11-27-2021 02:49 AM
Hello,
I'm running C8000v 17.6.1a and found that PAT to connected addresses works, but for inside addresses visible over OSPF from the L3 switch it is not working. NAT to outside networks from the same network works fine. Any ideas how to make PAT to non-connected networks work? Here is my config:

ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable ! connected
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable ! known via ospf
!
COBALT-RTR#sh ip route 100.123.0.1
Routing entry for 100.123.0.0/25
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via bgp 65123
  Advertised by bgp 65123 route-map RD-OUT
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet2
      Route metric is 0, traffic share count is 1

COBALT-RTR#sh ip route 10.255.255.2
Routing entry for 10.255.255.0/27
  Known via "ospf 65123", distance 110, metric 2, type inter area
  Redistributing via bgp 65123
  Advertised by bgp 65123 route-map RD-OUT
  Last update from 100.123.0.253 on GigabitEthernet4, 1w0d ago
  Routing Descriptor Blocks:
  * 100.123.0.253, from 100.123.15.11, 1w0d ago, via GigabitEthernet4
      Route metric is 2, traffic share count is 1
Regards,
Maxim
11-27-2021 05:02 AM
Hello,
Odd. Does dynamic NAT/PAT work with these remote hosts?
11-27-2021 05:14 AM
You mean this?
ip nat inside source list NAT interface BDI1 overload
Yes, NAT from inside to outside works.
11-27-2021 05:39 AM
Hello,
Post your running config, maybe we can spot something...
11-27-2021 05:49 AM
Here is the NAT-related config; 1.1.1.1 is the IP on BDI1 assigned by DHCP.

COBALT-RTR#sh run int bdi1
Building configuration...

Current configuration : 183 bytes
!
interface BDI1
 description #-- WAN L3
 mac-address 0050.56a0.d9d7
 ip address dhcp
 ip nbar protocol-discovery
 ip nat outside
 load-interval 30
 no mop enabled
 no mop sysid
end

COBALT-RTR#sh run int g4
Building configuration...

Current configuration : 314 bytes
!
interface GigabitEthernet4
 description #-- COBALT Interconnect
 mtu 9000
 ip address 100.123.0.254 255.255.255.248
 ip nbar protocol-discovery
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 service-policy output SHAPE-LAN
end

COBALT-RTR#sh run int g2
Building configuration...

Current configuration : 310 bytes
!
interface GigabitEthernet2
 description #-- Internal
 ip address 100.123.0.126 255.255.255.128
 ip nbar protocol-discovery
 ip nat inside
 load-interval 30
 negotiation auto
 cdp enable
 no mop enabled
 no mop sysid
 service-policy output SHAPE-LAN
end

COBALT-RTR#sh run | i ip nat
 ip nat inside
 ip nat inside
 ip nat outside
no ip nat service all-algs
ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable
ip nat inside source static tcp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static udp 100.123.0.1 53 1.1.1.1 53 extendable
ip nat inside source static tcp 100.123.0.5 80 1.1.1.1 80 extendable
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable
ip nat inside source static tcp 10.255.255.25 32400 1.1.1.1 32400 extendable
ip nat inside source static udp 10.255.255.2 51402 1.1.1.1 51402 extendable
ip nat inside source static udp 10.255.255.3 51403 1.1.1.1 51403 extendable
ip nat inside source list NAT interface BDI1 overload

COBALT-RTR#sh access-l NAT
Extended IP access list NAT
    10 deny ip any 10.0.0.0 0.255.255.255
    20 deny ip any 172.16.0.0 0.15.255.255
    30 deny ip any 192.168.0.0 0.0.255.255
    40 deny ip any 100.123.0.0 0.0.15.255
    50 deny ip host 100.123.0.16 any log
    60 permit ip 100.123.0.0 0.0.15.255 any
    70 permit ip 10.255.255.0 0.0.0.255 any
    80 permit ip 172.31.254.0 0.0.0.255 any
COBALT-RTR#
11-27-2021 05:18 AM
Hello
Is the internal host 10.255.255.2 open for port 2222?
From within your internal network, are you able to connect to it?
telnet 10.255.255.2 2222
11-27-2021 05:39 AM
Sure, it listens for SSH, but on port 22. If I connect to the WAN IP from outside, I don't see attempts in the NAT debug.
11-27-2021 06:01 AM - edited 11-27-2021 06:03 AM
Hello
Okay, if you can externally SSH to 1.1.1.1 2222 and you obtain a connection to that specific internal host, I would say it's working.
Lastly, I don't see this internal host being denied in the NAT ACL, which I would expect it to be, as it has its own static NAT entry so it doesn't need to be allowed.
11-27-2021 06:10 AM
That is the problem: with debug ip nat 1 detailed I don't see any events when trying to telnet to the router IP on port 2222. The IP from which I am trying to connect is permitted in ACL 1.
Do you mean I need to put deny tcp 10.255.255.2 22 any into ACL NAT?
11-27-2021 07:36 AM - edited 11-27-2021 07:40 AM
Hello
Do you see anything in the NAT translation table?
sh ip nat translations
Also, regarding the NAT ACL: yes, I would deny that host within that ACL, as you have a static NAT statement, so NAT doesn't need to call upon the ACL for it, unless you want that host to initiate other dynamic PAT connections; if so, leave it allowed.
11-27-2021 08:24 AM - edited 11-27-2021 08:29 AM
Of course there are translations; users and servers connect to the Internet through this router. I see translation rules for both the working and the non-working translations, but I don't see active non-working translations:

COBALT-RTR#sh ip nat translations | i :25
tcp 1.1.1.1:25         100.123.0.1:25        ---                   ---
tcp 1.1.1.1:25         100.123.0.1:25        193.163.125.7:39915   193.163.125.7:39915
udp 1.1.1.1:51402      10.255.255.2:51402    93.81.216.198:25717   93.81.216.198:25717

COBALT-RTR#sh ip nat translations | i :22
udp 1.1.1.1:2222       10.255.255.2:22       ---                   ---

I put the deny rule 5 deny tcp host 10.255.255.2 eq 22 any, but there are no changes.
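Added example, not from the thread or from Cisco: a small Python checker over the static NAT lines and the NAT ACL quoted above. It flags a static entry whose transport does not fit the usual service on the inside port (a udp entry for port 22, where SSH runs over TCP, is the kind of thing it catches) and lists inside hosts that hold a static entry yet still fall through to the overload ACL, the point raised earlier about denying the host in acl NAT. The expected-transport table and the test destination 8.8.8.8 are assumptions.

```python
import ipaddress
import re
# Constructed sample: static entries and NAT ACL lines as posted in the thread.
STATIC = """ip nat inside source static tcp 100.123.0.1 25 1.1.1.1 25 extendable
ip nat inside source static udp 10.255.255.2 22 1.1.1.1 2222 extendable
ip nat inside source static tcp 10.255.255.25 32400 1.1.1.1 32400 extendable""".splitlines()
ACL = """10 deny ip any 10.0.0.0 0.255.255.255
60 permit ip 100.123.0.0 0.0.15.255 any
70 permit ip 10.255.255.0 0.0.0.255 any""".splitlines()

# Assumed: the usual transport for these well-known inside ports (IANA)
EXPECTED = {22: {"tcp"}, 25: {"tcp"}, 53: {"tcp", "udp"}, 80: {"tcp"}}
STATIC_RE = re.compile(r"static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")

def parse_static(lines):
    """(proto, inside_ip, inside_port, outside_ip, outside_port) per entry."""
    return [(m[1], m[2], int(m[3]), m[4], int(m[5]))
            for m in map(STATIC_RE.search, lines) if m]

def proto_mismatches(entries):
    """Entries whose transport does not fit the inside service port."""
    return [e for e in entries if e[2] in EXPECTED and e[0] not in EXPECTED[e[2]]]

def _addr(toks):
    """Consume one ACL address group; return (network, wildcard, remaining tokens)."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    return toks[0], toks[1], toks[2:]

def _hit(spec, wc, ip):
    """Cisco wildcard match: bits set in wc are 'don't care'."""
    keep = ~int(ipaddress.ip_address(wc)) & 0xFFFFFFFF
    return int(ipaddress.ip_address(spec)) & keep == int(ipaddress.ip_address(ip)) & keep

def acl_action(lines, src, dst):
    """First-match evaluation of 'N permit|deny ip SRC DST ...' lines."""
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[1] not in ("permit", "deny") or t[2] != "ip":
            continue
        s, swc, rest = _addr(t[3:])
        d, dwc, _ = _addr(rest)
        if _hit(s, swc, src) and _hit(d, dwc, dst):
            return t[1]
    return "deny"  # implicit deny at the end of every Cisco ACL

def dynamic_overlap(entries, acl, dst):
    """Inside hosts that hold a static entry yet also match the overload ACL."""
    return sorted({e[1] for e in entries if acl_action(acl, e[1], dst) == "permit"})
```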
11-27-2021 09:02 AM
Hello
@Maxim Denisov wrote:
but don't see active not working translations:
You will not see any "active not working translations" if nothing is initiated for them, as they are dynamically created. The only "active not working translations" you will see are static ones.
11-27-2021 09:05 AM
I know; I started a telnet to port 2222 a second before issuing sh ip nat translations.