02-04-2011 05:01 PM - edited 03-04-2019 11:19 AM
I set up NAT, with a DHCP pool (15-20 addresses) on a simple LAN on eth0/1. Static IP's (five of them) 66.60.185.18 - .21.
WAN on eth0/0, LAN on eth0/1, eth0/2 not used at this time (DMZ). I set up a static NAT for .20 to a FTP server and .21 to a videophone.
My problem is even though the firewall ACL was applied (acl 100), and removed, I'm still not able to connect in from the outside. And this is IP to IP mapping (static LAN ip to a static).
What do I need to do in order to have the ftp service working correctly as well as specific ports to the LAN - ACL 100 (inbound WAN ACL) was applied and then unapplied, no changes.
sho run here:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2921
!
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
logging buffered 256000 informational
enable secret 5 $1$NNtB$1JUg1gDKwSD3WgiRdm5y71
!
no aaa new-model
!
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.1.100.1 10.1.100.109
ip dhcp excluded-address 10.1.100.126 10.1.100.254
!
ip dhcp pool internal
import all
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.254 66.60.130.6
default-router 10.1.100.254
!
!
ip name-server 66.60.130.2
ip name-server 66.60.130.6
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-552194196
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-552194196
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-552194196
certificate self-signed 01
quit
license udi pid CISCO2921/K9 sn !
!
username dman privilege 15
username admin privilege 15 !
redundancy
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol ftp
match protocol h323
match protocol sip
match protocol h323-nxg
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any sdm-service-ccp-inspect-1
match protocol http
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-any ftp
match protocol ftp
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-dmz-protocols
match protocol http
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-9
match class-map sdm-mgmt-cls-0
match access-group 114
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-8
match class-map sdm-mgmt-cls-0
match access-group 110
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-7
match class-map sdm-mgmt-cls-0
match access-group 106
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-6
match class-map sdm-mgmt-cls-0
match access-group 104
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-5
match class-map sdm-mgmt-cls-0
match access-group 113
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-4
match class-map sdm-mgmt-cls-0
match access-group 112
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-3
match class-map sdm-mgmt-cls-0
match access-group 111
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-2
match class-map sdm-mgmt-cls-0
match access-group 109
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-1
match class-map sdm-mgmt-cls-0
match access-group 108
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 107
class-map type inspect match-all sdm-nat-sip-1
match access-group 105
class-map type inspect match-all ccp-protocol-http
match class-map sdm-service-ccp-inspect-1
class-map type inspect match-all sdm-nat-ftp-1
match access-group 105
match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-sip-1
pass
class type inspect sdm-nat-ftp-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ftp
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-mgmt-cls-ccp-permit-9
inspect
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-dmz-traffic
inspect
class class-default
drop
!
zone security internet
zone security out-zone
zone security in-zone
zone security dmz-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 66.60.185.22 255.255.255.248
ip access-group 100 in
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.1.100.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description $FW_DMZ$$ETH-LAN$
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly in
zone-member security dmz-zone
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool 10 66.60.185.18 66.60.185.21 netmask 255.255.255.248
ip nat inside source list 1 pool 10 overload
ip nat inside source static network 10.1.100.150 66.60.185.20 /32
ip nat inside source static network 10.1.100.210 66.60.185.21 /32
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 66.60.185.21
!
logging 10.1.100.111
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.100.0 0.0.0.255
access-list 3 permit 10.1.100.112
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 71.142.241.22
access-list 3 permit 66.205.158.73
access-list 3 permit 66.205.158.108
access-list 3 permit 64.30.104.149
access-list 3 permit 192.168.0.195
access-list 3 permit 66.60.164.51
access-list 3 permit 71.142.251.221
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 permit 10.1.100.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq 22
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq 22
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq 22
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq 22
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq www
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq www
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq www
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq www
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq 443
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq 443
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq 443
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq 443
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq cmd
access-list 100 deny tcp any host 66.60.185.22 eq telnet
