02-04-2005 01:13 AM - edited 03-02-2019 09:28 PM
Hi,
I have a router (config is basically the same as 20 other routers we have installed)
Outbound nat works ok and the users can get out without an issue. However when we try to telnet into the router from the outside (837 ADSL PPPoA) we cannot get a connection. The router is setup to allow telnet, you even see the access-list hitcount increasing but you don't get to the router.
If I remove NAT by taking out the line
ip nat inside source route-map nonat interface Dialer1 overload
Then we can telnet into the router from the outside. So it looks like the nat is not routing inbound data correctly.
Does anyone have any suggestions?
I have tried 2 versions of 12.3 software and even downgraded to 12.2 and still the same fault occurs. Is it possible that a hardware fault could affect a router in this way?
Here are the important bits of the config
!
interface Ethernet0
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ####
ppp chap password ####
ppp pap sent-username #### password ####
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp ###.###.###.### ###.###.###.### any eq telnet
access-list 111 permit tcp ###.###.###.### ###.###.###.### any eq www
access-list 111 permit tcp ###.###.###.### ###.###.###.### any eq 22
access-list 111 permit tcp any host ###.###.###.### eq www
access-list 111 permit tcp any host ###.###.###.### eq smtp
access-list 111 deny ip any any
access-list 181 permit ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 181
!
!
02-04-2005 03:12 AM
What is the ip address of the interface dialer 1?
In your configuration make sure that the nat is applied at the end of process.
02-04-2005 07:52 AM
The ip of D1 is applied by the ISP on connection to the DSL network.
"In your configuration make sure that the nat is applied at the end of process": what do you mean by this? The nat is applied in the configuration; I cannot control where in the configuration it comes, can I?
02-04-2005 12:54 PM
Your access-list 181 is wrong, you can't NAT "any", because that would make the router NAT its own Dialer1 ip address, to its own Dialer1 ip address, to its own Dialer1 ip address.... you get the idea.
Try and replace access-list 181 with:
access-list 181 permit ip 10.0.0.0 0.0.0.255 any
Now you should be able to telnet to the Dialer1 ip address.
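The check described in the answer above, as an added example (not part of the original thread and not Cisco tooling): a Python audit that flags `permit` entries in any ACL feeding `ip nat inside source` whose source is not confined to an `ip nat inside` subnet. It assumes numbered extended ACLs, contiguous wildcard masks, and `ip address` listed before `ip nat inside`; the function names and the sample excerpt are constructed.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the configuration posted above.
SAMPLE = """interface Ethernet0
ip address 10.0.0.1 255.255.255.0
ip nat inside
interface Dialer1
ip address negotiated
ip nat outside
ip nat inside source route-map nonat interface Dialer1 overload
access-list 181 permit ip any any
route-map nonat permit 10
match ip address 181
"""

def acl_source(tokens):
    """Source network of an extended ACL entry (contiguous wildcards assumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    # Invert the wildcard into a netmask so 0.0.0.0 means a single host.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False)

def audit_nat_acls(config):
    """Return (acl, source) for NAT ACL permits not confined to an inside subnet."""
    lines = [l.strip() for l in config.splitlines()]
    inside, addr, rmaps, rmap, nat_refs = [], None, {}, None, set()
    for l in lines:
        if l.startswith("interface "):
            addr = None
        elif m := re.match(r"ip address (\S+) (\d\S+)$", l):
            addr = ipaddress.ip_network("/".join(m.groups()), strict=False)
        elif l == "ip nat inside" and addr:
            inside.append(addr)          # subnet behind an inside interface
        elif l.startswith("route-map "):
            rmap = l.split()[1]
        elif l.startswith("match ip address ") and rmap:
            rmaps.setdefault(rmap, []).extend(l.split()[3:])
        elif m := re.match(r"ip nat inside source (route-map|list) (\S+)", l):
            nat_refs.add(m.groups())
    # Resolve after the pass: the route-map is defined below the NAT statement.
    acl_ids = set()
    for kind, name in nat_refs:
        acl_ids.update(rmaps.get(name, []) if kind == "route-map" else [name])
    findings = []
    for l in lines:
        m = re.match(r"access-list (\d+) permit \S+ (.+)", l)
        if m and m.group(1) in acl_ids:
            src = acl_source(m.group(2).split())
            if not any(src.subnet_of(n) for n in inside):
                findings.append((m.group(1), str(src)))
    return findings
```

Run against the posted excerpt it reports ACL 181 with source 0.0.0.0/0; with the replacement line from the answer it reports nothing.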
02-11-2005 02:02 AM
Thanks, finally got a chance to test the change and it's now working...