Publishing internal servers to external 'net via 837

Discussion in 'Cisco' started by Jason, Jun 28, 2004.

  1. Jason

    Jason Guest

    I have an 837 with an ADSL internet (dynamic IP) on the WAN/Dialer1
    interface, and a few NAT'd home PC's on Ethernet0 (192.168.1.2) via DHCP
    (192.168.1.10->192.168.1.99). There's also a static ip server (192.168.1.1)
    on the Ethernet0 interface that I want to be available to the ADSL internet
    for www, ftp, smtp, and ssh.

    Unfortunately though, whilst NAT'ing is working fine, the server isn't
    receiving packets. Below is my running-config and I would appreciate some
    review of it to see what the issue is with making the server available on
    the Dialer1/ADSL interface....


    !
    ! Last configuration change at 13:58:40 UTC Sun Jun 27 2004 by router
    ! NVRAM config last updated at 13:58:43 UTC Sun Jun 27 2004 by router
    !
    version 12.3
    service nagle
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname cisco837
    !
    boot-start-marker
    boot-end-marker
    !
    memory-size iomem 5
    logging buffered 16384 debugging
    enable secret 5 xxxxx
    !
    username Router password 7 xxxxx
    clock summer-time Australia/Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
    no aaa new-model
    ip subnet-zero
    no ip source-route
    ip wccp web-cache
    !
    !
    ip dhcp excluded-address 192.168.1.1 192.168.1.9
    !
    ip dhcp pool CLIENT
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.2
    dns-server 192.168.1.1 210.15.254.240 210.15.254.241
    netbios-name-server 192.168.1.1
    domain-name netspace.net.au
    !
    !
    ip tcp synwait-time 10
    ip domain name netspace.net.au
    ip host openbsd 192.168.1.1
    ip name-server 192.168.1.1
    ip name-server 210.15.254.240
    ip name-server 210.15.254.241
    ip cef
    ip inspect audit-trail
    ip inspect tcp max-incomplete host 50 block-time 2
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 smtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 icmp
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    interface Ethernet0
    description $FW_INSIDE$$ETH-LAN$
    ip address 192.168.1.2 255.255.255.0
    ip access-group 100 in
    no ip redirects
    ip wccp web-cache redirect out
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer1
    description 512K/128K ADSL to Netspace.net.au
    bandwidth 512
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname xxxxx
    ppp chap password 7 xxxxx
    ppp pap sent-username xxxxx password 7 xxxxx
    hold-queue 224 in
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    ip http server
    ip http secure-server
    ip nat inside source list 102 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.1 22 interface Dialer1 22
    ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
    ip nat inside source static tcp 192.168.1.1 25 interface Dialer1 25
    !
    !
    logging 192.168.1.1
    access-list 23 permit 192.168.1.0 0.0.0.255
    access-list 100 remark auto generated by SDM firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by SDM firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 remark Auto generated by SDM for NTP (123)
    ntp.netspace.net.au
    access-list 101 permit udp host 210.15.254.242 eq ntp any eq ntp
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    snmp-server community cisco837 RO
    snmp-server enable traps tty
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    access-class 23 in
    exec-timeout 120 0
    login local
    length 0
    transport preferred all
    transport input ssh
    transport output all
    !
    scheduler max-task-time 5000
    scheduler interval 500
    sntp server 210.15.254.242
    end
     
    Jason, Jun 28, 2004
    #1
    1. Advertisements

  2. Jason

    News Account Guest

    Just a guess, but I think you need to allow the www, ftp, smtp and ssh
    traffic in on the outside interface (your access-list 101) - I know you have
    to on a PIX.

    Don Woodward
     
    News Account, Jun 29, 2004
    #2
    1. Advertisements

  3. Hey Jason,

    Looks like all you need to do is append "extendable" after the static
    nat commands, e.g.

    ip nat inside source static tcp 192.168.1.1 22 interface Dialer1 22
    extendable
    ip nat inside source static tcp 192.168.1.1 80 interface Dialer1 80
    extendable
    ip nat inside source static tcp 192.168.1.1 21 interface Dialer1 21
    extendable
    ip nat inside source static tcp 192.168.1.1 25 interface Dialer1 25
    extendable

    --Jerome
     
    jerome benton, Jun 29, 2004
    #3
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.