06-14-2011 05:09 PM - edited 03-04-2019 12:43 PM
Hi All,
This should be simple; I just think I've been staring at it for too long and can't see what I'm missing.
I've got an 877 WAN router that I'm provisioning and I can't configure a static map to let an outside connection talk into an internal box via SSH. What I've currently got:
And the kicker: I've got a similar 877, but with a simpler single internal subnet, at another site that is doing exactly this perfectly. Same OS version, same ISP, same connection plan. I'm offsite right now and the device is powered off, so I can't post the output of show, debug, etc. I've tried:
Like I said, I think I just can't see my mistake right now. Any help would be appreciated and the running config is below. It is very much a minimal configuration to try to isolate my NAT mistake.
Thanks in advance,
-pete
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname orcus
ip domain name wmawater.com.au
ip name-server 192.168.70.17
ip name-server 192.168.70.18
scheduler max-task-time 5000
ntp clock-period 17182119
ntp server 192.168.70.18 source Vlan1
ntp server 192.168.70.17 source Vlan1
!
! Turn off host name lookups unless we want to
no ip domain-lookup
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 <password>
!
no aaa new-model
!
dot11 syslog
ip cef
!
username root privilege 15 secret 5 <password>
!
archive
log config
hidekeys
!
no ip ftp passive
ip ssh time-out 60
ip ssh authentication-retries 2
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.60.3 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username <user> password 7 <password>
!
! ****************
! Set the IP routing and default routes
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.70.0 255.255.255.0 192.168.60.1
ip route 192.168.80.0 255.255.255.0 192.168.60.1
ip route 192.168.90.0 255.255.255.0 192.168.60.1
ip route 192.168.100.0 255.255.255.0 192.168.60.1
ip route 192.168.120.0 255.255.255.0 192.168.60.1
ip route 192.168.130.0 255.255.255.0 192.168.60.1
ip route 192.168.140.0 255.255.255.0 192.168.60.1
!
! ip http server
! ip http access-class 1
! ip http authentication local
! ip http secure-server
! ip http timeout-policy idle 60 life 86400 requests 10000
!
!****************
! Configure NAT
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.70.34 22 interface Dialer0 22
! Permit all access from local subnets with no restrictions
access-list 2 permit 192.168.0.0 0.0.255.255
! Dialer access so we allow anything to access it
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
! Lock down the local access to restrict command line access for
! configuration
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input ssh
!
end
06-14-2011 07:02 PM
hi peter,
Your inside device 192.168.70.34 is on a different subnet from your LAN default gateway 192.168.60.3/24. You may want to reassign its IP.
06-14-2011 09:30 PM
Doh, thanks. Yes, you are probably right on that. I'm offsite for a day or so but will try when I get back. Production versus development VLANs got me then, I think.
Thanks
-pete
06-14-2011 10:10 PM
Hi Peter,
Glad to be of some assistance to you. Do rate if the post helped with your issue.
Sent from Cisco Technical Support iPhone App
06-16-2011 08:47 PM
Hi John,
Turns out it wasn't the subnet, but your suggestion caused me to look at my configuration differently. I was not explicitly enabling the firewall to let incoming packets that did not originate on my network come in.
Thanks for the suggestion though.
-pete
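The reply above reasons about whether the NAT inside host is on the router's LAN subnet, and the posted config answers that with a static route (192.168.70.0/24 via 192.168.60.1) rather than a connected interface. The following is an added example, not code from the thread or from Cisco: a small Python lint that parses the relevant lines of the running config (a constructed excerpt of what was posted, embedded inline) and reports how the router reaches each static-NAT inside host. It also flags a caveat worth checking with this particular map: a static map on port 22 of Dialer0 claims that port on the router's own WAN address, so SSH to the router itself from the outside is handed to the inside host instead.

```python
import ipaddress
import re

# Constructed excerpt of the running config posted in the thread: only the lines
# the checks below look at, indented the way IOS prints them.
CONFIG = """\
interface Vlan1
 ip address 192.168.60.3 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.70.0 255.255.255.0 192.168.60.1
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source static tcp 192.168.70.34 22 interface Dialer0 22
line vty 0 4
 transport input ssh
"""

# Matches the 'interface' form of a static port map (the form used in the thread).
STATIC_RE = re.compile(
    r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
)


def parse_config(text):
    """Extract connected subnets, static routes, static NAT maps and whether the
    vty lines accept SSH. Returns a dict so callers can pick what they need."""
    connected = {}   # interface name -> IPv4Network of its configured address
    routes = []      # (destination network, next hop or exit interface)
    nat_static = []  # one dict per 'ip nat inside source static ... interface' line
    vty_ssh = False
    section = None   # current 'interface X' or vty block, if any
    for raw in text.splitlines():
        if not raw.startswith(" "):
            section = None   # unindented line starts a new top-level command
        cmd = raw.strip()
        if cmd.startswith("interface "):
            section = cmd.split(None, 1)[1]
        elif cmd.startswith("line vty"):
            section = "vty"
        elif (section and section != "vty" and cmd.startswith("ip address ")
              and "negotiated" not in cmd):
            _, _, ip, mask = cmd.split()[:4]
            connected[section] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif cmd.startswith("ip route "):
            parts = cmd.split()
            routes.append((ipaddress.ip_network(f"{parts[2]}/{parts[3]}"), parts[4]))
        else:
            m = STATIC_RE.match(cmd)
            if m:
                proto, inside_ip, inside_port, outside_if, outside_port = m.groups()
                nat_static.append({"proto": proto, "inside_ip": inside_ip,
                                   "inside_port": int(inside_port),
                                   "outside_if": outside_if,
                                   "outside_port": int(outside_port)})
            elif section == "vty" and cmd.startswith("transport input") and "ssh" in cmd.split():
                vty_ssh = True
    return {"connected": connected, "routes": routes,
            "nat_static": nat_static, "vty_ssh": vty_ssh}


def inside_host_reachability(inside_ip, connected, routes):
    """Classify how the router reaches a NAT inside host: ('connected', interface),
    ('routed', next hop) for the longest non-default static route, or
    ('default-only', None) when only the default route matches."""
    host = ipaddress.ip_address(inside_ip)
    for ifname, net in connected.items():
        if host in net:
            return "connected", ifname
    best = None
    for net, via in routes:
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    if best is None or best[0].prefixlen == 0:
        return "default-only", None
    return "routed", best[1]


def lint(text):
    """Return the findings a reviewer wants before trusting a static NAT map."""
    cfg = parse_config(text)
    findings = []
    for e in cfg["nat_static"]:
        how, via = inside_host_reachability(e["inside_ip"], cfg["connected"], cfg["routes"])
        if how == "connected":
            findings.append(f"OK: inside host {e['inside_ip']} is on connected interface {via}")
        elif how == "routed":
            findings.append(f"OK: inside host {e['inside_ip']} is reached via static route to {via}; "
                            f"confirm {via} sends the host's return traffic back to this router")
        else:
            findings.append(f"PROBLEM: inside host {e['inside_ip']} matches only the default route, "
                            "so replies would leave via the WAN instead of reaching the host")
        # Known IOS behaviour: a static map on the outside interface's port takes that
        # port away from the router's own services on that address.
        if e["proto"] == "tcp" and e["outside_port"] == 22 and cfg["vty_ssh"]:
            findings.append(f"CAVEAT: static map takes port 22 of {e['outside_if']}; SSH to the router's "
                            f"own {e['outside_if']} address from outside now lands on {e['inside_ip']}, "
                            "so manage the router from the inside or use a different outside port")
    return findings


if __name__ == "__main__":
    for line in lint(CONFIG):
        print(line)
```

Run against the excerpt, the lint reports the inside host as reachable via the static route to 192.168.60.1 (consistent with the original poster's finding that the subnet was not the fault) and raises the port-22 caveat. The "confirm the next hop routes return traffic back" note is the check a practitioner would do next, since with the inside host two hops away its replies go to its own gateway, which must forward Internet-bound traffic to this router rather than somewhere else.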