09-14-2010 07:24 AM - edited 03-04-2019 09:46 AM
I have an 1841 router that is translating TCP port 1723 to an MS VPN server on the LAN. This works fine for external users connecting to 24.76.63.107 (WAN interface of router) but users on the LAN (192.168.1.0/24) cannot connect using the external IP address. I'm guessing this has something to do with using the same routed IP for the outgoing translation as well as the incoming translation. How can I configure the router so internal users can connect to the same server using the external IP address? It is useful for troubleshooting.
Thanks,
-mike
09-14-2010 07:25 AM
Config might help...
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
logging buffered 4096
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
ip cef
!
!
!
!
no ip domain lookup
multilink bundle-name authenticated
!
!
archive
log config
hidekeys
!
!
controller T1 0/0/0
framing esf
linecode b8zs
cablelength long 0db
channel-group 1 timeslots 1-24
!
!
!
!
interface FastEthernet0/0
description INTERNAL_LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 24.76.63.107 255.255.255.248
ip access-group INBOUND in
ip access-group OUTBOUND out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.76.63.105
!
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.3 25 24.76.63.107 25 extendable
ip nat inside source static tcp 192.168.1.3 80 24.76.63.107 80 extendable
ip nat inside source static tcp 192.168.1.7 1723 24.76.63.107 1723 extendable
ip nat inside source static 192.168.1.2 24.76.63.108
ip nat inside source static 192.168.1.20 24.76.63.109
!
ip access-list extended INBOUND
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
permit udp any eq domain host 24.76.63.107 gt 1023
permit udp any eq domain host 24.76.63.107 eq domain
permit tcp any 24.76.63.104 0.0.0.7 established
permit udp any range 1 1023 24.76.63.104 0.0.0.7 gt 1023
permit tcp any eq ftp-data 24.76.63.104 0.0.0.7 gt 1023
permit udp any gt 1023 24.76.63.104 0.0.0.7 gt 1023
permit tcp any host 24.76.63.107 eq 1723
permit tcp any host 24.76.63.107 eq www
permit tcp any host 24.76.63.107 eq smtp
permit tcp any host 24.76.63.108 eq www
permit tcp any host 24.76.63.109 eq www
permit tcp any host 24.76.63.107 eq telnet
permit gre any host 24.76.63.107
deny ip any any log
ip access-list extended OUTBOUND
permit tcp host 192.168.1.3 any eq smtp
deny tcp 192.168.1.0 0.0.0.255 any eq smtp log
deny tcp 192.168.0.0 0.0.0.255 any eq smtp log
permit ip any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
control-plane
!
disable-eadi
alias exec sr show run
alias exec s show ip int br
alias exec srt show ip route
alias exec sri show run | i
alias exec srb show run | b
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport input telnet
line vty 5 15
login local
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17179867
ntp master 6
ntp server 209.114.111.1
ntp server 138.236.128.112
ntp server 149.20.68.17
ntp server 70.86.250.6
end
RTR#
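As an added illustration (not from the original post or any reply), here is a small Python model of how the static TCP entries in the config above behave in each direction, which is the mechanism behind the symptom in the question: IOS rewrites the destination of an "inside source" static entry only on outside-to-inside packets, so a LAN host addressing 24.76.63.107 from the inside never matches it. The client addresses are constructed, and the model ignores the ACLs and everything except the static TCP entries and the overload translation.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the NAT-relevant parts of the RTR config.
# An "ip nat inside source" entry is applied in two directions only:
#   inside->outside : rewrite the SOURCE (local -> global)
#   outside->inside : rewrite the DESTINATION (global -> local)
INSIDE_NET = ip_network("192.168.1.0/24")
ROUTER_WAN = ip_address("24.76.63.107")
# (global_ip, global_port) -> (local_ip, local_port), taken from the config
STATIC_TCP = {
    ("24.76.63.107", 25): ("192.168.1.3", 25),
    ("24.76.63.107", 80): ("192.168.1.3", 80),
    ("24.76.63.107", 1723): ("192.168.1.7", 1723),
}


def ingress_interface(src):
    """Which interface a packet with this source arrives on (inside or outside)."""
    return "inside" if ip_address(src) in INSIDE_NET else "outside"


def translate(src, dst, dport):
    """Return (new_src, new_dst, note) for a TCP packet to dst:dport,
    mimicking the direction-dependent lookups IOS performs."""
    if ingress_interface(src) == "outside":
        # outside->inside: destination is matched against global addresses
        local = STATIC_TCP.get((dst, dport))
        if local:
            return src, local[0], "dst translated (outside->inside)"
        return src, dst, "no static match; packet goes to router / ACL"
    # inside->outside: the router routes first. A destination equal to its
    # own WAN address is local to the router, so the packet never crosses
    # outside->inside and the static entry's destination rewrite is skipped.
    if ip_address(dst) == ROUTER_WAN:
        return src, dst, "hairpin: dst is the router WAN, no dst translation"
    # Ordinary outbound flow: source is overloaded onto the WAN address.
    return str(ROUTER_WAN), dst, "src translated via overload (inside->outside)"


# Constructed sample flows: an Internet client and a LAN client, both
# connecting to the published PPTP port on the WAN address.
EXTERNAL_CLIENT = translate("203.0.113.5", "24.76.63.107", 1723)
INTERNAL_CLIENT = translate("192.168.1.50", "24.76.63.107", 1723)
```

The external flow ends up at 192.168.1.7, while the internal flow keeps 24.76.63.107 as its destination and never reaches the VPN server, which is exactly the behaviour described in the question.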