Solved

Cisco 877 internet access problem from VLAN1

Posted on 2008-11-08
Last Modified: 2012-05-05
Hi there, I have done an initial configuration using SDM with the following facts:

1. VLAN1 set up with range 192.168.0.1 - 255 in the DHCP available addresses - other machines added to ethernet ports on Cisco 877 pick up IP addresses OK within this range
2. Dialer0 interface set up correctly to connect to my ADSL connection, connection test successful pinging external domain e.g. www.google.com
3. NAT configured with VLAN1 entire range as inside and Dialer0 as outside

But I cannot browse the internet using a browser from anywhere within VLAN1.

How can I get to browse the web?
Question by:butterhook
LVL 4

Expert Comment

by:futurefiles
ID: 22912789
Can you do a show run and paste your config?
LVL 1

Author Comment

by:butterhook
ID: 22912915
Here it is. Passwords and domains etc. replaced with 'blah'
Thanks!
!This is the running config of the router: 192.168.0.2
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$Nh.H$kYh6B6XVs5urKjdqvCYg90
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.2
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.2 
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name blah.blah
ip name-server blah.blah.blah.blah
ip name-server blah.blah.blah.blah
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1033066415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1033066415
 revocation-check none
 rsakeypair TP-self-signed-1033066415
!
!
crypto pki certificate chain TP-self-signed-1033066415
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31303333 30363634 3135301E 170D3032 30333031 30323030 
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333330 
  36363431 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81009FA8 D7B7B6AD C5118292 FC22D708 98489AF5 530E1652 401CBEB9 C593E98E 
  68D39738 04DFFFD0 FF6DED68 6B63512A 1D437999 08566A1B 9983E523 82048562 
  7751BE86 FC1E5B60 4CBE4CDE 69FB31C6 8377223B 3A1637F4 AFA82172 1FE918BF 
  58D41028 3A76FD6F 78CB84A3 E93131F7 A24A3C69 5D1B2EAF B5A5E380 6E6F8796 
  E8770203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 149290B9 069F09A6 48B46DFA AE888812 ADCFFEB9 
  16301D06 03551D0E 04160414 9290B906 9F09A648 B46DFAAE 888812AD CFFEB916 
  300D0609 2A864886 F70D0101 04050003 8181008F 67D10E0B A6B76DB6 A84A62F9 
  32004E04 0BDE7A7F 99074135 CBC4C568 883D1197 8E4FC287 40A53F84 E6C07167 
  48123F94 48994106 948689B4 975E178E 24ECF414 009E5A51 78444AD1 32B87D1B 
  4A9D3370 5BD0FDE2 FB67EA8B BDD1B825 BD73A2A9 E0A6EDF6 4B0FF8AE AB46DCB4 
  DB12EB3C 343573C1 8C9FF08D CBDB0785 DB77FD
  quit
username administrator privilege 15 secret 5 $1$WF71$VGG9ZNckoRE0CWcWLnfxp0
!
! 
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 no snmp trap link-status
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname blah@blah.demonadsl.co.uk
 ppp chap password 7 0707205F460118161F
 ppp pap sent-username blah@blah.demonadsl.co.uk password 7 blah
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
logging trap debugging
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 158.152.1.43 eq domain any
access-list 101 permit udp host 158.152.1.58 eq domain any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

LVL 4

Expert Comment

by:futurefiles
ID: 22913016
I don't see any NAT statement...

pppoanat.pdf
LVL 79

Expert Comment

by:lrmoore
ID: 22913154
futurefiles is correct that you need nat. Here is what you need to enter:

interface dialer 0
 ip nat outside

interface vlan 1
 ip nat inside

access-list 10 permit 192.168.0.0 0.0.0.255
ip nat inside source list 10 interface Dialer0 overload
 
LVL 1

Author Comment

by:butterhook
ID: 22917477
Hello, I've tried the NAT configuration and appear to have set it up right according to your recommendations, though I still cannot connect. Here is my updated config - could you have a look at it? Thanks so much.

What could stop this NAT configuration working? It's strange that I can ping internet domains successfully every time but can't get the NAT sorted despite doing all the right bits according to both the SDM interface and your own recommendations ... is there any particular way I should be connecting equipment to the router itself? I suppose the computer I am using SDM on should be able to simultaneously connect using its browser to the web?

Thanks again.




!This is the running config of the router: 172.16.0.2
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.0.1 172.16.0.2
ip dhcp excluded-address 172.16.1.0 172.16.255.254
!
ip dhcp pool sdm-pool
   import all
   network 172.16.0.0 255.255.0.0
   default-router 172.16.0.2 
!
!
ip domain name yourdomain.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
crypto pki trustpoint TP-self-signed-1033066415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1033066415
 revocation-check none
 rsakeypair TP-self-signed-1033066415
!
!
crypto pki certificate chain TP-self-signed-1033066415
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31303333 30363634 3135301E 170D3032 30333031 30323237 
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333330 
  36363431 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  81009FA8 D7B7B6AD C5118292 FC22D708 98489AF5 530E1652 401CBEB9 C593E98E 
  68D39738 04DFFFD0 FF6DED68 6B63512A 1D437999 08566A1B 9983E523 82048562 
  7751BE86 FC1E5B60 4CBE4CDE 69FB31C6 8377223B 3A1637F4 AFA82172 1FE918BF 
  58D41028 3A76FD6F 78CB84A3 E93131F7 A24A3C69 5D1B2EAF B5A5E380 6E6F8796 
  E8770203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 149290B9 069F09A6 48B46DFA AE888812 ADCFFEB9 
  16301D06 03551D0E 04160414 9290B906 9F09A648 B46DFAAE 888812AD CFFEB916 
  300D0609 2A864886 F70D0101 04050003 8181001B C763857E 98B3126E C5EBF972 
  EA634960 A3FB9124 BDEA63CF D9CBE787 70CF2ECB B0EF1526 38E6FA36 7A746E33 
  DD1DEE43 6C12AD8C CC6E0C01 B4F3A8A9 A51F4AA0 6C476484 B7D0844B 154DFC06 
  9F9D3519 7BB702E7 AC167395 86FD2CCB 1DDE5B0C A87C548C BB5C49E2 B80EC1EE 
  5AE6DCD7 AC5822D5 02A4DB48 E8043D97 01D3FB
  quit
username administrator privilege 15 secret 5 x.
!
! 
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 description Main ADSL
 no snmp trap link-status
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description General VLAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 172.16.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 x
 ppp pap sent-username x password 0 hashhash
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 199 interface Dialer0 overload
!
access-list 199 remark Charlie's NAT rule
access-list 199 remark SDM_ACL Category=2
access-list 199 remark Permit any VLAN host to see the internet
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^CC
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use. 
 
For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

LVL 79

Expert Comment

by:lrmoore
ID: 22917498
What IP address does your pc get that you are running SDM on? 172.16.0.x?
Setup a continuous ping on the pc to 198.6.1.2
C:\>ping -t 198.6.1.2
Then post result of "show ip nat trans"
and result of "sho ip access-list 199"
LVL 1

Author Comment

by:butterhook
ID: 22920022
Hi there. Will do. Out of interest, what is the relevance of 198.6.1.2?
LVL 79

Expert Comment

by:lrmoore
ID: 22920958
198.6.1.2 is just a permanent tier 1 dns cache server that is always on line and always responds to pings.
LVL 4

Assisted Solution

by:futurefiles
futurefiles earned 450 total points
ID: 22920999
try adding this....

ip nat inside source list 199 interface Dialer0 overload
LVL 1

Author Comment

by:butterhook
ID: 22921011
That is already in the current configuration.
LVL 4

Expert Comment

by:futurefiles
ID: 22921017
So it is, I missed that!
LVL 1

Author Comment

by:butterhook
ID: 22921028
No probs - thanks so much for your efforts! Will be interesting to see the fruits of my ping experiment later.
LVL 4

Expert Comment

by:futurefiles
ID: 22921046
I think you need to add to.................
interface ATM0.1 point-to-point
 description Main ADSL
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
add this............
 ip nat outside
LVL 4

Expert Comment

by:futurefiles
ID: 22921050
or to interface ATM0, not sure which
LVL 4

Expert Comment

by:futurefiles
ID: 22921073
No, I'm way off there, ignore me this time!
LVL 1

Author Comment

by:butterhook
ID: 22921097
What is the difference between the ATM0, ATM 0.1 and Dialer0?

ATM0 appears to be in the default configuration but cannot be edited within SDM
ATM0.1 appears when I create a new DSL connection using the SDM wizard, and I can test this connection OK
Dialer0 - what is this one?

Which bit should I ignore? All of the ATM changes you mention?
LVL 4

Expert Comment

by:futurefiles
ID: 22921110
ignore all of it
LVL 79

Expert Comment

by:lrmoore
ID: 22921122
Yes, ignore all of futurefiles' latest posts. I think more coffee is in order.
ATM0 is the physical interface
ATM0.1 is the logical interface for the PVC
Dialer0 is the interface that attaches to the PVC, gets the IP address and sends the username/pass, etc..
Dialer0 is where the ip nat outside goes.
LVL 4

Expert Comment

by:futurefiles
ID: 22921124
The only difference I can see between yours and one I just set up is the access list
MINE
access-list 199 permit 172.16.0.0 0.0.0.255
YOURS
access-list 199 permit 172.16.0.0 0.0.0.255 any log
LVL 4

Expert Comment

by:futurefiles
ID: 22921129
The coffee's where it all started... NO MORE!!!
LVL 4

Expert Comment

by:futurefiles
ID: 22921134
lrmoore, you're the GURU! What's your take on it?
LVL 1

Author Comment

by:butterhook
ID: 22921142
When you say one you just set up, do you mean an actual router with the same settings as mine?
LVL 4

Expert Comment

by:futurefiles
ID: 22921178
different model but an 800 series
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1050 total points
ID: 22921214
Ok, switching you to decaf!
Both acls that futurefiles posted are incorrect and neither would work. What you have currently in acl 199 is correct.

MINE
access-list 199 permit 172.16.0.0 0.0.0.255 <== standard acl cannot be "199"  but could be 99
YOURS
access-list 199 permit 172.16.0.0 0.0.0.255 any log <== actually
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log <== this is what is in the config and correct.
Notice the "ip" and the "any" must be in an extended access-list numbered 100 or higher

LVL 1

Author Comment

by:butterhook
ID: 22921218
Should I be able to access the web on the same PC from which I'm running SDM? i.e. ethernet cable directly to the port on the 877
LVL 4

Expert Comment

by:futurefiles
ID: 22921226
Thanks lrmoore, only my fourth week configuring Ciscos but learning heaps.
LVL 79

Expert Comment

by:lrmoore
ID: 22921244
>Should I be able to access the web on the same PC from which I'm running SDM
Yes, but I need to see the information from "ipconfig/all" and "route print" from your PC
Then I will need to see the output of the show commands listed earlier.
LVL 1

Author Comment

by:butterhook
ID: 22921365
Do I need to change ACL 199 to number 99 instead?
LVL 79

Expert Comment

by:lrmoore
ID: 22921465
No.
What you have is correct.
LVL 1

Author Comment

by:butterhook
ID: 22923037
show ip nat trans
sho ip access-list 199

What interface do I write these commands into? Can I do it somewhere in SDM?
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 1050 total points
ID: 22923071
Preferably from the router console
yourname>enable
Password:
yourname#sho ip nat trans

yourname#sho ip access-list 199

You still have not provided information on your PC's configuration. I would like to verify that it is getting the proper IP address, subnet mask, default gateway and DNS settings.
LVL 1

Author Comment

by:butterhook
ID: 22923836
Hi there, I've done the following:

1. Got the ipconfig /all details
2. done the pings and sho ip stuff
3. done the route print

The results to all of this are in the attached file.

Thanks - please note that the configuration is identical.
ipconfig-sho-ip-route-print.txt
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 1050 total points
ID: 22925932
I don't see any DNS server settings in your ipconfig/all output.
Consider adding them explicitly to the dns scope/pool on the router.

I also don't see any hits on the access-list 199, which means the router is not seeing it, and because it is not hitting acl 199 then of course it is not being NATted...

Can you post result of 'show ip int brief' from the router?
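Added example, not part of the thread: lrmoore's diagnosis runs in a fixed order, and the two show commands he asked for decide it. A `show ip access-lists` that reports no matches on the NAT ACL means nothing from the LAN was ever classified as NAT-eligible (the packets never reached the router, or came from an address the ACL's source range does not cover); matches but nothing in `show ip nat translations` for the PC points at the overload statement or the inside/outside marking; translations present means NAT is working and the fault is further along, which in this thread turned out to be DNS. The Python below applies that order to pasted output. The show outputs are constructed in the IOS 12.4 format (the asker's attachment is not on the page) and use 198.6.1.2, the ping target lrmoore suggested, as the outside address; the ACL number and PC address are parameters, not values taken from the thread.

```python
"""Added example (not from the thread): triage the 'show ip access-list' and
'show ip nat translations' output lrmoore asked for, in the order he reasoned."""
import re

# Constructed outputs in IOS 12.4 format; the asker's real attachment is not on the page.
SHOW_ACL_NO_HITS = """\
Extended IP access list 199
    10 permit ip 172.16.0.0 0.0.0.255 any log
"""
SHOW_ACL_HITS = """\
Extended IP access list 199
    10 permit ip 172.16.0.0 0.0.0.255 any log (37 matches)
"""
SHOW_NAT_EMPTY = """\
Pro Inside global      Inside local       Outside local      Outside global
"""
SHOW_NAT_ACTIVE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 203.0.113.1:512   172.16.0.5:512     198.6.1.2:512      198.6.1.2:512
"""

def acl_matches(show_acl, number):
    """Sum the '(N matches)' counters of one numbered ACL in 'show ip access-lists' output."""
    in_list, total = False, 0
    for line in show_acl.splitlines():
        if m := re.match(r"(?:Standard|Extended) IP access list (\S+)", line):
            in_list = m[1] == str(number)
        elif in_list and (m := re.search(r"\((\d+) matches\)", line)):
            total += int(m[1])
    return total

def nat_translations(show_nat):
    """Parse 'show ip nat translations' rows into (proto, inside local, outside global)."""
    rows = []
    for line in show_nat.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) == 5:
            rows.append((parts[0], parts[2], parts[4]))
    return rows

def triage(show_acl, show_nat, nat_acl, pc_ip):
    """Name the first stage that fails for pc_ip, checked in the thread's order."""
    if acl_matches(show_acl, nat_acl) == 0:
        return "no-hits: nothing from the LAN matched the NAT ACL; check the PC's gateway/subnet and the ACL's source range"
    if not [t for t in nat_translations(show_nat) if t[1].split(":")[0] == pc_ip]:
        return "no-translation: ACL matches but no translation for the PC; check ip nat inside/outside and the overload statement"
    return "natted: translations exist, so look past NAT (DNS handed to clients, upstream path)"
```

Run the continuous ping first, as lrmoore said, so the counters and translation table have something to show; a translation for the PC's ICMP to 198.6.1.2 with no reply is then an upstream question, not a NAT one.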
LVL 1

Author Comment

by:butterhook
ID: 22928550
On my other (Netgear!) router, it comes up with the IP addresses for DNS servers, which I copied into SDM under the DNS server settings. I know when I test the connection it uses these DNS servers to locate the remote server e.g. www.google.com which was tested correctly.

Where do I place the DNS server settings in order to get them to populate through to hosts on the domain?

Attached are the results to 'sho ip int brief'

Thanks so much!
sho-ip-int-brief.txt
LVL 4

Assisted Solution

by:futurefiles
futurefiles earned 450 total points
ID: 22928623
put them in your dhcp pool
dns-server x.x.x.x x.x.x.x
LVL 1

Author Comment

by:butterhook
ID: 22928754
So if I have 2 DNS servers available I would just put it in like
dns-server address1 address2

?
LVL 4

Expert Comment

by:futurefiles
ID: 22928840
yes
LVL 1

Author Comment

by:butterhook
ID: 22935689
You guys will be pleased to hear that I have solved the internet access problem. I'll post what I think the solution was tomorrow.
LVL 79

Expert Comment

by:lrmoore
ID: 22935990
Awesome!
LVL 1

Author Comment

by:butterhook
ID: 22938015
I'll post the differences in the configs up later. As originally suggested, the problems related to the DNS servers not being transferred across to hosts in the DHCP pool, and also wrongly configured NAT. You guys have been great - and I have learnt loads so thanks for your help. Will post up the information later this evening.
LVL 1

Author Comment

by:butterhook
ID: 22976817
Hi Guys, attached are, I believe, the changes that made the config work.

As you can see - DNS servers are specified (I've used x in the IP addresses to obfuscate them)

I also enabled RIP

and you can also see the access rules.

Thanks for your help, I believe you both helped me learn so you will see what I hope is a fair breakdown of the points between you both.
!
ip dhcp pool sdm-pool
   network 172.16.0.0 255.255.0.0
   dns-server x.x.1.58 x.x.1.43 
   default-router 172.16.0.2 
!
---------------------
 
!
interface Vlan1
 description General VLAN$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 172.16.0.2 255.255.0.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
 
----------------
 
!
router rip
 passive-interface Dialer0
 network 172.16.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.16.0.10 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.11 3390 interface Dialer0 3390
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq www
access-list 101 permit udp host 158.152.1.43 eq domain any
access-list 101 permit udp host 158.152.1.58 eq domain any
access-list 101 deny   ip 172.16.0.0 0.0.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 195 remark permit HTTP traffic
access-list 195 remark SDM_ACL Category=2
access-list 195 permit tcp any any eq www
access-list 199 remark Charlie's NAT rule
access-list 199 remark SDM_ACL Category=2
access-list 199 remark Permit any VLAN host to see the internet
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log
dialer-list 1 protocol ip permit
no cdp run
!

 
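Added example, not part of the thread and not Cisco tooling: the checks that futurefiles and lrmoore walked through above are mechanical enough to script before a config is pasted into SDM or the CLI. The Python below reads an IOS-style text config and reports: no `ip nat inside` / `ip nat outside` pair on the interfaces; no `ip nat inside source list ... overload` statement; an ACL whose syntax does not match the number range it sits in (lrmoore's point that a standard-syntax line cannot be numbered 199 but could be 99, and the reverse); `log` on the ACL that selects NAT traffic; a DHCP pool without `dns-server`, which was the actual fix; and a static port-forward that the ACL applied inbound on the outside interface never permits. The sample config is constructed from the configs posted in this thread, and the finding codes and messages are my own. The last check is worth noting against the final config above: `ip nat inside source static tcp 172.16.0.11 3390 interface Dialer0 3390` is forwarded, but access-list 101 permits only tcp 3389 and www inbound, so if 101 is still applied inbound on Dialer0 as it was in the first config, port 3390 never gets past the firewall.

```python
"""Added example (not from the thread): lint an IOS-style config for the NAT, ACL and DHCP problems discussed above."""
import re

# Constructed sample modelled on the configs posted above; it deliberately carries three
# of the problems discussed: no dns-server, 'log' on the NAT ACL, a forward that ACL 101 blocks.
SAMPLE_CONFIG = """\
ip dhcp pool sdm-pool
   network 172.16.0.0 255.255.0.0
   default-router 172.16.0.2
!
interface Vlan1
 ip nat inside
!
interface Dialer0
 ip access-group 101 in
 ip nat outside
!
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 172.16.0.11 3390 interface Dialer0 3390
access-list 101 permit tcp any any eq 3389
access-list 101 deny   ip any any
access-list 199 permit ip 172.16.0.0 0.0.0.255 any log
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "smtp": 25, "telnet": 23}
STANDARD = lambda n: 1 <= n <= 99 or 1300 <= n <= 1999     # IOS numbered-ACL ranges
EXTENDED = lambda n: 100 <= n <= 199 or 2000 <= n <= 2699  # protocol + src + dst

def parse(config):
    """Collect interfaces, DHCP pools, NAT statements and numbered ACLs from config text."""
    interfaces, pools, acls, nat_lists, statics = {}, {}, {}, [], []
    block = None                      # (dict, name) of the open indented section
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" "):       # indented: belongs to the open section
            if block:
                block[0][block[1]].append(line)
            continue
        block = None
        if m := re.match(r"interface (\S+)$", line):
            block, interfaces[m[1]] = (interfaces, m[1]), []
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            block, pools[m[1]] = (pools, m[1]), []
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", line):
            nat_lists.append((m[1], m[2]))
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", line):
            statics.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif m := re.match(r"access-list (\d+) (.*)", line):
            if not m[2].startswith("remark"):
                acls.setdefault(m[1], []).append(m[2].split())
    return interfaces, pools, nat_lists, statics, acls

def _skip(e, i):                      # index just past 'any', 'host A' or 'A WILDCARD'
    return i + 1 if i >= len(e) or e[i] == "any" else i + 2

def permits_port(entries, proto, port):
    """First-match walk of an extended ACL, addresses ignored. A line is read as proto,
    src, [src port], dst, [dst port], so an 'eq' right after the source is a source port."""
    for e in entries:
        if e[1] not in (proto, "ip"):
            continue
        i = _skip(e, 2)
        if i < len(e) and e[i] in ("eq", "neq", "gt", "lt"):
            i += 2                                    # skip the source-port operator
        i = _skip(e, i)
        dst = PORT_NAMES.get(e[i + 1], e[i + 1]) if i + 1 < len(e) and e[i] == "eq" else None
        if dst is None or str(dst) == str(port):
            return e[0] == "permit"                   # first matching entry decides
    return False

def lint(config):
    """Return 'CODE: explanation' findings; an empty list means nothing was found."""
    interfaces, pools, nat_lists, statics, acls = parse(config)
    out, roles = [], {l for ls in interfaces.values() for l in ls if l.startswith("ip nat ")}
    if not {"ip nat inside", "ip nat outside"} <= roles:
        out.append("NAT-IFACES: need 'ip nat inside' on the LAN side and 'ip nat outside' on Dialer0")
    if not nat_lists:
        out.append("NAT-RULE: no 'ip nat inside source list ... interface ... overload' statement")
    nat_acls = {acl for acl, _ in nat_lists}
    for num, entries in acls.items():
        kind = "extended" if EXTENDED(int(num)) else "standard" if STANDARD(int(num)) else None
        for e in entries:
            has_proto = len(e) > 1 and e[1] in PROTOCOLS
            if kind and (kind == "extended") != has_proto:
                out.append(f"ACL-SYNTAX: {num} is a {kind} number but '{' '.join(e)}' is not {kind} syntax; IOS rejects it")
            if num in nat_acls and "log" in e:
                out.append(f"NAT-ACL-LOG: access-list {num} selects NAT traffic; drop 'log' (logged matches are process-switched and swamp the log)")
    for name, ls in pools.items():
        if not any(l.startswith("dns-server") for l in ls):
            out.append(f"DHCP-DNS: pool {name} hands out no dns-server, so clients cannot resolve names")
    for proto, host, inport, iface, outport in statics:   # port-forward vs the outside-in ACL
        acl = next((l.split()[2] for l in interfaces.get(iface, [])
                    if l.startswith("ip access-group ") and l.endswith(" in")), None)
        if acl and not permits_port(acls.get(acl, []), proto, outport):
            out.append(f"FWD-BLOCKED: {proto}/{outport} -> {host}:{inport} is forwarded, but access-list {acl} inbound on {iface} never permits it")
    return out
```

Two things it does not check but the posted configs show: the vty lines accept telnet alongside ssh, and the first config was pasted with a `password 7` string for the PPP CHAP password. Type 7 is a reversible obfuscation, not a hash, so that credential should be treated as disclosed once it has been posted, and `transport input ssh` alone is the safer vty setting.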
LVL 1

Author Closing Comment

by:butterhook
ID: 31514673
Thanks. I used the hints from both of you to solve my problem and get a better understanding of my new router, VLANs and firewalls and NATing in general. So thanks again!