NAT problem

If you are trying to use FA 0/0 as the outside interface then remove from serial interface:

config t
interface FastEthernet0/0
 ip nat outside
 exit
interface Serial0/0
 no ip nat outside
 exit
wri mem

Reply to
Merv

I'm by no means an expert but you should put "ip nat outside" on fastethernet 0 instead of Serial. At least that's what your ip nat rule says.

ML

Reply to
Martin Latos

Still haven't got it right. Anybody see what is wrong with the following config? This is a 2620.

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname csco
!
enable secret 5 $1$IQHh$0GBfTADUxGsxpblAfubsen/
enable password
!
!
!
!
!
ip subnet-zero
ip name-server 206.55.236.242
ip name-server 206.55.236.245
!
!
!
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 206.55.236.241 255.255.255.240
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 206.55.246.110 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 ip nat outside
 no ip mroute-cache
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.55.246.109
ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 206.55.236.240 0.0.0.15 any
access-list 102 permit ip host 206.55.246.110 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 password
 login
!
no scheduler allocate
end

Reply to
Tom Linden

BTW, I like your access-list 101. Very thorough and well 'remarked'.

Steve


Reply to
www.networking-forum.com

But you have default route on the serial Iface... Shouldn't you use default GW from your f0?

If you think that access-list might be the problem unbind them for now.

Reply to
Martin Latos

Tried that, didn't work. Is there perhaps something amiss in the access-list?

interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 206.55.236.241 255.255.255.240
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 speed auto
 full-duplex
 no cdp enable
!
interface Serial0/0
 ip address 206.55.246.110 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 no ip directed-broadcast
 no ip mroute-cache
!
interface FastEthernet1/0
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.0.0.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 206.55.246.109
ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 deny icmp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any
access-list 102 permit ip 206.55.236.240 0.0.0.15 any
access-list 102 permit ip host 206.55.246.110 any
access-list 102 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!

Reply to
Tom Linden
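
The two consistency checks raised in the replies above (the interface named in the NAT rule should carry "ip nat outside", and the default route should leave through the outside interface), as an added Python example that is not part of the original thread. The sample config is constructed from the NAT-relevant lines of the second config posted above; the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the second config in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 206.55.236.241 255.255.255.240
 ip nat outside
!
interface Serial0/0
 ip address 206.55.246.110 255.255.255.252
!
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 206.55.246.109
"""

def parse_interfaces(config):
    """Return {name: {"net": IPv4Network or None, "nat": "inside"/"outside"/None}}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif not line.startswith(" "):
            current = None  # any other top-level line ends interface sub-mode
        elif current is not None:
            if m := re.match(r" ip address (\S+) (\S+)$", line):
                current["net"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            elif m := re.match(r" ip nat (inside|outside)$", line):
                current["nat"] = m.group(1)
    return ifaces

def nat_findings(config):
    """Flag the two mismatches the replies in the thread point at."""
    ifaces, findings = parse_interfaces(config), []
    for name in re.findall(r"^ip nat inside source list \S+ interface (\S+) overload", config, re.M):
        if ifaces.get(name, {}).get("nat") != "outside":
            findings.append(f"NAT rule uses {name}, which is not 'ip nat outside'")
    for hop in re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", config, re.M):
        for name, info in ifaces.items():
            if info["net"] and ipaddress.ip_address(hop) in info["net"] and info["nat"] != "outside":
                findings.append(f"default route via {hop} exits {name}, which is not 'ip nat outside'")
    return findings

print("\n".join(nat_findings(SAMPLE_CONFIG)))
```
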
