Has anyone ever experienced this before? We have two NATs, leading to two Ethernets on a Cisco 2916. One is:

  interface Ethernet0/0
   ip address 10.50.0.1 255.255.255.0
   ip mask-reply
   no ip directed-broadcast
   ip nat inside
   no cdp enable

The other is:

  interface Ethernet0/1
   description To: I-FILM's DMZ LAN (10.50.1.0/24) -NAT
   ip address 192.168.0.1 255.255.255.0
   ip mask-reply
   no ip directed-broadcast
   ip nat inside
   no cdp enable

With a serial T1 going to the rest of the world via Serial0/0:

  interface Serial0/0
   bandwidth 1536
   ip unnumbered Ethernet0/0
   ip access-group s0-in in
   no ip redirects
   no ip unreachables
   no ip directed-broadcast
   no ip proxy-arp
   ip nat outside
   no ip mroute-cache
   no cdp enable

(All of this is on a Cisco 2916 running IOS 12.0.)

Machines on the 192.168.0.x network cannot connect via SSH to any server on the internet, although telnetting to any machine's port 22 (on the net, from either 192.168.x.x or 10.x.x.x) works! SSH hangs on outbound connections, which makes zero sense. It's making me completely mental, considering SSH (Unix client) works from Windows and Mac clients (via SecureCRT/NiftyTelnet) from machines on the 10.x.x.x network! If I disable the following ACL, SSH works just fine.
We have an ACL on the inbound serial line, Serial0/0, that's quite normal, with some anti-spoofing (feel free to use this for your own site):

  ip access-list extended s0-in
   deny ip 10.0.0.0 0.255.255.255 any log
   deny ip 0.0.0.0 0.255.255.255 any log
   deny ip host 255.255.255.255 any log
   deny ip 127.0.0.0 0.255.255.255 any log
   deny ip 224.0.0.0 15.255.255.255 any log
   deny ip 240.0.0.0 7.255.255.255 any log
   deny ip 192.0.2.0 0.0.0.255 any log
   deny ip 169.254.0.0 0.0.255.255 any log
   deny tcp any any eq 6666 log
   deny tcp any any range 6000 6100 log
   deny tcp any any eq 18000 log
   deny tcp any any eq 7007 log
   deny tcp any any eq 5050 log
   deny tcp any any eq 1521 log
   deny tcp any any eq 1522 log
   deny tcp any any eq 1526 log
   deny tcp any any eq 1031 log
   deny udp any any eq tftp log
   deny tcp any any eq 2049 log
   deny tcp any any eq 4045 log
   deny tcp any any eq 1030 log
   deny tcp any any eq 1032 log
   deny udp any any eq sunrpc log
   deny udp any any eq 2049 log
   deny udp any any eq 2000
   deny udp any any eq tftp
   permit tcp any any eq www
   permit tcp any any eq telnet
   permit tcp any any eq 22
   permit tcp any any eq ftp
   permit tcp any any eq ftp-data
   permit icmp 209.10.35.0 0.0.0.255 any
   permit icmp 209.10.36.0 0.0.0.255 any
   permit tcp 209.10.40.32 0.0.0.31 host 209.10.47.56 eq 1984
   permit icmp 209.10.40.32 0.0.0.31 any
   deny udp any any eq 4045 log
   permit udp 209.10.40.32 0.0.0.31 host 209.10.47.56 eq syslog
   deny udp any any eq syslog
   permit udp any any
   permit tcp any any gt 1023
   deny ip 192.168.0.0 0.0.255.255 any log

Thanks in advance for any help/assistance. Personally, I think something is wrong with IOS 12.0, but I can't believe that yet.

-john
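As an added illustration (not part of john's post or his router config), here is a small first-match evaluator for a subset of the s0-in entries above, kept in their original order, run against a few inbound packets on Serial0/0. It shows which entry each packet hits: SSH return traffic is admitted by "permit tcp any any gt 1023", ICMP from anywhere outside the listed 209.10 ranges falls through to the implicit deny (worth checking when a TCP session opens but then stalls), and a spoofed 192.168 source is also admitted by that same "gt 1023" entry before the final anti-spoofing deny is ever reached. The addresses 203.0.113.1 (standing in for the router's outside address) and 198.51.100.10 (an arbitrary internet host) are constructed; the parser handles only the numeric eq/gt port clauses the excerpt uses.

```python
import ipaddress

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD' (contiguous wildcard assumed); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(t[1])) ^ 0xFFFFFFFF)  # invert wildcard
    return ipaddress.ip_network((t[0], str(netmask)), strict=False), t[2:]

def parse_ace(line):
    """One extended ACE -> (action, proto, src_net, dst_net, (lo, hi)); numeric eq/gt only, 'log' ignored."""
    t = line.split()
    action, proto = t[0], t[1]
    src, t = _addr(t[2:])
    dst, t = _addr(t)
    lo, hi = 0, 65535                      # no port clause: any destination port
    if t and t[0] == "eq":
        lo = hi = int(t[1])
    elif t and t[0] == "gt":
        lo = int(t[1]) + 1
    return action, proto, src, dst, (lo, hi)

def evaluate(acl, proto, src, dst, dport=0):
    """First match wins; a packet matching no entry hits IOS's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, snet, dnet, (lo, hi) = parse_ace(line)
        if p in ("ip", proto) and s in snet and d in dnet and lo <= dport <= hi:
            return action, line
    return "deny", "implicit deny"

# Excerpt of s0-in in its original order; entries not needed for the checks below are omitted.
S0_IN_EXCERPT = [
    "deny ip 10.0.0.0 0.255.255.255 any log",
    "permit tcp any any eq 22",
    "permit icmp 209.10.35.0 0.0.0.255 any",
    "permit udp any any",
    "permit tcp any any gt 1023",
    "deny ip 192.168.0.0 0.0.255.255 any log",
]

def checks():
    """Packets arriving on Serial0/0; 203.0.113.1 (router outside address) and 198.51.100.10 are constructed."""
    return {
        "ssh_reply": evaluate(S0_IN_EXCERPT, "tcp", "198.51.100.10", "203.0.113.1", 40000),
        "icmp_any": evaluate(S0_IN_EXCERPT, "icmp", "198.51.100.10", "203.0.113.1"),
        "spoof_192": evaluate(S0_IN_EXCERPT, "tcp", "192.168.5.5", "203.0.113.1", 40000),
    }
```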
