10-23-2011 10:24 AM - edited 03-04-2019 02:01 PM
Hey all!
I've configured a lot of Cisco 800 routers, but this one is giving me a hard time... with NAT.
It is a Cisco 892 connected to dual WAN PPP for load balancing with CEF, has IPsec set up,... simple enough, and everything works! But NAT to access the router from the global side into the local inside network doesn't! I can't even ssh/telnet because of that.
I've changed the passwords and all that, and I've cleared some rubbish like static DHCP bindings, PPP dialer redundancy, ...
I'm in Germany but am leaving the next day; remote access doesn't work, like I said, so please help, somebody! Thanks!
Current configuration : 6994 bytes
!
! Last configuration change at 19:03:08 CET Sun Oct 23 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$nv..fsefs3fsw3sfs3f
!
no aaa new-model
!
!
!
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint companyx
enrollment selfsigned
serial-number
revocation-check crl
!
!
crypto pki certificate chain companyx
certificate self-signed 01
30820277 308201E0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
42314030 12060355 0405130B 46435A31 35333843 35514330 2A06092A 864886F7
0D010902 161D726F 75746572 2E6F6666 6963652E 6D616467 656E6975 7365732E
6E657430 1E170D31 31313032 33313435 3032395A 170D3230 30313031 30303030
30305A30 42314030 12060355 0405130B 46435A31 35333843 35514330 2A06092A
864886F7 0D010902 fsfesfse 75746572 2E6F6666 6963652E 6D616467 656E6975
7365732E 6E657430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189
02818100 C246BD9A 5BDA3724 C6B086D3 69996DCB 59F9A115 7A70531D D23B65B0
DC6F19D6 F25DEF9D 15850298 B0AB0603 0C11DBEC D1F0E52F 048CEDFF 7C57DF03
9544856F 498F50FF F656D8BF B2655209 B447DD80 6307736E D4C1AA6C BE753B45
EA094DDB 50BBFCBD 1C95BD11 B70055D3 BC90AFCA 1E3E96B5 BED51DEE 5D9EF881
6EAFD515 02030100 01A37D30 7B300F06 03551D13 fsfsv8sf 05300301 01FF3028
0603551D 11042130 1F821D72 6F757465 722E6F66 66696365 2E6D6164 67656E69
75736573 2E6E6574 301F0603 551D2304 18301680 1405D015 631E3A65 6E6E4853
45C5ECD5 42737DDE 83301D06 03551D0E 04160414 05D01563 1E3A656E 6E485345
C5ECD542 737DDE83 300D0609 2A864886 F70D0101 04050003 8181001C 7D61E7FB
B9581E7C 8399B379 318419FD 9ACBC341 FC071834 77882502 7BF830D6 1BB35CE4
6E8C932A 38937809 686F6FE2 7A0166EF 2C88D898 D85D7499 35B36B87 28EEEBAF
E34E7FE3 E8918EA2 D56570D7 A6274CA0 FC7099AF F974B591 0E91A30D 0635A21D
19A84CBB 7C18A6AB A2976CD6 139028A2 A64F8BB2 3673F361 378C
DB
quit
ip source-route
!
!
ip dhcp excluded-address 192.168.235.201 192.168.235.255
ip dhcp excluded-address 192.168.235.1 192.168.235.100
ip dhcp excluded-address 192.168.11.201 192.168.11.255
!
ip dhcp pool LAN
import all
network 192.168.235.0 255.255.255.0
default-router 192.168.235.3
domain-name office.companyx.net
dns-server 192.168.235.3
lease 3
!
!
ip cef
ip domain name office.companyx.net
ip name-server 217.237.151.142
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FCZ1538C5QC
!
!
username admin privilege 15 secret 5 fseiljhfseifhs
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key vpn_pass1 address 212.13.232.126
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map arne1 1 ipsec-isakmp
description Tunnel to 212.13.232.126 (Arne)
set peer 212.13.232.126
set transform-set ESP-3DES-SHA
match address 151
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
!
interface FastEthernet0
description LAN
!
!
interface FastEthernet1
description VOIP
switchport access vlan 2
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN02
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 2
no cdp enable
!
!
interface GigabitEthernet0
description WAN01
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
!
interface Vlan1
description LAN
ip address 192.168.235.3 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Vlan2
description VOIP
ip address 192.168.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Dialer1
description PPoE for T-Home modem (white)
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname companyx_pass1
ppp chap password 0 535353
ppp pap sent-username companyx_pass1 password 0 535353
crypto map arne1
!
!
interface Dialer2
description PPoE for Linksys/Cisco modem (black)
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname companyx_pass2
ppp chap password 0 955253
ppp pap sent-username companyx_pass2 password 0 955253
!
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source route-map dialer1-rm interface Dialer1 overload
ip nat inside source route-map dialer2-rm interface Dialer2 overload
ip nat inside source static tcp 192.168.235.3 22 217.92.124.141 22 extendable
ip nat inside source static tcp 192.168.235.3 23 217.92.124.141 23 extendable
ip nat inside source static tcp 192.168.235.9 80 217.92.124.141 80 extendable
ip nat inside source static tcp 192.168.235.10 443 217.92.158.191 443 extendable
ip nat inside source static tcp 192.168.235.10 3389 217.92.158.191 3389 extendable
ip nat inside source static tcp 192.168.235.10 9000 217.92.158.191 9000 extendable
ip nat inside source static udp 192.168.235.10 9000 217.92.158.191 9000 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
!
access-list 121 deny ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255 log
access-list 121 deny ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 121 deny ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 121 deny ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255 log
access-list 121 permit ip 192.168.235.0 0.0.0.255 any log
access-list 121 permit ip host 217.92.124.141 any log
access-list 121 permit ip host 217.92.158.191 any log
access-list 121 permit ip any any log
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.105.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.233.0 0.0.0.255
access-list 151 permit ip 192.168.235.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 171 permit ip any any log
!
!
!
!
route-map dialer1-rm permit 10
match ip address 121
match interface Dialer1
!
route-map dialer2-rm permit 10
match ip address 121
match interface Dialer2
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
logging synchronous
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end
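Before the NAT question, the config above shows several things a security reviewer would flag: the router's own SSH and telnet ports are statically mapped to a public address, telnet is still an accepted VTY transport, the VTY lines carry no access-class, and the PPP and IKE credentials sit in the config in the clear (it was posted with no service password-encryption). The script below is an added example, not code from the thread: it runs those checks over a constructed excerpt of the posted config, re-indented the way IOS prints it. The check names and the suggested fixes are this example's own.

```python
"""Static audit of an IOS running-config for the management-exposure and
plaintext-secret issues visible in the config dump above.

Added example, not from the original post. Check names and fixes are this
example's own; SAMPLE_CONFIG is a constructed excerpt of the posted config.
"""
import re
from dataclasses import dataclass

# Ports whose static NAT exposure to the Internet an auditor should flag.
MGMT_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp"}

SAMPLE_CONFIG = """\
no service password-encryption
!
ip source-route
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key vpn_pass1 address 212.13.232.126
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
interface Vlan1
 ip address 192.168.235.3 255.255.255.0
!
interface Dialer1
 ppp chap password 0 535353
 ppp pap sent-username companyx_pass1 password 0 535353
!
interface Dialer2
 ppp chap password 0 955253
 ppp pap sent-username companyx_pass2 password 0 955253
!
ip nat inside source static tcp 192.168.235.3 22 217.92.124.141 22 extendable
ip nat inside source static tcp 192.168.235.3 23 217.92.124.141 23 extendable
ip nat inside source static tcp 192.168.235.9 80 217.92.124.141 80 extendable
ip nat inside source static tcp 192.168.235.10 3389 217.92.158.191 3389 extendable
!
line vty 0 4
 login local
 transport input telnet ssh
end
"""


@dataclass
class Finding:
    check: str
    severity: str
    line: str
    fix: str


def _blocks(lines):
    """Yield (header, body) per top-level IOS block; IOS indents a block's
    body by one space and ends it at the next unindented line."""
    header, body = None, []
    for ln in lines:
        if not ln.strip() or ln.strip() == "!":
            continue
        if ln.startswith(" "):
            if header is not None:
                body.append(ln.strip())
        else:
            if header is not None:
                yield header, body
            header, body = ln.strip(), []
    if header is not None:
        yield header, body


def audit_ios_config(text):
    lines = text.splitlines()
    findings = []
    # Addresses the router holds itself: tells "static NAT to a server" from
    # "static NAT straight to the router's management plane".
    own_addrs = set(re.findall(r"^\s+ip address (\d+(?:\.\d+){3}) ", text, re.M))
    for raw in lines:
        s = raw.strip()
        if s == "no service password-encryption":
            findings.append(Finding("password-encryption", "medium", s,
                            "service password-encryption (type 7 only obscures; use 'secret' where offered)"))
        elif s == "ip source-route":
            findings.append(Finding("source-route", "low", s, "no ip source-route"))
        elif s.startswith("crypto isakmp key "):
            findings.append(Finding("isakmp-psk-cleartext", "medium", s,
                            "PSK is readable by anyone who can view the config; rotate it"))
        m = re.match(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)", s)
        if m and int(m.group(2)) in MGMT_PORTS:
            inside, port = m.group(1), int(m.group(2))
            target = "the router itself" if inside in own_addrs else inside
            findings.append(Finding("exposed-mgmt-port", "high", s,
                            f"drop the {MGMT_PORTS[port]} map to {target}; reach it over the IPsec tunnel"))
        if re.search(r"\bpassword 0 \S+", s):
            findings.append(Finding("plaintext-credential", "high", s,
                            "stored in the clear; rotate once the config has been shared"))
        if "3des" in s.lower():
            findings.append(Finding("legacy-cipher", "medium", s,
                            "3DES is deprecated; use AES and a stronger DH group"))
    for header, body in _blocks(lines):
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if any("telnet" in t for t in transports):
                findings.append(Finding("telnet-vty", "high", transports[0], "transport input ssh"))
            if not any(b.startswith("access-class") for b in body):
                findings.append(Finding("vty-no-access-class", "medium", header,
                                "access-class <mgmt-acl> in (limit who may even attempt a login)"))
    return findings


def count_by_check(findings):
    """Tally findings per check name for a quick report."""
    out = {}
    for f in findings:
        out[f.check] = out.get(f.check, 0) + 1
    return out


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.check:22} {f.line}\n         fix: {f.fix}")
```

The two static maps for ports 22 and 23 resolve to the router's own Vlan1 address, which is why they are reported as exposure of the router itself rather than of a server; the RDP map to 192.168.235.10 is reported separately.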
10-23-2011 10:26 AM
Oh yeah, and when I check show ip nat translations, it says there is some NATing going on... from the right address!
Pro  Inside global        Inside local        Outside local        Outside global
tcp  217.92.124.141:22    192.168.235.3:22    178.25.80.236:7703   178.25.80.236:7703
tcp  217.92.124.141:22    192.168.235.3:22    ---                  ---
tcp  217.92.124.141:23    192.168.235.3:23    ---                  ---
tcp  217.92.124.141:80    192.168.235.9:80    ---                  ---
tcp  217.92.158.191:443   192.168.235.10:443  ---                  ---
10-23-2011 10:45 AM
Hi,
logging buffered debug
logging buffered 100000
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any eq 23 any
debug ip packet detail 101
debug ip nat 101
Then telnet to your router from an outside address, not from inside! Accessing the outside address from inside won't work.
Regards.
Alain.
10-23-2011 10:52 AM
Where did you find access-list 101? Do you mean 121?
And debug ip nat only works with basic access lists 1-99.
I did telnet from outside to inside... that's why there is an IP 178.25.80.236.
10-23-2011 12:36 PM
Hi,
No, I meant: create an ACL 101 that you apply to the debug, to limit the debug output and the effect on the CPU.
I didn't remember that the ACL for NAT was only standard.
So let's forget about NAT for now and just do the debug ip packet detail 101.
Regards.
Alain.
10-23-2011 01:35 PM
Could this be because of CEF, maybe? Just a question. Magically, ports 22 and 23 are working, but only to the router itself.
OK, I set up ACL 101, but for port 3389 (RDP), which is static NAT translated to 192.168.235.10. Nothing comes out... Should I put this access-list on some interface or NAT route-map?
10-23-2011 01:40 PM
Oct 23 20:38:58.987: IP: s=192.168.10.2, d=224.0.0.1, pak 861FDD30 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Mad-Leipzig#
Oct 23 20:39:01.079: IP: s=192.168.235.9, d=224.0.0.22, pak 861FF34C consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:39:01.179: IP: s=192.168.235.117, d=239.255.255.250, pak 861FEEE0 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Mad-Leipzig#
Mad-Leipzig#
Oct 23 20:39:03.599: IP: s=192.168.235.10, d=224.0.0.22, pak 862004FC consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:39:04.051: IP: s=192.168.235.41, d=224.0.5.128, pak 85310774 consumed in input feature , packet consumed, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
10-23-2011 01:45 PM
Hi,
All this output is for multicast traffic, not for the unicast RDP.
I wasn't sure it was going to work with CEF, because debugs are only for process-switched packets, like packets going to or coming from the router, but apparently even if we do this to the public IP it's still traffic traversing the router, and so the debug won't give out anything.
But I suppose you didn't configure any ACL for the debug, otherwise it would have been empty, so to see the correct traffic with the debug you'll have to disable CEF per interface with the no ip route-cache cef interface command and run the debug with the ACL.
I'm going to reread your config to see if I find something which could explain the problem.
Regards.
Alain.
10-23-2011 01:53 PM
OK, with CEF off on interfaces Dialer1 and Dialer2...
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011: TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011: TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Dialer i/f override(12), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011: TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
Oct 23 20:51:18.011: IP: s=178.25.80.236 (Dialer2), d=217.92.158.191, len 52, input feature
Oct 23 20:51:18.011: TCP src=14463, dst=3389, seq=532325913, ack=0, win=8192 SYN, Virtual Fragment Reass
mtu 0, fwdchk FALS
All the rest of the log is attached...
10-24-2011 02:46 AM
It's all about CEF...
ip cef - and both dialers connected:
  from outside: can't telnet to static routes, can ping
  from inside: can access internet, packets OK
no ip cef - and both dialers connected:
  from outside: can telnet to static routes, can't ping
  from inside: can access internet, packets are getting lost
10-24-2011 04:13 AM
Hi,
Maybe you could try to enter static PAT entries for both outside interfaces, and if you haven't got any delay- or out-of-order-sensitive apps like VoIP, tell the router to load-balance per packet with the global config command ip load-sharing per-packet, because CEF does src-dst IP load-sharing by default.
Let us know if it solved problem.
Regards.
Alain.
10-24-2011 05:40 AM
I do have VoIP on VLAN 2 =/
BTW, what is this...?
ip cef load-sharing algorithm include-ports source destination
10-24-2011 05:52 AM
Hi,
http://blog.ioshints.info/2006/12/per-port-cef-load-sharing.html
Maybe this could do the trick for you, but I would still configure static PAT entries for each outside interface pointing to the same inside IP.
Alain.
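The two suggestions above (per-packet sharing, and the include-ports algorithm from the linked post) both change which fields CEF hashes when it picks one of the two default routes. The model below is an added example, not code from the thread, that shows what that choice does to the reply of a statically NATed service: inside-to-outside traffic is routed first, on its inside-local source, and translated afterwards, always to the same inside-global address, so the reply only carries a source address that belongs to the link it leaves on if CEF happens to pick the interface owning that address. The bucket hash is a deliberately simple stand-in for CEF's per-router-seeded, undocumented one; the interface-to-address mapping (217.92.158.191 on Dialer2, as in the debug output, 217.92.124.141 on Dialer1) is an assumption.

```python
"""Model of a static NAT reply on a dual-default-route router under the
three CEF load-sharing modes discussed in the thread.

Added example, not from the thread. The bucket hash is a stand-in for
CEF's (the real one is per-router seeded and undocumented); what matters
is which fields feed it. PUBLIC_ADDR is an assumption, see the lead-in.
"""
from dataclasses import dataclass

PATHS = ["Dialer1", "Dialer2"]                  # the two equal-cost default routes
PUBLIC_ADDR = {"Dialer1": "217.92.124.141",     # assumption: which dialer owns which address
               "Dialer2": "217.92.158.191"}
# The RDP static map from the posted config: (inside-local, port) -> inside-global.
STATIC_NAT = {("192.168.235.10", 3389): "217.92.158.191"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def _octets(ip):
    return sum(int(o) for o in ip.split("."))


def egress(flow, algorithm, seed=0, pkt_index=0):
    """Pick an equal-cost path the way each CEF mode does.
    universal (default): src/dst IP only, so all sessions between the same
      two hosts share a path; `seed` stands in for the per-router universal
      ID, which is why two identically configured routers can differ.
    include-ports: L4 ports join the hash, so sessions between the same
      hosts spread over both paths.
    per-packet: round-robin, no flow awareness at all."""
    if algorithm == "per-packet":
        return PATHS[pkt_index % len(PATHS)]
    key = _octets(flow.src) + _octets(flow.dst)
    if algorithm == "include-ports":
        key += flow.sport + flow.dport
    elif algorithm != "universal":
        raise ValueError(f"unknown algorithm {algorithm!r}")
    return PATHS[(key + seed) % len(PATHS)]


def reply_egress_ok(inside_local, service_port, client_ip, client_port,
                    algorithm, seed=0, pkt_index=0):
    """A client hit the static map. The server's reply is routed on its
    inside-local source and then translated to the fixed inside-global; it
    leaves with a source address belonging to its link only if CEF chose
    the interface that owns that inside-global."""
    inside_global = STATIC_NAT[(inside_local, service_port)]
    reply = Flow(src=inside_local, sport=service_port, dst=client_ip, dport=client_port)
    out_if = egress(reply, algorithm, seed, pkt_index)
    return PUBLIC_ADDR[out_if] == inside_global, out_if


def session_success_rate(algorithm, client_ip, client_ports, seed=0):
    """Fraction of client sessions (distinct source ports) whose reply leaves
    on the right interface under a flow-based algorithm."""
    ok = sum(reply_egress_ok("192.168.235.10", 3389, client_ip, p, algorithm, seed)[0]
             for p in client_ports)
    return ok / len(client_ports)


def packet_success_rate(client_ip, client_port, n_packets):
    """Same question for per-packet sharing, across one session's packets."""
    ok = sum(reply_egress_ok("192.168.235.10", 3389, client_ip, client_port,
                             "per-packet", pkt_index=i)[0] for i in range(n_packets))
    return ok / n_packets


if __name__ == "__main__":
    client = "178.25.80.236"        # the tester's address from the debug output
    for algo in ("universal", "include-ports"):
        for seed in (0, 1):
            print(algo, "seed", seed, "->",
                  session_success_rate(algo, client, range(10000, 10100), seed))
    print("per-packet ->", packet_success_rate(client, 14463, 10))
```

With the stand-in hash the universal mode makes the tester's client either always work or never work depending on the seed, include-ports makes about half of that client's sessions fail, and per-packet makes about half of every session's packets fail. Changing the hash inputs only moves the failures around; what the reply needs is to leave on the interface that owns its inside-global address, which is a routing decision tied to the NAT entry rather than to the load-sharing algorithm.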
10-25-2011 12:06 PM