Beginner

1:1 nat, unable to get it working

I feel this probably has an obvious, easy answer, but I'm struggling a bit. The PBX is 172.31.213.130.

The public IPs are completely public and connected to our ISP.

At a branch office they are setting up a PBX box that we have assigned to a VLAN, but I can't get port forwarding to work.

These are the forwarding rules:

ip nat inside source static udp 172.31.213.130 2727 <public_primary_ip> 2727 extendable
ip nat inside source static udp 172.31.213.130 8181 <public_primary_ip> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <public_primary_ip> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <public_primary_ip> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <public_primary_ip> 35561 extendable
ip nat inside source static 172.31.213.131 <public_secondary_ip>

Interfaces:

interface GigabitEthernet0/1
 description ** First connection to IED Office - Public **$ETH-LAN$$FW_OUTSIDE$
 ip address <public_primary_ip> 255.255.255.248 
 ip address <public_secondary_ip> 255.255.255.248 secondary
 ip access-group ACLLine1 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security ZoneOutside
 duplex auto
 speed auto
 no mop enabled
 service-policy output QoS
!
!
interface GigabitEthernet0/0.51
 description PBX_VLAN
 encapsulation dot1Q 51
 ip address 172.31.213.129 255.255.255.248
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security ZoneDMZ
 no cdp enable
!



NOTE: I have tried completely disabling the incoming ACL and the zone-based firewall to see if something was blocking, but no go :(

We also have the following configured; is this conflicting?

ip nat inside source route-map NAT_LINE1_ROUTEMAP interface GigabitEthernet0/1 overload

route-map NAT_LINE1_ROUTEMAP permit 10
 match ip address LANInside
 match interface GigabitEthernet0/1

ip access-list extended LANInside
deny ip 172.21.13.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 172.21.13.0 0.0.0.255 57.66.8.48 0.0.0.15
permit ip 172.24.100.0 0.0.0.255 any
permit ip 172.21.13.0 0.0.0.255 any



VIP Mentor

Re: 1:1 nat, unable to get it working

Hello,

The 'extendable' keyword is needed when you want to translate a private IP address to more than one public IP address. So in your case, the static entries should look like below:

 

ip nat inside source static udp 172.31.213.130 2727 <public_primary_ip> 2727 
ip nat inside source static udp 172.31.213.130 8181 <public_primary_ip> 8181 
ip nat inside source static udp 172.31.213.130 9300 <public_primary_ip> 9300 
ip nat inside source static udp 172.31.213.130 15060 <public_primary_ip> 35560 
ip nat inside source static tcp 172.31.213.130 15061 <public_primary_ip> 35561 
ip nat inside source static 172.31.213.131 <public_secondary_ip> extendable

Beginner

Re: 1:1 nat, unable to get it working

Thanks for the quick reply; however, I am not entering 'extendable', it gets added automatically. I just removed them and added:
ip nat inside source static udp 172.31.213.130 2727 <public_primary_ip> 2727
ip nat inside source static udp 172.31.213.130 8181 <public_primary_ip> 8181
ip nat inside source static udp 172.31.213.130 9300 <public_primary_ip> 9300
ip nat inside source static udp 172.31.213.130 15060 <public_primary_ip> 35560
ip nat inside source static tcp 172.31.213.130 15061 <public_primary_ip> 35561

But it comes up with extendable appended :(

(Accepted solution)

Collaborator

Re: 1:1 nat, unable to get it working

Hi,

Most probably you need the PBX to be accessed from the outside, so leave the static NAT statements; they were good (as long as you've properly configured the port bindings). You don't care about the "extendable" keyword; it's there by default, it does not affect you.

To stay on the NAT problem, remove the ingress ACL and the interface zone membership on both interfaces, and try again. While you send traffic matching your NAT statements, look in "show ip nat translations" and do "debug ip nat detailed". This has to work; otherwise post the outputs.

If it does work and stops working with ZBFW, post the complete ZBFW configuration; if using ZBFW, it is not recommended and redundant to have an ingress ACL on any zone member interfaces, so the ACL should be removed anyway.

 

Regards,

Cristian Matei.

Beginner

Re: 1:1 nat, unable to get it working

Thanks :)

So without the ACL and without ZBFW, something is happening, but the ports are still reported as closed when I test from outside. According to the company setting up the PBX there should also be a web interface available at 8181, but I'm having no luck with both the firewall and ZBFW off. (I'm using https://www.yougetsignal.com/tools/open-ports/ to test.)

Pro Inside global        Inside local          Outside local         Outside global
tcp <public_ip1>:8181    172.31.213.130:8181   198.199.98.246:50632  198.199.98.246:50632
tcp <public_ip1>:8181    172.31.213.130:8181   198.199.98.246:50638  198.199.98.246:50638
tcp <public_ip1>:8181    172.31.213.130:8181   198.199.98.246:50643  198.199.98.246:50643
tcp <public_ip1>:8181    172.31.213.130:8181   ---                   ---
udp <public_ip1>:8181    172.31.213.130:8181   ---                   ---
udp <public_ip1>:9300    172.31.213.130:9300   ---                   ---
udp <public_ip1>:35560   172.31.213.130:15060  ---                   ---
tcp <public_ip1>:35561   172.31.213.130:15061  ---                   ---
tcp <public_ip2>:23      172.31.213.131:23     79.1.194.79:6413      79.1.194.79:6413
--- <public_ip2>         172.31.213.131        ---                   ---

08547: Apr 1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr 1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008550: Apr 1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr 1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008599: Apr 1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr 1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008789: Apr 1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr 1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip1>, dest-port:0)


With the ACL in place, not much happens:

udp <public_ip1>:2727   172.31.213.130:2727   ---                   ---
tcp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:9300   172.31.213.130:9300   ---                   ---
udp <public_ip1>:35560  172.31.213.130:15060  ---                   ---
tcp <public_ip1>:35561  172.31.213.130:15061  ---                   ---
--- <public_ip2>        172.31.213.131        ---                   ---

08547: Apr  1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr  1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008550: Apr  1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr  1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008599: Apr  1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr  1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008789: Apr  1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr  1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip2>, dest-port:0)

With ZBFW on, I get:

udp <public_ip1>:2727   172.31.213.130:2727   ---                   ---
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52724  198.199.98.246:52724
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52729  198.199.98.246:52729
tcp <public_ip1>:8181   172.31.213.130:8181   198.199.98.246:52734  198.199.98.246:52734
tcp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:8181   172.31.213.130:8181   ---                   ---
udp <public_ip1>:9300   172.31.213.130:9300   ---                   ---
udp <public_ip1>:35560  172.31.213.130:15060  ---                   ---
tcp <public_ip1>:35561  172.31.213.130:15061  ---                   ---
tcp <public_ip2>:1433   172.31.213.131:1433   42.247.5.87:55377     42.247.5.87:55377
--- <public_ip2>        172.31.213.131        ---                   ---


025140: Apr  1 18:02:51.351 CET: NAT: API parameters passed: src_addr:185.217.0.156, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025142: Apr  1 18:02:51.351 CET: NAT: API Failed to get Translated-Info from: (src-addr:185.217.0.156, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
025143: Apr  1 18:02:51.355 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 208, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 208, proto 6
025294: Apr  1 18:02:59.287 CET: NAT: API parameters passed: src_addr:195.54.166.26, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025296: Apr  1 18:02:59.287 CET: NAT: API Failed to get Translated-Info from: (src-addr:195.54.166.26, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
025297: Apr  1 18:02:59.287 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 209, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 209, proto 6
025305: Apr  1 18:02:59.667 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025331: Apr  1 18:03:00.691 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025368: Apr  1 18:03:01.715 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)


VIP Mentor

Re: 1:1 nat, unable to get it working

Hello,

Post the full running configuration...

Collaborator

Re: 1:1 nat, unable to get it working

Hi,

Your static PAT statement for port 8181 makes use of UDP, while I see you generating TCP traffic for port 8181, which clearly doesn't match any NAT statement. So make sure the testing matches the configuration.

Also, what you could do is a 1-to-1 static NAT for the PBX and restrict access at the service level (TCP, UDP) via your ZBFW configuration.

 

Regards,

Cristian Matei.
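
The protocol mismatch pointed out above (a UDP-only static PAT entry probed with TCP) is easy to catch before touching the router. The following is an added example, not code from the thread or from Cisco: it parses `ip nat inside source static` lines and a `show ip nat translations` excerpt, both constructed here with documentation-range addresses (203.0.113.x, 198.51.100.x) standing in for the thread's `<pubIP1>`/`<pubIP2>` placeholders, and reports whether a given inbound probe (protocol, public address, port) can match any entry, which protocol the port is actually mapped for when it cannot, and which translation rows carry a real outside peer rather than just the static entry itself.

```python
"""Check inbound test traffic against Cisco IOS static NAT/PAT entries.

Added example (not from the thread or from Cisco). All addresses below are
constructed from documentation ranges.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample config: same shape as the thread's entries, with
# 203.0.113.10 / 203.0.113.11 standing in for <pubIP1> / <pubIP2>.
STATIC_NAT_CONFIG = """\
ip nat inside source static udp 172.31.213.130 2727 203.0.113.10 2727 extendable
ip nat inside source static udp 172.31.213.130 8181 203.0.113.10 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 203.0.113.10 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 203.0.113.10 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 203.0.113.10 35561 extendable
ip nat inside source static 172.31.213.131 203.0.113.11
"""

# Constructed `show ip nat translations` excerpt in the layout the thread shows.
SHOW_TRANSLATIONS = """\
Pro Inside global        Inside local          Outside local         Outside global
udp 203.0.113.10:8181    172.31.213.130:8181   ---                   ---
udp 203.0.113.10:35560   172.31.213.130:15060  198.51.100.7:5060     198.51.100.7:5060
tcp 203.0.113.10:35561   172.31.213.130:15061  ---                   ---
--- 203.0.113.11         172.31.213.131        ---                   ---
"""


@dataclass(frozen=True)
class StaticRule:
    proto: Optional[str]        # "tcp", "udp", or None for a whole-address 1:1 entry
    inside_local: str
    local_port: Optional[int]
    inside_global: str
    global_port: Optional[int]


IPV4 = r"\d+\.\d+\.\d+\.\d+"
RULE_RE = re.compile(
    r"^ip nat inside source static"
    r"(?:\s+(?P<proto>tcp|udp))?"
    rf"\s+(?P<ilocal>{IPV4})(?:\s+(?P<lport>\d+))?"
    rf"\s+(?P<iglobal>{IPV4})(?:\s+(?P<gport>\d+))?"
    r"(?:\s+extendable)?\s*$"
)
# Rows of `show ip nat translations`: Pro, inside global, inside local, outside local, outside global
TRANS_RE = re.compile(r"^(?P<pro>tcp|udp|---)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$")


def parse_rules(config: str) -> List[StaticRule]:
    """Turn static NAT/PAT config lines into StaticRule records; other lines are ignored."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(StaticRule(
                proto=m["proto"],
                inside_local=m["ilocal"],
                local_port=int(m["lport"]) if m["lport"] else None,
                inside_global=m["iglobal"],
                global_port=int(m["gport"]) if m["gport"] else None,
            ))
    return rules


def match_probe(rules: List[StaticRule], proto: str, dst_ip: str, dst_port: int) -> Optional[StaticRule]:
    """Return the entry an inbound packet to (proto, dst_ip, dst_port) hits, or None.

    Port-specific (PAT) entries are tried first because they are the more
    specific match; a whole-address 1:1 entry only catches what they do not.
    """
    for r in rules:
        if r.proto == proto and r.inside_global == dst_ip and r.global_port == dst_port:
            return r
    for r in rules:
        if r.proto is None and r.inside_global == dst_ip:
            return r
    return None


def explain_probe(rules: List[StaticRule], proto: str, dst_ip: str, dst_port: int) -> str:
    """Human-readable verdict, naming the protocol the port is mapped for on a miss."""
    hit = match_probe(rules, proto, dst_ip, dst_port)
    if hit:
        return f"{proto}/{dst_port} on {dst_ip} -> {hit.inside_local}:{hit.local_port or dst_port}"
    same_port = [r for r in rules if r.inside_global == dst_ip and r.global_port == dst_port]
    if same_port:
        protos = ", ".join(r.proto for r in same_port)
        return (f"{proto}/{dst_port} on {dst_ip} matches no entry; port {dst_port} is only "
                f"mapped for {protos}. Test with that protocol or add a {proto} entry.")
    return f"{proto}/{dst_port} on {dst_ip} matches no entry."


def live_sessions(show_output: str) -> List[Tuple[str, str, str]]:
    """(proto, inside global, outside global) for rows that carry a real outside peer.

    Rows whose outside columns are '---' only prove the static entry exists;
    they do not show that any packet has been translated through it.
    """
    out = []
    for line in show_output.splitlines():
        m = TRANS_RE.match(line.strip())
        if m and m["og"] != "---":
            out.append((m["pro"], m["ig"], m["og"]))
    return out


if __name__ == "__main__":
    rules = parse_rules(STATIC_NAT_CONFIG)
    for probe in [("tcp", "203.0.113.10", 8181), ("udp", "203.0.113.10", 8181),
                  ("udp", "203.0.113.10", 35560), ("tcp", "203.0.113.11", 23)]:
        print(explain_probe(rules, *probe))
    print("rows with a live outside peer:", live_sessions(SHOW_TRANSLATIONS))
```

Running it against the constructed config prints that TCP/8181 matches nothing because 8181 is only mapped for UDP, that the same probe over UDP and the 35560 -> 15060 port shift both resolve, and that a TCP probe to the second public address falls through to the whole-address entry. Only the 35560 row in the sample table has an outside peer, which is the row to look for when checking whether test traffic actually reached the translation rather than just whether the entry is configured.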

Beginner

Re: 1:1 nat, unable to get it working

Ahh, I had both UDP and TCP, but for testing I have removed UDP now.

One-to-one static wouldn't work due to 35560/35561 > 15060/15061. This is what I have now:

ip nat inside source static udp 172.31.213.130 2727 <pubIP1> 2727 extendable
ip nat inside source static tcp 172.31.213.130 8181 <pubIP1> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <pubIP1> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <pubIP1> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <pubIP1> 35561 extendable
ip nat inside source static 172.31.213.131 <pubIP2>

I will try to post the whole config, but it's going to take me some time to redact it :(

Beginner

Re: 1:1 nat, unable to get it working

Ok, found the issue.

We have two ISP interfaces, and it didn't like asymmetric routing. Adjusted our routing and now it works.

Thanks for all the replies.

(Accepted solution)