
Help configuring NAT on a Cisco 891F router

gary.cannell1 (Level 1)


Hi,

I'm looking for some help in configuring NAT on my Cisco 891F router.

I have a pool of five public IP addresses provided by my ISP and would like two of them to provide external access to my security cameras. My ISP also provided an additional router address as part of the public IP address range.

I have assigned the router address to the Dialer1 interface in my router configuration and attempted to NAT using two of the provided addresses as follows:

ip nat inside source static udp 192.168.1.2 8000 81.150.26.63 8000 extendable
ip nat inside source static udp 192.168.1.3 8000 81.150.26.64 8000 extendable

The problem I have is that I simply cannot get access to my inside network addresses from the outside. I wondered if one of you experts out there would kindly take a look at my configuration to see if there's anything obvious that I'm doing wrong. One other thing that I did do was to enable autosec_firewall on the router, and I wondered if this might be causing any interference.

Any help is fully appreciated.

Configuration:

Building configuration...

Current configuration : 4500 bytes
!
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$QE2E$cu2ed.d7dKTs6.0ZhJ328/
enable password 7 142417081E573E6A
!
aaa new-model
!
aaa authentication login local_auth local
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool vlan1pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 213.120.234.70
!
no ip bootp server
no ip domain lookup
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip cef
login block-for 5 attempts 3 within 5
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C891F-K9 sn FCZ2214137E
!
archive
 log config
  logging enable
username Grid password 7 097F4B0A0B560353
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description ### WAN interface ###
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface Async3
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface Dialer1
 ip address 81.150.26.30 255.255.255.248
 ip access-group autosec_firewall_acl in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect autosec_inspect out
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname C000332@hg28.btclick.com
 ppp chap password 7 1414130502512628757A60
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.1.2 8000 81.150.26.63 8000 extendable
ip nat inside source static udp 192.168.1.3 8000 81.150.26.64 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
!
logging trap debugging
logging facility local2
no cdp run
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit udp any any eq bootpc
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
banner motd ^CUNA^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line 3
 exec-timeout 15 0
 login authentication local_auth
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login authentication local_auth
 transport input telnet
!
scheduler allocate 20000 1000
!
end


6 Replies

Hello,

The three IP addresses (the Dialer interface IP address and the two static IP addresses) all belong to different subnets:

81.150.26.63/29 --> broadcast address of subnet 81.150.26.56/29
81.150.26.64/29 --> subnet address of subnet 81.150.26.64/29
81.150.26.30/29 --> belongs to subnet 81.150.26.24/29

If your provider gives you 5 public IP addresses, they should be contiguous. Since you have a /29 subnet mask, check if the below addresses are usable:

81.150.26.25/29
81.150.26.26/29
81.150.26.27/29
81.150.26.28/29
81.150.26.29/29
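A quick check of those addresses with Python's standard ipaddress module, added here as an illustration and not part of Georg's post: it reproduces the classification above and lists the usable hosts of the router's /29, which is the set any static NAT global address has to come from. The function names are my own.

```python
import ipaddress


def classify(addr: str, prefixlen: int):
    """Return (role, subnet) for addr under the given mask.

    role is 'network', 'broadcast' or 'host'; subnet is the /prefixlen block
    the address falls into. Only 'host' addresses can be used for NAT.
    """
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    ip = ipaddress.ip_address(addr)
    if ip == net.network_address:
        role = "network"
    elif ip == net.broadcast_address:
        role = "broadcast"
    else:
        role = "host"
    return role, str(net)


def usable_hosts(addr: str, prefixlen: int):
    """All host addresses of the subnet containing addr (network and broadcast excluded)."""
    net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
    return [str(h) for h in net.hosts()]


def check_static_nat_targets(wan_ip: str, prefixlen: int, nat_globals):
    """For each global address used on a static NAT line, report whether it is a
    host address inside the WAN interface's own subnet: (usable, role, subnet)."""
    wan = ipaddress.ip_network(f"{wan_ip}/{prefixlen}", strict=False)
    report = {}
    for g in nat_globals:
        role, subnet = classify(g, prefixlen)
        usable = role == "host" and ipaddress.ip_address(g) in wan
        report[g] = (usable, role, subnet)
    return report


if __name__ == "__main__":
    # Dialer1 address and the two static NAT globals exactly as posted.
    wan_ip, mask = "81.150.26.30", 29
    posted = ["81.150.26.63", "81.150.26.64"]
    for ip, (ok, role, subnet) in check_static_nat_targets(wan_ip, mask, posted).items():
        print(f"{ip}: {'OK' if ok else 'NOT usable'} ({role} address of {subnet})")
    print("usable hosts of the WAN /29:", usable_hosts(wan_ip, mask))
```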

Hi Georg,

My apologies for causing some confusion here. For security reasons I attempted to mask the real addresses being used, not realising that I had invalidated the range.

The IP address range provided by my ISP is contiguous; the addresses are:

81.150.26.25 to 81.150.26.29, and a router address of 81.150.26.30

IPv4 Network address: 81.150.26.24
IPv4 Router address: 81.150.26.30
IPv4 Subnet mask: 255.255.255.248

Thank you for taking a look at this. Is there anything within the rest of my configuration that might be causing the issue?

Regards

Gary

 

 

Hello,

Thanks for clarifying. I suppose Paul's post provides the solution, but since I have been looking at your config as well, I have come up with a solution that moves the entire inspection to the inside. The config would look as below (the logging and ICMP stuff in the access lists is for verification; you might want to remove these once the connectivity works).

One small thing: also exclude the IP address of the VLAN 1 interface from the DHCP pool.

 

ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool vlan1pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server 213.120.234.70
!
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
!
interface GigabitEthernet8
 description ### WAN interface ###
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
! inspection and the LAN-side ACL now sit on the inside interface
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 ip access-group autosec_firewall_acl in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip inspect autosec_inspect in
 ip virtual-reassembly in
!
! no inspect/uRPF on the outside interface; only the inbound ACL below
interface Dialer1
 ip address 81.150.26.30 255.255.255.248
 ip access-group autosec_firewall_sec in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname C000332@hg28.btclick.com
 ppp chap password 7 1414130502512628757A60
 no cdp enable
!
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static udp 192.168.1.2 8000 81.150.26.63 8000 extendable
ip nat inside source static udp 192.168.1.3 8000 81.150.26.64 8000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended autosec_firewall_acl
 permit tcp 192.168.1.0 0.0.0.255 any
 permit udp 192.168.1.0 0.0.0.255 any
 permit icmp 192.168.1.0 0.0.0.255 any
 deny ip any any log
!
! name must match the access-group applied inbound on Dialer1 above
ip access-list extended autosec_firewall_sec
 permit icmp any 81.150.26.24 0.0.0.7 unreachable
 permit icmp any 81.150.26.24 0.0.0.7 echo-reply
 permit icmp any 81.150.26.24 0.0.0.7 packet-too-big
 permit icmp any 81.150.26.24 0.0.0.7 time-exceeded
 permit icmp any 81.150.26.24 0.0.0.7 traceroute
 permit icmp any 81.150.26.24 0.0.0.7 administratively-prohibited
 permit icmp any 81.150.26.24 0.0.0.7 echo
 permit udp any 81.150.26.24 0.0.0.7 eq 8000
 deny ip any any log
!
access-list 1 permit 192.168.1.0 0.0.0.255

 

Hello

@Georg Pauwen, I see you have amended the CBAC ACL for ICMP. FYI, though, CBAC has an ICMP feature to call on just for this reason, if you wanted to allow ICMP:

ip inspect name autosec_inspect icmp


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello

Your static NAT configuration is okay; however, you have CBAC applied with unicast reverse path forwarding in strict mode.
If you amend the CBAC and uRPF access control lists to allow communication to these hosts then it should work. Please apply the below changes and test again.

ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 permit udp any any eq 8000
 deny ip any any

ip access-list extended 100
 permit udp any any eq 8000


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
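A first-match ACL evaluator in Python, added here as an illustration and not part of Paul's post or of IOS: it models the permit/deny lines above (and the address-plus-wildcard form Georg uses) against a constructed inbound UDP/8000 packet to one of the static NAT addresses, and shows why the new permit has to sit above `deny ip any any`: in IOS named-ACL mode a line typed without a sequence number is appended after the existing deny and never matches. The remote source 203.0.113.10 (documentation range) and the one-entry port-name table are constructed.

```python
import ipaddress

# Constructed: the only service-name keyword the posted ACLs use.
PORT_NAMES = {"bootpc": 68}


def _parse_addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    # An IOS wildcard is the inverted netmask; assume it is contiguous (true for every ACL on this page).
    mask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{bin(mask).count('1')}", strict=False), i + 2


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT] [log]' (destination-port form only, as posted)."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = int(PORT_NAMES.get(t[i + 1], t[i + 1]))
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "dport": dport}


def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; when nothing matches, IOS applies its implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], line
    return "deny", "implicit deny"


# The inbound ACL as the OP posted it, and two ways of adding Paul's line to it.
ORIGINAL = ["permit udp any any eq bootpc", "deny ip any any"]
APPENDED = ORIGINAL + ["permit udp any any eq 8000"]  # what typing the line into the existing ACL produces
REORDERED = ["permit udp any any eq bootpc", "permit udp any any eq 8000", "deny ip any any"]

# Constructed test packet: a remote viewer reaching the first camera's public address.
CAMERA_PKT = ("udp", "203.0.113.10", "81.150.26.63", 8000)


def camera_reachable(acl):
    return evaluate(acl, *CAMERA_PKT)[0] == "permit"


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("appended", APPENDED), ("reordered", REORDERED)):
        print(f"{name:9s} -> {evaluate(acl, *CAMERA_PKT)}")
```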

I’ve implemented the changes as suggested and all appears to be working now.

Thank you for your time looking into this.

Best Regards

GaryC