Cannot access internal server from the outside

n0idnixny
Level 1

Hi, I'm trying to NAT connections coming from the Serial1/0 interface to the GigabitEthernet0/1 and it's not working. Maybe there's something wrong with my config?

Cisco 3825 Router IOS Version 12.4(13r)T11

here's my current config:

ip nat pool PORTFWD 172.16.10.1 172.16.10.1 netmask 255.255.255.0 type rotary
ip nat inside source list 10 interface Serial1/0 overload
ip nat inside destination list 100 pool PORTFWD
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
access-list 100 permit tcp any any range uucp 550

172.16.10.1 is GigabitEthernet0/1's IP address. I already tried mapping it to 172.16.10.5, which is the actual server I'm trying to reach. When I telnet from the Cisco router to 172.16.10.5 on the port I want to get into (i.e. ftp/AFP) it goes in, so it is reachable.

Serial1/0 has ip nat outside

GigabitEthernet0/1 has ip nat inside

am I doing something wrong? (d'oh)

Thanks in advance.

Ron


Ron

Given what you have posted, it is expected behavior that if you remove the permit ip any any from the access list and leave the other entry, everyone on the LAN would lose Internet connectivity.

I suggest that we take a step back and look at this question from a slightly different perspective. The original question was about the need to do a static translation in addition to dynamic translations. And then the observation was made that if you have an access list filtering traffic on the serial interface that it should permit this traffic. And everyone started assuming that you had an access list (and access group on the interface). Based on what has been in this thread I am guessing that you did not have an access list until we suggested it. And based on what is posted to be in the access list I am going to suggest that you do not need an access list filtering traffic on the serial interface.

The real question of whether you should have an access list (and access group on the interface) requires knowledge of your environment and of your requirements that goes far beyond what is included in this thread. But based on what is in this thread I suggest that you remove the access list, remove the access group from the serial interface and focus on whether the translation is working. If the translation works then it is great. If the translation does not work then you will know that the problem is not the access list.

HTH

Rick


Richard

so is this line necessary?

ip nat inside source list 101 interface Serial1/0 overload

because I added that line with the access-list 101 permit ip any any in order to provide everyone with internet access, because Verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online) to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me from getting this working?

Thanks in advance.

Ron


Ron

No, you need acl 101 for your NAT in the above statement, but you only need a "permit ip any any". You do not need to apply acl 101 to an interface for it to work with NAT.

You do need this line so all your internal clients can access the internet -

ip nat inside source list 101 interface Serial1/0 overload

Can you -

1) make sure you remove the acl from the serial interface but leave acl 101 for your nat overload

2) try and make a connection from the outside to the server and then look at your NAT translation table to see if there is a NAT translation, i.e.

router# sh ip nat translations | include 172.16.10.5

and post the result.

I'm assuming you are connecting from a device on the outside of the router ?

Jon

wow I feel a little retarded, as I was trying to telnet the port from the same line; no wonder I was getting connection refused.

sorry

I tried from a different line we have here @ the office and it works!!!

Thanks guys for your help! Jon, Richard, Halijenn for the fast replies.

I will take care of those ACL's and remove the access-group from the interface as well.

Thanks again for your kind help guys. I really appreciate it.

Ron

In other words, the 172.16.10.0 subnet (GigabitEthernet0/1) needs internet connectivity from the Serial interface, and TCP port 548 needs to be forwarded to address 172.16.10.5.

Maybe there is a better way to configure this scenario from what I already have?

I appreciate the help and time.

Thanks in advance.

Ron

I am glad to know that my understanding was correct that you did not originally have an access list applied to the serial interface. And part of the solution is to remove the access-group from the serial interface but not necessarily to remove access list 101.

When I had been talking about access list 101 I was thinking of it in terms of how you had applied it to the serial interface (using access-group) and I missed the fact that you also use that access list in your nat statement. You still need some access list in your nat statement and do not need an access list (or access-group) on the serial interface.

While I believe that you need an access list for NAT, I am not sure that this version of access list 101 is the optimum choice. I do not remember the details, but I think that I remember reading that using permit any any in NAT could cause some problems. I would suggest that you configure an access list like this:

access-list 10 permit 172.16.10.0 0.0.0.255

and use access list 10 in your nat statement rather than using access list 101.

HTH

Rick

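To tie together Jon's point (the NAT source list is referenced by the "ip nat" statement, not applied to the serial interface) and Rick's point (match only the inside subnet rather than permit ip any any), here is one way the whole configuration could look. This is an added example written for this thread, not a config posted by Ron, Jon or Rick. The interface names, the 172.16.10.0/24 subnet, the 172.16.10.5 server and TCP port 548 are taken from the thread; the static port-forward entry in place of the rotary pool and the Gi0/1 mask are this example's assumptions.

```cisco
! Added example, not from the thread: NAT overload for the LAN plus a
! single static port forward for the AFP server.
!
interface Serial1/0
 ip nat outside
 ! Nothing is applied with "ip access-group" here. The access list used
 ! for NAT is matched by the "ip nat inside source list" statement below,
 ! so applying it to the interface only filters traffic.
!
interface GigabitEthernet0/1
 ! Address from the thread; mask assumed from the original pool statement
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT for the inside subnet. Narrowed to the LAN range, as Rick
! suggested, instead of "access-list 101 permit ip any any".
access-list 10 permit 172.16.10.0 0.0.0.255
ip nat inside source list 10 interface Serial1/0 overload
!
! Static translation (assumed here in place of the rotary pool): inbound
! TCP connections to the Serial1/0 address on port 548 are forwarded to
! 172.16.10.5 port 548. Only this one port is exposed from outside.
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
!
! Verification, after connecting from a host that is actually on the
! outside of Serial1/0 (the command Jon asked for):
! show ip nat translations | include 172.16.10.5
```

Testing from a host on the inside subnet will not exercise the translation, which is what Ron ran into; the connection attempt has to arrive on Serial1/0.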

Thanks again Richard for your help!

Next time, instead of hitting myself in the head for 2 days, I'll come here for Q&A.

Thanks!!

Regards,

Ron
