
Multiple Global IP Addresses

Status
Not open for further replies.

scraig84

Technical User
Jun 4, 2002
36
US
Sorry if this is long, but I have been working on this for a while and am frustrated! I understand NAT and PAT completely, and can configure it in my sleep on a normal IOS router or a PIX. However, I can't seem to get this little 678 DSL router to do what I want it to do. I have opened up a Cisco TAC case, and they haven't been able to give me any answers. Rather than retype everything I've gone through, I figured I would just paste in the notes from the TAC case. If anyone can give me a definitive answer, I will be most grateful!!



Problem Description: I am pretty familiar with these devices but I am a bit stumped here and cannot find documentation on this issue. I currently have a 678 - NAT enabled. Using the default 10.0.0.0/24 network on the inside (Eth0). DHCP is enabled. Wan0-0 is dynamically receiving IP info from carrier. Public address is on a 29 bit masked network so there are 6 usable addresses (including address for modem). Web browsing and basic Internet connectivity for inside hosts is working fine. With NAT I can set up static NAT rules fine using the public address assigned to the modem and I can then successfully access inside hosts from external Internet hosts.
My problem is that I want to be able to use some of the other 5 public addresses given to me from the carrier so that I can set up additional NAT rules allowing me to access multiple internal hosts on the same TCP port (for example port 3389). I have tried adding these addresses to VIP interfaces, but the traffic does not get translated after I create my NAT rules.
I have received conflicting information from the documentation on whether or not this can be done. I would prefer not to shut off NAT and give the IP addresses to the internal hosts if at all possible.
Urls shown to the user :


*** EMAIL OUT 31-MAY-2002 06:50:19 PST, XXXX, Action Type: Email Out ***
Send to: XXXX
Scott,
My name is Rick and I have just accepted your case. Can you please tell me what commands you are using to try to configure NAT on the 678?
Thanks,
Rick


*** NOTES LOG 31-MAY-2002 08:29:39 PST, ciscodotcom, Action Type: Action ***
Notes logged
The following is an email sent at 9:07 Central Time in response:
Rick,
For example, let's use 15.15.15.0/29 as my sample public network (real numbers changed to protect the innocent). 15.15.15.6/29 is the address given to wan0-0 dynamically by the carrier. Even though it is dynamic configuration, the address is always the same. Eth0 has no configuration. So if I put in:
set nat entry add 10.0.0.3 3389 15.15.15.6 3389 tcp
All works well. I can open 3389 successfully by accessing it on 15.15.15.6. However if I now put in:
set nat entry add 10.0.0.2 3389 15.15.15.5 3389 tcp
The traffic is not passed when I try to open 3389 on 15.15.15.5. I have performed traceroutes to confirm that the traffic is sent to the 678. In fact if I assign the 15.15.15.5 address to VIP0, I can then telnet to the 678 using that address. I have also tried changing the rules around to point at different internal hosts to ensure it is not specific to an internal host. It appears that I am missing something or it is not possible to use multiple global addresses. If I do a "show Nat", I see the rule in the list. However, the difference I see in the list is in the last field (interface). Rather than saying "eth0 wan0-0", it just says "eth0". Take a look:
10.0.0.2:3389 15.15.15.5:3389 0 0x00041 tcp eth0
as opposed to:
10.0.0.3:3389 15.15.15.6:3389 0 0x00041 tcp eth0 wan0-0
Hopefully I'm making sense!
Scott


Hello Scott,
Have you tried to enter the NAT statement without the port?
Do you need to translate the port to an outside IP Address?
Thanks,
Corey


*** NOTES LOG 31-MAY-2002 15:35:06 PST, XXXX, Action Type: Action ***
Hello Scott,
I did some checking and what you want to do isn't possible with the router that you have.
Please open the link above and look under NAT configuration.
Corey


*** NOTES LOG 03-JUN-2002 05:29:04 PST, ciscodotcom, Action Type: Action ***
Notes logged XXXX
Sent the following email to Corey on 6/1 and am waiting for a reply -
I read the info in that link at least 3 times to make sure I was not missing anything, and I do not see anything in that particular link that says anything in regards to my question. Maybe you could cut and paste the text you want me to see?


*** NOTES LOG 03-JUN-2002 09:18:31 PST, XXXX, Action Type: Action ***
Email to Scott. Told him I'm researching the static NAT problem, and to try doing a write and reboot after adding second NAT translation and see if he still has the problem.


*** NOTES LOG 03-JUN-2002 09:23:35 PST, ciscodotcom, Action Type: Action ***
Notes logged XXXX
Sent the following email as a reply:
Yeah. I've tried that. No luck.

Finding out if it has the capability (and if so how) is exactly the point of the question. I know how to do it with IOS routers, but can't get it to go with this. I thought at one point I had seen someone do this, but I can't remember where. The documentation doesn't seem to even address the issue. If you can't I don't understand why you can indicate certain interfaces (such as Virtual Interfaces) as "outside" NAT addresses. Seems pointless if you can't make multiple addresses work.

Thanks,
Scott

*** NOTES LOG 03-JUN-2002 09:56:41 PST, XXXX, Action Type: Action ***
Scott,
You didn't miss anything. The link that I gave you wrapped and it points to something else other than what I intended. Here is the information from the document that I thought I provided.
-------------
Basic NAT allows a mapping between one private address and one public address. (This is not supported on the 67x CPE devices.) NAT with Port Address Translation (PAT or NAPT) is an extension to NAT in that PAT uses TCP/UDP ports in addition to network addresses (IP addresses) to map many private network addresses to a single outside address.
--------------
Please let me know if you need anything else.
Corey


*** NOTES LOG 03-JUN-2002 10:44:00 PST, ciscodotcom, Action Type: Action ***
Notes logged XXXX
I replied with this email at 12:43 Central Time.
I read this as well before opening the ticket. I do not believe this is a clearly definitive answer. It says that basic NAT provides one-to-one IP address translation and this is not supported. OK, fine - that's not what I'm trying to do. It then goes on to explain PAT as translating multiple addresses to a single address through the use of layer 4 (TCP/UDP) ports. OK - that is what I'm doing. However, it does not go on to say whether or not I can then perform PAT translations from multiple global addresses.
It uses the term "single address" at the end, but that appears to be in the context of explaining how PAT works, not defining a limitation of the device. Is there any place where a limitation of a single global address is clearly defined? If so, I have not seen it yet.
Thanks,
Scott


*** NOTES LOG 03-JUN-2002 13:58:35 PST, XXXX, Action Type: Action ***
Researching still. Can't find anything on the issue yet that says can't do more than one static nat translation.
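
Added example, not part of the original post and not Cisco or CBOS code: a Python check over the "show nat" rows quoted above. It separates entries bound to wan0-0 (published to the outside) from entries that list only eth0 (the kind the poster reports as not translating), and flags outside addresses that are not hosts of the public /29. The column layout is assumed from the two quoted rows; parse_show_nat and audit are hypothetical names.

```python
import ipaddress
from typing import NamedTuple

# Constructed input: the two "show nat" rows quoted in the post.
SAMPLE = """\
10.0.0.3:3389 15.15.15.6:3389 0 0x00041 tcp eth0 wan0-0
10.0.0.2:3389 15.15.15.5:3389 0 0x00041 tcp eth0
"""

class NatEntry(NamedTuple):
    inside: str
    inside_port: int
    outside: str
    outside_port: int
    proto: str
    interfaces: tuple

def parse_show_nat(text):
    """Parse entry rows; columns 3 and 4 are skipped (the post does not name them)."""
    entries = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6:
            continue  # blank line, header or truncated row
        try:
            in_ip, in_port = cols[0].rsplit(":", 1)
            out_ip, out_port = cols[1].rsplit(":", 1)
            ipaddress.ip_address(in_ip)   # raises ValueError if not an address
            ipaddress.ip_address(out_ip)
            entries.append(NatEntry(in_ip, int(in_port), out_ip, int(out_port),
                                    cols[4].lower(), tuple(cols[5:])))
        except ValueError:
            continue  # first two columns are not address:port pairs
    return entries

def audit(entries, wan_if="wan0-0", public_net="15.15.15.0/29"):
    """Return (published, unbound, off_net) lists of NatEntry."""
    hosts = set(ipaddress.ip_network(public_net).hosts())
    published = [e for e in entries if wan_if in e.interfaces]
    unbound = [e for e in entries if wan_if not in e.interfaces]
    off_net = [e for e in entries if ipaddress.ip_address(e.outside) not in hosts]
    return published, unbound, off_net

if __name__ == "__main__":
    labels = ("PUBLISHED", "NOT BOUND TO WAN", "OFF-NET")
    for label, group in zip(labels, audit(parse_show_nat(SAMPLE))):
        for e in group:
            print(label, f"{e.outside}:{e.outside_port}/{e.proto} -> {e.inside}:{e.inside_port}", e.interfaces)
```

The published list doubles as an inventory of inside services reachable from the Internet, here TCP 3389 on 10.0.0.3.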
 
Have you ever found a solution for this problem? I am in the same situation. Blind-folded I could do what I need to do in the Cisco IOS, but this CBOS is driving me insane.

Thanks,
Tom
tmatthews@NOSPAM.megsinet.net
(remove NOSPAM. before sending)
 
Thank gawd that I'm not crazy.

Although it does not appear that there's been a definitive answer to this issue, I am glad to see that it's been so well documented here and with Cisco.

The essential questions:

- Why can't an outside virtual interface perform a PAT translation?

- Why can't a PAT be defined for any interface other than the WAN0-0?

- Why does CBOS have the capability of defining multiple outside virtual interfaces that do nothing other than access the router as another alias of the WAN0-0 interface?

I guess it's three different ways of asking the same question, but they are all very pointed to get to the bottom of the issue.

I would surmise that the Virtual Interface feature does have other uses, but it would not appear that PAT works currently.

Anyone want to ask Cisco and get an answer? Maybe they'd be inclined to fix this feature.

Thanks!

- Dave
 