[c-nsp] FW: Static PAT problem

Andrew Herdman andrew at whine.com
Tue Mar 22 20:51:54 EST 2005


Yes, I have both;

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp timeout 900
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 fragment maximum 256 timeout 1
ip inspect name DEFAULT100 sip
ip inspect name DEFAULT100 skinny

access-list 101 permit udp host 128.138.140.44 any eq ntp
access-list 101 permit udp host 129.119.3.2 any eq ntp
access-list 101 permit udp host x.x.x.147 any eq 10000
access-list 101 permit udp host x.x.x.147 any eq non500-isakmp
access-list 101 permit udp host x.x.x.147 any eq isakmp
access-list 101 permit esp host x.x.x.147 any
access-list 101 permit ahp host x.x.x.147 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any host x.x.x.254 echo
access-list 101 permit udp any eq 5060 any
access-list 101 permit tcp any any eq 22
access-list 101 permit udp x.x.x.0 0.0.0.255 any eq snmp
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 81
access-list 101 deny   ip any any 

Thanks
  Andrew


-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Tuesday, March 22, 2005 5:22 PM
To: Andrew Herdman
Cc: 'Gert Doering'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] FW: Static PAT problem

Hi,

On Tue, Mar 22, 2005 at 03:41:28PM -0500, Andrew Herdman wrote:
> I performed a small shell script to test and get some debug info from the
> router, so running "while true; do telnet x.x.x.254 81; done" and "debug ip
> nat detail" running.  I noticed that the only nat going on during this
> entire time was my SSH session to the server doing the poking of port 81.
> Not once did the log show a NAT attempt or anything for port 81...  Hope
> this tweaks some ideas.

Weird.  Any ACLs or firewall inspect features on the "outside" interface?

(I've forgotten the start of the thread, so please excuse me if that was
already included)

gert
-- 
USENET is *not* the non-clickable part of WWW!
 
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert at net.informatik.tu-muenchen.de