jgh52 @cox.net
Cisco 2811 static nat statements stopped working!
I checked my servers this morning and I had lost outside connectivity to my email and ftp servers. Checked public IPs from the outside and there is no connectivity. I have Internet and all other network traffic is normal.
I have 3 ip nat inside source static statements that direct traffic to my email, ftp and a Citrix gateway. None of these are working. No changes have been made to the router config. The Cisco 2811 router and switch have been restarted several times.
Anyone have any ideas on this issue? My email server is down and I am pressured to get this back up and running.
Thanks for your help!
Bink join:2006-05-14 Denver, CO
Does a traceroute to these IPs from somewhere on the Internet show the traffic is, at least, making it to your router?
jgh52 @cox.net (reply to jgh52)
Running a tracert from the outside stops at our provider. I assume the last hop before the router.
Thanks for the response.
jgh52 @cox.net (reply to jgh52)
Also the NAT'd public IPs are resolved by my internal DNS servers. DNS appears to be working fine internally.
Bink join:2006-05-14 Denver, CO (reply to jgh52)
Post the config of your router.
elnino join:2006-08-27 Akron, OH (reply to jgh52)
Run a "show ip nat trans" and see if it shows static translations to your servers
jgh52 @cox.net (reply to jgh52)
Here is the router config.

Using 12383 out of 245752 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$A3FE$uCytQPb3RyVcwNNLIbhJS1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -7
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 2000
ip inspect max-incomplete low 1900
ip inspect one-minute high 2000
ip inspect one-minute low 1900
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW citrix
ip inspect name SDM_LOW ica
ip inspect name SDM_LOW icabrowser
ip inspect name SDM_LOW citriximaclient
ip inspect name SDM_LOW pcanywheredata
ip inspect name SDM_LOW pcanywherestat
ip inspect name SDM_LOW gdoi
ip inspect name SDM_LOW isakmp
ip inspect name SDM_LOW ipsec-msft
ip inspect name SDM_LOW ssp
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool sdm-pool1
 import all
 network x.x.x.x 255.255.255.0
 dns-server x.x.x.x x.x.x.x
 default-router 192.168.1.2
 netbios-name-server 192.168.1.33
!
!
ip ips notify SDEE
no ip bootp server
ip domain name xxxxxxxxxxx.com
ip name-server x.x.x.x
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-900829763
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-900829763
 revocation-check none
 rsakeypair TP-self-signed-900829763
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-900829763
 certificate self-signed 01 nvram:IOS-Self-Sig#3301.cer
crypto pki certificate chain test_trustpoint_config_created_for_sdm
username xxxxxxxx privilege 15 secret 5 $1$nF59$GYh/jvFMbtvQ2F1WSCuwx0
username xxxxxxxx privilege 15 secret 5 $1$o.fj$nUgbJQpKcYebLpl4Xinyn.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group xxxxxxxxxxx
 key xxxxxxxx
 dns 192.168.1.74 192.168.1.33
 wins 192.168.1.33
 domain xxxxxxxx
 pool vpnclient
 acl split
 save-password
 max-users 10
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1400
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address x.x.x.x 255.255.255.x
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.220
ip local pool vpnclient 192.168.99.1 192.168.99.30
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x3.x
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat translation tcp-timeout 300
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static 192.168.1.100 x.x.x.x route-map CITRIXGateway
ip nat inside source static 192.168.1.33 x.x.x.x route-map EMAILServer
ip nat inside source static 192.168.1.39 x.x.x.x route-map DNSnFTPServer
!
ip access-list extended split
 permit ip 192.168.1.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit any
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip x.x.x.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any host x.x.x.x eq non500-isakmp
access-list 101 permit udp any host x.x.x.x eq isakmp
access-list 101 permit esp any host x.x.x.x
access-list 101 permit ahp any host x.x.x.x
access-list 101 permit icmp any host x.x.x.x echo-reply
access-list 101 permit icmp any host x.x.x.x time-exceeded
access-list 101 permit icmp any host x.x.x.x unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 permit tcp any host x.x.x.x
access-list 101 permit tcp any host x.x.x.x eq ftp
access-list 101 permit tcp any host x.x.x.x eq www
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.31
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ahp any host x.x.x.x
access-list 103 permit esp any host x.x.x.x
access-list 103 permit udp any host x.x.x.x eq isakmp
access-list 103 permit udp any host x.x.x.x eq non500-isakmp
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 permit icmp any host x.x.x.x echo-reply
access-list 103 permit icmp any host x.x.x.x time-exceeded
access-list 103 permit icmp any host x.x.x.x unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip any any log
access-list 104 deny tcp any host x.x.x.x eq 3389
access-list 104 deny udp any host x.x.x.x eq 3389
access-list 104 permit ip 192.168.99.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 104 permit udp host x.x.x.x eq domain host x.x.x.x
access-list 104 permit udp host x.x.x.x eq domain host x.x.x.x
access-list 104 permit ahp any host x.x.x.x
access-list 104 permit esp any host x.x.x.x
access-list 104 permit udp any host x.x.x.x eq isakmp
access-list 104 permit icmp any host x.x.x.x echo-reply
access-list 104 permit icmp any host x.x.x.x time-exceeded
access-list 104 permit icmp any host x.x.x.x unreachable
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any source-quench
access-list 104 permit icmp any any time-exceeded
access-list 104 deny icmp any any
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.0.0.0 0.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit tcp any host x.x.x.x eq ftp
access-list 104 permit tcp any host x.x.x.x eq ftp-data
access-list 104 permit udp any host x.x.x.x eq non500-isakmp
access-list 104 permit tcp any any eq domain log
access-list 104 permit udp any any eq domain log
access-list 104 permit tcp any any eq ident
access-list 104 permit tcp any any eq smtp
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq 443
access-list 104 permit udp any eq ntp any eq ntp
access-list 104 permit tcp any any established
access-list 104 permit tcp any host x.x.x.x gt 1023
access-list 104 permit tcp any host x.x.x.x eq 1494
access-list 104 permit tcp any host x.x.x.x eq 443
access-list 104 permit tcp any host x.x.x.x eq 143
access-list 104 permit tcp any host x.x.x.x eq 993
access-list 104 permit tcp any host x.x.x.x eq 443
access-list 104 permit tcp host x.x.x.x eq 5631 any
access-list 104 permit udp host x.x.x.x eq 5632 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.31
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 110 permit tcp host 192.168.1.39 eq domain any
access-list 110 permit udp host 192.168.1.39 eq domain any
access-list 110 permit tcp host 192.168.1.39 eq ftp any gt 1023
access-list 110 permit tcp host 192.168.1.39 eq ftp-data any gt 1023
access-list 110 permit tcp host 192.168.1.39 gt 1023 any
access-list 110 permit tcp host 192.168.1.39 eq 5631 any
access-list 110 permit udp host 192.168.1.39 eq 5632 any
access-list 110 permit tcp host 192.168.1.39 eq 5500 any
access-list 110 deny tcp any host x.x.x.x eq 3389
access-list 110 deny udp any host x.x.x.x eq 3389
access-list 110 deny tcp any any
access-list 110 deny udp any any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.31
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 115 permit tcp host 192.168.1.33 eq smtp any
access-list 115 permit tcp host 192.168.1.33 eq 443 any
access-list 115 permit tcp host 192.168.1.33 eq 1723 any
access-list 115 permit tcp host 192.168.1.33 eq domain any
access-list 115 permit udp host 192.168.1.33 eq domain any
access-list 115 permit udp host 192.168.1.33 eq 2409 host 91.192.52.56
access-list 115 permit udp host 192.168.1.33 eq 2409 host 91.192.52.57
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.31
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 120 permit tcp host 192.168.1.100 eq 1494 any
access-list 120 permit tcp host 192.168.1.100 eq 443 any
access-list 120 permit tcp host 192.168.1.100 eq www any
access-list 120 permit tcp host 192.168.1.100 eq 8080 any
access-list 120 permit tcp host 192.168.1.33 eq domain any
access-list 120 permit udp host 192.168.1.33 eq domain any
access-list 120 permit udp host 192.168.1.100 eq 10000 any
access-list 120 permit tcp host 192.168.1.100 eq 10010 any
access-list 120 permit udp host 192.168.1.100 eq 10010 any
access-list 120 permit udp host 192.168.1.100 eq 10020 any
access-list 120 permit udp host 192.168.1.100 eq 10030 any
no cdp run
route-map CITRIXGateway permit 10
 match ip address 120
!
route-map DNSnFTPServer permit 10
 match ip address 110
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map EMAILServer permit 10
 match ip address 115
!
!
!
control-plane
!
!
banner login ^CCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
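An added example, not from this thread: a small Python check that takes a saved "show run", follows each route-map conditioned "ip nat inside source static" line to the ACL its route-map matches, and reports whether that ACL actually permits traffic from the inside-local host, which is the first thing to verify when a conditional static translation stops appearing. The sample config is constructed from the route-map names, ACL numbers and inside addresses in the post above; the inside-global addresses are placeholders (the poster masked them), and the parser assumes one command per line as "show run" prints it.

```python
import re

# Constructed sample modelled on the thread's config: route-map names, ACL numbers and
# inside-local hosts are the poster's, the inside-global addresses are placeholders.
SAMPLE_CONFIG = """\
ip nat inside source static 192.168.1.100 203.0.113.10 route-map CITRIXGateway
ip nat inside source static 192.168.1.33 203.0.113.11 route-map EMAILServer
ip nat inside source static 192.168.1.39 203.0.113.12 route-map DNSnFTPServer
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.99.0 0.0.0.255
access-list 110 permit tcp host 192.168.1.39 eq ftp any gt 1023
access-list 115 permit tcp host 192.168.1.33 eq smtp any
access-list 120 permit tcp host 192.168.1.100 eq 1494 any
route-map CITRIXGateway permit 10
 match ip address 120
route-map DNSnFTPServer permit 10
 match ip address 110
route-map EMAILServer permit 10
 match ip address 115
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+) route-map (\S+)")
RMAP_RE = re.compile(r"^route-map (\S+) permit \d+")
MATCH_RE = re.compile(r"^\s+match ip address (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) \S+ host (\S+)")


def audit_conditional_static_nat(config: str) -> list:
    """For each route-map conditioned static NAT, resolve route-map -> ACL and report
    whether that ACL contains a permit whose source is the inside-local host."""
    statics, rmap_acl, acl_hosts, current_rmap = [], {}, {}, None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append(m.groups())
        elif m := RMAP_RE.match(line):
            current_rmap = m.group(1)      # indented lines that follow belong to it
        elif (m := MATCH_RE.match(line)) and current_rmap:
            rmap_acl[current_rmap] = m.group(1)
        elif m := ACL_RE.match(line):
            if m.group(2) == "permit":     # only permits make the route-map match
                acl_hosts.setdefault(m.group(1), set()).add(m.group(3))
        elif not line.startswith(" "):
            current_rmap = None            # any other top-level command ends the route-map
    report = []
    for local, glob, rmap in statics:
        acl = rmap_acl.get(rmap)
        report.append({"inside_local": local, "inside_global": glob, "route_map": rmap,
                       "acl": acl, "acl_permits_host": local in acl_hosts.get(acl, set())})
    return report
```

An entry whose acl is None (route-map with no match clause) or whose acl_permits_host is False is one whose translation will not be built for inside-originated traffic, so it should be checked before looking further down the path.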
jgh52 @cox.net (reply to elnino)
It shows the inside global to inside local IPs and that looks good. Nothing in outside global to outside local.
Thanks,