08-07-2006 07:21 AM - edited 03-03-2019 04:23 AM
Hi,
I am setting up a simple NAT router between a private network (172.16.0.0) and a public network (10.2.0.0).
The NAT part works, except that the router is blocking UDP coming from the WAN (10.2.0.0) to the LAN (172.16.0.0). Only TCP is allowed to come inside. I would like to allow UDP ports 8000-9000 to enter from WAN to LAN.
I tried using these commands without any success:
access-list 102 permit udp any range 8000 9000 any range 8000 9000
ip nat inside source list 102 interface fa0/1
Here is my current configuration:
NAT_TEMP#sh running-config
Building configuration...
Current configuration : 969 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NAT_TEMP
!
enable password cisco
!
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.0.0 172.16.1.99
ip dhcp ping packets 5
!
ip dhcp pool dhcp
network 172.16.0.0 255.255.0.0
domain-name NAT_TEMP
default-router 172.16.1.1
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.0.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 10.2.240.2 255.255.0.0
ip nat outside
duplex auto
speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip http server
no ip pim bidir-enable
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
line con 0
password cisco
line aux 0
password cisco
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
Thanks for your help
Ralph
08-07-2006 08:24 AM
First off, 10.2.0.0 is technically a private address, as it falls within the Class A private address range defined in RFC 1918.
IP scheme design-wise, no NAT should be required between these two networks, 172.16.0.0 and 10.2.0.0.
See this link for more info:
http://www.rfc-archive.org/getrfc.php?rfc=1918
You seem to have NAT set up, but I see no ACL to allow/deny traffic between the interfaces. It seems you may be missing some configuration. You may want to try something such as the following:
access-list 101 permit tcp 172.16.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit tcp 10.2.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit udp 172.16.0.0 0.0.255.255 range 8000 9000 10.2.0.0 0.0.255.255
access-list 101 permit udp 10.2.0.0 0.0.255.255 172.16.0.0 0.0.255.255 range 8000 9000
ip access-group 101 in (set on the appropriate interface(s))
08-07-2006 05:21 PM
Ralph
It looks like you have not given the traffic anywhere to go. If you want the UDP traffic to come into your network (initiated from the outside, not a response to something on the inside), you need a static NAT entry saying which IP address on the 172.16.0.0 network you want it NATed to.
If you enter something like:
ip nat inside source static udp 172.16.1.10 8000 interface FastEthernet0/1 8000
anything going to the IP address of interface FastEthernet0/1, UDP port 8000, will be NATed to 172.16.1.10, UDP port 8000.
Good luck :-)
08-09-2006 05:53 AM
Thank you for your reply,
If I use this command, I have to do it for each port (8000 to 9000). So I used the following which still did not work:
access-list 102 permit udp any range 8000 9000 any range 8000 9000
ip nat inside source list 102 interface fa0/1
Thanks
08-09-2006 06:07 AM
I found out the origin of the problem.
It is this command that was blocking UDP:
ip nat inside source list 1 interface FastEthernet0/1 overload
With:
access-list 1 permit 192.168.1.0 0.0.0.255
To my surprise, removing it caused UDP to pass from WAN to LAN (as a response to something on the inside).
The question is WHY?
08-09-2006 08:02 AM
This is the PAT behavior. In order to allow access from outside to inside you have to add another static NAT entry.
Let me know if you need further explanation,
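To make the PAT behaviour concrete, here is an added Python model of the thread's overload rule. It is an illustration written for this page, not Cisco code and not code from any of the posts. It keeps a translation table the way IOS PAT does in outline: an inside-to-outside packet that matches list 1 creates an entry, the peer's reply matches that entry and is forwarded to 172.16.1.10, while a UDP packet that the 10.2.0.0 side sends first to 10.2.240.2 finds no entry until a per-port static entry is added. Assumptions: the outside peers 10.2.5.5 and 10.2.7.7 are made up; outbound translation keeps the source port when it is free; return traffic has to match the full 5-tuple, as the extended entries IOS creates for overload do. The model also shows a side effect visible in the posted config: the DHCP pool hands out 172.16.0.0/16 addresses while list 1 permits only 172.16.1.0/24, so a client at 172.16.2.x would leave untranslated.

```python
"""Toy model of 'ip nat inside source list 1 interface FastEthernet0/1 overload'.

Added illustration for this thread; not Cisco code and not from the original
posts. It models only the part of IOS PAT that answers "why does overload pass
UDP replies but not UDP the outside sends first?": entries are created by
inside-to-outside packets and matched by the returning packets; a packet the
outside sends first finds no entry unless a static entry exists.
Assumed (not from the thread): peers 10.2.5.5 / 10.2.7.7, port preservation on
the way out, full 5-tuple match on the way back.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

OUTSIDE_IF_IP = "10.2.240.2"             # FastEthernet0/1, 'ip nat outside'
NAT_LIST = ip_network("172.16.1.0/24")   # access-list 1 permit 172.16.1.0 0.0.0.255


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """One inside-global address shared by every inside host (the overload keyword)."""

    def __init__(self, outside_ip: str, nat_list) -> None:
        self.outside_ip = outside_ip
        self.nat_list = nat_list
        # dynamic entries: (proto, global_port, peer_ip, peer_port) -> (inside_ip, inside_port)
        self.dynamic: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        # static entries, e.g. 'ip nat inside source static udp A 8000 interface Fa0/1 8000':
        # (proto, global_port) -> (inside_ip, inside_port), matched whatever the peer is
        self.static: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_free = 1024

    def add_static_pat(self, proto: str, inside_ip: str, inside_port: int, global_port: int) -> None:
        self.static[(proto, global_port)] = (inside_ip, inside_port)

    def _used(self, proto: str, port: int) -> bool:
        return (proto, port) in self.static or any(k[0] == proto and k[1] == port for k in self.dynamic)

    def _pick_global_port(self, proto: str, wanted: int) -> int:
        if not self._used(proto, wanted):
            return wanted                 # port preservation (assumed)
        port = self.next_free
        while self._used(proto, port):
            port += 1
        self.next_free = port + 1
        return port

    def inside_to_outside(self, pkt: Packet) -> Packet:
        """Packet from the 'ip nat inside' interface leaving via 'ip nat outside'."""
        if ip_address(pkt.src) not in self.nat_list:
            return pkt                    # not permitted by list 1: forwarded untranslated
        for (proto, gport), (iip, iport) in self.static.items():
            if proto == pkt.proto and (iip, iport) == (pkt.src, pkt.sport):
                gp = gport                # host already has a static mapping: reuse it
                break
        else:
            gp = None
            for (proto, gport, pip, pport), (iip, iport) in self.dynamic.items():
                if (proto, pip, pport, iip, iport) == (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport):
                    gp = gport            # same flow seen before: reuse its entry
                    break
            if gp is None:
                gp = self._pick_global_port(pkt.proto, pkt.sport)
                self.dynamic[(pkt.proto, gp, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=gp)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on 'ip nat outside' addressed to the router's outside address.

        Returns the translated packet, or None when nothing matches: the router then
        keeps the packet for itself, and with no local listener it goes nowhere.
        Packets not addressed to the NAT address are outside this model.
        """
        if pkt.dst != self.outside_ip:
            return None
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.dynamic:           # reply to something the inside started
            iip, iport = self.dynamic[key]
            return replace(pkt, dst=iip, dport=iport)
        if (pkt.proto, pkt.dport) in self.static:
            iip, iport = self.static[(pkt.proto, pkt.dport)]
            return replace(pkt, dst=iip, dport=iport)
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Replay the thread's situation: overload only, then with one static PAT entry."""
    r = PatRouter(OUTSIDE_IF_IP, NAT_LIST)
    peer = "10.2.5.5"                     # constructed outside host
    out: Dict[str, Optional[Packet]] = {}
    first = Packet("udp", peer, 4000, OUTSIDE_IF_IP, 8000)   # outside speaks first
    out["unsolicited_before_static"] = r.outside_to_inside(first)
    query = Packet("udp", "172.16.1.10", 5000, peer, 53)      # inside speaks first
    sent = r.inside_to_outside(query)
    out["reply"] = r.outside_to_inside(Packet("udp", peer, 53, sent.src, sent.sport))
    out["other_peer"] = r.outside_to_inside(Packet("udp", "10.2.7.7", 53, OUTSIDE_IF_IP, sent.sport))
    r.add_static_pat("udp", "172.16.1.10", 8000, 8000)
    out["unsolicited_after_static"] = r.outside_to_inside(first)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Read `None` in the output as "no inside host receives this". Only `reply` and `unsolicited_after_static` come through, which is the thread's finding: overload alone opens nothing from the outside, and the per-port static entry is what opens UDP 8000.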
08-11-2006 12:28 PM
Thank you
Yes, please, I need clarification. You say it is a PAT issue. In the command, I tell the router to forward packets from the outside to the inside using the allowed private address range.
Is the PAT caused by the "overload"? If so, why is it blocking UDP from WAN to LAN?
Thank you
Ralph
08-11-2006 02:17 PM
Well, in order to allow access from outside to inside while enabling NAT with overload on the router, you need a static NAT entry for the internal host or hosts. Below you can find a sample:
ip nat inside source static InternalIP publicIP
No need for an ACL.
This would allow access from outside to inside.
Try it and let me know if it works.
Sorry, this was a quick reply because I have to jump into a meeting.
Regards,
08-18-2006 09:52 AM
Any news?
09-26-2006 10:20 AM
Hello,
It is not working.
All I configured on the router is:
Interfaces:
ip nat inside
ip nat outside
ip nat inside source static 192.168.1.103 10.2.240.1 (outside router interface).
This way, nothing comes in or goes out.
The only working configuration is the following, but in this case it is not letting UDP in from WAN to LAN:
ip nat inside source list 1 interface fa0/1 overload
where list 1 is:
access-list 1 permit 192.168.1.0 0.0.0.255
Thank you for your reply.
RM
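Two points in the thread lend themselves to a small tool, added here as an example that is not part of the original posts and not Cisco code. The 08-09 post notes that the static form has to be repeated for every port in 8000-9000, since the `ip nat inside source static udp ... interface ...` command takes a single port; the function below emits those lines for pasting into the config. The 09-26 post maps an inside host to the outside interface's own address, after which nothing passes; the lint below flags exactly that pattern in a running-config, on the basis that a host-level static entry claims every port of that address and so collides with the router's own use of it and with the overload rule, whereas the documented way to share the interface address is the per-port form with the `interface` keyword. The config excerpt is constructed in the style of the posted one (using 10.2.240.2, the FastEthernet0/1 address in the posted running-config); the function names are this example's own.

```python
"""Emit per-port static PAT lines and lint a NAT config for a host-level static
entry that reuses the outside interface address.

Added example for this thread; not Cisco code and not from the original posts.
SAMPLE_CONFIG is a constructed excerpt modelled on the posted running-config.
"""
import re
from typing import Dict, List

# IOS takes one port per static PAT line, so a range means one line per port.
def static_pat_lines(proto: str, inside_ip: str, first_port: int, last_port: int,
                     outside_if: str) -> List[str]:
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if not 1 <= first_port <= last_port <= 65535:
        raise ValueError("bad port range")
    return [
        f"ip nat inside source static {proto} {inside_ip} {port} interface {outside_if} {port}"
        for port in range(first_port, last_port + 1)
    ]


def outside_interfaces(config: str) -> Dict[str, str]:
    """Map each interface carrying 'ip nat outside' to its primary address.

    Interface blocks start with 'interface X' and end at the next '!' line;
    indentation is ignored so pasted configs without leading spaces also work.
    """
    result: Dict[str, str] = {}
    name = None
    ip = None
    is_outside = False

    def flush() -> None:
        if name and ip and is_outside:
            result[name] = ip

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            name = line.split(None, 1)[1]
            ip, is_outside = None, False
        elif line == "!":
            flush()
            name = None
        elif name and line.startswith("ip address "):
            ip = line.split()[2]
        elif name and line == "ip nat outside":
            is_outside = True
    flush()
    return result


# Host-level static entry: exactly 'static <local> <global>' with no protocol/port.
STATIC_HOST_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: extendable)?$")


def lint_static_nat(config: str) -> List[str]:
    """Warn about 'ip nat inside source static A B' where B is an outside interface address."""
    by_ip = {ip: name for name, ip in outside_interfaces(config).items()}
    warnings: List[str] = []
    for raw in config.splitlines():
        m = STATIC_HOST_RE.match(raw.strip())
        if m and m.group(2) in by_ip:
            local, glob = m.groups()
            ifname = by_ip[glob]
            warnings.append(
                f"static NAT {local} -> {glob}: {glob} is the address of {ifname} (ip nat outside); "
                f"this claims every port of the interface address. Use per-port static PAT "
                f"('ip nat inside source static udp {local} <port> interface {ifname} <port>') instead."
            )
    return warnings


# Constructed excerpt in the style of the thread's running-config (not the posted text).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 10.2.240.2 255.255.0.0
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 172.16.1.10 10.2.240.2
!
access-list 1 permit 172.16.1.0 0.0.0.255
"""


if __name__ == "__main__":
    lines = static_pat_lines("udp", "172.16.1.10", 8000, 9000, "FastEthernet0/1")
    print(f"{len(lines)} lines, first: {lines[0]}")
    for w in lint_static_nat(SAMPLE_CONFIG):
        print("WARNING:", w)
```

The generated lines coexist with the existing `ip nat inside source list 1 interface FastEthernet0/1 overload` rule: outbound traffic from list 1 keeps using PAT, and only UDP 8000-9000 arriving at the interface address is steered to 172.16.1.10.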