Cisco 801 loopback config?


Phoenix235

Programmer
Sep 23, 2002
30
GB
Hello, I have a Cisco 801 as my router. I just set up Win2k with IIS 5.0 and want to host OWA for Exchange on this machine; the problem is I cannot get out through the router. I have been looking and I think it's to do with setting up a loopback? Can anyone please help me with this?

Below is a copy of my routers config:

Thank you for taking a look
Mike



version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname demon-gw
!
boot system flash:c800-osy6-mw_121-5.bin
!
!
!
ip subnet-zero
no ip source-route
!
ip inspect name firewall cuseeme
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall smtp
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall h323
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip inspect name firewall tcp
ip inspect name firewall udp
no ip domain-lookup
no ip finger
isdn switch-type basic-net3
!
!
!
interface Ethernet0
ip address 192.168.0.254 255.255.255.0
ip access-group 101 in
no ip proxy-arp
ip nat inside
ip inspect firewall in
no cdp enable
no shutdown
!
interface BRI0
no ip address
encapsulation ppp
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
ppp authentication chap pap callin
no shutdown
!
interface Dialer2
description Dial-up link to Demon Internet
ip address negotiated
ip access-group 112 in
ip nat outside
ip inspect firewall out
encapsulation ppp
dialer pool 1
dialer idle-timeout 3600
dialer string 08450418587
dialer load-threshold 1 either
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username honda1 password 7 05431562788436
ppp multilink
!
ip nat inside source list 18 interface Dialer2 overload
ip nat inside source static tcp 192.168.0.2 25 193.195.86.134 25 extendable
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2
!
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq domain
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq domain
access-list 101 permit icmp 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit tcp 192.168.0.0 0.0.0.255 any eq 123
access-list 101 permit udp 192.168.0.0 0.0.0.255 any eq ntp
access-list 101 deny tcp 192.168.0.0 0.0.0.255 any eq www
access-list 101 deny tcp 192.178.0.0 0.0.0.255 any eq www
access-list 112 deny ip any 192.168.0.0 0.0.255.255
access-list 112 permit ip any any
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq www
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq domain
access-list 120 permit udp 192.168.0.0 0.0.0.255 any eq domain
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq 443
access-list 120 permit icmp 192.168.0.0 0.0.0.255 any
access-list 120 permit tcp 192.168.0.0 0.0.0.255 any eq 123
access-list 120 deny tcp 192.178.0.0 0.0.0.255 any eq www
dialer-list 1 protocol ip list 120
no cdp run
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
exec-timeout 0 0
login local
!
time-range TIME
periodic daily 0:00 to 23:59
!
end
 
Your ACLs:

On the outside interface you have

access-list 112 deny ip any 192.168.0.0 0.0.255.255
access-list 112 permit ip any any

OK, what you are doing is saying, "don't allow anyone into my LAN". I am pretty sure NAT happens after the access-lists are evaluated for inbound packets, therefore when you, for instance, ping 32.32.23.1......

1. Your PC gets translated to the DHCP-assigned address and sends the echo request packet out.

2. 32.32.23.1 sends an echo-reply packet back to the router's DHCP address.

3. The router reverses the translation and then it is denied by the access-list.

Since you only have two interfaces, you are very much over-complicating your configuration.
ACL 101 doesn't do anything in the 'in' position, and there is NO need to have the 'firewall in' on the e1 interface.

You have CBAC, so all you need to do is permit the wanted traffic for inbound access and have CBAC inspect your 'PC-initiated' traffic on the way out so that it can create dynamic ACL entries for return traffic on its own.


Once again, here is some CBAC advice from my website, and a reply from yesterday I supplied to a poster.

CBAC CONFIGURATION

CBAC THEORY

REPLY FROM YESTERDAY
thread557-573524
 
Sorry, I meant:

OK, what you are doing is saying, "don't allow anyone into my LAN". I am pretty sure NAT happens BEFORE the access-lists are evaluated for inbound packets, therefore when you, for instance, ping 32.32.23.1......


NAT

outbound

src----------------------------------->dst
outbound access-list evaluated ----> NAT<--OutsideRouterInterface



inbound

src <------return traffic--------------dst
inbound access-list evaluated<---------NAT<--OutsideRouterInterface
 
Thank you for your good advice, I am trying to decode it :)
Can you explain it to me in layman's terms?

I did not write this list; I only added a few lines once to block two IPs, but later I removed them again due to problems, and then I opened port 123 to allow us to time-sync.

Now my PC is on 192.168.0.20 and I would like this machine to be our HTTP server. I am running OWA on it, but I just can't work out what line to add and where to put it in the list?



Kind regards

Mike
 
I am wondering if I add this:

ip nat inside source list 18 interface Dialer2 overload
ip nat inside source static tcp 192.168.0.2 25 193.195.86.134 25 extendable
ip nat inside source static tcp 192.168.0.20 80 193.195.86.134 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer2

and take out the line: no ip http server

would this not allow the outside network to access 192.168.0.20 on port 80?


Regards

Mike
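The replies above disagree on whether the inbound access-list on Dialer2 sees the packet before or after NAT, and Mike's last post asks whether a static translation alone is enough to publish port 80. The following is an added example written for this thread, not IOS and not code any poster supplied: a small simulator of the Dialer2 inbound path (extended ACL with first-match and implicit-deny semantics, then a static NAT lookup) fed with ACL 112 and the two static entries from the thread. Cisco's documented order for traffic entering the outside interface checks the input access-list before the outside-to-inside translation, so the ACL sees the global address; the order is a parameter here so both outcomes can be compared. The source address 203.0.113.9, the explicit-permit ACL named `HARDENED`, and the function names are assumptions of this example. The parser ignores `established`, source-port qualifiers, time-ranges and the dynamic entries CBAC inserts.

```python
"""Simulate the Dialer2 inbound path: extended ACL, then static NAT lookup.
Added example, not IOS and not code from the thread; simplified on purpose."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: ACL 112 plus the two static entries Mike proposes.
CONFIG = """
ip nat inside source static tcp 192.168.0.2 25 193.195.86.134 25 extendable
ip nat inside source static tcp 192.168.0.20 80 193.195.86.134 80 extendable
access-list 112 deny ip any 192.168.0.0 0.0.255.255
access-list 112 permit ip any any
"""

# Same mappings behind an explicit-permit ACL (a suggestion of this example, not
# from the thread): only the two published services are listed, all else is dropped.
HARDENED = CONFIG.replace(
    "access-list 112 deny ip any 192.168.0.0 0.0.255.255\n"
    "access-list 112 permit ip any any",
    "access-list 112 permit tcp any host 193.195.86.134 eq smtp\n"
    "access-list 112 permit tcp any host 193.195.86.134 eq www\n"
    "access-list 112 deny ip any any")

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "pop3": 110, "domain": 53, "ntp": 123}


@dataclass
class AclEntry:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp"
    src: tuple             # (address, wildcard) as integers
    dst: tuple
    dport: Optional[int]   # destination "eq" port, None = any port


def parse_addr(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return ((addr, wildcard), next)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_port(tokens, i):
    """Optional 'eq <port|name>' qualifier; return (port or None, next)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_config(text):
    """Collect numbered ACLs and 'ip nat inside source static' port mappings."""
    acls, statics = {}, []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            src, i = parse_addr(t, 4)
            _, i = parse_port(t, i)        # source-port qualifier: skipped, not modelled
            dst, i = parse_addr(t, i)
            dport, _ = parse_port(t, i)
            acls.setdefault(t[1], []).append(AclEntry(t[2], t[3], src, dst, dport))
        elif t[:5] == ["ip", "nat", "inside", "source", "static"]:
            # ... static <proto> <inside> <iport> <global> <gport> [extendable]
            statics.append((t[5], t[8], int(t[9]), t[6], int(t[7])))
    return acls, statics


def matches(rule, ip):
    """IOS wildcard semantics: only the bits where the wildcard is 0 must match."""
    addr, wildcard = rule
    return ((addr ^ ip) & ~wildcard & 0xFFFFFFFF) == 0


def acl_verdict(entries, proto, src_ip, dst_ip, dport):
    """Walk the ACL top-down; the first matching line decides, no match means deny."""
    s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (matches(e.src, s) and matches(e.dst, d)):
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


def inbound_path(config, proto, src_ip, global_ip, gport, acl="112", acl_before_nat=True):
    """A packet from src_ip arrives on the outside interface for global_ip:gport.
    acl_before_nat=True is Cisco's documented order (input ACL, then outside-to-inside
    NAT), so the ACL sees the global address; False models the reply in the thread,
    where the ACL would see the already-translated inside address."""
    acls, statics = parse_config(config)
    mapping = next(((inside, iport) for p, g, gp, inside, iport in statics
                    if (p, g, gp) == (proto, global_ip, gport)), None)
    acl_dst, acl_port = global_ip, gport
    if not acl_before_nat and mapping is not None:
        acl_dst, acl_port = mapping
    if acl_verdict(acls.get(acl, []), proto, src_ip, acl_dst, acl_port) == "deny":
        return "denied by acl " + acl, None
    if mapping is None:
        return "no static translation", None
    return "delivered", mapping


def exposed_services(config, acl="112", src_ip="203.0.113.9"):
    """Defender's view: every static mapping and whether the outside ACL lets it through."""
    _, statics = parse_config(config)
    return {(proto, g, gp): (inside, iport, inbound_path(config, proto, src_ip, g, gp, acl)[0])
            for proto, g, gp, inside, iport in statics}


if __name__ == "__main__":
    for key, val in exposed_services(CONFIG).items():
        print(key, "->", val)
    print(inbound_path(CONFIG, "tcp", "203.0.113.9", "193.195.86.134", 80, acl_before_nat=False))
    print(inbound_path(HARDENED, "tcp", "203.0.113.9", "193.195.86.134", 443))
```

With the thread's ACL 112, `permit ip any any` means both static mappings are reachable from outside, so the proposed port-80 line does publish 192.168.0.20; the ACL only blocks if it is modelled as seeing the post-NAT inside address, which is the reading the reply argues for. With the explicit-permit list, unmapped ports such as 443 are dropped at the ACL instead of reaching the NAT table. Two caveats carry over from the posted config: the explicit list relies on `ip inspect firewall out` on Dialer2 to open return traffic for TCP and UDP sessions the LAN starts, and that inspect rule has no ICMP entry, so outbound pings would need their own permit for echo-reply; and both the static entries and the ACL assume 193.195.86.134 is the address the ISP negotiates on Dialer2.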
 