10-30-2012 07:05 AM - edited 03-04-2019 06:00 PM
Hey people. I am trying to do some simple NAT'ing (at least I think it's simple) between the WAN and my LAN. My provider gives me three IPs right now and I want to use at least two of them. One of them is already assigned to the WAN interface, but the other two I know I need to do a static NAT in order to host any statements. Below is my config with relevant pieces. Does anyone see what I am missing?
interface FastEthernet0/0
 description WAN Connection via COX
 ip address X.X.209.53 255.255.255.224
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
interface FastEthernet0/1.2
 description VLAN 2 - Data
 encapsulation dot1Q 2
 ip address 192.168.15.1 255.255.255.192
 ip nat inside
 ip virtual-reassembly
This is what I have right now.
ip nat source static tcp 192.168.16.5 25 X.X.209.53 25 extendable <<-Took this out because it wasn't needed
ip nat source static 192.168.15.14 X.X.209.54 <<--Sharepoint Portal
ip nat inside source static tcp 192.168.16.5 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.16.5 443 interface FastEthernet0/0 443
ip nat inside source route-map LAN-TO-WAN-NO-NAT interface FastEthernet0/0 overload
The way I am looking at it, I should be able to ping the 209.54 address and browse to it from the web, but I can't. There is no firewall right now. The two statements that use F0/0 work great, but I was only able to make it work on that IP with that statement. When I tried
ip nat source static tcp 192.168.16.5 25 X.X.209.53 25 extendable
It wouldn't work. Am I missing something? I don't want the entire IP open to the public, I just want to open up holes for 443 and 80. But, I guess I don't understand how to put in the statements and which blank is for what IP. Any help is appreciated.
10-30-2012 10:31 AM
Well, I made some progress. I figured out that I had to have a static nat statement for both inside and outside.
So, I had to have this.
ip nat inside source static tcp 192.168.15.14 443 X.X.209.54 443
ip nat outside source static tcp X.X.209.54 443 192.168.15.14 443
So, to me, I need to define what happens when the traffic goes into the "nat cloud" in either direction. I kind of get that. However, if that is the case, why does this work?
ip nat inside source static tcp 192.168.16.5 443 interface FastEthernet0/0 443
I can delete everything else, (minus the overload line) and requests inbound from the internet will work on 443. I don't understand the requirement in one scenario but not the other.
10-30-2012 01:28 PM
Hello Robert,
Actually you do not need to do both statements (ip nat inside and ip nat outside).
So let's start from here (you want to be able to access port 443 on IP address X.X.209.54).
So all we need is:
ip nat inside source static tcp 192.168.15.14 443 x.x.209.54 443
That's all we need to make the translation work, because of Proxy ARP.
Can you do a show ip nat translations | include :443 and provide us the output?
Regards,
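Added example, not from this thread or from Cisco: a small Python model of the point made above, that one `ip nat inside source static` entry is consulted for both directions (source rewrite on inside-to-outside, destination rewrite on outside-to-inside), so the separate `ip nat outside source` line is never needed. It uses the thread's own rules with the masked X.X addresses kept as strings; the `parse_rules`/`translate`/`exposed_endpoints` names and the Fa0/0 address lookup table are assumptions.

```python
import re
from typing import Optional

# Constructed sample: the static rules from this thread, plus the overload line,
# which is not a static entry and is skipped by the parser.
WAN_INTERFACE_ADDR = {"FastEthernet0/0": "X.X.209.53"}  # assumed: Fa0/0 address from the thread
STATIC_RULES = [
    "ip nat inside source static tcp 192.168.16.5 25 interface FastEthernet0/0 25",
    "ip nat inside source static tcp 192.168.16.5 443 interface FastEthernet0/0 443",
    "ip nat inside source route-map LAN-TO-WAN-NO-NAT interface FastEthernet0/0 overload",
    "ip nat inside source static tcp 192.168.15.14 443 X.X.209.54 443 extendable",
]

RULE_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<il_ip>\S+) (?P<il_port>\d+) "
    r"(?:interface (?P<ifname>\S+)|(?P<ig_ip>\S+)) (?P<ig_port>\d+)"
)

def parse_rules(lines):
    """Turn each static port rule into one bidirectional mapping inside local <-> inside global.
    The 'interface' form resolves to that interface's address."""
    rules = []
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # e.g. the overload route-map line: dynamic, not a published port
        ig_ip = WAN_INTERFACE_ADDR[m["ifname"]] if m["ifname"] else m["ig_ip"]
        rules.append({"proto": m["proto"],
                      "inside_local": (m["il_ip"], int(m["il_port"])),
                      "inside_global": (ig_ip, int(m["ig_port"]))})
    return rules

def translate(rules, proto, src, dst, direction) -> Optional[tuple]:
    """Apply the static table to one packet given as (ip, port) tuples.
    Returns the rewritten (src, dst), or None when no static entry matches."""
    for r in rules:
        if r["proto"] != proto:
            continue
        if direction == "in2out" and r["inside_local"] == src:
            return (r["inside_global"], dst)      # reply leaves with the public address
        if direction == "out2in" and r["inside_global"] == dst:
            return (src, r["inside_local"])       # same entry, matched on destination
    return None

def exposed_endpoints(rules):
    """What the WAN side can reach through static NAT: only the published ports, not whole IPs."""
    return sorted(f"{r['inside_global'][0]}:{r['inside_global'][1]}/{r['proto']}" for r in rules)

if __name__ == "__main__":
    table = parse_rules(STATIC_RULES)
    print(exposed_endpoints(table))
    print(translate(table, "tcp", ("180.94.81.139", 51067), ("X.X.209.54", 443), "out2in"))
```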
10-31-2012 09:19 AM
OK, will do. I'll change the statements to reflect only the inside direction and test it. I'll run that command as well and give you the output. Let me ask you this, in the example of
ip nat inside source static tcp 192.168.16.5 25 interface FastEthernet0/0 25
It works that way for X.X.209.53 (IP of F0/0). However, if I change the above statement to use the IP instead of F0/0, it fails. What's the difference?
10-31-2012 10:46 AM
Hello,
It should not fail, as the router uses Proxy ARP!
We will need to determine if the traffic is indeed reaching the router; do the following:
ip access-list extended test_in
 permit tcp any host ip_instead_of_f0/0 eq 25
 permit ip any any
interface FastEthernet0/0
 ip access-group test_in in
Then try to connect and provide the output of
show access-list test_in
Regards,
11-04-2012 02:39 AM
OK, sorry for the wait. Below is what the original config looked like.
ip nat inside source static tcp 192.168.16.5 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.16.5 443 interface FastEthernet0/0 443
ip nat inside source route-map LAN-TO-WAN-NO-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.15.14 443 X.X.209.54 443 extendable
ip nat outside source static tcp X.X.209.54 443 192.168.15.14 443 extendable
Then I removed the last line
ip nat inside source static tcp 192.168.16.5 25 interface FastEthernet0/0 25
ip nat inside source static tcp 192.168.16.5 443 interface FastEthernet0/0 443
ip nat inside source route-map LAN-TO-WAN-NO-NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.15.14 443 X.X.209.54 443 extendable
Then I used that access list to catch the traffic
tcp X.X.209.53:1088 X.X.209.54:1088 216.82.2.9:443 216.82.2.9:443
tcp X.X.209.53:3072 X.X.209.54:3072 216.82.2.9:443 216.82.2.9:443
tcp X.X.209.53:4928 X.X.209.54:4928 216.82.2.9:443 216.82.2.9:443
tcp X.X.209.54:443 192.168.15.14:443 180.94.81.139:51067 180.94.81.139:51067
tcp X.X.209.54:443 192.168.15.14:443 180.94.81.139:51068 180.94.81.139:51068
tcp X.X.209.54:443 192.168.15.14:443 --- ---
tcp X.X.209.53:16 192.168.15.66:443 192.168.1.9:55896 192.168.1.9:55896
tcp X.X.209.53:443 192.168.16.5:443 109.235.205.50:60574 109.235.205.50:60574
tcp X.X.209.53:443 192.168.16.5:443 --- ---
So I guess my next test is to change the statements from F0/0 to the IP on the interface. I would think it would still work. Agreed?