NAT Priority Question

mgregory
Level 1

Hi, I have a 887W and would appreciate help sorting out a NAT question.

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 deny   tcp host 192.168.1.49 eq domain any
access-list 100 deny   udp host 192.168.1.49 eq domain any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

My question relates to only one server so it is included. I have about 10 servers in the LAN.

I have a secondary DNS in the WAN. When my DNS server sends out notify messages to the secondary DNS the secondary DNS receives the messages from Dialer0 (165.228.87.236) and rejects the notify messages because it expects the messages to come from 203.36.222.123

How do I change the NAT settings so that 192.168.1.49 outgoing traffic will appear on the outside as 203.36.222.123?

regards, Mark

26 Replies

Hi, it is part of a 3-bit subnet that terminates at 165.228.87.236

more info from my config

interface Dialer0
 description $FW_OUTSIDE$
 ip address 165.228.87.236 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static udp 192.168.1.49 53 203.36.222.123 53 extendable
ip nat inside source static tcp 192.168.1.49 80 203.36.222.123 80 extendable
ip nat inside source static tcp 192.168.1.49 443 203.36.222.123 443 extendable

ip route 0.0.0.0 0.0.0.0 165.228.87.1

access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 165.228.87.0 0.0.0.255 any

access-list 104 permit ip any host 192.168.1.49

The dialer0 interface IP is allocated by service provider ADSL2+. I do not think it can be changed.

I have a 3-bit subnet for the 203.36.222.120 to 127

Can I add this to the dialer interface? I would like to know how to do this.

How would this solve the problem?

regards, Mark

Mark,

The router will nat out an address that's on the external interface. You can nat out a different address on an ASA, but I don't think it's possible to do it with a router. I'd have to lab that up as I've never done it before. If you *cannot* do it, the only option that you have is to put your 203 address on your interface. It will fix the problem because now the router can nat out of the interface address that's physically on the dialer.

John

HTH, John *** Please rate all useful posts ***

Hi John,

the dialer0 is ADSL2+ so I do not think I can change the interface IP. I thought there would be some sort of priority happening for traffic going out but it appears that this is not the case. I read that using deny on the designated NAT would force the outgoing traffic to use the static NAT. This also appears to have not worked.

I'm at a loss for ideas to try. I would have thought that the 887W was up to this. It certainly cost a lot for a device that did not even come with a Gbps internal switch.

I appreciate your help today and if you have any new ideas, I would appreciate hearing them.

regards, Mark

Mark,

I'll try to lab this up today, but unfortunately I'm not seeing a way around it at the moment. If the provider gave you a block of IPs, they surely should expect you to be using them. Let me play around with it and I'll get back to you.

John


HTH, John *** Please rate all useful posts ***

Hi John,

The 3-bit IP range works great for incoming traffic. I have 5 servers each with incoming ports from separate IP. The only issue is the outgoing notify messages from the primary DNS to the secondary DNS server which is outside the LAN on the internet. It must receive the notify messages from the primary DNS external IP.

Just one small catch.....

I cannot change the Dialer0 IP as it is allocated as part of the ADSL2+ setup - this is allocated by the service provider.

The trick will be to see if the outgoing port 53 can be forced to go out using an IP other than Dialer0.

regards, Mark

Mark,

I labbed it up and here's the problem with your config (I think). If I specify the source port and destination port, it doesn't work because outbound I'm using a high port which explains:

NAT: i: udp (192.168.1.49, 58582) -> (139.130.4.4, 53)

Can you do another test? Since all of these addresses go to the same public address, can you remove all of your nat statements and do a 1-1 nat?

ip nat inside source static 192.168.1.49 203.36.222.123 extendable

Since the source port isn't 53, it's not hitting your nat statement and going out your regular pool.

See if that resolves the issue...

John

HTH, John *** Please rate all useful posts ***

Hi John,

I understand that you're suggesting that I remove all the NAT statements including the designated NAT statement for vlan1 and then do a static nat for 49 to 123

I would need an ACL to only permit port 53 tcp and udp access wouldn't I?

The problem is there are more than the 5 servers on the subnet and they need NAT through Dialer0.

I think I see what you're suggesting. At the moment the ACL is permitting all traffic to access .49, but this is limited by the port translation.

Now you're suggesting translating all of .49 to .123 and using an ACL to limit what ports would be open.

I'm afraid that I would need advice on how to do this. My servers are live and I could take them offline for a while, but not too long.

It is also very late here and I will need to continue tomorrow.

regards, Mark

Mark,

I labbed it up and attached a diagram. You have the correct idea. Do a one-to-one nat on the one address. Everyone else will go out as the other address in the pool that you have:

R3 is natted out as 5.5.5.3 and R4 is natted out as 5.5.5.4. If you notice R1 and R2 are on the 172.12.0.0/24 network. I put a route to 5.5.5.0/24 on R1 pointing back to R2. This works as intended:

Running "debug ip packet" on R1 shows:

Pinging from R3:

*Mar  1 00:12:07.383: IP: tableid=0, s=5.5.5.3 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:12:07.387: IP: s=5.5.5.3 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:12:07.387: IP: tableid=0, s=172.12.0.1 (local), d=5.5.5.3 (FastEthernet0/0), routed via FIB
*Mar  1 00:12:07.391: IP: s=172.12.0.1 (local), d=5.5.5.3 (FastEthernet0/0), len 100, sending

Pinging from R4:

*Mar  1 00:13:03.179: IP: tableid=0, s=5.5.5.4 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:13:03.183: IP: s=5.5.5.4 (FastEthernet0/0), d=172.12.0.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:13:03.183: IP: tableid=0, s=172.12.0.1 (local), d=5.5.5.4 (FastEthernet0/0), routed via FIB
*Mar  1 00:13:03.183: IP: s=172.12.0.1 (local), d=5.5.5.4 (FastEthernet0/0), len 100, sending

Here's a "debug ip nat" from R2:

*Mar  1 00:12:07.559: NAT*: s=192.168.234.3->5.5.5.3, d=172.12.0.1 [8]
*Mar  1 00:12:07.611: NAT*: s=172.12.0.1, d=5.5.5.3->192.168.234.3 [8]
*Mar  1 00:13:03.375: NAT*: s=192.168.234.4->5.5.5.4, d=172.12.0.1 [2]
*Mar  1 00:13:03.403: NAT*: s=172.12.0.1, d=5.5.5.4->192.168.234.4 [2]

And finally, here's the config on R2:

ip nat pool NATOnly3 5.5.5.3 5.5.5.3 prefix-length 24
ip nat inside source list NATOnly3 pool NATOnly3
ip nat inside source static 192.168.234.4 5.5.5.4

Extended IP access list NATOnly3
    10 permit ip 192.168.234.0 0.0.0.255 any (1 match)

I'm not denying the address 192.168.234.4 from the ACL, but as you can see above it works fine. From your perspective, if you'll remove all of the port translated static nats and just do the one-to-one, all of your stuff should work fine.

HTH,

John

HTH, John *** Please rate all useful posts ***

Hi John,

thank you for the ideas.

I'm going to work this through and see what happens.

One issue I see potentially is that I would need to exclude 49 from the subnet range to be able to do what you suggest. Your pool is only one IP? What happens when it is the class C that includes the IP of the static?

Are you able to use the same IP ranges that I have so it would be easier to see what is happening?

Hope your Easter is going well.

regards, Mark

Mark,

I reset this up for you using the addresses that you have so you can see what it looks like. The topology is the same but the router names have changed because I set this up on a different system, so I'll attach a screenshot:

Here's the config on R7:

interface FastEthernet0/0
 ip address 165.228.87.236 255.255.255.0
 ip nat outside

interface FastEthernet0/1
 ip address 192.168.1.7 255.255.255.0
 ip nat inside

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.49 203.36.222.123 extendable

Extended IP access list 101
    10 permit ip 192.168.1.0 0.0.0.255 any (2 matches)

Routers R8 and R9 have a default gateway that points to R7. There are no default routes on R6. R6 has a static route to the 203 address:

ip route 203.36.222.120 255.255.255.248 165.228.87.236

Running a debug on R7:

Ping from R8:

*Mar  1 00:30:15.139: NAT*: s=192.168.1.50->165.228.87.236, d=165.228.87.1 [46]
*Mar  1 00:30:15.163: NAT*: s=165.228.87.1, d=165.228.87.236->192.168.1.50 [46]

Ping from R9:

*Mar  1 00:30:56.407: NAT*: s=192.168.1.49->203.36.222.123, d=165.228.87.1 [18]
*Mar  1 00:30:56.415: NAT*: s=165.228.87.1, d=203.36.222.123->192.168.1.49 [18]

Running debugs on R6:

Ping from R8:

*Mar  1 00:30:15.571: IP: s=165.228.87.236 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:30:15.571: IP: tableid=0, s=165.228.87.1 (local), d=165.228.87.236 (FastEthernet0/0), routed via FIB
*Mar  1 00:30:15.575: IP: s=165.228.87.1 (local), d=165.228.87.236 (FastEthernet0/0), len 100, sending
*Mar  1 00:30:15.603: IP: tableid=0, s=165.228.87.236 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB

Ping from R9:

*Mar  1 00:30:56.835: IP: tableid=0, s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB
*Mar  1 00:30:56.835: IP: s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), len 100, rcvd 3
*Mar  1 00:30:56.835: IP: tableid=0, s=165.228.87.1 (local), d=203.36.222.123 (FastEthernet0/0), routed via FIB
*Mar  1 00:30:56.835: IP: s=165.228.87.1 (local), d=203.36.222.123 (FastEthernet0/0), len 100, sending
*Mar  1 00:30:56.847: IP: tableid=0, s=203.36.222.123 (FastEthernet0/0), d=165.228.87.1 (FastEthernet0/0), routed via RIB

You can see from the acl above that I'm not excluding the .49 address from the pool, but the static nat overrides dynamic nat.

Have a good Easter

John

HTH, John *** Please rate all useful posts ***
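Editor's note, an added example that is not part of the thread or of any Cisco code. The two points John makes above (a port-specific static entry only catches outbound traffic whose inside source port matches, so a NOTIFY sent from ephemeral port 58582 falls through to the Dialer0 overload; and a one-to-one static is consulted before the dynamic rule, so the .49 host needs no carve-out from ACL 100) are easy to check in a small model of how IOS selects an "ip nat inside source" translation. The model assumes that ordering, which is how IOS behaves; the secondary-DNS and outside-probe addresses are constructed, everything else is taken from Mark's and John's configs. It also shows the catch Mark raised: once .49 is one-to-one, every port on 203.36.222.123 reaches the server from the Internet, so the out-zone firewall policy (or an inbound ACL on Dialer0) has to do the port filtering the port-forward entries used to do.

```python
"""Model of Cisco IOS 'ip nat inside source' rule selection (added example).

Assumes, as IOS does, that static translations are checked before the dynamic
ACL/overload rule, that a port-specific static matches outbound traffic only
when protocol and inside source port both match, and that a one-to-one static
matches anything from its inside-local host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticPort:  # ip nat inside source static <proto> <local> <lport> <global> <gport> extendable
    proto: str
    inside_local: str
    local_port: int
    inside_global: str
    global_port: int


@dataclass(frozen=True)
class StaticOneToOne:  # ip nat inside source static <local> <global>
    inside_local: str
    inside_global: str


@dataclass(frozen=True)
class DynamicOverload:  # ip nat inside source list <acl> interface <if> overload
    acl_permit: str                                   # source network the ACL permits
    interface_ip: str                                 # address of the NAT outside interface
    acl_deny: Tuple[Tuple[str, str, int], ...] = ()   # (proto, host, source port) deny lines


def translate_outbound(rules, pkt: Packet) -> Optional[Tuple[str, int, object]]:
    """Inside->outside: return (new source, new source port, rule that matched)."""
    for r in rules:  # statics first: they take precedence over dynamic NAT
        if isinstance(r, StaticPort):
            if (r.proto, r.inside_local, r.local_port) == (pkt.proto, pkt.src, pkt.sport):
                return r.inside_global, r.global_port, r
        elif isinstance(r, StaticOneToOne) and r.inside_local == pkt.src:
            return r.inside_global, pkt.sport, r
    for r in rules:
        if isinstance(r, DynamicOverload):
            if (pkt.proto, pkt.src, pkt.sport) in r.acl_deny:
                continue  # a deny keyed on source port 53 never sees ephemeral ports
            if ip_address(pkt.src) in ip_network(r.acl_permit):
                return r.interface_ip, pkt.sport, r  # PAT keeps the port when it is free
    return None


def translate_inbound(rules, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Outside->inside to an inside-global address. Only static entries open anything;
    dynamic PAT has no session table in this model."""
    for r in rules:
        if isinstance(r, StaticPort):
            if (r.proto, r.inside_global, r.global_port) == (pkt.proto, pkt.dst, pkt.dport):
                return r.inside_local, r.local_port
        elif isinstance(r, StaticOneToOne) and r.inside_global == pkt.dst:
            return r.inside_local, pkt.dport
    return None


DIALER0 = "165.228.87.236"       # ISP-assigned Dialer0 address (from the thread)
SERVER = "192.168.1.49"          # primary DNS on the LAN (from the thread)
PUBLIC = "203.36.222.123"        # its address in the /29 (from the thread)
LAN = "192.168.1.0/24"
SECONDARY_DNS = "203.0.113.53"   # constructed: the off-site secondary DNS
PROBE_SRC = "198.51.100.9"       # constructed: an arbitrary Internet host

PORT_STATICS = [
    StaticPort("tcp", SERVER, 53, PUBLIC, 53),
    StaticPort("udp", SERVER, 53, PUBLIC, 53),
    StaticPort("tcp", SERVER, 80, PUBLIC, 80),
    StaticPort("tcp", SERVER, 443, PUBLIC, 443),
]
ORIGINAL = PORT_STATICS + [DynamicOverload(LAN, DIALER0)]
# Mark's attempt: access-list 100 deny tcp/udp host 192.168.1.49 eq domain any
WITH_DENY = PORT_STATICS + [
    DynamicOverload(LAN, DIALER0, acl_deny=(("tcp", SERVER, 53), ("udp", SERVER, 53)))]
# John's fix: one-to-one static; everyone else still overloads on Dialer0
FIXED = [StaticOneToOne(SERVER, PUBLIC), DynamicOverload(LAN, DIALER0)]

# The NOTIFY John's debug caught: ephemeral source port, destination port 53
NOTIFY = Packet("udp", SERVER, 58582, SECONDARY_DNS, 53)


def notify_source(rules) -> Optional[str]:
    """Source address the secondary DNS sees on the NOTIFY."""
    hit = translate_outbound(rules, NOTIFY)
    return hit[0] if hit else None


def exposed_tcp_ports(rules, probe=(22, 53, 80, 443, 3389)) -> Tuple[int, ...]:
    """TCP ports on PUBLIC that an outside host can reach on the server through NAT alone."""
    return tuple(p for p in probe
                 if translate_inbound(rules, Packet("tcp", PROBE_SRC, 40000, PUBLIC, p)))


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("with deny", WITH_DENY), ("fixed", FIXED)):
        print(f"{name:10} NOTIFY seen from {notify_source(rules)}, "
              f"inbound TCP ports reaching .49: {exposed_tcp_ports(rules)}")
```

Running it shows the NOTIFY leaving as 165.228.87.236 for both the original config and the one with the port-53 deny lines, and as 203.36.222.123 once the one-to-one static is in place, while the set of inbound ports that reach .49 grows from 53/80/443 to every port probed. NAT is not a filter; the restriction has to come from the zone-based firewall policy already applied to Dialer0 or an explicit inbound ACL.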

Hi John,

I will give this a go tomorrow, it is late here again.

How does the actual route to the next WAN device fit into this?

ip route 0.0.0.0 0.0.0.0 165.228.87.1

You may have mentioned it. I will spend some time tomorrow and have a look.

regards

mark
