NAT issues...

jm
Level 1

Hi there...

 

I have a network where I want to access some sub-networks where I have isolated several video recorders on port 7000. Each network is isolated by a Cisco 881 router and the first one that was put online works but not the rest of them.

What is wrong with my nat rules?

I have added two of the configuration files and I have a total of five routers to configure.

 

Network.PNG 

Router one...

******************************************************************

interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
interface FastEthernet4
 ip address 172.16.10.181 255.255.254.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Vlan1
 ip address 192.168.181.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
ip forward-protocol nd
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.181.100 7000 interface FastEthernet4 7000
ip route 0.0.0.0 0.0.0.0 172.16.10.1
access-list 1 permit 192.168.181.0 0.0.0.255

******************************************************************

 

Router two...

******************************************************************

interface FastEthernet0
 no ip address
interface FastEthernet1
 no ip address
interface FastEthernet2
 no ip address
interface FastEthernet3
 no ip address
interface FastEthernet4
 ip address 172.16.10.182 255.255.254.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Vlan1
 ip address 192.168.182.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
ip forward-protocol nd
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.182.100 7000 interface FastEthernet4 7000
ip route 0.0.0.0 0.0.0.0 172.16.10.1
access-list 1 permit 192.168.182.0 0.0.0.255

******************************************************************


7 Replies

Francesco Molino
VIP Alumni
Hi

Your NAT statements on each router look good.
Can you explain where you are trying to access from and what's not working?

When trying to access the host through the natted IP, can you run "debug ip nat" and paste the output in a text file please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco and sorry for my late reply.



We are trying to access video recorders that are located on subnets (192.168.181.100, ..182.100, ..183.100 etc.).

We are using a program installed on a computer which is located on the 172.16.10.x network via port 7000.



Now.. I am not a Cisco expert so when I look at the current configuration there are a few lines that confuse me.

To me it looks like the two lines below only provide NAT and access for traffic inside -> outside.

Shouldn't there be an access-list that allows access from 172.16.10.x to 192.168.185.100?

***

ip nat inside source static tcp 192.168.185.100 7000 interface FastEthernet4 7000

access-list 1 permit 192.168.185.0 0.0.0.255

***





Show ip nat translations



Pro Inside global Inside local Outside local Outside global

Tcp 172.16.10.185:7000 192.168.185.100:7000 --- ---







And again... the strangest thing is that it works fine for the first router we installed. But the following fails.



Johnny


Hi

 

The line below is to nat all users from LAN (only subnet 192.168.182.0/24) going to outside with router interface Fa4 IP:

ip nat inside source list 1 interface FastEthernet4 overload

 

This one allows to nat port tcp 7000 of IP 192.168.182.100 to interface Fa4 on port 7000:
ip nat inside source static tcp 192.168.182.100 7000 interface FastEthernet4 7000

If you access your Fa4 IP using port 7000 it will redirect to your internal recorder 192.168.182.100 on port 7000.

However, you can't have multiple recorders natted over the same Fa IP on the same port. Let's say you want to have your other recorder 192.168.182.101 natted, then you'll do something like:

ip nat inside source static tcp 192.168.182.101 7000 interface FastEthernet4 7001

 

Access Fa4 IP using port 7001 will redirect your traffic to internal host 192.168.182.101 on port 7000.

 

Is that more clear?

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Fair enough. Looks like the config is ok NAT-wise :)



I do not have multiple recorders behind same router.

Each recorder is placed behind a Cisco 881 router with separate IP addresses.



Main LAN is 172.16.10.0/23



Subnets are:

192.168.181.0/24 -> Cisco 881 (WAN: 172.16.10.181)

192.168.182.0/24 -> Cisco 881 (WAN: 172.16.10.182)

192.168.183.0/24 -> Cisco 881 (WAN: 172.16.10.183)

192.168.184.0/24 -> Cisco 881 (WAN: 172.16.10.184)

192.168.185.0/24 -> Cisco 881 (WAN: 172.16.10.185)



So when I call one of the recorders I use IP 172.16.10.181:7000 or 172.16.10.182:7000.



As I see it the problem must be either in the Cisco router config or somewhere on the main-LAN.




Can you do a sh ip nat and also a debug ip nat and try to access your recorder using the WAN IP?

What symptoms do you get when accessing?
Are the recorders Windows or Linux machines? Have you tried checking on the machine to see if traffic arrives (wireshark, tcpdump...)?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello

 

You can try NVI NAT (domainless NAT) instead of domain-based NAT.

Unlike domain-based NAT, NVI NAT performs 2 route lookups: one towards the NVI interface and the second to route the packet on its natted address.

int x/x
no ip nat inside
no ip nat outside
ip nat enable

 

no ip nat inside source list 1 interface FastEthernet4 overload
no ip nat inside source static tcp 192.168.181.100 7000 interface FastEthernet4 7000

ip nat source list 1 interface FastEthernet4 overload
ip nat source static tcp 192.168.181.100 7000 interface FastEthernet4 7000

etc...

 

res
Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi guys and sorry for my late reply.

The issue is fixed.

Turns out the routers were not the problem.

The recorders had a built-in network for the attached cameras, which was programmed to use 172.16.x.x/16. Those networks were configured on all recorders except one, and that caused routing problems obviously.

 

Thanks for your suggestions.
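
Added example, not part of the original thread: a model of why a camera network in 172.16.x.x/16 on the recorder breaks the return path even though the static NAT on the 881 is correct. The client address 172.16.10.50, the interface names `lan` and `cam`, reading 172.16.x.x/16 as 172.16.0.0/16, and the choice of which recorder carries the camera network are assumptions made for illustration.

```python
import ipaddress

MAIN_LAN = ipaddress.ip_network("172.16.10.0/23")   # main LAN from the thread
CLIENT = ipaddress.ip_address("172.16.10.50")       # constructed viewing PC

def route_table(lan_cidr, gateway, camera_cidr=None):
    """Routes a recorder would hold: connected LAN, default route, optional camera net."""
    lan = ipaddress.ip_interface(lan_cidr)
    routes = [
        (lan.network, "lan", None),                                   # connected
        (ipaddress.ip_network("0.0.0.0/0"), "lan",
         ipaddress.ip_address(gateway)),                              # default via the 881
    ]
    if camera_cidr:
        routes.append((ipaddress.ip_network(camera_cidr), "cam", None))  # connected
    return routes

def reply_path(routes, dst):
    """Longest-prefix match, as the recorder's IP stack does when it answers dst."""
    net, ifname, gw = max((r for r in routes if dst in r[0]),
                          key=lambda r: r[0].prefixlen)
    return ifname, gw

def shadowing_routes(routes, protected=MAIN_LAN):
    """Non-default routes that overlap the main LAN and so capture replies to it."""
    return [net for net, _, _ in routes
            if net.prefixlen > 0 and net.overlaps(protected)]

# Assumed: recorder 181 has no camera network, recorder 182 has one.
working = route_table("192.168.181.100/24", "192.168.181.1")
failing = route_table("192.168.182.100/24", "192.168.182.1", "172.16.0.0/16")

if __name__ == "__main__":
    for name, table in (("recorder 181", working), ("recorder 182", failing)):
        ifname, gw = reply_path(table, CLIENT)
        print(name, "replies via", ifname, "gateway", gw,
              "shadowing:", [str(n) for n in shadowing_routes(table)])
```

The inbound SYN is translated and delivered in both cases; only the reply differs, which is why `show ip nat translations` looks healthy on a router whose recorder never answers.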