
IOS: help me with my ACL

xyyz

Diamond Member
I have a VoIP box behind my 831 running 12.3. I need to redirect ports 10000-20000, amongst others, to that VoIP box.

Any ideas how to do it?

---------------

Second problem:

I get this error when trying to fetch an IP address from RR. I'm sure it's an ACL problem, because disabling the ACL lets the interface fetch an IP address via DHCP.

*Mar 1 08:30:41.027: B'cast on Ethernet1 interface from 0.0.0.0
*Mar 1 08:30:45.019: DHCP: SDiscover attempt # 3 for entry:
*Mar 1 08:30:45.019: Temp IP addr: 0.0.0.0 for peer on Interface: Ethernet1
*Mar 1 08:30:45.019: Temp sub net mask: 0.0.0.0
*Mar 1 08:30:45.019: DHCP Lease server: 0.0.0.0, state: 1 Selecting
*Mar 1 08:30:45.019: DHCP transaction id: 13B7
*Mar 1 08:30:45.019: Lease: 0 secs, Renewal: 0 secs, Rebind: 0 secs
*Mar 1 08:30:45.023: Next timer fires after: 00:00:04
*Mar 1 08:30:45.023: Retry count: 3 Client-ID: cisco-0012.8032.a8b1-Et1
*Mar 1 08:30:45.023: Client-ID hex dump: 636973636F2D303031322E383033322E
*Mar 1 08:30:45.023: 613862312D457431
*Mar 1 08:30:45.027: Hostname: pluto
*Mar 1 08:30:45.027: DHCP: SDiscover: sending 292 byte length DHCP packet
*Mar 1 08:30:45.027: DHCP: SDiscover 292 bytes
*Mar 1 08:30:45.027: B'cast on Ethernet1 interface from 0.0.0.0
*Mar 1 08:30:49.019: DHCP: QScan: Timed out Selecting state%Unknown DHCP problem.. No allocation possible


Here's my ACL:

ip inspect name CBAC udp
ip inspect name CBAC icmp
ip inspect name CBAC tcp
ip inspect name CBAC sip
ip inspect name CBAC http
ip inspect name CBAC smtp
ip inspect name CBAC fragment maximum 256 timeout 1
ip inspect name CBAC ftp
ip inspect name CBAC dns
ip inspect name CBAC ssh
ip inspect name CBAC nntp
ip inspect name CBAC ntp
ip inspect name CBAC https
ip inspect name CBAC appleqtc
ip inspect name CBAC ftps
no ip ips deny-action ips-interface

ip access-list extended allowed_inbound_traffic
permit icmp any host 10.10.100.1 administratively-prohibited
permit icmp any host 10.10.100.1 echo
permit icmp any host 10.10.100.1 echo-reply
permit icmp any host 10.10.100.1 packet-too-big
permit icmp any host 10.10.100.1 time-exceeded
permit icmp any host 10.10.100.1 traceroute
permit icmp any host 10.10.100.1 unreachable
permit udp any any eq 6112
permit tcp any any eq 6112
permit udp any any eq 12365
permit tcp any any eq 12365
permit tcp any any range 1020 1032
permit udp any any range 1020 1032
permit tcp any any range 5060 5065
permit udp any any range 5060 5065
permit tcp any any range 10000 20000
permit udp any any range 10000 20000
permit tcp any any eq 546
permit udp any any eq 546

interface Ethernet1
description INTERNET
bandwidth 384
ip address dhcp
ip access-group allowed_inbound_traffic in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect CBAC out
ip virtual-reassembly
no ip mroute-cache
duplex full
no cdp enable
service-policy output MyQoSPolicy

Does anything stand out?

For some reason, I'm thinking that I need to give outbound access for the DHCP client ports on e1.
 
Shouldn't need to set up outbound access, as there is no ACL applied in that direction. Try this instead of your last two TCP/UDP port 546 permits...

permit udp any any eq bootpc
permit udp any any eq bootps
 
Alright, that worked.

Thanks... now I'm having yet another issue.

There is no connectivity.

I've stripped the config to the bare minimum, yet I'm still not getting connectivity. The router seems to connect, because I can ping pretty much anything, but the hosts behind the router can't do much.

Here's the config:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret ***
enable password ***
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
no crypto isakmp ccm
!
!
!
interface Ethernet0
ip address 10.10.100.1 255.255.255.248
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
bandwidth 384
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
no ip http secure-server
!
ip nat pool SINGLE_ADDRESS 10.10.100.1 10.10.100.1 netmask 255.255.255.248
ip nat inside source list OUTBOUND_ADDRESSES pool SINGLE_ADDRESS overload
!
!
ip access-list standard OUTBOUND_ADDRESSES
permit 10.10.100.4
permit 10.10.100.5
permit 10.10.100.2
permit 10.10.100.3
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
!
scheduler max-task-time 5000
end
 
Need a little more info about the client-side issues. Do they all receive IP addresses? Can they ping each other, the router, the cable modem, web sites, etc.? Giving it a very quick once-over, I'd look towards NAT...
 
The problem was with the NAT statement:

ip nat pool SINGLE_ADDRESS 10.10.100.1 10.10.100.1 netmask 255.255.255.248
ip nat inside source list OUTBOUND_ADDRESSES pool SINGLE_ADDRESS overload

I'm NATting the inside network to the inside address instead of the outside address, which obviously won't work. 🙂
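Putting the thread's two fixes together, as an added example rather than the poster's own config: the DHCP-client outside interface keeps its inbound ACL but permits the IPv4 DHCP ports (UDP 67/68, bootps/bootpc; UDP 546 is the DHCPv6 client port and does nothing for an IPv4 lease), and NAT overloads to the DHCP-assigned interface address instead of a pool holding the inside address. It assumes the VoIP box is 10.10.100.2 (a placeholder, one of the hosts in the poster's OUTBOUND_ADDRESSES list) and that the unrelated game-port permits are dropped.

```cisco
! Added example, not the poster's config. CBAC only opens return holes for
! sessions it inspected; the router's own DHCP exchange is not one of them,
! so the inbound ACL has to permit it explicitly.
no ip access-list extended allowed_inbound_traffic
ip access-list extended allowed_inbound_traffic
 ! IPv4 DHCP: server port 67 (bootps) to client port 68 (bootpc).
 ! UDP 546 is the DHCPv6 client port and does not help an IPv4 lease.
 permit udp any eq bootps any eq bootpc
 ! With "ip address dhcp" the outside address is not known in advance, so
 ! match on "any". The posted ACL named 10.10.100.1, which is the Ethernet0
 ! inside address and is never the destination on this interface, because
 ! an inbound ACL on a NAT outside interface is checked before translation.
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any packet-too-big
 ! SIP signalling and RTP media for the VoIP box (pre-NAT destination again).
 permit udp any any range 5060 5065
 permit udp any any range 10000 20000
 ! Make the implicit deny visible in the log for troubleshooting.
 deny ip any any log
!
interface Ethernet1
 description INTERNET
 ip address dhcp
 ip access-group allowed_inbound_traffic in
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
!
! NAT: remove the pool that pointed at the inside address and overload to
! the interface instead, so whatever address DHCP hands out is used.
no ip nat inside source list OUTBOUND_ADDRESSES pool SINGLE_ADDRESS overload
no ip nat pool SINGLE_ADDRESS 10.10.100.1 10.10.100.1 netmask 255.255.255.248
ip nat inside source list OUTBOUND_ADDRESSES interface Ethernet1 overload
!
! Port redirection to the VoIP box (assumed at 10.10.100.2, a placeholder).
! Classic IOS static PAT maps one port per line, so a 10000-20000 range
! means one line per port the box actually uses; SIP signalling shown here.
ip nat inside source static udp 10.10.100.2 5060 interface Ethernet1 5060
```

The `deny ip any any log` line also answers the "does anything stand out?" question for next time: hits on it show exactly which inbound traffic the ACL is refusing.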
 