Firewall+NAT problems

volkeningheim
Level 1

Hi,

I run a Cisco 861 to connect a small LAN to the Internet. The router provides DHCP and DNS to the local users and does NAT to map to one public IP. To secure the router I followed the steps given at

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml

However, I encounter two problems now:

1) When I bind an access-list to the inside-interface, DHCP stops functioning. To start with, the access-list is very permissive:

access-list 102 permit tcp 192.168.43.0 0.0.0.255 any
access-list 102 permit udp 192.168.43.0 0.0.0.255 any
access-list 102 permit icmp 192.168.43.0 0.0.0.255 any
access-list 102 permit ip 192.168.43.0 0.0.0.255 any

Additionally, for the firewall to work, the interface is inspecting packets that are coming in:

ip inspect name firewall http timeout 3600
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 15

2) When I now bind an access-list to the outside-interface, communication to the internet is totally blocked:

access-list 112 permit icmp any any
access-list 112 deny   ip any any log

See the appended config for full details. Without the access-lists, the setup works perfectly.

Which part am I doing wrong? Any help is appreciated,

Benjamin

15 Replies

Hello,

Thanks for this idea. I tried

interface FastEthernet4
 ip inspect firewall in
 ip inspect firewall out

but it's still the same issue. The router itself has no access to the internet.
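An added illustration, not part of the thread and not posted by any participant: a small Python model of Cisco IOS extended ACL matching that parses the ACL lines quoted above and runs constructed packets through them. It covers both problems in the original post and the observation in the reply. A client without a lease sends its DHCPDISCOVER from 0.0.0.0 to 255.255.255.255, so no entry in ACL 102 with a 192.168.43.0/24 source ever matches it and the implicit deny drops it. A DNS reply addressed to the router itself is dropped by ACL 112 because classic CBAC (ip inspect) does not inspect router-originated traffic and therefore opens no dynamic entry for the return packet; that matches "the router itself has no access to the internet". The corrected ACEs, the port-name table, the sample addresses and the router's WAN address 198.51.100.2 are assumptions of this example, not from the thread.

```python
"""Model of IOS extended ACL matching (added example, not from the thread).
Parses a subset of the IOS syntax: access-list N permit|deny PROTO
SRC [eq PORT] DST [eq PORT] [log], where an address is 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
import ipaddress
from dataclasses import dataclass

# Port names IOS prints in ACLs (subset needed here).
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _parse_addr(tokens):
    """Consume an address spec; return (value, care_mask) of 32-bit ints.
    Bits set in care_mask must match. IOS wildcard bits set to 1 mean
    'don't care', so the care mask is the inverted wildcard."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = 0xFFFFFFFF ^ wildcard
    return addr & care, care


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None


def parse_ace(line):
    t = line.split()
    assert t[0] == "access-list"
    action, proto, rest = t[2], t[3], t[4:]
    src = _parse_addr(rest)
    sport = _parse_port(rest)
    dst = _parse_addr(rest)
    dport = _parse_port(rest)          # a trailing 'log' keyword is ignored
    return action, proto, src, sport, dst, dport


def _addr_match(spec, ip):
    value, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == value


def evaluate(acl_lines, pkt):
    """Walk the ACEs in order; the first match decides. IOS appends an
    implicit 'deny ip any any', so an unmatched packet is denied."""
    for line in acl_lines:
        action, proto, src, sport, dst, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _addr_match(src, pkt.src) or not _addr_match(dst, pkt.dst):
            continue
        if sport is not None and sport != pkt.sport:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


ACL_102 = [  # inside interface, as posted
    "access-list 102 permit tcp 192.168.43.0 0.0.0.255 any",
    "access-list 102 permit udp 192.168.43.0 0.0.0.255 any",
    "access-list 102 permit icmp 192.168.43.0 0.0.0.255 any",
    "access-list 102 permit ip 192.168.43.0 0.0.0.255 any",
]
# Constructed packets. A leaseless client has no address in 192.168.43.0/24 yet.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
WEB_REQUEST = Packet("tcp", "192.168.43.10", "203.0.113.5", 51000, 80)
# Assumed fix: admit bootpc -> bootps ahead of the subnet rules.
ACL_102_FIXED = ["access-list 102 permit udp any eq bootpc any eq bootps"] + ACL_102

ACL_112 = [  # outside interface, as posted
    "access-list 112 permit icmp any any",
    "access-list 112 deny ip any any log",
]
ROUTER_WAN_IP = "198.51.100.2"   # placeholder, not the thread's real address
# Reply to a DNS query the router's own DNS proxy sent; CBAC opens no hole for it.
DNS_REPLY_TO_ROUTER = Packet("udp", "198.51.100.53", ROUTER_WAN_IP, 53, 40000)
# Assumed fix: statically permit the router's own DNS return traffic.
ACL_112_FIXED = [
    "access-list 112 permit icmp any any",
    f"access-list 112 permit udp any eq domain host {ROUTER_WAN_IP}",
    "access-list 112 deny ip any any log",
]


def demo():
    return {
        "web_on_102": evaluate(ACL_102, WEB_REQUEST),
        "dhcp_on_102": evaluate(ACL_102, DHCP_DISCOVER),
        "dhcp_on_102_fixed": evaluate(ACL_102_FIXED, DHCP_DISCOVER),
        "dns_reply_on_112": evaluate(ACL_112, DNS_REPLY_TO_ROUTER),
        "dns_reply_on_112_fixed": evaluate(ACL_112_FIXED, DNS_REPLY_TO_ROUTER),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model deliberately stops at static matching: CBAC's dynamic openings for LAN-originated sessions are what make the posted setup work for hosts behind the router, and the point of the DNS case is precisely that no such opening exists for sessions the router starts itself, so the outside ACL has to carry those return-traffic permits statically.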
