Cisco 3620 with Comcast SMC Gateway


xevious2k

IS-IT--Management
Nov 14, 2002
Hello,

I need some advice.

I am attempting to get a Cisco 3620 Router to work behind a Comcast Business Class Modem w/ built-in SMC Router. We are assigned 5 static IPs from Comcast--the Modem/Router uses the .50 address, with the other 4 just below this. According to Comcast, all one must do is to assign the Cisco Router a static IP of, for example, .49 w/ subnet mask, then somehow specify it to use the SMC Modem/Router as a Gateway (using the .50 address as the gateway address). As of right now, there is a Linksys Router in place that works just fine--can access from outside world using the .49 address.

The Cisco does not allow me any I-Net access on the inside, and needless to say, no outside-> in access either.

If anyone has any advice, please help! Thanks.
 
BTW, Here is my config...


service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname blahblahblah
!
enable password nottelling
!
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Context-Based Access Control
!
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
! IP inspect Ethernet_0_1
!
no ip inspect name Ethernet_0_1
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
!
! IP inspect Ethernet_0_0
!
no ip inspect name Ethernet_0_0
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 smtp
!
interface Ethernet 0/0
no shutdown
description connected to Internet
ip address 75.xxx.xxx.57 255.255.255.240
ip nat outside
ip inspect Ethernet_0_0 in
ip access-group 101 in
keepalive 10
!
interface Ethernet 0/1
no shutdown
description connected to EthernetLAN
ip address 192.xxx.xxx.2 255.255.255.0
ip nat inside
ip inspect Ethernet_0_1 in
ip access-group 100 in
keepalive 10
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 192.xxx.xxx.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
access-list 100 permit ip any any
!
! Access Control List 101
!
no access-list 101
access-list 101 deny ip host 75.xxx.xxx.56 any
access-list 101 deny ip host 75.xxx.xxx.55 any
access-list 101 deny ip host 75.xxx.xxx.53 any
access-list 101 deny ip host 75.xxx.xxx.52 any
access-list 101 deny ip host 75.xxx.xxx.51 any
!access-list 101 deny ip any host 75.xxx.xxx.56
!access-list 101 deny ip any host 75.xxx.xxx.55
!access-list 101 deny ip any host 75.xxx.xxx.53
!access-list 101 deny ip any host 75.xxx.xxx.52
!access-list 101 deny ip any host 75.xxx.xxx.51
access-list 101 permit gre any any
access-list 101 permit tcp any host 75.xxx.xxx.56 eq smtp
access-list 101 permit tcp any host 75.xxx.xxx.55 eq www
access-list 101 permit tcp any host 75.xxx.xxx.55 eq 443
access-list 101 permit tcp any host 75.xxx.xxx.55 eq 1723
access-list 101 permit tcp any host 75.xxx.xxx.53 eq www
access-list 101 permit tcp any host 75.xxx.xxx.53 eq 443
access-list 101 permit tcp any host 75.xxx.xxx.52 eq pop3
access-list 101 permit tcp any host 75.xxx.xxx.52 eq smtp
access-list 101 permit tcp any host 75.xxx.xxx.51 eq www
!
! Static NAT
!
ip nat inside source static 192.xxx.xxx.3 75.xxx.xxx.75
ip nat inside source static 192.xxx.xxx.5 75.xxx.xxx.76
ip nat inside source static 192.xxx.xxx.6 75.xxx.xxx.73
ip nat inside source static 192.xxx.xxx.7 75.xxx.xxx.72
ip nat inside source static 192.xxx.xxx.8 75.xxx.xxx.71
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool blahblahblah-natpool-1 75.xxx.xxx.65 75.xxx.xxx.65 netmask 255.255.255.0
ip nat inside source list 1 pool blahblahblah-natpool-1 overload
!
router rip
version 2
network 192.xxx.xxx.0
passive-interface Ethernet 0/0
no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Ethernet 0/0
no ip http server
snmp-server community public RO
snmp-server location
snmp-server contact
line console 0
exec-timeout 0 0
password nottelling
login
!
line vty 0 4
password nottelling
login
!
end
 
Try the router forum---this is cisco certification and testing...
ACL101 is doing too much---you need "permit ip any any" at the end. Also, what kind of NAT is THAT? Try
ip nat inside source list 100 int e0 overload
You also do not need to apply acl 100 to interface e1, because it's not doing any blocking. Don't delete it, as it can permit NAT for interface e0. One more thing...is the MODEM in bridge mode? If Comcast says that the only thing you have to do is assign the static address to the Cisco router, then do they plan on you using public IP's and NOT NATting at all?

Burt
 
Thanks Burt,

Won't "permit ip any any" then allow everything in on all addresses (basically wide open)?

Comcast only gives a maximum of 13 IP addresses, so to conserve them, I only want to use 1 IP for NAT.

The modem is in gateway mode and my linksys home router works great, I just don't want to have to use 1 for every IP address I am going to use.

This exact configuration worked on our old t-1 line, but when we switched to the cable modem, this problem arose. Nothing else has changed, I just don't get it...
 
One other thing...

Our t-1 line was only 1.5Mbps and the Cable is about 27Mbps, I know the ports are only 10Mbps, could that have any impact on this?
 
ACL 101 permit ip any any is needed, because there is an implicit deny statement at the end. The acl starts denying what you specified, so without the permit ip any any, it denies EVERYTHING...with the permit ip any any, it only denies what you have specified---it goes in order of the statements until a match is made.
The speed of everything is only as fast as the slowest link, so the nodes on the 10MBps side will only see 10MBps download speeds, as opposed to the 1.5 you saw before.
ip nat inside source list 100 75.x.x.x x.x.x.x overload
will work for the many-to-one NAT, or PAT.
Can you ping interface e0's IP address from the LAN?

Burt
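
The first-match evaluation and implicit deny described in the reply above, and the effect of a trailing "permit ip any any" asked about earlier in the thread, as an added example that is not part of the original posts. It models only the stateless ACL check (CBAC inspection and NAT are not modelled), uses a subset of the posted ACL 101 entries, and substitutes constructed documentation-range addresses for the masked 75.xxx.xxx.N hosts.

```python
import ipaddress

# Constructed stand-ins for the masked 75.xxx.xxx.56 / .55 hosts in the posted config.
MAIL = "203.0.113.56"
WEB = "203.0.113.55"
OUTSIDE = "198.51.100.7"  # constructed Internet source address

# Each entry: (action, protocol, source, destination, destination port).
# "any" is a wildcard address; protocol "ip" matches every protocol.
ACL_101 = [
    ("deny", "ip", MAIL, "any", None),    # source-based denies come first
    ("deny", "ip", WEB, "any", None),
    ("permit", "gre", "any", "any", None),
    ("permit", "tcp", "any", MAIL, 25),   # eq smtp
    ("permit", "tcp", "any", WEB, 80),    # eq www
    ("permit", "tcp", "any", WEB, 443),
]
# The same list with the trailing entry suggested in the thread.
ACL_101_OPEN = ACL_101 + [("permit", "ip", "any", "any", None)]


def _addr_match(rule_addr, addr):
    """True when the rule address is 'any' or equals the packet address."""
    if rule_addr == "any":
        return True
    return ipaddress.ip_address(rule_addr) == ipaddress.ip_address(addr)


def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index) of the first matching entry.

    Entries are tested top to bottom and the first match decides.
    If nothing matches, the implicit deny applies: ("deny", None).
    """
    for index, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto != "ip" and r_proto != proto:
            continue
        if not _addr_match(r_src, src) or not _addr_match(r_dst, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, index
    return "deny", None


def compare(proto, src, dst, dport=None):
    """Evaluate one packet against both variants of the list."""
    return (evaluate(ACL_101, proto, src, dst, dport),
            evaluate(ACL_101_OPEN, proto, src, dst, dport))
```

Calling compare("tcp", OUTSIDE, WEB, 22) shows the difference the two posts are discussing: the original list drops the packet at the implicit deny, while the list with the trailing permit passes it because no earlier entry matched.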
 