falolay

join:2011-12-30
Los Angeles, CA

[CCNA] port address translation problem

Hi Members, I have configured PAT on my Cisco 1811 router to make my webserver accessible from the internet, but the server still remains inaccessible. I would be grateful if someone could help me troubleshoot my configuration. The configuration presented below is the router's running configuration, which failed to produce the result. Thank you.

ABCRouter#SH RUN
Building configuration...

Current configuration : 1655 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ABCRouter
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$bDbh$lcRriXege111Cdgbuv2jI1
enable password trust
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
!
!
!
username admin privilege 15 password 0 cisco
!
!
!
!
!
!
interface FastEthernet0
ip address 192.168.3.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description $ETH-LAN$
ip address 192.168.2.1 255.255.255.248
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
ip address 41.194.10.68 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
ip route 0.0.0.0 0.0.0.0 Vlan1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Vlan1 overload
ip nat inside source static tcp 192.168.2.3 80 41.194.10.69 80 exte
ip nat inside source static tcp 192.168.2.3 443 41.194.10.69 443 ex
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.3
access-list 1 permit 192.168.3.0 0.0.0.3
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
password TRUST
login
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

ABCRouter#
ABCRouter#COPY RU ST
Destination filename [startup-config]?
Building configuration...
[OK]


Paulg
Displaced Yooper
Premium
join:2004-03-15
Neenah, WI
kudos:1
Reviews:
·AT&T U-Verse

ip nat inside source list 1 interface Vlan1 overload
ip nat inside source static tcp 192.168.2.3 80 41.194.10.69 80 exte
ip nat inside source static tcp 192.168.2.3 443 41.194.10.69 443 ex
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.3
access-list 1 permit 192.168.3.0 0.0.0.3
!
 

You need to prevent 192.168.2.3 from matching the ACL you're using for your overload NAT.

access-list 1 should look like this:

access-list 1 deny host 192.168.2.3
access-list 1 permit 192.168.2.0 0.0.0.3
access-list 1 permit 192.168.3.0 0.0.0.3
 

ladino

join:2001-02-24
USA

The original config should still work. No need to deny the server IP via the ACL. Have a user try to access the web server & confirm that NAT translations are occurring correctly using 'show ip nat translation' after the user attempts to connect.

You can also troubleshoot the NAT translations using
debug ip nat detailed
debug ip tcp transactions
term mon


cramer

join:2007-04-10
Raleigh, NC
kudos:5
Reviews:
·AT&T Southeast

reply to Paulg
No he doesn't. That just means any traffic 2.3 generates will NAT to .68 (interface).

That nat config should work. However...
• the access-list is wrong; 192.168.2.0 has 8 addresses, not 4 -- wildcard is .7 not .3.
• the default route should not be to a broadcast/ethernet interface (vlan1) -- that results in proxy-arp routing. Put an actual IP address as the next hop.
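A small config checker, added here and not part of the thread or of any Cisco tooling, that reads an IOS running-config and flags the two defects cramer lists (an ACL wildcard narrower than the inside subnet, a default route pointing at an interface instead of the ISP gateway) plus the situation falolay was actually in (testing the static NAT public address from an inside host). The function names are my own; the sample config is constructed from the lines quoted in the thread.

```python
import ipaddress
import re
SAMPLE_CONFIG = """
interface FastEthernet0
 ip address 192.168.3.1 255.255.255.252
 ip nat inside
interface FastEthernet1
 ip address 192.168.2.1 255.255.255.248
 ip nat inside
ip route 0.0.0.0 0.0.0.0 Vlan1
ip nat inside source static tcp 192.168.2.3 80 41.194.10.69 80
access-list 1 permit 192.168.2.0 0.0.0.3
access-list 1 permit 192.168.3.0 0.0.0.3
"""  # constructed sample: the NAT-relevant lines of the thread's running-config

def parse_inside_subnets(config):
    """Subnets of every interface carrying 'ip nat inside'."""
    subnets, current = [], None
    for line in (ln.strip() for ln in config.splitlines()):
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if line.startswith("interface "):
            current = None
        elif m:  # strict=False masks the host bits off the interface address
            current = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif line == "ip nat inside" and current is not None:
            subnets.append(current)
    return subnets

def check_acl_covers_inside(config):
    """Flag ACL permits whose wildcard is narrower than the inside subnet (cramer's first point)."""
    findings = []
    for m in re.finditer(r"^access-list \d+ permit (\S+) (\S+)$", config, re.M):
        # ipaddress treats a mask with a leading zero octet as a hostmask, i.e. an IOS wildcard
        acl_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        for sub in parse_inside_subnets(config):
            if acl_net.network_address == sub.network_address and acl_net != sub:
                findings.append(f"ACL entry {acl_net.with_hostmask} does not cover inside subnet {sub}")
    return findings

def check_default_route(config):
    """Flag a default route whose next hop is an interface, not the ISP gateway IP (second point)."""
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config, re.M)
    if m and not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", m.group(1)):
        return [f"default route points at interface {m.group(1)}; use the ISP gateway IP"]
    return []

def explains_inside_test_failure(client_ip, target_ip, config):
    """True when an inside client tests the static NAT public address (what falolay did), which plain inside-to-outside NAT does not hairpin back."""
    statics = re.findall(r"^ip nat inside source static tcp \S+ \d+ (\S+) \d+", config, re.M)
    return target_ip in statics and any(ipaddress.ip_address(client_ip) in s for s in parse_inside_subnets(config))
```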


cramer

join:2007-04-10
Raleigh, NC
kudos:5
Reviews:
·AT&T Southeast

reply to falolay
I gather your public network looks like this:


64 - NETWORK
65 - ISP GATEWAY
66
67
68 - CPE GATEWAY
69 - [www]
70
71 - BROADCAST


Your default route should thus be: ip route 0.0.0.0 0.0.0.0 41.194.10.65

falolay

join:2011-12-30
Los Angeles, CA

reply to falolay
Thanks to Paulg, Ladino, Cramer and everybody who has offered to help. The configuration is working now. Previously I was only trying to log in through the public IP address from inside the network. Now I have tried it from outside the network and I was able to access the server. Thanks to you all once again.

Regards.


Monday, 04-Jun 13:13:14 | © 1999-2012 dslreports.com.