access-list 100 deny tcp any host 66.60.185.22 eq 22
access-list 100 deny tcp any host 66.60.185.22 eq www
access-list 100 deny tcp any host 66.60.185.22 eq 443
access-list 100 deny tcp any host 66.60.185.22 eq cmd
access-list 100 deny udp any host 66.60.185.22 eq snmp
access-list 100 permit ip any host 66.60.185.18
access-list 100 permit ip any host 66.60.185.19
access-list 100 permit udp host 66.60.130.2 eq domain host 66.60.164.62
access-list 100 permit udp host 66.60.130.6 eq domain host 66.60.164.62
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip host 71.142.241.22 any
access-list 101 permit ip host 66.205.158.108 any
access-list 101 permit ip host 10.1.100.112 any
access-list 101 permit ip host 66.205.158.73 any
access-list 101 permit ip host 192.168.0.195 any
access-list 101 permit ip host 66.60.164.51 any
access-list 101 permit ip host 64.30.104.149 any
access-list 101 permit ip 10.1.100.0 0.0.0.255 any
access-list 101 permit ip host 71.142.251.221 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip host 71.142.241.22 any
access-list 102 permit ip host 66.205.158.108 any
access-list 102 permit ip host 10.1.100.112 any
access-list 102 permit ip host 66.205.158.73 any
access-list 102 permit ip host 192.168.0.195 any
access-list 102 permit ip host 66.60.164.51 any
access-list 102 permit ip host 64.30.104.149 any
access-list 102 permit ip 10.1.100.0 0.0.0.255 any
access-list 102 permit ip host 71.142.251.221 any
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip 66.60.185.16 0.0.0.15 any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip host 192.168.0.195 host 66.60.185.22
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.100.150
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark CCP_ACL Category=1
access-list 106 permit ip host 66.205.158.73 host 66.60.185.22
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark CCP_ACL Category=1
access-list 107 permit ip host 71.142.251.221 host 66.60.164.62
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit ip 10.1.100.0 0.0.0.255 host 66.60.164.62
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip host 64.30.104.149 host 66.60.164.62
access-list 110 remark Auto generated by SDM Management Access feature
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 10.1.100.112 host 66.60.185.22
access-list 111 remark Auto generated by SDM Management Access feature
access-list 111 remark CCP_ACL Category=1
access-list 111 permit ip host 64.30.104.149 host 66.60.185.22
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark CCP_ACL Category=1
access-list 112 permit ip host 66.60.164.51 host 66.60.185.22
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark CCP_ACL Category=1
access-list 113 permit ip host 66.205.158.108 host 66.60.185.22
access-list 114 remark Auto generated by SDM Management Access feature
access-list 114 remark CCP_ACL Category=1
access-list 114 permit ip host 71.142.241.22 host 66.60.185.22
access-list 120 remark CCP_ACL Category=16
access-list 120 deny tcp host 10.1.100.200 eq www any
access-list 120 deny tcp host 10.1.100.200 eq 443 any
access-list 120 deny tcp host 10.1.100.30 eq 22 any
access-list 120 deny udp host 10.1.100.30 eq 22 any
access-list 120 deny tcp host 10.1.100.30 eq www any
access-list 120 deny tcp host 10.1.100.30 eq 443 any
access-list 120 deny udp host 10.1.100.30 eq 5060 any
access-list 120 permit ip 10.1.100.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 102 in
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
Solved! Go to Solution.
02-04-2011 07:58 PM
hi david,
try to do the below and test again by using show ip nat translation command. Your ACL100 has the "permit ip any any" and this would allow your FTP traffic.
no ip nat inside source static network 10.1.100.150 66.60.185.20 /32
no ip nat inside source static network 10.1.100.210 66.60.185.21 /32
ip nat inside source static 10.1.100.150 66.60.185.20
ip nat inside source static 10.1.100.210 66.60.185.21
02-04-2011 07:58 PM
hi david,
try to do the below and test again by using show ip nat translation command. Your ACL100 has the "permit ip any any" and this would allow your FTP traffic.
no ip nat inside source static network 10.1.100.150 66.60.185.20 /32
no ip nat inside source static network 10.1.100.210 66.60.185.21 /32
ip nat inside source static 10.1.100.150 66.60.185.20
ip nat inside source static 10.1.100.210 66.60.185.21
02-04-2011 10:57 PM
Hi David,
ip dhcp excluded-address 10.1.100.126 10.1.100.254
So you are excluding from .126 to .254
ip nat pool 10 66.60.185.18 66.60.185.21 netmask 255.255.255.248
ip nat inside source list 1 pool 10 overload
ip nat inside source static network 10.1.100.150 66.60.185.20 /32
ip nat inside source static network 10.1.100.210 66.60.185.21 /32
You do static NAT for .150 and .210 but these are in the excluded range so these inside addresses will never exist.
Second Remark, you do NAT overload on all your static IPs but NAT overload is against one IP
So I would change your config like that:
no ip dhcp excluded-address 10.1.100.126 10.1.100.254
ip dhcp excluded-address 10.1.100.126 10.1.100.149
ip dhcp excluded-address 10.1.100.151 10.1.100.209
ip dhcp excluded-address 10.1.100.211 10.1.100.254
no ip nat pool 10 66.60.185.18 66.60.185.21 netmask 255.255.255.258
no ip nat inside source list 1 pool 10 overload
ip nat inside source list 1 interface Gi0/0
no ip nat inside source static network 10.1.100.150 66.60.185.20 /32
no ip nat inside source static network 10.1.100.210 66.60.185.21 /32
ip nat inside source static 10.1.100.150 66.60.185.20
ip nat inside source static 10.1.100.150 66.60.185.21
Regards.
