NAT port forward doesn't work from inside LAN.

sniperwolf3 (Level 1)

Hi Guys,

I have a question about NAT. I have a feeling that I'm doing something wrong. We have a few extra IP addresses that we have bought from our ISP. They are routed to us over our ADSL connection. What I am trying to do is port forward various ports to various servers inside our network. I have done that using the following command:

ip nat inside source static tcp 10.10.5.73 443 2XX.2XX.3X.193 443 extendable

This all works as expected when you are coming from the outside on the Internet. However, when you are on the LAN (10.10.5.0/24) and try to go to https://2XX.2XX.3X.193 it doesn't work. If you ping that address (ICMP doesn't have a port forward) from the inside, the TTL just expires. If you tracert that address, once it leaves my router, it just loops between two routers until it expires.

So my question is: how can I make it so that when I go to https://2XX.2XX.3X.193 from inside the LAN it will NAT to the correct destination?

I was thinking that I might need to put the IPs on an interface or something, but that also doesn't really seem right. Please help!

Here is my config:

Current configuration : 4329 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Thornton
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-1150616158
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1150316158
 revocation-check none
 rsakeypair TP-self-signed-1150316158
!
!
crypto pki certificate chain TP-self-signed-1150616158
 certificate self-signed 01
  CERTIFICATE OMITTED
        quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name jaythom.local
ip name-server 10.10.5.14
ip name-server 10.10.5.83
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username name privilege 15 secret 5
username othername privilege 15 secret 5
!
!
!
archive
 log config
  logging enable
  logging size 600
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
 switchport mode trunk
 macro description cisco-switch
!
interface FastEthernet1
 switchport mode trunk
 shutdown
!
interface FastEthernet2
 switchport mode trunk
 shutdown
!
interface FastEthernet3
 switchport mode trunk
 shutdown
!
interface Vlan1
 description $FW_INSIDE$
 ip address 10.10.5.251 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname namegoeshere@L2TP.tpg.com.au
 ppp chap password 7
 ppp pap sent-username namegoeshere@L2TP.tpg.com.au password 7
 ppp ipcp dns request
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.5.73 25 2XX.2XX.3X.193 25 extendable
ip nat inside source static tcp 10.10.5.12 443 2XX.2XX.3X.193 443 extendable
ip nat inside source static tcp 10.10.5.153 443 2XX.2XX.3X.194 443 extendable
ip nat inside source static tcp 10.10.5.94 443 2XX.2XX.3X.196 443 extendable
ip nat inside source static tcp 10.10.5.73 443 2XX.2XX.3X.197 443 extendable
!
access-list 1 permit 10.10.5.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7
!
scheduler max-task-time 5000
end

12 Replies

johnlloyd_13 (Level 9)

Hi Kyle,

Your config looks fine. Make sure the host 10.10.5.73 has all the right IP settings and is able to ping the DG.

You could also verify from the router by running the command:

#telnet 10.10.5.73 443 /source-interface vl1

Sent from Cisco Technical Support iPhone App

grinch182 (Level 1)

Good day,

Could you please explain your situation more clearly?

From which address are you trying to ping?

Which hosts work fine, and in which directions?

Pardon me, but I can't find a NAT pool in your config.

PS

If it's possible, could you please attach a small scheme of your network for better understanding.

Sincerely,

GRinch

sniperwolf3 (Level 1)

Thanks Guys,

grinch182, you are right, there is no NAT pool in my config. Perhaps that is my problem? I will have to add one and see if that fixes it. In the meantime though, I have made a diagram of what I'm trying to do and attached it to this post. It may look silly when you look at it, but I do have a good reason for trying to do what I'm trying to do.

That is a truly interesting situation, my friend =)

You said it's a routing loop somewhere and your packet dies as soon as the TTL expires.

Could you please explain to me in which area it happens?

I believe your scheme doesn't contain all the devices you use. Your server and router are connected directly to your router?

And the main question is: which goal are you trying to reach? =)

-GRinch

By the way, your configuration is correct too. I just can't understand one moment: are you trying to NAT a few devices with a single address, or do you have different numbers in the last octet?

Please run a ping from your hosts and run debug ip nat, and let us see the output of the debugging.

-GRinch

grinch182 wrote:

I just can't understand one moment: are you trying to NAT a few devices with a single address, or do you have different numbers in the last octet?

Please run a ping from your hosts and run debug ip nat, and let us see the output of the debugging.

-GRinch   

Hi Grinch,

Sorry about that. Yes, the numbers in the last octet are different. We have 5 public IPs and we port forward different ports from these to different hosts in our network. Basically what I'm trying to achieve is this:

We have a domain name on the Internet, for example https://mail.company.com.au, and that resolves to one of those public IP addresses. On the old router (non-Cisco) this was all well and good: we just set the port forward, and from inside the network you could go to that address and it would still resolve, be NATed and work as you would expect it to. What is happening now is that when I go to that address from inside the network, it just doesn't go anywhere. The DNS still resolves, but instead of being NATed correctly it seems to get stuck in some kind of loop until the TTL expires.

When I ping the address from VLAN 1 or from my workstation, the TTL expires. So I did a traceroute, and this is what I found happens:

Thornton#traceroute mail.company.com.au

Type escape sequence to abort.
Tracing the route to mail.company.com.au (2XX.2XX.3X.193)

  1 10.20.20.187 16 msec 20 msec 52 msec
  2 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 36 msec 32 msec 36 msec
  3 10.20.20.187 36 msec 32 msec 32 msec
  4 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 52 msec 52 msec 52 msec
  5 10.20.20.187 52 msec 48 msec 52 msec
  6 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 68 msec 64 msec 68 msec
  7 10.20.20.187 68 msec 68 msec 68 msec
  8 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 88 msec 88 msec 88 msec
  9 10.20.20.187 84 msec 80 msec 84 msec
 10 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 104 msec 108 msec 108 msec
 11 10.20.20.187 96 msec 120 msec 100 msec
 12 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 120 msec 116 msec 120 msec
 13 10.20.20.187 116 msec 116 msec 132 msec
 14 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 152 msec 144 msec 132 msec
 15 10.20.20.187 152 msec 128 msec 136 msec
 16 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 152 msec 168 msec 152 msec
 17 10.20.20.187 152 msec 152 msec 152 msec
 18 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 172 msec 164 msec 184 msec
 19 10.20.20.187 168 msec 168 msec 168 msec
 20 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 184 msec 192 msec 180 msec
 21 10.20.20.187 208 msec 196 msec 188 msec
 22 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 204 msec 220 msec 204 msec
 23 10.20.20.187 201 msec 200 msec 216 msec
 24 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 240 msec 236 msec 248 msec
 25 10.20.20.187 224 msec 216 msec 284 msec
 26 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 236 msec 256 msec 256 msec
 27 10.20.20.187 232 msec 328 msec 232 msec
 28 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 260 msec 248 msec 256 msec
 29 10.20.20.187 252 msec 248 msec 252 msec
 30 1XX-6XX-1XX-247.static.tpgi.com.au (1XX.6XX.1XX.247) 292 msec 268 msec 268 msec

I can see that the TTL is expiring from the packet going into an endless loop, but I don't know why it is doing it, or how I can stop it. I would show you a copy of the "sh ip nat translations" output, but the one I grabbed last night didn't contain any of the translations relevant to what we are talking about here (I didn't scroll down far enough is all).

I was wondering what that 10.20.20.187 was, so I did a sh ip route and found this:

Thornton#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     1XX.0.0.0/32 is subnetted, 1 subnets
C       1XX.6XX.1XX.247 is directly connected, Dialer0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.5.0/24 is directly connected, Vlan1
C       10.20.20.187/32 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0
Thornton#

10.20.20.187 seems to only appear once the PPP connection comes up, so I assume that it has something to do with PPP. The other address that is X'd out is the static IP of our Internet connection that gets assigned through PPP negotiation.

Thanks so much for the help here guys. It is much appreciated.

Do you use the debug ip nat command when tracerouting?

GRinch

I haven't yet, but I will do it tonight when everyone goes home.

I have been looking around a bit at different approaches to this problem. I had heard of NAT Virtual Interface, and then I found this:

http://inetpro.org/wiki/NAT:_access_outside_global_address_from_the_inside

This sounds like it will fit my scenario pretty well, so I'm going to give this a go tomorrow. I'll report back here with what I find if it works.

Hi Kyle,

What you are trying to do is not supported on IOS routers. See the notes below:

** When sitting on the inside LAN segment, you cannot access the internal server using its public NATted IP. This is a NAT limitation with routers. You will have to use the private IP to access that server.

Ping to that public IP from an inside host might work because the router will respond back for that ping, not the actual server. And if we use the "no-alias" keyword at the end of the static NAT statement, then even this ping would stop working. And again, this is an expected behaviour of the router.

Possible workarounds to accomplish the above requirement, i.e. access the internal server from the same LAN (the prerequisite for this is use of an FQDN to access the server; by using the public IP, there is no way we can accomplish this):

1. Use a one-to-one static NAT translation for the private IP of the server, which will enable DNS doctoring

2. Use an internal DNS server with the mapping of this website to the private IP

3. Change the hosts file on the PCs trying to access this server from inside (which generally is not a feasible solution as there could be many hosts in the LAN)

Ref:

https://supportforums.cisco.com/docs/DOC-8936

I hope this helps.

Raga
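Workaround 2 above (an internal DNS zone that answers with private IPs) can be derived mechanically from the static NAT lines in the posted config. The Python below is an added example, not code from the thread or from Cisco: it parses those lines and also flags the case this config actually contains, where one public IP (.193) forwards port 25 and port 443 to two different inside hosts, so no single A record can stand in for the per-port NAT. The hostnames other than mail.company.com.au are assumptions.

```python
import re
from collections import defaultdict

# The five static NAT lines copied from the router config posted above.
NAT_CONFIG = """
ip nat inside source static tcp 10.10.5.73 25 2XX.2XX.3X.193 25 extendable
ip nat inside source static tcp 10.10.5.12 443 2XX.2XX.3X.193 443 extendable
ip nat inside source static tcp 10.10.5.153 443 2XX.2XX.3X.194 443 extendable
ip nat inside source static tcp 10.10.5.94 443 2XX.2XX.3X.196 443 extendable
ip nat inside source static tcp 10.10.5.73 443 2XX.2XX.3X.197 443 extendable
"""

# Constructed public-zone answers: only mail.company.com.au -> .193 is from
# the thread; the other names are assumptions used to exercise the code.
PUBLIC_ZONE = {
    "mail.company.com.au": "2XX.2XX.3X.193",
    "app.company.com.au": "2XX.2XX.3X.194",
    "shop.company.com.au": "2XX.2XX.3X.195",  # nothing forwarded on .195
}
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static_nat(config_text):
    """Map (global_ip, proto, global_port) -> (local_ip, local_port)."""
    mappings = {}
    for line in config_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, local_ip, lport, global_ip, gport = m.groups()
            mappings[(global_ip, proto, int(gport))] = (local_ip, int(lport))
    return mappings

def split_dns_records(mappings, public_zone):
    """Derive internal-zone A records for workaround 2 in the post above.
    An A record is only exact when every forwarded port on a public IP lands on
    the same inside host; names whose forwards diverge by port go to `conflicts`
    with the candidate hosts, since DNS cannot override per port.
    """
    inside_hosts = defaultdict(set)
    for (global_ip, _proto, _gport), (local_ip, _lport) in mappings.items():
        inside_hosts[global_ip].add(local_ip)
    records, conflicts = {}, {}
    for name, global_ip in public_zone.items():
        hosts = inside_hosts.get(global_ip)
        if not hosts:
            continue  # nothing forwarded on this IP; the public answer stays
        if len(hosts) == 1:
            records[name] = next(iter(hosts))
        else:
            conflicts[name] = sorted(hosts)
    return records, conflicts
```

For the posted config, mail.company.com.au ends up in `conflicts`, which is exactly why a hostname-based override needs a decision (one name per inside host, or an extra name for SMTP) before it reproduces the forwards.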

Luis Diego Raga wrote:

Hi Kyle,

What you are trying to do is not supported on IOS routers. See the notes below:

** When sitting on the inside LAN segment, you cannot access the internal server using its public NATted IP. This is a NAT limitation with routers. You will have to use the private IP to access that server.


Hi Luis,

Bugger! That isn't what I wanted to hear, but them's the breaks I guess. I'll just have to do it with split DNS zones. I would have thought that NVI would have solved my issue though? Or is that not something that is used on IOS routers?

Yeah, I know ....

About the NVI, I can't really tell, as I've never configured or seen it working; perhaps it is worth giving it a try.

Here's another doc that talks about it:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

Have a good one.

Raga
