access-list and NAT 1

Sep 27, 2007
I am attempting to get an 1800 router to connect to the Internet using a single external IP address to provide NAT for all client computers, using the following relevant portions of the current config.

version 12.4

interface FastEthernet0/0
description Connected to LAN$ES_LAN$
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no mop enabled

!
interface Serial0/0/0
description Connect to the Internet
ip address 144.223.10.150 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 144.223.10.149
!
ip nat pool inet_add 198.69.35.239 198.69.35.239 netmask 255.255.255.248
ip nat inside source list 10 pool inet_add overload
ip nat inside source static 192.168.1.101 198.69.35.237
ip nat inside source static 192.168.1.225 198.69.35.238
!
!
logging trap debugging
access-list 10 permit 192.168.1.0
access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any any
no cdp run
!

When I remove the 101 access-list everything works fine. As soon as I make the first entry, however, I lose all connectivity to the Internet. I know I am missing something, I just can't figure out what it is. Any help would be greatly appreciated.
 
This is the edge router? If your IP address is 144.233, then where are these 198.69 addresses coming from? Is there another router beyond this?

Also, with a 198.69.35.239 you should have a netmask of 255.255.255.255 because the range is one address.
 
The highest 144.233 address is the address of the router itself on the Internet. It was assigned by the provider of the T1 service. The lower-numbered 144.233 address is the address of the next hop as defined by my T1 provider.

The 198.69.35 addresses are members of the address block assigned to me by the T1 service provider as public IPs available for assignment to my network servers. The netmasks were assigned by the service provider.

I really don't believe this to be a problem with the IP address assignment or netmask for those addresses. I am led to believe this because when I try to connect with access list 101 removed, I can connect fine. It's only when I put that access list in place that I end up unable to route any traffic to the Internet.

I might be seeing this from the wrong angle however.
 
With this ACL inbound on your WAN, you're blocking all returning traffic that is coming from your internal clients.
You need to turn on some ip inspect rules in order for your traffic to start flowing by punching holes in your ACL.


access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any any
So any traffic that doesn't match these rules will be blocked.

I'm at work and don't have a router in front of me to try this on, but something like (add protocols as required):

ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT dns
ip inspect name INSPECT smtp

int s0/0/0
ip inspect INSPECT out


Give that a whirl. SDM can do this for you too.
 
Is there something I need to configure beforehand to enable the ability to use ip inspect commands? As it is, from global configuration when I enter ip inspect I get an error on the s in inspect. Doesn't appear that I have the command.
 
It will depend on the IOS image you're using.
What IOS are you running?
 
show ver
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Tue 28-Nov-06 17:31 by kellythw

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)


System returned to ROM by reload at 11:42:05 CDT Thu Sep 27 2007
System image file is "flash:c1841-ipbase-mz.124-4.T7.bin"

Cisco 1841 (revision 7.0) with 115712K/15360K bytes of memory.
Processor board ID FTX1132Y16P
2 FastEthernet interfaces
1 Serial interface
WIC T1-DSU
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
 
Ya, I imagine the more advanced stuff would need an IP Plus image.

If you can't get an IOS with a bigger feature set, then you're going to have to loosen up your ACL to allow the other traffic inbound.
 
So do I need to give access rules for each protocol I want available on each IP in order to get this to work? That's gonna be one long access list. Is there another way I can accomplish what I am trying to do with the IP Base image?
 
Do you have a firewall behind the router on your LAN?
Typically ACLs aren't good for firewalling if you don't have the firewall feature set in the router.
The price to make it secure is that regular users won't be able to use the service very well.

In your case you pretty much need to have a permit ip any at the end.
So get all your denies out of the way and then allow the rest. You have no way of knowing what ports your internal clients are going to be communicating with, so you have to allow them all.
 
I'm a little confused about this line:

access-list 101 permit tcp any host 198.69.35.238 eq www

Is this your web server?? You are trying to set up an ACL to allow users FROM the internet to access your web server?

There's no line in your 101 ACL to allow your 192.168.1.0 users out to the net.

Access lists confuse me. The 101 ACL is being applied to the inbound direction of the s0 interface. If all IP traffic is denied, wouldn't your 192.168.1.0 users' requests to web servers get stopped at the s0 interface? In other words, the way I read ACL 101 is that 192.168.1.0 users can send requests for web pages, but when the responses return there's nothing in the 101 ACL to let that traffic back to the 192.168.1.0 users.
 
You've got it, eliot.
Basically there is no filtering for his internal clients outbound, but all IP traffic except the few lines listed will be blocked.

access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any any

If the above hosts are only to receive connections on the ports listed, then you should change it to something like this:

access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 deny ip any host 144.223.10.150
access-list 101 permit tcp any host 198.69.35.237 eq 9833
access-list 101 permit tcp any host 198.69.35.237 eq 27015
access-list 101 permit tcp any host 198.69.35.237 eq 27016
access-list 101 deny ip any host 198.69.35.237
access-list 101 permit tcp any host 198.69.35.238 eq 3000
access-list 101 permit tcp any host 198.69.35.238 eq 3001
access-list 101 permit tcp any host 198.69.35.238 eq 3003
access-list 101 permit tcp any host 198.69.35.238 eq 3007
access-list 101 permit tcp any host 198.69.35.238 eq 8800
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any host 198.69.35.238
access-list 101 permit ip any any
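As an added illustration (not code from the thread), a small first-match evaluator for the access-list 101 lines in this reply: it shows why the original list drops the replies to the NAT-overloaded clients (destination is the pool address 198.69.35.239, with a constructed ephemeral port) while the revised list passes them and still lets the static-NAT hosts receive only their listed ports. It assumes the source field is always "any" and maps only the port keywords that appear on the page; both lists are abbreviated to the lines that matter.

```python
# Added example (not from the thread): first-match evaluator for the
# "access-list 101" lines above; source is assumed "any", and only the port
# keywords used on the page (www, telnet) are mapped. Lists are abbreviated.
PORT_NAMES = {"www": 80, "telnet": 23}

def parse_acl(text):
    """Parse 'access-list N permit|deny proto any [host X] [eq P]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        action, proto, i = t[2], t[3], 5   # t[4] is the source, "any"
        if t[i] == "host":
            dst, i = t[i + 1], i + 2
        else:
            dst, i = None, i + 1           # destination "any" matches all
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, dst, port))
    return rules

def evaluate(rules, proto, dst, port):
    """First matching line wins; an IOS ACL ends with an implicit deny."""
    for action, rproto, rdst, rport in rules:
        if rproto not in ("ip", proto):
            continue
        if rdst is not None and rdst != dst:
            continue
        if rport is not None and rport != port:
            continue
        return action
    return "deny"

ORIGINAL = """
access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any any
"""
REVISED = """
access-list 101 permit tcp any host 144.223.10.150 eq telnet
access-list 101 deny ip any host 144.223.10.150
access-list 101 permit tcp any host 198.69.35.238 eq www
access-list 101 deny ip any host 198.69.35.238
access-list 101 permit ip any any
"""

def compare(proto, dst, port):
    """Verdict of (original, revised) list for one packet arriving on s0/0/0."""
    return (evaluate(parse_acl(ORIGINAL), proto, dst, port),
            evaluate(parse_acl(REVISED), proto, dst, port))
```

Running compare("tcp", "198.69.35.239", 51234) gives ("deny", "permit"), the return-traffic problem; compare("tcp", "198.69.35.238", 51234) gives ("deny", "deny"), which is the remaining gap for connections the static-NAT hosts open themselves.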
 
Ya, that should work. I was thinking the same thing when I was eating.
 
To plshlpme,

Still would need to get at various Internet services from the 237 and 238 hosts. So that would make the access-list more interesting. I would specifically have to open ports for things like DNS, email, FTP, etc.

However it looks like it's really my only option at this point. Thank you for the help.

To eliotB,

Yes, the 238 address has a web-based application on it that we need to leave open for external users. Really what I need is the ability to implement Cisco's Context Based Access Control for the Serial interface. This option is only available in the IP Plus version of the IOS; I have the base version on the router. Basically I am missing the complete ip inspect command set, which was used in a previous config from another router that I was going off in order to build the config for this one.
 