ACL on Cisco router - Block traffic from outside, allow all from inside

Hello,

I am trying to create an ACL on a Cisco router which will allow all traffic from inside to the Internet and only allow specific traffic from the Internet to inside.

This is what I've configured and put on the router's interface connected to the ISP:

    10 permit icmp any any (411 matches)
    20 permit tcp "my public IP" any eq 3389 (46400 matches)
    30 permit tcp "my public IP" any eq 22 (9185 matches)
    40 permit ip "my public IP" any (3207 matches)
    50 permit tcp any any eq smtp (11 matches)
    60 permit tcp any any eq www (56 matches)
    70 permit tcp any any eq 443 (29 matches)
    80 permit tcp any any eq domain (5 matches)
    81 permit udp any any eq domain (7 matches)
    82 permit udp any eq domain any (10564 matches)
    83 permit tcp any eq domain any (10 matches)
    90 permit udp any any eq ntp (13317 matches)
    95 permit tcp 192.168.0.0 0.0.0.255 any
    Interface Dialer 1
    ip Access-group 101 IN

So I can connect from my public IP to the customer's LAN via RDP and SSH (which is o.k.), but the customer's users cannot access the Internet (which is not o.k.)!

Users are all in the same VLAN. Between the VLAN interface and the outside interface (Dialer 1) is PAT.

There are no other ACLs on the router except the one for PAT.

What am I missing here?

Thanks.

Accepted Solutions


No, you don't need that line. The NTP request is sent out and gets inspected by the router. The NTP answer matches a "state entry" that the router has built by the inspection. Based on this state entry the NTP answer is allowed. The ACL is only used when new connections arrive at the public interface, that is the incoming SSH and RDP in your case.


27 Replies

Seb Rupik (VIP Alumni)

Hi there,

What does your NAT and NAT-ACL look like?

You may as well remove line 95 (permit tcp 192.168.0.0 0.0.0.255 any) from ACL 101 as it is redundant.

cheers,

Seb.

Hi, thank you for your reply:

NAT:

ip nat inside source list 100 interface Dialer1 overload

access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny   ip any any

J

What is the output for:

sh ip nat statistics

This is from: sh ip nat statistics

Total active translations: 167 (0 static, 167 dynamic; 167 extended)
Peak translations: 1669, occurred 22:11:14 ago
Outside interfaces:
  Dialer1, GigabitEthernet1, Virtual-Access1
Inside interfaces:
  Vlan1
Hits: 5765836  Misses: 0
CEF Translated packets: 2085942, CEF Punted packets: 61498
Expired translations: 103470
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 100 interface Dialer1 refcount 165
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

J

Total active translations: 167 (0 static, 167 dynamic; 167 extended)

...looks like the PAT is working. Are you able to show some of the output from:

show ip nat trans

Hi Seb,

10 permit icmp any any
20 permit tcp "my public IP" any eq 3389
30 permit tcp "my public IP" any eq 22
95 permit tcp 192.168.0.0 0.0.0.255 any
100 permit ip any any

Maybe I didn't state my problem well. If I use the ACL above, everything is working, but all the traffic is captured on statement 100. So all traffic is allowed; if I remove statement 100, then local users don't have web access. And that is what is bothering me.

J

Ah I see. This behavior is due to the ACL being applied before outside-inside NAT, therefore line 100 is required for return traffic to be NAT'd.

If you are NAT'ing to a private inside network, do you really need an inbound ACL on your outside interface? Unless there is a static NAT statement, outside traffic cannot traverse the router.

I would remove the access-group from dialer1; you will not be exposing the inside unnecessarily.

cheers,

Seb.

o.k. But I do have one static nat translation, which allows me (from my public IP) to connect to their server on 3389.

J

In that case you will need to retain that line in the 101 ACL. Are you connecting from a fixed IP so that you can further secure the rule?

If you are connecting from various dynamic IPs and need to leave the ACL line as source-any, then the ACL provides no security and should be removed.

cheers,

Seb.

I have class C network that I am using for connection to client.

Should I put another ACL on Vlan interface?

Is that why 192.168.0.0/24 is present in the 101 ACL? Is that the remote subnet you are connecting from to port 3389?

If your inside local subnet is a private class C then it should be your global outside address that you want to add to ACL 101.

Better still run an IPSec tunnel between the sites.

Thank you Seb for all the effort.

This solution with ACL is quite complicated.

I've tried the suggestion which Karsten (above) posted with turning on the FW functionality and that worked.

Thanks again.

J

Would you mind posting your final config for the thread? Read through and found some useful information, but it's in bits and pieces without the final story. Would appreciate it.

Thanks!

T

Hello Tyrone,

I added this to global configuration on router:

ip inspect name FW dns
ip inspect name FW icmp router-traffic
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW smtp

then this to my Outside Interface:

ip access-group 101 IN
ip inspect FW out

Access list 101:

access-list 101 permit icmp any any
access-list 101 permit tcp "My public IP" any eq 3389
access-list 101 permit tcp "My public IP" any eq 22
access-list 101 permit tcp any any eq smtp
access-list 101 permit udp any any eq ntp
access-list 101 deny   ip any any

So this configuration allows outside traffic from my public IP only. The FW function on the router takes care of traffic that is initialized from inside. Probably the config could be optimized, but since it is working.....

J
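The following is an added example and not part of the thread or any Cisco code: a small Python model of first-match ACL evaluation on the outside interface, with and without an inspection state table of the kind Karsten's accepted answer and the final config rely on. It reproduces the thread's three situations: the original ACL 101 dropping the reply to an inside-initiated web session, `permit ip any any` "fixing" that by admitting everything (including unsolicited RDP from an unknown host), and inspection state admitting only the matching reply while the ACL still restricts new inbound sessions to the admin IP. All addresses and ports (`PUBLIC_IP`, `ADMIN_IP`, the web server and the unknown host) are constructed from documentation ranges, and the `Rule`/`Packet` grammar is a simplification of IOS syntax.

```python
"""Toy model of a Cisco IOS inbound ACL plus CBAC-style inspection state.
Added example; not from the thread. Addresses are constructed placeholders."""

from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed values: the router's public (PAT) address and the admin's source IP.
PUBLIC_IP = "203.0.113.10"   # hypothetical outside address of Dialer1
ADMIN_IP = "198.51.100.5"    # hypothetical "my public IP" from the thread
WEB_SERVER = "192.0.2.80"    # hypothetical Internet web server
STRANGER = "192.0.2.77"      # hypothetical unknown Internet host


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: str               # "any", a host address, or a CIDR prefix
    sport: Optional[int]   # None = any source port
    dst: str
    dport: Optional[int]   # None = any destination port


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def acl_decision(acl, pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny ip any any' at the end."""
    for rule in acl:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


def inspect_outbound(state: set, pkt: Packet) -> None:
    """Record an inside-initiated session, as 'ip inspect FW out' would on the outside interface."""
    state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))


def inbound_allowed(acl, state: set, pkt: Packet) -> bool:
    """Return traffic for a recorded session bypasses the ACL; anything else is judged by the ACL."""
    reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    if reverse in state:
        return True
    return acl_decision(acl, pkt) == "permit"


# ACL 101 as in the final config of the thread (ports written numerically).
ACL_101 = [
    Rule("permit", "icmp", "any", None, "any", None),
    Rule("permit", "tcp", ADMIN_IP, None, "any", 3389),
    Rule("permit", "tcp", ADMIN_IP, None, "any", 22),
    Rule("permit", "tcp", "any", None, "any", 25),
    Rule("permit", "udp", "any", None, "any", 123),
]
# The earlier "working" variant: statement 100, permit ip any any, appended.
ACL_101_OPEN = ACL_101 + [Rule("permit", "ip", "any", None, "any", None)]


def demo():
    """Returns (reply blocked without inspection, reply allowed with inspection,
    unknown-host RDP allowed, admin RDP allowed) under ACL_101."""
    state = set()
    # After PAT the inside user's session leaves with the router's public address,
    # and the inbound ACL sees the reply addressed to that public IP (pre-NAT).
    outbound = Packet("tcp", PUBLIC_IP, 51000, WEB_SERVER, 80)
    reply = Packet("tcp", WEB_SERVER, 80, PUBLIC_IP, 51000)
    without_inspect = inbound_allowed(ACL_101, set(), reply)   # the thread's symptom: False
    inspect_outbound(state, outbound)
    with_inspect = inbound_allowed(ACL_101, state, reply)      # state entry admits it: True
    stranger_rdp = inbound_allowed(ACL_101, state, Packet("tcp", STRANGER, 40000, PUBLIC_IP, 3389))
    admin_rdp = inbound_allowed(ACL_101, state, Packet("tcp", ADMIN_IP, 40000, PUBLIC_IP, 3389))
    return without_inspect, with_inspect, stranger_rdp, admin_rdp


if __name__ == "__main__":
    print("ACL 101 with inspection:", demo())
    print("ACL 101 + permit ip any any admits unknown RDP:",
          inbound_allowed(ACL_101_OPEN, set(), Packet("tcp", STRANGER, 40000, PUBLIC_IP, 3389)))
```

The model keeps a single 5-tuple table; real CBAC tracks per-protocol state with timeouts and handles ICMP and DNS specially, but the decision order (state entry first, then the ACL for new sessions) is what makes the final config work and what `permit ip any any` throws away.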
