08-26-2019 10:56 AM - edited 08-26-2019 11:00 AM
This is a continuation of this post...
So we have deployed into the colo this last weekend and everything is operational... mostly...
I have a stack of IPs for the equipment in the rack and I have assigned them to the router's gi0/0/0 port (as secondary).
I am trying to forward traffic to these IPs from the wan to the servers inside the LAN using the following commands:
ip nat inside source static udp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.60.11 8000 interface GigabitEthernet0/0/0 8000
ip nat inside source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat inside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
The first three (which just forward all traffic to those ports hitting the WAN regardless of IP) work fine. However, the next two (which should ONLY forward port 80 and 443 traffic pointed at 172.8.0.40) break the traffic connection to 192.168.60.21. Once I wr that config, 192.168.60.21 becomes entirely unreachable, although it can still be pinged from the router.
When I do this:
no ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
no ip nat inside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
The server becomes accessible again, but of course the ports are no longer forwarded...
What did I do wrong?
Labels: ISR 4000 Series
Accepted Solutions
08-26-2019 02:29 PM
GOOD NEWS!
It looks like we just needed to flip the public and internal IPs.
This worked:
ip nat inside source static tcp 192.168.60.21 80 172.8.0.40 80 extendable
ip nat inside source static tcp 192.168.60.21 443 172.8.0.40 443 extendable

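Added example, not code from the thread or from Cisco: a small Python pre-flight check for the argument order the accepted answer turned on (`ip nat inside source static {tcp|udp} <inside-local> <lport> <inside-global> <gport>`, private server address first, public address second) and for the constraint raised in the reply below that 192.168.60.0/24 is the inside network and can only appear as the inside-local side. It assumes the poster's 172.8.0.x stand-in for the masked public block (172.8.0.32/28 with the default gateway at .33); the names parse_static, lint_static, lint_config and forward are this example's own. Running it locally before pushing a change to a router 400 miles away catches the swap the thread hit, and forward() emits the corrected line for each public IP:port to server:port mapping the poster described.

```python
"""Pre-flight lint and generator for Cisco IOS static port forwards (static PAT).

Added example, not code from the thread. Checked form:
  ip nat inside source static {tcp|udp} <inside-local> <lport> <inside-global> <gport> [extendable]
Private server address FIRST, public address SECOND. Inside prefix is the thread's
192.168.60.0/24; the public /28 is masked on the page, so the poster's 172.8.0.x stand-in is assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

INSIDE_NET = ipaddress.ip_network("192.168.60.0/24")
PUBLIC_NET = ipaddress.ip_network("172.8.0.32/28")    # assumed stand-in for xxx.xxx.xxx.32/28
PUBLIC_GATEWAY = ipaddress.ip_address("172.8.0.33")   # assumed stand-in for the .33 default route


@dataclass(frozen=True)
class StaticNat:
    proto: Optional[str]    # "tcp", "udp", or None for a plain 1:1 static mapping
    local: str              # inside-local: the server's private address
    lport: Optional[int]
    glob: str               # inside-global: public address, or "interface <name>"
    gport: Optional[int]
    extendable: bool


def parse_static(line: str) -> StaticNat:
    """Split one `ip nat inside source static ...` line into its fields."""
    tok = line.split()
    if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
        raise ValueError(f"not a static inside-source NAT line: {line!r}")
    rest = tok[5:]
    extendable = bool(rest) and rest[-1] == "extendable"
    if extendable:
        rest = rest[:-1]
    try:
        if rest[0] in ("tcp", "udp"):
            proto, local, lport = rest[0], rest[1], int(rest[2])
            if rest[3] == "interface":
                glob, gport = f"interface {rest[4]}", int(rest[5])
            else:
                glob, gport = rest[3], int(rest[4])
        else:
            proto, lport, gport = None, None, None
            local, glob = rest[0], rest[1]
    except (IndexError, ValueError) as exc:
        raise ValueError(f"malformed static NAT line: {line!r}") from exc
    return StaticNat(proto, local, lport, glob, gport, extendable)


def lint_static(entry: StaticNat) -> List[str]:
    """Return human-readable problems; an empty list means the entry passes."""
    try:
        local = ipaddress.ip_address(entry.local)
        glob = None if entry.glob.startswith("interface ") else ipaddress.ip_address(entry.glob)
    except ValueError as exc:
        return [f"not an IP address: {exc}"]
    if glob is not None and glob in INSIDE_NET and local in PUBLIC_NET:
        # The thread's mistake: <public> <private> instead of <private> <public>.
        return ["inside-local and inside-global are swapped: write the private "
                "server address first and the public address second"]
    problems = []
    if local not in INSIDE_NET:
        problems.append(f"inside-local {local} is not in the inside network {INSIDE_NET}")
    if glob is not None:
        if glob not in PUBLIC_NET:
            problems.append(f"inside-global {glob} is not in the public block {PUBLIC_NET}")
        elif glob in (PUBLIC_NET.network_address, PUBLIC_NET.broadcast_address, PUBLIC_GATEWAY):
            problems.append(f"inside-global {glob} is the network, broadcast or gateway address")
    return problems


def lint_config(config: str) -> Dict[str, List[str]]:
    """Lint every static inside-source NAT line found in a running-config dump."""
    return {line.strip(): lint_static(parse_static(line.strip()))
            for line in config.splitlines()
            if line.strip().startswith("ip nat inside source static")}


def forward(public_ip: str, public_port: int, server_ip: str,
            server_port: Optional[int] = None, proto: str = "tcp") -> str:
    """Emit the IOS line that sends <public_ip>:<public_port> to <server_ip>:<server_port>."""
    server_port = public_port if server_port is None else server_port
    line = (f"ip nat inside source static {proto} {server_ip} {server_port} "
            f"{public_ip} {public_port} extendable")
    problems = lint_static(parse_static(line))
    if problems:
        raise ValueError("; ".join(problems))
    return line


# Constructed excerpt modelled on the thread's first attempt, public block replaced by the stand-in.
SAMPLE_CONFIG = """\
ip nat inside source static udp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.60.11 8000 interface GigabitEthernet0/0/0 8000
ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat inside source static tcp 192.168.60.21 443 172.8.0.40 443 extendable
"""

if __name__ == "__main__":
    for line, problems in lint_config(SAMPLE_CONFIG).items():
        print(("OK  " if not problems else "BAD ") + line)
        for problem in problems:
            print("      - " + problem)
    print(forward("172.8.0.41", 443, "192.168.60.22"))   # second mapping the poster described
```

The swap check fires only when both sides are in the wrong network, so a genuinely mis-typed address is reported as a plain prefix mismatch rather than as a swap; the gateway and network/broadcast check stops a forward from being bound to an address the upstream already owns.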
08-26-2019 11:55 AM
Hello,
Is the 192.168.60.0 network the inside or the outside? Right now you are using the same address space as inside AND outside, I suspect that is where the problem lies. Try to use NVI NAT, that is, instead of using 'ip nat inside/outside' on your interfaces, just use 'ip nat enable' on all interfaces where NAT has to occur. Also change the static NAT entries and leave the 'inside' and 'outside' keywords out.
If this isn't clear, post the full configuration of the router...
08-26-2019 12:05 PM - edited 08-26-2019 12:14 PM
@Georg Pauwen wrote: If this isn't clear, post the full configuration of the router...
I'm a noob when it comes to Cisco routing (coming from Ubiquiti)... so here's my config:
#sh run
Building configuration...

Current configuration : 4921 bytes
!
! Last configuration change at 18:40:58 UTC Mon Aug 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname router1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 [omitted]
enable password [omitted]
!
no aaa new-model
!
transport-map type persistent webui https-webui
 secure-server
!
transport-map type persistent webui http-webui
 server
!
transport-map type persistent webui http-https-webui
 server
 secure-server
!
ip name-server 208.67.222.222
!
ip dhcp pool 1
 utilization mark high 80 log
 utilization mark low 70 log
 network 192.168.60.0 255.255.255.0
 domain-name [omitted]
 default-router 192.168.60.1
 dns-server 208.67.222.222 8.8.8.8
 lease 30
!
subscriber templating
multilink bundle-name authenticated
!
crypto [omitted]
!
spanning-tree extend system-id
!
username [omitted]
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
 description WAN000
 ip address xxx.xxx.xxx.40 255.255.255.240 secondary
 ip address xxx.xxx.xxx.37 255.255.255.240 secondary
 ip address xxx.xxx.xxx.38 255.255.255.240 secondary
 ip address xxx.xxx.xxx.39 255.255.255.240 secondary
 ip address xxx.xxx.xxx.41 255.255.255.240 secondary
 ip address xxx.xxx.xxx.42 255.255.255.240 secondary
 ip address xxx.xxx.xxx.43 255.255.255.240 secondary
 ip address xxx.xxx.xxx.44 255.255.255.240 secondary
 ip address xxx.xxx.xxx.45 255.255.255.240 secondary
 ip address xxx.xxx.xxx.46 255.255.255.240 secondary
 ip address xxx.xxx.xxx.36 255.255.255.240
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description WAN001
 ip address xxx.xxx.xxx.37 255.255.255.240
 ip nat inside
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Vlan1
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static udp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33
!
access-list 1 permit 192.168.60.0 0.0.0.255
!
snmp-server community public RO
!
control-plane
!
line con 0
 password [omitted]
 login
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password [omitted]
 login
!
transport type persistent webui input https-webui
!
end
I *think* I found my solution here...
If I'm right, I just need to do this from a config line:
config t
no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat pool NAT1 xxx.xxx.xxx.36 xxx.xxx.xxx.36 netmask 255.255.255.240
ip nat inside source list 1 pool NAT1 overload
exit
wr
The trouble is (a) I'm not positive I'm right, and (b) I'm nervous as heck that changing my config like this (over telnet) will make the switch unreachable... it's 400 miles away in a colo...
08-26-2019 12:28 PM
Hello,
below is what I had in mind (changes marked in bold). In your current configuration, your 192.168.60.0/24 network is a NAT inside network, so you can only use it in static NAT entries that have an address from the 192.168.60.0/24 network as the inside.
If you don't have access to the site locally in case something goes wrong, test in a lab before you deploy any changes. 400 miles is a long drive.
Building configuration...
Current configuration : 4921 bytes
!
! Last configuration change at 18:40:58 UTC Mon Aug 26 2019
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname router1
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 [omitted]
enable password [omitted]
!
no aaa new-model
!
transport-map type persistent webui https-webui
secure-server
!
transport-map type persistent webui http-webui
server
!
transport-map type persistent webui http-https-webui
server
secure-server
!
ip name-server 208.67.222.222
!
ip dhcp pool 1
utilization mark high 80 log
utilization mark low 70 log
network 192.168.60.0 255.255.255.0
domain-name [omitted]
default-router 192.168.60.1
dns-server 208.67.222.222 8.8.8.8
lease 30
!
subscriber templating
multilink bundle-name authenticated
!
crypto [omitted]
!
spanning-tree extend system-id
!
username [omitted]
!
redundancy
mode none
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/0/0
description WAN000
ip address xxx.xxx.xxx.40 255.255.255.240 secondary
ip address xxx.xxx.xxx.37 255.255.255.240 secondary
ip address xxx.xxx.xxx.38 255.255.255.240 secondary
ip address xxx.xxx.xxx.39 255.255.255.240 secondary
ip address xxx.xxx.xxx.41 255.255.255.240 secondary
ip address xxx.xxx.xxx.42 255.255.255.240 secondary
ip address xxx.xxx.xxx.43 255.255.255.240 secondary
ip address xxx.xxx.xxx.44 255.255.255.240 secondary
ip address xxx.xxx.xxx.45 255.255.255.240 secondary
ip address xxx.xxx.xxx.46 255.255.255.240 secondary
ip address xxx.xxx.xxx.36 255.255.255.240
ip nat enable
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN001
ip address xxx.xxx.xxx.37 255.255.255.240
ip nat enable
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Vlan1
ip address 192.168.60.1 255.255.255.0
ip nat enable
!
ip nat source static tcp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat source static udp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
ip nat source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.33
!
access-list 1 permit 192.168.60.0 0.0.0.255
!
snmp-server community public RO
!
control-plane
!
line con 0
password [omitted]
login
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password [omitted]
login
!
transport type persistent webui input https-webui
!
end
08-26-2019 12:37 PM - edited 08-26-2019 01:08 PM
@Georg Pauwen wrote: If you don't have access to the site locally in case something goes wrong, test in a lab before you deploy any changes. 400 miles is a long drive.
Thanks for the suggested config... yeah, I tried in a lab and I hit a fun little brick wall.
This is our first and only Cisco router so I tried to use the Packet Tracer utility (Cisco's Net Academy tool) to replicate the router and test... I have just now discovered a bit of a design flaw in their utility in that I can't assign a secondary IP to interfaces.
I just get "% Invalid input detected at '^' marker." pointing at "secondary"... so... I guess I'm rolling the dice unless someone has a better simulator for this?
EDIT: Actually, never mind. It looks like I can't directly enable NAT on the interface anyway. I'm not sure if this is specific to the ISR4000 series, but the command fails. So I guess I'm back to this:
no ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip nat pool NAT1 xxx.xxx.xxx.36 xxx.xxx.xxx.36 netmask 255.255.255.240
ip nat inside source list 1 pool NAT1 overload
EDIT#2: That doesn't work either because I have to remove the dynamic mappings first... which WILL take us offline. Well, crap.
08-26-2019 01:16 PM
Hello,
Packet Tracer is not really a good tool to do real network testing. Are you familiar with GNS3? It is a free tool that uses real and fully functional IOS images...
08-26-2019 01:19 PM
Actually, reading your original post, what exactly are you trying to accomplish?
ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat inside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
What are the 172 addresses, are these outside addresses and part of those secondary addresses assigned to the outside interface?
08-26-2019 01:47 PM
@Georg Pauwen wrote: Actually, reading your original post, what exactly are you trying to accomplish?
ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat inside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
What are the 172 addresses, are these outside addresses and part of those secondary addresses assigned to the outside interface?
That's just me masking my actual WAN IPs. So yes, the 172.8.0.X IP addresses *represent* the IPs of my WAN connection.
I guess I should also explain what I'm trying to accomplish here.
We have a group of roughly 10 usable IPs. On the other side of the router we have several servers serving web content. Most of the content is served out on ports 80 and 443 and we want to specify which server to connect to based on which public IP is being used, without implicitly assigning public IPs to the servers. So basically we want all traffic directed at "172.8.0.40:80" to go to "192.168.60.21:80" and likewise, all traffic directed at "172.8.0.41:443" to go to "192.168.60.22:443"... make sense?
08-26-2019 01:56 PM
Hello,
in that case, using the original configuration you posted, as far as I can tell all you have to do is exchange 'inside' for 'outside' in your static NAT entries. So:
ip nat inside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat inside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
needs to be:
ip nat outside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat outside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
08-26-2019 02:11 PM
@Georg Pauwen wrote: Hello,
in that case, using the original configuration you posted, as far as I can tell all you have to do is exchange 'inside' for 'outside' in your static NAT entries. So:
...
ip nat outside source static tcp 172.8.0.40 80 192.168.60.21 80 extendable
ip nat outside source static tcp 172.8.0.40 443 192.168.60.21 443 extendable
No joy. The server becomes unreachable again...