johnny_5
Beginner

NAT problem???

I'm trying to get to my Apache web server that I have successfully set up on my network from the outside using the public IP 12.218.xxx.xx2

I can get to the server via 192.168.2.32 on my network with no issue.

Shouldn't using "extendable" allow users to access it or do I need to specify the port ID/number?

I have included part of the config below.

Any help would be appreciated, thanks

interface FastEthernet0/0
 ip address 12.218.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 service-policy output physical
 !
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.1
 description  LAN
 encapsulation dot1Q 1 native
 ip address 192.168.2.254 255.255.254.0
 ip access-group 120 in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly

!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.218.xxx.xxx
ip route 10.5.5.0 255.255.255.0 10.5.1.1
ip route 10.10.0.0 255.255.255.0 172.17.0.5
ip route 10.10.200.0 255.255.255.0 172.17.0.5
ip route 10.14.0.0 255.255.0.0 192.168.2.1

!
ip flow-top-talkers
 top 20
 sort-by bytes
 cache-timeout 3000
!
ip nat inside source list 2 interface FastEthernet0/0 overload
ip nat inside source static 192.168.2.32 12.218.xxx.xx2 extendable
!
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 10.5.5.0 0.0.0.255
access-list 2 permit 10.5.1.0 0.0.0.255
access-list 2 permit 10.27.131.0 0.0.0.255
access-list 2 permit 10.27.129.0 0.0.0.255
access-list 2 permit 172.17.0.0 0.0.0.255
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit 12.218.xxx.xxx 0.0.0.7
access-list 120 permit tcp host 192.168.2.23 any eq smtp
access-list 120 permit tcp host 192.168.2.27 any eq smtp
access-list 120 permit tcp host 192.168.3.201 any eq smtp
access-list 120 permit tcp host 192.168.2.13 any eq smtp
access-list 120 deny   tcp any any eq smtp
access-list 120 permit ip 192.168.2.0 0.0.1.255 any
access-list 120 permit ip 10.27.131.0 0.0.0.255 any
access-list 120 permit ip 10.27.129.0 0.0.0.255 any
access-list 120 permit ip 10.27.130.0 0.0.0.255 any
access-list 120 permit ip 10.10.200.0 0.0.0.255 any
access-list 120 permit ip 10.10.0.0 0.0.0.255 any
access-list 120 permit ip 172.17.0.0 0.0.0.255 any
access-list 120 permit udp any any eq bootps
access-list 120 permit udp any any eq bootpc
access-list 120 permit ip 192.168.50.0 0.0.0.255 any
access-list 120 permit ip host 12.218.xxx.xx2 any
access-list 120 permit ip any host 12.218.xxx.xx2

access-list 150 permit ip any 192.168.50.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 any

Jon Marshall
VIP Community Legend

John

If the issue is that you want your internal clients to be able to access the server on its public IP, then it is nothing to do with the "extendable" keyword.

If that is the problem then personally if at all possible I would always have internal clients using the internal IP address although this does assume you have internal DNS.

However if you do want that you can use something called NAT loopback to try and solve your problem.

I have never used it and it can be tricky to say the least to setup according to the comments in the following thread but I think with IOS this is your only option -

https://supportforums.cisco.com/discussion/11734176/nat-loopback

If that is not your issue, then please clarify.

Jon

Thanks for the replies.

To clarify - the web server was set up just to get the routing working. Eventually the IP address will be assigned to a report printer for external customers to be able to print off reports for test purposes. Our test involved getting the internal IP to reply - which worked.

The main usage will be by the external customers using the public IP 12.218.xxx.xx2.

I thought there may be an issue with the ACLs I have put on the router?

rizwanr74

I will add your "ip nat inside..." line indicating port 80... should I remove the 2 ACL entries in order for this to work?

Hi John,

 

That is correct, you don't need them; besides, you have more explicit permit lines for internal subnets to any, and so internal-to-external NAT will allow return traffic to come back.

access-list 120 permit ip host 12.218.xxx.xx2 any
access-list 120 permit ip any host 12.218.xxx.xx2

Hope that answers your question

I removed the 2 entries from the access list 120.

Modified the NAT statement but am still having no luck hitting the site from the outside. Still investigating here.

Hi John,

Please try these lines.

ip inspect name FW tcp
ip inspect name FW udp

access-list 101 permit tcp any host 12.218.xxx.xx2 eq 80


interface FastEthernet0/0
  ip inspect FW in
  ip access-group 101 in

If this does not work, you may want to check with your ISP, to find out whether there is a routing problem from their side.

 

thanks

Rizwan Rafeek.

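As an added example (my own code, not from this thread, Cisco, or any poster), the following Python model of IOS numbered-ACL matching shows two things the replies above state but do not demonstrate: why the two `access-list 120 ... host 12.218.xxx.xx2` entries are not needed (ACL 120 is applied inbound on the LAN sub-interface, and LAN-sourced traffic already hits the broader `permit ip 192.168.2.0 0.0.1.255 any` entry first), and what Rizwan's proposed ACL 101 on FastEthernet0/0 admits from the outside (only TCP/80 to the NAT address, with IOS's implicit deny catching everything else, the same narrowing his later port-level static NAT achieves at the translation layer). Assumptions: 203.0.113.2 stands in for the masked public address 12.218.xxx.xx2, 198.51.100.7 is a constructed outside host, the ACL text is a condensed copy of the thread's lines, and the model ignores `established`, `log`, port ranges, and the stateful return-traffic handling that `ip inspect` (CBAC) adds.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names IOS accepts in place of port numbers (those used in the thread).
PORT_NAMES = {"smtp": 25, "bootps": 67, "bootpc": 68, "www": 80}
# Placeholder standing in for the poster's masked public address 12.218.xxx.xx2.
PUBLIC_IP = "203.0.113.2"
# Constructed sample: a condensed copy of the thread's ACL 120 (applied "in" on
# the LAN sub-interface) plus Rizwan's proposed ACL 101 for the WAN interface.
ACL_TEXT = f"""
access-list 120 permit tcp host 192.168.2.23 any eq smtp
access-list 120 deny   tcp any any eq smtp
access-list 120 permit ip 192.168.2.0 0.0.1.255 any
access-list 120 permit udp any any eq bootps
access-list 120 permit ip host {PUBLIC_IP} any
access-list 120 permit ip any host {PUBLIC_IP}
access-list 101 permit tcp any host {PUBLIC_IP} eq 80
"""

@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "ip" matches any protocol
    src: int
    src_wild: int          # Cisco wildcard mask: 1 bits are "don't care"
    src_port: Optional[int]
    dst: int
    dst_wild: int
    dst_port: Optional[int]

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    wild = _ip(tokens.pop(0)) if tokens and "." in tokens[0] else 0
    return _ip(tok), wild

def _port(tokens):
    """Consume an optional 'eq <number|name>' qualifier."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return PORT_NAMES[p] if p in PORT_NAMES else int(p)
    return None

def parse_acl(text):
    """Parse numbered 'access-list' lines into {number: [Entry, ...]}, order kept."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        if number <= 99:                       # standard ACL: source only
            src, src_wild = _addr(rest)
            entry = Entry(action, "ip", src, src_wild, None, 0, 0xFFFFFFFF, None)
        else:                                  # extended ACL
            proto = rest.pop(0)
            src, src_wild = _addr(rest)
            sport = _port(rest)
            dst, dst_wild = _addr(rest)
            entry = Entry(action, proto, src, src_wild, sport, dst, dst_wild, _port(rest))
        acls.setdefault(number, []).append(entry)
    return acls

def _match(addr, wild, candidate):
    mask = ~wild & 0xFFFFFFFF                  # wildcard 0 bits must match exactly
    return addr & mask == candidate & mask

def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First-match evaluation ending in IOS's implicit deny.
    Returns (action, 1-based index of the matching entry) or ("deny", None)."""
    s, d = _ip(src), _ip(dst)
    for i, e in enumerate(entries, 1):
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_match(e.src, e.src_wild, s) and _match(e.dst, e.dst_wild, d)):
            continue
        if e.src_port is not None and e.src_port != sport:
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        return e.action, i
    return "deny", None

def strip_public_ip_entries(entries, public_ip):
    """Drop the host entries naming the public address, as Rizwan advised."""
    p = _ip(public_ip)
    return [e for e in entries
            if not ((e.src_wild == 0 and e.src == p) or (e.dst_wild == 0 and e.dst == p))]

ACLS = parse_acl(ACL_TEXT)
```

Usage: `evaluate(ACLS[120], "tcp", "192.168.2.32", "198.51.100.7", sport=80, dport=51000)` returns `("permit", 3)` for the web server's reply leaving the LAN, and the result is unchanged after `strip_public_ip_entries(ACLS[120], PUBLIC_IP)` because the two host entries sit below the subnet permit and are never consulted. On the WAN side, `evaluate(ACLS[101], "tcp", "198.51.100.7", PUBLIC_IP, sport=40000, dport=80)` is permitted while the same flow to port 22 falls through to the implicit deny; the return leg of the outbound connection is what `ip inspect` is there to admit, which this stateless model deliberately leaves out.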
In theory what we added to the router should have worked. Luckily I had another 1900 here and used that IP on the interface along with the rest of the commands and ACLs.

It worked right away, believe it or not, so I don't know what exactly is the problem with the main GW router. We are continuing to investigate.

Thanks for all your help!


rizwanr74
Rising star

You might want to narrow down to port-level translation rather than allowing all ports through IP-to-IP translation.

ip nat inside source static tcp 192.168.2.32 80 12.218.xxx.xx2 80 extendable

It is OK to keep IP-to-IP internally.

Hope this helps.

thanks