04-13-2010 09:21 AM - edited 03-04-2019 08:08 AM
Hi All,
I've been struggling a little bit with internal services (such as WWW) to be accessible from my external public IP address. I've removed the firewall and particular configuration and left "only" NAT; I'm interested in letting 10.0.102.8:80 be accessible via MY.PUBLIC.IP.43,
and from a first debug you can see that I get a NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80). Is that a problem?
blackDevil#ter mon
blackDevil#
*Apr 13 15:31:25.369: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [23023]
*Apr 13 15:31:26.525: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:31.625: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3337]
*Apr 13 15:31:32.217: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53004]
*Apr 13 15:31:34.621: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3338]
*Apr 13 15:31:35.213: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53005]
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:40.621: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3339]
*Apr 13 15:31:41.213: NAT*: s=192.251.226.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53006]
*Apr 13 15:31:50.957: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [58527]
*Apr 13 15:31:51.581: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [59608]
*Apr 13 15:31:53.965: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [63773]
*Apr 13 15:31:54.173: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:54.497: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [64711]
*Apr 13 15:31:54.685: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:57.217: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [4206]
*Apr 13 15:31:57.245: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:57.821: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [5397]
*Apr 13 15:31:58.269: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:00.317: NAT: expiring MY.PUBLIC.IP.46 (MY.PUBLIC.IP.43) tcp 445 (445)
*Apr 13 15:32:01.045: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [10949]
*Apr 13 15:32:03.577: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [15228]
*Apr 13 15:32:04.237: NAT*: s=79.140.39.227, d=MY.PUBLIC.IP.43->10.0.102.8 [16314]
*Apr 13 15:32:10.045: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:10.557: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:12.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16841]
*Apr 13 15:32:15.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16842]
*Apr 13 15:32:21.553: NAT*: s=202.150.214.34, d=MY.PUBLIC.IP.43->10.0.102.8 [16843]
*Apr 13 15:32:24.893: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:25.405: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:40.765: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:41.277: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
and from:
blackDevil#show ip nat translations
Pro Inside global Inside local Outside local Outside global
udp MY.PUBLIC.IP.43:500 10.0.102.7:500 --- ---
udp MY.PUBLIC.IP.43:1701 10.0.102.7:1701 --- ---
tcp MY.PUBLIC.IP.43:1723 10.0.102.7:1723 --- ---
tcp MY.PUBLIC.IP.43:3283 10.0.102.7:3283 --- ---
udp MY.PUBLIC.IP.43:3283 10.0.102.7:3283 --- ---
udp MY.PUBLIC.IP.43:4500 10.0.102.7:4500 --- ---
tcp MY.PUBLIC.IP.43:80 10.0.102.8:80 71.235.179.213:63300 71.235.179.213:63300
tcp MY.PUBLIC.IP.43:80 10.0.102.8:80 123.125.66.127:51337 123.125.66.127:51337
tcp MY.PUBLIC.IP.43:80 10.0.102.8:80 --- ---
where it seems that everything is working fine? I also thought it could be a further problem, maybe with routing over the VLAN, but the following command shows that 10.0.102.8 is reachable and the local network works fine:
blackDevil# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is MY.PUBLIC.IP.41 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via MY.PUBLIC.IP.41
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C 10.0.101.0/24 is directly connected, GigabitEthernet0/1
L 10.0.101.1/32 is directly connected, GigabitEthernet0/1
C 10.0.102.0/24 is directly connected, GigabitEthernet0/1.2
L 10.0.102.10/32 is directly connected, GigabitEthernet0/1.2
C 10.0.104.0/24 is directly connected, GigabitEthernet0/1.1
L 10.0.104.1/32 is directly connected, GigabitEthernet0/1.1
MY.PUBLIC.IP.0/24 is variably subnetted, 4 subnets, 3 masks
S MY.PUBLIC.IP.0/24 [1/0] via MY.PUBLIC.IP.41
C MY.PUBLIC.IP.40/29 is directly connected, GigabitEthernet0/0
L MY.PUBLIC.IP.43/32 is directly connected, GigabitEthernet0/0
L MY.PUBLIC.IP.46/32 is directly connected, GigabitEthernet0/0
Here is my configuration:
Building configuration...
Current configuration : 11932 bytes
!
! Last configuration change at 15:40:40 UTC Tue Apr 13 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname blackDevil
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 6 log
logging buffered 51200 warnings
logging console critical
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
ip domain list mydomain.org
ip domain name mydomain.org
ip host cisco 10.0.102.10
ip name-server 24.29.99.35
ip name-server 24.29.99.36
ip name-server 10.0.102.7
no ip port-map kazaa2 port tcp description Kazaa Version 2
ip port-map user-min-latse port tcp 2007
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1794697833
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1794697833
revocation-check none
rsakeypair TP-self-signed-1794697833
!
!
crypto pki certificate chain TP-self-signed-1794697833
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FTX1406782P
!
!
username admin privilege 15 secret 5 $dsgsdfgsdfgsdfgsdfgsfgd.
!
redundancy
!
!
!
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ETH-WAN$$FW_OUTSIDE$
ip address MY.PUBLIC.IP.43 255.255.255.248 secondary
ip address MY.PUBLIC.IP.46 255.255.255.248
ip broadcast-address MY.PUBLIC.IP.47
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $FW_INSIDE$
ip address 10.0.101.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1.1
description DMZ$FW_DMZ$
encapsulation dot1Q 4
ip address 10.0.104.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.2
description MZ (mydomain ny private zone)$FW_INSIDE$
encapsulation dot1Q 2
ip address 10.0.102.10 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.0.102.8 80 MY.PUBLIC.IP.43 80 extendable
ip nat inside source static udp 10.0.102.7 500 MY.PUBLIC.IP.43 500 extendable
ip nat inside source static udp 10.0.102.7 1701 MY.PUBLIC.IP.43 1701 extendable
ip nat inside source static tcp 10.0.102.7 1723 MY.PUBLIC.IP.43 1723 extendable
ip nat inside source static tcp 10.0.102.201 2007 MY.PUBLIC.IP.43 2007 extendable
ip nat inside source static tcp 10.0.102.7 3283 MY.PUBLIC.IP.43 3283 extendable
ip nat inside source static udp 10.0.102.7 3283 MY.PUBLIC.IP.43 3283 extendable
ip nat inside source static udp 10.0.102.7 4500 MY.PUBLIC.IP.43 4500 extendable
ip default-network MY.PUBLIC.IP.41
ip route 0.0.0.0 0.0.0.0 MY.PUBLIC.IP.41 permanent
!
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host MY.PUBLIC.IP.46
ip access-list extended min-internal-server
permit ip any host MY.PUBLIC.IP.43
!
access-list 1 permit 10.0.102.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.0.104.0 0.0.0.255
access-list 2 permit 10.0.102.0 0.0.0.255
access-list 2 permit any
access-list 3 permit MY.PUBLIC.IP.43
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.102.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.0.102.201
access-list 104 permit ip 0.0.0.0 255.255.255.0 any
access-list 105 permit ip any host 10.0.102.8
access-list 105 permit tcp any MY.PUBLIC.IP.40 0.0.0.7 eq www
access-list 105 permit tcp any 10.0.102.0 0.0.0.255 eq www
access-list 105 permit ip any any
access-list 106 remark for services to MacOSX server like vpn
access-list 106 permit ip any host 10.0.102.7
access-list 107 remark for services to latse calendar
access-list 107 permit ip any host 10.0.102.201
access-list 195 permit ip 0.0.0.56 255.255.255.0 any
access-list 2000 permit 80 any 0.0.0.3 255.255.255.248
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
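As an added example (not part of the thread or of the router's own tooling), a small Python parser for the `debug ip nat` format shown above. It separates inbound translations (`d=global->local`), reply-direction translations (`s=local->global`) and `expiring` events, and flags an inside host that receives translated packets but never answers, which is exactly the pattern in the post. The sample log lines are constructed in the same format, with placeholder external addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the thread's "debug ip nat" output
# (external addresses are documentation placeholders, not real sources).
SAMPLE_LOG = """\
*Apr 13 15:31:25.369: NAT*: s=203.0.113.34, d=MY.PUBLIC.IP.43->10.0.102.8 [23023]
*Apr 13 15:31:26.525: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:31:31.625: NAT*: s=198.51.100.206, d=MY.PUBLIC.IP.43->10.0.102.8 [3337]
*Apr 13 15:31:32.217: NAT*: s=198.51.100.206, d=MY.PUBLIC.IP.43->10.0.102.8 [53004]
*Apr 13 15:31:40.349: NAT: expiring MY.PUBLIC.IP.43 (10.0.102.8) tcp 80 (80)
*Apr 13 15:32:00.317: NAT: expiring MY.PUBLIC.IP.46 (MY.PUBLIC.IP.43) tcp 445 (445)
"""

# Inbound: an outside source hits the inside-global address, rewritten to inside-local.
INBOUND = re.compile(r"NAT\*?: s=(?P<src>[\w.]+), d=(?P<glob>[\w.]+)->(?P<local>[\w.]+)")
# Reply/outbound: the inside-local source is rewritten to inside-global on the way out.
OUTBOUND = re.compile(r"NAT\*?: s=(?P<local>[\w.]+)->(?P<glob>[\w.]+), d=(?P<dst>[\w.]+)")
# "expiring" is a translation entry timing out; a static mapping itself stays configured.
EXPIRE = re.compile(r"NAT: expiring (?P<glob>[\w.]+) \((?P<local>[\w.]+)\) (?P<proto>\w+) (?P<port>\d+)")


def analyse_nat_debug(text):
    """Count translated packets per direction and expired entries per inside host."""
    stats = {"inbound": Counter(), "replies": Counter(), "expired": Counter(),
             "sources": defaultdict(set)}
    for line in text.splitlines():
        if m := INBOUND.search(line):
            stats["inbound"][m["local"]] += 1
            stats["sources"][m["local"]].add(m["src"])
        elif m := OUTBOUND.search(line):
            stats["replies"][m["local"]] += 1
        elif m := EXPIRE.search(line):
            stats["expired"][(m["local"], m["proto"], int(m["port"]))] += 1
    return stats


def diagnose(stats):
    """Flag inside hosts that receive translated packets but never answer."""
    findings = {}
    for host, n_in in stats["inbound"].items():
        n_out = stats["replies"][host]
        if n_out == 0:
            findings[host] = ("no reply traffic translated for this host: the NAT rule "
                              "forwards inbound packets, so check the server's own "
                              "routing (default gateway) before the router")
        else:
            findings[host] = f"bidirectional: {n_in} in, {n_out} out"
    return findings
```

Run `diagnose(analyse_nat_debug(SAMPLE_LOG))` to get the per-host verdict; a healthy port forward shows both directions for the same inside host.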
04-13-2010 04:38 PM
The problem is you have configured the same IP address as the router's secondary IP address.
Remove that secondary IP address from gig0/0; that should work.
04-14-2010 06:14 AM
Thank you for your reply. Actually, as you can see in the configuration, gig0/0 has 2 different addresses:
MY.PUBLIC.IP.43
MY.PUBLIC.IP.46
The configuration of the router is working; the problem was in the routing parameters of the server behind it (HTTP service). Shame on me!!
Thanks