PAT interferes with Web Server Access over L2 tunnel

I'm working on a network to accomplish 3 things:

1) NAT overload to the internet

2) L2 tunnels to remote users

3) PAT subcontractors to the Web server on the outside interface with port mapping

PROBLEM STATEMENT

Everything is working except the PAT (ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080) stops the remote user (over the L2 tunnel) from accessing the web server. If I remove the PAT, web access for the remote user is good. See the tcpdump on the web server showing HTTP coming in but not getting out (note that length 0 shows the handshake fails).

QUESTION

How can I change the PAT to allow normal access to the Web Server over L2?

[Attached image: L3_PAT_conflict_crop.png]

This is the test configuration I'm using to simulate the WAN.  Attached are the two configurations and the tcpdump.


3 Replies

luis_cordova
VIP Alumni

Hi clyde.a.huffman.ctr@mail.mil,

Query:
In the public interface you have this ACL configured:

interface GigabitEthernet0/0
 description OUTSIDE
 ip address 192.168.168.235 255.255.255.0
 ip access-group REMOTE_OUTSIDE_IN_ACL in
 ip nat outside


ip access-list extended REMOTE_OUTSIDE_IN_ACL
 permit tcp host 192.168.168.140 host 192.168.168.235 eq 8080
 deny   tcp any host 192.168.168.235 eq 8080
 deny   udp any host 192.168.168.235 eq 8080
 permit ip any any

In it, you only allow traffic from host 192.168.168.140.
Is this ACL the one blocking the traffic?


Regards
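To check the question raised above (whether REMOTE_OUTSIDE_IN_ACL itself blocks the flow) without touching the router, here is an added example, not code from the original thread or from Cisco, that parses the ACL exactly as posted and evaluates sample flows against it with IOS first-match semantics and the implicit deny at the end. Note that for packets arriving on the outside interface, IOS evaluates the inbound ACL before NAT, so the ACL is matched against the public address 192.168.168.235:8080, not the translated 192.168.175.66:80. The sample source addresses other than 192.168.168.140 are constructed for illustration.

```python
"""Evaluate a Cisco IOS extended ACL against sample flows (first match wins, implicit deny)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# ACL text copied from the thread (the header line is ignored by the parser).
ACL_TEXT = """\
ip access-list extended REMOTE_OUTSIDE_IN_ACL
 permit tcp host 192.168.168.140 host 192.168.168.235 eq 8080
 deny   tcp any host 192.168.168.235 eq 8080
 deny   udp any host 192.168.168.235 eq 8080
 permit ip any any
"""


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]           # destination port from "eq N", or None


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens[i]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS wildcard masks are the bitwise inverse of a subnet mask.
    addr, wild = tokens[i], tokens[i + 1]
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse the permit/deny lines of an extended ACL into Entry objects, in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list' header and blank lines
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = int(tokens[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries, proto, src, dst, dport) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based index of the matching line); None index = implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, e in enumerate(entries, start=1):
        if e.proto not in ("ip", proto):
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, idx
    return "deny", None  # every IOS ACL ends with an implicit deny


ENTRIES = parse_acl(ACL_TEXT)


def report():
    """Evaluate a few constructed flows as seen pre-NAT on the OUTSIDE interface."""
    flows = [
        ("tcp", "192.168.168.140", "192.168.168.235", 8080),  # the permitted host from the ACL
        ("tcp", "192.168.168.150", "192.168.168.235", 8080),  # constructed: another outside host
        ("udp", "192.168.168.150", "192.168.168.235", 8080),  # constructed: UDP to the PAT port
        ("tcp", "192.168.168.150", "192.168.168.235", 80),    # constructed: port 80, not PATed
    ]
    return {f: evaluate(ENTRIES, *f) for f in flows}


if __name__ == "__main__":
    for flow, (action, line) in report().items():
        print(f"{flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}: {action} (line {line})")
```

Running it shows that only 192.168.168.140 reaches the PAT port; any other outside source to 192.168.168.235:8080 hits line 2 or 3, while traffic to other ports falls through to "permit ip any any". Whether the remote user's tunnelled traffic actually arrives with that source address is what decides the question in the reply above.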


My mistake again. The problem is there.

If I leave the REMOTE_OUTSIDE_IN_ACL but remove the NAT (ip nat inside source static tcp 192.168.175.66 80 interface GigabitEthernet0/0 8080), the web server access is good through the tunnel...

Hi clyde.a.huffman.ctr@mail.mil,


I'm glad I helped you.


Regards