scrummie02 Bentley Premium Member join:2004-04-16 Arlington, VA
Cisco IOS NAT problem
I've been following some guides that I have, and I've configured some routers before, but I'm having an issue trying to implement a static NAT back to a web server.
Here is my config:

version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fw2
!
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
username xxxx password 0 xxxxxxxxx
ip subnet-zero
ip cef
!
ip domain-name fw2.dainbentley.com
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
!
call rsvp-sync
!
interface FastEthernet0/0
 description Inside private interface
 ip address 192.168.50.252 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 hold-queue 100 out
!
interface FastEthernet0/1
 description WAN interface
 ip address 192.168.100.251 255.255.255.0
 ip nat outside
 speed auto
 full-duplex
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.50.5 80 192.168.100.252 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.252
no ip http server
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.50.0 0.0.0.255
!
dial-peer cor custom
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 transport input ssh
line vty 5 15
 access-class 2 in
 transport input ssh
!
scheduler max-task-time 5000
end

I can't seem to get this working. Thanks in advance.
KA0OUV Premium Member join:2010-02-17 Jefferson City, MO
2011-Dec-18 10:05 pm
Scrummie:
Here is a slightly sterilized working example:
C871_NAT#show run
Building configuration...

Current configuration : 12168 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MISC_Cisco_Device
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 32768
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
clock save interval 24
!
no dot11 syslog
no ip source-route
!
ip dhcp excluded-address 192.168.104.1 192.168.104.208
ip dhcp excluded-address 192.168.104.223 192.168.104.254
!
ip dhcp pool 1
 network 192.168.104.0 255.255.255.0
 default-router 192.168.104.1
 dns-server fill in servers here
 lease 0 16
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name hidden.toprotect.theinnocent.net
ip ips config location flash:/SDM_IPS/ retries 2 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
ip inspect WAAS enable
ip inspect tcp idle-time 600
ip inspect tcp max-incomplete host 50 block-time 2
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT http
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT realaudio
ip inspect name FW-INSPECT rtsp
ip inspect name FW-INSPECT smtp
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT tftp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT pcanywheredata
ip inspect name FW-INSPECT pcanywherestat
ip sdee messages 100
login block-for 120 attempts 5 within 120
login quiet-mode access-class LOGIN_QUIET
login on-failure log every 4
no ipv6 cef
ntp max-associations 4
!
multilink bundle-name authenticated
!
spanning-tree portfast bpduguard
vtp mode transparent
username GENERIC privilege 15 secret 5 $1imodifiedthisonpurpose901
username REGULAR privilege 15 secret 5 $1$cVthisonetoo/Ws6PN/XXHHgrx.
!
archive
 log config
  hidekeys
!
vlan 2
 name SECOND_VLAN
!
ip tcp synwait-time 10
ip ssh port 4722 rotary 1
ip ssh version 2
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description [TRUNK] Misc description line
 switchport trunk allowed vlan 1,2,1002-1005
 switchport mode trunk
 duplex full
 speed 100
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet1
 description MGMT PC
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet2
 description UPS
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet3
 description Device Control
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 description WAN$ES_WAN$
 ip address dhcp
 ip access-group NONSEC_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip ips sdm_ips_rule in
 ip inspect FW-INSPECT in
 ip inspect FW-INSPECT out
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description MGMT_VLAN-1
 ip address 192.168.104.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect FW-INSPECT in
 ip virtual-reassembly
!
interface Vlan2
 description VLAN-2
 ip address 192.168.112.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
!
no ip forward-protocol nd
ip route 192.168.13.0 255.255.255.0 FastEthernet4 permanent
ip http server
ip http port 56550
ip http authentication local
ip http secure-server
ip http secure-port 56660
ip http timeout-policy idle 60 life 900 requests 1500
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip dns server queue limit forwarder 1500
ip nat translation timeout 300
ip nat translation tcp-timeout 930
ip nat translation pptp-timeout 600
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation icmp-timeout 10
ip nat translation max-entries 500
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.104.29 80 interface FastEthernet4 8029
!
ip access-list extended NAT-LIST
 remark CCP_ACL Category=2
 permit ip 192.168.104.0 0.0.0.255 any
 deny ip any any
ip access-list extended NONSEC_IN
 permit udp host 128.206.12.130 eq ntp host 68.25.102.122 eq ntp
 permit udp host 208.100.0.36 eq ntp host 68.25.102.122 eq ntp
 permit udp any eq bootps any eq bootpc log
 permit tcp any gt 1023 host 68.25.102.122 eq 8029
 remark implicit deny any for stats
 deny ip any any log
!
logging trap debugging
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.104.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
!
control-plane
!
banner exec ^C
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp server 128.206.12.130 minpoll 8 source FastEthernet4 iburst
ntp server 208.100.0.36 minpoll 8 prefer source FastEthernet4 iburst
end

C871_MISC#
In this example, TCP traffic coming to the WAN port (Fa4) at port 8029 is NATted to the inside address 192.168.104.29 at port 80. The NONSEC_IN list allows the traffic in.
to scrummie02
First off: a) where is IP 192.168.100.252 in the scheme of things, and b) does your router know how to route to it? What I'd try is this instead:

ip nat inside source static tcp 192.168.50.5 80 int fastethernet 0/1 80 extendable

and blow away this line:

ip route 0.0.0.0 0.0.0.0 192.168.100.252

Also get us the output of "show ip nat trans".
Regards
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
2011-Dec-19 2:39 am
That's his default route -- note the lack of DHCP. Remove it and *everything* will stop working.
The key question here is wtf is 192.168.100.252? That's a *private* address, not "the internet". In other words, there's another NAT'ing router upstream of you that will have to have its own mappings for the rest of the world to get to your web server.
If this is just a lab setup, then as long as things on the "outside" know how to get to 100.252, what you have should work. Note however, you've mapped a single port, so ping (which uses ICMP), traceroute (UDP), etc. will never get an answer. Connections to port 80 should work.
scrummie02 Bentley Premium Member join:2004-04-16 Arlington, VA
It is a lab setup. From the inside subnet I can get out to the internet. I'm just trying to get to a web server on port 80 inbound.
to scrummie02
If 192.168.100.252 is the default gateway IP address, then I wonder what made you pick the IP address as the web server NAT IP address.
Long Answer:
With IP networks, in general you can only assign one IP address for one device. When one IP address is used for something, then you can't (in most cases) use the same IP address for something else.
In the world of IP NAT, you could utilize TCP and UDP sessions of a single IP address to represent multiple source or destination IP addresses. With this special condition, the following must occur.
* The NAT process must take place within a NAT device dealing with such source and destination IP addresses
* Either source or destination IP addresses must be reachable from the NAT device
* The NAT IP addresses must be within the NAT device's NAT pool or must be one of the NAT device's interface IP addresses
* Network devices that communicate with the NAT device must know how to reach the NAT device from an IP routing perspective
* The NAT pool or the NAT device interface IP address used as the NAT IP address must be reachable by either the Inside or the Outside IP scheme
Short Answer:
You can't use 192.168.100.252 as the NAT IP address. Use something within 192.168.100.0/24 that is not yet used. One approach is to use the WAN interface IP address as the NAT IP address, as others have suggested, which will then be static PAT.
A different approach is to use a NAT pool, which can allow you to do static NAT for broader use of IP address functionality. Should you decide to use a NAT pool, make sure the gateway (192.168.100.252) and the rest of the Outside network know how to reach that NAT pool subnet.
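The sanity checks aryoba lists above (the global NAT address must not belong to another device, must sit in the outside subnet, or must be the outside interface itself, as in KA0OUV's `interface FastEthernet4` form) can be run over a config before it is applied. The following checker is an added example, not code from the thread; the two config fragments are constructed to mirror the broken mapping and the fix the thread converged on.

```python
import ipaddress

# Constructed config fragments (not the poster's full config) that mirror the
# thread's broken mapping and the fix the thread converged on.
BROKEN_CFG = """\
interface FastEthernet0/0
 ip address 192.168.50.252 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.100.251 255.255.255.0
 ip nat outside
!
ip nat inside source static tcp 192.168.50.5 80 192.168.100.252 80 extendable
ip route 0.0.0.0 0.0.0.0 192.168.100.252
"""
FIXED_CFG = BROKEN_CFG.replace("192.168.100.252 80 extendable",
                               "interface FastEthernet0/1 80 extendable")


def parse(cfg):
    """Minimal IOS parser: interface addresses/NAT roles, static NATs, routes."""
    ifaces, statics, routes, cur = {}, [], [], None
    for line in cfg.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line.startswith("interface "):
            cur = t[1]
            ifaces[cur] = {"addr": None, "nat": None}
        elif line.startswith(" ") and cur:          # indented = interface sub-command
            if t[:2] == ["ip", "address"]:
                ifaces[cur]["addr"] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
            elif t[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = t[2]            # "inside" or "outside"
        elif line.startswith("ip nat inside source static "):
            statics.append(t)
        elif line.startswith("ip route "):
            routes.append(t)
    return ifaces, statics, routes


def check_static_nat(cfg):
    """Return a list of problems; an empty list means the mapping looks sane."""
    ifaces, statics, routes = parse(cfg)
    next_hops = {r[4] for r in routes if len(r) > 4}
    outside = [i["addr"] for i in ifaces.values() if i["nat"] == "outside" and i["addr"]]
    problems = []
    for t in statics:
        if t[8] == "interface":                      # static PAT on the WAN address
            if ifaces.get(t[9], {}).get("nat") != "outside":
                problems.append(f"{t[9]} is not an 'ip nat outside' interface")
            continue
        g = ipaddress.IPv4Address(t[8])
        if str(g) in next_hops:
            problems.append(f"global {g} is a route next hop, i.e. another device's address")
        if not any(g in o.network for o in outside):
            problems.append(f"global {g} is not inside any outside-interface subnet")
    return problems
```

Running `check_static_nat` on the broken fragment flags the gateway address being reused as the NAT global address; the interface form passes cleanly.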
scrummie02 Bentley Premium Member join:2004-04-16 Arlington, VA
I got it working. This helped:

ip nat inside source static tcp 192.168.50.5 80 int fastethernet 0/1 80 extendable

I also put this in:

ip default-gateway 192.168.100.252

That is the IP of the internet-facing ASA. Thanks a lot for everyone's help.
aryoba MVM
2011-Dec-19 11:09 am
said by scrummie02:
    I also put this in
    ip default-gateway 192.168.100.252
    That is the IP of the internet-facing ASA.
The router already has a route of last resort pointing to 192.168.100.252. I wonder why you had to add the ip default-gateway 192.168.100.252. Further, that command only applies to Layer-2 devices, which your router does not fall under. What are you trying to accomplish? :)
aryoba
to scrummie02
If you also manage the ASA, then perhaps NAT is not needed on the router unless you have a valid reason to do so. Having NAT within a network sometimes introduces problems such as NAT timeouts, not to mention adding complexity to the network.
to scrummie02
ip default-gateway is a Layer 2 switch command. The Layer 3 command for that is ip route 0.0.0.0 0.0.0.0
cramer Premium Member join:2007-04-10 Raleigh, NC
2011-Dec-19 7:22 pm
"ip default-gateway" does apply to a router. It's supposed to only apply when routing is disabled ("no ip routing"), but I've seen it work as a shortcut for a full route command.
In router, type no ip routing...
lol
Now that's what I call brilliant!
to aryoba
Agree, glad it's working now, but I'm really wondering. A diagram and addressing scheme would really help us figure out what is going on.
Regards
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
to scrummie02
Unless this router is the default gateway for the webserver, it won't work. Think about it... NAT is changing the destination (to that of the server). The source is unchanged. The server won't know that it came from that router and that it has to go back through it.
Asymmetric routing in a NAT environment simply will not work.
cramer
to Da Geek Kid
I cannot count how many times I've seen "no ip routing" in configs.
There are reasons to do so, but they'll be in places where there are people who know wtf they're doing, and thus will not be bugging me about it. Just like turning off CEF and route-cache. (Answer: to force process switching for debugging purposes.)