Cisco Router 871 - Internal Web Server behind two NATs

sada
Level 1

- we are provided a public IP address 1.2.3.4

- our ISP uses NAT on their router (first router on the way) which translates 1.2.3.4 to 10.38.36.n

- we use Cisco Router 871 (second router on the way) which translates 10.38.36.2 to 172.16.0.n

- there is no problem to use dynamic NAT to access internet from end devices from 172.16.0.0/24 subnet

- it is possible to access Cisco Router 871's embedded web server (port 80) when no static NAT is configured

But when I try to use the following NAT rules, it is not possible to access an internal web server with IP address 172.16.0.67:

ip nat inside source static tcp 172.16.0.67 80 interface FastEthernet4 80
ip nat inside source static tcp 172.16.0.67 443 interface FastEthernet4 443

An outside interface of Cisco Router 871 has the following IP Address:

Router#show ip interface FastEthernet 4
FastEthernet4 is up, line protocol is up
Internet address is 10.38.136.2/26
Broadcast address is 255.255.255.255
Address determined by DHCP

The following translations are configured on Cisco Router 871 using the rules mentioned above:

Router#show ip nat translation | include tcp
tcp 10.38.136.2:80 172.16.0.67:80 --- ---
tcp 10.38.136.2:443 172.16.0.67:443 --- ---

The following default route is configured on Cisco Router 871:

ip route 0.0.0.0 0.0.0.0 10.38.136.1

Could you please help me to point out what is not visible to me - what is wrong with this configuration?

5 Replies

Jon Marshall
Hall of Fame

It should work so there must be something else blocking it. 

Do you have any ACLs that could be blocking the traffic?

Also make sure you have proxy ARP enabled on the fa4 interface (it should be unless you have disabled it), but you can check with -

"sh ip int fa4"

Jon

I checked both that Proxy ARP is enabled and the existing ACLs, but still don't see what could be wrong:

Router#show ip interface FastEthernet 4 | include Proxy
Proxy ARP is enabled
Local Proxy ARP is disabled
Router#show running-config | include access
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.0.127

So, as always, it was not an issue directly related to the Cisco Support Forum. In this case, the Default Gateway was missing after an IPv4 re-configuration within Windows Server and a box restart (I would bet the Default Gateway was present after the re-configuration and was only missing after the restart).

But let me ask one more question - do you recommend ACLs accompanying static NAT rules, in my case rules allowing HTTP and HTTPS traffic?

Yes I do. 

The way I look at it is that ACLs are used to control what traffic is allowed or not, whereas NAT was never intended for that purpose.

Just my opinion. 

Jon

sada
Level 1

I did debug ip nat and here is the outcome:

013849: .Aug 11 09:42:59.420: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10759]
013850: .Aug 11 09:42:59.672: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10760]
013851: .Aug 11 09:43:01.136: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10761]
013855: .Aug 11 09:43:02.427: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10762]
013861: .Aug 11 09:43:02.679: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10763]
013869: .Aug 11 09:43:04.147: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10764]
013881: .Aug 11 09:43:08.434: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10765]
013886: .Aug 11 09:43:08.682: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10766]
013906: .Aug 11 09:43:10.161: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10767]
014315: .Aug 11 09:43:50.458: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10768]
014319: .Aug 11 09:43:50.710: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10769]
014337: .Aug 11 09:43:53.477: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10770]
014338: .Aug 11 09:43:53.729: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10771]
014351: .Aug 11 09:43:59.476: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10772]
014352: .Aug 11 09:43:59.723: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10773]
014539: .Aug 11 09:44:08.609: NAT: expiring 10.38.136.2 (172.16.0.67) tcp 80 (80)
014557: .Aug 11 09:44:09.121: NAT: expiring 10.38.136.2 (172.16.0.67) tcp 80 (80)
014561: .Aug 11 09:44:10.145: NAT: expiring 10.38.136.2 (172.16.0.67) tcp 80 (80)

Can anybody advise, reading the events above, whether the NAT process is doing well and I should start to investigate somewhere else?
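The debug lines above only ever show the outside-to-inside rewrite (d=10.38.136.2->172.16.0.67) followed by the entries expiring; there is no line in which the server's reply is translated back out, which is consistent with the missing default gateway found earlier in the thread. The following Python script is an added example, not part of the thread or of Cisco's tooling: it splits saved `debug ip nat` output by direction and lists inside hosts that were reached but never answered, so the NAT process can be cleared and the hunt moved inside. The log sample is constructed (three lines mirror the thread's output; the two 172.16.0.50 lines are invented to show a healthy two-way flow).

```python
import re
from collections import defaultdict

# "debug ip nat" translation line; the arrow marks the rewritten address:
# "d=X->Y" is outside-to-inside (static entry X to inside host Y), "s=Y->X" is the reply.
_XLATE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_t>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_t>[\d.]+))? \[(?P<pid>\d+)\]"
)
_EXPIRE = re.compile(r"NAT: expiring (?P<glob>[\d.]+) \((?P<local>[\d.]+)\)")

def parse_nat_line(line):
    """Return (kind, inside_host, peer) or None for lines that are not tracked."""
    m = _XLATE.search(line)
    if m and m.group("d_t"):   # destination rewritten: packet came in from outside
        return ("in", m.group("d_t"), m.group("s"))
    if m and m.group("s_t"):   # source rewritten: the inside host's reply going out
        return ("out", m.group("s"), m.group("d"))
    m = _EXPIRE.search(line)
    return ("expire", m.group("local"), m.group("glob")) if m else None

def summarize(lines):
    """Per inside host: number of inbound, outbound and expiry events."""
    counts = defaultdict(lambda: {"in": 0, "out": 0, "expire": 0})
    for line in lines:
        parsed = parse_nat_line(line)
        if parsed:
            kind, host, _peer = parsed
            counts[host][kind] += 1
    return dict(counts)

def one_way_hosts(summary):
    """Hosts that got translated packets but never answered: NAT worked, look inside."""
    return sorted(h for h, c in summary.items() if c["in"] and not c["out"])

# Constructed sample: lines 1-3 copy the shape of the thread's output; lines 4-5
# are made up to show a host (172.16.0.50) whose reply is translated back out.
SAMPLE = """\
013849: .Aug 11 09:42:59.420: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10759]
013850: .Aug 11 09:42:59.672: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.67 [10760]
014539: .Aug 11 09:44:08.609: NAT: expiring 10.38.136.2 (172.16.0.67) tcp 80 (80)
099901: .Aug 11 09:50:00.000: NAT*: s=172.16.0.50->10.38.136.2, d=10.38.254.254 [20001]
099902: .Aug 11 09:50:00.100: NAT*: s=10.38.254.254, d=10.38.136.2->172.16.0.50 [20002]
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE))
    print("one-way hosts (no reply seen):", one_way_hosts(summarize(SAMPLE)))
```

Feed it the real debug capture instead of SAMPLE; a host listed as one-way with a non-zero expire count is exactly the pattern in the thread, where the router translated and then timed out because nothing came back.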