NAT inside config problem

Hello Cisco community,

I am trying to configure NAT to route traffic from an outside port to an inside webserver but I keep failing. After a month of reading forums I decided to ask for help here.

The inside/outside interfaces are defined and working.

I tried to route traffic received on the outside interface on port 5555 to an internal webserver on port 80 but failed. Here is the command I used:

ip nat inside source static tcp <ip_of_webserver> 80 interface fastEthernet 0/0 5555

fa0/0 is the outside interface

fa0/1 is the inside interface

Do I need to route traffic from fa0/0 to fa0/1 and then from fa0/1 to my webserver? Do I need to set up an ACL?

Any help would be appreciated.

55 Replies

Hi,

When you're trying to access this server from the internet, please post the output of "show ip nat translation | inc ".

Toshi

Hi Toshi,

This is a static NAT so the entry will always be in the NAT table even if there is no traffic.

To verify if it's NAT the problem then a debug ip nat would be more appropriate IMHO.

Is there an ACL on the outside interface or is there ZBF configured on the router?

I think a running config would be helpful here.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

"This is a static NAT so the entry will always be in the NAT table even if there is no traffic." You're right. However, we will see new entries if there are connections connecting to the router.

E.g.

Router#sh ip nat translations | inc 172.17.1.22
tcp 202.x.y.z:80     172.17.1.22:80        203.a.b.c:49155 203.a.b.c:49155   <--- Incoming Connection
tcp 202.x.y.z:80     172.17.1.22:80        ---                   ---                         <---- Static Entry

That's why I asked for the output. However, it's a good idea to post the current configuration on the router.

Toshi

Hi Toshi,

You're right. I thought about it after  I posted.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi

show ip nat translations shows:

Pro Inside global         Inside local          Outside local         Outside global
tcp    fa0/0:5555        webserver_ip:80       ---                         ---

debug ip nat crashed my router and I had to restart it.

I'll post some of my running config; I will try to remove some of the irrelevant info:

!
!
crypto pki trustpoint
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair _RSAKey 512
!
!
crypto pki certificate chain
certificate self-signed 01
  quit
!
!
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key address
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto map outside-map 10 ipsec-isakmp
set peer
set transform-set ESP-3DES-MD5
match address
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map outside-map
!
interface FastEthernet0/1
description $ES_LAN$
ip address
ip access-group acl_out in
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
service-policy input SDM-QoS-Policy-1
!
!
!
ip http server
no ip http secure-server
ip dns server
ip nat inside source list 122 interface FastEthernet0/0 overload
ip nat inside source static tcp 80 interface FastEthernet0/0 5555
!
ip access-list extended acl_out
remark SDM_ACL Category=17
permit ip any host
permit tcp host any eq smtp
deny   tcp any any eq smtp
permit ip any any
ip access-list extended
permit ip
!
access-list 122 permit ip host
!
end

OK, I tested connecting from outside to fa0/0:5555. The output is below:

tcp fa0/0:5555     :80         92.85.253.180:59626   92.85.253.180:59626

Apparently NAT works. So what is my problem then? The page requested from outside wasn't displayed.
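An added example, not code from the thread, that automates the check Toshi's sample output and the translation line above illustrate: a static port mapping shows "---" in both outside columns, while an inbound connection that NAT actually translated fills them in, which moves the fault past the router. The NAT table text and all addresses below are constructed (documentation ranges), not taken from the poster's router.

```python
from typing import List, NamedTuple, Optional

# Constructed sample in the layout of "show ip nat translations" (documentation addresses,
# not the thread's): one inbound session that hit the static port mapping, the static
# mapping itself, and an unrelated outbound PAT session from another inside host.
SAMPLE_OUTPUT = """\
Pro Inside global       Inside local        Outside local        Outside global
tcp 203.0.113.10:5555   192.0.2.80:80       198.51.100.7:49155   198.51.100.7:49155
tcp 203.0.113.10:5555   192.0.2.80:80       ---                  ---
tcp 203.0.113.10:40001  192.0.2.25:40001    198.51.100.9:443     198.51.100.9:443
"""
# Same mapping before any outside host has connected.
STATIC_ONLY_OUTPUT = """\
Pro Inside global       Inside local        Outside local        Outside global
tcp 203.0.113.10:5555   192.0.2.80:80       ---                  ---
"""
KNOWN_PROTOS = {"tcp", "udp", "icmp", "---"}  # "---" = static entry without a port

class Translation(NamedTuple):
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None where IOS prints "---"
    outside_global: Optional[str]

def parse_nat_translations(output: str) -> List[Translation]:
    """Parse translation rows; header, command echo and trailing annotations are skipped."""
    rows = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in KNOWN_PROTOS:
            continue
        rows.append(Translation(f[0], f[1], f[2],
                                None if f[3] == "---" else f[3],
                                None if f[4] == "---" else f[4]))
    return rows

def inbound_sessions(rows: List[Translation], inside_local: str) -> List[str]:
    """Outside hosts with an active session to inside_local; a static-only row has no peer."""
    return [r.outside_global for r in rows
            if r.inside_local == inside_local and r.outside_global is not None]

def diagnose(output: str, inside_local: str) -> str:
    """Decide from the NAT table alone which stage of the inbound path to examine."""
    rows = parse_nat_translations(output)
    if not any(r.inside_local == inside_local for r in rows):
        return "no-mapping"  # static statement missing or naming the wrong inside address
    if not inbound_sessions(rows, inside_local):
        return "no-hits"     # mapping present, but nothing from outside has been translated
    return "hits"            # NAT translated the request; look downstream (ACL, routing, host)
```

A "hits" result is the situation in this thread: the router has done its part, so the next things to check are the inside ACL, the path through the ISA server, and the server's own listener.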

Hi,

1. You can access this server via the local LAN, right? Please check the server by using "netstat -an". Are there connections from 92.85.253.180?

2. Please post the detailed ACL of interesting traffic for the crypto map.

HTH,

Toshi

That's all there is to post about the crypto map. The only thing I haven't posted was the map name and the peer IP. Is there anything else you think I haven't posted?

netstat -an doesn't show the request from outside.

Is the webserver IP on the same subnet as the fa0/1 interface IP ?

If not does the device that routes for the web server have a default route pointing back to this router ?

Also, as Toshi suggested, can you post the actual acl details for the crypto map.

Jon

Have you tried disabling firewall on server?

Is the service up on the router? netstat -a -p tcp should output port 80 listening.

Could you sniff your interface?

Regards.

Alain.

Don't forget to rate helpful posts.

fa0/1 is on a different subnet than my webserver.

The layout is basically:

router->switch->ISA server->switch->webserver

The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the traffic?

carpovalexandru123 wrote:

fa0/1 is on a different subnet than my webserver.

The layout is basically:

router->switch->ISA server->switch->webserver

The firewall on the webserver is disabled. Port 80 is listening. Maybe my ISA server is blocking the traffic?

Is your ISA server acting as a router then ?

Check the ISA server settings, is it doing any firewalling ?

Jon

Yes you can look for that possibility.

You can mirror traffic (local SPAN) coming from the ISA server to the switch port to another port connected to a PC where you install a sniffer and see if you have the SYN packets.

Regards.

Alain.

Don't forget to rate helpful posts.

Yes, I am using some policies on ISA but I have a rule in my ISA firewall that basically says allow all TCP traffic on port 5555 from external/anywhere to webserver_ip for all users.
