Need guidance on access lists and NAT (870 router)

On an 870 router:

I can get the ADSL connection to work. From what I gather:

[modem]->[FA 4] -> [DIALER 1] -> [BVI 10] -> [VLAN 10] -> [FA 0]

FA 4 has no IP address. Dialer1 gets the IP address from the ISP. BVI 10 gets the router's IP address (10.0.0.2). VLAN10 has no IP address. FA 0 is a trunk.

(interface definitions at bottom of this message)

I have NAT statements such as:

ip nat pool natpool1 10.0.0.0 10.0.255.255 netmask 255.255.0.0
ip nat inside source list 23 interface Dialer1 overload
!
ip nat inside source static tcp 10.0.0.11 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.50 80 interface Dialer1 80
ip nat inside source static 10.0.0.11 interface Dialer1

The last one (thanks to this newsgroup) is supposed to be a catch-all one.

My access list is defined as:

ip access-list extended ACLinbound
 permit tcp any any established
 permit tcp any 10.0.0.0 0.0.255.255 eq 80
 deny ip host 72.0.206.240 any
 deny tcp any any eq 445
 deny tcp any any eq 135
 deny tcp any any eq 139
 deny tcp any any eq 1433
 deny tcp any any eq 22
 permit tcp any any range 6809 6999
 permit ip any 10.0.0.0 0.0.255.255 log

within Dialer 1: ip access-group ACLinbound in

The 3rd entry is a placeholder to block some IP that is nagging me with millions of calls to ftp/pop for password dictionary attacks on the account "Administrator" and is modified when such attacks start to bother me.

MY NEEDS:

-I don't want to prevent any access to the internet from the LAN, including pings and traceroutes (the latter 2 are not functional under the current config, but web access and telnet work).

-I want to log inbound call establishment packets only for ports not listed. I don't want to log any packets that are part of a call originating from a local host (and that includes UDP communications, which are not "established").

-Don't want to log anything about outbound calls (for instance when a local web browser makes a gazillion TCP connections to load a page).

-What is blocking locally originated pings and traceroutes, and how can I fix that?

Any suggestions on what to look for to accomplish this? Anything very wrong with my configs? My goal is to get something working first and then tighten it up as needed.

Also, I will need to map a whole range of ports in NAT (about 600 ports). Since Cisco can't map ranges (say from 6000 to 6599), is it possible to have a very long list of ip nat statements?

Interface definitions below:

interface FastEthernet4
 description PPPoE to Modem
 no ip address
 carrier-delay 10
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1

interface Dialer1
 description PPPoE to Modem
 ip address negotiated
 ip mtu 1492
 ip tcp adjust-mss 1452
 ip nat outside
 ip virtual-reassembly
 ip access-group ACLinbound in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer enable-timeout 10
 dialer persistent
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username myuser@myisp password 0 mypassword

interface BVI 10
 ip address 10.0.0.2 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 no shutdown

interface Vlan10
 description Intranet
 no ip address
 bridge-group 10
 bridge-group 10 spanning-disabled

And finally, FA/0, which is a trunk to my LAN. All relevant hosts in my LAN are in a 10.0.*.* subnet.

JF Mezei

Don't know about the rest, but this needs (say) permit icmp any any

in your access list

Stuart Gall
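To see which entry of the posted ACL a given packet actually hits, here is an added example (not code from either poster, and not a Cisco tool): a small Python evaluator that models IOS extended-ACL semantics as they apply to an inbound ACL on the outside interface: first match wins, an implicit "deny ip any any" ends every list, "established" matches only TCP segments with the ACK or RST bit set, and an ICMP type keyword such as echo-reply restricts an icmp entry. The ACL lines are copied from the post above; the public address 203.0.113.5 and the sample packets are constructed for the example, and RETURN_ICMP_ACL is an assumed variant that adds the three ICMP message types that replies to local pings and traceroutes consist of, which is a narrower alternative to "permit icmp any any". Because an inbound ACL on Dialer1 is evaluated before NAT translates the destination, the packets are modelled with the public address as destination, which is why the entries naming 10.0.0.0/16 never match them.

```python
"""Toy first-match evaluator for Cisco IOS-style extended ACL entries (added example).

Assumptions: ACL text copied from the post; packets and the public address
203.0.113.5 are constructed; RETURN_ICMP_ACL is an assumed tightened variant.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags present, e.g. {"SYN", "ACK"}
    icmp_type: str = ""             # "echo-reply", "time-exceeded", "unreachable", ...


def _addr_match(addr, tok, i):
    """Match the address spec at tok[i] ('any' | 'host A' | 'A WILDCARD'); return (ok, next index)."""
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return addr == tok[i + 1], i + 2
    net = int(ipaddress.ip_address(tok[i]))
    care = ~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF   # 0-bits of the wildcard must match
    return (int(ipaddress.ip_address(addr)) & care) == (net & care), i + 2


def _port_match(port, tok, i):
    """Optional 'eq N' or 'range A B' following an address spec; return (ok, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return port == int(tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "range":
        return int(tok[i + 1]) <= port <= int(tok[i + 2]), i + 3
    return True, i


def entry_matches(entry, p):
    """True if one ACL entry (e.g. 'permit tcp any any established') matches packet p."""
    tok = entry.split()
    proto = tok[1]
    if proto not in ("ip", p.proto):
        return False
    ok, i = _addr_match(p.src, tok, 2)
    if ok and proto in ("tcp", "udp"):
        ok, i = _port_match(p.sport, tok, i)
    if ok:
        ok, i = _addr_match(p.dst, tok, i)
    if ok and proto in ("tcp", "udp"):
        ok, i = _port_match(p.dport, tok, i)
    if not ok:
        return False
    rest = [t for t in tok[i:] if t != "log"]
    if "established" in rest:           # only TCP segments carrying ACK or RST; never UDP or ICMP
        return proto == "tcp" and bool(p.flags & {"ACK", "RST"})
    if proto == "icmp" and rest:        # an ICMP type keyword such as echo-reply
        return p.icmp_type == rest[0]
    return True


def evaluate(acl, p):
    """Return (action, entry) for the first matching entry, or the implicit deny."""
    for entry in acl:
        if entry_matches(entry, p):
            return entry.split()[0], entry
    return "deny", "implicit deny ip any any"


POSTED_ACL = [
    "permit tcp any any established",
    "permit tcp any 10.0.0.0 0.0.255.255 eq 80",
    "deny ip host 72.0.206.240 any",
    "deny tcp any any eq 445",
    "deny tcp any any eq 135",
    "deny tcp any any eq 139",
    "deny tcp any any eq 1433",
    "deny tcp any any eq 22",
    "permit tcp any any range 6809 6999",
    "permit ip any 10.0.0.0 0.0.255.255 log",
]

# Assumed variant: admit only the ICMP messages that make up replies to
# local pings and traceroutes, placed right after the 'established' entry.
RETURN_ICMP_ACL = POSTED_ACL[:1] + [
    "permit icmp any any echo-reply",
    "permit icmp any any time-exceeded",
    "permit icmp any any unreachable",
] + POSTED_ACL[1:]

PUBLIC = "203.0.113.5"   # constructed stand-in for the negotiated Dialer1 address

SAMPLES = {   # constructed packets as they arrive on Dialer1, before NAT rewrites the destination
    "web reply (SYN/ACK from 80)": Packet("tcp", "198.51.100.7", PUBLIC, 80, 51000, frozenset({"SYN", "ACK"})),
    "ping reply": Packet("icmp", "198.51.100.7", PUBLIC, icmp_type="echo-reply"),
    "traceroute hop reply": Packet("icmp", "198.51.100.9", PUBLIC, icmp_type="time-exceeded"),
    "DNS reply (UDP 53)": Packet("udp", "198.51.100.53", PUBLIC, 53, 40000),
    "inbound SMB probe": Packet("tcp", "198.51.100.66", PUBLIC, 41234, 445, frozenset({"SYN"})),
}

if __name__ == "__main__":
    for label, acl in (("posted ACL", POSTED_ACL), ("with ICMP return entries", RETURN_ICMP_ACL)):
        print(label)
        for name, p in SAMPLES.items():
            print(f"  {name:28s} -> {evaluate(acl, p)}")
```

Running it shows the ping and traceroute replies falling through to the implicit deny under the posted ACL and being permitted by the three ICMP entries, while the UDP DNS reply is denied in both cases: a stateless ACL has no notion of UDP "return traffic", which is what IOS stateful inspection (ip inspect, CBAC) or a reflexive ACL exists for, and also what answers the wish to log only unsolicited inbound packets. Two checks worth doing on the posted configuration: the overload NAT statement references list 23, which does not appear in the excerpt and must exist and cover 10.0.0.0/16, and the last ACL entry logs with a private destination that an inbound ACL on the outside interface never sees.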
