I have a network that is becoming more complicated than I am used to.
It is a remote office that has asked me to provide wireless internet access for their guests. I initially told them no way, they'd have to get a second T1. But I finally compromised on a second ethernet WIC in their 1700 router running FW IOS.
The two segments worked fine. 192.168.1.0/24 is the office network, and 10.1.1.0/24 is the guest network. The public segment is using NAT/overload on the serial interface.
Now they are asking that a vendor be allowed to put some device on their network. A web server that runs some sort of weather monitoring station or something. I told them I would put it on the 10.1.1.0 network. But it requires a public IP so the weather company can connect to it via port 80.
So I added a static NAT mapping:

    ip nat inside source static 10.1.1.5 212.74.17.71

This seems to work as long as I don't use my ACL. The weather company was able to connect and configure the device. But when I apply my ACL, the weather station becomes unavailable. When the weather company tries to ping it, they get host unreachable.
If I take the ACL off, I can ping the weather station all day long.
When I put the ACL back on, I get destination host unreachable.
I'm thinking this has something to do with the address translation, but I'm not sure what it is.
    10 permit tcp any any established                  --- WORKS !!!
    20 permit icmp any host 212.74.17.70 echo-reply    --- WORKS!!!
    30 permit icmp any host 212.74.17.71 echo-reply    --- DOESN'T WORK!!!

212.74.17.70 is the IP of the S0 interface.
212.74.17.71 is the IP of the weather station computer.

Thank you
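For reference, here is the NAT-plus-ACL arrangement the post describes, reassembled as an added example; it is not the poster's running config, and the interface names (FastEthernet0, FastEthernet1, Serial0), the serial subnet mask, the PAT source list (access-list 1), the ACL name OUTSIDE-IN, and the assumption that the ACL is applied inbound on S0 are all mine. Two IOS behaviours matter for reading it: on the outside interface the inbound ACL is evaluated before the global-to-local NAT translation, so entries must name the public address 212.74.17.71 (as the post's entry 30 already does); and `echo-reply` matches only ping replies coming back in, while a ping sent by the weather company arrives as an ICMP `echo`, and its first packet to port 80 is a SYN, which `established` (ACK or RST set) never matches. The example keeps the post's three entries and adds entries 40 and 50 for that inbound traffic.

```cisco
! Office segment
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Guest segment; the vendor's weather station is 10.1.1.5
interface FastEthernet1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Outside interface; 212.74.17.70 is the router's own public address.
! The ACL is applied inbound here (assumed).
interface Serial0
 ip address 212.74.17.70 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
! Dynamic PAT for both internal segments (access-list 1 is an assumption)
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Serial0 overload
!
! Static one-to-one mapping for the weather station, as in the post;
! it takes precedence over the overload rule for 10.1.1.5
ip nat inside source static 10.1.1.5 212.74.17.71
!
ip access-list extended OUTSIDE-IN
 remark Return traffic for sessions opened from inside (ACK or RST set)
 10 permit tcp any any established
 remark Replies to pings we originate from the router or from 10.1.1.5
 20 permit icmp any host 212.74.17.70 echo-reply
 30 permit icmp any host 212.74.17.71 echo-reply
 remark A ping arriving FROM the weather company is an echo request, not a reply
 40 permit icmp any host 212.74.17.71 echo
 remark The vendor's first packet to port 80 is a SYN; "established" does not match it.
 remark Replace "any" with the vendor's source range once it is known.
 50 permit tcp any host 212.74.17.71 eq www
 remark Everything else is dropped; this is the implicit deny made visible and logged
 60 deny ip any any log
```

To check which entry a test ping or HTTP request actually hits, watch the per-entry hit counters in `show access-lists OUTSIDE-IN` while the vendor connects, and confirm the static mapping is present with `show ip nat translations`. Entry 60 exists only so denied traffic shows up in the log; it does not change what the implicit deny would already drop.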