11-30-2011 03:35 PM - edited 03-07-2019 03:40 AM
I have an external interface (MFR0) that is connected to our ISP router using dual serial interfaces (WIC cards) as Frame Relay, and this is working.
I have an internal interface that is our internal network (FastEthernet0/0), and this is working. I was able to get dynamic NAT working, and everything is fine here.
I have another external interface (FastEthernet0/1) that is connected to a switch with a few servers that are intended to be a DMZ on our ISP-given IP range. This is not working. I can't get traffic to be routed from the ISP serial interfaces to this network. I have gotten traffic routed to this external interface from our internal interface using a second 'ip nat inside source list...', but this was not necessary on our previous T1 setup, so I'm not sure what's different.
My main test is to try to get traffic from the outside to be able to see port 80 of #.#.156.120, and I can't figure out why nothing can get there. I hope it's something simple like 'out' instead of 'in' or 'no ip nat outside'. Also, it's been a while since I took a Cisco class, so go easy on me.
I'm not sure of the policy on IP addresses, so I tried blanking out the first two octets of the important ones.
Using Cisco 1841 with version:
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Thanks,
Brandon
interface MFR0
description Multi-Link Frame Circuit
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface MFR0.100 point-to-point
description Internet
bandwidth 3000
ip address #.#.197.146 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 100
!
interface FastEthernet0/0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.5.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description WAN$ETH-LAN$$FW_OUTSIDE$
ip address #.#.156.113 255.255.255.240
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation frame-relay MFR0
ip route-cache flow
no arp frame-relay
!
interface Serial0/1/0
description multilink 1 interface
no ip address
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation frame-relay MFR0
ip route-cache flow
no arp frame-relay
!
ip classless
ip route 0.0.0.0 0.0.0.0 #.#.197.145
ip route #.#.156.112 255.255.255.240 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 3 interface MFR0.100 overload
!
logging trap debugging
access-list 1 remark NAT access list for PESI LAN
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 deny any
access-list 2 remark HTTP Server access list
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 deny any
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 104 permit ip any any
access-list 105 permit udp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit tcp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit udp host 8.8.8.8 eq domain host #.#.197.145
access-list 105 permit udp host 4.2.2.2 eq domain host #.#.197.145
access-list 105 permit icmp any any echo-reply log
access-list 105 permit icmp any any time-exceeded log
access-list 105 permit icmp any any unreachable log
access-list 105 permit tcp any host #.#.156.115 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq 443
access-list 105 permit tcp any host #.#.156.120 eq www
access-list 105 permit tcp any host #.#.156.120 eq 443
access-list 105 permit tcp any host #.#.156.120 eq ftp
access-list 105 deny ip host 255.255.255.255 any log
access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any any log
no cdp run
12-01-2011 08:57 AM
Replying to my own post.
The problem has to be in the routing between the two external interfaces, because I found the access list is correctly being hit for port 80 and ICMP traffic but nothing was returned.
Truncated result of 'show access-list':
80 permit tcp any host #.#.156.120 eq www (6 matches)
110 permit icmp any host #.#.156.120 (4 matches)
I changed the config around a little bit, removing the access-groups on the serial interfaces and adding a few additional lines to access group 105. The access-list match counts above were taken after these changes to the config.
Any help would be appreciated.
Thanks,
Brandon
interface MFR0
description Multi-Link Frame Circuit
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
!
interface MFR0.100 point-to-point
description Internet
bandwidth 3000
ip address #.#.197.146 255.255.255.252
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 100
!
interface FastEthernet0/0
description LAN$ETH-LAN$$FW_INSIDE$
ip address 192.168.5.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description WAN$ETH-LAN$$FW_OUTSIDE$
ip address #.#.156.113 255.255.255.240
ip access-group 104 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW in
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation frame-relay MFR0
ip route-cache flow
no arp frame-relay
!
interface Serial0/1/0
description multilink 1 interface
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation frame-relay MFR0
ip route-cache flow
no arp frame-relay
!
ip classless
ip route 0.0.0.0 0.0.0.0 #.#.197.145
ip route #.#.156.112 255.255.255.240 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source list 3 interface MFR0.100 overload
!
logging trap debugging
access-list 1 remark NAT access list for PESI LAN
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 deny any
access-list 2 remark HTTP Server access list
access-list 2 permit 192.168.5.0 0.0.0.255
access-list 2 deny any
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 100 permit ip any any
access-list 104 permit ip any any
access-list 105 permit udp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit tcp any #.#.156.0 0.0.0.255 eq domain
access-list 105 permit udp host 8.8.8.8 eq domain host #.#.197.145
access-list 105 permit udp host 4.2.2.2 eq domain host #.#.197.145
access-list 105 permit tcp any host #.#.156.115 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq smtp
access-list 105 permit tcp any host #.#.156.116 eq 443
access-list 105 permit tcp any host #.#.156.120 eq www
access-list 105 permit tcp any host #.#.156.120 eq 443
access-list 105 permit tcp any host #.#.156.120 eq ftp
access-list 105 permit icmp any host #.#.156.120
access-list 105 permit icmp host #.#.156.120 any
access-list 105 permit icmp any any
access-list 105 deny ip host 255.255.255.255 any log
access-list 105 deny ip host 0.0.0.0 any log
access-list 105 deny ip any any log
no cdp run
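The two checks the poster reasons about in both posts (which line of ACL 105 a given flow hits, and which interface the router forwards it out of) can be modelled offline. The script below is an added example written for this page; it is not code from the thread or from Cisco. It implements first-match evaluation of IOS extended access-list lines with the implicit deny at the end, plus a longest-prefix lookup over the posted static routes. Assumptions: the blanked '#.#.' octets are rendered as 10.0.156.x and 10.0.197.x, 192.0.2.10 is a constructed outside client, only a subset of ACL 105 is reproduced, and NAT, CBAC inspection and uRPF are not modelled. Against the 11-30 version of ACL 105 it shows that TCP/80 to .156.120 is permitted but an ICMP echo to .156.120 falls through to the final 'deny ip any any log' (that ACL only permits echo-reply, time-exceeded and unreachable inbound), so a ping from outside could not have succeeded with that ACL regardless of routing; the 12-01 revision permits it. It also shows that the web server's reply entering FastEthernet0/1 is permitted by ACL 104 and routed out MFR0.100 via the default route, so the posted ACLs and routes by themselves do not account for the missing replies.

```python
"""Offline model of two checks the posted 1841 applies to a packet: a longest-prefix route
lookup and a first-match walk of an inbound extended ACL. Added example, not thread code."""
import ipaddress
from dataclasses import dataclass

# Assumption: the blanked "#.#." octets are rendered as 10.0.156.x / 10.0.197.x and
# 192.0.2.10 is a constructed outside client. NAT, inspect and uRPF are not modelled.
ROUTES = {                               # posted 'ip route' lines plus the connected /30
    "0.0.0.0/0": "MFR0.100",
    "10.0.197.144/30": "MFR0.100",
    "10.0.156.112/28": "FastEthernet0/1",
    "192.168.5.0/24": "FastEthernet0/0",
}
PORTS = {"www": 80, "domain": 53, "smtp": 25, "ftp": 21}
ICMP_TYPES = {"echo": 8, "echo-reply": 0, "unreachable": 3, "time-exceeded": 11}

# Subset of ACL 105 as posted on 11-30: only ICMP replies/errors are permitted inbound.
ACL105_FIRST = [
    "access-list 105 permit udp any 10.0.156.0 0.0.0.255 eq domain",
    "access-list 105 permit udp host 8.8.8.8 eq domain host 10.0.197.145",
    "access-list 105 permit icmp any any echo-reply log",
    "access-list 105 permit tcp any host 10.0.156.120 eq www",
    "access-list 105 deny ip any any log",
]
# The 12-01 revision inserts ICMP permits ahead of the final deny.
ACL105_SECOND = ACL105_FIRST[:-1] + [
    "access-list 105 permit icmp any host 10.0.156.120",
    "access-list 105 permit icmp host 10.0.156.120 any",
] + ACL105_FIRST[-1:]
ACL104 = ["access-list 104 permit ip any any"]      # inbound on FastEthernet0/1

@dataclass
class Packet:
    proto: str                           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

def exit_interface(dst):
    """Longest-prefix match over ROUTES; the default route matches every address."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    return ROUTES[str(max(nets, key=lambda n: n.prefixlen))]

def _addr(tokens):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def _port(tokens):
    """Consume an optional 'eq PORT' operator; lt/gt/range are not modelled."""
    if tokens and tokens[0] == "eq":
        return (int(tokens[1]) if tokens[1].isdigit() else PORTS[tokens[1]]), tokens[2:]
    return None, tokens

def parse_acl(lines):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [ICMP-TYPE] [log]'."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] not in ("ip", "tcp", "udp", "icmp"):
            continue                     # remarks and standard (numbered 1-99) ACLs are skipped
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        icmp = ICMP_TYPES[rest[0]] if proto == "icmp" and rest and rest[0] != "log" else None
        entries.append((line.strip(), action, proto, src, sport, dst, dport, icmp))
    return entries

def _matches(entry, pkt):
    _, _, proto, src, sport, dst, dport, icmp = entry
    return ((proto == "ip" or proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst
            and (sport is None or sport == pkt.sport)
            and (dport is None or dport == pkt.dport)
            and (icmp is None or icmp == pkt.icmp_type))

def evaluate(entries, pkt):
    """First match wins, as on IOS; fall through to the implicit deny. Returns (action, line)."""
    for entry in entries:
        if _matches(entry, pkt):
            return entry[1], entry[0]
    return "deny", "<implicit deny ip any any>"

def demo():
    """The thread's flows: an outside web request and ping to .120, and the web server's reply."""
    web_in = Packet("tcp", "192.0.2.10", "10.0.156.120", sport=51000, dport=80)
    ping_in = Packet("icmp", "192.0.2.10", "10.0.156.120", icmp_type=8)
    web_back = Packet("tcp", "10.0.156.120", "192.0.2.10", sport=80, dport=51000)
    return {
        "web_in_first": evaluate(parse_acl(ACL105_FIRST), web_in)[0],       # permit
        "ping_in_first": evaluate(parse_acl(ACL105_FIRST), ping_in)[0],     # deny
        "ping_in_second": evaluate(parse_acl(ACL105_SECOND), ping_in)[0],   # permit
        "web_back_acl104": evaluate(parse_acl(ACL104), web_back)[0],        # permit
        "web_in_exit": exit_interface(web_in.dst),                           # FastEthernet0/1
        "web_back_exit": exit_interface(web_back.dst),                       # MFR0.100
    }
```

The first-match rule is why the position of the 'permit icmp' lines relative to 'deny ip any any log' matters, and why reading the 'show access-lists' counters as the poster did is the right check: a hit on a permit line proves the packet reached the router and passed that ACL, so what remains to be verified is the forwarding and return path (the DMZ hosts' default gateway, the NAT and inspect state, and the ISP's route for the /28), which this model deliberately leaves out.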