
NAT problems (load balancing with CEF, IPSEC,... working)

matej.pisek
Level 1

Hey all!

I have configured a lot of Cisco 800 routers, but this one is giving me a hard time... with NAT.

It is a Cisco 892 connected to dual WAN PPP for load balancing with CEF, has IPsec set up,... simple enough and everything works! But NAT to access the router from the global side to the local inside network doesn't! I can't even ssh/telnet because of that.

I've changed the passwords and all that and I've cleared some rubbish like static DHCP bindings, PPP Dialer redundancy,...

I'm in Germany but am leaving the next day; remote access doesn't work like I said, so please help, somebody! Thanks!

Current configuration : 6994 bytes
!
! Last configuration change at 19:03:08 CET Sun Oct 23 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$nv..fsefs3fsw3sfs3f
!
no aaa new-model
!
!
!
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint companyx
 enrollment selfsigned
 serial-number
 revocation-check crl
!
!
crypto pki certificate chain companyx
 certificate self-signed 01
  30820277 308201E0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  42314030 12060355 0405130B 46435A31 35333843 35514330 2A06092A 864886F7
  0D010902 161D726F 75746572 2E6F6666 6963652E 6D616467 656E6975 7365732E
  6E657430 1E170D31 31313032 33313435 3032395A 170D3230 30313031 30303030
  30305A30 42314030 12060355 0405130B 46435A31 35333843 35514330 2A06092A
  864886F7 0D010902 fsfesfse 75746572 2E6F6666 6963652E 6D616467 656E6975
  7365732E 6E657430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
  02818100 C246BD9A 5BDA3724 C6B086D3 69996DCB 59F9A115 7A70531D D23B65B0
  DC6F19D6 F25DEF9D 15850298 B0AB0603 0C11DBEC D1F0E52F 048CEDFF 7C57DF03
  9544856F 498F50FF F656D8BF B2655209 B447DD80 6307736E D4C1AA6C BE753B45
  EA094DDB 50BBFCBD 1C95BD11 B70055D3 BC90AFCA 1E3E96B5 BED51DEE 5D9EF881
  6EAFD515 02030100 01A37D30 7B300F06 03551D13 fsfsv8sf 05300301 01FF3028
  0603551D 11042130 1F821D72 6F757465 722E6F66 66696365 2E6D6164 67656E69
  75736573 2E6E6574 301F0603 551D2304 18301680 1405D015 631E3A65 6E6E4853
  45C5ECD5 42737DDE 83301D06 03551D0E 04160414 05D01563 1E3A656E 6E485345
  C5ECD542 737DDE83 300D0609 2A864886 F70D0101 04050003 8181001C 7D61E7FB
  B9581E7C 8399B379 318419FD 9ACBC341 FC071834 77882502 7BF830D6 1BB35CE4
  6E8C932A 38937809 686F6FE2 7A0166EF 2C88D898 D85D7499 35B36B87 28EEEBAF
  E34E7FE3 E8918EA2 D56570D7 A6274CA0 FC7099AF F974B591 0E91A30D 0635A21D
  19A84CBB 7C18A6AB A2976CD6 139028A2 A64F8BB2 3673F361 378CDB
        quit
ip source-route
!
!
ip dhcp excluded-address 192.168.235.201 192.168.235.255
ip dhcp excluded-address 192.168.235.1 192.168.235.100
ip dhcp excluded-address 192.168.11.201 192.168.11.255
!
ip dhcp pool LAN
   import all
   network 192.168.235.0 255.255.255.0
   default-router 192.168.235.3
   domain-name office.companyx.net
   dns-server 192.168.235.3
   lease 3
!
!
ip cef
ip domain name office.companyx.net
ip name-server 217.237.151.142
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FCZ1538C5QC
!
!
username admin privilege 15 secret 5 fseiljhfseifhs
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key vpn_pass1 address 212.13.232.126
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map arne1 1 ipsec-isakmp
 description Tunnel to 212.13.232.126 (Arne)
 set peer 212.13.232.126
 set transform-set ESP-3DES-SHA
 match address 151
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
!
interface FastEthernet0
 description LAN
!
!
interface FastEthernet1
 description VOIP
 switchport access vlan 2
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
 description WAN02
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
 no cdp enable
!
!
interface GigabitEthernet0
 description WAN01
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
!
interface Vlan1
 description LAN
 ip address 192.168.235.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface Vlan2
 description VOIP
 ip address 192.168.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!
interface Dialer1
 description PPoE for T-Home modem (white)
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname companyx_pass1
 ppp chap password 0 535353
 ppp pap sent-username companyx_pass1 password 0 535353
 crypto map arne1
!
!
interface Dialer2
 description PPoE for Linksys/Cisco modem (black)
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 2
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname companyx_pass2
 ppp chap password 0 955253
 ppp pap sent-username companyx_pass2 password 0 955253
!
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source route-map dialer1-rm interface Dialer1 overload
ip nat inside source route-map dialer2-rm interface Dialer2 overload
ip nat inside source static tcp 192.168.235.3 22 217.92.124.141 22 extendable
ip nat inside source static tcp 192.168.235.3 23 217.92.124.141 23 extendable
ip nat inside source static tcp 192.168.235.9 80 217.92.124.141 80 extendable
ip nat inside source static tcp 192.168.235.10 443 217.92.158.191 443 extendable
ip nat inside source static tcp 192.168.235.10 3389 217.92.158.191 3389 extendable
ip nat inside source static tcp 192.168.235.10 9000 217.92.158.191 9000 extendable
ip nat inside source static udp 192.168.235.10 9000 217.92.158.191 9000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255 log
access-list 121 permit ip 192.168.235.0 0.0.0.255 any log
access-list 121 permit ip host 217.92.124.141 any log
access-list 121 permit ip host 217.92.158.191 any log
access-list 121 permit ip any any log
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 171 permit ip any any log
!
!
!
!
route-map dialer1-rm permit 10
 match ip address 121
 match interface Dialer1
!
route-map dialer2-rm permit 10
 match ip address 121
 match interface Dialer2
!
!
!
control-plane
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

13 Replies

matej.pisek
Level 1

Oh yeah, and when I check show ip nat translations it says there is some NATing going on... from the right address!

Pro Inside global      Inside local       Outside local      Outside global
tcp 217.92.124.141:22  192.168.235.3:22   178.25.80.236:7703 178.25.80.236:7703
tcp 217.92.124.141:22  192.168.235.3:22   ---                ---
tcp 217.92.124.141:23  192.168.235.3:23   ---                ---
tcp 217.92.124.141:80  192.168.235.9:80   ---                ---
tcp 217.92.158.191:443 192.168.235.10:443 ---                ---

Hi,

logging buffered debug
logging buffered 100000
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any eq 23 any
debug ip packet detail 101
debug ip nat 101

Then telnet to your router from an outside address, not from inside! Accessing the outside address from inside won't work.

Regards.

Alain.

Don't forget to rate helpful posts.

Where did you find access-list 101? You mean 121?

And debug ip nat only works with basic access lists 1-99.

I did telnet from outside to inside... that's why there is an IP 178.25.80.236.

Hi,

No, I meant: create an ACL 101 and apply it to the debug to limit the debug output and its effect on the CPU.

I didn't remember that the ACL for NAT debugging was standard only.

So let's forget about NAT for now and just do the debug ip packet detail 101.

Regards.

Alain.

Don't forget to rate helpful posts.

Could this be because of CEF maybe? Just a question. Magically, ports 22 and 23 are working, but only to the router itself.

OK, I set up ACL 101 but for port 3389 (RDP), which is static-NAT translated to 192.168.235.10. Nothing comes out... Should I put this access-list on some interface or a route-map?

Oct 23 20:38:58.987:  IP: s=192.168.10.2, d=224.0.0.1, pak 861FDD30 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Mad-Leipzig#
Oct 23 20:39:01.079:  IP: s=192.168.235.9, d=224.0.0.22, pak 861FF34C consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:39:01.179:  IP: s=192.168.235.117, d=239.255.255.250, pak 861FEEE0 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Mad-Leipzig#
Mad-Leipzig#
Oct 23 20:39:03.599:  IP: s=192.168.235.10, d=224.0.0.22, pak 862004FC consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:39:04.051:  IP: s=192.168.235.41, d=224.0.5.128, pak 85310774 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

Hi,

All this output is for multicast traffic, not for the unicast RDP.

I wasn't sure it was going to work with CEF, because debugs are only for process-switched packets, like packets going to or coming from the router, but apparently even if we do this to the public IP it's still traffic traversing the router, and so the debug won't give out anything.

But I suppose you didn't configure any ACL for the debug, otherwise it would have been empty. So to see the correct traffic with the debug you'll have to disable CEF per interface with the no ip route-cache cef interface command and run the debug with the ACL.

I'm going to reread your config to see if I find something which could explain the problem.

Regards.

Alain.

Don't forget to rate helpful posts.
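The debug cycle Alain describes, written out end to end for the RDP forward the OP is testing, as an added example that is not part of the thread. It assumes 178.25.80.236 is the outside test host already visible in the OP's NAT table, that the work is done from the console rather than over the link being debugged, and IOS 15 syntax as on the posted 892; the ACL is referenced by the debug command only and is never applied to an interface or route-map, which answers the OP's question above.

```cisco
! Added example, not from the thread. Assumes 178.25.80.236 is the outside
! test host (taken from the OP's NAT table) and console access to the router.
!
configure terminal
 ! Keep debug output in the buffer, not on the console.
 logging buffered 100000 debugging
 no logging console
 !
 ! ACL 101 is referenced only by the debug command below; it is not applied
 ! to any interface or route-map. Match both directions of the RDP flow;
 ! "any" covers the inside host both before and after translation.
 no access-list 101
 access-list 101 permit tcp host 178.25.80.236 any eq 3389
 access-list 101 permit tcp any eq 3389 host 178.25.80.236
 !
 ! debug ip packet only sees process-switched packets, so take the two WAN
 ! interfaces out of CEF for the duration of the test.
 interface Dialer1
  no ip route-cache cef
 interface Dialer2
  no ip route-cache cef
end
!
clear logging
debug ip packet detail 101
! ... make one RDP connection attempt from 178.25.80.236, then:
undebug all
show logging | include 3389
show ip nat translations | include 3389
!
! Put CEF and console logging back before leaving the router.
configure terminal
 interface Dialer1
  ip route-cache cef
 interface Dialer2
  ip route-cache cef
 logging console
end
```

Read the buffered lines in pairs: the SYN arriving on a Dialer interface with d= set to the public address, then the same SYN after translation with d= set to 192.168.235.10, then the SYN/ACK from 192.168.235.10 and which Dialer it is sent out of. A reply that leaves the Dialer whose address was not the one the SYN arrived on is the symptom to look for.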

OK, with CEF off on interfaces Dialer1 and Dialer2...

Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011:     TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011:     TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011:     TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011:     TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Virtual Fragment Reass
mtu 0, fwdchk FALS

All the rest of the log is attached...

It's all about CEF...

ip cef - and both dialers connected
from outside: can't telnet to static routes, can ping
from inside: can access the internet, packets OK

no ip cef - and both dialers connected
from outside: can telnet to static routes, can't ping
from inside: can access the internet, packets are getting lost

Hi,

Maybe you could try to enter static PAT entries for both outside interfaces and, if you haven't got any delay- or out-of-order-sensitive apps like VoIP, tell the router to load-balance per packet with the global config command ip load-sharing per-packet, because CEF does src-dst IP load-sharing by default.

Let us know if it solved the problem.

Regards.

Alain.

Don't forget to rate helpful posts.

I do have VoIP on VLAN 2 =/

Btw, what is this...?

ip cef load-sharing algorithm include-ports source destination

Hi,

http://blog.ioshints.info/2006/12/per-port-cef-load-sharing.html

Maybe this could do the trick for you, but I would still configure static PAT entries for each outside interface pointing to the same inside IP.

Alain.

Don't forget to rate helpful posts.
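Alain's suggestion of static PAT entries for each outside interface, written out for one of the forwarded hosts together with the management-plane checks the posted config is missing. This is an added example, not from the thread or from Cisco. It takes 217.92.158.191 to be Dialer2's address, since the OP's debug output shows a packet for it arriving on Dialer2, and therefore 217.92.124.141 to be Dialer1's; it drops the log keyword from the NAT ACL and adds the VoIP VLAN to it; 203.0.113.10 is a hypothetical admin host; and the position of the route-map keyword on the static entries follows the IOS command reference and should be confirmed with ? on the running release.

```cisco
! Added example, not from the thread. Assumptions: 217.92.124.141 is on
! Dialer1, 217.92.158.191 on Dialer2 (inferred from the OP's debug output),
! 203.0.113.10 is a hypothetical admin host, and the keyword order of the
! static entries is as in the IOS command reference (confirm with "?").
!
! 1. NAT ACL: same policy as ACL 121 in the thread, without "log", and with
!    the VoIP VLAN added (Vlan2 is "ip nat inside" but not matched by 121).
no access-list 121
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255
access-list 121 deny   ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 121 permit ip 192.168.235.0 0.0.0.255 any
access-list 121 permit ip 192.168.11.0 0.0.0.255 any
!
! 2. Route-maps bind a translation to the interface the packet leaves on.
route-map dialer1-rm permit 10
 match ip address 121
 match interface Dialer1
route-map dialer2-rm permit 10
 match ip address 121
 match interface Dialer2
!
! 3. Dynamic PAT per outside interface (unchanged from the thread).
ip nat inside source route-map dialer1-rm interface Dialer1 overload
ip nat inside source route-map dialer2-rm interface Dialer2 overload
!
! 4. Static PAT: one entry per WAN address for the same inside host, each
!    tied to its route-map so the same local port can map to two global
!    addresses. Remove the old single entry first; repeat the pair for
!    every forwarded port (443, 9000 tcp/udp, and the web server at .9).
no ip nat inside source static tcp 192.168.235.10 3389 217.92.158.191 3389 extendable
ip nat inside source static tcp 192.168.235.10 3389 217.92.124.141 3389 extendable route-map dialer1-rm
ip nat inside source static tcp 192.168.235.10 3389 217.92.158.191 3389 extendable route-map dialer2-rm
!
! 5. Management plane. The router answers SSH on its own WAN addresses with
!    no NAT entry at all, so the port 22/23 forwards to 192.168.235.3 add
!    nothing except an internet-facing telnet listener. Remove them, and
!    restrict the vty lines to SSH from known sources.
no ip nat inside source static tcp 192.168.235.3 22 217.92.124.141 22 extendable
no ip nat inside source static tcp 192.168.235.3 23 217.92.124.141 23 extendable
access-list 10 remark hosts allowed to open a vty session
access-list 10 permit host 203.0.113.10
access-list 10 permit 192.168.235.0 0.0.0.255
access-list 10 deny   any log
!
service password-encryption
ip ssh time-out 60
ip ssh authentication-retries 3
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
!
! 6. Existing translations are not rebuilt until they are cleared.
! clear ip nat translation *
! show ip nat translations | include 3389
! show ip nat statistics
```

Two caveats. First, if the per-packet load sharing from the earlier reply is ever tried, ip load-sharing per-packet is an interface-mode command applied under each Dialer, not a global one, and it is unsuitable here because of the VoIP VLAN. Second, the posted config contains the PPP passwords and the ISAKMP pre-shared key in clear text, and the enable and user secrets as hashes; since they are now public, rotate them rather than relying on service password-encryption, which only obscures type 7 strings.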