topic Re: NAT inside config problem in Routing and SD-WAN

NAT inside config problem

carpovalexandru123 — Mon, 04 Mar 2019 20:27:05 GMT

Hello Cisco comunity

I am trying to configure NAT to route trafic from outside port to an inside webserver but i keep failing. After a month of reading forums i decided to ask for help here.

The inside/outside interfaces are defined and working.

I tryed to route trafic received on outside interface on port 5555 to an internal webserver on port 80 but failed. Here is the command i used:

ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555

fa0/0 is the outside interface

fa0/1 is the inside interface

do i need to route trafic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do i need to setup an ACL?

Any help would be apreciated.

Re: NAT inside config problem

Thotsaphon Lueangwattanaphong — Thu, 19 May 2011 09:59:46 GMT

Hi,

When you're trying to access this server from the internet , please post the output "show ip nat translation | inc ".

Toshi

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 10:05:43 GMT

Hi Toshi,

This is a static NAT so the entry will always be in the NAT table even if there is no traffic.

To verify if it's NAT the problem then a debug ip nat would be more appropriate IMHO.

Is there an ACL on the outside interface or is there ZBF configured on the router?

I think a running config would be helpful here.

Regards.

Alain.

Re: NAT inside config problem

Thotsaphon Lueangwattanaphong — Thu, 19 May 2011 10:16:49 GMT

Hi Alian,

"This is a static NAT so the entry will always be in the NAT table even if there is no traffic." You're right. However, we will see new entries if there are connections connecting to the router.

F.e.

Router#sh ip nat translations | inc 172.17.1.22
tcp 202.x.y.z:80 172.17.1.22:80 203.a.b.c:49155 203.a.b.c:49155 <--- Incoming Connection
tcp 202.x.y.z:80 172.17.1.22:80 --- --- <---- Static Entry

That's why I ask for the output. However, it's a good idea to post the current configuration on the router.

Toshi

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 10:24:10 GMT

Hi Toshi,

You're right. I thought about it after I posted.

Regards.

Alain.

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 10:32:19 GMT

show ip nat translations shows:

Pro Inside global Inside local Outside local Outside global

tcp fa0/0:5555 webserver_ip:80 --- ---

debug ip nat crashed my router and i had to restart it

i'll post some of my runing config, i will try to remove some of the irelevant info:

crypto pki trustpoint

enrollment selfsigned

serial-number none

ip-address none

revocation-check crl

rsakeypair _RSAKey 512

crypto pki certificate chain

certificate self-signed 01

quit

crypto isakmp policy 100

encr aes

authentication pre-share

group 2

crypto isakmp key address

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside-map 10 ipsec-isakmp

set peer

set transform-set ESP-3DES-MD5

match address

interface FastEthernet0/0

ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map outside-map

interface FastEthernet0/1

description $ES_LAN$

ip address

ip access-group acl_out in

ip nbar protocol-discovery

ip flow ingress

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

service-policy input SDM-QoS-Policy-1

ip http server

no ip http secure-server

ip dns server

ip nat inside source list 122 interface FastEthernet0/0 overload

ip nat inside source static tcp 80 interface FastEthernet0/0 5555

ip access-list extended acl_out

remark SDM_ACL Category=17

permit ip any host

permit tcp host any eq smtp

deny tcp any any eq smtp

permit ip any any

ip access-list extended

permit ip

access-list 122 permit ip host

end

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 10:42:22 GMT

Ok, i tested from outside to connect to fa0/0:5555. the output is below

tcp fa0/0:5555 :80 92.85.253.180:59626 92.85.253.180:59626

aparently NAT works. So what is my problem then? The page requested from outside wasn't displayed.

Re: NAT inside config problem

Thotsaphon Lueangwattanaphong — Thu, 19 May 2011 10:45:09 GMT

Hi,

1. You can access this server via local lan. Right? Please check the server by using "netstat -an". Is there connections from 92.85.253.180?

2. Please post detailed ACL of interesting traffic for crypto map.

HTH,

Toshi

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 11:00:13 GMT

That's all there is to post about cryptomap. The only thing i haven't posted was the map name and the peer ip. Is there anything else you think i haven't posted?

netstat -an doesn't show the request from outside.

Re: NAT inside config problem

Jon Marshall — Thu, 19 May 2011 11:11:26 GMT

Is the webserver IP on the same subnet as the fa0/1 interface IP ?

If not does the device that routes for the web server have a default route pointing back to this router ?

Also, as Toshi suggested, can you post the actual acl details for the crypto map.

Jon

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 11:17:19 GMT

Have you tried disabling firewall on server?

Is the service up on the router netstat -a -p tcp should output port 80 listening

Could you sniff your interface.

Regards.

Alain.

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 11:28:58 GMT

fa0/1 is on a diferent subnet than my webserver.

The layout is basicaly:

router->switch->ISA server->switch->webserver

The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the trafic?

Re: NAT inside config problem

Jon Marshall — Thu, 19 May 2011 11:31:13 GMT

carpovalexandru123 wrote:

fa0/1 is on a diferent subnet than my webserver.

The layout is basicaly:

router->switch->ISA server->switch->webserver

The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the trafic?

Is your ISA server acting as a router then ?

Check the ISA server settings, is it doing any firewalling ?

Jon

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 11:35:22 GMT

Yes you can look for that possibility.

You can mirror traffic(loca SPAN) coming from isa server to switch port to another port connected to a pc where youinstall a sniffer and see if you have the syn packets.

Regards.

Alain.

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 11:46:42 GMT

Yes, i am using some policies on ISA but i have a rule in my ISA firewall that basicaly says allow all tcp trafic port 5555 from external/anywhere to webserver_ip for all users.

Re: NAT inside config problem

Thotsaphon Lueangwattanaphong — Thu, 19 May 2011 11:50:33 GMT

Hi,

It should not be TCP/5555. It has to be TCP/80.

Toshi

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 12:34:47 GMT

Thanks but i'm not sure it should be 80 and not 5555. Anyway, i changed it to http/https/80/5555 just to be sure and include all. Now when i try to connect if i type /start.html it doesn't work BUT when i just type fa0/0 ip it says 'It works!'. I guess it's the apache server that replies that. Strange that it says that. It should pop SDM if i only type fa0/0 ip adress.

I'm just geting more confused.

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 12:49:06 GMT

Hi,

As Toshi said above it must be 80, don't forget you are doing static PAT on your router.

It should pop SDM if i only type fa0/0 ip adress

Why? as long as you're hitting the router at tcp port 5555 then it will translate to server at port 80 and when you don't specify the page it should go to index..html.

So your port forwarding is now working .

Regards.

Alain.

Re: NAT inside config problem

carpovalexandru123 — Thu, 19 May 2011 12:57:38 GMT

No mate, when i input just fa0/0 ip, without a port number, it says 'It works!'

Typing the port number results in an 'cannot display the page' error

Re: NAT inside config problem

cadet alain — Thu, 19 May 2011 13:22:26 GMT

Now when i try to connect if i type /start.html it doesn't work BUT when i just type fa0/0 ip it says 'It works!'

I see no reference to any port

When it says it works can you do sh tcp brief on the router as well as sh ip nat transl and post output

Typing the port number results in an 'cannot display the page' error

Which page ? /start.html? Do you still not see connections on port 80 of server with netstat?

Are you testing from internet or on the LAN?

Regards.

Alain.