Solved

After 30 minutes of working, my router stops responding to "long distance requests"

Posted on 2002-06-26
Last Modified: 2010-04-17
I'm using a Cisco 2600 with IOS 12.1 with the firewall feature set.
I have 10 static address translations (on eth1), and firewall rules to enable access from the internet to those NATs...
The internet connection is a T1.
My office uses eth0 with 1 IP for NAT.
After 30 minutes (approx.), the router stops responding to long distance requests.
The office is in Japan, and I can access only local web sites (inside Japan). All others are suddenly unreachable.
What can be the problem?
Regards,
Tom
Question by: tom233
 
LVL 79

Expert Comment

by:lrmoore
Can you post your config? Change the actual IP addresses and cut out the passwords etc for security reasons.
All clients are on Eth 0? What about the systems on Eth1, can they still get out? How many IP addresses do you have from your ISP?
What is your IP address block/subnet mask?
0
 
LVL 11

Expert Comment

by:geoffryn
listening
0
 
LVL 1

Expert Comment

by:Chriskohn
Hi tom233:
It sounds strange that only "long distance requests" are not being responded to by the router??? I'm not certain what you mean by this.

For clarification, do you mean incoming connections to your network's E1/0 are dropping? Or are you referring to outgoing connections from your office on E0/0? It sounds like the latter.

In the latter case it may not be that your router or its configuration is the problem, as you still have connectivity to your provider, so it seems.

Still, I agree with lrmoore that a post of your configuration would be helpful in solving your dilemma.

If that isn't acceptable, you could issue the command "logging buffered 4096 debugging", and if you suspect it is a firewall related matter then add a last statement to all your firewall access-lists saying, for example, "access-list 101 deny ip any any log". This implicit deny statement will then cause logging of potential violations of your firewall access-list/s. I recommend also that you clear your log after applying your new access-list/s, then reattempt your connections, and if unsuccessful as before, view your log to see if you can determine whether it is a firewall problem. You can also compare that data to "show access-lists" command output and see if anything sticks out.

Good luck,
Sincerely, Chriskohn
0
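Chriskohn's suggestion above (a trailing "deny ip any any log" plus "logging buffered") makes the router write a %SEC-6-IPACCESSLOG* message for every logged hit, and "show log" on a busy T1 quickly becomes hard to read by eye. The script below is an added example, not code from the thread: it parses those messages and totals the denies per list, protocol, destination and port, and it can list denied packets addressed to one IP. Pointed at the NAT overload address (61.127.110.49 in this thread, which publishes no service) that second view separates replies to inside hosts that the inbound serial list dropped from plain unsolicited noise. The message layout is the one IOS uses for logged ACL entries (IPACCESSLOGP for tcp/udp, IPACCESSLOGDP for icmp, IPACCESSLOGNP for other protocols); the sample lines are constructed, not taken from the router.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output; the addresses are documentation ranges
# hitting the public block used in the thread. Not taken from the original post.
SAMPLE_LOG = """\
00:31:12: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.7(4321) -> 61.127.110.51(443), 1 packet
00:31:40: %SEC-6-IPACCESSLOGP: list 102 denied tcp 203.0.113.7(4322) -> 61.127.110.51(443), 3 packets
00:32:05: %SEC-6-IPACCESSLOGP: list 102 denied udp 198.51.100.9(53) -> 61.127.110.49(1027), 1 packet
00:32:09: %SEC-6-IPACCESSLOGDP: list 102 denied icmp 198.51.100.9 -> 61.127.110.49 (0/0), 2 packets
00:33:15: %SEC-6-IPACCESSLOGP: list 102 denied tcp 192.0.2.44(51234) -> 61.127.110.57(3389), 1 packet
00:33:16: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 192.0.2.44(51235) -> 61.127.110.57(3389), 1 packet
"""

# P = tcp/udp with ports, DP = icmp with (type/code), NP = other IP protocols without ports.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)"
    r"(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?, (?P<count>\d+) packets?"
)

def parse_log(text):
    """One dict per ACL log line; lines that are not ACL log messages are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "itype", "icode"):
            d[k] = int(d[k]) if d[k] is not None else None
        d["count"] = int(d["count"])
        entries.append(d)
    return entries

def summarize_denied(entries):
    """Denied packets per (list, proto, destination, dest port): the view that shows which
    published service people are actually failing to reach, rather than one line per hit."""
    totals = Counter()
    for e in entries:
        if e["action"] == "denied":
            totals[(e["acl"], e["proto"], e["dst"], e["dport"])] += e["count"]
    return totals

def denied_to(entries, address):
    """Denied packets addressed to one IP. For the NAT overload address, which publishes
    nothing, these are either replies to inside hosts that the inbound list dropped
    (compare with 'show ip inspect sessions') or unsolicited scans."""
    return [e for e in entries if e["action"] == "denied" and e["dst"] == address]

if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for (acl, proto, dst, dport), n in summarize_denied(ents).most_common():
        print(f"{n:5d} denied  list {acl}  {proto:<4} -> {dst}:{dport}")
    for e in denied_to(ents, "61.127.110.49"):
        print("to NAT address:", e["proto"], e["src"], e["sport"], "->", e["dst"], e["dport"])
```

Run it against the saved output of "show log"; the two sample lines aimed at 61.127.110.49 (a DNS reply from port 53 and an ICMP echo-reply, type 0) are exactly the shape of return traffic that an inbound access-list on the serial interface drops when nothing opened a hole for it.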
 

Author Comment

by:tom233
It's embarrassing, but I made the configuration using "Config Maker"...
Many thanks!
!
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service tcp-small-servers
no service udp-small-servers
!
hostname Cisco2611
!
enable password xxxx
!
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Context-Based Access Control
!
no ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
! IP inspect Ethernet_0_1
!
no ip inspect name Ethernet_0_1
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
!
! IP inspect Ethernet_0_0
!
no ip inspect name Ethernet_0_0
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
!
! IP inspect Serial_0_0
!
no ip inspect name Serial_0_0
ip inspect name Serial_0_0 smtp
ip inspect name Serial_0_0 ftp
ip inspect name Serial_0_0 tcp
ip inspect name Serial_0_0 udp
!
interface Ethernet 0/0
 no shutdown
 description connected to SAIKI-TECH
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_0 in
 ip access-group 101 in
 keepalive 10
!
interface Ethernet 0/1
 no shutdown
 description connected to DMZ
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_1 in
 ip access-group 100 in
 keepalive 10
!
interface Serial 0/0
 no shutdown
 description connected to Internet
 ip address 61.126.86.58 255.255.255.252
 ip nat outside
 ip inspect Serial_0_0 in
 ip access-group 102 in
 encapsulation ppp
!
interface Serial 0/1
 no description
 no ip address
 shutdown
!
! Access Control List 1
!
no access-list 1
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Access Control List 100
!
no access-list 100
access-list 100 deny ip 192.168.0.0 0.0.0.255 any
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny ip host 192.168.1.2 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip host 192.168.1.19 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.19 any
access-list 100 deny ip host 192.168.1.22 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.22 any
access-list 100 deny ip host 192.168.1.7 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.7 any
access-list 100 deny ip host 192.168.1.4 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.4 any
access-list 100 deny ip host 192.168.1.3 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.3 any
access-list 100 deny ip host 192.168.1.6 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.6 any
access-list 100 deny ip host 192.168.1.8 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.8 any
access-list 100 deny ip host 192.168.1.10 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.10 any
access-list 100 deny ip host 192.168.1.14 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.14 any
access-list 100 deny ip host 192.168.1.12 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.12 any
access-list 100 deny ip host 192.168.1.20 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.20 any
access-list 100 deny ip host 192.168.1.21 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.21 any
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
!
! Access Control List 101
!
no access-list 101
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip any any
!
! Access Control List 102
!
no access-list 102
access-list 102 deny ip host 61.127.110.57 any
access-list 102 deny ip host 61.127.110.51 any
access-list 102 deny ip host 61.127.110.58 any
access-list 102 deny ip host 61.127.110.56 any
access-list 102 deny ip host 61.127.110.54 any
access-list 102 deny ip host 61.127.110.50 any
access-list 102 deny ip host 61.127.110.55 any
access-list 102 deny ip host 61.127.110.53 any
access-list 102 deny ip host 61.127.110.60 any
access-list 102 deny ip host 61.127.110.61 any
access-list 102 deny ip host 61.127.110.62 any
access-list 102 deny ip host 61.127.110.59 any
access-list 102 deny ip host 61.127.110.52 any
access-list 102 permit tcp any host 61.127.110.50 eq smtp
access-list 102 deny ip any host 61.127.110.50
access-list 102 permit tcp any host 61.127.110.51 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.51 eq www
access-list 102 deny ip any host 61.127.110.51
access-list 102 permit tcp any host 61.127.110.51 eq 443
access-list 102 permit tcp any host 61.127.110.54 eq smtp
access-list 102 permit tcp any host 61.127.110.54 eq 22
access-list 102 permit tcp any host 61.127.110.54 eq pop3
access-list 102 deny ip any host 61.127.110.54
access-list 102 permit udp any host 61.127.110.53 eq domain
access-list 102 permit udp any host 61.127.110.53 eq 1646
access-list 102 permit tcp any host 61.127.110.53 eq 22
access-list 102 permit udp any host 61.127.110.53 eq 1645
access-list 102 deny ip any host 61.127.110.53
access-list 102 permit udp any host 61.127.110.55 eq domain
access-list 102 permit udp any host 61.127.110.55 eq 1645
access-list 102 permit udp any host 61.127.110.55 eq 1646
access-list 102 permit tcp any host 61.127.110.55 eq 22
access-list 102 deny ip any host 61.127.110.55
access-list 102 permit icmp any host 61.127.110.56
access-list 102 permit tcp any host 61.127.110.56 eq www
access-list 102 permit tcp any host 61.127.110.56 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.56 eq 443
access-list 102 deny ip any host 61.127.110.56
access-list 102 permit tcp any host 61.127.110.57 eq www
access-list 102 permit tcp any host 61.127.110.57 eq 3389
access-list 102 deny ip any host 61.127.110.57
access-list 102 permit tcp any host 61.127.110.58 eq 3389
access-list 102 deny ip any host 61.127.110.58
access-list 102 permit tcp any host 61.127.110.59 eq 22
access-list 102 permit tcp any host 61.127.110.59 eq smtp
access-list 102 permit tcp any host 61.127.110.59 eq pop3
access-list 102 deny ip any host 61.127.110.59
access-list 102 permit tcp any host 61.127.110.60 eq www
access-list 102 deny ip any host 61.127.110.60
access-list 102 permit tcp any host 61.127.110.61 eq www
access-list 102 deny ip any host 61.127.110.61
access-list 102 permit tcp any host 61.127.110.62 eq www
access-list 102 deny ip any host 61.127.110.62
access-list 102 permit tcp any host 61.127.110.52 eq smtp
access-list 102 permit tcp any host 61.127.110.52 eq 22
access-list 102 permit tcp any host 61.127.110.52 eq pop3
!
! Static NAT
!
ip nat inside source static 192.168.1.2 61.127.110.50
ip nat inside source static 192.168.1.6 61.127.110.56
ip nat inside source static 192.168.1.4 61.127.110.51
ip nat inside source static 192.168.1.14 61.127.110.55
ip nat inside source static 192.168.1.12 61.127.110.53
ip nat inside source static 192.168.1.20 61.127.110.60
ip nat inside source static 192.168.1.3 61.127.110.58
ip nat inside source static 192.168.1.7 61.127.110.57
ip nat inside source static 192.168.1.10 61.127.110.52
ip nat inside source static 192.168.1.8 61.127.110.54
ip nat inside source static 192.168.1.19 61.127.110.59
ip nat inside source static 192.168.1.21 61.127.110.61
ip nat inside source static 192.168.1.22 61.127.110.62
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Cisco2611-natpool-1 61.127.110.49 61.127.110.49 netmask 255.255.255.240
ip nat inside source list 1 pool Cisco2611-natpool-1 overload
!
router rip
 version 2
 network 192.168.0.0
 network 192.168.1.0
 passive-interface Serial 0/0
 no auto-summary
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0/0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
 exec-timeout 0 0
 password xxxx
 login
!
line vty 0 4
 password xxxx
 login
!
end
0
 

Author Comment

by:tom233
Oh, when I applied the debug command I saw this on the terminal:

getting aggressive, count (180/1100) current 1-min rate

tom
0
 
LVL 79

Expert Comment

by:lrmoore
Suggestion:
Start simple to get it working, then add features as needed.

!Remove ip inspect from serial 0/0:
!
Interface serial 0/0
 no ip inspect Serial_0_0 in
!
! enable CBAC:
ip inspect audit-trail
!

Simplify access-lists. Most of your deny statements are unnecessary:

!
no access-list 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
no access-list 100
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

! allow more icmp (ICMP message types take no "eq" keyword in an extended access-list):
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
!
access-list 102 permit tcp any host 61.127.110.50 eq smtp
access-list 102 permit tcp any host 61.127.110.51 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.51 eq www
access-list 102 permit tcp any host 61.127.110.51 eq 443
access-list 102 permit tcp any host 61.127.110.54 eq smtp
access-list 102 permit tcp any host 61.127.110.54 eq 22
access-list 102 permit tcp any host 61.127.110.54 eq pop3
access-list 102 permit udp any host 61.127.110.53 eq domain
access-list 102 permit udp any host 61.127.110.53 eq 1646
access-list 102 permit tcp any host 61.127.110.53 eq 22
access-list 102 permit udp any host 61.127.110.53 eq 1645
access-list 102 permit udp any host 61.127.110.55 eq domain
access-list 102 permit udp any host 61.127.110.55 eq 1645
access-list 102 permit udp any host 61.127.110.55 eq 1646
access-list 102 permit tcp any host 61.127.110.55 eq 22
access-list 102 permit icmp any host 61.127.110.56
access-list 102 permit tcp any host 61.127.110.56 eq www
access-list 102 permit tcp any host 61.127.110.56 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.56 eq 443
access-list 102 permit tcp any host 61.127.110.57 eq www
access-list 102 permit tcp any host 61.127.110.57 eq 3389
access-list 102 permit tcp any host 61.127.110.58 eq 3389
access-list 102 permit tcp any host 61.127.110.59 eq 22
access-list 102 permit tcp any host 61.127.110.59 eq smtp
access-list 102 permit tcp any host 61.127.110.59 eq pop3
access-list 102 permit tcp any host 61.127.110.60 eq www
access-list 102 permit tcp any host 61.127.110.61 eq www
access-list 102 permit tcp any host 61.127.110.62 eq www
access-list 102 permit tcp any host 61.127.110.52 eq smtp
access-list 102 permit tcp any host 61.127.110.52 eq 22
access-list 102 permit tcp any host 61.127.110.52 eq pop3
!
! log all denied packets for troubleshooting:
access-list 102 deny ip any any log
!
!turn on logging:
logg buff 4096 debug
!

Do you have other routers that talk to you via RIP?
If not, turn it off:

!
no router rip
!


For troubleshooting:
Cisco2611# show ip access
(look for hit counts for each line, and look for dynamically created entries)

Cisco2611# sho log
(look for denied packets for source/destination/ports that you might have overlooked)


!
0
 

Author Comment

by:tom233
Thanks for the prompt reply.
Fortunately I have a spare router to shave on...
I will try it now and update.
Tom
0
 

Author Comment

by:tom233
How can I determine which of the statements is unnecessary??

Tom
0
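The question above has a mechanical answer for the part that does not depend on intent. In an IOS access-list the first matching line wins, so a line that an earlier line already covers completely can never match (if the earlier line has the opposite action it is a silent bug, not just clutter), and a line that a later line with the same action covers completely, with no conflicting line in between, can be deleted without changing what the router does. The following is an added example and not code from the thread: a small analyzer for numbered extended access-lists that applies those two checks, run over constructed excerpts of the thread's ACL 100 and ACL 102. It understands only the syntax that appears in this config (any/host/wildcard, eq/range, ip/tcp/udp/icmp); named lists and keywords such as established are outside its scope, and partial overlaps are deliberately left for a human.

```python
from collections import namedtuple

MASK = 0xFFFFFFFF
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "domain": 53, "www": 80, "pop3": 110, "rip": 520}
Rule = namedtuple("Rule", "action proto src sport dst dport line")

# Constructed excerpts of the thread's lists, not the complete lists as posted.
ACL_102 = """\
access-list 102 deny ip host 61.127.110.51 any
access-list 102 permit tcp any host 61.127.110.50 eq smtp
access-list 102 deny ip any host 61.127.110.50
access-list 102 permit tcp any host 61.127.110.51 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.51 eq www
access-list 102 deny ip any host 61.127.110.51
access-list 102 permit tcp any host 61.127.110.51 eq 443
access-list 102 permit tcp any host 61.127.110.57 eq www
access-list 102 permit tcp any host 61.127.110.57 eq 3389
access-list 102 deny ip any host 61.127.110.57
"""
ACL_100 = """\
access-list 100 deny ip host 192.168.1.2 192.168.0.0 0.0.0.255
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip any 192.168.0.0 0.0.0.255
access-list 100 permit ip any any
"""

def ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def parse_addr(t, i):
    """'any' | 'host A' | 'A WILDCARD' -> ((addr, wildcard), next index)."""
    if t[i] == "any":
        return (0, MASK), i + 1
    if t[i] == "host":
        return (ip2int(t[i + 1]), 0), i + 2
    return (ip2int(t[i]), ip2int(t[i + 1])), i + 2

def parse_ports(t, i):
    """'eq P' | 'range A B' | nothing -> ((lo, hi), next index)."""
    port = lambda s: PORT_NAMES[s] if s in PORT_NAMES else int(s)
    if i < len(t) and t[i] == "eq":
        return (port(t[i + 1]),) * 2, i + 2
    if i < len(t) and t[i] == "range":
        return (port(t[i + 1]), port(t[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Numbered extended ACL lines; 'no access-list', blank and other lines are skipped."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        src, i = parse_addr(t, 4)
        sport, i = parse_ports(t, i)
        dst, i = parse_addr(t, i)
        dport, i = parse_ports(t, i)
        rules.append(Rule(t[2], t[3], src, sport, dst, dport, line))
    return rules

def addr_covers(a, b):
    """Every address matched by entry b is also matched by entry a."""
    return (b[1] & ~a[1] & MASK) == 0 and (a[0] & ~a[1] & MASK) == (b[0] & ~a[1] & MASK)

def addr_overlap(a, b):
    fixed = ~(a[1] | b[1]) & MASK               # bits that both entries pin down
    return (a[0] & fixed) == (b[0] & fixed)

def covers(a, b):                               # rule a matches every packet rule b matches
    return ((a.proto == "ip" or a.proto == b.proto)
            and addr_covers(a.src, b.src) and addr_covers(a.dst, b.dst)
            and a.sport[0] <= b.sport[0] <= b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1])

def overlaps(a, b):                             # some packet matches both rules
    return (("ip" in (a.proto, b.proto) or a.proto == b.proto)
            and addr_overlap(a.src, b.src) and addr_overlap(a.dst, b.dst)
            and a.sport[0] <= b.sport[1] and b.sport[0] <= a.sport[1]
            and a.dport[0] <= b.dport[1] and b.dport[0] <= a.dport[1])

def analyze(rules):
    """(kind, rule line, related line): 'shadowed' = an earlier opposite-action rule takes every
    packet first; 'redundant' = an earlier same-action rule does; 'removable' = a later
    same-action rule covers it with no conflicting rule in between. Partial overlaps are not reported."""
    out = []
    for i, r in enumerate(rules):
        earlier = next((e for e in rules[:i] if covers(e, r)), None)
        if earlier is not None:
            out.append(("redundant" if earlier.action == r.action else "shadowed", r.line, earlier.line))
            continue
        for later in rules[i + 1:]:
            if later.action != r.action and overlaps(later, r):
                break                           # without r, some of its packets would hit this rule
            if later.action == r.action and covers(later, r):
                out.append(("removable", r.line, later.line))
                break
    return out

if __name__ == "__main__":
    for kind, line, other in analyze(parse_acl(ACL_102)) + analyze(parse_acl(ACL_100)):
        print(f"{kind:<9} {line}\n          because of: {other}")
```

Two things the output makes visible. In the posted ACL 102, "permit tcp any host 61.127.110.51 eq 443" sits after "deny ip any host 61.127.110.51", so HTTPS to that host was never reachable from outside; the line order, not the line, is the problem. In ACL 100 the per-host deny lines are not flagged as removable, because the "permit ip host ... any" that follows each one would otherwise let that host reach 192.168.0.0/24: lrmoore's two-line version is a restructuring (one deny before one permit), not a deletion of unused lines.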
 

 

Author Comment

by:tom233
Dear lrmoore,
I tried that (I entered only the commands you have listed),
but I lost the NAT functionality for my office, meaning we can't access the internet from eth-0. I didn't try eth-1.

Please advise.

Tom
0
 
LVL 79

Expert Comment

by:lrmoore
If you see my example, there is only one deny statement that prevents users on the 192.168.1.0 network from reaching users on the 192.168.0.0 network. All other deny statements have been taken out.

I hope you started with the same config you posted, then made the changes I suggested.

Add these lines to the config example in my last post:

!Remove access-lists from interfaces:
!
Interface Ethernet 0/0
 no ip access-group 101 in
Interface Ethernet 0/1
 no ip access-group 100 in
Interface Serial 0/0
 no ip access-group 102 in
!
<script from above>
no access-list 102
! allow more icmp:
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
<continue the access-list and remainder of script here>

Interface Ethernet 0/0
 ip access-group 101 in
Interface Ethernet 0/1
 ip access-group 100 in
Interface Serial 0/0
 ip access-group 102 in


If you need me to, I will post a complete configuration for you to cut and paste....advise...
0
 

Author Comment

by:tom233
Please DO (complete configuration).
I'm just starting to realise how much I don't understand...

Please maintain the NAT and the firewall rules.
eth0 can access all.
eth1 can access all internet.
Internet can access selected services on NAT addresses.

Many thanks..

Tom
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 50 total points
Please do a write erase, reload to blank config, then load this config:
!
hostname Cisco2611
!
enable password xxxx
!
ip source-route
no ip name-server
!
ip subnet-zero
no ip domain-lookup
ip routing
!
! Context-Based Access Control
!
ip inspect audit-trail
ip inspect tcp synwait-time 30
ip inspect tcp finwait-time 5
ip inspect tcp idle-time 3600
ip inspect udp idle-time 30
ip inspect dns-timeout 5
ip inspect one-minute low 900
ip inspect one-minute high 1100
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1100
ip inspect tcp max-incomplete host 50 block-time 0
!
! IP inspect Ethernet_0_1
!
no ip inspect name Ethernet_0_1
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
!
! IP inspect Ethernet_0_0
!
no ip inspect name Ethernet_0_0
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 udp
ip inspect name Ethernet_0_0 cuseeme
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 h323
ip inspect name Ethernet_0_0 rcmd
ip inspect name Ethernet_0_0 realaudio
ip inspect name Ethernet_0_0 smtp
ip inspect name Ethernet_0_0 streamworks
ip inspect name Ethernet_0_0 vdolive
ip inspect name Ethernet_0_0 sqlnet
ip inspect name Ethernet_0_0 tftp
!
!
interface Ethernet 0/0
 no shutdown
 description connected to SAIKI-TECH
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_0 in
!
interface Ethernet 0/1
 no shutdown
 description connected to DMZ
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_1 in
!
interface Serial 0/0
 no shutdown
 description connected to Internet
 ip address 61.126.86.58 255.255.255.252
 ip nat outside
 encapsulation ppp
!
interface Serial 0/1
 no description
 no ip address
 shutdown
!
!
no access-list 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
no access-list 100
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

no access-list 102
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any packet-too-big
!
access-list 102 permit tcp any host 61.127.110.50 eq smtp
access-list 102 permit tcp any host 61.127.110.51 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.51 eq www
access-list 102 permit tcp any host 61.127.110.51 eq 443
access-list 102 permit tcp any host 61.127.110.54 eq smtp
access-list 102 permit tcp any host 61.127.110.54 eq 22
access-list 102 permit tcp any host 61.127.110.54 eq pop3
access-list 102 permit udp any host 61.127.110.53 eq domain
access-list 102 permit udp any host 61.127.110.53 eq 1646
access-list 102 permit tcp any host 61.127.110.53 eq 22
access-list 102 permit udp any host 61.127.110.53 eq 1645
access-list 102 permit udp any host 61.127.110.55 eq domain
access-list 102 permit udp any host 61.127.110.55 eq 1645
access-list 102 permit udp any host 61.127.110.55 eq 1646
access-list 102 permit tcp any host 61.127.110.55 eq 22
access-list 102 permit icmp any host 61.127.110.56
access-list 102 permit tcp any host 61.127.110.56 eq www
access-list 102 permit tcp any host 61.127.110.56 range ftp-data ftp
access-list 102 permit tcp any host 61.127.110.56 eq 443
access-list 102 permit tcp any host 61.127.110.57 eq www
access-list 102 permit tcp any host 61.127.110.57 eq 3389
access-list 102 permit tcp any host 61.127.110.58 eq 3389
access-list 102 permit tcp any host 61.127.110.59 eq 22
access-list 102 permit tcp any host 61.127.110.59 eq smtp
access-list 102 permit tcp any host 61.127.110.59 eq pop3
access-list 102 permit tcp any host 61.127.110.60 eq www
access-list 102 permit tcp any host 61.127.110.61 eq www
access-list 102 permit tcp any host 61.127.110.62 eq www
access-list 102 permit tcp any host 61.127.110.52 eq smtp
access-list 102 permit tcp any host 61.127.110.52 eq 22
access-list 102 permit tcp any host 61.127.110.52 eq pop3
access-list 102 deny ip any any log

!
! Static NAT
!
ip nat inside source static 192.168.1.2 61.127.110.50
ip nat inside source static 192.168.1.6 61.127.110.56
ip nat inside source static 192.168.1.4 61.127.110.51
ip nat inside source static 192.168.1.14 61.127.110.55
ip nat inside source static 192.168.1.12 61.127.110.53
ip nat inside source static 192.168.1.20 61.127.110.60
ip nat inside source static 192.168.1.3 61.127.110.58
ip nat inside source static 192.168.1.7 61.127.110.57
ip nat inside source static 192.168.1.10 61.127.110.52
ip nat inside source static 192.168.1.8 61.127.110.54
ip nat inside source static 192.168.1.19 61.127.110.59
ip nat inside source static 192.168.1.21 61.127.110.61
ip nat inside source static 192.168.1.22 61.127.110.62
!
! Dynamic NAT
!
ip nat translation timeout 86400
ip nat translation tcp-timeout 86400
ip nat translation udp-timeout 300
ip nat translation dns-timeout 60
ip nat translation finrst-timeout 60
ip nat pool Cisco2611-natpool-1 61.127.110.49 61.127.110.49 netmask 255.255.255.240
ip nat inside source list 1 pool Cisco2611-natpool-1 overload
!
!
Interface Ethernet 0/0
 ip access-group 101 in
!
Interface Ethernet 0/1
 ip access-group 100 in
!
Interface Serial 0/0
 ip access-group 102 in
!
!
ip classless
!
! IP Static Routes
ip route 0.0.0.0 0.0.0.0 Serial 0/0
no ip http server
snmp-server community public RO
no snmp-server location
no snmp-server contact
!
line console 0
 exec-timeout 0 0
 password xxxx
 login
!
line vty 0 4
 password xxxx
 login
!
end
0
 

Author Comment

by:tom233
lrmoore san,
I tried this config and again the subnet 192.168.0.0 has no internet access; only 192.168.1.0 can access the internet.

Anyway,
I tried the first config again and disabled all irrelevant services, and it seems ok.

I would like to ask you: how do I check the router's security level?

Thanks,
Tom
0
 
LVL 79

Expert Comment

by:lrmoore
The reason it did not work is because I forgot one line:
! access-list 1 is required for the nat statement:

ip nat inside source list 1 pool Cisco2611-natpool-1 overload

! the wildcard mask is required: a bare address in a standard list matches only that one host
access-list 1 permit 192.168.0.0 0.0.0.255
! the original access-list 1 also covered the DMZ subnet (hosts without a static translation)
access-list 1 permit 192.168.1.0 0.0.0.255

Check your security by watching your access-list hits and watching the log entries for denied packets:

Cisco2611# sho ip access-list

Cisco2611# sho log
0
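The slip lrmoore corrects above (a NAT statement pointing at an access-list that the rest of the config never defines) is the kind of thing a cross-check of the text catches before it is loaded, and the same check shows why the wildcard mask on "access-list 1" matters. The script below is an added example, not from the thread or from Cisco: it reads an IOS-style configuration, reports references to access-lists, inspect names and NAT pools that are never defined, and reports every "ip nat inside" interface whose subnet no "ip nat inside source list" permits in full. The configuration excerpt is constructed from the final config posted above with the static translations and inspect timers left out, since the checks ignore them; interface sub-commands are assumed to be indented the way IOS writes them, and a bare address in a standard list is treated as a single host, which is how IOS treats it.

```python
MASK = 0xFFFFFFFF

# Constructed excerpt of the final configuration posted in the thread (abridged).
CONFIG = """\
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_1 tcp
!
interface Ethernet 0/0
 ip address 192.168.0.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_0 in
 ip access-group 101 in
!
interface Ethernet 0/1
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip inspect Ethernet_0_1 in
 ip access-group 100 in
!
interface Serial 0/0
 ip address 61.126.86.58 255.255.255.252
 ip nat outside
 ip access-group 102 in
!
no access-list 101
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
no access-list 100
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no access-list 102
access-list 102 deny ip any any log
!
ip nat pool Cisco2611-natpool-1 61.127.110.49 61.127.110.49 netmask 255.255.255.240
ip nat inside source list 1 pool Cisco2611-natpool-1 overload
"""
# The follow-up line without a wildcard mask, and the version that covers both inside subnets.
FIX_HOST_ONLY = "access-list 1 permit 192.168.0.0\n"
FIX = "access-list 1 permit 192.168.0.0 0.0.0.255\naccess-list 1 permit 192.168.1.0 0.0.0.255\n"

def ip2int(a):
    o = [int(x) for x in a.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]

def entry_covers(entry, net):
    """Standard-list entry (addr, wildcard) matches every address of net (addr, hostbits)."""
    (a, w), (n, h) = entry, net
    return (h & ~w & MASK) == 0 and (a & ~w & MASK) == (n & ~w & MASK)

def std_entry(t):
    """Tokens after permit/deny in a standard list: any | host A | A WILDCARD | A (one host)."""
    t = [x for x in t if x != "log"]
    if t[0] == "any":
        return (0, MASK)
    if t[0] == "host":
        return (ip2int(t[1]), 0)
    return (ip2int(t[0]), ip2int(t[1]) if len(t) > 1 else 0)

def lint(config):
    """Findings: dangling references, and 'ip nat inside' subnets no NAT source list permits."""
    acls, inspects, pools, std = set(), set(), set(), {}
    refs, ifaces, nat_lists, cur = [], {}, [], None
    for raw in config.splitlines():
        t = raw.split()
        if not raw[:1].isspace():            # an unindented line ends any interface block
            cur = None
        if not t or t[0] in ("!", "no"):     # comments and 'no access-list N' define nothing
            continue
        t[0] = t[0].lower()
        if t[0] == "interface":
            cur = " ".join(t[1:])
            ifaces[cur] = {"net": None, "nat_inside": False}
        elif cur and t[:2] == ["ip", "address"]:
            mask = ip2int(t[3])
            ifaces[cur]["net"] = (ip2int(t[2]) & mask, ~mask & MASK)
        elif cur and t == ["ip", "nat", "inside"]:
            ifaces[cur]["nat_inside"] = True
        elif cur and t[:2] == ["ip", "access-group"]:
            refs.append(("access-list", t[2], cur))
        elif cur and t[:2] == ["ip", "inspect"] and t[-1] in ("in", "out"):
            refs.append(("ip inspect name", t[2], cur))
        elif t[:3] == ["ip", "inspect", "name"]:
            inspects.add(t[3])
        elif t[:3] == ["ip", "nat", "pool"]:
            pools.add(t[3])
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            refs.append(("access-list", t[5], raw.strip()))
            nat_lists.append(t[5])
            if t[6] == "pool":
                refs.append(("ip nat pool", t[7], raw.strip()))
        elif t[0] == "access-list":
            acls.add(t[1])
            n = int(t[1]) if t[1].isdigit() else 0
            if (1 <= n <= 99 or 1300 <= n <= 1999) and t[2] == "permit":
                std.setdefault(t[1], []).append(std_entry(t[3:]))
    defined = {"access-list": acls, "ip inspect name": inspects, "ip nat pool": pools}
    findings = [f"{where}: references undefined {kind} {name}"
                for kind, name, where in refs if name not in defined[kind]]
    for name, info in ifaces.items():
        if info["nat_inside"] and info["net"] and not any(
                entry_covers(e, info["net"]) for l in nat_lists for e in std.get(l, [])):
            findings.append(f"{name}: 'ip nat inside' but no NAT source list permits its whole subnet")
    return findings

if __name__ == "__main__":
    for label, text in (("as posted", CONFIG), ("+ host-only list", CONFIG + FIX_HOST_ONLY), ("+ fixed", CONFIG + FIX)):
        print(label, "->", lint(text) or "clean")
```

Against the posted text the first run reports the undefined access-list 1 and both inside interfaces without a covering NAT list; adding "access-list 1 permit 192.168.0.0" clears the dangling reference but leaves both subnets uncovered, because that line matches exactly one address; only the entries with a 0.0.0.255 wildcard make the output clean.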
