IP NAT help

zeroasylum
Level 1

I have a Cisco 867VAE-W. I was hoping someone would be able to look at my current config and help me to get NAT from outside my network to IP CCTV cameras and remote desktop functionality to work.
I just can't seem to get it to work. I have internet access in and out, no issues with that, but can't get NAT to specific IPs and ports to work.
I have tried the following: ip nat inside source static TCP 192.168.1.15 3389 interface Dialer0 3389. It does appear in the NAT translations but does not work. When I execute the command show ip nat translations it does appear, but does not work. Some advice and help would be welcome.


I have pasted the config below, which I got from my ISP and modified slightly.

Thanks

Zeroasylum


! Last configuration change at 05:21:42 UTC Tue Jan 9 2018 by admin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco-867
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
no aaa new-model
ppp packet throttle 100 1 5
wan mode dsl
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.2
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.253
!
ip dhcp pool ccp-pool
 import all
 network 192.168.1.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 203.12.160.35 203.12.160.36
 lease 0 2
!
!
!
ip domain name iinet.net.au
ip name-server 203.0.178.191
ip name-server 203.215.29.191
ip cef
no ipv6 cef
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3884120332
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3884120332
 revocation-check none
 rsakeypair TP-self-signed-3884120332
!
!
crypto pki certificate chain TP-self-signed-3884120332
 certificate self-signed 01
        quit
!
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network local_cws_net
!
object-group network local_lan_subnets
 any
!
object-group network vpn_remote_subnets
 any
!
username admin privilege 15 secret 5 $1$7D9Y$B60lQY8ApWbPGJQxiTPCg/
username iinet privilege 15 secret 5 $1$nFkx$2l3hAH4AWNrJ9nOh/h4GZ1
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
  quit
!
!
controller VDSL 0
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description pppoe_0_8_35
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Ethernet0
 description -- iiNet FTTN : VDSL2 --
 ip address dhcp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 no cdp enable
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
 ip tcp adjust-mss 1412
 shutdown
 duplex auto
 speed auto
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXXX password XXXXXXXX
 ppp ipcp dns request
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip tcp port 5060
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source list nat-list interface Ethernet0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Ethernet0
!
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
!
dialer-list 1 protocol ip permit
mac-address-table aging-time 10
no cdp run
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 199 permit ip any any
!
!
line con 0
 login local
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 60000 1000
!
end

4 Replies

Hello

Can you confirm the current setup regarding your external WAN access?

I see you have two default routes, pointing to your dialer and a physical interface, and the NAT configuration relating to them.

FYI - you shouldn't use an ACL with any any for NAT as it could consume unnecessary CPU processing. As such, it's recommended to specify the actual prefix/subnet to be translated.

res

Paul

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi,

1. For RDP to work you will need two rules. RDP uses both TCP 3389 and UDP 3389, so you will need to create two entries. The one you mentioned looks correct, but you are missing the one for UDP.

2. It looks like you have two external interfaces, so when you create NAT rules for a single interface only, you need to connect to the IP of the interface you created the rules for. For instance, if you created NAT rules for RDP on Dialer 0, you can't connect to RDP using the Ethernet 0 public IP. You didn't mention how you connect, so keep that in mind.

3. For cameras, you need to create separate rules for the ports they use. If you have multiple cameras listening on the same port, you need to create rules which use different public ports if you want to have access to all of them at the same time.

Thank you,

Mikolaj

**** PLEASE RATE IF USEFUL. ****
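Putting the three points above into one configuration, as an added example that is not from the thread or from Cisco: static PAT for the RDP host plus two cameras that share an inside port, and an inbound ACL on Dialer0 so only a known management source can reach the published ports. The camera addresses (192.168.1.21/22), the camera port (554) and the management source (203.0.113.10) are assumptions, not values from the page.

```cisco
! Added example (not from the thread). Assumptions: the cameras are at
! 192.168.1.21 and 192.168.1.22 and listen on TCP 554, and the only remote
! source that should reach RDP/cameras is 203.0.113.10 (all constructed).
!
! RDP host from the question: TCP 3389, plus UDP 3389 as the reply recommends
ip nat inside source static tcp 192.168.1.15 3389 interface Dialer0 3389
ip nat inside source static udp 192.168.1.15 3389 interface Dialer0 3389
!
! Two cameras on the same inside port cannot share one public port, so each
! is published on its own outside port (8554 and 8555)
ip nat inside source static tcp 192.168.1.21 554 interface Dialer0 8554
ip nat inside source static tcp 192.168.1.22 554 interface Dialer0 8555
!
! Inbound ACL on the WAN interface. It is evaluated before NAT, so it matches
! the public (outside) ports. The management source is permitted first, then
! the published ports are denied for everyone else BEFORE the generic
! return-traffic permits, so "established" or a source-port-53 packet cannot
! slip through to a forwarded port.
! Without stateful inspection, "established" covers TCP only, so UDP replies
! (DNS) and the ICMP types needed for PMTUD are permitted explicitly. A
! zone-based firewall (the zones in the posted config) is the stateful way
! to do this properly.
ip access-list extended WAN-IN
 permit tcp host 203.0.113.10 any eq 3389
 permit udp host 203.0.113.10 any eq 3389
 permit tcp host 203.0.113.10 any range 8554 8555
 deny   tcp any any eq 3389
 deny   udp any any eq 3389
 deny   tcp any any range 8554 8555
 permit tcp any any established
 permit udp any eq 53 any gt 1023
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
interface Dialer0
 ip access-group WAN-IN in
```

Verify with show ip nat translations (the static entries appear immediately) and show access-lists WAN-IN, whose hit counters on the deny lines show unsolicited connection attempts to the published ports.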

Thank you everyone for the replies. I am connecting using ADSL on the internal modem. The config was given to me by my ISP and I think it is designed so that they can use it if people are not connecting using the inbuilt ADSL/VDSL modem and instead have a cable modem connected to the WAN GE2 port.

I think I may have to start again as this config seems to be a bit of a hack and also, as Paul pointed out, has an ANY to ANY NAT which is not recommended. Would anyone have a basic config to get me up and running?

Also, in the future I will be getting an FTTC connection so will need that WAN GE2 port to function, as I will be connecting that to a separate device to get internet access.

Thanks

Zeroasylum

 

Hello

@zeroasylum wrote:

I think I may have to start again as this config seems to be a bit of a hack and also, as Paul pointed out, has an ANY to ANY NAT which is not recommended. Would anyone have a basic config to get me up and running?

Zeroasylum

In line with the configuration already applied, and your wish to RDP into the network for host 192.168.1.15, try this:


conf t
! the four security zones are defined but never attached to an interface, so they can go
no zone security LAN
no zone security WAN
no zone security VPN
no zone security DMZ
! drop the second WAN path (Ethernet0) so only Dialer0 carries NAT and the default route
no ip nat inside source list nat-list interface Ethernet0 overload
no ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip route 0.0.0.0 0.0.0.0 Dialer0
no access-list 199

! translate only the LAN subnet instead of any/any
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
! Dialer0 gets its address via PPP/IPCP (ip address negotiated), not DHCP,
! so the default route is a plain interface route without the dhcp keyword
ip route 0.0.0.0 0.0.0.0 Dialer0
! static port forward for RDP, then the overload rule for the rest of the LAN
ip nat inside source static tcp 192.168.1.15 3389 interface Dialer0 3389
ip nat inside source list 199 interface Dialer0 overload

 

res
Paul