
NAT translations won't work

Status
Not open for further replies.

Lazrum

Technical User
Dec 4, 2006
6
US
I have been messing around with some NAT translations for a couple of weeks now and still cant seem to connect to internal servers from the outside. From what I've researched, my config is correct so im puzzled. Can anyone help me out?




Current configuration : 4117 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPS
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz.124-10a.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$qZNX$JshcFii.n/hu8/2NcR12/0
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip name-server xxx.xxx.xxx.9
ip name-server xxx.xxx.xxx.8
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description This is the WAN interface
ip address xxx.xxx.xxx.100 255.255.255.240
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description This is the LAN interface
ip address 172.18.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113
!
ip http server
no ip http secure-server
ip nat pool PaulsPool 172.18.0.1 172.18.19.255 prefix-length 16
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.18.0.19 25 xxx.xxx.xxx.114 25 extendable
ip nat inside source static tcp 172.18.0.19 80 xxx.xxx.xxx.114 80 extendable
ip nat inside source static tcp 172.18.0.19 443 xxx.xxx.xxx.114 443 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.114 3389 extendable
ip nat inside source static tcp 172.18.1.242 5003 xxx.xxx.xxx.115 5003 extendable
ip nat inside source static tcp 172.18.0.101 80 xxx.xxx.xxx.116 80 extendable
ip nat inside source static tcp 172.18.0.101 443 xxx.xxx.xxx.116 443 extendable
ip nat inside source static tcp 172.18.1.198 80 xxx.xxx.xxx.118 80 extendable
ip nat inside source static tcp 172.18.1.198 443 xxx.xxx.xxx.118 443 extendable
ip nat inside source static tcp 172.18.1.241 1677 xxx.xxx.xxx.118 1677 extendable
ip nat inside source static tcp 172.18.1.241 8300 xxx.xxx.xxx.118 8300 extendable
ip nat inside source static tcp 172.18.1.254 80 xxx.xxx.xxx.120 80 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.120 3389 extendable
ip nat inside source static tcp 172.18.1.240 8080 xxx.xxx.xxx.122 8080 extendable
!
logging 172.18.5.80
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 2 permit 172.18.0.0 0.0.255.255 log
access-list 102 permit udp host xxx.xxx.xxx.8 eq domain any log
access-list 102 permit udp host xxx.xxx.xxx.9 eq domain any log
access-list 102 permit tcp any eq www host xxx.xxx.xxx.114 log
access-list 102 permit tcp any eq 443 host xxx.xxx.xxx.114 log
access-list 102 permit tcp any eq 5003 host xxx.xxx.xxx.115 log
access-list 102 permit tcp any eq 8300 host xxx.xxx.xxx.118 log
access-list 102 permit tcp any eq 1677 host xxx.xxx.xxx.118 log
access-list 102 permit tcp any eq 3389 host xxx.xxx.xxx.114 log
access-list 102 permit tcp any eq 3389 host xxx.xxx.xxx.120 log
access-list 102 permit tcp any eq www host xxx.xxx.xxx.118 log
access-list 102 permit tcp any eq 443 host xxx.xxx.xxx.118 log
access-list 102 permit tcp any eq www host xxx.xxx.xxx.120 log
access-list 102 permit tcp any eq www host xxx.xxx.xxx.116 log
access-list 102 permit tcp any eq 443 host xxx.xxx.xxx.116 log
access-list 102 permit tcp any eq smtp host xxx.xxx.xxx.114 log
access-list 102 permit tcp any eq 8080 host xxx.xxx.xxx.122 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 established log
access-list 102 permit tcp any eq 1723 host xxx.xxx.xxx.114 log
access-list 102 permit icmp any host xxx.xxx.xxx.114 echo-reply log
access-list 102 permit icmp any host xxx.xxx.xxx.114 unreachable log
access-list 102 deny icmp any any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 172.18.0.0 0.0.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip any any log
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 115D4B5407131E0017
login
!
scheduler allocate 20000 1000
end
 
ip nat inside source static tcp 172.18.0.101 80 xxx.xxx.xxx.116 80 extendable

It's the wrong way round.

You need to structure your NAT statement like this:

ip nat inside source static Global_IP Local_IP

This will mean that a destination IP of Global_IP will be nated to Local_IP.



UnaBomber
ccnp mcse2k
 
I personally think the NAT statements are fine.

I would however question your access control list 102. For instance, this line:

access-list 102 permit tcp any eq www host xxx.xxx.xxx.114 log

says allow traffic from any host but with a source port of 80.

The source port is usually random but the destination port is predictable. Therefore I believe this statement should read as:


access-list 102 permit tcp any host xxx.xxx.xxx.114 eq www log

However, before you go changing your whole access control list, just try and see if connectivity is restored by removing the access-group from Fa0/0 first with the "no ip access-group 102 in" command.
 
ohh shoot :)

yeap

Ip nat inside source static x.x.x.x y.y.y.y

where y.y.y.y is the destination address and it gets NATed to x.x.x.x, thus y is global and x is local

<--- engage brain first

UnaBomber
ccnp mcse2k
 
Ahh, almost solved it. I'm now able to reach my mail filter but none of the other servers from the outside. They are still accessible from the inside. It's actually quite strange because every time I plug the router in to test the config out it steals my FileMaker server's IP address. After a couple of minutes it gets its IP back and works fine. Maybe that's normal? Or could that be any sign as to why other servers can't be reached from the outside? Also, I've only tested web servers from the outside on port 80, no others.

*The xxx.xxx.xxx.114 is the server that works from the outside
*The Filemaker server is 172.18.1.242

My new config is as follows:


Current configuration : 4071 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPS
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz.124-10a.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$qZNX$JshcFii.n/hu8/2NcR12/0
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip name-server xxx.xxx.xxx.9
ip name-server xxx.xxx.xxx.8
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description This is the WAN interface
ip address xxx.xxx.xxx.114 255.255.255.240
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description This is the LAN interface
ip address 172.18.1.253 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113
!
ip http server
no ip http secure-server
ip nat pool PaulsPool 172.18.0.1 172.18.19.255 prefix-length 16
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.18.0.19 25 xxx.xxx.xxx.114 25 extendable
ip nat inside source static tcp 172.18.0.19 80 xxx.xxx.xxx.114 80 extendable
ip nat inside source static tcp 172.18.0.19 443 xxx.xxx.xxx.114 443 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.114 3389 extendable
ip nat inside source static tcp 172.18.1.242 5003 xxx.xxx.xxx.115 5003 extendable
ip nat inside source static tcp 172.18.0.101 80 xxx.xxx.xxx.116 80 extendable
ip nat inside source static tcp 172.18.0.101 443 xxx.xxx.xxx.116 443 extendable
ip nat inside source static tcp 172.18.1.198 80 xxx.xxx.xxx.118 80 extendable
ip nat inside source static tcp 172.18.1.198 443 xxx.xxx.xxx.118 443 extendable
ip nat inside source static tcp 172.18.1.241 1677 xxx.xxx.xxx.118 1677 extendable
ip nat inside source static tcp 172.18.1.241 8300 xxx.xxx.xxx.118 8300 extendable
ip nat inside source static tcp 172.18.1.254 80 xxx.xxx.xxx.120 80 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.120 3389 extendable
ip nat inside source static tcp 172.18.1.240 8080 xxx.xxx.xxx.122 8080 extendable
!
logging 172.18.5.80
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 102 permit udp host xxx.xxx.xxx.8 eq domain any log
access-list 102 permit udp host xxx.xxx.xxx.9 eq domain any log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.115 eq 5003 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 8300 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 1677 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 3389 log
access-list 102 permit tcp any host xxx.xxx.xxx.120 eq 3389 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.120 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.116 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.116 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq smtp log
access-list 102 permit tcp any host xxx.xxx.xxx.122 eq 8080 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 1723 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 established log
access-list 102 permit icmp any host xxx.xxx.xxx.114 echo-reply log
access-list 102 permit icmp any host xxx.xxx.xxx.114 unreachable log
access-list 102 deny icmp any any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 172.18.0.0 0.0.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip any any log
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 115D4B5407131E0017
login
!
scheduler allocate 20000 1000
end




Thank you very much for your posts guys, it's very much appreciated.
 
From
Q. Is it possible to build a configuration with both static and dynamic NAT translations?

A. Yes, this is possible. The caveat is that the global addresses used in static translations are not automatically excluded from dynamic pools that contain those global addresses. You must create your dynamic pools to exclude addresses assigned via static entries.

So, you may wish to exclude the static entries in your dynamic PaulsPool.
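The caveat quoted above is mechanical enough to check rather than eyeball. The following is an added example and not code from the thread or from Cisco: it parses `ip nat pool`, the dynamic `ip nat inside source list ... pool` rule and the static entries, and for each pool reports whether any dynamic rule actually uses it and which static global addresses fall inside its range. Both sample configs are constructed; 198.51.100.112/28 (documentation space) stands in for the masked public block, and the first sample mirrors the shape of the poster's config.

```python
from ipaddress import ip_address

# Constructed samples. THREAD_SHAPED mirrors the poster's pool and overload rule;
# OVERLAPPING is a made-up config that trips the static/dynamic caveat.
THREAD_SHAPED = """\
ip nat pool PaulsPool 172.18.0.1 172.18.19.255 prefix-length 16
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.18.0.19 80 198.51.100.114 80 extendable
ip nat inside source static tcp 172.18.1.242 5003 198.51.100.115 5003 extendable
"""

OVERLAPPING = """\
ip nat pool WANPOOL 198.51.100.113 198.51.100.126 netmask 255.255.255.240
ip nat inside source list 1 pool WANPOOL overload
ip nat inside source static tcp 172.18.0.19 80 198.51.100.114 80 extendable
ip nat inside source static tcp 172.18.1.242 5003 198.51.100.115 5003 extendable
ip nat inside source static 172.18.1.198 198.51.100.118
"""


def static_globals(lines):
    """Global (outside) addresses claimed by 'ip nat inside source static' entries,
    in both the 'tcp|udp LOCAL LPORT GLOBAL GPORT' and the plain 'LOCAL GLOBAL' form."""
    out = []
    for tok in (l.split() for l in lines):
        if tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            rest = tok[5:]
            out.append(rest[3] if rest[0] in ("tcp", "udp") else rest[1])
    return out


def pool_report(config_text):
    """For each 'ip nat pool NAME START END ...' line, report whether a dynamic rule
    references it and which static global addresses sit inside START..END."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    statics = set(static_globals(lines))
    referenced = set()
    for tok in (l.split() for l in lines):
        # 'ip nat inside source list N pool NAME [overload]' ties a pool to a rule
        if tok[:4] == ["ip", "nat", "inside", "source"] and "pool" in tok:
            referenced.add(tok[tok.index("pool") + 1])
    report = {}
    for tok in (l.split() for l in lines):
        if tok[:3] != ["ip", "nat", "pool"]:
            continue
        name, start, end = tok[3], ip_address(tok[4]), ip_address(tok[5])
        clashes = sorted((g for g in statics if start <= ip_address(g) <= end),
                         key=ip_address)
        report[name] = {"referenced": name in referenced, "overlapping_statics": clashes}
    return report


if __name__ == "__main__":
    print(pool_report(THREAD_SHAPED))
    print(pool_report(OVERLAPPING))
```

On the thread-shaped sample the report shows PaulsPool with no overlapping statics and no dynamic rule referencing it (the overload rule translates to the FastEthernet0/0 address, not to the pool), so the pool is dead configuration rather than a clash. On the second sample every static global lands inside the referenced pool, which is exactly the situation the quoted answer warns about.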
 
I note that you are not allowing TCP established traffic for your other static hosts except the xxx.xxx.xxx.114 host which works. Try adding:

access-list 102 permit tcp any host xxx.xxx.xxx.116 established log

for all your other static NAT hosts as well.

Also, can you confirm, as requested in my previous post, that you could reach every host from the outside when access group 102 was temporarily removed?
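The two ACL problems raised in this thread (an `eq` placed on the source side so it matches the client's random source port, and a static translation whose global address has no matching inbound permit) plus the `established` line suggested just above can all be checked from the running config. The following is an added example, not code from the thread: it parses the numbered extended ACL and `ip nat inside source static` forms used in the posted configs and cross-checks them. Both configs are constructed, with 198.51.100.112/28 (documentation space) in place of the masked xxx.xxx.xxx.112/28 block; the first reproduces the shape of the original mistake, the second the corrected shape.

```python
import re
from collections import namedtuple
from ipaddress import ip_address

# Constructed samples in the shape of the thread's config. 198.51.100.112/28 stands in
# for the masked public block; none of these are the poster's real addresses.
BROKEN_CONFIG = """\
ip nat inside source static tcp 172.18.0.19 80 198.51.100.114 80 extendable
ip nat inside source static tcp 172.18.0.19 443 198.51.100.114 443 extendable
ip nat inside source static tcp 172.18.0.101 80 198.51.100.116 80 extendable
access-list 102 permit tcp any eq www host 198.51.100.114 log
access-list 102 permit tcp any host 198.51.100.114 eq 443 log
access-list 102 permit tcp any host 198.51.100.114 established log
access-list 102 deny ip any any log
"""

FIXED_CONFIG = """\
ip nat inside source static tcp 172.18.0.19 80 198.51.100.114 80 extendable
ip nat inside source static tcp 172.18.0.19 443 198.51.100.114 443 extendable
ip nat inside source static tcp 172.18.0.101 80 198.51.100.116 80 extendable
access-list 102 permit tcp any host 198.51.100.114 eq www log
access-list 102 permit tcp any host 198.51.100.114 eq 443 log
access-list 102 permit tcp any host 198.51.100.116 eq www log
access-list 102 permit tcp any 198.51.100.112 0.0.0.15 established log
access-list 102 deny ip any any log
"""

PORT_NAMES = {"www": 80, "smtp": 25, "domain": 53}  # IOS port keywords used in the thread
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
# src/dst are (address, wildcard) pairs; ("any", None) matches everything.
AclEntry = namedtuple("AclEntry", "action proto src src_port dst dst_port established raw")


def _take_addr(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) starting at tok[i]."""
    if tok[i] == "any":
        return ("any", None), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def _take_port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; keywords map through PORT_NAMES."""
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES.get(p, p)), i + 2
    return None, i


def parse_acl_line(line):
    """Parse one numbered extended ACL entry; returns None for anything else."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] not in ("tcp", "udp", "ip", "icmp"):
        return None
    src, i = _take_addr(tok, 4)
    sport, i = _take_port(tok, i)
    dst, i = _take_addr(tok, i)
    dport, i = _take_port(tok, i)
    return AclEntry(tok[2], tok[3], src, sport, dst, dport, "established" in tok[i:], line)


def covers(spec, ip):
    """True if an (address, wildcard) spec matches ip; wildcard bits are don't-care."""
    addr, wildcard = spec
    if addr == "any":
        return True
    w = int(ip_address(wildcard))
    return (int(ip_address(addr)) | w) == (int(ip_address(ip)) | w)


def audit(config_text):
    """Cross-check static NAT entries against the inbound ACL; returns a list of findings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    statics = [m.groups() for m in map(STATIC_RE.match, lines) if m]
    acl = [e for e in map(parse_acl_line, lines) if e]
    findings = []
    # 1. 'eq' before the destination with an 'any' source matches the client's random
    #    source port: the misplaced keyword the earlier reply points out.
    for e in acl:
        if e.action == "permit" and e.src == ("any", None) and e.src_port is not None:
            findings.append(f"source-port match, destination port probably intended: {e.raw}")
    checked_established = set()
    for proto, local_ip, local_port, global_ip, global_port in statics:
        # 2. Each static translation needs a permit to its global IP and destination port.
        if not any(e.action == "permit" and e.proto == proto and covers(e.dst, global_ip)
                   and e.dst_port == int(global_port) for e in acl):
            findings.append(f"no inbound permit for {proto}/{global_port} to {global_ip} "
                            f"(static for {local_ip}:{local_port})")
        # 3. The 'established' permit the reply just above recommends per static global.
        if proto == "tcp" and global_ip not in checked_established:
            checked_established.add(global_ip)
            if not any(e.action == "permit" and e.proto == "tcp" and e.established
                       and covers(e.dst, global_ip) for e in acl):
                findings.append(f"no 'established' permit for {global_ip}")
    return findings
```

Running `audit(BROKEN_CONFIG)` yields four findings (the source-port line, missing port-80 permits for both global addresses, and no `established` entry for the second one); `audit(FIXED_CONFIG)` yields none, the wildcard entry covering the whole /28 satisfying check 3 for every global. Two caveats a practitioner should keep in mind: the parser only understands the numbered extended ACL forms seen in this thread (no `gt`/`range`, no named ACLs), and `established` on IOS is not a state table, it merely matches segments with ACK or RST set, so it is a coarse filter rather than stateful inspection.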
 
Sounds good. I'll be able to try those suggestions out hopefully either Thursday or Friday. I'll keep you guys posted, and thank you for all the replies.
 
I was able to play around with the router today but didn't get too far. I plugged the ethernet cables in and normally 3 lights for both interfaces are lit. This time only the LAN interface (e0/1) was completely lit and the WAN interface (e0/0) had the "link" and "100" light blinking (normally constant) while the "FDX" light showed no activity with no lighting. I have no idea what the FDX light indicates. Nothing in the configuration was changed since my last post. show ip int brief says e0/0 status is up/down. I go to plug the ethernet cables back into the original firewall (gateway) and everything works fine. Obviously a layer 2 issue but I can't figure it out; my modem doesn't keep gateway devices' MAC addresses so it's not a matter of resetting the modem or clearing the ARP cache; I tried that. I called up my ISP and told him the situation but he wasn't very helpful. He could access my modem and said he couldn't see anything past that, so it's a misconfiguration on my side. Once again, I haven't changed anything in my config since last post. Plus, I plugged the LAN ethernet cable into the WAN interface just for the heck of it and all 3 lights were solid. I plugged the WAN ethernet cable into the LAN interface and got the same light errors as before. This may be too much information, sorry about that, but if anyone has any idea as to what is going on please let me know.

Thanks
 
Ok, it turns out my ISP did change something with the config that required me to manually set the WAN interface to full duplex, speed 100. That solved the issue from the previous post. Everything including NAT translations is working fine now. Thank you everyone for your help. Here is my final WORKING config:



Building configuration...

Current configuration : 4088 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SPS
!
boot-start-marker
boot system flash c2801-advsecurityk9-mz.124-10a.bin
boot-end-marker
!
logging buffered 40096 debugging
enable secret 5 $1$qZNX$JshcFii.n/hu8/2NcR12/0
!
no aaa new-model
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
!
!
ip name-server xxx.xxx.xxx.9
ip name-server xxx.xxx.xxx.8
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description This is the WAN interface
ip address xxx.xxx.xxx.114 255.255.255.240
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
description This is the LAN interface
ip address 172.18.1.253 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/2/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.113
!
ip http server
no ip http secure-server
ip nat pool PaulsPool 172.18.0.1 172.18.19.255 prefix-length 16
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 172.18.0.19 25 xxx.xxx.xxx.114 25 extendable
ip nat inside source static tcp 172.18.0.19 80 xxx.xxx.xxx.114 80 extendable
ip nat inside source static tcp 172.18.0.19 443 xxx.xxx.xxx.114 443 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.114 3389 extendable
ip nat inside source static tcp 172.18.1.242 5003 xxx.xxx.xxx.115 5003 extendable
ip nat inside source static tcp 172.18.0.101 80 xxx.xxx.xxx.116 80 extendable
ip nat inside source static tcp 172.18.0.101 443 xxx.xxx.xxx.116 443 extendable
ip nat inside source static tcp 172.18.1.198 80 xxx.xxx.xxx.118 80 extendable
ip nat inside source static tcp 172.18.1.198 443 xxx.xxx.xxx.118 443 extendable
ip nat inside source static tcp 172.18.1.241 1677 xxx.xxx.xxx.118 1677 extendable
ip nat inside source static tcp 172.18.1.241 8300 xxx.xxx.xxx.118 8300 extendable
ip nat inside source static tcp 172.18.1.254 80 xxx.xxx.xxx.120 80 extendable
ip nat inside source static tcp 172.18.0.19 3389 xxx.xxx.xxx.120 3389 extendable
ip nat inside source static tcp 172.18.1.240 8080 xxx.xxx.xxx.122 8080 extendable
!
logging 172.18.1.253
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 102 permit udp host xxx.xxx.xxx.8 eq domain any log
access-list 102 permit udp host xxx.xxx.xxx.9 eq domain any log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.115 eq 5003 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 8300 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 1677 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 3389 log
access-list 102 permit tcp any host xxx.xxx.xxx.120 eq 3389 log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.118 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.120 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.116 eq www log
access-list 102 permit tcp any host xxx.xxx.xxx.116 eq 443 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq smtp log
access-list 102 permit tcp any host xxx.xxx.xxx.122 eq 8080 log
access-list 102 permit tcp any host xxx.xxx.xxx.114 eq 1723 log
access-list 102 permit tcp any xxx.xxx.xxx.112 0.0.0.15 established log
access-list 102 permit icmp any host xxx.xxx.xxx.114 echo-reply log
access-list 102 permit icmp any host xxx.xxx.xxx.114 unreachable log
access-list 102 deny icmp any any log
access-list 102 deny ip host 0.0.0.0 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 172.18.0.0 0.0.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 deny ip any any log
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password 7 115D4B5407131E0017
login
!
scheduler allocate 20000 1000
end
 