From: NoOne Important (lm_nguyen@xxxxxxxxxxx)
Date: Tue Feb 13 2001 - 17:23:33 GMT-3
You should buy me a six-pack if this works out for you :)
Change access-list 160 to permit only the inside network. Don't permit any
any. This somehow got the serial interface mixed up...
NAT works in mysterious ways, eh? :)
debug ip nat detail on your router
and run snoop or some sort of sniffing software on wherever you try to
telnet from to see what's going on.
>From: "Sam Munzani" <sam@munzani.com>
>Reply-To: "Sam Munzani" <sam@munzani.com>
>To: <Ron.Fuller@3x.com>
>CC: <ccielab@groupstudy.com>, "NoOne Important" <lm_nguyen@hotmail.com>,
> <nobody@groupstudy.com>
>Subject: Re: CISCO FW IOS with allowing SSH to it from outside
>Date: Tue, 13 Feb 2001 13:52:22 -0600
>
>Here is my full configs with IP addresses changed a bit. Tell me what am I
>doing wrong?
>
>version 12.1
>no service single-slot-reload-enable
>service timestamps debug uptime
>service timestamps log uptime
>service password-encryption
>!
>hostname cisco
>!
>logging buffered 4096 debugging
>logging rate-limit console 10 except errors
>aaa new-model
>aaa authentication login default local
>enable password 7 045C1E031C32455A
>!
>username admin password 1234
>ip subnet-zero
>no ip source-route
>!
>!
>no ip finger
>ip domain-name xyz.com
>ip name-server 1.1.1.1
>!
>ip inspect max-incomplete high 1100
>ip inspect max-incomplete low 900
>ip inspect one-minute high 1100
>ip inspect one-minute low 900
>ip inspect name outbound tcp
>ip inspect name outbound udp
>ip inspect name outbound cuseeme
>ip inspect name outbound ftp
>ip inspect name outbound h323
>ip inspect name outbound rcmd
>ip inspect name outbound realaudio
>ip inspect name outbound smtp
>ip inspect name outbound streamworks
>ip inspect name outbound vdolive
>ip inspect name outbound sqlnet
>ip inspect name outbound tftp
>!
>ip inspect name mail smtp
>!
>ip audit notify log
>ip audit po max-events 100
>ip ssh time-out 60
>ip ssh authentication-retries 3
>!
>!
>call rsvp-sync
>cns event-service server
>!
>!
>!
>interface FastEthernet0/0
> description connection to Internal Network
> ip address 192.168.100.2 255.255.255.0
> ip nat inside
> duplex auto
> speed auto
>!
>interface FastEthernet0/1
> description Connection to Internet
> ip address 2.2.2.2 255.255.255.0
> ip access-group 101 in
> ip nat outside
> ip inspect outbound out
> ip inspect mail in
> duplex auto
> speed auto
>!
>ip kerberos source-interface any
>ip nat pool legal_ip 2.2.2.3 2.2.2.10 netmask 255.255.255.0
>ip nat inside source route-map nonat pool legal_ip overload
>ip nat inside source static 192.168.100.5 2.2.2.15
>ip classless
>ip route 0.0.0.0 0.0.0.0 2.2.2.1
>no ip http server
>!
>logging source-interface FastEthernet0/0
>logging 192.168.100.11
>access-list 101 permit tcp any host 2.2.2.15 eq smtp
>access-list 101 permit tcp any host 2.2.2.15 eq www
>access-list 101 permit tcp any host 2.2.2.15 eq 443
>access-list 101 permit tcp any host 2.2.2.15 eq pop3
>access-list 101 permit tcp any host 2.2.2.15 eq 143
>access-list 101 permit tcp any host 2.2.2.2 eq 22
>access-list 101 permit tcp any host 2.2.2.2 eq telnet
>access-list 101 deny tcp any any
>access-list 101 deny udp any any
>access-list 101 permit icmp any any echo-reply
>access-list 101 permit icmp any any time-exceeded
>access-list 101 permit icmp any any packet-too-big
>access-list 101 permit icmp any any traceroute
>access-list 101 permit icmp any any unreachable
>access-list 101 deny ip any any log
>access-list 160 permit ip any any
>no cdp run
>!
>route-map nonat permit 10
> match ip address 160
>!
>!
>!
>line con 0
> exec-timeout 0 0
> password 7 094F471A1A0A
> transport input none
>line aux 0
> password 7 070834495D1A1011
>line vty 0 4
> password 7 104D000A0618
> transport input telnet ssh
>!
>end
>
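As an added illustration of the advice above (not code from either poster), the following Python evaluator applies Cisco wildcard-mask, first-match, implicit-deny semantics to the two versions of access-list 160 and reports which flows the route-map `nonat` would select. The flow names and the outside host 198.51.100.10 are constructed; the block only shows which packets the ACL selects, not what IOS then does with them.

```python
import ipaddress

# Constructed example: a minimal evaluator for IOS entries of the form
#   access-list N permit|deny ip SRC [WILDCARD] DST [WILDCARD]
# (also "any" and "host X"), first match wins, implicit deny at the end.
# Entries with protocol ports (eq smtp, ...) are out of scope here.

def _wild_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard (1 bits = don't care)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

def _parse_addr(tok, i):
    """Consume one address spec starting at tok[i]; return ((base, wild), next_i)."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines into tuples."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok[2]
        src, i = _parse_addr(tok, 4)   # tok[3] is the protocol keyword "ip"
        dst, _ = _parse_addr(tok, i)
        entries.append((action, src, dst))
    return entries

def acl_permits(entries, src, dst) -> bool:
    for action, (sb, sw), (db, dw) in entries:
        if _wild_match(src, sb, sw) and _wild_match(dst, db, dw):
            return action == "permit"
    return False  # implicit deny

# The ACL as posted, and the narrowed version the reply recommends.
ORIGINAL = ["access-list 160 permit ip any any"]
FIXED = ["access-list 160 permit ip 192.168.100.0 0.0.0.255 any"]

# Constructed flows: an inside host going out, and the router's own SSH
# reply leaving its outside address 2.2.2.2 toward the remote client.
FLOWS = [
    ("inside-host-to-internet", "192.168.100.7", "198.51.100.10"),
    ("router-ssh-reply-to-internet", "2.2.2.2", "198.51.100.10"),
]

def nat_candidates(acl_lines, flows=FLOWS):
    """Names of flows the route-map's ACL would select for translation."""
    entries = parse_acl(acl_lines)
    return [name for name, s, d in flows if acl_permits(entries, s, d)]
```

With the original `permit ip any any`, the router-sourced flow is selected too; with the inside-only entry, only the 192.168.100.0/24 host matches.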
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:47 GMT-3