Alain.
02-04-2011 11:10 PM
hi alain,
i believe david can assign static IP address for the .150 and .210 and would still appear as valid inside LAN addresses.
for the NAT overload, he used 2 IPs 66.60.185.18 and 66.60.185.21 (if .18 is exhausted), which i also believe would still be a valid config.
02-04-2011 11:42 PM
Hi,
Good point for the static private IPs, I didn't take them into account.
Maybe the NAT overload woul have worked as is but I found that it was a waste to overload on more than 1 IP.
Regards.
Alain.
02-05-2011 12:43 AM
i believe he needs to do NAT overload on these 2 IPs considering he's using a class A private IP address (around 16
million+ hosts). NAT overload can only produce around 65,000+ host/dynamic ports on a single IP.
02-07-2011 12:58 PM
John,
Thanks - the statements used below in config worked a cinch!
02-07-2011 06:50 PM
cool! let me check further on this blockage issue and get back to you.
02-07-2011 02:20 PM
Thanks to all for helping - Question....on my LAN, I am seeing blockage between my
dhcp clients and the host that is 10.1.100.150 NAT'd to one of the statics.
In other words I'd like full traffic wide open between my LAN clients, and the host NAT'd.
Or do I need to move the NAT'd hosts to a DMZ zone and separate the subnets, rather than all being in one LAN subnet (10.1.100.x)?
New sho run:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2921
boot-start-marker
boot system flash0:/c2900-universalk9-mz.SPA.151-3.T.bin
boot-end-marker
!
!
logging buffered 256000 informational
enable secret 5 $1$NNtB$1JUg1gDKwSD3WgiRdm5y71
!
no aaa new-model
!
clock timezone PCTime -8 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.1.100.1 10.1.100.109
ip dhcp excluded-address 10.1.100.126 10.1.100.254
!
ip dhcp pool internal
import all
network 10.1.100.0 255.255.255.0
dns-server 10.1.100.254 66.60.130.6
default-router 10.1.100.254
!
!
ip name-server 66.60.130.2
ip name-server 66.60.130.6
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-552194196
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-552194196
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-552194196
*snip*
quit
license udi pid CISCO2921/K9 sn !
!
username admin privilege 15 view root !
redundancy
!
!
!
!
no ip ftp passive
!
class-map type inspect match-any SDM_TELNET
match access-group name SDM_TELNET
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_TELNET
match class-map SDM_HTTP
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol ftp
match protocol h323
match protocol sip
match protocol h323-nxg
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any sdm-service-ccp-inspect-1
match protocol http
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-any ftp
match protocol ftp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-9
match class-map sdm-mgmt-cls-0
match access-group 114
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-8
match class-map sdm-mgmt-cls-0
match access-group 110
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-7
match class-map sdm-mgmt-cls-0
match access-group 106
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-6
match class-map sdm-mgmt-cls-0
match access-group 104
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-5
match class-map sdm-mgmt-cls-0
match access-group 113
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-4
match class-map sdm-mgmt-cls-0
match access-group 112
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-3
match class-map sdm-mgmt-cls-0
match access-group 111
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-2
match class-map sdm-mgmt-cls-0
match access-group 109
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-1
match class-map sdm-mgmt-cls-0
match access-group 108
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
match class-map sdm-mgmt-cls-0
match access-group 107
class-map type inspect match-all ccp-protocol-http
match class-map sdm-service-ccp-inspect-1
class-map type inspect match-all sdm-nat-ftp-1
match access-group 105
match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-ftp-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ftp
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect sdm-mgmt-cls-ccp-permit-9
inspect
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class class-default
drop
!
zone security internet
zone security out-zone
zone security in-zone
zone security dmz-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 66.60.185.22 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.1.100.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description $FW_DMZ$$ETH-LAN$
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly in
zone-member security dmz-zone
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat pool 10 66.60.185.18 66.60.185.21 netmask 255.255.255.248
ip nat inside source list 1 pool 10 overload
ip nat inside source static 10.1.100.150 66.60.185.18
ip nat inside source static 10.1.100.151 66.60.185.19
ip nat inside source static 10.1.100.210 66.60.185.21
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq www
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended SDM_TELNET
remark CCP_ACL Category=0
permit tcp any any eq telnet
!
