Hi,

route-map NAT permit 10
 match ip address 100
!
!
access-list 100 deny   ip 192.168.10.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 deny   ip 192.168.20.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any

Hello

I am not sure I understand the logic of this access list regards NATting, are you trying to prohibit nat between these two private subnets? , if so I am on the understanding nat wont occur for the inside nat for these  internal subnets anyway.

have you tried just a using a standard acl for your nat source list?

no ip nat inside source route-map NAT interface GigabitEthernet0/0 overload
no access-list 100

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 1 permit 192.168.30.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload

res

Paul

Hi,

Those networks are outside and they cannot be nated.

I also tried with the ACL only instead of the ROUTE-MAP, but the result is the same.

The problem is not on the outbound (outbound is working fine) the problem is inbound, the traffic reaches the router but it is not being sent to the server inside.

Regards

You need to check your routing my friend.

for the server to be natted it needs reachability to the nat router and vice versa. I have simulated it and it works for me with two commands

R4-------------R3---------IN----------R1----------OUT------------R2

ip nat inside source list TEST interface FastEthernet0/0 overload    -----------> outside interface
ip nat inside source static tcp 192.168.10.4 23 interface FastEthernet0/0 2333

So the outside router is telnetting to R4 from its loopback even and translation takes place.

Insid router R4 can easliy reach the loopback when I launch a ping

R4 and R3 need a default route through their respective gateways .

See the debug when R2 telnets R4 via its loopback 1.1.1.1

R1(config)#
*Mar  1 00:25:31.023: NAT*: o: tcp (1.1.1.1, 41375) -> (193.201.205.1, 2333) [52686]
*Mar  1 00:25:31.023: NAT*: o: tcp (1.1.1.1, 41375) -> (193.201.205.1, 2333) [52686]
*Mar  1 00:25:31.023: NAT*: TCP s=41375, d=2333->23
*Mar  1 00:25:31.023: NAT*: s=1.1.1.1, d=193.201.205.1->192.168.10.4 [52686]
*Mar  1 00:25:31.071: NAT*: i: tcp (192.168.10.4, 23) -> (1.1.1.1, 41375) [10270]
*Mar  1 00:25:31.071: NAT*: TCP s=23->2333, d=41375
*Mar  1 00:25:31.071: NAT*: s=192.168.10.4->193.201.205.1, d=1.1.1.1 [10270]

R4 now pinging outside router R2

*Mar  1 00:31:35.227: NAT: [0] Allocated Port for 192.168.10.4 -> 193.201.205.1: wanted 7 got 7
*Mar  1 00:31:35.231: NAT*: i: icmp (192.168.10.4, 7) -> (193.201.205.2, 7) [24]
*Mar  1 00:31:35.231: NAT*: i: icmp (192.168.10.4, 7) -> (193.201.205.2, 7) [24]
*Mar  1 00:31:35.231: NAT*: s=192.168.10.4->193.201.205.1, d=193.201.205.2 [24]
*Mar  1 00:31:35.243: NAT*: o: icmp (193.201.205.2, 7) -> (193.201.205.1, 7) [24]
*Mar  1 00:31:35.243: NAT*: s=193.201.205.2, d=193.201.205.1->192.168.10.4 [24]
 

let me know if this helps

 

Hi,

With the "sh ip nat trans" I can see it's there:

#sh ip nat trans

Pro Inside global         Inside local          Outside local         Outside global
tcp xxx.xxx.xxx.xxx:3389    192.168.10.10:3389    yyy.yyy.yyy.yyy:45378    yyy.yyy.yyy.yyy:45378

I have also created a ACL applied on the outside allowing the traffic to 3389 and I can see the hits on the ACL going up.

The "debug ip nat" will give me a lot of traffic and it's not easy to check because I have more than 100 hosts inside using NAT to access internet.

Regards

Is it possible to see the ACL? You can do "debug ip nat <access-list>" to filter debug output.

Obvious question but can you see 192.168.10.10 from the router and is it listening on TCP port 3389?

Right now there is no ACL.

The router can ping 192.168.10.10 and 3389 is listening, from the router:

#telnet 192.168.10.10 3389
Trying 192.168.10.10, 3389 ... Open

The debug:

*May 30 09:58:16.915: NAT*: s=x.x.x.x, d=y.y.y.y->192.168.10.10 [3985]
*May 30 09:58:17.915: NAT*: s=x.x.x.x, d=y.y.y.y->192.168.10.10 [3986]

x.x.x.x -> the public IP outside the network

y.y.y.y -> the public IP of the router at int g0/0

I just labbed this up quickly in GNS3 and it worked OK using your config. Do you have a route on 192.168.10.10 that allows it to return the traffic back to wherever the RDP session is coming from? Can you run wireshark on the end host to see it if receives anything?

I'm not able to run wireshark, I'm working remotely...

The server only has one interface connected, with 192.168.10.10/24 with gateway 192.168.10.254.

I also tested using a NAT for a switch inside the network, using telnet.

I can access the switch from the router and validated that everything is configured properly, but I cannot access the switch from outside, the behaviour is the same.

I simulated it again - the first time I did this I did not configure dot1q trunking on the LAN side. With dot1q trunking configured I replicate the same as what you see - the router and host can see each other but I cannot get all the way through from a host on the outside. A bit of wiresharking shows the SYN from the host on the outside goes through the router, the server returns a SYN / ACK but when it traverses the router the source address remains the same (192.168.10.10) rather than being translated to the router WAN interface IP adddress. 

Strangely, if I connect remove the dot1q from the router interface and just have both the router and the server as access ports in VLAN10 it works normally. No idea why this would be the case - is this something you can try?

I need to go there personally. Remotely is not easy to change that, I might lose connectivity to the switch.

I put the dot1q config back in place and change the nat statement to be:

ip nat inside source static tcp 192.168.10.10 23 10.10.10.1 23 extendable

i.e. I referenced the actual public IP address rather than the interface and it worked again. Don't really understand why though...