NAT issues

T.Yermolenko
Level 1

Hi all,

I have an annoying problem with NAT.

So the thing is: I have a public IP range (69.168.66.128/25) assigned to some clients in a building. Then I have a private network (172.16.0.0), and in this network I have a web server. This server is supposed to be accessible from the web, so I wrote a static NAT rule:

ip nat inside source static tcp 172.16.10.13 80 69.168.66.207 80

This works fine until I have clients from the 'inside' public range of 69.168.66.128/25: they can ping this IP address (69.168.66.207), but they can't connect to port 80 (the web server). I have no problems with 'Internet clients'; NAT is working fine for them. The only problem is this range.

When I tried

show ip nat translations

I got good translations from the Internet, and no translations from the inside public range.

It is possible that it is not a NAT issue, because I'm using NAT-on-a-stick (I have only one interface on the router and a couple of VLANs, legacy confs...). So this process is set up on just one physical interface with a bunch of subinterfaces.

Maybe I should try doing NAT through the Loopback or through the NVI? I really can't see what the difference is...

Thanks.


Vaibhava Varma
Level 4

Hi T.Yermolenko

How about a telnet to port 80 on 69.168.66.207? Does that go through?

Can you apply an extended ACL, match on the server and port 80, log it, and see if we have matching packets?

Personally I don't think NAT-on-a-stick will cause any issues if we have the right routing and NAT configs in place.

Regards

Varma

Hi Varma,

The thing is, I can use the web server normally if I'm "on the Internet". But I can't use it from any address in the 69.168.66.128/25 network, though I can ping the server's external IP (in this case 69.168.66.207) and get a reply from it. But I can't connect to port 80. And when I check the NAT translations, there aren't any in the table. Again, if I'm using any other source except 69.168.66.128/25, it's working perfectly.

Taras

Hi Taras

What about a normal telnet to port 23 from the 69.168.66.128/25 subnet to 69.168.66.207? I think the NAT translations are not seen because the interface on which the packet sourced from 69.168.66.128/25 arrives is not a NATted interface...

If we enable ip nat outside on the 69.168.66.128/25 subnet, we should be seeing the translations.

Meanwhile I am thinking about what could be allowing the ping response to the private IP but restricting TCP 80 connections.

Regards

Varma

fb_webuser
Level 6

If I got it right, I think NVI should fix it, because when you did NAT you assigned your Internet interface as NAT outside and the sub-interface connected to the private IP range as NAT inside, so the sub-interface connected to the public IP range does not apply to the NAT rule you configured.

---

Posted by WebUser Ahmed Rasmy
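
The two suggestions made in this thread, written out as an added configuration example that was not posted by any participant: an extended ACL that logs port-80 attempts from the public client range, and the static rule converted to NVI. The subinterface numbers and ACL number 101 are assumptions; the addresses and the static rule are taken from the original post.

```cisco
! Added example, not from the thread. Subinterface numbers and ACL 101
! are hypothetical; addresses and the static rule come from the posts.
!
! 1) Diagnostic: log TCP/80 attempts from the public client range
!    toward the translated address, and permit everything else.
access-list 101 permit tcp 69.168.66.128 0.0.0.127 host 69.168.66.207 eq 80 log
access-list 101 permit ip any any
!
interface GigabitEthernet0/0.20
 description public client range 69.168.66.128/25 (hypothetical subif)
 ip access-group 101 in
!
! 2) Legacy domain-based rule from the original post. It only translates
!    traffic that crosses between an "ip nat outside" and an
!    "ip nat inside" interface:
!      ip nat inside source static tcp 172.16.10.13 80 69.168.66.207 80
!
! 3) NVI form: no inside/outside domains. The rule drops the "inside"
!    keyword and every participating interface gets "ip nat enable".
no ip nat inside source static tcp 172.16.10.13 80 69.168.66.207 80
ip nat source static tcp 172.16.10.13 80 69.168.66.207 80
!
interface GigabitEthernet0/0.10
 description private network 172.16.0.0 with the web server (hypothetical subif)
 no ip nat inside
 ip nat enable
!
interface GigabitEthernet0/0.20
 ip nat enable
!
interface GigabitEthernet0/0.30
 description Internet uplink (hypothetical subif)
 no ip nat outside
 ip nat enable
!
! Verify from exec mode:
!   show access-lists 101            (match counters on the port-80 entry)
!   show ip nat nvi translations     (NVI entries; "show ip nat translations"
!                                     lists only the legacy domain-based ones)
```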
