
Trying to remove NAT

Status: Not open for further replies.

gtjames (IS-IT--Management), May 26, 2004
I am new to this, so bear with me. We have a point-to-point T1 between our office and our hosting facility. All internet traffic from the office goes through the T1 to the hosting facility, where our firewall is. At the moment NAT is being done on our hosting-side router. We would like to remove this and have our firewall do the NATing. I am having trouble removing the NATing without taking internet service down as well. I have checked the firewall and the packets are indeed making it back out and in, but somehow port 80 or something is not making it back to the office side of the T1. I have tested NAT on the hosting side with a 192.168.1.x address with no problems. It only appears to be the 192.168.1.x addresses on the office side that don't work. In summary, I just want to turn NAT completely OFF while still passing all traffic back to the office transparently. Here are the two router configs:

Office Side
------------------------------------------------
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname OFFICE
!
logging buffered 4096 warnings
enable password 7 xxxxxxxxxxxxxxxx
!
ip subnet-zero
!
!
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet0/0.2
encapsulation dot1Q 2 native
ip address 192.168.0.1 255.255.255.0
no cdp enable
!
interface FastEthernet0/0.xx
description Phone_LAN
encapsulation dot1Q xx
ip address xx.xx.xx.177 255.255.255.240
ip nat inside
!
interface FastEthernet0/0.192
description User_LAN
encapsulation dot1Q 192
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/0.xxx
description Server_LAN
encapsulation dot1Q xxx
ip address xxx.xxx.110.162 255.255.255.240
!
interface Serial0/0
ip address 192.168.2.2 255.255.255.252
no cdp enable
!
interface FastEthernet0/1
ip address 10.0.1.5 255.255.255.0
ip nat outside
speed 100
full-duplex
!
ip nat inside source route-map mylist interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10
ip route 192.168.1.254 255.255.255.255 192.168.2.1
ip route xxx.xxx.110.164 255.255.255.255 192.168.2.1
ip route xxx.xxx.110.170 255.255.255.255 192.168.2.1
ip route xxx.xxx.110.171 255.255.255.255 192.168.2.1
ip route xxx.xxx.110.172 255.255.255.255 192.168.2.1
ip route xxx.xxx.110.173 255.255.255.255 192.168.2.1
no ip http server
!
access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit xxx.0.0.0 0.255.255.255
access-list 10 permit xx.xx.xx.0 0.0.0.255
no cdp run
route-map mylist permit 10
match ip address 10
!
!
dial-peer cor custom
!
!
!
!
line con 0
password 7 xxxxxxxxxxxxxx
logging synchronous
login
line aux 0
password 7 xxxxxxxxxxxxxx
login
line vty 0 4
password 7 xxxxxxxxxxxxxx
login
!
end

Hosting Side
-------------------------
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname HOSTING
!
logging buffered 4096 warnings
enable password 7 xxxxxxxxxxxxxxxx
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
ip name-server xxx.xxx.8.186
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
interface FastEthernet0
ip address xxx.xxx.126.101 255.255.255.240
ip access-group 101 in
no ip redirects
ip nat outside
no ip mroute-cache
speed auto
no cdp enable
!
interface Serial0
ip address 192.168.2.1 255.255.255.252
ip nat inside
no cdp enable
!
ip nat pool HQ_NAT xxx.xxx.126.100 xxx.xxx.126.100 prefix-length 28
ip nat inside source route-map noNAT pool HQ_NAT overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.126.97
ip route xxx.xxx.8.176 255.255.255.240 192.168.2.2
ip route 192.168.1.0 255.255.255.0 192.168.2.2
ip route xxx.xxx.110.165 255.255.255.255 192.168.2.2
no ip http server
!
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp host xxx.xxx.12.86 host xxx.xxx.126.101 eq telnet
access-list 101 permit tcp host xxx.xxx.96.86 host xxx.xxx.126.101 eq telnet
access-list 101 deny tcp any host xxx.xxx.126.101 eq telnet
access-list 101 permit ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip host xxx.xxx.110.165 any
access-list 102 deny ip host 192.168.1.11 any
no cdp run
!
route-map noNAT permit 10
match ip address 102
!
!
line con 0
password 7 xxxxxxxxxxxxxx
line aux 0
password 7 xxxxxxxxxxxxxx
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxxxxxx
login
!
end
----------------------------------
 
Enter config terminal mode and enter:

no ip nat inside source route-map mylist interface FastEthernet0/1 overload

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Oh, almost forgot: you are going to want to access your firewall. Assuming it's a PIX, just enable nat (1) <internal subnet> and make sure you have the global command, and NATing should start working.



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
I have done that. It said that it could not do it because dynamic mapping was still going on; it could not destroy it. Let me know. That is my problem. I figure that it will work once I get rid of the NAT on the router.
 
Oh yeah, you have to remove the ip nat inside and ip nat outside from the interfaces on the remote end:

interface FastEthernet0
no ip nat outside
!
interface Serial0
no ip nat inside

then

no ip nat pool HQ_NAT xxx.xxx.126.100 xxx.xxx.126.100 prefix-length 28
no ip nat inside source route-map noNAT pool HQ_NAT overload


Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Done all of the above. I was finally able to get rid of them in the config. The problem now is that web traffic doesn't seem to be coming back across the router. I can see on my firewall that the local address is sending the request packet out and that it is coming back, but it does not make it across the router back to my office. This is ridiculously frustrating.

 
My bad, I see what your problem is now. Your router has an external public IP and an internal private IP. In order for your router to route inside to out, it has to NAT from the private IP to the public. I should have noticed that. Had both your inside and outside interfaces been public, you would not have had to even mess with NATing, but because of the 192.168 address you need the NAT to make it work.



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Also make sure your firewall has a route back to your router's internal network (office network). The packets are going out and coming back, but going nowhere after that; it seems the firewall doesn't know where to send the packet back to (next hop).
 
If you have a PIX firewall, the command would be

route inside <the ip address> <netmask> <next hop ip> <metric>

The metric should be set to 1 for this network.



Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
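The diagnosis in the last two replies, as an added example that is not part of the original thread or either poster's own material: a small Python model of the two posted router configs plus the hosting-side firewall, tracing where a packet goes hop by hop using longest-prefix match. It shows that once the hosting router stops translating, a reply the firewall has un-NATed back to a 192.168.1.x address follows the firewall's default route toward the ISP unless the firewall has its own route for 192.168.1.0/24 pointing at the hosting router (on a PIX: route inside 192.168.1.0 255.255.255.0 <router inside IP> 1). The thread's public octets are elided as xxx, so RFC 5737 documentation addresses stand in for them, and the firewall is assumed to be the hosting router's default gateway; both are assumptions. The block also evaluates the posted access-list 102 with IOS first-match semantics, which shows that the deny for host 192.168.1.11 is shadowed by the preceding permit for 192.168.1.0/24 and so never took effect while the router NAT was in place.

```python
import ipaddress

# Constructed topology modelled on the thread's two configs (assumptions):
#   203.0.113.96/28  stands in for the hosting-side public /28 (xxx.xxx.126.96/28)
#   203.0.113.97     firewall inside address, the hosting router's default gateway
#   203.0.113.101    hosting router FastEthernet0 (xxx.xxx.126.101)
#   198.51.100.0/24  firewall outside network, 198.51.100.1 the ISP hop
#   192.0.2.165      stands in for host xxx.xxx.110.165 in access-list 102
INTERNET = "INTERNET"


class Device:
    """A router or firewall: directly connected networks plus static routes."""

    def __init__(self, name, connected, routes):
        self.name = name
        self.connected = [ipaddress.ip_network(n) for n in connected]
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def add_route(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def next_hop(self, dst):
        """Longest-prefix match: None if dst is directly connected, else the
        next-hop address of the most specific matching route."""
        dst = ipaddress.ip_address(dst)
        if any(dst in net for net in self.connected):
            return None
        matches = [(net.prefixlen, nh) for net, nh in self.routes if dst in net]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches)[1]


def build_topology():
    """Static routes as posted, with the firewall initially knowing only the ISP."""
    office = Device("OFFICE", ["192.168.1.0/24", "192.168.2.0/30"],
                    [("0.0.0.0/0", "192.168.2.1")])        # ip route 0.0.0.0 0.0.0.0 Serial0/0
    hosting = Device("HOSTING", ["192.168.2.0/30", "203.0.113.96/28"],
                     [("0.0.0.0/0", "203.0.113.97"),        # ip route 0.0.0.0 0.0.0.0 xxx.xxx.126.97
                      ("192.168.1.0/24", "192.168.2.2")])   # ip route 192.168.1.0 ... 192.168.2.2
    firewall = Device("FIREWALL", ["203.0.113.96/28", "198.51.100.0/24"],
                      [("0.0.0.0/0", "198.51.100.1")])      # default to the ISP only
    hops = {"192.168.2.1": hosting, "192.168.2.2": office,   # who owns each next-hop address
            "203.0.113.97": firewall, "203.0.113.101": hosting,
            "198.51.100.1": INTERNET}
    return office, hosting, firewall, hops


def trace(start, dst, hops):
    """Follow next hops from `start` toward `dst`; returns the device names
    visited, ending in DELIVERED, INTERNET, NO ROUTE or LOOP."""
    path, dev = [start.name], start
    for _ in range(8):                      # loop guard
        try:
            nh = dev.next_hop(dst)
        except LookupError:
            return path + ["NO ROUTE"]
        if nh is None:
            return path + ["DELIVERED"]
        nxt = hops[nh]
        if nxt == INTERNET:
            return path + [INTERNET]
        path.append(nxt.name)
        dev = nxt
    return path + ["LOOP"]


# access-list 102 from the hosting router, in the order posted.
ACL_102 = [("permit", "192.168.1.0/24"),
           ("deny", "192.0.2.165/32"),      # host xxx.xxx.110.165 (stand-in address)
           ("deny", "192.168.1.11/32")]


def nat_applies(src, acl=ACL_102):
    """Route-map noNAT translates a source only if ACL 102 permits it; IOS
    stops at the first matching entry, so later denies can be shadowed."""
    s = ipaddress.ip_address(src)
    for action, prefix in acl:
        if s in ipaddress.ip_network(prefix):
            return action == "permit"
    return False                            # implicit deny at end of ACL


if __name__ == "__main__":
    office, hosting, firewall, hops = build_topology()
    print("request :", " -> ".join(trace(office, "8.8.8.8", hops)))
    print("reply   :", " -> ".join(trace(firewall, "192.168.1.50", hops)))
    firewall.add_route("192.168.1.0/24", "203.0.113.101")   # route inside ... <router> 1
    print("reply+rt:", " -> ".join(trace(firewall, "192.168.1.50", hops)))
    print("192.168.1.11 translated by old router NAT:", nat_applies("192.168.1.11"))
```

Run as-is it prints the request leaving via OFFICE -> HOSTING -> FIREWALL -> INTERNET, the reply leaking FIREWALL -> INTERNET before the route is added, and FIREWALL -> HOSTING -> OFFICE -> DELIVERED after it; the office router's own route-map NAT on FastEthernet0/1 is left out because the posted default route prefers Serial0/0 and only falls back to FastEthernet0/1 at metric 10.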
 