Opps, typo, I meant I added in the following:

ip nat inside source static tcp 192.168.2.11 25 interface dialer0 22

ip nat inside source static tcp 192.168.2.11 25 interface dialer0 122

Should I be using "ip nat inside" or "ip nat outside"? I am a bit confused.

"ip nat inside" is the correct one. Are you sure that your connectivity goes down? Did you try reloading the router? Can you paste output of "sh ip nat translations" and "traceroute 4.2.2.2"

Yes after I all in those entries, internet connection dropped. And when I remove all of them the internet connection is up again. I did not try to re-start the router.

The router is not with me now so I cannot get the output for you.

Should I be adding the commands at the vlan1 interface or the dialer0 interface?

Thanks.

I added acl104 to allow incoming port 22 and 122 from the internet to the internal server (192.168.2.11). If not how should I configure the router?

I am a firewall expert than router, but router should be a stateful device also, I mean return traffic of traffic that is originated locally should bypass an ACL applied to inbound of Dialer0, thats why it shouldnt cause internet connectivity loss.

But lets find it out by trial and error,

Patrick, let the nat statements stay and remove the ip access-group 104 in command from interface. Internet connection still down?

Patrick,as the nat is already dere to allow external traffic to hit the internal server, there should not be any need for an acl on the dialer interface. Anyways the acl is not doin much here. I wud suggest removing the acl & tryin the access..as in situations like this the nat should suffice for traffic redirection to correct internal segment!

let us know ur thoughts or results..

Husy..the router being stateful wud have been stateful if there would hv been an explicit inspect statement attached to the interface to keep the originated traffic under inspection.

Firewalls on the other hand are built to be stateful cos they are xclusive security stuff.

Lets w8 for patrick to revert with results!

Rate if this helps..Thanks!!!!

Patrick,

Before removing the acl, try adding this

access-list 104 permit tcp any any established

Regards

Hi all,

OK, in that case I will try changing it tomorrow when I am back to office.

In that case do I still need to put "ip access-group 104 in" at the dialer0 interface?

So in total I will put in

"access-list 104 permit tcp any any established",

"ip nat inside source static tcp 192.168.5.11 25 interface dialer0 22",

and

"ip nat inside source static tcp 192.168.5.11 25 interface dialer0 122"?

I notice that there are some statement on the router's current config is mentioning port 22 as well, will my port 22 NAT affect those current settings as well?

Thanks.

Patrick,

Here is the total comands that you have to issue

interface d0

ip access-group 104 in

access-list 104 permit tcp any any established

access-list 104 permit tcp any any eq 22

access-list 104 permit tcp any any eq 122

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 22

ip nat inside source static tcp 192.168.5.11 25 interface dialer0 122

Port 22 is for Secure Shell (SSH), dont know where it can be stated in your config so cant say what would it affect other than SSH communication.

Assuming that CBAC, which is a part of IOS firewall feature set for your router is not enabled or doesnt exist, It can not bypass the return traffic of locally originated sessions, thus return traffic for your internet traffic hits the implicit deny and you have no internet connectivity. The permti statement for "established" would take care of that.

Regards

You should be using "inspection" on the internal and external interfaces.

Inspection will create dynamic holes in the firewall to facilitate traffic in the return path, and will simplify your interface ACLs.

The internal interface ACL should be configured to permit the specific protocols permitted (by security policy) for outbound communication. Applying inspection on the internal interface will provision the return path by opening dynamic holes in the outside interface ACL.

The same is done on the external interface. An ACL is created to permit connections from external hosts to your internal servers. Inspection is applied there to facilitate packets returning from your servers, by opening dynamic holes in the internal interface's ACL.

Inspection would be a better choice that using the established key word in ACLs.

e.g.: A simple inspection example:

ip inspect log drop-pkt

ip inspect audit-trail

ip inspect name our-insp tcp

ip inspect name our-insp udp

ip inspect name our-insp icmp

ip inspect name our-insp dns

ip inspect name our-insp ftp

ip inspect name our-insp pop3

interface Ethernet0

description ~5Mbps Exposed to Internet

ip inspect our-insp in

interface FastEthernet0

description Internal Network

ip inspect our-insp in

Note: Ideally you would migrate to Granular Protocol Inspection and avoid the generic UDP and TCP inspection, but that is up to you.

I've not looked at your NAT issues, just the lack of Internet connectivity following application of the limited ACL on the external interface.