Static NAT fails on a 876

katsulis · ‎01-25-2011

I am facing a very weird situation with a certain 876 device.

What I am trying to accomplish is to access an internal FTP server from outside

I am setting up a simple configuration (dialer0 outside, vlan1 inside, with or without firewall - I've tried both cases) by using CPexpress to avoid typing mistakes (after resetting this 876 router) and even if the

"ip nat inside source list 1 interface Dialer0 overload

access-list 1 permit 192.168.100.0 0.0.0.255 "

works (so the internet access from inside to outside works) the

" ip nat inside source static tcp 192.168.100.10 21 interface Dialer0 21 "

doesn’t (the static NAT is not working).

I changed IOS (I have used the c870-adventerprisek9-mz.124-15.T9.bin (it came with device), the c870-adventerprisek9-mz.124-15.T7.bin, the c870-advsecurityk9-mz.124-15.T12.bin, and the c870-advipservicesk9-mz.124-24.T3.bin) but still it doesn’t work.

Same code and same IOSes same ADSL, same network with other 876 and 877 devices (I have 4 of them) works fine.

The very strange thing is that all other operations of this device seems normal (so I can't believe that it's a faulty device).

Any idea what can cause this behavior?

Find attached the running configuration

Message was edited by: Vassilis Katsulis Another thing I've noticed in this certain device after some additional tests, two or three weeks after my original post, is that everything works fine with static NAT when using VLAN3 as an outside interface instead of using Dialer0. I was sure that it was not an issue of IOS version or IOS commands in configuration but this came to verify my original belief. This issue still puzzles me because I haven't found a solution yet and still I can't be sure for a somehow faulty device.

Collin Clark · ‎01-25-2011

How is your FTP server setup? What are the errors you're seeing on the client? I recently ran into this same problem and needed to open the FTP Control port (TCP 20).

katsulis · ‎01-25-2011

Hi Collin, thank you for your interest

My FTP server is configured for passive FTP connections and the FTP client shows that is trying to connect until it times out.

Right now as we speak, my FTP server works fine with another 876 router using the same code and the same ADSL line. So I guess there is no need to focus on the server side (I have also tried one 877 and one sr520 with no problem with exactly the same setup and many IOSes)

The issue is with a specific 876 that seems to work fine except this. Of course it's very weird but as I said I can't believe that it's faulty because I have used it a lot with many configurations (except static nat) without any other problem.

Regards

cadet alain · ‎01-26-2011

Hi,

if you're using passive FTP it won't work with only static NAT for port 21( control port) only as the server will send the client the data port on which it must connect( >1023) so you need to port forward all ports > 1023 on the server and use stateful firewall or alloww all connections from client to this natted address on port > 1023

Regards.

Alain.

Don't forget to rate helpful posts.

katsulis · ‎01-26-2011

Hi Alain

The dynamic opening of ports is done by the zone firewall with the "inspect" argument (look at the attachment with the full running configuration). There you'll find out that neither 443 port forwarding works.

The same running configuration is working successfully right now with the same network (same server etc) but with another 876 router.

The issue here is to find out why's the specific 876 router (the specific device) has this behavior. Server is working fine, the router's script is good.

Thank you for your interest

cadet alain · ‎01-26-2011

Hi,

Sorry hadn't looked at complete config.

Regards.

Alain.

Don't forget to rate helpful posts.