topic Hi JodyThanks i think you may in Network Security

Static nat not working

Russell Dawson — Tue, 12 Mar 2019 04:30:04 GMT

Please find below my customers running config. Everything ok apart from static nat. I cant connect to servers using rdp on port 389, 390 or a device using port internal 443 external 8443 for secure HTTP. From the router i can ping the devices. It was working can some please check my config as i'm at a loss. can anyone help!

????????_DATA#sh run
Building configuration...

Current configuration : 5372 bytes
!
! Last configuration change at 11:37:50 UTC Sat Jul 19 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ??????????_DATA
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn FCZ1608C11J
!
!
username admin privilege 15 password 7 0963401A101112445D5B507278
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly in
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
switchport access vlan 1
no ip address
!
interface FastEthernet1
switchport access vlan 14
no ip address
!
interface FastEthernet2
switchport access vlan 14
no ip address
!
interface FastEthernet3
switchport mode trunk
no ip address
!
interface Vlan1
description VLAN1 LinkVOICEMANAGMENTInterface
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan10
description VLAN10 Interface
ip address 172.17.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description BMS_LAN Interface
ip address 172.17.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan12
description CCTV_LAN Interface
ip address 172.17.12.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan13
description Access Control_LAN Interface
ip address 172.17.13.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan14
description MANAGMENT_LAN Interface
ip address 172.17.14.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan15
description TELEPHONY_LAN Interface
ip address 172.17.15.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan16
description SPARE2_DATA_LAN Interface
ip address 172.17.16.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ??????????
ppp chap password 7 00544156530D595E5B761F1F
ppp pap sent-username ??????????? password 7 06565D711B185B415140415A
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat translation timeout 1800
ip nat translation tcp-timeout 1800
no ip nat service skinny tcp port 2000
no ip nat service sip udp port 5060
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 172.17.14.11 3390 interface Dialer0 3390
ip nat inside source static tcp 172.17.14.10 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.2.1 443 interface Dialer0 8443

ip route 0.0.0.0 0.0.0.0 Dialer0
!

!
access-list 1 permit 172.17.10.0 0.0.0.255
access-list 1 permit 172.17.11.0 0.0.0.255
access-list 1 permit 172.17.12.0 0.0.0.255
access-list 1 permit 172.17.13.0 0.0.0.255
access-list 1 permit 172.17.14.0 0.0.0.255
access-list 1 permit 172.17.15.0 0.0.0.255
access-list 1 permit 172.17.16.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!

!
line con 0
login local
line aux 0
line vty 0 4
session-timeout 30
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server ???????
end

The NAT configuration looks

ghostinthenet — Sat, 19 Jul 2014 13:12:14 GMT

The NAT configuration looks good. What happens if you try the following from the router?

telnet 172.17.14.10 3390 /source-interface Dialer0

telnet 172.17.14.11 3390 /source-interface Dialer0

telnet 192.168.2.1 443 /source-interface Dialer0

Thanks for the reply, and see

Russell Dawson — Sat, 19 Jul 2014 13:31:05 GMT

Thanks for the reply, and see below. The 192.168.2.1 device is connected directly to the router on interface 0 to rule out the switches.

hostname#telnet 192.168.2.1 443 /source-interface dialer0
Trying 192.168.2.1, 443 ...
% Connection timed out; remote host not responding

hostname#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

hostname#telnet 172.17.14.11 3390 /source-interface Dialer0
Trying 172.17.14.11, 3390 ...
% Connection timed out; remote host not responding

hostname#ping 172.17.14.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.14.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Looks like the default

ghostinthenet — Sat, 19 Jul 2014 13:40:44 GMT

Looks like the default gateway isn't set correctly on the machines you're trying to reach. Either that or there's a host-based firewall blocking the connection.

Try running those telnet commands again on the router without the "/source-interface Dialer0" part and see the ports open. If they do, you've got a default gateway problem. If they don't, it's likely a host-based firewall.

The default gateways for those machines should be 172.17.14.254 and 192.168.2.254. You might want to make sure someone hasn't set them up for 172.17.14.1 and 192.168.2.1.

Hi JodyThanks i think you may

Russell Dawson — Sat, 19 Jul 2014 17:04:17 GMT

Hi Jody

Thanks i think you may of hit the nail on the head, I'll need to have someone at site check. Thanks for your help and I'll update what the problem was Monday.

Russ