I have an annoying problem with NAT.
So the thing is: I have a public IP range (220.127.116.11/25) assigned to some clients in the building. Then I have a private network (172.16.0.0) and in this network I have a web server. This server is supposed to be accessible from the web, so I wrote a static NAT rule:
ip nat inside source static tcp 172.16.10.13 80 18.104.22.168 80
This is working fine until I have clients from the 'inside' public range of 22.214.171.124/25: they can ping this (126.96.36.199) IP address, but they can't connect to port 80 (web server). I have no problems with 'Internet clients', NAT is working fine for them; the only problem is this range.
When I tried
ip nat translations
I'm getting good translations from the Internet, and no translations from the inside public range.
It is possible that it is not a NAT issue, because I'm using NAT-on-a-stick (I have only one interface on the router, a couple of VLANs, legacy configs...), so this process is set up on just one physical interface with a bunch of subinterfaces.
Maybe I should try doing NAT through the Loopback or through the NVI? I really can't see what the difference is...
How about telnet to port 80 for 188.8.131.52? Does that go through?
Can you apply an extended ACL, match the server and port 80, log it, and see if we have matching packets?
Personally I don't think NAT-on-a-stick will cause any issues if we have the right routing and NAT configs in place.
The thing is, I can use the web server normally if I'm "in the Internet". But I can't use it from any address in the 184.108.40.206/25 network, though I can ping the server's external IP (in this case 220.127.116.11) and get a reply from it. But I can't connect to port 80. And when I check NAT translations, there aren't any in the table. Again, if I'm using any other source except 18.104.22.168/25, it's working perfectly.
What about normal telnet to port 23 from the 22.214.171.124/25 subnet to 126.96.36.199? I think the NAT translations are not seen because the interface on which the packet sourced from 188.8.131.52/25 arrives is not a NATted interface...
If we enable ip nat outside on the 184.108.40.206/25 subnet we should be seeing the translations.
Meanwhile I am thinking what could be allowing the ping response to the private IP but restricting TCP 80 connections...
If I got it right, I think NVI should fix it, because when you did NAT you assigned your Internet interface as NAT outside and the subinterface connected to the private IP range as NAT inside, so the subinterface connected to the public IP range does not apply to the NAT rule you configured.
Posted by WebUser Ahmed Rasmy
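As an added illustration (not configuration posted by anyone in this thread), the two fixes discussed above, marking the public-client subinterface as a NAT outside interface versus switching to NVI, and the logging ACL suggested earlier, look like this on an IOS router-on-a-stick. The static mapping and the address ranges are the ones quoted in the thread; the physical interface, VLAN numbers and the addresses on the subinterfaces are assumptions and marked as placeholders.

```cisco
! Added example, not the poster's running config. Interface names, VLAN
! numbers and subinterface addresses are assumptions; the static mapping
! 172.16.10.13:80 -> 18.104.22.168:80 is the rule from the thread.
!
! --- Option A: classic domain NAT on a stick.
! The subinterface carrying the public client range must be an "outside"
! interface as well. Packets from that VLAN then enter on an outside
! interface, match the static rule outside->inside, and show up in
! "show ip nat translations". Without it they are routed untranslated and
! no entry is ever created.
interface GigabitEthernet0/0.10
 description Internet uplink (assumed VLAN 10)
 encapsulation dot1Q 10
 ip address <UPLINK-ADDRESS> <UPLINK-MASK>
 ip nat outside
!
interface GigabitEthernet0/0.20
 description Public client range 220.127.116.0/25 (assumed VLAN 20)
 encapsulation dot1Q 20
 ip address <CLIENT-GATEWAY-ADDRESS> 255.255.255.128
 ip nat outside
!
interface GigabitEthernet0/0.30
 description Private LAN with the web server (assumed VLAN 30)
 encapsulation dot1Q 30
 ip address <PRIVATE-GATEWAY-ADDRESS> 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 172.16.10.13 80 18.104.22.168 80
!
! --- Option B: NAT Virtual Interface (NVI) instead of Option A.
! No inside/outside roles: each participating subinterface gets
! "ip nat enable" and the static rule drops the "inside" keyword.
! Translations are then listed by "show ip nat nvi translations".
! (Shown commented out so the two options are not mixed.)
! interface GigabitEthernet0/0.10
!  ip nat enable
! interface GigabitEthernet0/0.20
!  ip nat enable
! interface GigabitEthernet0/0.30
!  ip nat enable
! ip nat source static tcp 172.16.10.13 80 18.104.22.168 80
!
! --- Verification: the extended ACL with logging suggested in the thread.
! Apply inbound on the public client subinterface and watch the hit
! counters with "show access-lists NAT-CHECK" while a client opens port 80.
! A growing counter with no NAT entry means the packets arrive but never
! pass through a NAT interface pair.
ip access-list extended NAT-CHECK
 permit tcp 220.127.116.0 0.0.0.127 host 18.104.22.168 eq 80 log
 permit ip any any
!
interface GigabitEthernet0/0.20
 ip access-group NAT-CHECK in
```

The `permit ip any any` at the end keeps the ACL from blocking anything, so it acts purely as a counter; remove it again once the test is finished, since logging every port-80 hit on a busy interface is CPU-expensive.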