
Forwarding issue


ntwrkrbkj

IS-IT--Management
Jun 2, 2003
Ok, apparently I'm not understanding IOS 12.4, I hope someone can help me out here. Am I missing an ACL or something that is keeping the forwards from working?

Thanks!

version 12.4
service config
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Comave
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$U2EB$Zg7VIIoWch0ep5uRpYaWN0
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.0.1.1 192.0.1.99
ip dhcp excluded-address 192.0.1.150 192.0.1.254
!
ip dhcp pool sdm-pool1
import all
network 192.0.1.0 255.255.255.0
default-router 192.0.1.40
dns-server 63.90.67.10 63.90.67.11
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name autismwv.com
ip name-server 63.90.67.10
ip name-server 63.90.67.11
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-4187313239
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4187313239
revocation-check none
rsakeypair TP-self-signed-4187313239
!
!
crypto pki certificate chain TP-self-signed-4187313239
certificate self-signed 01 nvram:IOS-Self-Sig#3903.cer
username administrator privilege 15 secret 5 $1$sPT3$9RtpEYPbM7KYCQ.hWMaDy.
!
!
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet1
description $FW_OUTSIDE$$ES_WAN$
ip address xxx.xxx.29.34 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid ComAve1
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 06535D781F1E5D4D504644
!
world-mode dot11d country US indoor
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
ssid ComAve1
authentication open
guest-mode
wpa-psk ascii 7 06535D781F1E5D4D504644
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface BVI1
description $ES_LAN$
ip address 192.0.1.40 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.29.33
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static udp 192.0.1.5 631 interface FastEthernet1 631
ip nat inside source static tcp 192.0.1.5 631 interface FastEthernet1 631
ip nat inside source static tcp 192.0.1.5 22 interface FastEthernet1 22
ip nat inside source static udp 192.0.1.5 22 interface FastEthernet1 22
ip nat inside source static udp 192.0.1.5 873 interface FastEthernet1 873
ip nat inside source static tcp 192.0.1.5 873 interface FastEthernet1 873
ip nat inside source static tcp 192.0.1.5 524 interface FastEthernet1 524
ip nat inside source static udp 192.0.1.5 524 interface FastEthernet1 524
ip nat inside source static udp 192.0.1.5 123 interface FastEthernet1 123
ip nat inside source static tcp 192.0.1.5 123 interface FastEthernet1 123
ip nat inside source static tcp 192.0.1.5 636 interface FastEthernet1 636
ip nat inside source static tcp 192.0.1.5 443 interface FastEthernet1 443
ip nat inside source static tcp 192.0.1.5 80 interface FastEthernet1 80
ip nat inside source static udp 192.0.1.5 21 interface FastEthernet1 21
ip nat inside source static udp 192.0.1.5 2222 interface FastEthernet1 2222
ip nat inside source static tcp 192.0.1.5 2222 interface FastEthernet1 2222
!
logging trap debugging
access-list 1 permit 192.0.1.0 0.0.0.255
no cdp run
!
!
!
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
 
Your static translations appear to be trying to translate public addresses into other public addresses...am I missing something, or why do you have the inside interface with a public address pool?

Burt
 
Just doing NAT translation to allow inside users to access the internet. The static statements are statements that I have used in the past and the examples that I have found to do forwarding through the router.

I'm basically trying to pass public traffic from xxx.xxx.29.34 to the internal 192.0.1.5 for the corresponding ports in the static statements.

ie. There is a webserver behind the router on that 192.0.1.5 IP that users need to access from OUTSIDE.

Thanks!
 
Ok, new NAT config:

ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static udp 192.0.1.5 631 xxx.xxx.29.35 631
ip nat inside source static tcp 192.0.1.5 631 xxx.xxx.29.35 631
ip nat inside source static tcp 192.0.1.5 22 xxx.xxx.29.35 22
ip nat inside source static udp 192.0.1.5 22 xxx.xxx.29.35 22
ip nat inside source static udp 192.0.1.5 873 xxx.xxx.29.35 873
ip nat inside source static tcp 192.0.1.5 873 xxx.xxx.29.35 873
ip nat inside source static tcp 192.0.1.5 524 xxx.xxx.29.35 524
ip nat inside source static udp 192.0.1.5 524 xxx.xxx.29.35 524
ip nat inside source static udp 192.0.1.5 123 xxx.xxx.29.35 123
ip nat inside source static tcp 192.0.1.5 123 xxx.xxx.29.35 123
ip nat inside source static tcp 192.0.1.5 636 xxx.xxx.29.35 636
ip nat inside source static udp 192.0.1.5 21 xxx.xxx.29.35 21
ip nat inside source static udp 192.0.1.5 2222 xxx.xxx.29.35 2222
ip nat inside source static tcp 192.0.1.5 2222 xxx.xxx.29.35 2222
ip nat inside source static tcp 192.0.1.5 443 xxx.xxx.29.35 443
ip nat inside source static tcp 192.0.1.5 80 xxx.xxx.29.35 80
ip nat inside source static udp 192.0.1.5 80 xxx.xxx.29.35 80
!
logging trap debugging
access-list 1 permit 192.0.1.0 0.0.0.255
no cdp run

I can ping the xxx.xxx.29.35, but cannot hit the webserver, nor successfully telnet open any of the other ports.

Help!

Thanks.
 
But 192.0.x.x. is a public address pool, not private. You don't NAT public addresses to public. Perhaps you want 192.168.x.x?

Burt
 
Ah yes, gotcha, Burt. That's the subnet they have in place, and I did mention to them that subnet was not in a private range. I am sure the user can change the subnet if needed, but I was hoping there might be some way to config around it?
 
I'm not sure...I have never tried to nat like that...I'm sure you can, but you don't want nat inside, nat outside on the interfaces in this case, I don't think, and no nat source list statement. Try that, I guess...why do they have that entire block of public addresses? Are they sure they have them registered? That's one hell of a block of addresses...

Burt
 
No, they don't have them, they thought that because it was 192.x.x.x that it was private :). I said, no, that starts at 192.168.x.x. *shrugs* Like I say, worst case they can redo their subnet, it's only 20 machines and a server, but morbid curiosity made me want to know if I could do this.

Of course if I don't NAT, then if they try to have communication with any network in the 192.x.x.x/32 range it will crap out. Like I say, the internet traffic is working, just the forwards aren't.
 
Is there a firewall?

I'm assuming you're pinging from the inside of your network? Where within your network are you trying to ping the webserver?

From the outside, you can't ping an inside address. Essentially if you tried that, you'd be pinging the "Actual" 192.0.1.5 address on the Internet that really exists somewhere else.

Have you tried, from the outside, connecting to port 80 using the xxx.xxx.29.35 address?

Essentially to test this, you need to try and get to one of the ports you specified, from the outside, using the xxx.xxx.29.35 address. You will not be able to directly connect into the 192.0.1.5 webserver from the outside.

Hopefully that makes sense.

 
Yeah, it makes sense, and I knew that connecting to 192.0.1.5 directly was out of the question.

No, I can't connect to the xxx.xxx.29.35 webserver. However, I can ping it. And I know the webserver works internally.

My problem is I don't know the rules for NAT'ing a public IP behind another public IP. The idea behind it was so they didn't have to redo their addressing scheme and I got it to successfully NAT the internet traffic, but can't get forwards to work properly. Now I can remove NAT and just let the traffic route normally and do static mappings for the xxx.xxx.29.35 -> 192.0.1.5, BUT that will create all kinds of routing problems when they are talking across the internet.

If there's no way to trick NAT into successfully forwarding traffic, then I'm going to have to have them change their subnet, just no way around it.
 
Oh, and no firewall yet, this is the perimeter device.
 
Just redo the LAN subnet to a private range, and start over bro. The IANA will be all over you because some ISP is reporting IP conflicts in their BGP tables with the entire block that is mistakenly configured on your LAN...you simply can't have public addresses that are routable on the internet that are already in use! It's like having 192.168.1.0/24 configured twice on two different LANs!

Burt
 
I hear you man, yeah, that's why I was trying to NAT them. There's no way I would have turned them loose from behind the NAT.

I think you're right, Burt, it's the easiest solution. I had just hoped someone more learned than myself had successfully done this with NAT before. :)
 
It may be possible, but definitely NOT a good solution, unless those IP addresses are registered to you, then it is still a strange way of going about things.

Burt
 
Regardless of the odd configuration of public IP addresses on the inside of the network, his setup should still be working and functional and it is not.

I don't think having public IP addresses on the inside of the network has anything to do w/why it isn't working.
 
I agree partially, but I was thinking that since the 192.0.x.x block was not registered to him, I am not too sure it won't goof things up... just to test things, just a few commands...

router(config)#int bvi1
router(config-if)#ip add 192.168.1.1 255.255.255.0
router(config-if)#no shut
router(config-if)#exi
router(config)#ip nat inside source static tcp 192.168.1.5 21 int fa1 21
and then plug a laptop or some other Windows box in, and configure IIS for FTP, and try to ftp to the public IP...

Can you connect via ftp currently?
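An added config lint, not posted by anyone in this thread, run over a constructed copy of the static mappings above: it flags inside-local addresses outside RFC 1918 (Burt's objection to the 192.0.1.0/24 LAN), inside-global addresses that do not sit on the WAN /29, and UDP mappings for TCP-only services such as FTP and HTTP. The WAN prefix 198.51.100.34/29 stands in for the masked xxx.xxx.29.34/29 and is an assumption.

```python
import ipaddress
import re

# Constructed sample: the thread's static mappings, with the masked xxx.xxx.29.x
# WAN addresses replaced by documentation-range placeholders (an assumption).
WAN_INTERFACE = ipaddress.ip_interface("198.51.100.34/29")  # stands in for FastEthernet1
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet1 overload
ip nat inside source static udp 192.0.1.5 631 198.51.100.35 631
ip nat inside source static tcp 192.0.1.5 22 198.51.100.35 22
ip nat inside source static udp 192.0.1.5 21 198.51.100.35 21
ip nat inside source static tcp 192.0.1.5 443 198.51.100.35 443
ip nat inside source static tcp 192.0.1.5 80 198.51.100.35 80
ip nat inside source static udp 192.0.1.5 80 198.51.100.35 80
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (interface \S+|\S+) (\d+)$")

# RFC 1918 space: the only ranges an unregistered LAN should use behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Transport the services in the thread actually use (FTP/HTTP are TCP-only).
EXPECTED_PROTO = {21: "tcp", 22: "tcp", 80: "tcp", 123: "udp", 443: "tcp", 636: "tcp"}


def is_rfc1918(addr) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def audit_static_nat(config: str, wan=WAN_INTERFACE) -> list:
    """Return one finding per suspicious 'ip nat inside source static' line."""
    findings = []
    for raw in config.splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        proto, inside_local, lport, inside_global, _gport = m.groups()
        # Burt's objection: 192.0.1.0/24 is routable public space, not RFC 1918.
        if not is_rfc1918(inside_local):
            findings.append(f"{raw}: inside local {inside_local} is not RFC 1918 space")
        # An inside-global address off the WAN subnet never receives the traffic.
        if not inside_global.startswith("interface"):
            if ipaddress.ip_address(inside_global) not in wan.network:
                findings.append(f"{raw}: inside global {inside_global} is outside {wan.network}")
        want = EXPECTED_PROTO.get(int(lport))
        if want and want != proto:
            findings.append(f"{raw}: port {lport} is normally {want}, mapped as {proto}")
    return findings
```

The `interface FastEthernet1` form from the first config is accepted and skips the subnet check, since the router owns that address itself.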
 