10-21-2013 09:33 AM - edited 03-04-2019 09:22 PM
Hi all, I have an 1841 for a test environment and I've been trying to get port translation to work, but I just can't get it to work. I can get to the router via Telnet or SSH no problem, but nothing internal. My scrubbed config is below; thanks in advance for any help.
show run
Building configuration...
Current configuration : 4858 bytes
!
! Last configuration change at 11:23:40 EDT Mon Oct 21 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SandboxRT1
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.151-4.M1.bin
boot-end-marker
!
!
logging buffered 50000
logging console informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name entsand.local
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip inspect name Firewall tcp router-traffic
ip inspect name Firewall udp router-traffic
ip inspect name Firewall icmp router-traffic
login block-for 600 attempts 10 within 5
login delay 5
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FTX1228Y0YA
archive
log config
logging enable
hidekeys
username admin privilege 15 secret 5 $1$zJUp$cENJm525gTb0kxTu6kDMs.
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
description To Internet
ip address x.x.x.x x.x.x.x
ip access-group fwall in
ip nat outside
ip inspect Firewall out
ip virtual-reassembly in
speed 100
full-duplex
!
interface FastEthernet0/1
description To LAN
ip address 172.16.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-LIST interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.1.51 443 interface FastEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 172.16.1.0 255.255.255.0 172.16.1.1
!
ip access-list standard ACL_VTY-In
permit x.x.x.x
!
ip access-list extended NAT-LIST
permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended fwall
permit gre any any
permit tcp any any eq telnet
permit tcp any any eq 22
permit udp any any eq isakmp
permit esp any any
permit tcp any any eq 443
!
logging trap debugging
access-list 1 permit 172.16.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
!
line con 0
privilege level 15
logging synchronous
line aux 0
line vty 0 4
access-class ACL_VTY-In in
privilege level 15
logging synchronous
transport input telnet
line vty 5 15
access-class ACL_VTY-In in
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end
10-21-2013 09:47 AM
Hi Matthew,
You don't need a static route for a connected route, so you should be safe to remove that. I don't believe that's your problem here, but it's something I noticed. When you say that you can't get to anything, I'm assuming that you're trying to ssh into the static natted private address that you have listed in your config. Is that correct?
HTH,
John
10-21-2013 09:51 AM
No, just for testing purposes, I'm trying to get to port 443 on 172.16.1.51 (per this statement:
ip nat inside source static tcp 172.16.1.51 443 interface FastEthernet0/0 443)
from the outside.
10-21-2013 09:58 AM
For testing, does it work if you remove the cbac config and acl on the outside?
HTH,
John
*** Please rate all useful posts ***
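John's question (does the forward work once the CBAC inspection and the outside ACL are removed?) can be checked mechanically before touching the box: is the port a static NAT entry publishes actually permitted by the ACL applied inbound on the `ip nat outside` interface? The script below is an added example written for this thread, not code from the poster or from Cisco. It assumes the IOS order of operations for outside-to-inside traffic, where the inbound ACL is evaluated before the global-to-local NAT step, so the ACL must permit the global (published) port; it evaluates only protocol and destination port and skips the ACE address specs, so its verdict is an approximation. The sample config is a constructed excerpt of the one posted above, with one extra forward (172.16.1.52:8080 published as port 80) added so the negative case shows up.

```python
import re

# Constructed sample: scrubbed excerpt of the config posted above, plus one extra
# forward (172.16.1.52:8080 published as port 80) that 'fwall' does not permit.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip access-group fwall in
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
ip nat inside source static tcp 172.16.1.51 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.16.1.52 8080 interface FastEthernet0/0 80
!
ip access-list extended fwall
 permit tcp any any eq telnet
 permit udp any any eq isakmp
 permit esp any any
 permit tcp any any eq 443
!
"""
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "isakmp": 500}
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                    r"(?:interface (\S+)|(\S+)) (\d+)")
OPS = {"eq": lambda p, a: p == a, "neq": lambda p, a: p != a,
       "gt": lambda p, a: p > a, "lt": lambda p, a: p < a}

def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]  # KeyError: keyword not in table

def parse_config(text):
    """Interface blocks, ACL blocks, top-level lines; a block ends at '!' or the next header."""
    interfaces, acls, top, block = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            block = None
            continue
        m = re.match(r"(interface|ip access-list \S+) (\S+)", line)
        if m:
            block = (m.group(1), m.group(2))
            (interfaces if block[0] == "interface" else acls)[block[1]] = []
            continue
        if block is None:
            top.append(line)
        else:
            (interfaces if block[0] == "interface" else acls)[block[1]].append(line)
    return interfaces, acls, top

def _skip_addr(tok, i):
    """Advance past 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    return i if i >= len(tok) else i + (1 if tok[i] == "any" else 2)

def _port_spec(tok, i):
    """Optional port operator at tok[i]: (op, port) / ('range', lo, hi) / None = any port."""
    if i < len(tok) and tok[i] in OPS:
        return (tok[i], port_number(tok[i + 1])), i + 2
    if i < len(tok) and tok[i] == "range":
        return ("range", port_number(tok[i + 1]), port_number(tok[i + 2])), i + 3
    return None, i

def parse_ace(line):
    """'permit tcp any any eq 443' -> ('permit', 'tcp', ('eq', 443)); None if not an ACE."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("permit", "deny"):
        return None
    i = _skip_addr(tok, 2)
    _, i = _port_spec(tok, i)          # source port operator: skipped, not evaluated
    i = _skip_addr(tok, i)
    dst_port, _ = _port_spec(tok, i)
    return tok[0], tok[1], dst_port

def port_allowed(spec, port):
    if spec is None:
        return True
    return spec[1] <= port <= spec[2] if spec[0] == "range" else OPS[spec[0]](port, spec[1])

def check_port_forwards(config):
    """One dict per static forward; 'permitted' = inbound ACL on the NAT outside interface admits the global port."""
    interfaces, acls, top = parse_config(config)
    acl_name = None
    for cmds in interfaces.values():
        if "ip nat outside" in cmds:
            acl_name = next((c.split()[2] for c in cmds if c.startswith("ip access-group ")
                             and c.endswith(" in")), acl_name)
    aces = [a for a in map(parse_ace, acls.get(acl_name, [])) if a]
    results = []
    for line in top:
        m = NAT_RE.match(line)
        if not m:
            continue
        proto, gport = m.group(1), int(m.group(6))
        permitted = acl_name is None        # no inbound ACL: nothing filters
        for action, aproto, dport in aces:  # first matching ACE wins; implicit deny at the end
            if aproto in ("ip", proto) and port_allowed(dport, gport):
                permitted = action == "permit"
                break
        results.append({"proto": proto, "inside": f"{m.group(2)}:{m.group(3)}",
                        "global_port": gport, "acl": acl_name, "permitted": permitted})
    return results
```

Run `check_port_forwards(open("show-run.txt").read())` against a saved `show run`; a forward with `permitted: False` is one the outside ACL will drop before NAT ever sees it. For the config in this thread the 443 forward comes back permitted, which is consistent with John's reading that the ACL is not the blocker here.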
10-21-2013 10:08 AM
No, it does not... same thing.
10-21-2013 10:18 AM
From the router, can you ssh into the device? "ssh -l
HTH,
John
*** Please rate all useful posts ***
10-21-2013 10:20 AM
I have SSH currently turned off on that device... I could turn it on, but it's currently in another building that I won't be able to go to until at least tomorrow. So at this point, no, that doesn't work, but I know from a firewall standpoint it's open. It's just an ESXi server.
10-21-2013 10:38 AM
I'm sorry...I was looking at something else when I posted that and obviously this is a web server. So, scratch the last thing that I mentioned.
As far as the configuration, I don't see anything wrong. Can you post "show ip nat trans"?
HTH,
John
*** Please rate all useful posts ***
10-21-2013 10:40 AM
Pro Inside global Inside local Outside local Outside global
tcp x.x.x.x:443 172.16.1.51:443 --- ---
x.x.x.x is my external address obviously
10-21-2013 10:45 AM
Okay, so the entry is there. I'm assuming that you can hit the site internally?
Try debugging nat, hit the site from the outside, and then post that debug here. "debug ip nat" (You may want to tie to an access-list for that single host)
HTH,
John
*** Please rate all useful posts ***
10-21-2013 10:57 AM
Getting a bunch of these:
*Oct 21 17:55:36.398: NAT*: s=outsideip, d=localwanIP->172.16.1.51 [11734]
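The debug line above is the inbound translation (`d=localwanIP->172.16.1.51`): the router is rewriting the destination and handing the packet to the inside host, so the static entry is doing its job. The thing to look for next in the same debug output is the matching reply translation, which IOS prints with the source rewritten (`s=172.16.1.51->localwanIP`). The script below is an added example written for this thread, not code from the poster or from Cisco; it assumes the two `debug ip nat` line shapes noted in its comments and works on constructed sample lines modelled on the one posted above.

```python
import re
from collections import defaultdict

# Two IOS 'debug ip nat' line shapes this parser assumes ('NAT*' marks the fast path):
#   NAT*: s=<outside>, d=<global>-><inside> [id]   inbound, destination translated
#   NAT*: s=<inside>-><global>, d=<outside> [id]   outbound, source translated
INBOUND_RE = re.compile(r"NAT\*?: s=([^\s,]+), d=([^\s,]+)->([^\s,]+) \[(\d+)\]")
OUTBOUND_RE = re.compile(r"NAT\*?: s=([^\s,]+)->([^\s,]+), d=([^\s,]+) \[(\d+)\]")

# Constructed sample, modelled on the single line the poster shared: three inbound
# hits for 172.16.1.51 with no reply, and one host (172.16.1.60) that does answer.
SAMPLE_DEBUG = """\
*Oct 21 17:55:36.398: NAT*: s=198.51.100.7, d=203.0.113.2->172.16.1.51 [11734]
*Oct 21 17:55:37.401: NAT*: s=198.51.100.7, d=203.0.113.2->172.16.1.51 [11735]
*Oct 21 17:55:40.120: NAT*: s=198.51.100.7, d=203.0.113.2->172.16.1.51 [11736]
*Oct 21 17:55:41.002: NAT*: s=198.51.100.9, d=203.0.113.2->172.16.1.60 [20001]
*Oct 21 17:55:41.003: NAT*: s=172.16.1.60->203.0.113.2, d=198.51.100.9 [44]
"""

def tally_translations(debug_text):
    """Per inside host: count inbound (global->inside) and reply (inside->global) translations."""
    counts = defaultdict(lambda: {"inbound": 0, "reply": 0})
    for line in debug_text.splitlines():
        m = INBOUND_RE.search(line)
        if m:
            counts[m.group(3)]["inbound"] += 1
            continue
        m = OUTBOUND_RE.search(line)
        if m:
            counts[m.group(1)]["reply"] += 1
    return dict(counts)

def one_way_hosts(debug_text):
    """Inside hosts that received translated packets but never replied through NAT.
    The router's translation is working for these; what to check next is the return
    path (is the host up and listening on that port, and does its reply come back
    through this router's inside interface rather than some other gateway)."""
    return sorted(h for h, c in tally_translations(debug_text).items()
                  if c["inbound"] and not c["reply"])

if __name__ == "__main__":
    print(tally_translations(SAMPLE_DEBUG))
    print("no reply seen from:", one_way_hosts(SAMPLE_DEBUG))
```

Feed it the captured `debug ip nat` output (restricted to the single host with an access-list, as suggested above, so the capture stays small). A host that shows up in `one_way_hosts` is exactly the pattern in the last post: inbound translations only, and no reply ever traverses the NAT inside interface.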