Re: Static NAT fails with two public interfaces with different I

mvoss · ‎07-21-2008

Our client connects to our data center via RDP with a public address. They have two different ISPs and traffic is routed over each depending on its destination. Their RDP connections go out WAN1. When they are in their RDP sessions they cannot reach the static NAT for 172.18.127.10 which is on WAN1. Anyone can reach the static NAT when outside of the RDP connection. Am I missing a route or something?

gojericho0 · ‎07-22-2008

I do not see any static source mappings for RDP port 3389 connections? You may need this to assign a WAN1 address

Otherwise the source address you are trying to map looks like it may go out another interface based on your route-maps

Could you post a sh ip nat translation for with the Source IP you are trying this with?

mvoss · ‎07-22-2008

Users are connecting with RDP from the LAN side of the router to a remote data center. No one is trying to RDP in through this router. A user creates an RDP connection and while in that connection tries to go to the static web NAT but fails.

a.alekseev · ‎07-22-2008

ip access-list extended Internet

deny ip 172.18.127.0 0.0.0.255 63.123.252.0 0.0.0.255

deny ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255

permit ip 172.18.127.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

mvoss · ‎07-22-2008

If I do that then I won't be able to establish the VPN to 63.123.252.12 via the internet interface.

gojericho0 · ‎07-22-2008

Your NAT with the RDP server matches your first NAT statement and it is overloading to a WAN2 address. It also matches the more specific static translation, but will never see it since NAT goes top to bottom and matches the first route map.

To fix you can deny the specific RDP server IP on the first route map, then permit the whole network in order to reach the below static nat statement on port 80

gojericho0 · ‎07-22-2008

It also looks like your 80 static nat entry is referring to source port and not destination port.

You may want to create a separate route-map for the RDP server in order to crate an extended access list for any destination to port 80

mvoss · ‎07-22-2008

I changed the ACL for the first route map to what is below but it still fails.

ip access-list extended Internet

deny ip 172.18.127.0 0.0.0.255 host 63.123.252.123

deny ip 172.18.127.0 0.0.0.255 10.11.0.0 0.0.255.255

permit ip 172.18.127.0 0.0.0.255 any

permit ip 192.168.2.0 0.0.0.255 any

The static NAT to the web server is working from everywhere but within the RDP connection.

gojericho0 · ‎07-22-2008

Can you post your updated config as well?

mvoss · ‎07-23-2008

here it is - only one ACL has changed

gojericho0 · ‎07-22-2008

You should now see your NAT translation performing correctly

For the next part look at the static routes. The default routes are weighted so that anything non-specific will try to go through WAN2 connection first.

You could include in your rdp_server route map a next hop address pointing to WAN1 in order to force the connections.

mvoss · ‎07-23-2008

Why wouldn't traffic for 63.123.252.123 match the route "ip route 63.123.252.0 255.255.255.0 WAN1.WAN1.WAN1.41," even if it comes after the default route? Shouldn't the router look for the most specific route and use it, regardless of where it is in the config?

mvoss · ‎07-24-2008

Here is a trace from the router to the RDP server. The router is putting the traffic out the correct interface.

gem-nj_gem#trace

Protocol [ip]:

Target IP address: 63.123.252.123

Source address: 172.18.127.1

Numeric display [n]:

Timeout in seconds [3]:

Probe count [3]:

Minimum Time to Live [1]:

Maximum Time to Live [30]:

Port Number [33434]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Type escape sequence to abort.

Tracing the route to 63.123.252.123

1 ool-60381e29.static.optonline.net (WAN1.WAN1.WAN1.41) 0 msec 4 msec 0 msec

a.alekseev · ‎07-24-2008

no ip nat inside source static tcp 172.18.127.10 80 WAN1.WAN1.WAN1.42 80 extendable

no ip nat inside source static tcp 172.18.127.41 2500 WAN1.WAN1.WAN1.42 2500 extendable

no ip nat inside source static tcp 172.18.127.42 3001 WAN1.WAN1.WAN1.42 3001 extendable

no ip nat inside source static tcp 172.18.127.48 2500 WAN1.WAN1.WAN1.42 5001 extendable

no ip nat inside source static tcp 172.18.127.49 2500 WAN1.WAN1.WAN1.42 8192 extendable

ip nat inside source static tcp 172.18.127.10 80 interface FastEthernet4 80 extendable

ip nat inside source static tcp 172.18.127.41 2500 interface FastEthernet4 2500 extendable

ip nat inside source static tcp 172.18.127.42 3001 interface FastEthernet4 3001 extendable

ip nat inside source static tcp 172.18.127.48 2500 interface FastEthernet4 5001 extendable

ip nat inside source static tcp 172.18.127.49 2500 interface FastEthernet4 8192 extendable

mvoss · ‎07-24-2008

All of those NAT statements I have in the router work fine from outside of the RDP session. What is the benefit to pointing them to the interface name rather than the interface's IP? Yesterday I tried your suggestion with the 172.18.127.10 NAT and the result was the same - I can reach it from outside the RDP session but not inside.

Static NAT fails with two public interfaces with different ISPs