ACL not working with NAT

menelskii
Level 1

Hi all,

I have a problem configuring ACLs with NAT. When I remove the ACLs everything works correctly. When I assign them to the interface only ICMP ping works on the computers connected to the switch. It looks like packets go out to the ISP and do not come back, and the computers have no access to the Internet. Below you can find the configuration of my devices. Have you any idea what is wrong?

==================== ROUTER =======================

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
logging console informational
enable password cisco
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.10
ip dhcp excluded-address 10.1.2.1 10.1.2.10
!
ip dhcp pool VLAN100
   network 10.1.1.0 255.255.255.0
   dns-server 194.204.152.34 8.8.8.8
   default-router 10.1.1.1
!
ip dhcp pool VLAN200
   network 10.1.2.0 255.255.255.0
   dns-server 194.204.152.34 8.8.8.8
   default-router 10.1.2.1
!
ip dhcp pool VLAN300
   network 10.1.3.0 255.255.255.0
   dns-server 194.204.152.34 8.8.8.8
   default-router 10.1.3.1
!
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
username cisco password 0 cisco
archive
 log config
  hidekeys
!
interface GigabitEthernet0/0
 description INTERNET UPLINK
 ip address XXX.YYY.169.250 255.255.255.248
 ip access-group INCOME in
 ip access-group OUTCOME out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed 100
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 description VLAN 100
 encapsulation dot1Q 100
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.2
 description VLAN 200
 encapsulation dot1Q 200
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.3
 description VLAN 300
 encapsulation dot1Q 300
 ip address 10.1.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.10
 description VLAN 1
 encapsulation dot1Q 1 native
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 XXX.YYY.169.249
!
!
ip http server
no ip http secure-server
ip nat pool NAT-VLAN XXX.YYY.169.251 XXX.YYY.169.252 netmask 255.255.255.248
ip nat inside source list VLANS pool NAT-VLAN overload
ip nat inside source static 10.1.3.0 XXX.YYY.169.253
!
ip access-list extended INCOME
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp host 194.204.152.34 any gt 1023
 permit udp host 8.8.8.8 any gt 1023
 permit tcp any any eq whois
 permit icmp any any
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq 4443
 permit udp any any eq non500-isakmp
 permit udp any any eq 10000
 permit tcp any any eq telnet
ip access-list extended OUTCOME
 permit tcp any any eq www
 permit tcp any any eq 443
 permit udp host 194.204.152.34 any gt 1023
 permit udp host 8.8.8.8 any gt 1023
 permit tcp any any eq whois
 permit icmp any any
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq 4443
 permit udp any any eq non500-isakmp
 permit udp any any eq 10000
 permit tcp any any eq telnet
ip access-list extended VLANS
 permit ip 10.0.0.0 0.255.255.255 any
!
logging trap debugging
!
!
control-plane
!
!
banner exec ^CC
|=======================================================================|
|                                WARNING                                |
banner motd ^CC
|=======================================================================|
                                 WARNING
!
line con 0
 password cisco
line aux 0
line vty 0 4
 password cisco
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

=========================== SWITCH ===================================

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname SWITCH
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 100
!
interface FastEthernet0/2
 switchport access vlan 100
!
interface FastEthernet0/3
 switchport access vlan 100
!
interface FastEthernet0/4
 switchport access vlan 100
!
interface FastEthernet0/5
 switchport access vlan 100
!
interface FastEthernet0/6
 switchport access vlan 100
!
interface FastEthernet0/7
 switchport access vlan 100
!
interface FastEthernet0/8
 switchport access vlan 100
!
interface FastEthernet0/9
 switchport access vlan 100
!
interface FastEthernet0/10
 switchport access vlan 100
!
interface FastEthernet0/11
 switchport access vlan 100
!
interface FastEthernet0/12
 switchport access vlan 100
!
interface FastEthernet0/13
 switchport access vlan 100
!
interface FastEthernet0/14
 switchport access vlan 100
!
interface FastEthernet0/15
 switchport access vlan 100
!
interface FastEthernet0/16
 switchport access vlan 100
!
interface FastEthernet0/17
 switchport access vlan 100
!
interface FastEthernet0/18
 switchport access vlan 100
!
interface FastEthernet0/19
 switchport access vlan 100
!
interface FastEthernet0/20
 switchport access vlan 100
!
interface FastEthernet0/21
 switchport access vlan 100
!
interface FastEthernet0/22
 switchport access vlan 100
!
interface FastEthernet0/23
 switchport access vlan 100
!
interface FastEthernet0/24
 switchport access vlan 100
!
interface FastEthernet0/25
 switchport access vlan 200
!
interface FastEthernet0/26
 switchport access vlan 200
!
interface FastEthernet0/27
 switchport access vlan 200
!
interface FastEthernet0/28
 switchport access vlan 200
!
interface FastEthernet0/29
 switchport access vlan 200
!
interface FastEthernet0/30
 switchport access vlan 200
!
interface FastEthernet0/31
 switchport access vlan 200
!
interface FastEthernet0/32
 switchport access vlan 200
!
interface FastEthernet0/33
 switchport access vlan 200
!
interface FastEthernet0/34
 switchport access vlan 200
!
interface FastEthernet0/35
 switchport access vlan 200
!
interface FastEthernet0/36
 switchport access vlan 200
!
interface FastEthernet0/37
 switchport access vlan 200
!
interface FastEthernet0/38
 switchport access vlan 200
!
interface FastEthernet0/39
 switchport access vlan 200
!
interface FastEthernet0/40
 switchport access vlan 200
!
interface FastEthernet0/41
 switchport access vlan 200
!
interface FastEthernet0/42
 switchport access vlan 200
!
interface FastEthernet0/43
 switchport access vlan 200
!
interface FastEthernet0/44
 switchport access vlan 200
!
interface FastEthernet0/45
 switchport access vlan 200
!
interface FastEthernet0/46
 switchport access vlan 200
!
interface FastEthernet0/47
 switchport access vlan 200
!
interface FastEthernet0/48
 switchport access vlan 200
!
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 300
!
interface Vlan1
 ip address 10.10.10.2 255.255.255.0
 no ip route-cache
!
interface Vlan100
 ip address 10.1.1.2 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan200
 ip address 10.1.2.2 255.255.255.0
 no ip route-cache
 shutdown
!
interface Vlan300
 ip address 10.1.3.2 255.255.255.0
 no ip route-cache
 shutdown
!
ip default-gateway 10.10.10.1
ip http server
banner exec ^CC
|=======================================================================|
|                                WARNING                                |
|                                =======                                |
banner motd ^CC
|=======================================================================|
|                                WARNING                                |
| ---------                      =======                                |
!
line con 0
 password cisco
line vty 0 4
 password cisco
 login local
 transport input telnet
line vty 5 15
 login
!
!
end


4 Replies

Hi,

  Just think of the direction of the packets.

For example, return packets from the internet:

!

ip access-list extended INCOME

permit tcp any eq www any

permit tcp any eq 443 any

!

HTH,

Toshi

I forgot to write that I can connect to the router by Telnet from the Internet with the ACL assigned.

Toshi, I never saw this kind of access list order. Always it was . Can you describe to me a little what this changes when I put "any" at the end? I tried to change the whole INCOME ACL to this form you propose, but the only effect was that I blocked my telnet connection to the router from the Internet. I think I don't understand something. Should I do this only for www, https and dns or for every entry?

Luka

Hi,

   Sorry for my late reply. Sure you can telnet to the router. When you write ACLs you have to think of the direction of the packets you're going to filter.

   From the router's point of view, the packet going out will hit ACL-OUTCOME. You may think that packets are going to the internet. In your case packets are NATed before going to the outbound ACL. Let's say you allow packets going to the internet for http/https/dns services.

  Source IP address : Actually it's an IP of the WAN router (because it's NATed), ANY is okay

  Source Port : Any number (should be >1023)

  Destination IP address : ANY (internet)

  Destination Port : http/https/dns

  So the ACL should be as follows:

      Permit tcp any (Source IP, ANY port)  any (Destination Internet-IP) eq 80 (Destination Port)
      Permit tcp any (Source IP, ANY port)  any (Destination Internet-IP) eq 443 (Destination Port)
      Permit tcp any (Source IP, ANY port)  any (Destination Internet-IP) eq 53 (Destination Port)

   From the router's point of view, the packet coming in will hit ACL-INCOME. You may think that packets are coming from the internet. Let's say you allow packets coming from the internet for http/https/dns services.

F.e. Returned Packets

  Source IP address : ANY (internet)

  Source Port : http/https/dns

  Destination IP address : Actually it's an IP of the WAN router (because it's NATed), ANY is okay

  Destination Port : Any number (should be >1023)

     So the ACL should be as follows:

      Permit tcp any (Source Internet-IP)  eq 80 (Source Port)  any (Destination Any Port)
      Permit tcp any (Source Internet-IP)  eq 443 (Source Port) any (Destination Any Port)
      Permit tcp any (Source Internet-IP)  eq 53 (Source Port)  any (Destination Any Port)

HTH,

Toshi
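To make the direction point from both of Toshi's replies concrete, here is an added example (not code from the thread or from Cisco) that models first-match ACL evaluation with an implicit deny and runs the original post's INCOME www/443 entries, and Toshi's rewritten ones, against a constructed return packet. The packet values, the simplified ACL grammar and the port-name table are assumptions.

```python
# Added example, not from the thread: a minimal model of how IOS evaluates an
# extended ACL (first match wins, implicit deny at the end), run against the
# INCOME entries from the original post and against Toshi's corrected direction.
# Modelled syntax (assumption): permit|deny <proto> any|host A [eq|gt P] any|host B [eq|gt P]
from collections import namedtuple
PORT_NAMES = {"www": 80, "telnet": 23, "domain": 53}   # IOS names used on the page
Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_side(tokens, i):
    if tokens[i] == "any":
        addr, i = None, i + 1            # None means "matches anything"
    elif tokens[i] == "host":
        addr, i = tokens[i + 1], i + 2
    else:
        raise ValueError("only any/host are supported in this model")
    port = None
    if i < len(tokens) and tokens[i] in ("eq", "gt"):
        port = (tokens[i], int(PORT_NAMES.get(tokens[i + 1], tokens[i + 1])))
        i += 2
    return addr, port, i

def _port_ok(cond, port):
    if cond is None:
        return True
    return port == cond[1] if cond[0] == "eq" else port > cond[1]

def acl_action(acl, pkt):
    """'permit' or 'deny' for pkt: first matching entry wins, else implicit deny."""
    for line in acl:
        t = line.split()
        src, sp, i = _parse_side(t, 2)
        dst, dp, _ = _parse_side(t, i)
        if t[1] not in (pkt.proto, "ip"):
            continue
        if src not in (None, pkt.src) or dst not in (None, pkt.dst):
            continue
        if _port_ok(sp, pkt.sport) and _port_ok(dp, pkt.dport):
            return t[0]
    return "deny"

# www/443 entries as posted in the original INCOME ACL, and as Toshi rewrote
# them: on the return trip the web server's port is the *source* port.
INCOME_ORIGINAL = ["permit tcp any any eq www", "permit tcp any any eq 443"]
INCOME_FIXED = ["permit tcp any eq www any", "permit tcp any eq 443 any"]
# Constructed reply from a web server to the NAT pool address on Gi0/0.
RETURN_PKT = Packet("tcp", "203.0.113.10", 80, "XXX.YYY.169.251", 51234)

def check_return_traffic():
    return acl_action(INCOME_ORIGINAL, RETURN_PKT), acl_action(INCOME_FIXED, RETURN_PKT)
```

`check_return_traffic()` returns `('deny', 'permit')`: the posted INCOME list drops the reply because its destination port is the client's ephemeral port, not 80, which is exactly why only ping worked.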

Toshi,

Thanks very much for such detailed explanations. This improves my understanding of ACLs a lot, but I still have a lot to learn. I think I looked at this problem from the wrong point of view. Thanks again.

The good thing is that I started to make some changes with the advice from your first answer and I did an "unprofessional" solution for my problem. I put each port rule in twice. Like:

permit tcp any  eq www any

permit tcp any any eq www

I did this only for my INCOME ACL assigned inbound on the ISP connection port, and I deleted the OUTCOME ACL, and for now everything is working.

Now I'm going to sit down and think about your second post until I completely understand why this works and what is not needed.
