scrummie02
Bentley
Premium
join:2004-04-16
Arlington, VA

Cisco IOS NAT problem

I've been following some guides that I have, and I've configured some routers before, but I'm having an issue trying to implement a static NAT back to a web server.

Here is my config
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname fw2
!
aaa new-model
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxxxx
!
username xxxx password 0 xxxxxxxxx
ip subnet-zero
ip cef
!
!
ip domain-name fw2.dainbentley.com
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description Inside private interface
ip address 192.168.50.252 255.255.255.0
ip nat inside
speed auto
full-duplex
hold-queue 100 out
!
interface FastEthernet0/1
description WAN interface
ip address 192.168.100.251 255.255.255.0
ip nat outside
speed auto
full-duplex
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.50.5 80 192.168.100.252 80 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.100.252
no ip http server
!
access-list 1 permit 192.168.50.0 0.0.0.255
access-list 2 permit 192.168.50.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
line vty 5 15
access-class 2 in
transport input ssh
!
scheduler max-task-time 5000
end

I can't seem to get this working. Thanks in advance.
--
"He's a politician. It's like being a hooker. You can't be one unless you can pretend to like people while you're f*cking them."
General Welfare


KA0OUV
Premium
join:2010-02-17
Jefferson City, MO
Scrummie:

Here is a slightly sterilized working example:

C871_NAT#show run
Building configuration...

Current configuration : 12168 bytes
!
version 12.4
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MISC_Cisco_Device
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
logging buffered 32768
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
clock save interval 24
!

no dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.104.1 192.168.104.208
ip dhcp excluded-address 192.168.104.223 192.168.104.254
!
ip dhcp pool 1
network 192.168.104.0 255.255.255.0
default-router 192.168.104.1
dns-server fill in servers here
lease 0 16
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name hidden.toprotect.theinnocent.net
ip ips config location flash:/SDM_IPS/ retries 2 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
ip inspect WAAS enable
ip inspect tcp idle-time 600
ip inspect tcp max-incomplete host 50 block-time 2
ip inspect name FW-INSPECT ftp
ip inspect name FW-INSPECT http
ip inspect name FW-INSPECT icmp
ip inspect name FW-INSPECT realaudio
ip inspect name FW-INSPECT rtsp
ip inspect name FW-INSPECT smtp
ip inspect name FW-INSPECT tcp
ip inspect name FW-INSPECT tftp
ip inspect name FW-INSPECT udp
ip inspect name FW-INSPECT pcanywheredata
ip inspect name FW-INSPECT pcanywherestat
ip sdee messages 100
login block-for 120 attempts 5 within 120
login quiet-mode access-class LOGIN_QUIET
login on-failure log every 4
no ipv6 cef
ntp max-associations 4
!
multilink bundle-name authenticated
!
!
!
!
spanning-tree portfast bpduguard
vtp mode transparent
username GENERIC privilege 15 secret 5 $1imodifiedthisonpurpose901
username REGULAR privilege 15 secret 5 $1$cVthisonetoo/Ws6PN/XXHHgrx.
!

!
archive
log config
hidekeys
!
!
vlan 2
name SECOND_VLAN
!
ip tcp synwait-time 10
ip ssh port 4722 rotary 1
ip ssh version 2
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
description [TRUNK] Misc description line
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
duplex full
speed 100
no cdp enable
spanning-tree portfast
!
interface FastEthernet1
description MGMT PC
no cdp enable
spanning-tree portfast
!
interface FastEthernet2
description UPS
no cdp enable
spanning-tree portfast
!
interface FastEthernet3
description Device Control
no cdp enable
spanning-tree portfast
!
interface FastEthernet4
description WAN$ES_WAN$
ip address dhcp
ip access-group NONSEC_IN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip ips sdm_ips_rule in
ip inspect FW-INSPECT in
ip inspect FW-INSPECT out
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface Vlan1
description MGMT_VLAN-1
ip address 192.168.104.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect FW-INSPECT in
ip virtual-reassembly
!
interface Vlan2
description VLAN-2
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
!
no ip forward-protocol nd
ip route 192.168.13.0 255.255.255.0 FastEthernet4 permanent
ip http server
ip http port 56550
ip http authentication local
ip http secure-server
ip http secure-port 56660
ip http timeout-policy idle 60 life 900 requests 1500
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip dns server queue limit forwarder 1500
ip nat translation timeout 300
ip nat translation tcp-timeout 930
ip nat translation pptp-timeout 600
ip nat translation finrst-timeout 10
ip nat translation syn-timeout 10
ip nat translation icmp-timeout 10
ip nat translation max-entries 500
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.104.29 80 interface FastEthernet4 8029
!
ip access-list extended NAT-LIST
remark CCP_ACL Category=2
permit ip 192.168.104.0 0.0.0.255 any
deny ip any any
ip access-list extended NONSEC_IN
permit udp host 128.206.12.130 eq ntp host 68.25.102.122 eq ntp
permit udp host 208.100.0.36 eq ntp host 68.25.102.122 eq ntp
permit udp any eq bootps any eq bootpc log
permit tcp any gt 1023 host 68.25.102.122 eq 8029
remark implicit deny any for stats
deny ip any any log
!
logging trap debugging
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.104.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
!

!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp logging
ntp server 128.206.12.130 minpoll 8 source FastEthernet4 iburst
ntp server 208.100.0.36 minpoll 8 prefer source FastEthernet4 iburst
end

C871_MISC#

In this example, TCP traffic arriving on the WAN port (Fa4) at port 8029 is NATted to the inside address 192.168.104.29 at port 80. The NONSEC_IN list allows the traffic in.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to scrummie02
First off, a) where is IP 192.168.100.252 in the scheme of things, and b) does your router know how to route to it?

What I'd try is this instead:

ip nat inside source static tcp 192.168.50.5 80 int fastethernet 0/1 80 extendable

and blow away this line:

ip route 0.0.0.0 0.0.0.0 192.168.100.252

Also get us the output of "show ip nat trans"

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
That's his default route -- note the lack of DHCP. Remove it and *everything* will stop working.

The key question here is wtf is 192.168.100.252? That's a *private* address, not "the internet". In other words, there's another NAT'ing router upstream of you that will have to have its own mappings for the rest of the world to get to your web server.

If this is just a lab setup, then as long as things on the "outside" know how to get to 100.252, what you have should work. Note however, you've mapped a single port, so ping (which uses ICMP), traceroute (udp), etc. will never get an answer. Connections to port 80 should work.


scrummie02
Bentley
Premium
join:2004-04-16
Arlington, VA
It is a lab setup.
From the inside subnet I can get out to the internet. I'm just trying to get to a web server on port 80 inbound.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to scrummie02
If 192.168.100.252 is the default gateway IP address, then I wonder what made you pick the IP address as the web server NAT IP address.

Long Answer:

With IP networks, in general you can only assign one IP address for one device. When one IP address is used for something, then you can't (in most cases) use the same IP address for something else.

In the world of IP NAT, you could utilize the TCP and UDP sessions of a single IP address to represent multiple source or destination IP addresses. With this special condition, the following must occur.

* The NAT process must take place within a NAT device dealing with such source and destination IP addresses
* Either the source or the destination IP addresses must be reachable from the NAT device
* The NAT IP addresses must be within the NAT device's NAT pool or must be one of the NAT device's interface IP addresses
* Network devices that communicate with the NAT device must know how to reach the NAT device from an IP routing perspective
* The NAT pool or the NAT device interface IP address used as the NAT IP address must be reachable by either the Inside or the Outside IP scheme

Short Answer:

You can't use 192.168.100.252 as the NAT IP address. Use something within 192.168.100.0/24 that is not yet used. One approach is to use the WAN interface IP address as the NAT IP address, as others have suggested, which will then be static PAT.

A different approach is to use a NAT pool, which allows you to do static NAT for broader use of IP address functionality. Should you decide to use a NAT pool, make sure the gateway (192.168.100.252) and the rest of the Outside network know how to reach that NAT pool subnet.
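The rules above, applied as a config lint. This is an added example, not code from the thread or from Cisco: a Python script that reads only the "show run" lines that decide whether an inbound static NAT/PAT entry can work (the outside interface and its address, the static entry, the route next hops, and any inbound ACL on the outside interface) and reports the failure modes discussed in this thread: a global address that is really the upstream gateway (the first post), the interface form of the command (HELLFIRE's fix), and an outside ACL that never permits the forwarded port (the NONSEC_IN list in the C871 example). It goes a little beyond the thread by also telling a spare address on the outside subnet (which the router will proxy-ARP for) apart from an address on some other subnet. The embedded configs are constructed excerpts of the posted ones, and the ACL evaluation is deliberately simplified: it matches on protocol and destination port only and ignores the address fields, since a DHCP-assigned WAN address is not in the config.

```python
"""Added example (not code from the thread or from Cisco): lint IOS inbound static
NAT/PAT entries against the rest of 'show run'. Sample configs are constructed excerpts."""
import ipaddress
import re

STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
PORT_NAMES = {80: "www", 25: "smtp", 53: "domain"}   # IOS prints well-known ports by name
OPS = {"eq": 2, "gt": 2, "lt": 2, "range": 3}        # ACL port operators and their token widths


def parse(cfg):
    """Return (interfaces, static NATs, route next hops, named ACLs) from 'show run' text."""
    ifaces, nats, hops, acls, iface, acl = {}, [], set(), {}, None, None
    for t in filter(None, map(str.split, cfg.splitlines())):
        if t[0] == "interface":
            iface, acl = ifaces.setdefault(t[1], {"name": t[1]}), None
        elif t[:3] == ["ip", "access-list", "extended"]:
            acl, iface = acls.setdefault(t[3], []), None
        elif t[0] in ("permit", "deny") and acl is not None:
            acl.append(t)
        elif m := STATIC_RE.match(" ".join(t)):
            proto, local, lport, gif, gip, gport = m.groups()
            nats.append((proto, local, int(lport), gif, gip, int(gport)))
            iface = acl = None
        elif t[:2] == ["ip", "route"]:                   # ip route PREFIX MASK NEXTHOP ...
            hops.add(t[4])
            iface = acl = None
        elif iface is not None:                          # interface sub-commands
            if t[:2] == ["ip", "address"] and t[2] != "dhcp":
                iface["addr"] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
            elif t[:2] == ["ip", "nat"] and len(t) == 3:
                iface["nat"] = t[2]
            elif t[:2] == ["ip", "access-group"] and t[3] == "in":
                iface["acl_in"] = t[2]
    return ifaces, nats, hops, acls


def acl_permits(aces, proto, port):
    """First-match evaluation on protocol and destination port only; the address fields
    are skipped because a DHCP-assigned WAN address never appears in the config."""
    for t in aces:
        if t[1] == "ip":                                 # 'ip' matches every protocol
            return t[0] == "permit"
        if t[1] != proto:
            continue
        i = 3 if t[2] == "any" else 4                    # skip source: any | host A | A WILDCARD
        i += OPS.get(t[i], 0)                            # skip a source-port operator, if any
        i += 1 if t[i] == "any" else 2                   # skip the destination address
        op = t[i] if i < len(t) else None
        if (op is None or op == "eq" and t[i + 1] in (str(port), PORT_NAMES.get(port))
                or op == "gt" and port > int(t[i + 1]) or op == "lt" and port < int(t[i + 1])
                or op == "range" and int(t[i + 1]) <= port <= int(t[i + 2])):
            return t[0] == "permit"
    return False                                         # implicit deny at the end of every ACL


def check(cfg):
    """Return (level, message) findings for every inbound static NAT entry."""
    ifaces, nats, hops, acls = parse(cfg)
    outside = next((i for i in ifaces.values() if i.get("nat") == "outside"), {"name": "?"})
    oaddr = outside.get("addr")
    out = []
    for proto, local, lport, gif, gip, gport in nats:
        tag = f"{proto}/{gport} -> {local}:{lport}"
        if gif:                                          # 'interface X' form: PAT on X's own address
            lvl, why = ("ok", f"PAT on {gif}") if gif == outside["name"] else ("error", f"{gif} is not the 'ip nat outside' interface")
        elif gip in hops:                                # the thread's bug: the global IP is the upstream gateway
            lvl, why = "error", f"{gip} is a route next hop (the upstream gateway), not this router's address"
        elif oaddr and ipaddress.IPv4Address(gip) not in oaddr.network:
            lvl, why = "error", f"{gip} is not in the {outside['name']} subnet {oaddr.network}"
        elif oaddr and ipaddress.IPv4Address(gip) == oaddr.ip:
            lvl, why = "ok", f"PAT on the {outside['name']} address"
        else:                                            # a spare address in the outside subnet also works
            lvl, why = "warn", f"{gip} must be unused upstream; this router will proxy-ARP for it"
        out.append((lvl, f"{tag}: {why}"))
        acl = outside.get("acl_in")
        if acl and not acl_permits(acls.get(acl, []), proto, gport):
            out.append(("error", f"{tag}: inbound ACL {acl} never permits {proto}/{gport}"))
    return out


# Constructed excerpt of the first post's config: the global address is the default gateway.
LAB_CFG = """interface FastEthernet0/1
 ip address 192.168.100.251 255.255.255.0
 ip nat outside
ip nat inside source static tcp 192.168.50.5 80 192.168.100.252 80 extendable
ip route 0.0.0.0 0.0.0.0 192.168.100.252
"""
# The fix suggested above: static PAT on the outside interface's own address.
LAB_FIXED_CFG = LAB_CFG.replace("80 192.168.100.252 80 extendable", "80 interface FastEthernet0/1 80")
# Constructed excerpt of the C871 example: DHCP WAN address plus an inbound ACL on it.
WAN_ACL_CFG = """interface FastEthernet4
 ip address dhcp
 ip access-group NONSEC_IN in
 ip nat outside
ip nat inside source static tcp 192.168.104.29 80 interface FastEthernet4 8029
ip access-list extended NONSEC_IN
 permit tcp any gt 1023 host 68.25.102.122 eq 8029
 deny ip any any log
"""
```

Call check() on any "show run" text (for example check(LAB_CFG) reports the gateway mix-up, check(LAB_FIXED_CFG) and check(WAN_ACL_CFG) come back clean, and changing NONSEC_IN's port produces an ACL error); every finding is a (level, message) tuple, so it drops into a pre-change review script. What it cannot see is the server side: the web server must still use this router as its default gateway, or the return traffic bypasses the translation.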


scrummie02
Bentley
Premium
join:2004-04-16
Arlington, VA
reply to scrummie02
I got it working. This helped:

ip nat inside source static tcp 192.168.50.5 80 int fastethernet 0/1 80 extendable

I also put this in:

ip default-gateway 192.168.100.252

That is the IP of the internet-facing ASA.

Thanks a lot for everyone's help.


aryoba
Premium,MVM
join:2002-08-22
kudos:4
said by scrummie02:

I also put this in:

ip default-gateway 192.168.100.252

That is the IP of the internet-facing ASA.

The router already has a route of last resort pointing to 192.168.100.252. I wonder why you had to add ip default-gateway 192.168.100.252. Further, that command only applies to Layer-2 devices, which your router does not fall under.

What are you trying to accomplish? :)

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to scrummie02
If you also manage the ASA, then perhaps NAT is not needed on the router, unless you have a valid reason to do so. Having NAT within a network sometimes introduces problems such as NAT timeouts, not to mention adding complexity to the network.


Da Geek Kid

join:2003-10-11
::1
kudos:1
reply to scrummie02
ip default-gateway is a Layer 2 switch command. The Layer 3 command for that is ip route 0.0.0.0 0.0.0.0

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
"ip default-gateway" does apply to a router. It's supposed to only apply when routing is disabled ("no ip routing"), but I've seen it work as a shortcut for a full route command.


Da Geek Kid

join:2003-10-11
::1
kudos:1
in router, type no ip routing...

lol

Now that's what I call brilliant!

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to aryoba
Agree, glad it's working now, but I'm really wondering. A diagram and addressing scheme would really help us figure out what is going on.

Regards

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to scrummie02
Unless this router is the default gateway for the webserver, it won't work. Think about it... NAT is changing the destination (to that of the server). The source is unchanged. The server won't know that it came from that router and that it has to go back through it.

Asymmetric routing in a NAT environment simply will not work.

cramer
Premium
join:2007-04-10
Raleigh, NC
kudos:9
reply to Da Geek Kid
I cannot count how many times I've seen "no ip routing" in configs.

There are reasons to do so, but they'll be in places where there are people who know wtf they're doing, and thus will not be bugging me about it. Just like turning off cef and route-cache. (answer: to force process switching for debugging purposes.)