12-13-2006 09:20 AM - edited 03-03-2019 03:02 PM
Hi,
See my config below.
I have a webserver directly connected to fa1/0 with an IP of 10.1.10.10 with xover cable.
fa0/0 is directly connected to the internet.
With the access list and NAT translations, no one from the internet (or connections originating from the same subnet as the fa0/0, ex: x.x.x.25) can connect to the webserver via x.x.x.253 or 254.
What am I missing?
Code:
Building configuration...
Current configuration : 2571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SIP-NA-PUBLIC
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxx
enable password xxxxxxxx
!
aaa new-model
!
!
!
aaa session-id common
!
resource policy
!
!
!
ip cef
ip domain name xxxxxx.com
ip name-server 206.191.0.141
ip name-server 206.191.0.210
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxx password 0 xxxxxxxx
!
!
!
!
!
!
interface FastEthernet0/0
ip address x.x.x.254 255.255.255.0 secondary
ip address x.x.x.253 255.255.255.0
ip access-group 100 in
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
no mop enabled
!
interface FastEthernet1/0
ip address 10.1.10.1 255.255.255.0
ip access-group 101 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1/1
ip address 10.1.11.1 255.255.255.0
duplex auto
speed auto
!
ip default-gateway x.x.x.1
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 x.x.x.1
!
!
ip nat source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.10.10 80 x.x.x.253 80 extendable
ip nat inside source static tcp 10.1.10.10 5060 x.x.x.253 5060 extendable
ip nat inside source static tcp 10.1.10.11 80 x.x.x.254 80 extendable
ip nat inside source static tcp 10.1.10.11 5060 x.x.x.254 5060 extendable
!
access-list 100 permit tcp any x.x.x.0 0.0.0.255 established
access-list 100 permit tcp any x.x.x.0 0.0.0.255 eq 22
access-list 100 permit udp any x.x.x.0 0.0.0.255 eq tftp
access-list 100 permit tcp any x.x.x.0 0.0.0.255 eq www
access-list 100 permit tcp any x.x.x.0 0.0.0.255 eq 161
access-list 100 permit tcp any x.x.x.0 0.0.0.255 eq 162
access-list 100 permit udp any x.x.x.0 0.0.0.255 eq syslog
access-list 100 permit tcp any x.x.x.0 0.0.0.255 eq 5060
access-list 100 deny udp any any eq time
access-list 100 deny udp any any eq tacacs
access-list 100 deny udp any any eq bootps
access-list 100 deny tcp any any eq sunrpc
access-list 100 deny udp any any eq sunrpc
access-list 100 deny ip any any log
access-list 101 permit tcp any 10.1.10.0 0.0.0.255 eq www
access-list 101 permit tcp any 10.1.10.0 0.0.0.255 eq 5060
access-list 101 deny ip any any log
snmp-server community xxxxxx RW
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxx
login authentication xxxxxxxx
transport input all
transport output all
!
!
end
12-13-2006 09:30 AM
Hi,
Try removing the access-group 101 from the Fa1/0 interface. Also try changing your static NAT statement to "ip nat inside source static 10.1.10.10 x.x.x.253" and see if that works.
HTH,
-amit singh
12-13-2006 10:10 AM
I can't remove my ip nat statement and replace it with what you suggested, as it then shuts off my ssh session to the fa0/0.
12-13-2006 10:53 AM
I got it working.
The problem is the device connected to fa1/0 has 1 ETH ports, one is active, the other one is standby, and I wasn't connected to the correct one.
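Added example, not part of the thread and not the poster's code: an offline check that each static port forward in a config shaped like the one posted is permitted by both the inbound ACL on the outside interface and the outbound ACL on the inside interface, which helps rule out the ACLs before looking at cabling. The 203.0.113.0/24 range stands in for the masked x.x.x.0/24, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the shape of the posted config; the masked x.x.x.0/24
# is replaced by the documentation range 203.0.113.0/24 (an assumption).
CONFIG = """\
ip nat inside source static tcp 10.1.10.10 80 203.0.113.253 80 extendable
ip nat inside source static tcp 10.1.10.10 5060 203.0.113.253 5060 extendable
access-list 100 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 100 permit tcp any 203.0.113.0 0.0.0.255 eq www
access-list 100 permit tcp any 203.0.113.0 0.0.0.255 eq 5060
access-list 100 deny ip any any log
access-list 101 permit tcp any 10.1.10.0 0.0.0.255 eq www
access-list 101 permit tcp any 10.1.10.0 0.0.0.255 eq 5060
access-list 101 deny ip any any log
"""
PORT_NAMES = {"www": 80}  # only the IOS port keyword this sample uses
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACE_RE = re.compile(r"access-list (\d+) (permit|deny) (\w+) any "
                    r"(?:any|(\S+) (\S+))(?: eq (\S+))?( established)?")

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_verdict(config, acl, proto, dst_ip, dst_port):
    """First-match verdict for a new connection (initial SYN) from any source."""
    for num, action, p, net, wild, port, est in ACE_RE.findall(config):
        if num != acl or p not in (proto, "ip") or est:
            continue  # 'established' entries never match an initial SYN
        if net and (_to_int(dst_ip) ^ _to_int(net)) & ~_to_int(wild) & 0xFFFFFFFF:
            continue  # wildcard mask: bits set to 1 are "don't care"
        if port and (PORT_NAMES.get(port) or int(port)) != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL

def audit_port_forwards(config, outside_in="100", inside_out="101"):
    """Map each static port forward to (outside-in verdict, inside-out verdict)."""
    results = {}
    for proto, l_ip, l_port, g_ip, g_port in NAT_RE.findall(config):
        # Inbound ACL on the outside interface runs before NAT (sees global addr);
        # outbound ACL on the inside interface runs after NAT (sees local addr).
        results[(proto, g_ip, int(g_port))] = (
            acl_verdict(config, outside_in, proto, g_ip, int(g_port)),
            acl_verdict(config, inside_out, proto, l_ip, int(l_port)))
    return results

if __name__ == "__main__":
    print(audit_port_forwards(CONFIG))
```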