Strange NAT problem

nemiath76
Level 1

Hello,

I am facing a strange issue with a client's Cisco.

Although the DMZ server 192.168.1.102 is accessible at the beginning, after a few hours it stops allowing the connection.

Firewall logging does not show any dropped packets.

When I telnet to port 80 from outside I get a response from the Apache server, but the browser fails to connect.

I think this is a NAT issue. The external IP address of the server is 94.70.142.127.

Can someone provide me some feedback? Is there something wrong with my NAT configuration?

Building configuration...

Current configuration : 10709 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DocNetR1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$1i/v$8tduHDZEMmcY6sRWsNHyK0
enable password 7 12292504011C5C162E7A
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2567543707
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2567543707
 revocation-check none
 rsakeypair TP-self-signed-2567543707
!
!
crypto pki certificate chain TP-self-signed-2567543707
 certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32353637 35343337 3037301E 170D3133 30313137 31373436
  35325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35363735
  34333730 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100ABA4 B7FFF4F1 9FBE79D8 2CEBCA68 A14BE3AB DBF770C2 EB35A954 B271AE3E
  F8485837 F2E8566B 66E5EF6B BCFCDFA3 8F6F91F3 FD8E3015 879A67F5 85DD95F5
  C26875C0 2202CA6C CE95888F 545AB4F6 6F708A0E C65E78D1 60967480 5589F5EE
  80505E46 8767CE2C 37C994FE AB555AF0 BA4C4679 63FF7641 34FFF6EF 3EC38006
  46B90203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 F0DE8531
  8FB370C3 6B4AFEB4 B0CA4460 25F0329C 301D0603 551D0E04 160414F0 DE85318F
  B370C36B 4AFEB4B0 CA446025 F0329C30 0D06092A 864886F7 0D010104 05000381
  810014AE D4A40F54 38472D5E 51FCE972 4955931B 73955A1D 0B8E9CB2 082566C7
  C42DEEE0 5A6D888A 2BF00C84 54E3BB2E 45A96188 D61658F7 9EC8E8DA 94BDE65B
  15F653DA 7B4C65C5 A4E80574 91F5CFDC 2088EFCE C68A16B5 F0D26B22 3ACB07C7
  EC29AE31 1935FE46 A986CAFA 25124A89 B0EE97C9 7FB9A5AD F4D6D06F E5FFDBD1 0D17
  quit
no ip source-route
!
!
ip cef
no ip bootp server
ip name-server 195.170.0.1
ip inspect log drop-pkt
no ipv6 cef
!
!
!
!
username admin privilege 15 view root secret 5 $1$Lny5$et1FhWOpIKOOYRUtN89H10
!
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-any WebService
 match protocol http
 match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map WebService
 match access-group name WebServer
class-map type inspect match-all ccp-cls--1
 match access-group name tr-out-self
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-all ccp-cls--2
 match access-group name tr-out-in
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any http-https-DMZ
 match protocol http
 match protocol https
class-map type inspect match-all sdm-cls--2
 match class-map http-https-DMZ
 match access-group name web_server
class-map type inspect match-any MySQLService
 match protocol mysql
class-map type inspect match-all sdm-cls--1
 match class-map MySQLService
 match access-group name DMZtoMySQL
class-map type inspect match-any sr-dmz-in-dns
 match protocol dns
class-map type inspect match-any sr-out-in-https
 match protocol https
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-cls-sdm-policy-sdm-cls--1-1
 match class-map sr-dmz-in-dns
 match access-group name tr-dmz-in-dns
class-map type inspect match-all ccp-cls-ccp-policy-ccp-cls--2-1
 match class-map sr-out-in-https
 match access-group name tr-out-in-80
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  drop
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect ccp-cls-sdm-policy-sdm-cls--1-1
  inspect
 class type inspect sdm-cls--1
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls--1
  drop log
 class class-default
  drop
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--2
 class type inspect ccp-cls-ccp-policy-ccp-cls--2-1
  inspect
 class type inspect ccp-cls--2
  drop log
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone security dmz-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security zp-dmz-to-outside source dmz-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security zp-outside-to-dmz source out-zone destination dmz-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-dmz-zone-in-zone source dmz-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-in-zone-dmz-zone source in-zone destination dmz-zone
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-out-zone-self source out-zone destination self
 service-policy type inspect ccp-policy-ccp-cls--1
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-policy-ccp-cls--2
!
!
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname dikt15@otenet.gr
 ppp chap password 7 124D094E0A5E4953
 ppp pap sent-username dikt15@otenet.gr password 7 0918425001505245
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.101 94.70.142.113
ip nat inside source static 192.168.1.102 94.70.142.127
!
ip access-list extended DMZtoMySQL
 remark CCP_ACL Category=128
 permit ip host 192.168.1.102 host 192.168.0.101
ip access-list extended VTY_incoming
 remark CCP_ACL Category=1
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended WebServer
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.102
ip access-list extended tr-dmz-in-dns
 remark CCP_ACL Category=128
 permit ip host 192.168.1.102 host 192.168.0.100
ip access-list extended tr-out-in
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended tr-out-in-80
 remark CCP_ACL Category=128
 permit ip any host 192.168.0.101
ip access-list extended tr-out-self
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended web_server
 remark CCP_ACL Category=128
 permit ip 192.168.0.0 0.0.0.255 host 192.168.1.102
!
logging trap notifications
logging 192.168.0.2
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWARNING!!!This is a highly monitored private system. Access is prohibited!!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class VTY_incoming in
 password 7 08116C5D1A0E550516
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Abzal
Level 7

Hi,

Try to debug HTTP inspection:

debug ip inspect http

I don't think that NAT could be the problem, as you can successfully telnet to port 80.

Another option: try changing this

policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  drop

to this

policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  pass
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  drop

It will allow return HTTP traffic from the web server to pass.

Hope it will help.

Best regards,
Abzal

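A small Python model of how the posted zone-based firewall polices the DMZ web server, added here as an illustration; it is not code from either post or from Cisco. It encodes the zone-pairs, class-maps, named ACLs and policy-maps from the configuration above that apply to 192.168.1.102, resolves a flow to its zone-pair from the source and destination subnets, evaluates match-all and match-any classes in policy order (including nested `match class-map` and `match access-group` entries), and then contrasts `inspect` with `pass`, which is the distinction behind the suggested policy change: only `inspect` creates a session entry, so only inspected flows get their return packets through the reverse direction. Flow addresses are the post-NAT inside addresses that the config's own class-map ACLs reference. Assumptions of the example: the 203.0.113.5 client address, the `Firewall` class and the protocol label carried on each flow are constructed, only the classes used by the example flows are encoded, and the dmz-zone to out-zone ccp-inspect pair is deliberately left out of the model.

```python
# Constructed model of the ZBFW policy in the posted config (not Cisco code).
from ipaddress import ip_address, ip_network

ANY, WEB = ip_network("0.0.0.0/0"), ip_network("192.168.1.102/32")

def zone_of(ip):
    """Zone by subnet, from Vlan1 / Vlan2; everything else is behind Dialer0."""
    addr = ip_address(ip)
    if addr in ip_network("192.168.0.0/24"):
        return "in-zone"
    if addr in ip_network("192.168.1.0/24"):
        return "dmz-zone"
    return "out-zone"

# Named extended ACLs as (source, destination); every entry is 'permit ip'.
# Addresses are post-NAT inside addresses, as in the config's own ACLs.
ACLS = {
    "WebServer": [(ANY, WEB)],
    "DMZtoMySQL": [(WEB, ip_network("192.168.0.101/32"))],
    "web_server": [(ip_network("192.168.0.0/24"), WEB)],
}

# Class-maps as (mode, criteria); a criterion is ("protocol" | "class-map" |
# "access-group", name). 'match protocol' is modelled as a label on the flow.
CLASS_MAPS = {
    "WebService": ("match-any", [("protocol", "http"), ("protocol", "https")]),
    "sdm-cls-sdm-pol-NATOutsideToInside-1-1":
        ("match-all", [("class-map", "WebService"), ("access-group", "WebServer")]),
    "http-https-DMZ": ("match-any", [("protocol", "http"), ("protocol", "https")]),
    "sdm-cls--2": ("match-all", [("class-map", "http-https-DMZ"), ("access-group", "web_server")]),
    "MySQLService": ("match-any", [("protocol", "mysql")]),
    "sdm-cls--1": ("match-all", [("class-map", "MySQLService"), ("access-group", "DMZtoMySQL")]),
}

# Policy-maps as ordered (class, action) lists; class-default is always last.
# Only the classes exercised by the example flows are encoded.
POLICY_MAPS = {
    "sdm-pol-NATOutsideToInside-1": [
        ("sdm-cls-sdm-pol-NATOutsideToInside-1-1", "inspect"), ("class-default", "drop")],
    "sdm-policy-sdm-cls--1": [("sdm-cls--1", "inspect"), ("class-default", "drop")],
    "sdm-policy-sdm-cls--2": [("sdm-cls--2", "inspect"), ("class-default", "drop")],
}

# zone-pair (source, destination) -> policy; the dmz-zone -> out-zone
# ccp-inspect pair from the config is deliberately left out of this model.
ZONE_PAIRS = {
    ("out-zone", "dmz-zone"): "sdm-pol-NATOutsideToInside-1",
    ("dmz-zone", "in-zone"): "sdm-policy-sdm-cls--1",
    ("in-zone", "dmz-zone"): "sdm-policy-sdm-cls--2",
}

def acl_permits(name, flow):
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    return any(src in s and dst in d for s, d in ACLS[name])

def class_matches(name, flow):
    """Evaluate a class-map, recursing into nested 'match class-map' entries."""
    mode, criteria = CLASS_MAPS[name]
    results = []
    for kind, value in criteria:
        if kind == "protocol":
            results.append(flow["protocol"] == value)
        elif kind == "class-map":
            results.append(class_matches(value, flow))
        else:
            results.append(acl_permits(value, flow))
    return all(results) if mode == "match-all" else any(results)

def evaluate(flow):
    """Action for a flow's first packet: zone-pair -> policy-map -> first class."""
    pair = (zone_of(flow["src"]), zone_of(flow["dst"]))
    if pair[0] == pair[1]:
        return "pass"             # intra-zone traffic is not policed
    policy = ZONE_PAIRS.get(pair)
    if policy is None:
        return "drop"             # inter-zone traffic with no zone-pair
    for cls, action in POLICY_MAPS[policy]:
        if cls == "class-default" or class_matches(cls, flow):
            return action
    return "drop"

class Firewall:
    """Session table: 'inspect' creates state, 'pass' does not, so only
    inspected flows get their return packets through the reverse direction."""
    def __init__(self):
        self.sessions = set()

    def forward(self, flow):
        action = evaluate(flow)
        if action == "inspect":
            self.sessions.add((flow["src"], flow["dst"], flow["protocol"]))
        return action

    def reply_allowed(self, flow):
        if (flow["dst"], flow["src"], flow["protocol"]) in self.sessions:
            return True           # reply to an inspected session
        return evaluate(flow) != "drop"
```

Running `evaluate` on an outside client to 192.168.1.102 over HTTP walks out-zone to dmz-zone, policy sdm-pol-NATOutsideToInside-1, class sdm-cls-sdm-pol-NATOutsideToInside-1-1 and returns `inspect`; the same client over MySQL falls to class-default and returns `drop`. The `Firewall` wrapper shows why `inspect` rather than `pass` matters for a server that must answer: once a flow has been inspected, the server's reply is matched against the session table and allowed, whereas with no session the reply is policed like any new flow in its own direction.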