logging 10.1.100.111
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.100.0 0.0.0.255
access-list 3 permit 10.1.100.112
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 71.142.241.22
access-list 3 permit 66.205.158.73
access-list 3 permit 66.205.158.108
access-list 3 permit 64.30.104.149
access-list 3 permit 192.168.0.195
access-list 3 permit 66.60.164.51
access-list 3 permit 71.142.251.221
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 permit 10.1.100.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq telnet
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq 22
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq 22
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq 22
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq 22
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq 22
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq www
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq www
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq www
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq www
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq www
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq 443
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq 443
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq 443
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq 443
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq 443
access-list 100 permit tcp host 71.142.241.22 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.205.158.108 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 10.1.100.112 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.205.158.73 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 192.168.0.195 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 66.60.164.51 host 66.60.185.22 eq cmd
access-list 100 permit tcp host 64.30.104.149 host 66.60.185.22 eq cmd
access-list 100 deny tcp any host 66.60.185.22 eq telnet
access-list 100 deny tcp any host 66.60.185.22 eq 22
access-list 100 deny tcp any host 66.60.185.22 eq www
access-list 100 deny tcp any host 66.60.185.22 eq 443
access-list 100 deny tcp any host 66.60.185.22 eq cmd
access-list 100 deny udp any host 66.60.185.22 eq snmp
access-list 100 permit ip any host 66.60.185.18
access-list 100 permit ip any host 66.60.185.19
access-list 100 permit udp host 66.60.130.2 eq domain host 66.60.164.62
access-list 100 permit udp host 66.60.130.6 eq domain host 66.60.164.62
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip host 71.142.241.22 any
access-list 101 permit ip host 66.205.158.108 any
access-list 101 permit ip host 10.1.100.112 any
access-list 101 permit ip host 66.205.158.73 any
access-list 101 permit ip host 192.168.0.195 any
access-list 101 permit ip host 66.60.164.51 any
access-list 101 permit ip host 64.30.104.149 any
access-list 101 permit ip 10.1.100.0 0.0.0.255 any
access-list 101 permit ip host 71.142.251.221 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip host 71.142.241.22 any
access-list 102 permit ip host 66.205.158.108 any
access-list 102 permit ip host 10.1.100.112 any
access-list 102 permit ip host 66.205.158.73 any
access-list 102 permit ip host 192.168.0.195 any
access-list 102 permit ip host 66.60.164.51 any
access-list 102 permit ip host 64.30.104.149 any
access-list 102 permit ip 10.1.100.0 0.0.0.255 any
access-list 102 permit ip host 71.142.251.221 any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip host 192.168.0.195 host 66.60.185.22
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.1.100.150
access-list 106 remark Auto generated by SDM Management Access feature
access-list 106 remark CCP_ACL Category=1
access-list 106 permit ip host 66.205.158.73 host 66.60.185.22
access-list 107 remark Auto generated by SDM Management Access feature
access-list 107 remark CCP_ACL Category=1
access-list 107 permit ip host 71.142.251.221 host 66.60.164.62
access-list 108 remark Auto generated by SDM Management Access feature
access-list 108 remark CCP_ACL Category=1
access-list 108 permit ip 10.1.100.0 0.0.0.255 host 66.60.164.62
access-list 109 remark Auto generated by SDM Management Access feature
access-list 109 remark CCP_ACL Category=1
access-list 109 permit ip host 64.30.104.149 host 66.60.164.62
access-list 110 remark Auto generated by SDM Management Access feature
access-list 110 remark CCP_ACL Category=1
access-list 110 permit ip host 10.1.100.112 host 66.60.185.22
access-list 111 remark Auto generated by SDM Management Access feature
access-list 111 remark CCP_ACL Category=1
access-list 111 permit ip host 64.30.104.149 host 66.60.185.22
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark CCP_ACL Category=1
access-list 112 permit ip host 66.60.164.51 host 66.60.185.22
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark CCP_ACL Category=1
access-list 113 permit ip host 66.205.158.108 host 66.60.185.22
access-list 114 remark Auto generated by SDM Management Access feature
access-list 114 remark CCP_ACL Category=1
access-list 114 permit ip host 71.142.241.22 host 66.60.185.22
access-list 120 remark CCP_ACL Category=16
access-list 120 deny tcp host 10.1.100.200 eq www any
access-list 120 deny tcp host 10.1.100.200 eq 443 any
access-list 120 deny tcp host 10.1.100.30 eq 22 any
access-list 120 deny udp host 10.1.100.30 eq 22 any
access-list 120 deny tcp host 10.1.100.30 eq www any
access-list 120 deny tcp host 10.1.100.30 eq 443 any
access-list 120 deny udp host 10.1.100.30 eq 5060 any
access-list 120 permit ip 10.1.100.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 102 in
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
1 | any | 10.1.100.150 | sdm-nat-ftp-1 | Inspect | null |
02-08-2011 06:30 AM
hi david,
looking at your new config, there shouldn't be any blocking since your LAN clients 10.1.100.x is on the same subnet with 10.1.100.150. could you post a traceroute to see where the breakage is?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide