Hello,
I have just set up a 3620 onto a network that was using a speedtouch PRO adsl modem. The current configuration has been setup that the speed touch is now fuctioning as a transparent bridge and the PPPOE authenticatin is being done by the router via one of the ethernet ports.
I have created nat rules to allow user on nth internet to get access to a mail and web server sitting on th private network.
There is a problem that I Ihave run into and this problem has to do with users on the local network not being able to access the web and mail server on the local LAN.
The users need to be able to access this server via the internoet front end address and not directly fom the lan. I know there is a way with nat to do this setup I believe it is called Inside to Inside NAT - NAT Virtual Interface Support but I cant seem to get this working.
I have attached my setup and would appreciate if you furu would be able to tell me where I am going wrong.
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
enable password password
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip name-server 192.231.203.132
no ip dhcp conflict logging
!
ip dhcp pool localnet
network 10.0.0.0 255.0.0.0
domain-name xyz.com
dns-server 192.231.203.132 192.231.203.3
default-router 10.0.0.200
lease 30
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Ethernet1/0
description ADSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/1
ip address 10.0.0.200 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
interface Ethernet1/2
no ip address
half-duplex
no cdp enable
!
interface Ethernet1/3
no ip address
half-duplex
no cdp enable
!
interface Dialer1
description ADSL WAN Dialer
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username@isp
ppp chap password 0 isppassword
ppp pap sent-username username@isp password 0 isppassword
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.110 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.110 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.110 32000 interface Dialer1 32000
ip nat inside source static tcp 10.0.0.110 32001 interface Dialer1 32001
ip nat inside source static tcp 10.0.0.110 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.110 143 interface Dialer1 143
ip nat inside source static tcp 10.0.0.110 995 interface Dialer1 995
ip nat inside source static tcp 10.0.0.110 993 interface Dialer1 993
ip nat inside source static udp 10.0.0.110 53 interface Dialer1 53
ip nat inside source static tcp 10.0.0.110 1143 interface Dialer1 1143
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 10 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password password
login
!
!
end
Also having troubles working out what kind of access list to create the access list I have put together is also attached but the second I apply it to the interface I lose all internet access on the local lan.
access-list 110 permit tcp any eq 80 any
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any eq 25 any
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any range 32000 32001 any
access-list 110 permit tcp any any range 32000 32001
access-list 110 permit udp any eq 53 any
access-list 110 permit udp any any eq 53
access-list 110 permit tcp any eq 143 any
access-list 110 permit tcp any any eq 143
access-list 110 permit icmp any any
access-list 110 permit tcp any any eq 995
access-list 110 permit tcp any eq 995 any
access-list 110 permit tcp any eq 993 any
access-list 110 permit tcp any any eq 993
access-list 110 permit tcp any eq 1143 any
access-list 110 permit tcp any any eq 1143
access-list 110 permit udp any eq ntp any
access-list 110 deny ip 10.0.0.0 0.0.0.255 any
access-list 120 deny tcp any any eq 135 log
access-list 120 deny udp any any eq 135 log
access-list 120 deny tcp any any eq 137 log
access-list 120 deny tcp any any eq 139 log
access-list 120 deny tcp any any eq 445 log
access-list 120 deny udp any any eq 445 log
access-list 120 deny tcp any any eq 5800 log
access-list 120 deny tcp any any eq 43958 log
access-list 120 deny udp any any eq netbios-ns log
access-list 120 deny udp any any eq netbios-ss log
access-list 120 permit ip any any
access list 110 is meant to be applied to dialer1 in
and access list 120 is meant to be appled to dialer1 out.
Thanks for your help guys
ikhan42
I have just set up a 3620 onto a network that was using a speedtouch PRO adsl modem. The current configuration has been setup that the speed touch is now fuctioning as a transparent bridge and the PPPOE authenticatin is being done by the router via one of the ethernet ports.
I have created nat rules to allow user on nth internet to get access to a mail and web server sitting on th private network.
There is a problem that I Ihave run into and this problem has to do with users on the local network not being able to access the web and mail server on the local LAN.
The users need to be able to access this server via the internoet front end address and not directly fom the lan. I know there is a way with nat to do this setup I believe it is called Inside to Inside NAT - NAT Virtual Interface Support but I cant seem to get this working.
I have attached my setup and would appreciate if you furu would be able to tell me where I am going wrong.
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
enable password password
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip name-server 192.231.203.132
no ip dhcp conflict logging
!
ip dhcp pool localnet
network 10.0.0.0 255.0.0.0
domain-name xyz.com
dns-server 192.231.203.132 192.231.203.3
default-router 10.0.0.200
lease 30
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Ethernet1/0
description ADSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/1
ip address 10.0.0.200 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
interface Ethernet1/2
no ip address
half-duplex
no cdp enable
!
interface Ethernet1/3
no ip address
half-duplex
no cdp enable
!
interface Dialer1
description ADSL WAN Dialer
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username@isp
ppp chap password 0 isppassword
ppp pap sent-username username@isp password 0 isppassword
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.110 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.110 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.110 32000 interface Dialer1 32000
ip nat inside source static tcp 10.0.0.110 32001 interface Dialer1 32001
ip nat inside source static tcp 10.0.0.110 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.110 143 interface Dialer1 143
ip nat inside source static tcp 10.0.0.110 995 interface Dialer1 995
ip nat inside source static tcp 10.0.0.110 993 interface Dialer1 993
ip nat inside source static udp 10.0.0.110 53 interface Dialer1 53
ip nat inside source static tcp 10.0.0.110 1143 interface Dialer1 1143
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 10 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password password
login
!
!
end
Also having troubles working out what kind of access list to create the access list I have put together is also attached but the second I apply it to the interface I lose all internet access on the local lan.
access-list 110 permit tcp any eq 80 any
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any eq 25 any
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any range 32000 32001 any
access-list 110 permit tcp any any range 32000 32001
access-list 110 permit udp any eq 53 any
access-list 110 permit udp any any eq 53
access-list 110 permit tcp any eq 143 any
access-list 110 permit tcp any any eq 143
access-list 110 permit icmp any any
access-list 110 permit tcp any any eq 995
access-list 110 permit tcp any eq 995 any
access-list 110 permit tcp any eq 993 any
access-list 110 permit tcp any any eq 993
access-list 110 permit tcp any eq 1143 any
access-list 110 permit tcp any any eq 1143
access-list 110 permit udp any eq ntp any
access-list 110 deny ip 10.0.0.0 0.0.0.255 any
access-list 120 deny tcp any any eq 135 log
access-list 120 deny udp any any eq 135 log
access-list 120 deny tcp any any eq 137 log
access-list 120 deny tcp any any eq 139 log
access-list 120 deny tcp any any eq 445 log
access-list 120 deny udp any any eq 445 log
access-list 120 deny tcp any any eq 5800 log
access-list 120 deny tcp any any eq 43958 log
access-list 120 deny udp any any eq netbios-ns log
access-list 120 deny udp any any eq netbios-ss log
access-list 120 permit ip any any
access list 110 is meant to be applied to dialer1 in
and access list 120 is meant to be appled to dialer1 out.
Thanks for your help guys
ikhan42