NAT & ACL help

UnclePaul
Level 1

Hello, I have a new 831 router with SDM. As soon as I enable the Firewall & Access Control List (via SDM) I lose my outside Remote Desktop access. I also have a relay mail server that needs to come into my LAN, and that also stops.

When logged into the console I can see ports 3389 and 25 are being stopped by Access List 101, as the traffic is being logged.

For NAT I added these lines:

ip nat inside source static tcp 10.10.10.10 3389 interface Ethernet1 3389

ip nat inside source static tcp 10.10.10.25 25 interface Ethernet1 25

For the access list 101 I added these lines:

access-list 101 permit tcp any eq 3389 host 10.10.10.10 eq 3389

access-list 101 permit tcp any eq smtp host 10.10.10.25 eq smtp

Adding the above entries has no effect.

Any help or direction would be greatly appreciated.

Attached is my full running config.

Thanks!

13 Replies

josaia
Level 1

Your ACL seems confusing.

Try:

access-list 101 permit tcp any host 10.10.10.10 eq 3389

access-list 101 permit tcp any host 10.10.10.25 eq smtp

HTH

Hello,

I tried the adjusted access list syntax to no avail.

I have the two lines as the first entries in access list 101.

?hmmm

Do you get anything when you do "show ip nat statistics"??

It returns:

Total active translations: 9 (0 static, 9 dynamic; 9 extended)

Outside interfaces:

Ethernet1

Inside interfaces:

Ethernet0

Hits: 384411 Misses: 5245

Expired translations: 5242

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 1 interface Ethernet1 refcount 7

NAT seems to be working.

It could be the arrangement of statements in ACL 101.

By the way, may I ask, what is the reason for:

1) access-list 101 deny ip 10.10.10.0 0.0.0.255 any

and

2) access-list 101 deny ip 10.0.0.0 0.255.255.255 any

in your ACL???

It seems like your first statement will block any IP packet (coming in through interface e1) from the 10.10.10 subnet to any destination, while your second will block all packets from the 10.0.0.0 network coming into e1.

Just a quick note on your access-list before I try to address your problem. The access-list for remote desktop has 3389 as both the source and the destination port. Are you sure that this is indeed the case? I would be inclined to think that remote desktop traffic will have a destination port of 3389 while the source port could vary.

That being said, I think the problem is that your access-list has your internal (private) IP address as the destination and not the public IP address. The NAT order of operations is such that the ACL is checked first (from outside to inside) before NAT is performed, and as such the ACL will deny any packets to the interface's public IP address that you are NATting. The issue with this configuration is that the IP address of your interface is dynamic. Personally I am not aware of any solution to overcome this problem other than to open access to all IP addresses, or at least all addresses in your ISP's pool. Maybe someone else can provide more insight into this.

This whole process has been a hoot!

Things are working now. I figured out how to switch between SDM and CRWS. I used CRWS to create the basic working config. My RDP and SMTP can now get into my little home network even though I have a dynamic IP: NAT, ACL, and the Firewall now work together.

The changes, to my untrained eyes:

CRWS created an extended ACL rule for the NAT, while SDM did not

On the inbound ACL there is only the implicit deny with logging, all other entries are permit statements.

The CRWS and SDM configs are different, so I am sure there is something else in there too.

I switched back to SDM now.

no pain no gain, right?

Thanks for the replies and help!!

Thank you for posting the feedback here. I would like to take a look at the new configuration that CRWS added. Can you please post that when you get a chance?

Hi, I attached the unedited functioning config directly from CRWS. CRWS created some inbound openings that I have since manually removed.

I have noticed that SDM does not "like" the inbound ACL rule from CRWS. It has put the ACL in a "read-only" or unsupported view, and will not allow me to edit it from SDM. The SDM logging function also does not work either on the inbound ACL from CRWS.

I do see logging from the Console, as packets are rejected.

Maybe there is an issue with SDM2.0; regarding NAT, ACLs, and a dynamic wan link?

I am new to Cisco, but I am getting the feeling that the way to do all of this is the Command Line? ;-)

UnclePaul,

glad you got it working.

Seems like your ACL 111 has replaced ACL 101, eh?

And contrary to one of your earlier posts, there is not 1 deny statement but many (in the config you originally posted)... but yes, there is only 1 deny statement in the working config you just posted.

There are quite a few changes in the ACLs of your working config when compared to the initial one.

Maybe the order of your access-list statements really had a part to play in why your remote desktop and mail(smtp) were being blocked.

I prefer CLI myself. Anyway, coming back to the point: the new configuration works because it is permitting destination ports 3389 and 25 for all IP addresses, while your previous configuration was permitting these ports for your internal IP addresses. There are a few entries in this access-list 111 that I do not think should be there (like netbios-ns, netbios-dgm, bootpc, bootps, 139, gre). I would recommend removing them if your Ethernet1 is just being used to connect to the internet.

Also, let the router do the work for you. At the end of every ACL is an implicit deny; spell out that deny while debugging and >log it<, i.e.:

access-list XXX deny ip any any log

Then the output that gets logged will aid you in creating a working ACL. This is esp. true when working with NAT'd connections as it will help you to understand exactly what IP needs to be in the ACL.
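The two points made in the replies above (the inbound ACL is evaluated against the packet as it arrives, before static NAT rewrites the destination, and an explicit logged deny shows you which address the ACL actually saw) can be checked with a small model. The following is an added example, not code from the thread or from Cisco: a Python model of that outside-to-inside order of operations, fed with the NAT and access-list lines posted in the thread. The public address 203.0.113.7 (standing in for the dynamic Ethernet1 address) and the remote client 198.51.100.20 are constructed values.

```python
import ipaddress
from collections import namedtuple

# One access-list entry and one packet as the inbound ACL sees it
Ace = namedtuple("Ace", "action proto src src_port dst dst_port log text")
Packet = namedtuple("Packet", "proto src sport dst dport")
PORT_NAMES = {"smtp": 25}  # IOS port keyword used in the thread


def _parse_addr(t, i):
    """Consume one IOS address spec at t[i]: 'any' | 'host A' | 'A WILDCARD'."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # ipaddress reads a mask whose first octet is zero as a host (wildcard) mask
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def _parse_port(t, i):
    """Consume an optional 'eq PORT' (number or IOS keyword)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]'."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return Ace(t[2], t[3], src, sport, dst, dport, i < len(t) and t[i] == "log", line)


def parse_static_nat(line):
    """Parse 'ip nat inside source static tcp LOCAL LPORT interface IF GPORT'."""
    t = line.split()
    return t[6], int(t[7]), int(t[10])  # inside host, inside port, public port


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src
            and ipaddress.ip_address(pkt.dst) in ace.dst
            and ace.src_port in (None, pkt.sport)
            and ace.dst_port in (None, pkt.dport))


def evaluate_acl(aces, pkt):
    """First match wins; a packet matching nothing hits the implicit deny, which is not logged."""
    for ace in aces:
        if ace_matches(ace, pkt):
            log = (f"list {ace.text.split()[1]} {ace.action} {pkt.proto} "
                   f"{pkt.src}({pkt.sport}) -> {pkt.dst}({pkt.dport})") if ace.log else None
            return ace.action, ace.text, log
    return "deny", "<implicit deny>", None


def inbound(acl_lines, nat_lines, public_ip, pkt):
    """Outside-to-inside order: inbound ACL on the arriving packet first, static NAT after."""
    action, by, log = evaluate_acl([parse_ace(l) for l in acl_lines], pkt)
    if action == "deny":
        return {"action": "deny", "by": by, "log": log, "delivered_to": None}
    for inside_ip, inside_port, public_port in map(parse_static_nat, nat_lines):
        if pkt.dst == public_ip and pkt.dport == public_port:
            return {"action": "permit", "by": by, "log": log,
                    "delivered_to": (inside_ip, inside_port)}
    return {"action": "permit", "by": by, "log": log, "delivered_to": (pkt.dst, pkt.dport)}


# Constructed scenario: the thread's NAT lines, a made-up public address for Ethernet1
PUBLIC_IP = "203.0.113.7"
NAT = ["ip nat inside source static tcp 10.10.10.10 3389 interface Ethernet1 3389",
       "ip nat inside source static tcp 10.10.10.25 25 interface Ethernet1 25"]
ACL_PRIVATE_DST = [  # corrected syntax from the thread, but private addresses as destination
    "access-list 101 permit tcp any host 10.10.10.10 eq 3389",
    "access-list 101 permit tcp any host 10.10.10.25 eq smtp",
    "access-list 101 deny ip any any log"]
ACL_WORKING = [  # shape of the working config: destination ports, any destination address
    "access-list 111 permit tcp any any eq 3389",
    "access-list 111 permit tcp any any eq smtp",
    "access-list 111 deny ip any any log"]
RDP = Packet("tcp", "198.51.100.20", 51234, PUBLIC_IP, 3389)  # remote desktop client
SMB = Packet("tcp", "198.51.100.20", 51235, PUBLIC_IP, 445)   # a port that is not published


def run():
    """Evaluate the three cases; the logged deny shows the public address the ACL saw."""
    return {"private_dst": inbound(ACL_PRIVATE_DST, NAT, PUBLIC_IP, RDP),
            "working": inbound(ACL_WORKING, NAT, PUBLIC_IP, RDP),
            "unpublished": inbound(ACL_WORKING, NAT, PUBLIC_IP, SMB)}
```

Running `run()` shows the effect the thread describes: with the private addresses as destination, the RDP packet falls through to the logged deny, and the log line carries the public address 203.0.113.7, which is the address the ACL needed to match; with the working list the packet is permitted and then translated to 10.10.10.10:3389, while a port that is not published is still denied. The model only covers the pieces of IOS syntax used in the thread and is a teaching aid, not a substitute for the router's own `log` output.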

UnclePaul
Level 1

Thanks to everyone for the help

The 831 is running like a champ