ACL & NAT config

I am trying to bring up a new config; currently the T1 is not plugged into S0/0, and F0/0 supports routable IPs and F0/1 10.x.x.x. I have a set of devices which are each configured with a unique 10.x.x.x alias to a unique routable IP. When I try, for example, to ping another device on that net other than 10.0.0.1 or itself, it only gets the first packet. When I inspect the access-list there are hits as below:

Extended IP access list 101
    10 deny ip 10.0.0.0 0.255.255.255 any (9 matches)

Which interface is generating the matches?

It occurred to me that it could be the access-group 101 on F0/0, so I tried removing it; the counters did not increment, but ping behaved the same. Is it sufficient to put the access-groups on the serial line, or does it also need to be on F0/0? Do I perhaps need a new access-group?

The config I am using is as follows:

Version 12.3(9)

2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

!
interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 12.70.58.129 255.255.255.128
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 12.89.208.122 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 no ip mroute-cache
!
interface FastEthernet0/1
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 12.89.208.121
!
!
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 12.70.58.128 0.0.0.127 any
access-list 102 permit ip host 12.89.208.122 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit

TIA Tom

Tom Linden
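An added example, not part of the thread or of Tom's config: the matching rules behind those hit counters (wildcard mask where a set bit means "don't care", first matching entry wins, implicit "deny ip any any" at the end) are small enough to reproduce in Python, which lets a packet be checked against the posted access-list 101 offline before changing anything on the router. ACL_101 below is copied from the posted config with the remark lines dropped; the helper names parse_acl and evaluate, the sequence numbering (10, 20, ...) and the sample packets (10.0.0.5 pinging 10.0.0.6, probes from 4.2.2.2) are constructed for the example. It also handles the raw protocol numbers (53, 55, 77), the "eq" port qualifiers and the ICMP type names the posted list uses.

```python
"""Offline first-match evaluator for Cisco IOS numbered extended IPv4 ACLs.
Added example, not code from the thread; ACL_101 is copied from the posted config
(remarks omitted) and the packets fed to evaluate() are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "pim": 103}
PORT_NAME = {"snmp": 161, "snmptrap": 162, "domain": 53, "www": 80}
ICMP_TYPE = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

ACL_101 = """
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 deny icmp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 permit ip any any
"""

@dataclass
class Ace:
    seq: int                    # IOS-style sequence number: 10, 20, ...
    action: str                 # "permit" or "deny"
    proto: Optional[int]        # None means "ip", i.e. any protocol
    src: Tuple[int, int]        # (base address, wildcard mask); set wildcard bit = don't care
    dst: Tuple[int, int]
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    text: str = ""

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' and return (base, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, ALL_ONES
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))

def _port(tokens):
    """Consume an optional 'eq <port>' qualifier (only 'eq' is modelled here)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAME[name] if name in PORT_NAME else int(name)
    return None

def parse_acl(config: str, number: int):
    """Return the ACEs of access-list <number> in config order; remark lines are skipped."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        proto_tok, rest = t[3], t[4:]
        # protocol keyword, or a raw IP protocol number as in "deny 53 any any"
        proto = None if proto_tok == "ip" else (PROTO_NUM.get(proto_tok) or int(proto_tok))
        src = _addr(rest)
        sport = _port(rest) if proto in (6, 17) else None
        dst = _addr(rest)
        dport = _port(rest) if proto in (6, 17) else None
        icmp_type = ICMP_TYPE[rest[0]] if proto == 1 and rest else None
        aces.append(Ace(10 * (len(aces) + 1), t[2], proto, src, dst,
                        sport, dport, icmp_type, " ".join(t[2:])))
    return aces

def _wild_match(addr: int, spec: Tuple[int, int]) -> bool:
    base, wild = spec
    care = ~wild & ALL_ONES                     # bits the entry actually compares
    return (addr & care) == (base & care)

def evaluate(aces, src, dst, proto, sport=None, dport=None, icmp_type=None):
    """Walk the list top-down; returns (action, seq, text), seq None on the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for a in aces:
        if a.proto is not None and a.proto != proto:
            continue
        if not (_wild_match(s, a.src) and _wild_match(d, a.dst)):
            continue
        # every qualifier present on the entry must equal the packet's value
        if any(w is not None and w != g for w, g in
               ((a.sport, sport), (a.dport, dport), (a.icmp_type, icmp_type))):
            continue
        return a.action, a.seq, a.text
    return "deny", None, "implicit deny ip any any"
```

Calling evaluate(parse_acl(ACL_101, 101), "10.0.0.5", "10.0.0.6", proto=1, icmp_type=8) reports the packet as hitting entry 10, the same line that shows 9 matches in the show output above, while an outside SNMP probe (proto=17, dport=161) stops at entry 120 and a web request falls through to the final permit. The evaluator only says which entry a packet would match; it cannot say on which interface the packet arrived, and in IOS the match counter belongs to the ACL rather than to an interface, so one numbered list applied on two interfaces keeps a single shared count.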

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.