cisco 837 nat issue
  • cisco 837 nat issue

    Hi there,

    I'm having a strange problem where I can ping out, but cannot browse or even query external dns servers unless I basically open everything up to the world.

    Here is my config, which to my knowledge *should* work, but doesn't (pretty much the same config works fine with an 877):

    IOS Version: k9o3sy6-mz.124-16

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    no service dhcp
    !
    hostname (Client Name)-c837
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 warnings
    enable secret 5 (secret)
    !
    aaa new-model
    !
    !
    aaa authentication login local_authen local
    aaa authentication enable default enable
    aaa authorization exec local_author local
    !
    aaa session-id common
    no ip source-route
    !
    !
    !
    !
    ip cef
    no ip domain lookup
    ip domain name (client domain)
    no ip bootp server
    ip inspect name FW-OUT cuseeme
    ip inspect name FW-OUT ftp
    ip inspect name FW-OUT h323
    ip inspect name FW-OUT icmp
    ip inspect name FW-OUT netshow
    ip inspect name FW-OUT rcmd
    ip inspect name FW-OUT realaudio
    ip inspect name FW-OUT rtsp
    ip inspect name FW-OUT esmtp
    ip inspect name FW-OUT sqlnet
    ip inspect name FW-OUT streamworks
    ip inspect name FW-OUT tftp
    ip inspect name FW-OUT tcp
    ip inspect name FW-OUT udp
    ip inspect name FW-OUT vdolive
    !
    !
    !
    partition flash 2 10 2
    !
    username (user) secret 5 (secret)
    username (user) privilege 15 secret 5 (secret)
    archive
    log config
    hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    !
    !
    interface Ethernet0
    ip address 10.24.1.5 255.255.0.0
    ip access-group 160 in
    ip access-group 150 out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip inspect FW-OUT out
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    shutdown
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    dsl operating-mode itu-dmt
    hold-queue 224 in
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    speed 100
    half-duplex
    !
    interface FastEthernet2
    speed 100
    half-duplex
    !
    interface FastEthernet3
    speed 100
    half-duplex
    !
    interface FastEthernet4
    speed 100
    half-duplex
    !
    interface Dialer0
    description PPP Dialer (to BCT)
    mtu 1452
    ip address (DSL IP) 255.255.255.254
    ip access-group 180 in
    ip access-group 170 out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    ip tcp adjust-mss 1412
    load-interval 30
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname (username)
    ppp chap password 7 (password)
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    !
    no ip http server
    ip http access-class 10
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat translation timeout 60
    ip nat translation tcp-timeout 60
    ip nat translation finrst-timeout 30
    ip nat translation syn-timeout 120
    ip nat translation max-entries 2000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.24.1.10 25 interface Dialer0 25
    ip nat inside source static tcp 10.24.1.10 80 interface Dialer0 80
    ip nat inside source static tcp 10.24.1.10 3389 interface Dialer0 3389
    !
    !
    ip access-list extended VTY
    permit tcp 10.24.0.0 0.0.255.255 any eq telnet
    permit tcp (remote admin range) 0.0.0.7 any eq telnet
    permit tcp host (remote admin ip) any eq telnet
    deny ip any any
    access-list 1 permit 10.24.0.0 0.0.255.255
    access-list 10 permit 10.24.0.0 0.0.255.255
    access-list 150 permit ip any any
    access-list 160 deny ip host 255.255.255.255 any
    access-list 160 deny ip 127.0.0.0 0.255.255.255 any
    access-list 160 permit ip any any
    access-list 170 permit ip any any
    access-list 180 deny tcp any any range 135 139
    access-list 180 deny udp any any range 135 netbios-ss
    access-list 180 deny tcp any any eq 445
    access-list 180 deny udp any any eq 445
    access-list 180 deny ip host 0.0.0.0 any
    access-list 180 deny ip host 255.255.255.255 any
    access-list 180 deny ip host 127.0.0.1 any
    access-list 180 deny ip 10.24.0.0 0.0.255.255 any
    access-list 180 permit icmp any any echo-reply
    access-list 180 permit udp host (ISP DNS1) any eq domain
    access-list 180 permit udp host (ISP DNS2) any eq domain
    access-list 180 permit tcp any host (DSL IP) eq smtp
    access-list 180 permit tcp any host (DSL IP) eq www
    access-list 180 permit tcp any host (DSL IP) eq 3389
    access-list 180 permit icmp (remote admin range) 0.0.0.7 host (DSL IP) echo
    access-list 180 permit icmp host (remote admin ip) host (DSL IP) echo
    access-list 180 deny ip any any
    !
    !
    !
    control-plane
    !
    banner login ^C
    ---------------------------------------------------------------------------------
    Unauthorised connections are strictly prohibited.
    If you are not authorised to access this device disconnect immediately!
    For technical assistance please contact (us)
    Phone (our phone number)
    ---------------------------------------------------------------------------------
    ^C
    !
    line con 0
    exec-timeout 120 0
    login authentication local_authen
    no modem enable
    transport output telnet
    stopbits 1
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class VTY in
    exec-timeout 120 0
    authorization exec local_author
    login authentication local_authen
    length 0
    transport input telnet
    !
    scheduler max-task-time 5000
    scheduler interval 500
    end

    Now if I add the following:

    access-list 180 permit tcp any host (DSL IP)
    access-list 180 permit udp any host (DSL IP)

    everything starts working; however, I don't really want to leave this as the solution, as it basically opens the external interface right up.


    If anyone has any ideas they would be greatly appreciated.

    Thanks in advance!
    Last edited by zedbo9; 26th May 2009, 06:09.

  • #2
    Re: cisco 837 nat issue

    Interesting...does smtp work? Inbound I mean.

    I'd need to dig out my notes on inspects, but one thing that strikes me straight off is: while acl 180 details dns, there's no corresponding inspect rule for it.

    I might be getting it wrong though - as I say, will check notes.

    genkidesu



    • #3
      Re: cisco 837 nat issue

      Thanks for your reply genkid,


      does smtp work? Inbound I mean.
      Why yes indeed it does. Everything I've allowed inbound is fine (i.e. the port-forwards) and I can telnet to it remotely.

      It's just outbound traffic that's the problem.



      • #4
        Re: cisco 837 nat issue

        Try this:

        Original:

        access-list 180 permit udp host (ISP DNS1) any eq domain
        access-list 180 permit udp host (ISP DNS2) any eq domain

        Change to:

        access-list 180 permit udp host (ISP DNS1) host (DSL IP) eq domain
        access-list 180 permit udp host (ISP DNS2) host (DSL IP) eq domain

        OR:

        access-list 180 permit udp any host (DSL IP) eq domain
        access-list 180 permit udp any host (DSL IP) eq domain

        just in case your ISP has a battery of DNS servers that answer in a round-robin fashion, i.e., you don't get an answer from the box you expect to.



        • #5
          Re: cisco 837 nat issue

          Originally posted by genkidesu
          Try this:


          Change to:

          access-list 180 permit udp host (ISP DNS1) host (DSL IP) eq domain
          access-list 180 permit udp host (ISP DNS2) host (DSL IP) eq domain

          OR:

          access-list 180 permit udp any host (DSL IP) eq domain
          access-list 180 permit udp any host (DSL IP) eq domain

          Hmm, tried the latter - still nothing (direct queries to ISP DNS1+2 fail).

          However if I do this (which opens up all udp ports to the ISP's DNS servers that aren't explicitly blocked earlier in the ACL) -

          () access-list 180 permit udp host (ISP DNS1) host (DSL IP)
          () access-list 180 permit udp host (ISP DNS2) host (DSL IP)

          DNS lookups start working again, but browsing still doesn't happen unless I add -

          () access-list 180 permit tcp any host (DSL IP)
          () access-list 180 permit udp any host (DSL IP)

          *Will only work with both the tcp & udp rules. Take away udp and I can't even open Google.

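Added example, not from the thread or from Cisco: a small Python model of how an IOS extended ACL matches a UDP packet, with the thread's (ISP DNS1) and (DSL IP) replaced by documentation-range placeholders. In IOS syntax the port qualifier after the destination (`any eq domain`) applies to the destination port, so the posted rule matches queries sent to port 53 rather than replies coming from it; the model evaluates a DNS reply against the rule as posted, against the port-less workaround from post #5, and against the same ACE with `eq domain` moved onto the source.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed placeholders (RFC 5737 ranges) standing in for the thread's values.
ISP_DNS1 = "192.0.2.53"    # (ISP DNS1)
DSL_IP = "198.51.100.7"    # (DSL IP)


@dataclass
class Ace:
    """One access-control entry. IOS order is: src [src-port] dst [dst-port].
    Networks are given in CIDR here instead of IOS wildcard masks, for brevity."""
    action: str
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None   # 'eq' qualifier placed after the source
    dport: Optional[int] = None   # 'eq' qualifier placed after the destination

    def matches(self, proto, src, dst, sport, dport):
        return (self.proto in (proto, "ip")
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.sport in (None, sport)
                and self.dport in (None, dport))


def evaluate(acl, proto, src, dst, sport, dport):
    """First matching ACE wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, sport, dport):
            return ace.action
    return "deny"


# access-list 180 permit udp host (ISP DNS1) any eq domain   (as posted: dst port 53)
AS_POSTED = [Ace("permit", "udp", ISP_DNS1 + "/32", "0.0.0.0/0", dport=53)]
# access-list 180 permit udp host (ISP DNS1) host (DSL IP)   (post #5 workaround: any port)
WORKAROUND = [Ace("permit", "udp", ISP_DNS1 + "/32", DSL_IP + "/32")]
# access-list 180 permit udp host (ISP DNS1) eq domain host (DSL IP)   (src port 53 only)
SRC_PORT_FORM = [Ace("permit", "udp", ISP_DNS1 + "/32", DSL_IP + "/32", sport=53)]


def dns_reply(acl):
    """A resolver's answer: from port 53 on the ISP server to an ephemeral port on the router."""
    return evaluate(acl, "udp", ISP_DNS1, DSL_IP, 53, 40000)


def dns_query_to_router(acl):
    """What the posted rule actually admits: UDP from the ISP server *to* port 53 on the router."""
    return evaluate(acl, "udp", ISP_DNS1, DSL_IP, 40000, 53)
```

The port-less workaround admits any UDP from the resolver; the source-port form is the narrower equivalent for plain DNS replies.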