Question : NAT and ACL on 2600
Hello !!
A couple of days ago I posted a config question about the Cisco 1800 series and I got the answer. But now I have a Cisco IOS 2600 series router, which I tried to configure in the same way as the 1800 series, but it was not successful. I think the reason for it is the CBAC configuration. Below I will paste only the WAN part of the configuration, because that is the problem.
Router info: Cisco 2600 series, software: Version 12.2(12a). As an example I will not use my official WAN addresses, but example IP addresses. I got 3 IP addresses from my ISP which are in the same subnet.
I will open traffic from the WAN to an internal server on port 80. I will use the example WAN address which will be used to access the server from the WAN.
I need access to the server from WAN IP 213.161.255.42
______________________________________________________________________
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 213.161.255.40 255.255.255.0
 ip access-group ACL_CBAC in
 ip nat outside

ip nat pool wan_addresses 213.161.255.40 213.161.255.43 netmask 255.255.255.0
ip nat inside source route-map wan_addresses interface FastEthernet0/0.30 overload
ip nat inside source static tcp 10.0.0.7 80 213.161.255.42 80 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.30 213.161.255.1

ip access-list extended ACL_CBAC
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any any eq www

ip access-list extended ACL_NAT
 permit ip 10.0.0.0 0.0.0.255 any

route-map wan_addresses permit 1
 match ip address ACL_NAT
__________________________________________________________________________
When I use the config above, I am not able to access the internet from the LAN and I am not able to access the internal server on port 80 from the WAN. But when I remove the ip access-group ACL_CBAC in from the sub-interface 0/0.30, then I can access the internet from the LAN but still I can not access the internal server on port 80 from the WAN.
I tried to add the following CBAC config:
______________________________________________________________________
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
___________________________________________________________________________
But this router reported errors when I tried to use the "ip inspect name" commands. The error looks like the one below:
Router(config)#ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
                                                  ^
% Invalid input detected at '^' marker.
Router(config)#
So I think that CBAC is either not supported on this software version or there is another way to do it.
Thank You
Very best regards
Steve_I
Answer : NAT and ACL on 2600
If you don't have the ability to do any 'ip inspect' commands, you won't have CBAC, and your ACL will block Internet access. Send us a 'sh ver' from your router.
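The answer's point, that an inbound ACL permitting only "permit tcp any any eq www" drops the reply packets of LAN-initiated connections unless something stateful such as CBAC opens the return path, can be shown with a small simulator. This is an added example, not code from the post or from Cisco: it models the posted ACL_CBAC entries as a stateless first-match list with an implicit deny, adds a CBAC-style session table, and runs constructed sample packets through both. The Internet addresses 203.0.113.10 and 198.51.100.7 are assumed example values from documentation ranges; 213.161.255.40 and 213.161.255.42 are the example WAN addresses from the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[str] = None  # e.g. "unreachable" for ICMP packets

# Constructed from the ACL_CBAC entries in the post. "any any" matches every
# address, so only protocol, destination port and ICMP type are modelled.
ACL_CBAC = [
    {"proto": "icmp", "icmp_type": "packet-too-big"},
    {"proto": "icmp", "icmp_type": "time-exceeded"},
    {"proto": "icmp", "icmp_type": "unreachable"},
    {"proto": "tcp", "dport": 80},      # permit tcp any any eq www
]

def acl_permits(acl, pkt):
    """Stateless IOS-style evaluation: first matching entry wins,
    and an implicit 'deny ip any any' sits at the end of every ACL."""
    for entry in acl:
        if entry["proto"] != pkt.proto:
            continue
        if "dport" in entry and entry["dport"] != pkt.dport:
            continue
        if "icmp_type" in entry and entry["icmp_type"] != pkt.icmp_type:
            continue
        return True
    return False

class StatefulFilter:
    """CBAC-style inspection (simplified): a flow leaving toward the WAN is
    recorded, and its reply is admitted even though the static ACL denies it."""
    def __init__(self, acl):
        self.acl = acl
        self.sessions = set()

    def outbound(self, pkt):
        # Inspection keys the session on the outbound 5-tuple.
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        # The reply has source and destination swapped relative to the session.
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reply_of in self.sessions:
            return True                 # dynamically opened return path
        return acl_permits(self.acl, pkt)   # otherwise the static ACL decides

def demo():
    wan_ip = "213.161.255.40"           # post-NAT source of LAN browsing (from the post)
    web = "203.0.113.10"                # assumed example Internet web server
    out_syn = Packet("tcp", wan_ip, web, 51515, 80)      # LAN browser -> web server
    reply = Packet("tcp", web, wan_ip, 80, 51515)        # web server's answer
    to_server = Packet("tcp", "198.51.100.7", "213.161.255.42", 40000, 80)  # new conn to port 80

    stateless = {
        "reply_to_lan_browser": acl_permits(ACL_CBAC, reply),   # dport 51515 != 80 -> dropped
        "new_conn_to_port80": acl_permits(ACL_CBAC, to_server),  # dport 80 -> permitted
    }
    f = StatefulFilter(ACL_CBAC)
    f.outbound(out_syn)                 # inspection sees the outbound SYN first
    stateful = {
        "reply_to_lan_browser": f.inbound(reply),
        "new_conn_to_port80": f.inbound(to_server),
    }
    return stateless, stateful

if __name__ == "__main__":
    print(demo())
```

Run as-is, the stateless result shows why removing the ACL restores LAN Internet access: the web server's reply carries destination port 51515, matches no permit entry, and falls to the implicit deny, while the stateful filter admits it because the outbound SYN created a session. The inbound connection to 213.161.255.42 port 80 is permitted in both cases, which matches the post's observation that removing the ACL did not change the port 80 symptom.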