NAT configuration issues


ganeshSE

Jun 24, 2005
Hi Guys
I am having problems with my 2600 router. My router is closing or resetting all connections except for telnet and http traffic. When I did a port scan on the router, I found that only ports 23 and 80 are open. However, I have defined access-lists that clearly permit all the addresses. We cannot connect to the office network from home. I am posting the configurations. Any suggestions on why the router is closing the connections are highly appreciated. Thanks for your inputs/suggestions.

Ganesh

Configuration:

ip subnet-zero
!
interface Ethernet0/0
ip address 217.57.56.216 255.255.255.0
ip nat outside
full-duplex
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface BRI0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 10.10.0.254 255.0.0.0
ip nat inside
full-duplex
!
ip nat pool test 217.57.56.217 217.57.56.217 prefix-length 24
ip nat inside source list 1 pool test overload
ip nat outside source static tcp 217.57.56.218 80 10.10.0.35 80 extendable
ip nat outside source static tcp 217.57.56.218 21 10.10.0.35 21 extendable
ip nat outside source static tcp 217.57.56.218 20 10.10.0.35 20 extendable
ip nat outside source static tcp 217.57.56.218 25 10.10.0.35 25 extendable
ip nat outside source static tcp 217.57.56.218 23 10.10.0.35 23 extendable
ip nat outside source static tcp 217.57.56.218 110 10.10.0.35 110 extendable
ip nat outside source static tcp 217.57.56.218 53 10.10.0.35 53 extendable
ip nat outside source static tcp 217.57.56.218 67 10.10.0.35 67 extendable
ip nat outside source static tcp 217.57.56.218 68 10.10.0.35 68 extendable
ip nat outside source static tcp 217.57.56.218 135 10.10.0.35 135 extendable
ip nat outside source static tcp 217.57.56.218 137 10.10.0.35 137 extendable
ip nat outside source static tcp 217.57.56.218 138 10.10.0.35 138 extendable
ip nat outside source static tcp 217.57.56.218 139 10.10.0.35 139 extendable
ip nat outside source static tcp 217.57.56.218 443 10.10.0.35 443 extendable
ip nat outside source static tcp 217.57.56.218 50 10.10.0.35 50 extendable
ip nat outside source static tcp 217.57.56.218 51 10.10.0.35 51 extendable
ip nat outside source static tcp 217.57.56.218 47 10.10.0.35 47 extendable
ip nat outside source static tcp 217.57.56.218 1723 10.10.0.35 1723 extendable
ip nat outside source static udp 217.57.56.218 500 10.10.0.35 500 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 217.57.56.1
ip http server
ip pim bidir-enable
!
access-list 1 permit 10.10.0.0 0.255.255.255
banner motd ^C



 
Are you going to access the internal server 10.10.0.35 from the Internet?

If yes, why don't you try doing a static inside-to-outside NAT?

ip nat inside source static tcp 10.10.0.35 80 217.57.56.216 80 extendable
...etc.
 
Hi
Thank you for replying. Yes, I wanted to access the internal server from outside. I am new to this NAT. Is there an error in the above configuration? Is there a specific reason for me to do it from inside to outside, and will that fix the problem? Your inputs are highly appreciated.
Thanks
 
If your clients are on the outside network and your servers are inside, then normally you'll need an inside-to-outside static translation.

Also please clearly define the statement "We cannot connect to the office network from home". What kind of resources are you trying to access from the outside network? Do you simply want to access the resources on specific servers, or do you want to establish a VPN connection from your clients to your inside network?
 
Yes. We wanted to access some company related files and some backup s/w and applications that are running on the specific server. I assumed the only way to access server resources from an outside network is through VPN. Correct me if I was wrong. Please suggest what changes I should make to get it up and running again.

Also, the above configuration was a working configuration until a couple of months back. Due to a sudden power and internet outage, it stopped working.

Thanks again...
 
Accessing internal resources can also be done by NAT. It just depends on the type of resources and the amount of resources. Say if it's FTP/Web, then NAT will do well. But if you have a lot of resources but you just have 1 public IP for doing PAT, you may consider client-to-site VPN.

Make sure your router interfaces are up and running. Make sure your ISP gateway is reachable. You can test this by ping if your ISP allows.

For building a VPN, you may want to buy a VPN accelerator AIM module. And for some sample client-to-site VPN configuration, check this:

 
I think I'll go with NAT, as I just wanted to access some resources of the server. And all my router interfaces are up, and I can ping the ISP gateway. I don't think there is a problem with the gateway, because we can get onto the internet.

My question is only on the above pasted NAT configurations. I am confused about whether my access-lists are wrong, if they don't match according to the NAT translations. I was wondering if you can help me with the configurations. I am sure it is a problem with access-lists because my router port scan showed me that all ports are closed except port 23 and port 80. So I guess we can concentrate on this direction with respect to the access list? Or else has it got anything to do with a firmware upgrade of the Cisco router?

Your input is highly appreciated.
 
Use "ip nat inside source static" instead and try again.
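
The change suggested in this thread, as an added example that is not part of the original posts: a small config check that finds `ip nat outside source static` entries whose local address sits on an `ip nat inside` interface and prints the equivalent `ip nat inside source static` line. The helper names are hypothetical, the sample is a constructed excerpt of the posted configuration, and the rewrite keeps the public address from each original line (an assumption; the reply above uses the interface address instead).

```python
import ipaddress
import re

# Constructed sample: a few lines from the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 ip address 217.57.56.216 255.255.255.0
 ip nat outside
!
interface Ethernet0/1
 ip address 10.10.0.254 255.0.0.0
 ip nat inside
!
ip nat outside source static tcp 217.57.56.218 80 10.10.0.35 80 extendable
ip nat outside source static udp 217.57.56.218 500 10.10.0.35 500 extendable
ip nat inside source list 1 pool test overload
"""

# outside source static order: <global-ip> <global-port> <local-ip> <local-port>
STATIC_RE = re.compile(
    r"^ip nat outside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)(.*)$")

# inside_networks / suggest_inside_static are hypothetical helper names.
def inside_networks(config):
    """Return the networks of interfaces marked 'ip nat inside'."""
    nets, current = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = None  # new interface block, forget the previous address
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            current = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif line == "ip nat inside" and current is not None:
            nets.append(current)
    return nets

def suggest_inside_static(config):
    """Rewrite outside-source statics whose local address is an inside host."""
    nets = inside_networks(config)
    fixes = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        proto, g_ip, g_port, l_ip, l_port, rest = m.groups()
        if any(ipaddress.ip_address(l_ip) in n for n in nets):
            # inside source static order: local first, then global
            fixes.append(f"ip nat inside source static {proto} "
                         f"{l_ip} {l_port} {g_ip} {g_port}{rest}")
    return fixes
```

Calling `suggest_inside_static` on the full running configuration returns one replacement line per misdirected static entry; the dynamic `ip nat inside source list 1 pool test overload` rule is left alone.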
 