NAT on 1942 router

BHconsultants88
Level 1

Hi everyone

I've pasted the configuration from a Cisco 1941 below and am sure I haven't missed anything, but wanted a second (expert) opinion.

Everything seems to be working fine except that traffic from 185.2 network is not reaching the natted LAN IP of 1.1.1.97. Outbound, it works absolutely fine, however not inbound. The traceroute fails at 2.2.2.2 (outside interface of this router) so I'm leaning towards an outside NAT problem.

Could somebody take a look, as it's really baffling me.

Thank you

Current configuration : 4598 bytes
!
! Last configuration change at 22:20:37 UTC Sat Feb 18 2017 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BOATHOUSE
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
!
aaa session-id common
ethernet lmi ce
!
!
!
!
!
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FGL204221LZ
!
!
username admin privilege 15 password 7
!
redundancy
!
!
!
interface Loopback0
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Outside
ip address 2.2.2.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description House LAN
ip address 1.1.1.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool DOCK 10.10.10.20 10.10.10.254 netmask 255.255.255.0
ip nat inside source list 10 pool DOCK
ip nat inside source static 1.1.1.97 10.10.10.42
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 172.6.0.0 255.255.0.0 1.1.1.254
ip tacacs source-interface Loopback0
!
ip access-list standard Hub
permit 185.2.0.0 0.0.255.255
permit 10.100.0.0 0.0.255.255
permit 10.101.0.0 0.0.0.255
permit 45.50.0.0 0.0.31.255
ip access-list standard customer-nets-out
permit 10.10.10.0 0.0.0.255
!
!
snmp-server community public RO
tacacs server 10.200.68.90
tacacs server 10.200.68.91
access-list 10 remark NAT Pool for Dockstation
access-list 10 permit 172.6.0.0 0.0.255.255
access-list 10 permit 1.1.1.0 0.0.0.255
access-list 61 permit 10.100.66.77
access-list 61 permit 10.100.66.145
access-list 61 permit 10.100.66.133
access-list 66 deny any
!
!
!
control-plane
!
!
privilege exec level 0 traceroute
privilege exec level 0 ping
privilege exec level 0 terminal monitor
privilege exec level 0 terminal
privilege exec level 0 show running-config
privilege exec level 0 show configuration
privilege exec level 0 show
privilege exec level 0 clear ip accounting
privilege exec level 0 clear ip
privilege exec level 0 clear
banner login ^CCC
*****************************************************************
* Use of this network is restricted to authorized users. *
* User activity is monitored and recorded by system *
* personnel. Anyone using this network expressly consents *
* to such monitoring and recording. BE ADVISED, if possible *
* criminal activity is detected, system records, along with *
* certain personal information, may be provided to law *
* enforcement officials. *
*****************************************************************
BOAT ^C
!
line con 0
exec-timeout 15 0
privilege level 15
password 7
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 15 0
privilege level 15
transport input all
line vty 5 15
exec-timeout 15 0
privilege level 15
transport input none
!
scheduler allocate 20000 1000
!
end

8 Replies

Hello,

I doubt even your outbound NAT is working. You are trying to translate to inside addresses, that is, you are trying to translate 1.1.1.0/24 to 10.10.10.0/24, which is the inside address range.

For your NAT to work, the outside interface GigabitEthernet0/0 must have an IP address from the 10.10.10.0/24 address range.

The outside router (connected to GigabitEthernet0/0) is 2.2.2.1. This router has a static route of:

10.10.10.0 255.255.255.0 via 2.2.2.2

Would this not be sufficient or would I need to specify an internal IP on outside interface as well?

In addition to the above, please see this entry from the IP NAT translation table:

tcp 10.10.10.42:58326  1.1.1.97:58326  185.2.88.42:80 185.2.88.42:80

Doesn't this prove that outbound traffic is being natted correctly?

What are you trying to accomplish? Both 10.10.10.0/24 and 2.2.2.0 are private addresses, so NAT between those address ranges is not needed. Is 185.2.88.42 a valid public address? Your next hop router with IP address 2.2.2.1 is the one connected to the Internet on the outside? If so, that is where you need to configure the NAT.

Hello,

Your configuration says,

1- If a packet arrives with source of 10.10.10.0/24, forward it to 2.2.2.1 with no change.

2- If a packet comes with source of 1.1.1.0/24, forward it to 2.2.2.1 and change the source address to 10.10.10.20-254.

3- If a packet comes with source of 172.6.0.0/16, forward it to 2.2.2.1 and change the source address to 10.10.10.20-254.

4- If a packet comes with destination of 10.10.10.42 from outside, change the destination to 1.1.1.97.

If you intend to do these, your configuration is correct, otherwise you need to change.

You do not need to configure 10.10.10.* on your router. You can completely remove it as long as you have a return route on the next router.

There is only one issue. You are confusing your router. It may cause problems.

You have static NAT:  ip nat inside source static 1.1.1.97 10.10.10.42

and 1.1.1.97 is in your access-list: access-list 10 permit 1.1.1.0 0.0.0.255

You need to remove 1.1.1.97 from the access-list:

access-list 10 deny   1.1.1.97

access-list 10 permit 1.1.1.0 0.0.0.255

Hope it helps,

Masoud
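As an added example (not from the thread or from Cisco), a small Python lint that performs the check Masoud describes: it parses the NAT lines from the posted config, evaluates the dynamic NAT ACL with Cisco wildcard-mask semantics, and flags any static inside-local address that the dynamic ACL also permits. The config excerpts are constructed from the running config above; the deny line in FIXED is the one from the reply.

```python
import ipaddress
import re
# Constructed excerpt of the NAT-related lines from the posted running config.
ORIGINAL = """
ip nat inside source list 10 pool DOCK
ip nat inside source static 1.1.1.97 10.10.10.42
access-list 10 remark NAT Pool for Dockstation
access-list 10 permit 172.6.0.0 0.0.255.255
access-list 10 permit 1.1.1.0 0.0.0.255
"""
# Same excerpt with the deny line from the reply placed ahead of the permit.
FIXED = ORIGINAL.replace("access-list 10 permit 1.1.1.0",
                         "access-list 10 deny   1.1.1.97\naccess-list 10 permit 1.1.1.0")

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_permits(entries, addr):
    """First matching line of a standard ACL wins; implicit deny at the end."""
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False

def parse_nat_config(config):
    acls, statics, dynamic_acls = {}, [], []
    for line in config.splitlines():
        # numbered standard ACL line; 'host X' is shorthand for 'X 0.0.0.0'
        m = re.match(r"access-list\s+(\d+)\s+(permit|deny)\s+(?:host\s+)?(\S+)(?:\s+(\S+))?$", line.strip())
        if m:
            num, action, base, wc = m.groups()
            acls.setdefault(num, []).append((action, base, wc or "0.0.0.0"))
            continue
        m = re.match(r"ip nat inside source static\s+(\S+)\s+(\S+)", line.strip())
        if m:
            statics.append(m.groups())
            continue
        m = re.match(r"ip nat inside source list\s+(\S+)\s+pool", line.strip())
        if m:
            dynamic_acls.append(m.group(1))
    return acls, statics, dynamic_acls

def overlapping_statics(config):
    """Static inside-local hosts that a dynamic NAT ACL also permits (the overlap to remove)."""
    acls, statics, dynamic_acls = parse_nat_config(config)
    return [(local, num) for local, _global in statics for num in dynamic_acls
            if acl_permits(acls.get(num, []), local)]
```

Running overlapping_statics on ORIGINAL reports 1.1.1.97 against ACL 10; on FIXED it reports nothing.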

Masoud, thank you so much. That's exactly what my configuration is saying.

The problem is with point 4. Traffic from outside is not being natted to inside 1.1.1.97

Your suggestion

"You do not need to configure 10.10.10.* on you router. You can completely remove it as long as you have return route on the next router."

I will try this now. I will also add the deny statement for 1.1.1.97 on the ACL

Thanks for your help, and I will feed back shortly.

You do not have to remove it. I just wanted to say that having 10.10 is not mandatory.

After adding the deny statement, clear ip nat translation * and delete and reconfigure your static NAT. The reason is that if there is dynamic NAT, your router does not add the static NAT to the NAT table.

Masoud

Hi Masoud, thanks very much for your help with this one. It worked a treat. Would you mind giving me some pointers on: https://supportforums.cisco.com/discussion/13248851/asa-vpn-query

For some reason, I'm unable to get connectivity.
