Question : NAT and ACL on 2600

Hello !!

A couple of days ago I posted a config question about the Cisco 1800 series and I got the answer.
But now I have a Cisco IOS 2600 series router, which I tried to configure the same way as the 1800 series, but it was not successful.
I think the reason for it is the CBAC configuration. Below I will paste only the WAN part of the configuration, because that is the problem.

Router info: Cisco 2600 series, software version 12.2(12a)
As an example, I will not use my official WAN addresses, but example IP addresses.
I got 3 IP addresses from my ISP which are in the same subnet.

I will open traffic from the WAN to the internal server on port 80.
I will use the example WAN address which will be used to access the server from the WAN.

I need access to the server from WAN IP 213.161.255.42
______________________________________________________________________

interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 213.161.255.40 255.255.255.0
 ip access-group ACL_CBAC in
 ip nat outside

ip nat pool wan_addresses 213.161.255.40 213.161.255.43 netmask 255.255.255.0
ip nat inside source route-map wan_addresses interface FastEthernet0/0.30 overload
ip nat inside source static tcp 10.0.0.7 80 213.161.255.42 80 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.30 213.161.255.1

ip access-list extended ACL_CBAC
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq www

ip access-list extended ACL_NAT
 permit ip 10.0.0.0 0.0.0.255 any

route-map wan_addresses permit 1
 match ip address ACL_NAT

__________________________________________________________________________

When I use the config above, I am not able to access the internet from the LAN and I am not able to access the internal server on port 80 from the WAN. But when I remove "ip access-group ACL_CBAC in" from the sub-interface 0/0.30, then I can access the internet from the LAN, but I still cannot access the internal server on port 80 from the WAN.

I tried to add the following CBAC config:
______________________________________________________________________
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
___________________________________________________________________________
But this router reported errors when I tried to use the "ip inspect name" commands.
The error is like the one below:

Router(config)#ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
                   ^
% Invalid input detected at '^' marker.

Router(config)#

So I think that CBAC is either not supported on this software version or there is another way to do it.

Thank You
Very best regards
Steve_I

Answer : NAT and ACL on 2600

If you don't have the ability to do any 'ip inspect' commands, you won't have CBAC, and your ACL will block Internet access.  Send us a 'sh ver' from your router.
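
Why the posted ACL cuts off LAN browsing without CBAC, as an added example (not code from the thread or from Cisco): a minimal first-match model of ACL_CBAC run over constructed packets arriving inbound on FastEthernet0/0.30. The packet values and the stateless `established` entry are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""
    flags: frozenset = frozenset()   # TCP flags set on the packet

# ACL_CBAC as posted in the question: (protocol, match) entries, in order.
ACL_CBAC = [
    ("icmp", lambda p: p.icmp_type == "packet-too-big"),
    ("icmp", lambda p: p.icmp_type == "time-exceeded"),
    ("icmp", lambda p: p.icmp_type == "unreachable"),
    ("tcp", lambda p: p.dport == 80),  # "any any eq www" tests the DESTINATION port
]

# Assumption, not in the thread: a stateless "permit tcp any any established"
# entry, which matches TCP segments carrying ACK or RST.
ESTABLISHED = ("tcp", lambda p: bool(p.flags & {"ACK", "RST"}))

# Constructed packets, all arriving inbound on FastEthernet0/0.30.
SAMPLES = {
    "wan_client_to_server": Packet("tcp", 51000, 80, flags=frozenset({"SYN"})),
    "web_reply_to_lan": Packet("tcp", 80, 40001, flags=frozenset({"SYN", "ACK"})),
    "dns_reply_to_lan": Packet("udp", 53, 40002),
}

def evaluate(acl, pkt):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for proto, match in acl:
        if proto == pkt.proto and match(pkt):
            return "permit"
    return "deny"

def verdicts(acl):
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for label, acl in (("as posted", ACL_CBAC),
                       ("with established", ACL_CBAC + [ESTABLISHED])):
        print(label, verdicts(acl))
```

The replies to LAN-initiated sessions are what CBAC inspection would have admitted dynamically; the stateless entry recovers TCP replies only, and DNS replies over UDP still hit the implicit deny.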