How to exclude NAT to occur ?

danail-petrov
Level 1

Dear colleagues,

I'm using a Cisco 2811 as the gateway router in our office. It's not a big deal, just a few services, but now I'm experiencing the following problem.

I've got a dedicated range of IPv4 addresses which are provided by the local ISP. I'm using one of these addresses to create static translations from outside to inside (I have a mail, web and DNS server that must be reachable from all over the world). Moreover, I've installed Cisco EasyVPN to terminate our mobile users who travel with their notebooks, phones, etc. I'm mentioning the EasyVPN because it's the primary reason to use Cisco's 'ip nat enable' feature instead of 'ip nat inside/outside' applied on the interface (because I want all the network traffic generated from mobile users to be translated by our router). Since there is no other way to make the `inside` interface `outside` (because all the traffic is coming/going through the WAN interface where the crypto map is applied), I have to use the NVI interface for that purpose. Also, I have to use PPTP for devices that don't support Cisco's VPN service, and this is the main problem! Everything works fine, except one thing - static translation!

Let me show you my current configuration:

interface FastEthernet0/0.301 (WAN LINK)
 encapsulation dot1Q 301
 ip address X.X.X.X 255.255.255.X
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat enable
 ip virtual-reassembly
 no cdp enable
 crypto map IPSec

interface FastEthernet0/1.302 (LAN LINK)
 bandwidth 100
 encapsulation dot1Q 302
 ip address 192.168.20.1 255.255.255.0
 ip nbar protocol-discovery
 ip nat enable
 ip virtual-reassembly

interface Virtual-Template1 (PPTP IF)
 ip address 192.168.25.1 255.255.255.254
 ip mtu 1460
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 ip nat enable
 ip ospf network point-to-point
 ip ospf 100 area 0
 load-interval 30
 keepalive 3600 168
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap ms-chap-v2
end

NAT config:

ip nat source list office interface FastEthernet0/0.301 overload
ip nat source static tcp 192.168.20.5 8888 interface FastEthernet0/0.301 8888

Router#show ip nat nvi translations
Pro Source global      Source local       Destin local       Destin global
tcp X.X.X.X:8888       192.168.20.5:8888  ---                ---

Now, when I log into the VPN using PPTP, I'm receiving the IP address 192.168.25.34. With this address, I'm trying to open the following URL:

http://192.168.20.5:8888

And the result actually is my real problem:

border#show ip nat nvi translations verbose
tcp X.X.X.X:8888       192.168.20.5:8888  192.168.25.34:2507 192.168.25.34:2507
    create 00:00:40, use 00:00:19 timeout:300000, left 00:00:40,
    flags:
extended, limited, nvi-entry, use_count: 0, entry-id: 131634, lc_entries: 0
tcp X.X.X.X:8888       192.168.20.5:8888  192.168.25.34:2510 192.168.25.34:2510
    create 00:00:19, use 00:00:10 timeout:300000, left 00:00:49,
    flags:
extended, limited, nvi-entry, use_count: 0, entry-id: 131669, lc_entries: 0
tcp X.X.X.X:8888       192.168.20.5:8888  192.168.25.34:2511 192.168.25.34:2511
    create 00:00:16, use 00:00:06 timeout:300000, left 00:00:53,
    flags:
extended, limited, nvi-entry, use_count: 0, entry-id: 131671, lc_entries: 0
tcp X.X.X.X:8888       192.168.20.5:8888  ---                ---
    create 23:33:09, use 00:00:16 timeout:0, timing-out,
    flags:

The router didn't route my request but is actually trying to do NAT because of the 'ip nat enable' rule on both interfaces (Virtual-X and Fa0/0.301). And nothing happens! The page times out!

border#show ip nat nvi statistics
NAT Enabled interfaces:
  FastEthernet0/0.301, FastEthernet0/1.302, Virtual-Template1
  Virtual-Access3

So my question is, how do I handle this? In PIX/ASA there is a nonat rule (zero rule) which could perfectly be used here, but unfortunately this is not a firewall. So I hope that you've understood my issue, and I really hope that someone can give me a clue!
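To make the symptom in the post easier to spot on a router with many translations, the following script parses the `show ip nat nvi translations verbose` listing and flags dynamic entries where a LAN host's reply toward a PPTP client was caught by the static translation instead of being routed untouched. This is an added example, not code from the post or from Cisco; it assumes the address plan shown in the post (LAN 192.168.20.0/24, PPTP pool 192.168.25.0/24) and uses the documentation address 203.0.113.10 as a stand-in for the masked public address X.X.X.X. The sample output is constructed from the rows in the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, modelled on the "show ip nat nvi translations verbose"
# listing in the post. 203.0.113.10 is a documentation address standing in
# for the masked public address X.X.X.X; the other values come from the post.
SAMPLE_OUTPUT = """\
tcp 203.0.113.10:8888 192.168.20.5:8888 192.168.25.34:2507 192.168.25.34:2507
    create 00:00:40, use 00:00:19 timeout:300000, left 00:00:40,
    flags:
extended, limited, nvi-entry, use_count: 0, entry-id: 131634, lc_entries: 0
tcp 203.0.113.10:8888 192.168.20.5:8888 192.168.25.34:2510 192.168.25.34:2510
    create 00:00:19, use 00:00:10 timeout:300000, left 00:00:49,
    flags:
extended, limited, nvi-entry, use_count: 0, entry-id: 131669, lc_entries: 0
tcp 203.0.113.10:8888 192.168.20.5:8888 --- ---
    create 23:33:09, use 00:00:16 timeout:0, timing-out,
    flags:
"""

# Assumed address plan, taken from the post's configuration.
LAN_NET = ipaddress.ip_network("192.168.20.0/24")
VPN_POOL = ipaddress.ip_network("192.168.25.0/24")

# One translation row: protocol, source global/local, destination local/global.
ROW_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+(?P<sg>\S+)\s+(?P<sl>\S+)\s+(?P<dl>\S+)\s+(?P<dg>\S+)\s*$"
)
ENTRY_ID_RE = re.compile(r"entry-id:\s*(\d+)")

Endpoint = Optional[Tuple[ipaddress.IPv4Address, int]]


@dataclass
class Translation:
    proto: str
    source_global: Endpoint
    source_local: Endpoint
    dest_local: Endpoint
    dest_global: Endpoint
    entry_id: Optional[int] = None

    def is_static_template(self) -> bool:
        """The static mapping itself has no destination ('---'); its dynamic children do."""
        return self.dest_local is None and self.dest_global is None


def parse_endpoint(token: str) -> Endpoint:
    """'192.168.20.5:8888' -> (IPv4Address, 8888); '---' -> None."""
    if token == "---":
        return None
    host, _, port = token.rpartition(":")
    return ipaddress.IPv4Address(host), int(port)


def parse_nvi_translations(text: str) -> List[Translation]:
    """Parse the verbose NVI translation listing into Translation records."""
    entries: List[Translation] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            entries.append(Translation(
                proto=m["proto"],
                source_global=parse_endpoint(m["sg"]),
                source_local=parse_endpoint(m["sl"]),
                dest_local=parse_endpoint(m["dl"]),
                dest_global=parse_endpoint(m["dg"]),
            ))
            continue
        # The flags detail line carries the entry-id of the most recent row.
        eid = ENTRY_ID_RE.search(line)
        if eid and entries:
            entries[-1].entry_id = int(eid.group(1))
    return entries


def find_vpn_hairpins(entries: List[Translation], lan=LAN_NET, vpn_pool=VPN_POOL) -> List[Translation]:
    """Dynamic entries where a LAN host's reply to a VPN client was translated by the
    static rule (source local in the LAN, destination local in the VPN pool)."""
    hits = []
    for t in entries:
        if t.is_static_template():
            continue
        if t.source_local[0] in lan and t.dest_local[0] in vpn_pool:
            hits.append(t)
    return hits


if __name__ == "__main__":
    for t in find_vpn_hairpins(parse_nvi_translations(SAMPLE_OUTPUT)):
        print(f"entry-id {t.entry_id}: {t.source_local} -> {t.dest_local} "
              f"rewritten to {t.source_global}; VPN traffic should bypass NAT")
```

Run against a captured `show ip nat nvi translations verbose` instead of the constructed sample to list every entry-id that matches the post's symptom; the base static entry (the `---` row) is deliberately skipped, since it is the mapping itself and not a stray translation.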

2 Replies

danail-petrov
Level 1

Any piece of advice? Anyone? C'mon guys, there should be something that can be done ...

BR,

Danail Petrov

Guys,

I'm wondering, did you understand my issue in question? Maybe the reason for this "silence" is a wrong description/explanation? If so, please let me know!
