
Help With 2600 Router Script


RayWilson

Technical User
Nov 28, 2001
Hi Everyone,

We have a mess and we're sure it's with our router script. One of our problems is that so many people have worked on it over the past months.

We now have intermittent problems like some of our PCs on our internal network (which is connected to E0 - the school) can get Real Media content and ping external addresses (e.g. while other systems can't. We also have issues with FTP (e.g. WS_FTP doesn't work) while some of my colleagues get read-only access when FTPing through Internet Explorer.

I believe the problem has something to do with the access-lists and the IP Inspect commands. Can somebody please elaborate for me what their function is? Are they an alternative to ACLs, or should they be used in conjunction? Also, I'm a little confused about inbound and outbound direction when it comes to ACLs.

Current configuration:
!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GH1
!
enable password <***PASSWORD***>
!
!
ip subnet-zero
no ip finger
no ip domain-lookup
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet ftp
ip inspect name Internet http java-list 99 timeout 300
ip inspect name Internet smtp
ip inspect name Internet realaudio
ip inspect name internet http java-list 99 timeout 300
ip audit notify log
ip audit po max-events 100
!
!
process-max-time 200
!
interface FastEthernet0/0
description connected to school
ip address <IP_ADDRESS> 255.255.255.0
ip access-group 106 out
no ip directed-broadcast
ip accounting output-packets
ip accounting access-violations
ip nat inside
ip inspect Internet in
no cdp enable
!
interface FastEthernet0/1
description connected to art college
ip address <IP_ADDRESS> 255.255.255.0
ip access-group 104 in
no ip directed-broadcast
ip accounting output-packets
ip accounting access-violations
ip nat outside
no ip split-horizon
no cdp enable
!
router ospf 100
network <IP_ADDRESS> 0.0.255.255 area 0
!
ip default-gateway <IP_ADDRESS>
ip nat pool Internet <FIRST_IP_ADDRESS> <LAST_IP_ADDRESS> netmask 255.255.255.0
ip nat inside source list 100 pool Internet
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static <IP_ADDRESS> <IP_ADDRESS>
ip nat inside source static tcp <IP_ADDRESS> 25 <IP_ADDRESS> 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
no ip http server
!
access-list 99 permit any
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any eq www
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any range ftp-data ftp
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
access-list 104 deny ip <IP_ADDRESS> 0.255.255.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 deny tcp any any eq telnet
access-list 104 permit ip any any
access-list 106 permit tcp any any eq smtp
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any host <IP_ADDRESS> eq www
no cdp run
!
line con 0
exec-timeout 0 0
password <***PASSWORD***>
login
transport input none
line aux 0
exec-timeout 2 0
password <***PASSWORD***>
login
line vty 0 4
exec-timeout 2 0
password <***PASSWORD***>
login
transport input telnet
!
scheduler interval 500
end
 
Access list 104 is doing this:

access-list 104 deny ip <IP_ADDRESS> 0.255.255.255 any
!Blocks all incoming traffic from fa0/1 with this matching IP network
access-list 104 permit icmp any any echo-reply
!Permit ICMP pings from all the internet except the above network
access-list 104 deny tcp any any eq telnet
!Block telnet traffic from fa0/1
access-list 104 permit ip any any
!Permit everything else that doesn't match the above.

Access list 106 is doing this:
access-list 106 permit tcp any any eq smtp
!Allows all computers to do SMTP email out through fa0/1
access-list 106 permit icmp any any echo-reply
!Allows all computers to do ICMP pings
access-list 106 permit tcp any host <IP_ADDRESS> eq www
!Allows the one computer to surf the web

Access list 100 is doing this:
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
!Permit all tcp traffic from one computer to another on your NAT pool
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any eq www
!Permit from one network to any network on your NAT pool
access-list 100 permit tcp <IP_ADDRESS> 0.255.255.255 any range ftp-data ftp
!Same except it does ftp data
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
!Allows all UDP traffic from one network to one host on your NAT pool
access-list 100 permit udp <IP_ADDRESS> 0.255.255.255 host <IP_ADDRESS>
!Same as above
access-list 100 permit tcp host <IP_ADDRESS> host <IP_ADDRESS>
!Allows one host UDP to another host on your NAT pool


Without the IP addresses and their locations, I can't really explain too much here.
 
We now have intermittent problems like some of our PCs on our internal network (which is connected to E0 - the school) can get Real Media content and ping external addresses (e.g. while other systems can't.

interface FastEthernet0/0
description connected to school
ip address <IP_ADDRESS> 255.255.255.0
ip access-group 106 out
no ip directed-broadcast
ip accounting output-packets
ip accounting access-violations
ip nat inside
ip inspect Internet in
no cdp enable

access-list 106 permit tcp any any eq smtp
access-list 106 permit icmp any any echo-reply
access-list 106 permit tcp any host <IP_ADDRESS> eq www
no cdp run
---------------------------------------------------------
I don't know the schematics of your network. Just trying to help with what I see.

"ip access-group 106 out"

That should be "ip access-group 106 in" I guess, since your hosts off fe0/0 have to go IN fe0/0 on the router to get "out".

Also

"access-list 106 permit tcp any host <IP_ADDRESS> eq
That is permitting any host off Fe0 only to that one website. Since you have the ACL going the wrong way it's having no effect on the hosts off fe0. I don't know how your network is set up; it may have some unintended effects on some other subnets.

Since you basically have no ACLs on Fe0 (the other entries are permit-ALL type), you might as well blow ACL 106 up and see if that fixes the problem.

I noticed a lot of ACL mistakes and misconfigurations on the other ACLs also.

ACLs work top to bottom.

So if you have "ip access-list 10 deny 106.104.2.1 255.255.0.0" and then have
"ip access-list 10 permit host 106.104.2.2", guess what? After the 1st hit it's over for that whole subnet. No one will pass even if you have a permit after.
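The top-to-bottom, first-match evaluation the last reply describes, as an added Python model that is not part of this thread: it evaluates a numbered extended ACL the way IOS does, including the implicit deny that ends every list, and is run over the thread's ACL 104 and ACL 106 and the reply's ordering trap. All addresses are constructed stand-ins for the <IP_ADDRESS> placeholders, and the ordering example is rewritten as an extended ACL with a wildcard mask.

```python
"""Model of IOS numbered-ACL evaluation: first match wins, implicit deny ends the list."""
import ipaddress
PORTS = {"www": 80, "smtp": 25, "telnet": 23, "ftp": 21, "ftp-data": 20}

def ip_int(text):
    return int(ipaddress.IPv4Address(text))

def parse_addr(tokens):
    """'any' | 'host A' | 'A WILDCARD' -> (address, care-mask); wildcard 1-bits are don't-care."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0
    if t == "host":
        return ip_int(tokens.pop(0)), 0xFFFFFFFF
    return ip_int(t), ~ip_int(tokens.pop(0)) & 0xFFFFFFFF

def parse_ace(line):
    """'access-list N permit|deny PROTO SRC DST [eq P | range A B | ICMP-TYPE]' -> dict.
    Only destination-side port qualifiers are modelled, which is all this config uses."""
    action, proto, *rest = line.split()[2:]
    src, dst = parse_addr(rest), parse_addr(rest)
    if rest and rest[0] in ("eq", "range"):
        svc = tuple(PORTS.get(p) or int(p) for p in (rest[1], rest[-1]))
    else:
        svc = (rest[0], rest[0]) if rest else (None, None)  # ICMP type keyword, or none
    return {"action": action, "proto": proto, "src": src, "dst": dst, "svc": svc}

def matches(ace, pkt):
    """pkt = (proto, src_ip, dst_ip, dst_port-or-icmp-type); tcp/udp ports are ints."""
    proto, src, dst, svc = pkt
    if ace["proto"] not in ("ip", proto):
        return False
    for (addr, care), ip in ((ace["src"], src), (ace["dst"], dst)):
        if (ip_int(ip) & care) != (addr & care):
            return False
    lo, hi = ace["svc"]
    return lo is None or (svc == lo if proto == "icmp" else lo <= svc <= hi)

def evaluate(acl, pkt):
    """Return (action, deciding entry); no match falls through to the implicit deny."""
    for line in acl:
        if matches(parse_ace(line), pkt):
            return line.split()[2], line
    return "deny", "implicit deny at end of list"

ACL_104 = ["access-list 104 deny ip 10.0.0.0 0.255.255.255 any",  # thread's ACL 104, constructed addresses
           "access-list 104 permit icmp any any echo-reply",
           "access-list 104 deny tcp any any eq telnet",
           "access-list 104 permit ip any any"]
ORDER_TRAP = ["access-list 110 deny ip 10.4.0.0 0.0.255.255 any",  # last reply's example as a wildcard ACL
              "access-list 110 permit ip host 10.4.2.2 any"]  # never reached: the deny above matches first
```

Anything not matched by one of ACL 106's three entries, such as a UDP packet or web traffic to a different host, falls to the implicit deny rather than being "permit ALL".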