
Cisco 2600 w/ NAT....No internet access 1


SouthernConfusion

IS-IT--Management
Jul 26, 2004
13
US
Ok...I have a Cisco 2621 with 2 FastEthernet cards...one is inside network and the other is the wan connection. I have designated the appropriate interfaces as ip nat inside and outside. The problem is that when I change my access-list from permit ip any any to permitting only certain ports etc. I lose all internet connectivity on the local network. This access-list I speak of is applied to the outside interface as "access-group 102 out". Seeing as changing the access-list 102 to "permit ip any any" solves this problem I am obviously missing something. Thanks in advance for any assistance.
 
Unless I add "permit ip any any" to access-list 102 below I have NO internet connectivity. Thanks again for the help.


Current configuration : 2118 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
ip subnet-zero
ip name-server 24.xxx.xx.x
ip name-server 24.xxx.xx.x
ip dhcp excluded-address 192.168.200.1
ip dhcp excluded-address 192.168.200.2
ip dhcp excluded-address 192.168.200.3
ip dhcp excluded-address 192.168.200.4
ip dhcp excluded-address 192.168.200.5
ip dhcp excluded-address 192.168.200.6
ip dhcp excluded-address 192.168.200.7
ip dhcp excluded-address 192.168.200.8
ip dhcp excluded-address 192.168.200.9
ip dhcp excluded-address 192.168.200.10
!
ip dhcp pool jeremy
network 192.168.200.0 255.255.255.0
domain-name xxx.com
default-router 192.168.200.1
dns-server 192.168.199.3
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.200.1 255.255.255.0
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
ip address 24.158.xxx.xxx 255.255.255.224 secondary
ip address 24.158.xxx.xxx 255.255.255.224
ip access-group 102 in
ip nat outside
no ip mroute-cache
duplex auto
speed auto
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.200.1 23 interface FastEthernet0/1 23
ip nat inside source static 192.168.200.3 24.158.xxx.xxx
ip classless
ip route 0.0.0.0 0.0.0.0 24.158.xxx.xxx
ip http server
!
access-list 101 permit ip any any
access-list 102 permit tcp any host 24.158.xxx.xxx eq www
access-list 102 permit tcp any host 24.158.xxx.xxx eq telnet
access-list 102 permit tcp any host 24.158.xxx.xxx eq smtp
access-list 102 permit tcp any host 24.158.xxx.xxx eq 3389
access-list 102 permit tcp any host 24.158.xxx.xxx eq ftp
access-list 102 permit icmp any any
!
!
line con 0
password xxx
line aux 0
line vty 0 4
password xxx
login
line vty 5 15
password xxx
login
!
end
 
You have no Context Based Access-Control lists set up. CBAC makes temporary holes in your f/w to allow traffic back to your LAN. Your LAN is going out ok, but the return traffic is stopped by access-list 102. Adding the below lines to your config should help you out.

ip inspect name myinspect tcp
ip inspect name myinspect udp
ip inspect name myinspect cuseeme
ip inspect name myinspect ftp
ip inspect name myinspect h323
ip inspect name myinspect rcmd
ip inspect name myinspect realaudio
ip inspect name myinspect smtp
ip inspect name myinspect streamworks
ip inspect name myinspect vdolive
ip inspect name myinspect tftp
ip inspect name myinspect sqlnet
ip inspect name myinspect http java-list 30
int fastethernet0/1
ip inspect myinspect out
access-list 30 permit any

here is a link
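The following is an added illustration of the two posts above, not code from the thread or from Cisco: a small Python model of how a stateless interface ACL such as access-list 102 (applied inbound on the NAT-outside interface, as the pasted configuration shows) drops the return half of a LAN user's web session, and how a CBAC-style inspection table, built from sessions seen leaving that interface, lets exactly that return traffic back in while unsolicited inbound connections are still judged by the ACL alone. The addresses 24.158.0.10, 203.0.113.5 and 198.51.100.7 are constructed stand-ins for the masked values in the post, and the packet and session-table formats are simplifications.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked addresses in the post.
OUTSIDE_ADDR = "24.158.0.10"   # router's FastEthernet0/1 (ip nat outside) address
WEB_SERVER = "203.0.113.5"     # an Internet web server a LAN user browses to


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit tcp any host X eq www'."""
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # "any" or a host address
    dst: str                      # "any" or a host address
    dport: Optional[int] = None   # None means no 'eq <port>' qualifier

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("ip", pkt.proto)
            and self.src in ("any", pkt.src)
            and self.dst in ("any", pkt.dst)
            and (self.dport is None or self.dport == pkt.dport)
        )


# access-list 102 from the post, with the masked host replaced by OUTSIDE_ADDR.
ACL_102 = [
    Ace("permit", "tcp", "any", OUTSIDE_ADDR, 80),     # eq www
    Ace("permit", "tcp", "any", OUTSIDE_ADDR, 23),     # eq telnet
    Ace("permit", "tcp", "any", OUTSIDE_ADDR, 25),     # eq smtp
    Ace("permit", "tcp", "any", OUTSIDE_ADDR, 3389),
    Ace("permit", "tcp", "any", OUTSIDE_ADDR, 21),     # eq ftp
    Ace("permit", "icmp", "any", "any"),
]


def acl_permits(acl, pkt: Packet) -> bool:
    """First-match evaluation with IOS's implicit 'deny ip any any' at the end."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


class Inspector:
    """Minimal CBAC-like state table (an assumption, not the real IOS data
    structure): remembers sessions that leave the outside interface and admits
    only their return packets on the way back in."""

    def __init__(self, protocols=("tcp", "udp")):
        self.protocols = set(protocols)   # like 'ip inspect name myinspect tcp/udp'
        self.sessions = set()

    def outbound(self, pkt: Packet) -> None:
        if pkt.proto in self.protocols:
            self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound_allowed(self, pkt: Packet) -> bool:
        # A return packet has the recorded tuple with source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def inbound_decision(acl, pkt: Packet, inspector: Optional[Inspector] = None) -> bool:
    """Inbound check on the outside interface: a known session bypasses the ACL,
    anything else must pass the static ACL."""
    if inspector is not None and inspector.inbound_allowed(pkt):
        return True
    return acl_permits(acl, pkt)


def run_scenario() -> dict:
    # Outbound packet as seen leaving Fa0/1, i.e. after NAT overload has rewritten
    # the LAN source (192.168.200.x) to the outside address and a new port.
    outbound = Packet("tcp", OUTSIDE_ADDR, 1025, WEB_SERVER, 80)
    # The web server's reply: source port 80, destination the translated port.
    reply = Packet("tcp", WEB_SERVER, 80, OUTSIDE_ADDR, 1025)
    # Two unsolicited inbound connection attempts for comparison.
    rdp = Packet("tcp", "198.51.100.7", 40000, OUTSIDE_ADDR, 3389)
    smb = Packet("tcp", "198.51.100.7", 40001, OUTSIDE_ADDR, 445)

    cbac = Inspector()
    cbac.outbound(outbound)   # 'ip inspect myinspect out' sees the session leave

    return {
        "return_without_cbac": inbound_decision(ACL_102, reply),         # dropped
        "return_with_cbac": inbound_decision(ACL_102, reply, cbac),      # permitted
        "unsolicited_3389": inbound_decision(ACL_102, rdp, cbac),        # ACL permits
        "unsolicited_445": inbound_decision(ACL_102, smb, cbac),         # implicit deny
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name}: {'permitted' if allowed else 'dropped'}")
```

The model makes the failure in the first post concrete: the reply to an outbound web session arrives with destination port 1025, not 80, so none of the `eq` entries match and the implicit deny drops it, which is why only `permit ip any any` restored connectivity. Inspection adds the missing state without widening the static ACL, so the inbound entries in access-list 102 still define the only services reachable from outside.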
 