NAT Priority Question

mgregory
Level 1

Hi, I have an 887W and would appreciate help sorting out a NAT question.

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 deny   tcp host 192.168.1.49 eq domain any
access-list 100 deny   udp host 192.168.1.49 eq domain any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

My question relates to only one server so it is included. I have about 10 servers in the LAN.

I have a secondary DNS in the WAN. When my DNS server sends out notify messages to the secondary DNS, the secondary DNS receives the messages from Dialer0 (165.228.87.236) and rejects the notify messages because it expects the messages to come from 203.36.222.123.

How do I change the NAT settings so that 192.168.1.49 outgoing traffic will appear on the outside as 203.36.222.123?

regards, Mark

26 Replies

darren.g
Level 5

Mark Gregory wrote:

Hi, I have an 887W and would appreciate help sorting out a NAT question.

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

My question relates to only one server so it is included. I have about 10 servers in the LAN.

I have a secondary DNS in the WAN. When my DNS server sends out notify messages to the secondary DNS, the secondary DNS receives the messages from Dialer0 (165.228.87.236) and rejects the notify messages because it expects the messages to come from 203.36.222.123.

How do I change the NAT settings so that 192.168.1.49 outgoing traffic will appear on the outside as 203.36.222.123?

regards, Mark

Where is this 203.36.222.123 address?

You can't tell your router to NAT outbound traffic to an IP address which isn't configured on its external interface. And, since your external interface is 165.228.87.236, you're out of luck.

It'd be far easier for you to configure your secondary DNS to accept messages from the 165 address than to try and play silly buggers with your NAT configuration.

Cheers.

Hi Darren, thank you for the reply. The IP 203.36.222.123 is part of a 3-bit subnet that terminates at Dialer0. So Dialer0 has a single IP provided by the ISP and also a 3-bit subnet that I use for my servers. There is no other interface or way from the WAN to the LAN.

I have no control over the secondary DNS and therefore need to resolve this issue locally.

regards, Mark

Mark Gregory wrote:

Hi Darren, thank you for the reply. The IP 203.36.222.123 is part of a 3-bit subnet that terminates at Dialer0. So Dialer0 has a single IP provided by the ISP and also a 3-bit subnet that I use for my servers. There is no other interface or way from the WAN to the LAN.

I have no control over the secondary DNS and therefore need to resolve this issue locally.

regards, Mark

Ahhh, OK - so you do have those IP addresses somewhere. I assume they're routed to the IP of dialer0 by the ISP?

To NAT to this address, you need to have the router aware of the subnet - you have to configure it somewhere so the router knows it can route/NAT to/from this address.

Off the top of my head, I can't suggest a method to do this - I do it on my ASA firewalls, but I've never done this on a small router - not sure if the DMZ functionality is supported on the 887W, but have a look at this document

http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xr/dmz_port.html#wp1050856

and see if you can configure a DMZ and connect your DNS to that.

Because they're "live" addresses, you really shouldn't have to NAT them - can you maybe configure your internal DNS server with a second NIC and connect that into the DMZ configured above? Or even just move your DNS server into the DMZ process above and have your internal devices point to the "live" IP address (since once you configure the DMZ the router should know how to route to it, and lookups/management should work OK)?

Sorry I can't offer more. I can't think of a way to do what you want with NAT.

Hi Darren, thank you for the answer. I will hope that someone with more NAT experience can help. I don't want to setup a DMZ, I just need the static commands to override the overload command as it is not doing so now.

regards,

Mark

mgregory
Level 1

Hi, does anyone have any ideas how to get this to work correctly, please?

regards, Mark

Mark,

Can you run "debug ip nat" and do a dns query from that box so we can see if the router is even translating it? At first sight, I think your acl is overriding your static. If you remove the deny entry from your acl 100 for dns it should work. But if you don't want to do that, you can do a debug first on nat. What I think you'll find is that you're not seeing anything from that address on that port because it's not being natted in the first place. As a test, can you remove those lines from the acl?

John

HTH, John *** Please rate all useful posts ***

Hi John,

I had removed the deny lines a week ago, as they appear to be doing nothing and the problem persists.

I logged into the router using SSH, ran "enable" and then "debug ip nat". I went to the DNS server and did a DNS lookup on an external DNS server. How do I see the results of the debug ip nat?

regards, Mark

You'll need to type:

term mon

Then do your debug. After you're done, you'll type "term no mon" to get back to the prompt. Be careful if you have a lot of traffic though. You can create an acl and apply it for just that one host like this:

access-list 10 permit host 192.168.1.49

debug ip nat 10

HTH, John *** Please rate all useful posts ***

Are you using an address from the 203.36.222.123 range on your DNS server?

If you are using an address from the above range on your DNS, then just route the traffic to Dialer0 and there is no need for NATing, as it is a public address and routable via the internet.

HTH

Hi, as the problem states at the top, I have a 3-bit range for my servers. I use this range for the DNS server. The IP 203.36.222.123 is public, yes, but I cannot use this for the servers. This IP changes periodically.

Surely a $1300 Cisco 887W (which is one of the worst devices I have ever purchased - where is the gigabit 4-port switch?) can do what I need?

This is quite frustrating as it should be working.

I would appreciate assistance.

regards, Mark

I'm using PuTTY and the buffer does not appear very long. I have a lot of DNS traffic going to the DNS server. I have tried to capture the DNS lookup from the DNS server to an external DNS server.

Apr  6 10:47:25.967: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236
Apr  6 10:47:25.967: NAT: Dns type of Response
Apr  6 10:47:25.967:    : dns len=256, id=25, aa=0, tc=0, rd=1, ra=1
Apr  6 10:47:25.967:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.967:    : ancount=6, nscount=4, arcount=4
Apr  6 10:47:25.967:      query name is www.google.com, qtype=1,
Apr  6 10:47:25.967: Answer section:
Apr  6 10:47:25.967:    Name='www.google.com'
Apr  6 10:47:25.967:    RR type=5,, ttl=319239, data length=8
Apr  6 10:47:25.967:      CNAME='www.l.google.com'
Apr  6 10:47:25.967:    Name='www.l.google.com'
Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.967:      IP=74.125.237.49
Apr  6 10:47:25.967:    Name='www.l.google.com'
Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.967:      IP=74.125.237.50
Apr  6 10:47:25.967:    Name='www.l.google.com'
Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.967:      IP=74.125.237.51
Apr  6 10:47:25.967:    Name='www.l.google.com'
Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.967:      IP=74.125.237.52
Apr  6 10:47:25.967:    Name='www.l.google.com'
Apr  6 10:47:25.967:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.967:      IP=74.125.237.48
Apr  6 10:47:25.967: Authority section:
Apr  6 10:47:25.967:    Name='google.com'
Apr  6 10:47:25.967:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.967:      NS='ns3.google.com'
Apr  6 10:47:25.967:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns2.google.com'
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns4.google.com'
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns1.google.com'
Apr  6 10:47:25.971: Additional record section:
Apr  6 10:47:25.971:    Name='ns1.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4
Apr  6 10:47:25.971:      IP=216.239.32.10
Apr  6 10:47:25.971:    Name='ns2.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4
Apr  6 10:47:25.971:      IP=216.239.34.10
Apr  6 10:47:25.971:    Name='ns3.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4
Apr  6 10:47:25.971:      IP=216.239.36.10
Apr  6 10:47:25.971:    Name='ns4.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4
Apr  6 10:47:25.971:      IP=216.239.38.10
Apr  6 10:47:25.971: NAT (UDP-DNS): After Translation
Apr  6 10:47:25.971: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236
Apr  6 10:47:25.971: NAT: Dns type of Response
Apr  6 10:47:25.971:    : dns len=256, id=25, aa=0, tc=0, rd=1, ra=1
Apr  6 10:47:25.971:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.971:    : ancount=6, nscount=4, arcount=4
Apr  6 10:47:25.971:      query name is www.google.com, qtype=1,
Apr  6 10:47:25.971: Answer section:
Apr  6 10:47:25.971:    Name='www.google.com'
Apr  6 10:47:25.971:    RR type=5,, ttl=0, data length=8
Apr  6 10:47:25.971:      CNAME='www.l.google.com'
Apr  6 10:47:25.971:    Name='www.l.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.971:      IP=74.125.237.49
Apr  6 10:47:25.971:    Name='www.l.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.971:      IP=74.125.237.50
Apr  6 10:47:25.971:    Name='www.l.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.971:      IP=74.125.237.51
Apr  6 10:47:25.971:    Name='www.l.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.971:      IP=74.125.237.52
Apr  6 10:47:25.971:    Name='www.l.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=46, data length=4
Apr  6 10:47:25.971:      IP=74.125.237.48
Apr  6 10:47:25.971: Authority section:
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns3.google.com'
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns2.google.com'
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns4.google.com'
Apr  6 10:47:25.971:    Name='google.com'
Apr  6 10:47:25.971:    RR type=2,, ttl=232946, data length=6
Apr  6 10:47:25.971:      NS='ns1.google.com'
Apr  6 10:47:25.971: Additional record section:
Apr  6 10:47:25.971:    Name='ns1.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4
Apr  6 10:47:25.971:      IP=216.239.32.10
Apr  6 10:47:25.971:    Name='ns2.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4
Apr  6 10:47:25.971:      IP=216.239.34.10
Apr  6 10:47:25.971:    Name='ns3.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232879, data length=4
Apr  6 10:47:25.971:      IP=216.239.36.10
Apr  6 10:47:25.971:    Name='ns4.google.com'
Apr  6 10:47:25.971:    RR type=1,, ttl=232973, data length=4
Apr  6 10:47:25.971:      IP=216.239.38.10
Apr  6 10:47:25.971: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [22175]
Apr  6 10:47:25.975:  mapping pointer available mapping:0
Apr  6 10:47:25.975: NAT: [0] Allocated Port for 192.168.1.49 -> 165.228.87.236: wanted 58582 got 58582
Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]
Apr  6 10:47:25.995: NAT (UDP-DNS): Before Translation
Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4
Apr  6 10:47:25.995: NAT: Dns type of Query
Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0
Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0
Apr  6 10:47:25.995: NAT (UDP-DNS): After Translation
Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4
Apr  6 10:47:25.995: NAT: Dns type of Query
Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0
Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0
Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]
Apr  6 10:47:26.011: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9110]
Apr  6 10:47:26.011: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9110]
Apr  6 10:47:26.011: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9111]
Apr  6 10:47:26.015: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9111]
Apr  6 10:47:26.015: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32192]
Apr  6 10:47:26.015: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32192]
Apr  6 10:47:26.023: NAT: o: udp (139.130.4.4, 53) -> (165.228.87.236, 58582) [24151]
Apr  6 10:47:26.023: NAT (UDP-DNS): Before Translation
Apr  6 10:47:26.023: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236
Apr  6 10:47:26.023: NAT: Dns type of Response
Apr  6 10:47:26.023:    : dns len=90, id=26, aa=0, tc=0, rd=1, ra=1
Apr  6 10:47:26.023:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:26.023:    : ancount=1, nscount=1, arcount=0
Apr  6 10:47:26.023:      query name is www.google.com, qtype=28,
Apr  6 10:47:26.023: Answer section:
Apr  6 10:47:26.023:    Name='www.google.com'
Apr  6 10:47:26.023:    RR type=5,, ttl=319239, data length=8
Apr  6 10:47:26.023:      CNAME='www.l.google.com'
Apr  6 10:47:26.023: Authority section:
Apr  6 10:47:26.023:    Name='l.google.com'
Apr  6 10:47:26.023:    RR type=6,, ttl=574, data length=38
Apr  6 10:47:26.023:      MNAME='ns3.google.com'
Apr  6 10:47:26.023:      RNAME='dns-admin.google.com'
Apr  6 10:47:26.023:      SERIAL=1481899l, REFRESH=900l, RETRY=900, EXPIRE=1800l, MINIMUM=60l
Apr  6 10:47:26.023: Additional record section:
Apr  6 10:47:26.023: NAT (UDP-DNS): After Translation
Apr  6 10:47:26.023: NAT: Translation of UDP DNS src 139.130.4.4, dst 165.228.87.236
Apr  6 10:47:26.023: NAT: Dns type of Response
Apr  6 10:47:26.023:    : dns len=90, id=26, aa=0, tc=0, rd=1, ra=1
Apr  6 10:47:26.023:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:26.023:    : ancount=1, nscount=1, arcount=0
Apr  6 10:47:26.023:      query name is www.google.com, qtype=28,
Apr  6 10:47:26.023: Answer section:
Apr  6 10:47:26.023:    Name='www.google.com'
Apr  6 10:47:26.023:    RR type=5,, ttl=0, data length=8
Apr  6 10:47:26.023:      CNAME='www.l.google.com'
Apr  6 10:47:26.023: Authority section:
Apr  6 10:47:26.023:    Name='l.google.com'
Apr  6 10:47:26.023:    RR type=6,, ttl=574, data length=38
Apr  6 10:47:26.023:      MNAME='ns3.google.com'
Apr  6 10:47:26.023:      RNAME='dns-admin.google.com'
Apr  6 10:47:26.023:      SERIAL=1481899l, REFRESH=900l, RETRY=900, EXPIRE=1800l, MINIMUM=60l
Apr  6 10:47:26.023: Additional record section:
Apr  6 10:47:26.023: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [24151]
Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9715]
Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9715]
Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [9716]
Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [9716]
Apr  6 10:47:26.891: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [10945]
Apr  6 10:47:26.891: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [10945]
Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60867) -> (203.36.222.122, 443) [32204]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=203.36.222.122 [32204]
Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32205]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32205]
Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32206]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32206]
Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32207]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32207]
Apr  6 10:47:27.683: NAT*: o: tcp (165.228.87.236, 60867) -> (203.36.222.122, 443) [32204]
Apr  6 10:47:27.683: NAT*: s=165.228.87.236, d=203.36.222.122->192.168.1.50 [32204]
Apr  6 10:47:27.683: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [11943]
Apr  6 10:47:27.683: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [11943]
Apr  6 10:47:27.683: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32208]
Apr  6 10:47:27.683: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32208]
Apr  6 10:47:27.683: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32209]
Apr  6 10:47:27.683: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32209]
Apr  6 10:47:28.375: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [13913]
Apr  6 10:47:28.375: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [13913]
Apr  6 10:47:28.375: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [14615]
Apr  6 10:47:28.375: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [14615]
Apr  6 10:47:28.375: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32223]
Apr  6 10:47:28.375: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32223]
Apr  6 10:47:28.375: NAT: expiring 165.228.87.236 (192.168.1.88) udp 57435 (57435)
Apr  6 10:47:29.307: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [15934]
Apr  6 10:47:29.307: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [15934]
Apr  6 10:47:29.307: NAT*: i: udp (192.168.1.88, 57435) -> (58.96.69.61, 24618) [32225]
Apr  6 10:47:29.307: NAT*: s=192.168.1.88->165.228.87.236, d=58.96.69.61 [32225]
Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32226]
Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32226]
Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32227]
Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32227]
Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32228]
Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32228]
Apr  6 10:47:29.311:  mapping pointer available mapping:0
Apr  6 10:47:29.311: NAT: [0] Allocated Port for 192.168.1.88 -> 165.228.87.236: wanted 60869 got 60869
Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60869) -> (65.54.240.230, 443) [32229]
Apr  6 10:47:29.311: NAT*: i: tcp (192.168.1.88, 60869) -> (65.54.240.230, 443) [32229]
Apr  6 10:47:29.311: NAT*: s=192.168.1.88->165.228.87.236, d=65.54.240.230 [32229]
Apr  6 10:47:29.863: NAT*: o: tcp (65.55.142.37, 443) -> (165.228.87.236, 60868) [18124]
Apr  6 10:47:29.863: NAT*: s=65.55.142.37, d=165.228.87.236->192.168.1.88 [18124]
Apr  6 10:47:29.863: NAT*: o: tcp (65.54.240.230, 443) -> (165.228.87.236, 60869) [30297]
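The raw "debug ip nat" dump above is dominated by the DNS payload inspection lines, and the one fact that matters (which outside address each inside host was rewritten to) is buried in the "s=local->global" lines. The script below is an added example, not code from this thread: it parses the two line shapes that carry the translation, the "i:/o:" flow line and the "s=..., d=..." rewrite line, pairs them by the IP identification number shown in square brackets (the same number appears on both lines for one packet, as in the "[31742]" pair above), and reports every inside host whose packets left with a source address other than the one you expect. The sample lines are copied from the debug output in this post; the expected-address map is an assumption made for the check.

```python
"""Summarise Cisco IOS "debug ip nat" output: which outside address did each inside host get?

Added example for this thread; not the router's or Cisco's code.  Handles the two
line shapes that matter:

  NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]     flow line (i = inside->outside)
  NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]        rewrite line (source translated)

The bracketed number is the packet's IP identification field, so it links the two lines.
"""
import re
from collections import defaultdict

FLOW_RE = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>tcp|udp|icmp) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\) \[(?P<ipid>\d+)\]"
)
TRANS_RE = re.compile(
    r"NAT\*?: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ipid>\d+)\]"
)

# Constructed sample: lines copied from the debug output posted in this thread.
SAMPLE = """\
Apr  6 10:47:25.971: NAT: s=139.130.4.4, d=165.228.87.236->192.168.1.49 [22175]
Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]
Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]
Apr  6 10:47:26.015: NAT*: i: tcp (192.168.1.88, 60868) -> (65.55.142.37, 443) [32192]
Apr  6 10:47:26.015: NAT*: s=192.168.1.88->165.228.87.236, d=65.55.142.37 [32192]
Apr  6 10:47:26.891: NAT*: i: tcp (192.168.1.88, 60867) -> (203.36.222.122, 443) [32204]
Apr  6 10:47:26.891: NAT*: s=192.168.1.88->165.228.87.236, d=203.36.222.122 [32204]
Apr  6 10:47:27.683: NAT*: s=165.228.87.236, d=203.36.222.122->192.168.1.50 [32204]
""".splitlines()


def outbound_translations(lines):
    """Return {inside_local: {(proto, source_port, inside_global), ...}} for inside->outside packets.

    Only rewrite lines whose *source* changed ("s=A->B") are inside->outside; lines that
    rewrite the destination ("d=A->B") are return traffic and are ignored here.
    """
    flows = {}                      # ipid -> (proto, sport) from the most recent flow line
    out = defaultdict(set)
    for line in lines:
        f = FLOW_RE.search(line)
        if f:
            flows[f["ipid"]] = (f["proto"], int(f["sport"]))
            continue
        t = TRANS_RE.search(line)
        if t and t["src_new"]:
            proto, sport = flows.get(t["ipid"], ("?", 0))
            out[t["src"]].add((proto, sport, t["src_new"]))
    return dict(out)


def wrong_source_address(lines, expected):
    """List (host, proto, sport, actual_global) for hosts that left with an address
    other than the one in `expected` ({inside_local: inside_global})."""
    bad = []
    for host, trans in outbound_translations(lines).items():
        want = expected.get(host)
        if want is None:
            continue
        for proto, sport, actual in sorted(trans):
            if actual != want:
                bad.append((host, proto, sport, actual))
    return bad


if __name__ == "__main__":
    # Assumed expectation for this thread: the DNS server should always appear as 203.36.222.123.
    for host, proto, sport, actual in wrong_source_address(SAMPLE, {"192.168.1.49": "203.36.222.123"}):
        print(f"{host} {proto}/{sport} went out as {actual}")
```

Run it against a full capture with `debug ip nat 10` limited to the one host, as suggested earlier in the thread, and the output shrinks to exactly the flows that were overloaded onto the Dialer0 address instead of hitting a static.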

Mark,

Did you take your deny lines out? Here's what I'm seeing:

Apr  6 10:47:25.995: NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53) [31742]
Apr  6 10:47:25.995: NAT (UDP-DNS): Before Translation
Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4
Apr  6 10:47:25.995: NAT: Dns type of Query
Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0
Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0
Apr  6 10:47:25.995: NAT (UDP-DNS): After Translation
Apr  6 10:47:25.995: NAT: Translation of UDP DNS src 192.168.1.49, dst 139.130.4.4
Apr  6 10:47:25.995: NAT: Dns type of Query
Apr  6 10:47:25.995:    : dns len=20, id=26, aa=0, tc=0, rd=1, ra=0
Apr  6 10:47:25.995:    : opcode=0, rcode=0, qdcount=1
Apr  6 10:47:25.995:    : ancount=0, nscount=0, arcount=0
Apr  6 10:47:25.995: NAT: s=192.168.1.49->165.228.87.236, d=139.130.4.4 [31742]

You're being natted out as 165.228.87.236. Can you do me a favor? From the 192.168.1.49 server, can you go to www.whatismyip.com and see if it's the 203 address that you have above? Or does that address also show you as 165.228.87.236?

HTH, John *** Please rate all useful posts ***

Hi,

From the .49 server, the IP is seen as 165.228.87.236 by whatsmyip.com.

Yes, I took the deny lines out.

regards, Mark

Mark,

The reason for that test is because you also have a static for port 80. It doesn't look like you're going out as 203.x.x.x. How is the provider giving you the 203 address?

*Edit* I noticed that you have the address statically set on the dialer interface. Do you have a block in the 203 range? If so, you should try to put the 203 address on that interface and your problem should be resolved.

John

HTH, John *** Please rate all useful posts ***
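The thread stops here without stating why the port-specific statics never catch the NOTIFY traffic, so the following is an added example, not anything posted by the participants. It models the inside-to-outside decision IOS makes for the configuration quoted at the top: static translations are consulted before the dynamic (access-list) rule, and a static that names a protocol and port only matches packets whose inside-local port is that port. A DNS NOTIFY is sent by the primary from an ephemeral source port to port 53 on the secondary (the thread never names the DNS software, so the ephemeral-port behaviour is assumed), which is why it falls through to access-list 100 and is overloaded onto the Dialer0 address, exactly as the "debug ip nat" line for the recursive lookup shows. The same model shows why the ACL deny lines changed nothing (their "eq domain" clause matches source port 53, which NOTIFY does not use) and what a whole-host static, assumed here as the candidate fix rather than taken from the thread, would do instead. The secondary's address 198.51.100.53 and the other peer addresses are constructed placeholders.

```python
"""Model of the inside->outside NAT decision for the configuration posted in this thread.

Added example; not IOS code and not from the thread.  Modelled IOS behaviour:
  1. static translations are checked first; a static with "tcp|udp local lport global gport"
     matches only that protocol and that inside-local source port;
  2. if no static matches, the packet is run through the dynamic rule's access-list and,
     if permitted, overloaded onto the Dialer0 address.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

DIALER0_ADDR = "165.228.87.236"      # "ip nat inside source list 100 interface Dialer0 overload"
SERVER_LOCAL = "192.168.1.49"
SERVER_GLOBAL = "203.36.222.123"


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Static:
    """One "ip nat inside source static ..." line.  proto=None means a whole-host static."""
    local: str
    global_: str
    proto: Optional[str] = None
    lport: Optional[int] = None

    def matches(self, pkt):
        if pkt.src != self.local:
            return False
        if self.proto is None:
            return True                                   # all protocols, all ports
        return pkt.proto == self.proto and pkt.sport == self.lport


@dataclass(frozen=True)
class AclEntry:
    """One access-list 100 line; sport is the "eq domain" source-port qualifier (None = any)."""
    action: str         # "permit" or "deny"
    proto: str          # "ip", "tcp" or "udp"
    src_net: str        # "192.168.1.0/24" or "192.168.1.49/32" (host)
    sport: Optional[int] = None

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return self.sport is None or self.sport == pkt.sport


def acl_permits(acl, pkt):
    for entry in acl:                                     # first match wins, implicit deny at the end
        if entry.matches(pkt):
            return entry.action == "permit"
    return False


def inside_to_outside(pkt, statics, acl, overload_addr):
    """Return (source address the packet leaves with, or None if untranslated; rule that decided)."""
    for s in statics:
        if s.matches(pkt):
            return s.global_, f"static {s.proto or 'ip'} {s.local}:{s.lport or '*'}"
    if acl_permits(acl, pkt):
        return overload_addr, "dynamic overload (acl 100)"
    return None, "no translation (acl 100 deny)"


# The statics and access-list exactly as posted at the top of the thread.
THREAD_STATICS = [
    Static(SERVER_LOCAL, SERVER_GLOBAL, "tcp", 53),
    Static(SERVER_LOCAL, SERVER_GLOBAL, "udp", 53),
    Static(SERVER_LOCAL, SERVER_GLOBAL, "tcp", 80),
    Static(SERVER_LOCAL, SERVER_GLOBAL, "tcp", 443),
]
ACL_100 = [
    AclEntry("deny", "tcp", "192.168.1.49/32", 53),
    AclEntry("deny", "udp", "192.168.1.49/32", 53),
    AclEntry("permit", "ip", "192.168.1.0/24"),
]
# Assumed candidate fix (not from the thread): a whole-host static for the DNS server,
# i.e. "ip nat inside source static 192.168.1.49 203.36.222.123", ahead of the port statics.
FIXED_STATICS = [Static(SERVER_LOCAL, SERVER_GLOBAL)] + THREAD_STATICS

# Constructed packets.  198.51.100.x are placeholder peers; 139.130.4.4/58582 is the lookup from the debug output.
SECONDARY_DNS = "198.51.100.53"
NOTIFY = Packet("udp", SERVER_LOCAL, 49152, SECONDARY_DNS, 53)      # NOTIFY: ephemeral source port -> 53
RECURSIVE = Packet("udp", SERVER_LOCAL, 58582, "139.130.4.4", 53)   # recursive lookup seen in debug ip nat
ANSWER = Packet("udp", SERVER_LOCAL, 53, "198.51.100.7", 40123)     # reply to a query that arrived via the static


def demo():
    """For each packet: (address with the thread's config, address with the whole-host static)."""
    return {
        name: (
            inside_to_outside(pkt, THREAD_STATICS, ACL_100, DIALER0_ADDR)[0],
            inside_to_outside(pkt, FIXED_STATICS, ACL_100, DIALER0_ADDR)[0],
        )
        for name, pkt in (("notify", NOTIFY), ("recursive", RECURSIVE), ("answer", ANSWER))
    }


if __name__ == "__main__":
    for name, (before, after) in demo().items():
        print(f"{name:9s} thread config -> {before:16s} whole-host static -> {after}")
```

Two things the model makes visible: the ACL deny lines are never consulted for a packet sourced from port 53 (the udp/53 static wins first), and they do not match a NOTIFY at all, so removing them had no effect either way. Whether the whole-host static is the right fix on the real router still depends on the ISP routing the /29 to the Dialer0 address, which the thread asserts but does not show.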