WAN NAT not working when source IP is from LAN

Timothy Quinn
Level 1

Good Day,

I have configured my Cisco 881 and it is quite stable but now I am working on some minor details.

I have several Public WAN IP addresses which are NATing to internal web server. When I go to the WAN IP at port 80 from the Internet, the NAT works fine and it maps perfectly to the internal Web server. However, when I try the same WAN IP from the LAN which contains the web server, the Router blocks the traffic and I get nothing back.

I have verified that I can get to the Internet from the LAN but it seems that I cannot go from the LAN to the Internet and back into the LAN via NAT.

Any ideas on where I should look and how to troubleshoot?

Warning: I'm an IOS N00b

2 Replies

Dennis Mink
VIP Alumni

Can you provide the configuration please

Please remember to rate useful posts, by clicking on the stars below.

Here is my config (cleaned)

FYI - The Loopback0 is redundant and I have been planning on removing it. I don't think that is the problem but maybe...


Building configuration...

Current configuration : 12802 bytes
!
! Last configuration change at 17:41:34 PCTime Mon Feb 21 2011 by tquinn
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sjpc1_g
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-15289216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-15289216
revocation-check none
rsakeypair TP-self-signed-15289216
!
!
crypto pki certificate chain TP-self-signed-15289216
ip source-route
!
!
ip dhcp excluded-address 192.168.50.1 192.168.50.9
ip dhcp excluded-address 192.168.50.50 192.168.50.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.1
   dns-server 4.2.2.1 4.2.2.2
!
!
ip cef
no ip bootp server
ip domain name mydomain.com
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn XXXXXXXXXX
!
!
username admin privilege 15 view root secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group sjpc1vnet1
key XXXXXXXXXXXXXXXXXXXXXXXXXX
dns 4.2.2.1 4.2.2.2
pool SDM_POOL_1
acl 150
save-password
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dyn-map 10
set transform-set ESP-3DES-SHA
!
!
crypto map vpn client authentication list ciscocp_vpn_xauth_ml_1
crypto map vpn isakmp authorization list ciscocp_vpn_group_ml_1
crypto map vpn client configuration address respond
crypto map vpn 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback0
ip address 10.30.99.99 255.255.255.0
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 69.68.67.94 255.255.255.0 secondary
ip address 69.68.67.96 255.255.255.0 secondary
ip address 69.68.67.93 255.255.255.0 secondary
ip address 69.68.67.95 255.255.255.0 secondary
ip address 69.68.66.37 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpn
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip local pool SDM_POOL_1 172.16.10.1 172.16.10.254
ip forward-protocol nd
no ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool PASSIVEFTP 192.168.50.210 192.168.50.210 netmask 255.255.255.0 type rotary
ip nat inside source static tcp 192.168.50.101 443 interface FastEthernet4 30443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.50.100 902 69.68.66.37 902 route-map SDM_RMAP_6 extendable
ip nat inside source static udp 192.168.50.100 902 69.68.66.37 902 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 192.168.50.201 9001 69.68.66.37 9001 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp 192.168.50.100 22 69.68.66.37 20022 route-map SDM_RMAP_8 extendable
ip nat inside source static tcp 192.168.50.100 443 69.68.66.37 20443 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 192.168.50.101 22 69.68.66.37 30022 route-map SDM_RMAP_11 extendable
ip nat inside source static tcp 192.168.50.210 3389 69.68.66.37 53389 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 192.168.50.240 3389 69.68.66.37 54389 route-map SDM_RMAP_13 extendable
ip nat inside source static tcp 192.168.50.220 80 69.68.67.93 80 route-map SDM_RMAP_10 extendable
ip nat inside source static tcp 192.168.50.220 443 69.68.67.93 443 route-map SDM_RMAP_12 extendable
ip nat inside source static tcp 192.168.50.210 80 69.68.67.94 80 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.50.210 80 69.68.67.96 80 route-map SDM_RMAP_9 extendable
ip nat inside destination list PASSIVEACL pool PASSIVEFTP
ip route 0.0.0.0 0.0.0.0 69.68.66.1
!
ip access-list extended PASSIVEACL
remark Standard FTP Data and Comms
permit tcp any any range ftp-data ftp
remark Extra Ports for Passive Use Only
permit tcp any any range 48000 49999
!
logging trap debugging
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 172.16.10.0 0.0.0.255
access-list 2 permit 192.168.50.0 0.0.0.255
access-list 2 permit any
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp any host 69.68.67.93 eq www
access-list 100 permit tcp any host 69.68.67.94 eq www
access-list 100 permit tcp any host 69.68.67.95 eq www
access-list 100 permit tcp any host 69.68.67.96 eq www
access-list 100 permit ip 172.16.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit udp any host 69.68.66.37 eq non500-isakmp
access-list 100 permit udp any host 69.68.66.37 eq isakmp
access-list 100 permit esp any host 69.68.66.37
access-list 100 permit ahp any host 69.68.66.37
access-list 100 permit tcp any host 69.68.66.37 eq 53389
access-list 100 permit tcp any host 69.68.66.37 eq www
access-list 100 permit tcp any host 69.68.66.37 eq 20443
access-list 100 permit tcp any host 69.68.66.37 eq 20022
access-list 100 permit udp any host 69.68.66.37 eq 902
access-list 100 permit tcp any host 69.68.66.37 eq 902
access-list 100 permit tcp any host 69.68.66.37 eq 9001
access-list 100 permit tcp any host 69.68.66.37 eq 22
access-list 100 permit tcp any host 69.68.66.37 eq 443
access-list 100 permit tcp any host 69.68.66.37 eq cmd
access-list 100 deny   tcp any host 69.68.66.37 eq telnet
access-list 100 deny   udp any host 69.68.66.37 eq snmp
access-list 100 permit ip any any
access-list 100 permit tcp any gt 1023 host 69.68.66.37 eq ftp
access-list 100 permit tcp any gt 1023 host 69.68.66.37 eq ftp-data
access-list 100 permit tcp any host 69.68.66.37 range 48000 49999
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 172.16.10.0 0.0.0.255 host 192.168.50.1 eq 22
access-list 102 permit tcp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq 22
access-list 102 permit tcp 172.16.10.0 0.0.0.255 host 192.168.50.1 eq 443
access-list 102 permit tcp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq 443
access-list 102 permit tcp 172.16.10.0 0.0.0.255 host 192.168.50.1 eq cmd
access-list 102 permit tcp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq cmd
access-list 102 permit tcp 192.168.50.0 0.0.0.255 host 192.168.50.1 eq telnet
access-list 102 deny   tcp any host 192.168.50.1 eq 22
access-list 102 deny   tcp any host 192.168.50.1 eq www
access-list 102 deny   tcp any host 192.168.50.1 eq 443
access-list 102 deny   tcp any host 192.168.50.1 eq cmd
access-list 102 deny   udp any host 192.168.50.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark NAT ACL
access-list 103 remark CCP_ACL Category=18
access-list 103 deny   tcp host 192.168.50.240 eq 3389 any
access-list 103 deny   tcp host 192.168.50.220 eq www any
access-list 103 deny   tcp host 192.168.50.220 eq 443 any
access-list 103 deny   tcp host 192.168.50.101 eq 22 any
access-list 103 deny   ip 192.168.50.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 192.168.50.0 0.0.0.255 any
access-list 103 deny   tcp host 192.168.50.210 eq 3389 any
access-list 103 deny   tcp host 192.168.50.210 eq www any
access-list 103 deny   tcp host 192.168.50.100 eq 443 any
access-list 103 deny   tcp host 192.168.50.100 eq 22 any
access-list 103 deny   udp host 192.168.50.100 eq 902 any
access-list 103 deny   tcp host 192.168.50.100 eq 902 any
access-list 103 deny   tcp host 192.168.50.201 eq 9001 any
access-list 104 remark CCP_ACL Category=2
access-list 104 deny   ip host 192.168.50.210 172.16.10.0 0.0.0.255
access-list 104 permit tcp host 192.168.50.210 eq www any
access-list 105 remark CCP_ACL Category=2
access-list 105 deny   ip host 192.168.50.210 172.16.10.0 0.0.0.255
access-list 105 permit tcp host 192.168.50.210 eq 3389 any
access-list 106 remark CCP_ACL Category=2
access-list 106 deny   ip host 192.168.50.100 172.16.10.0 0.0.0.255
access-list 106 permit udp host 192.168.50.100 eq 902 any
access-list 107 remark CCP_ACL Category=2
access-list 107 deny   ip host 192.168.50.100 172.16.10.0 0.0.0.255
access-list 107 permit tcp host 192.168.50.100 eq 443 any
access-list 108 remark CCP_ACL Category=2
access-list 108 deny   ip host 192.168.50.100 172.16.10.0 0.0.0.255
access-list 108 permit tcp host 192.168.50.100 eq 902 any
access-list 109 remark CCP_ACL Category=2
access-list 109 deny   ip host 192.168.50.201 172.16.10.0 0.0.0.255
access-list 109 permit tcp host 192.168.50.201 eq 9001 any
access-list 110 remark CCP_ACL Category=2
access-list 110 deny   ip host 192.168.50.100 172.16.10.0 0.0.0.255
access-list 110 permit tcp host 192.168.50.100 eq 22 any
access-list 111 remark CCP_ACL Category=2
access-list 111 deny   ip host 192.168.50.210 172.16.10.0 0.0.0.255
access-list 111 permit tcp host 192.168.50.210 eq www any
access-list 112 remark CCP_ACL Category=2
access-list 112 deny   ip host 192.168.50.220 172.16.10.0 0.0.0.255
access-list 112 permit tcp host 192.168.50.220 eq www any
access-list 113 remark CCP_ACL Category=2
access-list 113 deny   ip host 192.168.50.101 172.16.10.0 0.0.0.255
access-list 113 permit tcp host 192.168.50.101 eq 22 any
access-list 113 deny   ip host 192.168.50.220 172.16.10.0 0.0.0.255
access-list 113 permit tcp host 192.168.50.220 eq 22 any
access-list 114 remark CCP_ACL Category=2
access-list 114 deny   ip host 192.168.50.220 172.16.10.0 0.0.0.255
access-list 114 permit tcp host 192.168.50.220 eq 443 any
access-list 115 remark CCP_ACL Category=2
access-list 115 deny   ip host 192.168.50.240 172.16.10.0 0.0.0.255
access-list 115 permit tcp host 192.168.50.240 eq 3389 any
access-list 150 remark Split Tunnel
access-list 150 permit ip 192.168.50.0 0.0.0.255 172.16.10.0 0.0.0.255
no cdp run

!
!
!
!
route-map SDM_RMAP_11 permit 1
match ip address 113
!
route-map SDM_RMAP_10 permit 1
match ip address 112
!
route-map SDM_RMAP_13 permit 1
match ip address 115
!
route-map SDM_RMAP_12 permit 1
match ip address 114
!
route-map SDM_RMAP_4 permit 1
match ip address 106
!
route-map SDM_RMAP_5 permit 1
match ip address 107
!
route-map SDM_RMAP_6 permit 1
match ip address 108
!
route-map SDM_RMAP_7 permit 1
match ip address 109
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
route-map SDM_RMAP_8 permit 1
match ip address 110
!
route-map SDM_RMAP_9 permit 1
match ip address 111
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Use a good password buddy!
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 101 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
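Added example, not part of the thread or of anyone's reply: a small Python model of the classic Cisco IOS NAT order of operations (outside-to-inside translates before routing, inside-to-outside routes before translating), fed with the FastEthernet4 addresses and the www static mappings from the config above. It assumes classic domain-based NAT as configured here (ip nat inside / ip nat outside, no NAT virtual interface); the client addresses in the demo are constructed.

```python
# Added example, not the thread's own code. Models classic IOS domain-based NAT
# (assumption: no NVI) using values copied from the posted config.

# Addresses configured on FastEthernet4 (ip nat outside), from the config.
FA4_ADDRESSES = {"69.68.66.37", "69.68.67.93", "69.68.67.94",
                 "69.68.67.95", "69.68.67.96"}
OVERLOAD_IP = "69.68.66.37"   # 'ip nat inside source route-map ... interface FastEthernet4 overload'

# www mappings from the 'ip nat inside source static tcp' lines:
# (proto, global_ip, global_port) -> (local_ip, local_port)
STATIC_NAT = {
    ("tcp", "69.68.67.94", 80): ("192.168.50.210", 80),
    ("tcp", "69.68.67.96", 80): ("192.168.50.210", 80),
    ("tcp", "69.68.67.93", 80): ("192.168.50.220", 80),
}


def trace(ingress, src_ip, dst_ip, dst_port, proto="tcp"):
    """Return (processing steps, final outcome) for one packet."""
    steps = []
    if ingress == "FastEthernet4":
        # outside -> inside: the translation is looked up BEFORE routing
        key = (proto, dst_ip, dst_port)
        if key in STATIC_NAT:
            local_ip, local_port = STATIC_NAT[key]
            steps.append(f"static NAT: {dst_ip}:{dst_port} -> {local_ip}:{local_port}")
            steps.append("route lookup: 192.168.50.0/24 via Vlan1")
            return steps, f"forwarded to {local_ip}:{local_port}"
        steps.append("no static mapping; destination is a router-owned address")
        return steps, "delivered to router itself"
    if ingress == "Vlan1":
        # inside -> outside: routing happens FIRST, translation afterwards
        if dst_ip in FA4_ADDRESSES:
            steps.append(f"route lookup: {dst_ip} is a local (router-owned) address")
            steps.append("packet is handed to the router's own IP stack; it never crosses "
                         "the outside interface, so the static mapping is not consulted")
            return steps, "delivered to router itself (no hairpin)"
        steps.append("route lookup: 0.0.0.0/0 via 69.68.66.1 out FastEthernet4")
        steps.append(f"overload NAT: {src_ip} -> {OVERLOAD_IP}")
        return steps, f"forwarded via FastEthernet4, source translated to {OVERLOAD_IP}"
    raise ValueError(f"unknown interface {ingress}")


if __name__ == "__main__":
    # constructed sample packets: an Internet client and a LAN client
    for pkt in [("FastEthernet4", "203.0.113.5", "69.68.67.94", 80),
                ("Vlan1", "192.168.50.50", "69.68.67.94", 80)]:
        steps, outcome = trace(*pkt)
        print(pkt, "->", outcome)
        for s in steps:
            print("   ", s)
```

The second trace reproduces the symptom in the question: the LAN-sourced packet to the WAN address is consumed by the router rather than translated back to the web server.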
