Solved: Re: Static Nat problem

catalin.stan · ‎03-17-2011

Hello everyone,

I’m having trouble with static nat on my Cisco 861. The dynamic nat is working fine, but I can’t seem to find the problem with the static one. I’ve posted below the configuration that I currently have on my router. Can someone please give me an idea?

Thank you

interface FastEthernet0

switchport access vlan 101

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

ip address 9x.xxx.xxx.xxx 255.255.255.252

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Vlan101

description #lan 172#

ip address 172.16.16.250 255.255.255.0

!

ip forward-protocol nd

no ip http server

ip http authentication local

no ip http secure-server

!

ip nat pool wifi_lan 9x.xxx.xxx.xxx 9x.xxx.xxx.xxx netmask 255.255.255.252

ip nat inside source list nat_acl pool wifi_lan overload

ip nat inside source static tcp 192.168.1.1 80 9x.xxx.xxx.xxx 80 extendable

ip nat inside source static udp 192.168.1.101 38101 9x.xxx.xxx.xxx 38101 extendable

ip route 0.0.0.0 0.0.0.0 9x.xxx.xxx.xxx

!

ip access-list extended nat_acl

permit ip 192.168.1.0 0.0.0.255 any

Calin C. · ‎03-17-2011

Hello,

If you have the web server hosted on a linux machine, then this simple trick will tell you if the router forward the packets correctly:

-from an external location do a "telnet 9.x.x.x 80"

-on the web server use tcpdump to listen on your interface and see if any packet arrive there while you're doing the telnet on port 80

If you have a windows platform for your web server, you can do the same with Wireshark.

Second, maybe this is not a NAT problem. Did you check the reachability between your web server and an outside destination? Is the gateway on the server set correctly?

Good luck and let us know the result of the test above.

Cheers,

Calin

View solution in original post

Latchum Naidu · ‎03-17-2011

Hi,

What is the exact problem you are facing, the config looks ok.

Is nating not happening with the below config?
Have you see by giving command "sh ip nat tra"?

Clear the nat tra in global with command "clear ip nat tra fo" and check.

However please remove the extendable work in the NAT statement and see.

Please rate the helpfull posts.
Regards,
Naidu.

catalin.stan · ‎03-17-2011

Hi,

Thank you for your reply.

Static nat isn't working, dynamic nat it's ok.

I've used #clear ip nat tran fo

After that the #sh ip nat trans looks like this:

Pro Inside global Inside local Outside local Outside global

tcp 9x.xxx.xxx.xxx:80 192.168.1.1:80 --- ---

tcp 9x.xxx.xxx.xxx:38101 192.168.1.101:38101 --- ---

udp 9x.xxx.xxx.xxx:51731 192.168.1.110:51731 8.8.8.8:53 8.8.8.8:53

udp 9x.xxx.xxx.xxx:51731 192.168.1.110:51731 91.192.234.1:53 91.192.234.1:53

udp 9x.xxx.xxx.xxx:51731 192.168.1.110:51731 91.192.234.2:53 91.192.234.2:53

tcp 9x.xxx.xxx.xxx:53125 192.168.1.110:53125 95.101.22.64:443 95.101.22.64:443

udp 9x.xxx.xxx.xxx:56770 192.168.1.110:56770 8.8.8.8:53 8.8.8.8:53

The "extendable" I can't remove it. I haven't typed it in the first place (it just comes up after i give the command "ip nat inside source static tcp 192.168.1.1 80 9x.xxx.xxx.xxx 80")

Latchum Naidu · ‎03-17-2011

Hi,

By default the extendable wont come untill we manually specify that.
Try to remove the NAT statement if possible and add again without extendable word like below...

no ip nat inside source static tcp 192.168.1.1 80 9x.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.1.1 80 9x.xxx.xxx.xxx 80

Please rate the helpfull posts.
Regards,
Nadiu.

catalin.stan · ‎03-17-2011

I've done that but the extandable still comes up.

Could it be a restricton from the IOS version or the hardware version of my Cisco?

Cisco 861 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FCZ1450C3KW

5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)

License Info:

License UDI:

-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO861-K9 FCZ1450C3KW

License Information for 'c860-data'
License Level: advsecurity Type: Permanent
Next reboot license Level: advsecurity

Latchum Naidu · ‎03-17-2011

Hi,

No problem with hardware, what ios version do you have on the router.

If possible please have the following ios on the router and do what i suggested in my previous post.

c861-advipservicesk9-mz.124-15.T1.bin

Please rate the helpfull posts.

Regards,

Nadiu.

catalin.stan · ‎03-17-2011

c860-universalk9-mz.150-1.M4.bin

This is my IOS version. Unfortunately this is the only IOS version that I have.

I've done what you've sugested in your previous post and the "extendable" still comes up.

cadet alain · ‎03-17-2011

Hi,

What tests did you do to ascertain your static NAT isn't working?

Have you got ACLs or firewall features configured on the router?

Regards.

Alain

Don't forget to rate helpful posts.

catalin.stan · ‎03-17-2011

Hi,

No acl or firewall configured.

I’ve tried to access both the web server and rdc from an outside network and it’s not working.

RDC works, from inside the network, when I type 192.168.1.101:38101 but it doesn’t with public IP.

Also web server works with the local IP (192.168.1.1).

Calin C. · ‎03-17-2011