Cisco 1841 NAT Issue

jake.bunce
Level 1

Hi,

I have an issue with NAT on a Cisco 1841. See following configuration:

interface FastEthernet0/0
description Connection to LAN
bandwidth 100000
ip address 10.90.0.100 255.255.0.0
ip helper-address 10.100.2.2
ip helper-address 10.100.2.3
ip load-sharing per-packet
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

interface Dialer1
description ADSL connection
bandwidth 448
ip address X.X.X.X 255.255.255.248
ip access-group 150 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname hostname
ppp chap password password
ppp pap sent-username hostname password password
crypto map vpn

ip nat inside source list 102 interface Dialer1 overload

router#show ip access-list

Extended IP access list 102
    10 permit ip 10.90.0.0 0.0.255.255 any !! No matches


router#show ip nat stat

Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
  Virtual-Access2, Dialer1
Inside interfaces:
  FastEthernet0/0
Hits: 8388  Misses: 151
CEF Translated packets: 8401, CEF Punted packets: 2029356 !! The CEF Punted packets counter keeps increasing. No matches on ACL though.
Expired translations: 127
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 102 interface Dialer1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

router#show ip nat trans
(empty)

I've tried this with both a source-list NAT statement and a route-map. The router can contact hosts on the Internet:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.31.0.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/147/148 ms

Any ideas?

Thanks

21 Replies

Peter Kiogora
Level 1

What does IP access list 150 look like ("ip access-group 150 in")?

Extended IP access list 150
    10 permit esp any any (257967 matches)
    20 permit tcp host 1.1.1.1 host X.X.X.X eq 22 (6885 matches)
    30 permit udp any any eq isakmp (36765 matches)
    40 permit udp any any eq non500-isakmp
    50 permit icmp any any (24540 matches)
    60 permit udp host 158.43.128.33 host X.X.X.X eq ntp (540 matches)
    70 permit udp host 158.43.128.66 host X.X.X.X eq ntp
    80 permit gre any any
    90 permit udp any any eq domain
    100 deny ip any any log (2329 matches)

Try adding the local LAN onto it, and if you can, check the matches on the deny ip any any and confirm whether your local LAN is one of the matches.

I've done that; however, the local LAN is not one of the matches on the deny any.

On Dialer1, access-list 150 is applied in the inbound direction, and there is no statement saying "permit ip 10.90.0.0 0.0.255.255 any". Hence access-list 150 will implicitly deny the internal LAN IP addresses.

You can try adding the same statement to access-list 150 and check whether it works. Initiate a ping to a global domain server via the internal LAN interface and check the result for:

ping 4.2.2.2 source interface Fe0/0/0....?

Rate the post , if it helps you.

Regards,

Jyoti

I've added:

Extended IP access list 150
    5 permit ip 10.90.0.0 0.0.255.255 any

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.90.0.100
.....
Success rate is 0 percent (0/5)

OK, then remove that.

Add the old access-list 102 in the inbound direction on Fe0/0:

int fe0/0
ip access-group 102 in

Let me know if it works.

Regards,

Jyoti

That hasn't worked:

router#ping 4.2.2.2 source fa0/0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.90.0.100
.....
Success rate is 0 percent (0/5)

Try the access list the other way round, i.e. permit ip any 10.90.0.0 0.0.255.255. Remember you are allowing traffic back to your LAN.

It's currently applied in both directions.

It did not work because the overload statement given on Di0 is access-list 102.

You need to give access-list 150.

ip nat inside source list 150 interface Dialer1 overload

And please remove "access-group 102 in" from Fa0/0 interface.

Regards,

Jyoti

ACL 102 is used for interesting traffic identification:

access-list 102 permit ip 10.90.0.0 0.0.255.255 any

ACL 150 is used to prevent access to the router/LAN from the Internet:

Extended IP access list 150
    10 permit esp any any (257967 matches)
    20 permit tcp host 1.1.1.1 host X.X.X.X eq 22 (6885 matches)
    30 permit udp any any eq isakmp (36765 matches)
    40 permit udp any any eq non500-isakmp
    50 permit icmp any any (24540 matches)
    60 permit udp host 158.43.128.33 host X.X.X.X eq ntp (540 matches)
    70 permit udp host 158.43.128.66 host X.X.X.X eq ntp
    80 permit gre any any
    90 permit udp any any eq domain
    100 deny ip any any log (2329 matches)

ip nat inside source list 102 interface Dialer1 overload

You have defined interesting traffic in ACL 102. However, since you applied 150 on Di1, it's ignoring ACL 102.

What you need to do is:

1. Remove access-list 150 from Di1
2. Overload ACL 102 on Di1

Initiate a ping.... It will work for sure.

Then, to block or allow traffic on Di1, please use "port-forwarding".

Like in the example below:

Internal management IP: 10.10.10.1 and WAN IP is 67.93.194.80

ip nat inside source static tcp 10.10.10.1 80 67.93.37.194 80 extendable << Allowing HTTP traffic
ip nat inside source static tcp 10.10.10.1 443 67.93.37.194 443 extendable << Allowing SSL traffic

You can use this method to achieve the same.

Regards,

Jyoti

I don't want to use port-forwarding; I need to use NAT overload (Port Address Translation), which is why ACL 102 was created.