Help me setup NAT

aleks222
Level 1
Very simple network:
client -> Cisco 881 -> ISP

A bit more detail:
client(192.168.0.12) -> Vlan1(192.168.0.3, ip nat inside) -> Dialer0(90.157.26.245, ip nat outside) -> ISP
 
The configuration is enclosed at the bottom.
 
The problem is as follows:
Ping from the router is successfully transmitted through NAT:
cisco.k259#ping 8.8.8.8 source 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms
cisco.k259#
Mar 13 16:57:56.436: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1657]
Mar 13 16:57:56.480: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.480: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1658]
Mar 13 16:57:56.524: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.524: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1659]
Mar 13 16:57:56.568: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.568: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1660]
Mar 13 16:57:56.612: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.612: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1661]
Mar 13 16:57:56.656: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
 
Ping from the client does not go through NAT (no answer at all):
C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

cisco.k259#
Mar 13 16:58:44.073: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8632]
Mar 13 16:58:48.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8633]
Mar 13 16:58:53.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8634]
Mar 13 16:58:58.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8635]

Can someone point out the cause of the problem and how to fix it?
Running config

cisco.k259#show run

Building configuration...

Current configuration : 7255 bytes
!
! Last configuration change at 22:08:00 GMT Mon Mar 11 2019 by atest
! NVRAM config last updated at 14:43:41 GMT Sun Mar 10 2019 by atest
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname cisco.k259
!
boot-start-marker
boot-end-marker
!
!
logging discriminator FAN-FAIL severity drops 3 facility drops FAN mnemonics drops FAN_FAILED
logging buffered discriminator FAN-FAIL
no logging console
logging monitor discriminator FAN-FAIL
enable secret 5 $1$WSti$mDMsh6sXY2iguEI/Mchiy1
enable password xxxxxxxx_
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 5 0
!
crypto pki trustpoint TP-self-signed-3690135629
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3690135629
 revocation-check none
 rsakeypair TP-self-signed-3690135629
!
!
crypto pki certificate chain TP-self-signed-3690135629
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  quit
!

!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.7
!
ip dhcp pool k259
 import all
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.3
 domain-name k259
 dns-server 192.168.0.12 8.8.8.8
 lease 0 2
!
!
!
ip domain name k259
ip name-server 192.168.0.12
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
!
vpdn enable
!
vpdn-group PPTP_CLIENT
 description Rostelecom ISP
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip 10.0.0.1
!
cts logging verbose
license udi pid CISCO881W-GN-E-K9 sn FCZ164190LZ
!
!
username atest privilege 15 secret 4 6in4Lru2ZZ8N8cUij4q7JvPlkL..hsURCkjm.d4NOR2
!
!
!
!
no cdp run
!
!

!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 10.0.47.132 255.255.255.0
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip address 10.10.11.1 255.255.255.0
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.0.3 255.255.255.0
 ip address 192.168.0.5 255.255.255.0 secondary
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1360
!
interface Dialer0
 description $ETH-WAN$
 mtu 1436
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1360
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 ppp authentication ms-chap-v2 callin
 ppp chap hostname 90.157.26.245
 ppp chap password 0 XXXXXXXXXX
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
no ip ftp passive
ip dns server
ip nat translation max-entries all-host 400
ip nat inside source static tcp 192.168.0.12 3389 interface Dialer0 3389
ip nat inside source list 101 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 3
ip route 10.0.0.1 255.255.255.255 10.0.47.1
ip route 10.10.11.0 255.255.255.0 wlan-ap0
!
dialer-list 1 protocol ip permit
!
snmp-server community k259 RO
access-list 1 remark internet
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.0.0 0.0.0.15
access-list 101 remark internet2
access-list 101 remark CCP_ACL Category=2
access-list 101 remark test 2
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 remark WAN rule
access-list 150 remark CCP_ACL Category=1
access-list 150 remark WAN rule entry
access-list 150 permit ip any any
!
vstack
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
^C
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 privilege level 15
 password xxxxxxxx
 login local
 transport input telnet ssh
!
ntp master
ntp update-calendar
ntp server ntp2.stratum2.ru
!
end
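An added example, not from the thread or from Cisco: a small Python parser for `debug ip nat` lines of the kind shown in the post above. It pairs outbound translations with the replies translated back, per inside host, and lists flows that never saw a reply; the `*` after `NAT` marks a translation done in the fast-switched path, which is counted separately so router-sourced and client-sourced pings can be compared. The sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Sample copied from the post above: one router-sourced echo with its reply,
# then four client-sourced echoes for which no reply was ever translated back.
SAMPLE_DEBUG = """\
Mar 13 16:57:56.436: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1657]
Mar 13 16:57:56.480: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:58:44.073: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8632]
Mar 13 16:58:48.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8633]
Mar 13 16:58:53.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8634]
Mar 13 16:58:58.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8635]
"""

# One 'debug ip nat' line; the optional '*' after NAT marks a fast-path translation.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): NAT(?P<fast>\*?): "
    r"s=(?P<src>[^,\s]+), d=(?P<dst>\S+) \[(?P<ident>\d+)\]$"
)

def parse_line(line):
    """Return (inside_local, remote, direction, fast_switched) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fast = m.group("fast") == "*"
    src, dst = m.group("src"), m.group("dst")
    if "->" in src:  # inside -> outside: s=inside_local->inside_global
        return src.split("->")[0], dst, "out", fast
    if "->" in dst:  # outside -> inside: d=inside_global->inside_local
        return dst.split("->")[1], src, "in", fast
    return None

def summarize(debug_text):
    """Count translated packets per (inside_local, remote) flow, by direction."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "fast_out": 0, "fast_in": 0})
    for line in debug_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        inside_local, remote, direction, fast = parsed
        flows[(inside_local, remote)][direction] += 1
        if fast:
            flows[(inside_local, remote)]["fast_" + direction] += 1
    return dict(flows)

def unanswered(flows):
    """Flows translated outbound for which no reply was ever translated back."""
    return sorted(k for k, v in flows.items() if v["out"] and not v["in"])
```

Running `summarize(SAMPLE_DEBUG)` shows 192.168.0.5 with one outbound and one inbound translation, while 192.168.0.12 has four fast-path outbound translations and none inbound, which is exactly the asymmetry the post describes.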

6 Replies

Dennis Mink
VIP Alumni

Are you able to connect to the internet, and is it just ICMP you are having a problem with? In which case, put an access list on your dialer inbound allowing ICMP echo replies.

Please remember to rate useful posts, by clicking on the stars below.

Could you give a more specific example of an access list? And where exactly should it be installed?
I am not well versed in IOS.

So, gentlemen, the problem was with CEF.

no ip cef

brings NAT back to a working state.

Hello


@aleks222 wrote:
Very simple network
client -> Cisco 881 -> ISP
 
A bit more detail:
client(192.168.0.12) -> Vlan1(192.168.0.3, ip nat inside) -> Dialer0(90.157.26.245, ip nat outside) -> ISP
 
The configuration is enclosed at the bottom.
 
The problem is as follows:
Ping from the router is successfully transmitted through NAT
cisco.k259#ping 8.8.8.8 source 192.168.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms
cisco.k259#
Mar 13 16:57:56.436: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1657]
Mar 13 16:57:56.480: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.480: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1658]
Mar 13 16:57:56.524: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.524: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1659]
Mar 13 16:57:56.568: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.568: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1660]
Mar 13 16:57:56.612: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
Mar 13 16:57:56.612: NAT: s=192.168.0.5->90.157.26.245, d=8.8.8.8 [1661]
Mar 13 16:57:56.656: NAT*: s=8.8.8.8, d=90.157.26.245->192.168.0.5 [0]
 
Ping from the client does not go through NAT (no answer at all):
C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)

cisco.k259#
Mar 13 16:58:44.073: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8632]
Mar 13 16:58:48.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8633]
Mar 13 16:58:53.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8634]
Mar 13 16:58:58.706: NAT*: s=192.168.0.12->90.157.26.245, d=8.8.8.8 [8635]

Looks like NAT is working. Check to make sure you don't have any software FW on the client negating the echo-reply; for testing, turn the client FW off and try again.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

There is no firewall on the client.
Through another router (not Cisco) the client, without any configuration changes, pings successfully.

In the debug log you can clearly see that the ping request reached the router. But the reply has gone somewhere.

I am grateful for your advice, but do not assume that I do not understand anything about setting up a network.
My problem is not with the network, nor with understanding how the network works.
My problem is with configuring this specific Cisco router.

Therefore, instead of trivial advice, tips or links to manuals on "how to trace the packet path on the router and determine why it does not reach its destination" would be of great benefit.