
    ip dhcp pool STATIC-1
    host 192.168.1.2 255.255.255.0
    client-identifier 0100.12dc.5c47.6b
    client-name AladinoVoip
    !
    ip dhcp pool STATIC-2
    host 192.168.1.3 255.255.255.0
    client-identifier 0100.0129.d1a5.83
    client-name Armor
    !
    ip dhcp pool STATIC-3
    host 192.168.1.4 255.255.255.0
    client-identifier 0100.14bf.62ca.d9
    client-name NSLU2
    !
    ip dhcp pool STATIC-4
    host 192.168.1.5 255.255.255.0
    client-identifier 0100.1731.c2ee.97
    client-name Amelia
    !
    ip dhcp pool STATIC-5
    host 192.168.1.6 255.255.255.0
    client-identifier 0108.1073.0dcd.b0
    client-name Vale
    !
    ip dhcp pool STATIC-6
    host 192.168.1.7 255.255.255.0
    client-identifier 0100.2100.6593.7f
    client-name Maggi
    !
    ip dhcp pool STATIC-7
    host 192.168.1.8 255.255.255.0
    client-identifier 0100.16fe.7b43.70
    client-name HP-rw6815
    !
    ip dhcp pool STATIC-8
    host 192.168.1.9 255.255.255.0
    client-identifier 0100.1d0f.b59d.5f
    client-name Crema-wifi
    !
    ip dhcp pool STATIC-9
    host 192.168.1.11 255.255.255.0
    client-identifier 0100.0c6e.a800.62
    client-name Crema-eth
    !
    !
    ip name-server 195.186.1.111
    ip name-server 195.186.4.111
    ip inspect log drop-pkt
    ip inspect name Firewall cuseeme
    ip inspect name Firewall dns
    ip inspect name Firewall ftp
    ip inspect name Firewall h323
    ip inspect name Firewall https
    ip inspect name Firewall icmp
    ip inspect name Firewall imap
    ip inspect name Firewall pop3
    ip inspect name Firewall rcmd
    ip inspect name Firewall realaudio
    ip inspect name Firewall rtsp
    ip inspect name Firewall esmtp
    ip inspect name Firewall sqlnet
    ip inspect name Firewall streamworks
    ip inspect name Firewall tftp
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall vdolive
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    ip ddns update method sdm_ddns1
    HTTP
    add
    http://xxx:/nic/update?system=dyndns&hostname=<h>&myip=<a>
    remove
    http://xxx:/nic/update?system=dyndns&hostname=<h>&myip=<a>
    !
    !
    multilink bundle-name authenticated
    !
    !
    username xxxxxxxxxx privilege 15 password 0 xxxxxxxx
    !
    !
    archive
    log config
    hidekeys
    !
    !
    !
    bridge irb
    !
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode adsl2+
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
    no ip address
    !
    encryption vlan 1 mode ciphers tkip
    !
    ssid ArmorReti
    !
    speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    world-mode dot11d country IT both
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    !
    interface Vlan1
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface Dialer0
    ip ddns update hostname xxxxxx.gotdns.com
    ip ddns update sdm_ddns1
    ip address negotiated
    ip access-group 101 in
    ip mtu 1492
    ip nat outside
    ip inspect Firewall out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 0 xxxxxxxxxx
    !
    interface BVI1
    ip address 192.168.1.1 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060
    ip nat inside source static tcp 192.168.1.2 5060 interface Dialer0 5060
    ip nat inside source static udp 192.168.1.3 9 interface Dialer0 9
    ip nat inside source static tcp 192.168.1.3 4711 interface Dialer0 4711
    ip nat inside source static tcp 192.168.1.3 7395 interface Dialer0 7395
    ip nat inside source static udp 192.168.1.3 8457 interface Dialer0 8457
    ip nat inside source static udp 192.168.1.3 35238 interface Dialer0 35238
    ip nat inside source static tcp 192.168.1.3 35238 interface Dialer0 35238
    ip nat inside source static tcp 192.168.1.3 81 interface Dialer0 81
    ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900
    ip nat inside source static tcp 192.168.1.3 6346 interface Dialer0 6346
    ip nat inside source static udp 192.168.1.3 6346 interface Dialer0 6346
    ip nat inside source static tcp 192.168.1.4 4712 interface Dialer0 4712
    ip nat inside source static udp 192.168.1.4 5672 interface Dialer0 5672
    ip nat inside source static udp 192.168.1.4 4665 interface Dialer0 4665
    ip nat inside source static tcp 192.168.1.3 5800 interface Dialer0 5800
    ip nat inside source static tcp 192.168.1.3 36433 interface Dialer0 36433
    ip nat inside source static tcp 192.168.1.3 6348 interface Dialer0 6348
    ip nat inside source static udp 192.168.1.3 6348 interface Dialer0 6348
    ip nat inside source static tcp 192.168.1.3 15698 interface Dialer0 15698
    ip nat inside source static udp 192.168.1.3 15698 interface Dialer0 15698
    ip nat inside source static tcp 192.168.1.3 6347 interface Dialer0 6347
    ip nat inside source static udp 192.168.1.3 6347 interface Dialer0 6347
    ip nat inside source static tcp 192.168.1.4 5662 interface Dialer0 5662
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.0.2.0 0.0.0.255 any
    access-list 101 permit tcp host 63.208.196.96 eq www any log
    access-list 101 permit udp host 207.46.232.42 eq ntp any
    access-list 101 permit udp host 192.43.244.18 eq ntp any
    access-list 101 remark Traffico abilitato ad entrare nel router da internet
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny ip any host 255.255.255.255
    access-list 101 permit udp host 195.186.1.111 eq domain any
    access-list 101 permit gre any any
    access-list 101 deny icmp any any echo
    access-list 101 deny ip any any log
    access-list 101 permit udp host 195.186.4.111 eq domain any
    access-list 102 deny udp any any eq 135 log
    access-list 102 deny tcp any any eq 135 log
    access-list 102 deny udp any any eq netbios-ns log
    access-list 102 deny udp any any eq netbios-dgm log
    access-list 102 deny tcp any any eq 445 log
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 remark Traffico abilitato ad entrare nel router dalla ethernet
    access-list 102 permit ip any host 192.168.1.1
    access-list 102 deny ip any host 192.168.1.255
    access-list 102 deny udp any any eq tftp log
    access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
    access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
    access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
    access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
    access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny ip any any log
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    sntp server 207.46.197.32
    sntp server 192.43.244.18
    end

    **********************************************************

    Thanks ;-)

    --
    Contest(abile) !!!! Come and take part!!
    http://www.1e2.it/contest-abile

    --------------------------------------------------------
    http://www.flickr.com/photos/galerio/
    every comment and criticism is welcome!!!
    -------------------------------------------------------
    Join the Facebook group of
    digital photography enthusiasts too:
    http://www.facebook.com/group.php?gid=28645424291
    ---------------------------------------------------------------
     
    Galerio, Mar 5, 2009
    #1


    Galerio Guest

    Problem partly solved:
    from the firewall log I could see that the packets were being blocked by
    "Access-list 101", which contains a few rules to block/allow the
    traffic allowed to enter the router from the internet (various
    anti-spoofing rules).
    And having this config:

    interface Dialer0
    ip access-group 101 in

    which refers to this access list:

    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.0.2.0 0.0.0.255 any
    access-list 101 permit tcp host 63.208.196.96 eq www any log
    access-list 101 permit udp host 207.46.232.42 eq ntp any
    access-list 101 permit udp host 192.43.244.18 eq ntp any
    access-list 101 remark Traffico abilitato ad entrare nel router da internet
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny ip any host 255.255.255.255
    access-list 101 permit udp host 195.186.1.111 eq domain any
    access-list 101 permit gre any any
    access-list 101 deny icmp any any echo
    access-list 101 deny ip any any log
    access-list 101 permit udp host 195.186.4.111 eq domain any


    the internet traffic was being blocked and not redirected to the right
    port, whereas if I remove the line
    ip access-group 101 in
    then everything works perfectly.

    So what do I need to put among the access-list 101 rules to let
    internet traffic be forwarded to the right port of the right IP without
    it being blocked, and without giving up the anti-spoofing rules?

     
    Galerio, Mar 5, 2009
    #2


    bod43 Guest

    On 5 Mar, 16:32, Galerio <> wrote:


    ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900

    Presumably this is to facilitate VNC inbound to 192.168.1.3.


    You will need to also allow this traffic in
    access-list 101 otherwise it will not work.

    Secondly - an answer you have not asked for :)
    Unless you are *hosting* a dns server you do not need

    access-list 101 permit udp host 195.186.1.111 eq domain any

    interface Dialer0
    ip inspect Firewall out

    The Inspect operation will allow the traffic to
    return without the explicit ACL.

    ip inspect name Firewall dns


    Also -
    access-list 101 deny ip any any log
    access-list 101 permit udp host 195.186.4.111 eq domain any

    The latter will never be checked.
     
    bod43, Mar 5, 2009
    #3

    Guest

    On Mar 5, 9:36 am, Galerio <> wrote:
    > Hi!!
    > I have just finished my personal configuration, everything works
    > pretty, but the nat does not forward any port... so that emule or voip
    > doesn't work.
    > Can you check my config and tell me what is wrong? I have a Cisco 877W
    > with IOS 12-24.15T6.

    I don't know if emule is a VoIP service that uses H.323, but inspecting
    H.323 traffic may be an issue.

    If it is an H.323-based service, then consider checking if there are
    adjustable timeout settings in the IOS Firewall inspection of H.323.

    "ip inspect name Firewall h323"
    You are inspecting H.323 traffic with the IOS firewall per the command above.

    Regards



     
    , Mar 5, 2009
    #4

    Galerio Guest

    > I don't know if emule is a voip service that uses h323 but inspecting
    > h323 traffic may be an issue


    No, emule is a p2p program, not a VoIP service. Anyway, I don't have any
    h323 inspecting.

     
    Galerio, Mar 5, 2009
    #5

    Galerio Guest

    > You will need to also allow this traffic in
    > access-list 101 otherwise it will not work.


    I have tried to add a rule in access-list 101 for that traffic, with
    lines like this:

    "access-list 101 permit tcp any host 192.168.0.3 eq 5900"

    and so I've done for each other port I have to open to internet traffic
    inbound.

    but it doesn't work. The only way to get internet traffic to pass to
    the right port of the right device is to disable access-list 101
    entirely by doing this:
    "interface Dialer0
    no ip access-group 101 in"

    but this way I lost all basic protections!
    >
    > Secondly - as answer you have not asked for:)
    > Unless you are *hosting* a dns server you do not need
    >
    > access-list 101 permit udp host 195.186.1.111 eq domain any


    this ip is not on my lan, it is an internet public dns.

    Anyway, thanks for the tips ;-)

     
    Galerio, Mar 5, 2009
    #6

    bod43 Guest

    On 5 Mar, 23:01, Galerio <> wrote:
    > > You will need to also allow this traffic in
    > > access-list 101 otherwise it will not work.

    >
    > I have tried to add a rule in access-list 101 that traffic with lines
    > like this:
    >
    > "access-list 101 permit tcp any host 192.168.0.3 eq 5900"
    > and so I've done for each other port I have to open to internet traffic
    > inbound.
    >
    > but it doesn't work. The only way to get internet traffic to pass to


    Do you know that the access list is processed sequentially?

    That is, if the "deny ip any any" is *before* some permit
    statement then the permit statement is ignored.

    > > Secondly - as answer you have not asked for:)
    > > Unless you are *hosting* a dns server you do not need

    >
    > > access-list 101 permit udp host 195.186.1.111 eq domain any

    >
    > this ip is not on my lan, it is an internet public dns.


    Obviously.

    You are allowing it *inbound* from the internet.

    My point is that if your DNS access requirement is for
    DNS clients inside to use the DNS server
    195.186.1.111 then the "Inspect" feature will
    permit the replies to come in. You do not need to create
    explicit entries in the inbound access-list.

    The Inspect feature temporarily opens access for
    response traffic in replies to requests.

    In summary my suggestions are probably correct.
    This is my day job.
     
    bod43, Mar 5, 2009
    #7
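The sequential-evaluation point bod43 makes above, modelled in Python as an added example that is not code from the thread: a small parser for the numbered extended-ACL syntax in the posted config, a first-match evaluator with the implicit deny, and a check for entries that an earlier entry makes unreachable. It also carries the point one step further than the thread: on IOS the inbound ACL on Dialer0 is evaluated before the static NAT translation, so the permit has to match the public (negotiated) address rather than 192.168.1.3. The public address 203.0.113.5 and the internet source 198.51.100.7 are constructed placeholders; Python 3.7+ is assumed for `subnet_of`.

```python
"""Cisco IOS extended-ACL evaluator: first match wins, implicit deny at the end.
Added example (not from the thread); parses the numbered-ACL syntax of the
posted config and shows which entry a packet hits and which entries are dead."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOS = {"ip", "tcp", "udp", "icmp", "gre"}
PORT_NAMES = {"www": 80, "domain": 53, "ntp": 123, "tftp": 69}
Packet = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None = any port
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                    # original line, kept for reporting

def _addr(tokens: List[str]):
    """Consume one address spec: any | host A | A wildcard. Returns (net, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    addr, wild = tokens[0], tokens[1]
    if wild == "0.0.0.0":        # ipaddress would read this as netmask /0, not /32
        return ipaddress.ip_network(addr), tokens[2:]
    # ipaddress accepts IOS wildcard masks directly in its "hostmask" notation
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False), tokens[2:]

def _port(tokens: List[str]):
    """Consume an optional 'eq <port>'; other port operators are not modelled."""
    if tokens and tokens[0] == "eq":
        return PORT_NAMES.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens

def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse 'access-list N permit|deny proto src [eq p] dst [eq p] [log]' lines.
    Remarks and standard (source-only) ACLs are skipped; ICMP type words such as
    'echo' and the 'log' keyword do not affect matching here."""
    acl = []
    for line in lines:
        m = re.match(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)$", line.strip())
        if not m or m.group(2) not in PROTOS:
            continue
        src, rest = _addr(m.group(3).split())
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, _ = _port(rest)
        acl.append(Entry(m.group(1), m.group(2), src, sport, dst, dport, line.strip()))
    return acl

def _matches(e: Entry, pkt: Packet) -> bool:
    proto, src, sport, dst, dport = pkt
    return (e.proto in ("ip", proto)
            and ipaddress.ip_address(src) in e.src
            and ipaddress.ip_address(dst) in e.dst
            and e.sport in (None, sport) and e.dport in (None, dport))

def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Sequential first-match evaluation; no match means the implicit deny."""
    for e in acl:
        if _matches(e, pkt):
            return e.action, e.text
    return "deny", "<implicit deny ip any any>"

def _covers(a: Entry, b: Entry) -> bool:
    """True when every packet that matches b is already matched by a."""
    return (a.proto in ("ip", b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.sport in (None, b.sport) and a.dport in (None, b.dport))

def shadowed(acl: List[Entry]) -> List[str]:
    """Entries that can never be hit because an earlier entry covers them."""
    return [b.text for i, b in enumerate(acl) if any(_covers(a, b) for a in acl[:i])]

# Head and tail of the thread's access-list 101 (anti-spoofing denies shortened).
HEAD = [
    "access-list 101 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 101 deny ip 192.168.0.0 0.0.255.255 any",
    "access-list 101 deny ip any host 255.255.255.255",
]
TAIL = [
    "access-list 101 deny icmp any any echo",
    "access-list 101 deny ip any any log",
    "access-list 101 permit udp host 195.186.4.111 eq domain any",
]
# ATTEMPT is the entry tried in the thread (LAN address as in the NAT statement),
# appended after the final deny. FIX sits before the deny and matches the public
# address, because the inbound ACL on Dialer0 is checked before the static NAT.
ATTEMPT = "access-list 101 permit tcp any host 192.168.1.3 eq 5900"
FIX = "access-list 101 permit tcp any any eq 5900"
ACL_POSTED = HEAD + TAIL + [ATTEMPT]
ACL_MOVED = HEAD + [ATTEMPT] + TAIL
ACL_FIXED = HEAD + [FIX] + TAIL

# Constructed sample packet: inbound VNC from an internet host to the router's
# negotiated public address (203.0.113.5 is a documentation-range placeholder).
VNC_INBOUND: Packet = ("tcp", "198.51.100.7", 40000, "203.0.113.5", 5900)

def vnc_verdict(lines: List[str]) -> str:
    return evaluate(parse_acl(lines), VNC_INBOUND)[0]
```

Running `vnc_verdict` over the three lists shows the posted and the merely moved entry both end in the `deny ip any any log` line, while `shadowed` flags the permit lines that follow that deny as dead.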

    Galerio Guest

    bod43 used his keyboard to write:
    > Do you know that the access list is processed sequentially?
    >
    > That is, if the "deny ip any any" is *before* some permit
    > statement then the permit statement is ignored.

    Sorry, it was my bad brain that misunderstands everything tonight!
    I got an important lesson! Thanks :D I'm new to IOS so I'm still
    learning...

    Going to bed now, bye!

    --
    Contest(abile)!!!! Everybody join in!!
    http://www.1e2.it/contest-abile

    --------------------------------------------------------
    http://www.flickr.com/photos/galerio/
    all comments and criticism are welcome!!!
    -------------------------------------------------------
    Join the Facebook group for digital
    photography enthusiasts too:
    http://www.facebook.com/group.php?gid=28645424291
    ---------------------------------------------------------------
     
    Galerio, Mar 5, 2009
    #8
  9. bod43

    bod43 Guest

    On 5 Mar, 23:43, bod43 <> wrote:
    > On 5 Mar, 23:01, Galerio <> wrote:
    >
    > > > You will need to also allow this traffic in
    > > > access-list 101 otherwise it will not work.

    >
    > > I have tried to add a rule in access-list 101 that traffic with lines
    > > like this:

    >
    > > "access-list 101 permit tcp any host 192.168.0.3 eq 5900"
    > > and so I've done for each other port I have to open to internet traffic
    > > inbound.

    >
    > > but it doesn't work. The only way to get internet traffic to pass to

    >
    > Do you know that the access list is processed sequentially?
    >
    > That is, if the "deny ip any any" is *before* some permit
    > statement then the permit statement is ignored.
    >
    > > > Secondly - as answer you have not asked for:)
    > > > Unless you are *hosting* a dns server you do not need

    >
    > > > access-list 101 permit udp host 195.186.1.111 eq domain any

    >
    > > this ip is not on my lan, it is an internet public dns.

    >
    > Obviously.
    >
    > You are allowing it *inbound* from the internet.
    >
    > My point is that if your DNS access requirement is for
    > a DNS clients inside to use the DNS server
    > 195.186.1.111  then the "Inspect" feature will
    > permit the replies to come in. You do not need to create
    > explicit entries in the inbound access-list.
    >
    > The Inspect feature temporarily opens access for
    > response traffic in replies to requests.
    >
    > In summary my suggestions are probably correct.
    > This is my day job.


    Sorry for that - bit irritated tonight.

    if you are adding the ACL entries with
    access-list 101 ......

    then the new lines go at the bottom
    (after the deny ip any any).

    You need to delete the ACL and re-add the whole thing.

    no access-l 101
    .....
    .....

    Alternatively there is a more recent editor.

    sh ip access-list 101
    - displays with line numbers
    conf t
    ip access-l extended 101

    no 10 ! remove line 10

    15 permit .........

    Add new line between 10 and 20.

    If in doubt re-test and post config again.
    Also sh ip access-list might be useful.

    If you expand your logging buffer you will be able to see
    logged access-list packets.

    logging buffered 50000
    logg buff deb

    sh log
     
    bod43, Mar 5, 2009
    #9
  10. Galerio

    Galerio Guest

    After much thought, bod43 wrote:
    > On 5 Mar, 23:43, bod43 <> wrote:
    >> On 5 Mar, 23:01, Galerio <> wrote:
    >>
    >>>> You will need to also allow this traffic in
    >>>> access-list 101 otherwise it will not work.
    >>> I have tried to add a rule in access-list 101 that traffic with lines
    >>> like this:

    >>
    >>> "access-list 101 permit tcp any host 192.168.0.3 eq 5900"
    >>> and so I've done for each other port I have to open to internet traffic
    >>> inbound.

    >>
    >>> but it doesn't work. The only way to get internet traffic to pass to

    >>
    >> Do you know that the access list is processed sequentially?
    >>
    >> That is, if the "deny ip any any" is *before* some permit
    >> statement then the permit statement is ignored.
    >>
    >>>> Secondly - as answer you have not asked for:)
    >>>> Unless you are *hosting* a dns server you do not need
    >>>> access-list 101 permit udp host 195.186.1.111 eq domain any
    >>> this ip is not on my lan, it is an internet public dns.

    >>
    >> Obviously.
    >>
    >> You are allowing it *inbound* from the internet.
    >>
    >> My point is that if your DNS access requirement is for
    >> a DNS clients inside to use the DNS server
    >> 195.186.1.111  then the "Inspect" feature will
    >> permit the replies to come in. You do not need to create
    >> explicit entries in the inbound access-list.
    >>
    >> The Inspect feature temporarily opens access for
    >> response traffic in replies to requests.
    >>
    >> In summary my suggestions are probably correct.
    >> This is my day job.

    >
    > Sorry for that - bit irritated tonight.


    :-@ No, no, you have no excuses!
    I'm a noob, that's why I permit myself to contradict a pro like you :eek:Þ

    >
    > if you are adding the ACL entries with
    > access-list 101 ......
    >
    > then the new lines go at the bottom
    > (after the deny ip any any).
    >
    > You need to delete the ACL and re-add the whole thing.
    >
    > no access-l 101
    > ....
    > ....
    >
    > Alternatively there is a more recent editor.
    >
    > sh ip access-list 101
    > - displays with line numbers
    > conf t
    > ip access-l extended 101
    >
    > no 10 ! remove line 10
    >
    > 15 permit .........
    >
    > Add new line between 10 and 20.
    >
    > If in doubt re-test and post config again.
    > Also sh ip access-list might be useful.
    >
    > If you expand your logging buffer you will be able to see
    > logged access-list packets.
    >
    > logging buffered 50000
    > logg buff deb
    >
    > sh log


    This is more than just help! Thanks!!!

     
    Galerio, Mar 6, 2009
    #10
  11. Galerio

    Galerio Guest

    OK, the problem is still here.

    my config:

    *****************************
    interface Dialer0
    ip ddns update hostname xxxxxx.gotdns.com
    ip ddns update sdm_ddns1
    ip address negotiated
    ip access-group 101 in
    ip mtu 1492
    ip nat outside
    ip inspect Firewall out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxx
    ppp chap zxxx 0 xxxx
    **********************************

    I have done this:

    *****************************
    interface Dialer0
    no ip inspect Firewall out
    *****************************

    but as you can see I still have the line "ip inspect Firewall out"
    (please, don't laugh!!). Anyway it seems that DNS requests still pass.
    These are my "ip inspect name Firewall" entries:

    **************************************
    ip inspect name Firewall cuseeme
    ip inspect name Firewall dns
    ip inspect name Firewall ftp
    ip inspect name Firewall h323
    ip inspect name Firewall https
    ip inspect name Firewall icmp
    ip inspect name Firewall imap
    ip inspect name Firewall pop3
    ip inspect name Firewall rcmd
    ip inspect name Firewall realaudio
    ip inspect name Firewall rtsp
    ip inspect name Firewall esmtp
    ip inspect name Firewall sqlnet
    ip inspect name Firewall streamworks
    ip inspect name Firewall tftp
    ip inspect name Firewall tcp
    ip inspect name Firewall udp
    ip inspect name Firewall vdolive
    ********************************************


    Then my nat and firewall:

    ***************************************
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060
    ip nat inside source static tcp 192.168.1.2 5060 interface Dialer0 5060
    ip nat inside source static udp 192.168.1.3 9 interface Dialer0 9
    ip nat inside source static tcp 192.168.1.3 4711 interface Dialer0 4711
    ip nat inside source static tcp 192.168.1.3 7395 interface Dialer0 7395
    ip nat inside source static udp 192.168.1.3 8457 interface Dialer0 8457
    ip nat inside source static udp 192.168.1.3 35238 interface Dialer0 35238
    ip nat inside source static tcp 192.168.1.3 35238 interface Dialer0 35238
    ip nat inside source static tcp 192.168.1.3 81 interface Dialer0 81
    ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900
    ip nat inside source static tcp 192.168.1.3 6346 interface Dialer0 6346
    ip nat inside source static udp 192.168.1.3 6346 interface Dialer0 6346
    ip nat inside source static tcp 192.168.1.4 4712 interface Dialer0 4712
    ip nat inside source static udp 192.168.1.4 5672 interface Dialer0 5672
    ip nat inside source static udp 192.168.1.4 4665 interface Dialer0 4665
    ip nat inside source static tcp 192.168.1.3 5800 interface Dialer0 5800
    ip nat inside source static tcp 192.168.1.3 36433 interface Dialer0 36433
    ip nat inside source static tcp 192.168.1.3 6348 interface Dialer0 6348
    ip nat inside source static udp 192.168.1.3 6348 interface Dialer0 6348
    ip nat inside source static tcp 192.168.1.3 15698 interface Dialer0 15698
    ip nat inside source static udp 192.168.1.3 15698 interface Dialer0 15698
    ip nat inside source static tcp 192.168.1.3 6347 interface Dialer0 6347
    ip nat inside source static udp 192.168.1.3 6347 interface Dialer0 6347
    ip nat inside source static tcp 192.168.1.4 5662 interface Dialer0 5662
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 101 remark **************************************
    access-list 101 remark *** ACL port forwarding ***
    access-list 101 permit tcp any host 192.168.0.3 eq 4711
    access-list 101 permit tcp any host 192.168.0.3 eq 7395
    access-list 101 permit tcp any host 192.168.0.3 eq 35238
    access-list 101 permit tcp any host 192.168.0.3 eq 81
    access-list 101 permit tcp any host 192.168.0.3 eq 5900
    access-list 101 permit tcp any host 192.168.0.3 eq 6346
    access-list 101 permit tcp any host 192.168.0.3 eq 5800
    access-list 101 permit tcp any host 192.168.0.3 eq 36433
    access-list 101 permit tcp any host 192.168.0.3 eq 6348
    access-list 101 permit tcp any host 192.168.0.3 eq 15698
    access-list 101 permit tcp any host 192.168.0.3 eq 6347
    access-list 101 permit tcp any host 192.168.0.2 eq 5060
    access-list 101 permit udp any host 192.168.0.2 eq 5060
    access-list 101 permit tcp any host 192.168.0.4 eq 4712
    access-list 101 permit tcp any host 192.168.0.4 eq 5662
    access-list 101 permit udp any host 192.168.0.4 eq 5672
    access-list 101 permit udp any host 192.168.0.4 eq 4665
    access-list 101 permit udp any host 192.168.0.3 eq discard
    access-list 101 permit udp any host 192.168.0.3 eq 8457
    access-list 101 permit udp any host 192.168.0.3 eq 35238
    access-list 101 permit udp any host 192.168.0.3 eq 6346
    access-list 101 permit udp any host 192.168.0.3 eq 6348
    access-list 101 permit udp any host 192.168.0.3 eq 15698
    access-list 101 permit udp any host 192.168.0.3 eq 6347
    access-list 101 remark **********************************
    access-list 101 remark *** inbound ****
    access-list 101 permit tcp host 63.208.196.96 eq www any log
    access-list 101 permit udp host 207.46.232.42 eq ntp any
    access-list 101 permit udp host 192.43.244.18 eq ntp any
    access-list 101 permit gre any any
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.0.2.0 0.0.0.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny ip any host 255.255.255.255
    access-list 101 deny icmp any any echo
    access-list 101 deny ip any any log
    access-list 102 remark ******************************
    access-list 102 remark in from ethernet
    access-list 102 permit ip any host 192.168.1.1
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny ip any host 192.168.0.255
    access-list 102 deny udp any any eq tftp log
    access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
    access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
    access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
    access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
    access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
    access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
    access-list 102 deny udp any any eq 135 log
    access-list 102 deny tcp any any eq 135 log
    access-list 102 deny udp any any eq netbios-ns log
    access-list 102 deny udp any any eq netbios-dgm log
    access-list 102 deny tcp any any eq 445 log
    access-list 102 deny ip any any log
    access-list 102 remark ******************************
    dialer-list 1 protocol ip permit
    no cdp run
    **********************************************


    Normal traffic still passes (e.g. Firefox can show websites), but applications that require port forwarding don't work.

    Here is my log:

    *****************************

    Mar 6 09:59:26.884: %SEC-6-IPACCESSLOGP: list 101 denied udp 121.233.122.166(37800) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:27.936: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:29.252: %SEC-6-IPACCESSLOGP: list 101 denied udp 78.8.53.127(5218) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:30.592: %SEC-6-IPACCESSLOGP: list 101 denied udp 81.44.238.47(10353) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:31.704: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.23.48.117(63077) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:34.184: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.180.222.114(15869) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:35.208: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.5.228.36(16975) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:37.500: %SEC-6-IPACCESSLOGP: list 101 denied udp 80.174.53.168(5467) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:38.656: %SEC-6-IPACCESSLOGP: list 101 denied udp 213.114.111.215(14297) -> 78.12.114.135(54956), 1 packet
    Mar 6 09:59:42.844: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.180.50.250(4670) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:46.516: %SEC-6-IPACCESSLOGP: list 101 denied udp 117.192.1.78(17280) -> 78.12.114.135(54956), 1 packet
    Mar 6 09:59:48.064: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 99 packets
    Mar 6 09:59:49.148: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.14.230.80(52884) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:50.584: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.178.99.149(6393) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:55.944: %SEC-6-IPACCESSLOGP: list 101 denied udp 151.32.66.113(21419) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:56.972: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.216.164.123(8561) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:58.492: %SEC-6-IPACCESSLOGP: list 101 denied udp 222.68.153.208(12082) -> 78.12.114.135(8457), 1 packet
    Mar 6 09:59:59.620: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.55.60.107(4672) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:01.104: %SEC-6-IPACCESSLOGP: list 101 denied udp 61.134.52.130(62938) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:02.272: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.217.13.229(23460) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:04.184: %SEC-6-IPACCESSLOGP: list 101 denied udp 115.82.114.2(59382) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:06.904: %SEC-6-IPACCESSLOGP: list 101 denied tcp 80.181.42.88(4446) -> 78.12.114.135(7395), 1 packet
    Mar 6 10:00:08.780: %SEC-6-IPACCESSLOGP: list 101 denied udp 83.58.153.70(4372) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:10.644: %SEC-6-IPACCESSLOGP: list 101 denied udp 117.28.58.142(7567) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:11.764: %SEC-6-IPACCESSLOGP: list 101 denied udp 86.212.29.73(36246) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:12.988: %SEC-6-IPACCESSLOGP: list 101 denied udp 201.213.155.120(39100) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:14.008: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:15.676: %SEC-6-IPACCESSLOGP: list 101 denied udp 77.126.156.239(32547) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:16.728: %SEC-6-IPACCESSLOGP: list 101 denied udp 78.149.203.220(10028) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:18.308: %SEC-6-IPACCESSLOGP: list 101 denied udp 81.53.228.46(4672) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:19.596: %SEC-6-IPACCESSLOGP: list 101 denied udp 151.60.9.93(4672) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:20.768: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.219.12.56(7569) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:22.836: %SEC-6-IPACCESSLOGP: list 101 denied udp 59.39.247.41(4674) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:24.260: %SEC-6-IPACCESSLOGP: list 101 denied udp 124.161.88.228(4815) -> 78.12.114.135(8457), 1 packet
    Mar 6 10:00:26.764: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.173.131.120(4678) -> 78.12.114.135(8457), 1 packet
    *************************************


    And the last thing:
    I have a line in access-list 101 that is not accepted:
    access-list 101 permit udp any host 192.168.0.3 eq discard
    but it must be
    access-list 101 permit udp any host 192.168.0.3 eq 9
    which is for the Wake-on-LAN function!!!

    Ok, that's all

     
    Galerio, Mar 6, 2009
    #11
  12. Galerio

    Galerio Guest

    The solution could be this:
    in the ACL I have to specify the internet IP address, and not my
    Ethernet address.
    So the line:
    access-list 101 permit tcp any host 192.168.0.3 eq 4711
    becomes
    access-list 101 permit tcp any any eq 4711
    and this way the NAT port forwarding should work together with the
    access list.

    Bye

     
    Galerio, Mar 9, 2009
    #12