ACL / NAT Issue Cisco 3845

mjiacoletti
Level 1

I'm having a strange issue with a Cisco 3845 ISR router. I am setting up basic ACL and NAT, but two issues occur. When using PAT (overload) and a static NAT assignment on the same subnet, the host with the static assignment has no WAN connectivity except for ICMP. The host is not reachable via the WAN and the static public IP. Running show ip nat translations shows the correct inside local and inside global addresses. The other issue is when applying an extended ACL to the outside or WAN interface coming in. No host on the inside has connectivity (ICMP, TCP, etc.), even to the gateway. I've cleared out all the ACLs as well as the IPsec tunnel settings and created only the NAT overload and a single static assignment, with the same results. I'm posting the running config below.

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Router

!

boot-start-marker

boot system flash:/c3845-adventerprisek9-mz.151-3.T.bin

boot-end-marker

!

!

! card type command needed for slot/vwic-slot 0/0

!card type command needed for slot 1

logging buffered 51200

logging console critical

enable secret

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

ip cef

!

!

ip dhcp excluded-address 192.168.2.1 192.168.2.99

ip dhcp excluded-address 192.168.2.200 192.168.2.254

!

ip dhcp pool LAN

network 192.168.2.0 255.255.255.0

dns-server 8.8.8.8 4.2.2.2

default-router 192.168.2.1

option 150 ip 192.168.2.26

option 66 ip 192.168.2.26

lease 4

!

ip dhcp pool Desktop1

host 192.168.2.201 255.255.255.0

hardware-address 001f.e125.d6a9 ieee802

client-name Desktop1

!

ip dhcp pool Desktop2

host 192.168.2 255.255.255.0

hardware-address 0023.4d5b.b307 ieee802

client-name Desktop2

!

!

no ip domain lookup

ip domain name company.local

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

voice-card 0

!

!

!

!

!

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-913640124

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-913640124

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-913640124

certificate self-signed 01


quit

!

!

license udi pid CISCO3845-MB sn FOC12104M4T

object-group service VOIP

tcp eq 5060

udp range 5060 5061

!

object-group network Cisco1_WAN

host [wan ip]

!

object-group service Cisco1_Services

tcp eq 3389

tcp range 9992 9999

!

object-group network Cisco2_External

host [wan ip]

!

object-group service Cisco2_Services

tcp eq www

tcp eq 3389

tcp eq 5060

udp range 5060 5061

!

object-group service VOIP2

tcp range 10000 20000

udp range 10000 20000

!

object-group network Host

host [wan ip]

!

redundancy

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key address [wan ip]

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to[wan ip]

set peer [wan ip]

set transform-set ESP-3DES-SHA

match address 102

!

!

!

!

!

!

interface GigabitEthernet0/0

description WAN$FW_OUTSIDE$

ip address [wan ip] [netmask]

ip access-group 101 in

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

no mop enabled

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

description LAN$FW_INSIDE$

ip address 192.168.2.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

no mop enabled

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source static tcp 192.168.2.10 21 interface GigabitEthernet0/0 21

ip nat inside source static tcp 192.168.2.170 13178 interface GigabitEthernet0/0 13178

ip nat inside source static udp 192.168.2.170 6574 interface GigabitEthernet0/0 6574

ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload

ip nat inside source static 192.168.2.15 [wan ip]

ip nat inside source static 192.168.2.16 [wan ip]

ip route 0.0.0.0 0.0.0.0 [gateway]

!

logging esm config

logging trap debugging

access-list 100 remark SDM_ACL Category=16

access-list 100 remark IPSec Rule

access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 any

access-list 101 remark SDM_ACL Category=17

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.20 0.0.0.255

access-list 101 permit udp host [wan ip] host [wan ip] eq non500-isakmp

access-list 101 permit udp host [wan ip] host [wan ip] eq isakmp

access-list 101 permit esp host [wan ip] host [wan ip]

access-list 101 permit ahp host [wan ip] host [wan ip]

access-list 101 permit tcp any host [wan ip] eq ftp

access-list 101 permit tcp any host [wan ip] eq 13178

access-list 101 permit udp any host [wan ip] eq 6574

access-list 101 permit tcp any host [wan ip] eq 22

access-list 101 permit object-group Cisco1_Services any object-group Cisco1_External

access-list 101 permit object-group VOIP object-group Host object-group Cisco1_External

access-list 101 permit object-group Cisco2_Services any object-group Cisco2_External

access-list 101 permit icmp any any

access-list 102 remark SDM_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 100

!

!

!

!

control-plane

!

!

!

!

mgcp profile default

!

!

!

!

!

banner login  Authorized access only!

!

line con 0

line aux 0

line vty 0 4

transport input telnet ssh

!

scheduler allocate 20000 1000

end


ciscoben2009
Level 1

I'm not 100% with the SDM, but when I set up an ACL for inbound traffic I have to use CBAC/IOS firewall to set an outbound rule which allows the return traffic to come back in from a web request. If you get that working and let the server just PAT and take off the static NAT, can it get on the internet OK?

With PAT enabled, traffic from the LAN to the WAN is fine, but when the static NAT assignment is set then the host with the assignment has no WAN connectivity. Even if I remove PAT and leave only a single static NAT assignment it does the same. I ran debug ip nat and received nothing, which is strange. One thing I noticed is that the NVI is administratively down. I'm thinking I need to remove the ip nat inside and outside from the interfaces and run ip nat enable on both interfaces.

Both your static NATs are pointing to the WAN IP? Do you mean two separate IPs? That would do a 1-to-1 mapping and maybe confuse it if both have the same IP set.

The 1-to-1 NAT is set for another IP that is part of the WAN block. I did notice that not all TCP traffic is going through. I believe telnet to an outside server was not connecting, so maybe I do need to try something similar to this:

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml

If you take off your ACL, does it work? You will need CBAC to let the return traffic in past your ACL.

Test it without the ACL.
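The stateless-versus-stateful point made in the reply above, as an added Python model that is not part of the thread: it evaluates a PAT'd web reply against a subset of the poster's access-list 101 with and without a CBAC-style session entry, which is why only ICMP came back in. The public addresses 198.51.100.10 and 203.0.113.5 and port 40000 are constructed stand-ins for the redacted [wan ip].

```python
import ipaddress
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")
WAN_IP = "198.51.100.10"  # constructed stand-in for the thread's redacted [wan ip]

def acl_match(entry, pkt):
    """One simplified ACE: (proto, src_net, dst_net, dport or None for any port)."""
    proto, src, dst, dport = entry
    if proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    return dport is None or dport == pkt.dport

# Subset of the thread's access-list 101 ('any' is 0.0.0.0/0).
ACL_101 = [
    ("tcp", "0.0.0.0/0", WAN_IP + "/32", 21),    # permit tcp any host [wan ip] eq ftp
    ("tcp", "0.0.0.0/0", WAN_IP + "/32", 22),    # permit tcp any host [wan ip] eq 22
    ("icmp", "0.0.0.0/0", "0.0.0.0/0", None),    # permit icmp any any
]

def stateless_permit(acl, pkt):
    """Plain ACL semantics: first matching permit wins, else the implicit deny."""
    return any(acl_match(e, pkt) for e in acl)

class Inspector:
    """CBAC-style state: an outbound flow opens a pinhole for its reply."""
    def __init__(self, acl):
        self.acl, self.sessions = acl, set()
    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
    def inbound(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return key in self.sessions or stateless_permit(self.acl, pkt)

def demo():
    # After PAT a LAN web request leaves as WAN_IP:40000 -> 203.0.113.5:80
    # (constructed addresses); its reply arrives 203.0.113.5:80 -> WAN_IP:40000.
    reply = Pkt("tcp", "203.0.113.5", 80, WAN_IP, 40000)
    ping_reply = Pkt("icmp", "203.0.113.5", 0, WAN_IP, 0)
    insp = Inspector(ACL_101)
    insp.outbound(Pkt("tcp", WAN_IP, 40000, "203.0.113.5", 80))
    return {"tcp_reply_stateless": stateless_permit(ACL_101, reply),
            "icmp_reply_stateless": stateless_permit(ACL_101, ping_reply),
            "tcp_reply_inspected": insp.inbound(reply)}
```

The inbound ACL alone drops the TCP reply (implicit deny) while the icmp any any line lets ping replies through; the session entry is what CBAC (or the zone-based policy the poster ended up with) adds.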

When I tested it with the 1-to-1 NAT, I removed all ACLs, but no traffic (other than ICMP) was passing to the WAN.

Can you show the config with the changes made, please?

Here is the config:

version 15.1

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Router

!

boot-start-marker

boot system flash:/c3845-adventerprisek9-mz.151-3.T.bin

boot-end-marker

!

!

! card type command needed for slot/vwic-slot 0/0

!card type command needed for slot 1

logging buffered 51200

logging console critical

enable secret

!

aaa new-model

!

!

aaa authentication login default local

!

!

!

!

!

aaa session-id common

!

!

dot11 syslog

ip source-route

!

ip cef

!

!

ip dhcp excluded-address 192.168.2.1 192.168.2.99

ip dhcp excluded-address 192.168.2.200 192.168.2.254

!

ip dhcp pool LAN

network 192.168.2.0 255.255.255.0

dns-server 8.8.8.8 4.2.2.2

default-router 192.168.2.1

option 150 ip 192.168.2.26

option 66 ip 192.168.2.26

lease 4

!

ip dhcp pool Desktop1

host 192.168.2.201 255.255.255.0

hardware-address 001f.e125.d6a9 ieee802

client-name Desktop1

!

ip dhcp pool Desktop2

host 192.168.2 255.255.255.0

hardware-address 0023.4d5b.b307 ieee802

client-name Desktop2

!

!

no ip domain lookup

ip domain name company.local

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

voice-card 0

!

!

!

!

!

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-913640124

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-913640124

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-913640124

certificate self-signed 01


quit

!

!

license udi pid CISCO3845-MB sn FOC12104M4T

object-group service VOIP

tcp eq 5060

udp range 5060 5061

!

object-group network Cisco1_WAN

host [wan ip]

!

object-group service Cisco1_Services

tcp eq 3389

tcp range 9992 9999

!

object-group network Cisco2_External

host [wan ip]

!

object-group service Cisco2_Services

tcp eq www

tcp eq 3389

tcp eq 5060

udp range 5060 5061

!

object-group service VOIP2

tcp range 10000 20000

udp range 10000 20000

!

object-group network Host

host [wan ip]

!

redundancy

!

interface GigabitEthernet0/0

description WAN$FW_OUTSIDE$

ip address [wan ip] [netmask]

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

no mop enabled

crypto map SDM_CMAP_1

!

interface GigabitEthernet0/1

description LAN$FW_INSIDE$

ip address 192.168.2.1 255.255.255.0

ip flow ingress

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

no mop enabled

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source static 192.168.2.16 [wan ip]

ip route 0.0.0.0 0.0.0.0 [gateway]

!

logging esm config

logging trap debugging

!
control-plane
!

!

!

!

mgcp profile default

!

!

!

!

!

banner login  Authorized access only!
!
line con 0

line aux 0

line vty 0 4

transport input telnet ssh

!

scheduler allocate 20000 1000

end

johnlloyd_13
Level 9

Hi Michael,

ip route 0.0.0.0 0.0.0.0 [gateway]

is the "gateway" or next hop set to the ISP WAN IP?

That is correct.

johnlloyd_13
Level 9

Hi,

Kindly post your show ip nat translation output. Have you checked the IP settings on your host 192.168.2.16? Can you ping 192.168.2.1 and 4.2.2.2?

What I meant is to perform ping tests to GW 192.168.2.1 and 4.2.2.2 from host 192.168.2.16.


mjiacoletti
Level 1

I don't have access to the router at the moment but I'll try to get those results when I do.

mjiacoletti
Level 1

After working on it, the only way I could get static NAT to work was to add the public IPs as secondary addresses to the outside interface as well as use the ip nat inside source static command. That created a problem, since the servers need to access each other via the public IPs, so traffic gets redirected to the outside interface. Traffic coming from the outside in goes to the correct location.

I also looked into the ACL issue more, and every time I applied the ACL to the outside interface going in, no traffic other than ICMP could get out from the local network. I ended up removing all the ACLs and using the SDM to create class-maps and policy-maps.