Question : NAT and ACL on 2600

Hello !!

Couple days ago I have posted a config question about Cisco 1800 series and I got the answer.
But now I have an cisco IOS 2600 series router, which I tryed to configure on the same way as 1800 series, but it was not success full.
I think the reason for it is CBAC configuration. Below I will paste only WAN part of the ocnfiguration, because that is problem.

Router info: Cisco 2600 series software : Version 12.2(12a)
As example I will not use my offical wan addresses, but example ip addresses.
I got 3 IP addresses from my ISP which are in the same subnet.

I will open for traffic from WAN on to internal server on port 80.
I will use the example wan address which will be used to access the server from WAN.

I need acces to the server from WAN IP 213.161.255.42
______________________________________________________________________

interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 213.161.255.40 255.255.255.0
 ip access-group ACL_CBAC in
 ip nat outside

ip nat pool wan_addresses 213.161.255.40 213.161.255.43 netmask 255.255.255.0
ip nat inside source route-map wan_addresses interface FastEthernet0/0.30 overload
ip nat inside source static tcp 10.0.0.7 80 213.161.255.42 80 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.30 213.161.255.1

ip access-list extended ACL_CBAC
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq www
 

ip access-list extended ACL_NAT
permit ip 10.0.0.0 0.0.0.255 any
route-map wan_addresses permit 1
match ip address ACL_NAT

__________________________________________________________________________

When I use the config above, I am not able to access the internet from LAN and I am not able to access the internal server on port 80 from WAN. But when I remove the ip access-group ACL_CBAC in from the sub-interface 0/0.30 than I can access the internet from LAN but still I can not access the internal server on port 80 from WAN.

I tryed to add the folowing CBAC config:
______________________________________________________________________
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
___________________________________________________________________________
But this router reported the errors when I tryed to use "ip inspect name" commands
The error like one below:

Router(config)#ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
                   ^
% Invalid input detected at '^' marker.

Router(config)#

So I think that CBAC is either not supported on this software version or there is other way to do it.

Thank You
Very best regards
Steve_I

Answer : NAT and ACL on 2600

If you don't have the ability to do any 'ip inspect' commands, you won't have CBAC, and your ACL will block Internet access.  Send us a 'sh ver' from your router.