837 won't pass traffic from eth0 to internet

I have an 837 that won't pass traffic from eth0 to the internet. The statically addressed hosts attached to the 1548M switch are in the same subnet as eth0, and there is a default route to pass eth0 traffic to atm0.1, but I seem to have a brick wall between eth0 and atm0.

When I set up a logging access list permitting traffic in both directions on eth0 and atm0, I can see traffic hitting eth0 from the switch, and can see inbound traffic hitting atm0 from the internet. The speed & duplex on the switch and the router are the same (not autodetect).

I can successfully ping out from atm0 to internet & see traffic coming back. I also see corresponding CDP neighbor adjacency on both the switch connected to eth0 and the 837. I can ping eth0 from a workstation attached to the switch, but cannot ping the internet from the same workstation.

I have run the show tech through the Cisco Output Interpreter and see no meaningful trouble, but I can find no real reason why I can't seem to pass traffic from eth0 to the internet. There's no reason for me to NAT in this scenario.

I have used the SAME basic config on an 827 & 1720 (and it works), and the ONLY thing I need to pass traffic to the internet is the basic default route: ip route 0.0.0.0 0.0.0.0 ATM0.1

Can anyone tell me why I can't pass traffic to the internet? Am I missing something really basic here?

===========================================

Current configuration : 1468 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
!
no aaa new-model
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
no crypto isakmp enable
!
!
interface Ethernet0
 description INSIDE INTERFACE
 ip address 10.10.10.1 255.0.0.0
 hold-queue 100 out
!
interface ATM0
 description OUTSIDE INTERFACE
 mac-address 0004.9a87.1bb8
 no ip address
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 no ip mroute-cache
 logging event subif-link-status
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode ansi-dmt
 dsl enable-training-log
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 description "EXTERNAL INTERFACE"
 ip address (not shown)
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 timeout absolute 35790 0
 pvc 0/35
  protocol ip (not shown)
 !
!
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 login
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

========================

Here's the show CDP neighbor output...

1548m#sho cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, P - Repeater, H - Host, I - IGMP

DeviceID    IP Addr        Local Port   Capability   Platform     Remote Port
837         10.10.10.1     fa 0/1       R            Cisco C837   Ethernet0

837#sho cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID                Local Intrfce   Holdtme   Capability   Platform   Port ID
1548m MAC:0090F2 B13EF1  Eth 0           179       T S          1548m      Fas 0/1
X--Eliminator

X--Eliminator wrote:

The route to the internet from a client is through 10.10.10.1/8. Your Provider *must* drop such traffic. This is not a valid IP address on the internet. Only useful with PAT/NAT or in LANs not connected to the internet.

If you have valid IP addresses for the Ethernet side of the 837, the IP Address and netmask must be set to a routable address given to you by your ISP.

Uli Link

As Uli Link says, your NAT is not set up correctly; you are missing 'ip nat inside' from your Ethernet0 interface and a NAT statement. You will need the following lines:

access-list 100 permit ip any any
ip nat inside source list 100 interface Dialer0 overload
!
interface ethernet0
 ip nat inside

Also, you may need these adjustments as your ISP may drop oversized packets (we have to do this here in the UK). Don't use them unless you have problems with large packets.

interface Ethernet0
 ip tcp adjust-mss 1452
!
interface ATM0.1 point-to-point
 ip mtu 1492
 ip tcp adjust-mss 1452

Regards,

Martin

Martin Kayes

OK thanks to Uli & Martin for both of those responses. After adding all of those configs, I then added the following logging access lists:

access-list 100 permit icmp any any log
access-list 100 permit tcp any any log
access-list 100 permit udp any any log
access-list 100 permit ip any any log
access-list 101 permit icmp any any log
access-list 101 permit tcp any any log
access-list 101 permit udp any any log
access-list 101 permit ip any any log

ip access-group 101 in
ip access-group 100 out

I applied the ACLs inbound & outbound to the atm interface, and then in the router log I can see the outbound ping traffic to all internet addresses going out on atm0.1, but I get "destination host unreachable" on all 4 pings at the W2k workstation. In the router log it shows that "some" of the packets made it out, but no ping returns came back and I can't browse any websites using either Internet Explorer, Netscape, or Opera (I have connected the workstation to the router using both a regular cable & a crossover but the result is the same). I can ping out to the internet 100% of the time (from the 837) and I get 100% returns.

*Mar 1 01:31:56.287: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.142 (0/0), 1 packet
*Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.122 (0/0), 3 packets
*Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.146 (0/0), 3 packets
*Mar 1 01:32:07.107: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 10.10.10.7 -> 198.6.1.4 (0/0), 3 packets

Now if I connect my Cisco 1720 and ping the same 4 addresses as above I get good ping returns all the way to the W2k workstation.

And I know that traffic is coming inbound to the 837 because I can see the hackers probing my IP address:

*Mar 1 01:35:33.247: %SEC-6-IPACCESSLOGP: list 101 permitted udp 83.24.162.126(0) -> ip address not shown(0), 1 packet
*Mar 1 01:36:27.759: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 64.39.171.102(0) -> ip address not shown(0), 1 packet
*Mar 1 01:36:56.955: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 212.114.230.64(0) -> ip address not shown(0), 1 packet

If anyone has more suggestions, I would be very happy to hear them, as I have run out of ideas. Thanks in advance.

+++++++++++++++++++++++++++++++++++++++++
> As Uli Link says, your NAT is not setup correctly, you are missing 'ip nat
X--Eliminator

Better to use "access-list 100 permit 10.0.0.0 0.255.255.255 any". Using any any in a NAT ACL may lead to unintended consequences. The NAT ACL should match only the traffic you want to have natted. If it was ok to have any any in a NAT ACL, you wouldn't need one at all.

Martin Gallagher

Did you notice the deliberate mistake in my last post? I left the following statement listing interface dialer0 from my config instead of changing it to ATM0.1 as per your config:

It should be...

'ip nat inside source list 100 interface ATM0.1 overload'

That could be the problem. Let me know if that was it.

Regards,

Martin

Martin Kayes
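The three corrections in this exchange (Uli Link's missing 'ip nat inside', Martin Gallagher's over-broad NAT ACL, and Martin Kayes' Dialer0 versus ATM0.1 slip) are all things a config lint can catch before the box goes on the wire. The following Python is an added example, written for this page; it is not code from any poster in the thread or from Cisco. It parses IOS-style config text into interface blocks, numbered ACLs and NAT rules, then applies those three checks. The three sample configs are constructed from the 837 config posted above, condensed to the NAT-relevant lines, with the addresses the poster withheld kept as "(not shown)"; the "first fix" variant applies Martin's first suggestion verbatim, Dialer0 typo included, and the "corrected" variant applies both follow-ups.

```python
import ipaddress
import re

# Constructed sample: the 837's NAT-relevant lines as posted, condensed.
CONFIG_AS_POSTED = """\
interface Ethernet0
 description INSIDE INTERFACE
 ip address 10.10.10.1 255.0.0.0
!
interface ATM0.1 point-to-point
 description "EXTERNAL INTERFACE"
 ip address (not shown)
 ip nat outside
 pvc 0/35
  protocol ip (not shown)
 !
!
ip route 0.0.0.0 0.0.0.0 ATM0.1
"""

_WITH_NAT_INSIDE = CONFIG_AS_POSTED.replace(
    " ip address 10.10.10.1 255.0.0.0\n",
    " ip address 10.10.10.1 255.0.0.0\n ip nat inside\n",
)

# Martin's first suggestion applied verbatim (Dialer0 slip and "any any" ACL included).
CONFIG_FIRST_FIX = _WITH_NAT_INSIDE + """\
access-list 100 permit ip any any
ip nat inside source list 100 interface Dialer0 overload
"""

# Both follow-ups applied: ACL limited to the inside network, rule bound to ATM0.1.
CONFIG_CORRECTED = _WITH_NAT_INSIDE + """\
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 100 interface ATM0.1 overload
"""


def parse_config(text):
    """Return (interfaces, acls, nat_rules) from IOS-style config text."""
    interfaces, acls, nat_rules = {}, {}, []
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            if not raw.startswith(" "):      # an unindented '!' closes the interface block
                current = None
            continue
        if raw.startswith(" "):               # sub-command of the current block
            if current is not None:
                interfaces[current].append(stripped)
            continue
        current = None
        tokens = stripped.split()
        if tokens[0] == "interface":          # "interface ATM0.1 point-to-point" -> ATM0.1
            current = tokens[1]
            interfaces[current] = []
        elif tokens[0] == "access-list" and len(tokens) > 2:
            acls.setdefault(tokens[1], []).append(" ".join(tokens[2:]))
        else:
            m = re.match(r"ip nat inside source list (\S+) interface (\S+)", stripped)
            if m:
                nat_rules.append((m.group(1), m.group(2)))
    return interfaces, acls, nat_rules


def lint_nat(text):
    """Return a list of finding strings; an empty list means the NAT setup is consistent."""
    interfaces, acls, nat_rules = parse_config(text)
    findings = []
    inside = {n for n, cmds in interfaces.items() if "ip nat inside" in cmds}
    outside = {n for n, cmds in interfaces.items() if "ip nat outside" in cmds}

    # 1. A private (RFC 1918) network that is not 'ip nat inside' is forwarded
    #    untranslated, and the ISP drops it or its replies (Uli's point).
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if not m:
                continue
            try:
                addr = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:            # e.g. the "(not shown)" placeholder
                continue
            if addr.ip.is_private and name not in inside:
                findings.append(f"{name}: private address {addr.ip} but no 'ip nat inside'")

    # 2. Translation needs a source rule plus an inside and an outside interface.
    if outside and not nat_rules:
        findings.append("'ip nat outside' set but no 'ip nat inside source list' rule")
    if nat_rules and not inside:
        findings.append("NAT rule present but no interface has 'ip nat inside'")

    # 3. Each rule must name a defined, suitably narrow ACL and the real outside interface.
    for acl, iface in nat_rules:
        if acl not in acls:
            findings.append(f"NAT rule references access-list {acl}, which is not defined")
        elif any(ace.startswith("permit ip any any") for ace in acls[acl]):
            findings.append(f"access-list {acl}: 'permit ip any any' is too broad for a NAT ACL")
        if iface not in interfaces:
            findings.append(f"NAT rule points at {iface}, which is not configured")
        elif iface not in outside:
            findings.append(f"NAT rule points at {iface}, which lacks 'ip nat outside'")
    return findings


if __name__ == "__main__":
    for label, cfg in [("as posted", CONFIG_AS_POSTED), ("first fix", CONFIG_FIRST_FIX),
                       ("corrected", CONFIG_CORRECTED)]:
        print(f"--- {label} ---")
        for finding in lint_nat(cfg) or ["no findings"]:
            print("  " + finding)
```

Run as a script it prints the findings for each variant: the posted config trips the private-address and missing-rule checks, the first fix trips the broad-ACL and unknown-Dialer0 checks, and the corrected config is clean. The ACL check is deliberately conservative: it only flags the exact "permit ip any any" form Martin Gallagher warns about, and a real deployment would want to compare the ACL's source range against the inside interface's subnet rather than stop at that string match.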

OK. PROBLEM SOLVED !!!!

After I put that source list command to atm0.1, I started to see that when I ping from the workstation to the internet, the first (and ONLY the first) packet would go through and the next 3 packets would fail. If I would then quickly repeat the ping to the same address, all 4 pings then fail.

Just for giggles I decided to put a logging permit inbound & outbound ACL on eth0, and VOILA, all the pings go through and now I can access the internet from my browser. After deleting and reapplying the individual inbound vs. outbound ACLs on eth0, I verified that I ONLY need the inbound permit on eth0 (to get ICMP echo reply and tcp/udp connectivity when I use the browser)...

access-list 106 permit icmp any any log
access-list 106 permit tcp any any log
access-list 106 permit udp any any log
access-list 106 permit ip any any log

interface Ethernet0
 ip access-group 106 in

If I don't have the above configuration, nothing works. I knew this intuitively since I could ping outbound to anywhere to the internet from the router, but not from the ethernet.

This is a real bite in the ass since I have an 8274v & 1720 and don't need to place any ACLs on the ethernet interface to have outbound internet access on those routers.

Thank you to Mart
> Did you notice the deliberate mistake in my last post, I left the following

X--Eliminator

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.