Basic NAT problem

apaxson
Level 1

Hey All! I'm using a 2600 with the Firewall Feature Set, but I'm just bugging out on this problem!!!

I'm using basic dynamic NAT translation for my network to get out to the internet. Now, I want to statically open a couple of ports to my email server. I open ports 25 and 110, but I can't telnet into them using the outside address. I can, however, with my inside address. I can also ping the outside address just fine.

ip nat inside source static tcp w.x.y.z 25 a.b.c.d 25

where "w.x.y.z" is my inside address

where "a.b.c.d" is my outside address

I've also played with other settings, such as setting it to a static outside, rather than inside, or not even setting the ports. I am just not getting any luck here. Anyone have any ideas??

7 Replies

apaxson
Level 1

Okay, I recently found that I CAN telnet to port 25 from the outside world, but then why can I not from my internal network? I have BOTH static inside AND static outside defined in my NAT tables.

Anyone know why?

paxson, in the PIX, AFAIK, if you ping from inside using the global IP, you'll _never_ get the answer; you can trace this with "debug icmp trace".

You can use the alias command to connect to the server using its domain name.

ref: http://www.cisco.com/warp/public/110/alias.html

niallseletzky
Level 1

Have you defined a conduit?

Conduit? I have two Ethernet interfaces, each with NAT defined. Is that what you mean? Dynamic NAT is working great.

I finally found out that my configuration is good and I've opened up port 25. But why can I not get to it from an inside local address?

In other words, I cannot telnet to my outside global address using my inside local address. Why is that?

Also, Kusuma,

I do not have a PIX Firewall (Although, I wish I did). I am running a Cisco 2600 with the Firewall Feature Set installed. Will 'alias' still work?

bperrin
Level 1

You won't be able to telnet to the outside interface if you are also NATing out your connection. Try doing the telnet to ports 25 or 110 from a host that has a real public IP address (not NAT), and I'll bet you will be able to; this is working as designed.

You are exactly right. I can telnet from an outside address. But why can I not from an internal address? My concern being: if I have users not getting to my email server, how can I verify that port 25/110 through NAT works?

'show ip nat translations' definitely shows me my static definition. But how can I verify it's working? Or would I even need to?

It would really disappoint me if I have to physically move to a machine outside of my network to verify connection.

Thanks for all the great help!!
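bperrin's advice (test from a host with a real public address) can be turned into a small check run from an outside machine instead of telnetting by hand. The script below is an added example, not code from this thread: it connects to each published port, reads the greeting, and tells apart "the right service answered" (SMTP greets with a 220 line, POP3 with +OK), "something answered but not that protocol" (for instance a translation pointing at the wrong inside host), and refused or timed-out connections. It includes a loopback fake server so it can be exercised offline; the global address a.b.c.d and the service names are placeholders, and from behind the same NAT the probe of the global address is expected to fail, exactly as bperrin describes.

```python
"""Remote check that a NAT-published mail port answers with the right service.

Added example, not code from the thread. Run it from a host with a real public
address; from behind the same NAT the connection to the global address will
fail by design. Hosts and ports below are placeholders.
"""
import socket
import socketserver
import threading

# Greeting prefixes we expect behind each published port (SMTP: RFC 5321,
# POP3: RFC 1939).
EXPECTED_BANNER_PREFIX = {"smtp": "220", "pop3": "+OK"}


def probe_banner(host, port, timeout=5.0):
    """Connect to host:port and return (state, banner).

    state is one of "open", "open-no-banner", "refused", "timeout", "error".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                # TCP connect worked but nothing greeted us: a filter that
                # answers SYNs, or a service that is not a mail daemon.
                return "open-no-banner", ""
            return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)


def check_service(host, port, service):
    """Probe one published port and report whether the right service answered.

    verdict: "ok" (greeting matches the protocol), "wrong-service" (something
    answered, but not the expected protocol, e.g. the translation points at the
    wrong inside host), or the raw probe state when nothing answered.
    """
    state, banner = probe_banner(host, port)
    prefix = EXPECTED_BANNER_PREFIX[service]
    if state == "open":
        verdict = "ok" if banner.startswith(prefix) else "wrong-service"
    else:
        verdict = state
    return {"host": host, "port": port, "service": service,
            "state": state, "banner": banner, "verdict": verdict}


class _BannerHandler(socketserver.BaseRequestHandler):
    """Sends one fixed greeting and closes; stands in for a mail daemon."""

    def handle(self):
        self.request.sendall(self.server.banner)


def start_fake_server(banner):
    """Start a loopback listener that sends a constructed banner (offline use).

    Returns (server, port); call server.shutdown() and server.server_close()
    when finished.
    """
    server = socketserver.TCPServer(("127.0.0.1", 0), _BannerHandler)
    server.banner = banner.encode("ascii")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Offline demonstration against a constructed fake SMTP greeting.
    srv, port = start_fake_server("220 mail.example.test ESMTP ready\r\n")
    print(check_service("127.0.0.1", port, "smtp"))   # verdict: ok
    print(check_service("127.0.0.1", port, "pop3"))   # verdict: wrong-service
    srv.shutdown()
    srv.server_close()
    # Real use, from a host outside the NAT (a.b.c.d is the placeholder
    # global address from the thread):
    # for port, svc in ((25, "smtp"), (110, "pop3")):
    #     print(check_service("a.b.c.d", port, svc))
```

A "wrong-service" verdict is the case worth watching for: the port is reachable, so a plain telnet test looks fine, but the greeting shows the translation landed on something other than the mail server.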

elehman
Level 1

I would hope that you have more than one public IP, right? If you do not, this will be a pain. The idea is to static a public IP to an internal IP, set the ACL for permissions and bind it either to the IP or the interface (depends on which command you use). If you only have one external IP, all incoming traffic might be seen as subject to that rule. Anyway, look for the "ip nat inside source static tcp [internal addr] [port - like 25] [external addr] [port - same] extendable" command.
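The configuration below is an added example that puts elehman's advice and the poster's own NAT line together on one IOS router with the Firewall Feature Set; it is not the poster's configuration. Addresses are placeholders from the documentation ranges (192.168.1.0/24 for the LAN, 192.168.1.10 for the mail server, 203.0.113.0/29 for the public block with 203.0.113.3 as the server's global address) and the interface names are assumptions, since the thread names none. It publishes only TCP 25 and 110 to the server's global address, filters everything else inbound, and relies on CBAC (ip inspect) instead of a blanket "established" rule for the LAN's return traffic.

```cisco
! Added example (not the poster's configuration). Placeholder addresses:
! LAN 192.168.1.0/24, mail server 192.168.1.10, public block 203.0.113.0/29,
! mail server's global address 203.0.113.3. Interface names are assumptions.
!
interface FastEthernet0/0
 description Internet
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT for the LAN (the "basic dynamic NAT" the poster already has).
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface FastEthernet0/0 overload
!
! One static entry per published port. "extendable" permits several static
! translations that share the same local or global address.
ip nat inside source static tcp 192.168.1.10 25 203.0.113.3 25 extendable
ip nat inside source static tcp 192.168.1.10 110 203.0.113.3 110 extendable
!
! CBAC: inspect sessions leaving on the outside interface and open the return
! path through OUTSIDE-IN dynamically.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound filter: only the two published ports reach the mail server's global
! address; everything else from the Internet is dropped and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.3 eq 25
 permit tcp any host 203.0.113.3 eq 110
 deny   ip any any log
```

Two caveats. First, as the thread already established, these entries do not let an inside host reach 203.0.113.3; inside clients should use 192.168.1.10 (or a DNS view that answers with it). Later IOS releases (12.3(14)T and newer) add the NAT Virtual Interface feature, configured with "ip nat enable" on the interfaces and "ip nat source static ..." instead of inside/outside, which does allow inside hosts to reach the global address; whether the poster's 2600 image has it is not known from the thread. Second, to verify the static entries without leaving the network, "show ip nat translations" lists them, and "debug ip nat" during a connection from an outside host shows each packet being translated; "deny ip any any log" also blocks pings to the interface address, so add an explicit ICMP permit if that is wanted.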