outbound nat on a 3640

Discussion in 'Cisco' started by kevin.noall, Oct 4, 2006.

  1. kevin.noall

    kevin.noall Guest

    I am trying to set up outbound NAT on a 3640 with 2 interfaces. I have
    followed Cisco's recommended config as closely as possible for my
    situation...
    http://www.cisco.com/en/US/products...s_configuration_example09186a008009445f.shtml

    I have also used the CCNA handbook to assist in my config. Alas still
    no success.
    Below is my latest attempt at a config as vanilla as I can get it just
    to get outbound www traffic going. I can ping the external upstream DNS
    server but http requests time out.

    Any help would be greatly appreciated!

    ----

    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    !
    no aaa new-model
    ip subnet-zero
    !
    !
    ip cef
    !
    ip inspect name ethernetin cuseeme timeout 3600
    ip inspect name ethernetin ftp timeout 3600
    ip inspect name ethernetin h323 timeout 3600
    ip inspect name ethernetin http timeout 3600
    ip inspect name ethernetin rcmd timeout 3600
    ip inspect name ethernetin realaudio timeout 3600
    ip inspect name ethernetin smtp timeout 3600
    ip inspect name ethernetin sqlnet timeout 3600
    ip inspect name ethernetin streamworks timeout 3600
    ip inspect name ethernetin tcp timeout 3600
    ip inspect name ethernetin tftp timeout 3600
    ip inspect name ethernetin udp timeout 3600
    ip inspect name ethernetin vdolive timeout 3600
    ip audit po max-events 100
    !
    !
    !
    !
    interface Ethernet0/0
    mac-address 0010.5a0b.a8d6
    ip address dhcp
    ip access-group 112 in
    no ip redirects
    no ip unreachables
    ip nat outside
    full-duplex
    !
    interface Ethernet0/1
    ip address 192.168.2.1 255.255.255.0
    ip access-group 101 in
    ip nat inside
    ip inspect ethernetin in
    full-duplex
    !
    interface Ethernet0/2
    no ip address
    shutdown
    half-duplex
    !
    interface Ethernet0/3
    no ip address
    shutdown
    half-duplex
    !
    ip nat inside source list 1 interface Ethernet0/0 overload
    ip http server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    !
    !
    access-list 1 permit 192.168.2.0 0.0.0.255
    access-list 101 permit tcp any any
    access-list 101 permit udp any any
    access-list 101 permit icmp any any
    access-list 101 deny ip any any log
    access-list 112 permit icmp any any unreachable
    access-list 112 permit icmp any any echo-reply
    access-list 112 permit icmp any any packet-too-big
    access-list 112 permit icmp any any time-exceeded
    access-list 112 permit icmp any any traceroute
    access-list 112 permit icmp any any administratively-prohibited
    access-list 112 permit icmp any any echo
    access-list 112 deny ip any any log
    !
    line con 0
    logging synchronous
    line aux 0
    line vty 0 4
    !
    !
    end
     
    kevin.noall, Oct 4, 2006
    #1

  2. kevin.noall

    Thrill5 Guest

    First rule in networking, if you can't get it to work, REMOVE the ACLs and
    see if it works. If it does, you know it's a problem with the ACL.

    Does access-list 112 permit http traffic?

    Scott
     
    Thrill5, Oct 6, 2006
    #2
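
The question in reply #2 can be checked mechanically. This is an added example, not code from the thread or its posters: a first-match evaluator over the static entries of access-lists 101 and 112 as posted. It assumes packets are described only by protocol and ICMP type (the probes are constructed), and it does not model any dynamic entries that `ip inspect` opens at run time.

```python
# Added example: first-match evaluation of the static extended ACLs in the post.
# Only the entry form used there is parsed: "<proto> any any [icmp-type] [log]".
POSTED_ACLS = """\
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 101 deny ip any any log
access-list 112 permit icmp any any unreachable
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any echo
access-list 112 deny ip any any log
"""

def parse_acls(text):
    """Return {acl_number: [(action, protocol, icmp_type_or_None), ...]}."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        number, action, proto, src, dst = tok[1:6]
        if (src, dst) != ("any", "any"):
            raise ValueError("unsupported entry: " + line)
        qualifiers = [t for t in tok[6:] if t != "log"]
        acls.setdefault(number, []).append(
            (action, proto, qualifiers[0] if qualifiers else None))
    return acls

def evaluate(entries, proto, icmp_type=None):
    """First matching entry wins; no match falls through to the implicit deny."""
    for index, (action, entry_proto, entry_type) in enumerate(entries):
        if entry_proto not in ("ip", proto):
            continue
        if entry_type is not None and entry_type != icmp_type:
            continue
        return action, index
    return "deny", None

if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    # Constructed probes: protocol (and ICMP type) of a packet hitting each ACL.
    for acl, proto, itype in [("101", "tcp", None), ("112", "tcp", None),
                              ("112", "icmp", "echo-reply")]:
        action, index = evaluate(acls[acl], proto, itype)
        print(f"ACL {acl} {proto} {itype or ''}: {action} (entry {index})")
```

Entry indexes are zero-based positions within each list, so a TCP packet evaluated against 112 reaches the final `deny ip any any log` entry, while ICMP echo-reply matches an earlier permit.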