Strange NAT Behavior on 2851

clyde.wilson
Level 1

So I have two networks that are connected together via a 2851 router running PAT as well as several static NATs. Their network is a 192.168.x.x addressing scheme and mine is a 172.21.x.x addressing scheme. The other day the old router takes a dump and stops working (it was a 2600), so I get someone to run over and drop this 2851 in. Everything works just fine with the exception of 4 machines that communicate with a server exclusively on port 2000. Packet captures show the packets coming in from the 192.168.x.x address reaching the server, but the packets the server sends out hit the router and just disappear. I've never seen anything like it. Anyone have any idea what might be going on? Any help would be greatly appreciated!

6 Replies

mahmoodmkl
Level 7

Hi,

Can you paste the config?

Abzal
Level 7

Hi,

The configuration of the 2851 would be very helpful.

Also the output of:

show ip route

Is default gateway on servers configured correctly?

Is there any ACL that might block ports?

Is there any firewall between routers?

Hope it will help.

Best regards,
Abzal

Below is the config. The devices I am having issues with can communicate via ICMP, RDP and everything else except the app they run, which uses port 2000. I have confirmed routing and there are no firewalls or ACLs. When I do a packet capture I see the packets coming back from the server, but they are not forwarded through the router back to the devices.

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname sr01-sah-mrmc
!
boot-start-marker
boot system flash:c2800nm-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
!
!
logging buffered 4096
enable secret 5 XXXXXXX
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn FTX1129A2A8
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.2.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed 10
!
interface GigabitEthernet0/1
 ip address 172.21.190.2 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
 no fair-queue
!
!
router eigrp 2784
 distribute-list 30 in GigabitEthernet0/1
 network 172.20.0.0
 network 172.21.0.0
 no eigrp log-neighbor-changes
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static 10.2.0.19 172.21.190.39
ip nat inside source static 10.2.0.11 172.21.190.40
ip nat inside source static 10.2.0.12 172.21.190.41
ip nat inside source static 10.2.0.13 172.21.190.42
ip nat inside source static 10.2.0.14 172.21.190.43
ip nat inside source static 192.168.2.34 172.21.190.44
ip nat inside source static 192.168.2.35 172.21.190.45
ip nat inside source static 192.168.2.36 172.21.190.46
ip nat inside source static 192.168.2.37 172.21.190.47
ip nat inside source static 192.168.2.42 172.21.190.48
ip nat inside source static 192.168.2.8 172.21.190.49 extendable
ip nat inside source static 192.168.4.21 172.21.190.50
ip nat inside source static 192.168.4.22 172.21.190.51
ip nat inside source static 192.168.4.23 172.21.190.52
ip nat inside source static 192.168.4.27 172.21.190.53
ip nat inside source static 192.168.4.30 172.21.190.54
ip nat inside source static 192.168.4.41 172.21.190.55
ip nat inside source static 192.168.4.42 172.21.190.56 extendable
ip nat inside source static 192.168.4.43 172.21.190.57 extendable
ip nat inside source static 192.168.99.11 172.21.190.58
ip nat inside source static 10.2.0.15 172.21.190.59
ip nat inside source static 10.2.0.16 172.21.190.60
ip nat inside source static 10.2.0.17 172.21.190.61
ip nat inside source static 10.2.0.18 172.21.190.62
ip route 0.0.0.0 0.0.0.0 192.168.2.254
!
access-list 1 permit 192.168.14.0 0.0.0.255
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 1 permit 192.168.17.0 0.0.0.255
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 permit 192.168.13.0 0.0.0.255
access-list 30 deny   172.16.0.0 0.0.255.255
access-list 30 deny   172.17.0.0 0.0.255.255
access-list 30 deny   172.18.0.0 0.0.255.255
access-list 30 deny   172.19.0.0 0.0.255.255
access-list 30 deny   172.22.0.0 0.0.255.255
access-list 30 deny   172.23.0.0 0.0.255.255
access-list 30 deny   172.24.0.0 0.0.255.255
access-list 30 deny   172.25.0.0 0.0.255.255
access-list 30 deny   172.26.0.0 0.0.255.255
access-list 30 deny   172.27.0.0 0.0.255.255
access-list 30 deny   192.168.1.0 0.0.0.255
access-list 30 permit any
access-list 101 permit tcp any any eq 8888 log
access-list 101 permit udp any any eq 8888 log
access-list 101 permit tcp any any eq www log
access-list 101 permit ip any any
access-list 102 permit tcp any any eq 8888 log
access-list 102 permit udp any any eq 8888 log
access-list 102 permit tcp any any eq www log
access-list 102 permit ip any any
access-list 144 permit ip host 192.168.4.42 host 172.20.24.57
access-list 144 permit ip host 172.20.24.57 host 192.168.4.42
access-list 144 permit ip host 172.21.190.56 host 172.20.24.57
access-list 144 permit ip host 172.20.24.57 host 172.21.190.56
!
!
!
!
snmp-server community antvs5 RO
snmp-server community chevron RW
snmp-server location SAH Comm Room
snmp-server contact Network Services Team
!
!
control-plane
!
!
voice-port 0/0/0
!
voice-port 0/0/1
!
voice-port 0/0/2
!
voice-port 0/0/3
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
 password 7 XXXXXXX
 login
line aux 0
line vty 0 4
 password 7 XXXXXXX
 login
 transport input all
line vty 5 15
 password 7 XXXXXXX
 login
 transport input all
!
scheduler allocate 20000 1000
ntp server 172.28.1.34
end
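The posted config decides three things for each of the inside hosts: whether it has a static translation, whether it falls back to PAT behind GigabitEthernet0/1 via access-list 1, or whether it leaves the router untranslated; and, for a reply from 172.20.24.57 arriving on the outside interface, which inside address a given 172.21.190.x destination untranslates to. The script below is an added example, not part of this thread and not a Cisco tool: it parses an excerpt of the posted config (embedded inline, with the static list trimmed to a few of the posted entries) and answers those questions for a few constructed inside addresses. PAT sessions are dynamic and only visible in `show ip nat translations` on the router itself, so the reverse lookup here covers static entries only.

```python
import ipaddress
import re

# Excerpt of the running-config posted in the thread. Interfaces and ACL 1
# entries are as posted; the static NAT list is trimmed to four of the entries.
CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.2.11 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 172.21.190.2 255.255.255.192
 ip nat outside
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static 10.2.0.19 172.21.190.39
ip nat inside source static 192.168.2.34 172.21.190.44
ip nat inside source static 192.168.4.42 172.21.190.56 extendable
ip nat inside source static 192.168.99.11 172.21.190.58
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: (extendable))?$")
PAT_RE = re.compile(r"^ip nat inside source list (\d+) interface (\S+) overload$")
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny)\s+(.+)$")


def acl_network(spec):
    """Address part of a standard ACL entry -> ip_network. Handles 'any',
    'host A.B.C.D' and 'A.B.C.D wildcard' (an inverted mask, which ipaddress
    accepts as a hostmask; 0.0.0.0 is ambiguous and is treated as a host)."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host" or parts[1] == "0.0.0.0":
        return ipaddress.ip_network(parts[-1 if parts[0] == "host" else 0] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_nat_config(text):
    """Collect interface addresses, NAT roles, static/PAT rules and the
    standard ACLs (numbers 1-99, the range a NAT source list uses)."""
    cfg = {"interfaces": {}, "nat_role": {}, "static": {}, "pat": None, "acls": {}}
    iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line == "!":
            iface = None
        elif line.startswith("ip address ") and iface:
            _, _, addr, mask = line.split()
            cfg["interfaces"][iface] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line in ("ip nat inside", "ip nat outside") and iface:
            cfg["nat_role"][iface] = line.split()[-1]
        elif STATIC_RE.match(line):
            local, glob, ext = STATIC_RE.match(line).groups()
            cfg["static"][local] = (glob, ext is not None)
        elif PAT_RE.match(line):
            acl, out_if = PAT_RE.match(line).groups()
            cfg["pat"] = {"acl": acl, "interface": out_if}
        elif ACL_RE.match(line) and int(ACL_RE.match(line).group(1)) < 100:
            acl, action, spec = ACL_RE.match(line).groups()
            cfg["acls"].setdefault(acl, []).append((action, acl_network(spec)))
    return cfg


def translate_outbound(cfg, host):
    """How a packet sourced by inside `host` leaves the outside interface:
    a static entry wins, then PAT if the ACL permits, else no translation."""
    if host in cfg["static"]:
        return ("static", cfg["static"][host][0])
    if cfg["pat"] is not None:
        addr = ipaddress.ip_address(host)
        for action, net in cfg["acls"].get(cfg["pat"]["acl"], []):
            if addr in net:  # first matching ACL entry decides
                if action == "permit":
                    return ("pat", str(cfg["interfaces"][cfg["pat"]["interface"]].ip))
                break
    return ("none", None)


def translate_return(cfg, dst):
    """Reverse lookup for a reply arriving on the outside interface for `dst`.
    Returns the inside-local address of the static entry, or None."""
    for local, (glob, _ext) in cfg["static"].items():
        if glob == dst:
            return local
    return None


def misplaced_inside_globals(cfg):
    """Static inside-global addresses that are not on an 'ip nat outside'
    subnet; the router only answers ARP for those on a connected subnet, so
    any other inside-global needs an upstream route pointing at the router."""
    nets = [cfg["interfaces"][i].network for i, r in cfg["nat_role"].items() if r == "outside"]
    return [(l, g) for l, (g, _e) in cfg["static"].items()
            if not any(ipaddress.ip_address(g) in n for n in nets)]


if __name__ == "__main__":
    cfg = parse_nat_config(CONFIG)
    for h in ("192.168.4.42", "192.168.4.10", "192.168.99.12"):  # constructed hosts
        print(h, "->", translate_outbound(cfg, h))
    print("reply to 172.21.190.56 untranslates to", translate_return(cfg, "172.21.190.56"))
    print("statics off the outside subnet:", misplaced_inside_globals(cfg))
```

Running it against the excerpt shows the three outcomes side by side: 192.168.4.42 uses its static entry 172.21.190.56, a host such as 192.168.4.10 is PAT'd behind 172.21.190.2, and a 192.168.99.x host without a static entry is not matched by access-list 1 at all, since 192.168.99.0/24 is absent from it in the posted config.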

Hi,

Can you show the output of:

show ip route

What exactly is the server's IP address that you have the problem with?

Hope it will help.

Best regards,
Abzal

Our routing table is massive. Several hundred routes. The address of the server is 172.20.24.57. Below is a sh ip route for that subnet.

sr01-sah-mrmc#sh ip route 172.20.24.57
Routing entry for 172.20.24.0/22
  Known via "eigrp 2784", distance 90, metric 2563584, type internal
  Redistributing via eigrp 2784
  Last update from 172.21.190.1 on GigabitEthernet0/1, 02:33:53 ago
  Routing Descriptor Blocks:
  * 172.21.190.1, from 172.21.190.1, 02:33:53 ago, via GigabitEthernet0/1
      Route metric is 2563584, traffic share count is 1
      Total delay is 100040 microseconds, minimum bandwidth is 1000000 Kbit
      Reliability 255/255, minimum MTU 1500 bytes
      Loading 34/255, Hops 4
sr01-sah-mrmc#

Ok.

So if I understood you correctly, there are 4 devices that cannot communicate with server 172.20.24.57?

If yes,

Check on the router if it has routes for those subnets.

sh ip route 192.168.x.x

Try to ping those machines from the router.

Hope it will help.

Best regards,
Abzal