01-17-2007 08:54 PM - edited 03-03-2019 03:24 PM
Hi, the ADSL router does a simple NAT from the WAN IP to LAN IP 10.0.0.2. All packets then go to our firewall. I know IP TCP/UDP is being forwarded OK, but could someone kindly check the access list and confirm all IP packets are being forwarded, as I wish to allow GRE tunnel (IP protocol 47) packets through also. Config below:
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source static 10.0.0.1 interface Dialer0
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 10 protocol ip permit
Many thanks
Chris
01-17-2007 10:49 PM
Access lists can be applied either in or out on an interface using the ip access-group command:
ip access-group 110 {in | out}
Check this URL to get more information:
http://www.cisco.com/warp/public/707/confaccesslists.html#sourcedefine
An ACL is used to filter traffic, but ACL 110 is permitting everything, so it is as good as using no ACL.
HTH, rate if it does ...
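To make the "permits everything" point concrete, here is an added Python model of how an IOS numbered extended ACL is evaluated (first match wins, implicit deny at the end, Cisco wildcard masks, and the `ip` keyword matching every IP protocol, GRE included). It is illustration code written for this thread, not anything from the router or from Cisco; ACL 110 is the one posted above, while ACL 120 and the destination address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# IOS protocol keywords -> IP protocol numbers (subset). "ip" matches every protocol.
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

# The ACL from the thread, copied verbatim.
ACL_110 = ["access-list 110 permit ip 10.0.0.0 0.0.0.255 any"]

# A constructed, tighter alternative (hypothetical, not from the thread): GRE only from
# the firewall host plus TCP from the LAN; everything else falls to the implicit deny.
ACL_120 = [
    "access-list 120 permit gre host 10.0.0.1 any",
    "access-list 120 permit tcp 10.0.0.0 0.0.0.255 any",
]

def parse_ace(line):
    """Parse one numbered extended ACE into (action, proto, src, dst).
    src/dst are (address, wildcard) tuples; 'any' and 'host' are expanded."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not an extended ACE: " + line)
    pos, ends = 4, []
    for _ in range(2):                      # source endpoint, then destination endpoint
        if tok[pos] == "any":
            ends.append(("0.0.0.0", "255.255.255.255")); pos += 1
        elif tok[pos] == "host":
            ends.append((tok[pos + 1], "0.0.0.0")); pos += 2
        else:
            ends.append((tok[pos], tok[pos + 1])); pos += 2
    return tok[2], tok[3], ends[0], ends[1]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def proto_match(keyword, proto_num):
    if keyword == "ip":                     # any IP protocol, so GRE (47) passes too
        return True
    if keyword.isdigit():                   # numeric form, e.g. 'permit 47 ...'
        return int(keyword) == proto_num
    return PROTO_KEYWORDS.get(keyword) == proto_num

def acl_permits(acl_lines, src, dst, proto_num):
    """Walk the ACEs in order; first match wins; no match means implicit deny."""
    for action, proto, (sa, sw), (da, dw) in map(parse_ace, acl_lines):
        if proto_match(proto, proto_num) and wildcard_match(src, sa, sw) \
                and wildcard_match(dst, da, dw):
            return action == "permit"
    return False

if __name__ == "__main__":
    print(acl_permits(ACL_110, "10.0.0.1", "203.0.113.10", 47))   # True
```

Note that the model only evaluates the ACL itself; on the posted router ACL 110 is not bound to any interface, so it filters nothing at all.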
01-17-2007 09:03 PM
Have you posted the complete configuration of VLAN 1 and Dialer 0?
Per your config, I don't see ACL 110 applied to any interface, nor do I see dialer-list 10 used anywhere in the config.
If this config is working for you: as the ACL is not applied to Dialer 0 or VLAN 1, no traffic will be blocked. Even if the ACL were applied on an interface, it wouldn't block anything coming from the 10.0.0.0/24 network, as you are permitting all IP traffic.
Also, you have configured static NAT for only 10.0.0.1, so there will not be any NAT translations for other IPs.
Hope this answers your query. Rate if it does ...
Let us know if you are looking for something else.
01-17-2007 10:28 PM
Thanks for the quick reply. Full config below, passwords removed!
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xx
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.124-4.XC4.bin
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip cef
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/50
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 5
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.0.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1300
 no ip mroute-cache
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1300
 no ip mroute-cache
 dialer pool 5
 dialer remote-name Etisalat
 dialer-group 10
 ppp chap hostname test
 ppp chap password 7 test
 ppp pap sent-username test password 7 test
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source static 10.0.0.1 interface Dialer0
!
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 10 protocol ip permit
!
!
control-plane
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Not that I want to in this case, but out of curiosity, how would you apply the ACL to an interface?
Thanks,
Chris