05-23-2011 10:13 PM - edited 03-07-2019 12:38 AM
I'm looking for a bit of inspiration here gentlemen. I have a Cisco 877 router that refuses to play nice with me in regards to NAT.
Here is the config file; it's a clean config written from scratch in the CLI, then exported.
-------------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname AIR877-R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5 <PASSWORD>
!
no aaa new-model
!
dot11 syslog
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.25
ip dhcp excluded-address 192.168.2.110 192.168.2.125
!
ip dhcp pool LAN-DHCP
network 192.168.2.0 255.255.255.0
domain-name hotel.local
default-router 192.168.2.1
dns-server <ISPDNS1> <ISPDNS2>
lease 0 2
!
ip dhcp pool SysnetServer
host 192.168.2.2 255.255.255.0
hardware-address <MAC>
!
ip dhcp pool IntellexDVR
host 192.168.2.3 255.255.255.0
hardware-address <MAC>
!
ip domain name aiporthotel.local
ip inspect name IPFW-OUT tcp timeout 3600
ip inspect name IPFW-OUT udp timeout 15
ip inspect name IPFW-OUT cuseeme
ip inspect name IPFW-OUT ftp
ip inspect name IPFW-OUT tftp
ip inspect name IPFW-OUT rcmd
ip inspect name IPFW-OUT realaudio
ip inspect name IPFW-OUT smtp
ip inspect name IPFW-OUT h323
ip inspect name IPFW-OUT dns
ip inspect name IPFW-OUT https
ip inspect name IPFW-OUT icmp
ip inspect name IPFW-OUT imap
ip inspect name IPFW-OUT pop3
ip inspect name IPFW-OUT netshow
ip inspect name IPFW-OUT sqlnet
ip inspect name IPFW-OUT streamworks
ip inspect name IPFW-OUT vdolive
ip inspect name IPFW-IN smtp max-data 1048576
ip inspect name IPFW-IN pop3
ip inspect name IPFW-IN pop3s
ip inspect name IPFW-IN imap
ip inspect name IPFW-IN imaps
!
multilink bundle-name authenticated
!
username <USERNAME> privilege 15 secret 5 <PASSWORD>
!
archive
log config
hidekeys
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
interface Dialer0
ip address negotiated
ip access-group IPFW-ACL-IN in
ip mtu 1492
ip nat outside
ip inspect IPFW-IN in
ip inspect IPFW-OUT out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname <USERNAME>
ppp chap password 7 <PASSWORD>
ppp pap sent-username <USERNAME> password 7 <PASSWORD>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 3389 <Static Internet IP> 3389 extendable
ip nat inside source static tcp 192.168.2.3 5000 <Static Internet IP> 5000 extendable
ip nat inside source static tcp 192.168.2.3 5001 <Static Internet IP> 5001 extendable
ip nat inside source static tcp 192.168.2.3 5002 <Static Internet IP> 5002 extendable
ip nat inside source static tcp 192.168.2.3 5003 <Static Internet IP> 5003 extendable
ip nat inside source static tcp 192.168.2.2 5631 <Static Internet IP> 5631 extendable
ip nat inside source static tcp 192.168.2.2 5632 <Static Internet IP> 5632 extendable
ip nat inside source static tcp 192.168.2.110 9000 <Static Internet IP> 9000 extendable
ip nat inside source static tcp 192.168.2.111 9001 <Static Internet IP> 9001 extendable
ip nat inside source static tcp 192.168.2.112 9002 <Static Internet IP> 9002 extendable
ip nat inside source static tcp 192.168.2.113 9003 <Static Internet IP> 9003 extendable
ip nat inside source static tcp 192.168.2.114 9004 <Static Internet IP> 9004 extendable
ip nat inside source static tcp 192.168.2.115 9005 <Static Internet IP> 9005 extendable
ip nat inside source static tcp 192.168.2.116 9006 <Static Internet IP> 9006 extendable
ip nat inside source static tcp 192.168.2.117 9007 <Static Internet IP> 9007 extendable
ip nat inside source static tcp 192.168.2.118 9008 <Static Internet IP> 9008 extendable
ip nat inside source static tcp 192.168.2.119 9009 <Static Internet IP> 9009 extendable
ip nat inside source static tcp 192.168.2.120 9010 <Static Internet IP> 9010 extendable
ip nat inside source static tcp 192.168.2.121 9011 <Static Internet IP> 9011 extendable
ip nat inside source static tcp 192.168.2.122 9012 <Static Internet IP> 9012 extendable
ip nat inside source static tcp 192.168.2.123 9013 <Static Internet IP> 9013 extendable
ip nat inside source static tcp 192.168.2.124 9014 <Static Internet IP> 9014 extendable
ip nat inside source static tcp 192.168.2.125 9015 <Static Internet IP> 9015 extendable
!
ip access-list standard VTY-ACL
permit 150.101.253.111
permit 192.168.2.0 0.0.0.255
!
ip access-list extended IPFW-ACL-IN
permit tcp any host <Static Internet IP> eq 22
permit tcp any host <Static Internet IP> eq 3389
permit tcp any host <Static Internet IP> eq 5000
permit tcp any host <Static Internet IP> eq 5001
permit tcp any host <Static Internet IP> eq 5002
permit tcp any host <Static Internet IP> eq 5003
permit tcp any host <Static Internet IP> eq 5631
permit tcp any host <Static Internet IP> eq 5632
permit tcp any host <Static Internet IP> eq 9000
permit tcp any host <Static Internet IP> eq 9001
permit tcp any host <Static Internet IP> eq 9002
permit tcp any host <Static Internet IP> eq 9003
permit tcp any host <Static Internet IP> eq 9004
permit tcp any host <Static Internet IP> eq 9005
permit tcp any host <Static Internet IP> eq 9006
permit tcp any host <Static Internet IP> eq 9007
permit tcp any host <Static Internet IP> eq 9008
permit tcp any host <Static Internet IP> eq 9009
permit tcp any host <Static Internet IP> eq 9010
permit tcp any host <Static Internet IP> eq 9011
permit tcp any host <Static Internet IP> eq 9012
permit tcp any host <Static Internet IP> eq 9013
permit tcp any host <Static Internet IP> eq 9014
permit tcp any host <Static Internet IP> eq 9015
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit gre any any
deny ip any any
ip access-list extended NAT-ACL
permit ip 192.168.2.0 0.0.0.255 any
!
logging trap debugging
no cdp run
!
control-plane
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class VTY-ACL in
password 7 <PASSWORD>
login local
transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
-------------------------------------------------
So everything is working, including NAT from LAN hosts to the internet. The frustrating part is the port translation from the public internet IP to a static host on the LAN. The funny thing is, RDP on port 3389 works perfectly every time; the rest don't work at all. I have tried using the following method to declare a port translation instead of the one in the config and I get the same result:
ip nat inside source static tcp 192.168.2.125 9015 interface Dialer0 9015
When I enable NAT debugging I can see the translations happening correctly, but my browser just times out (the device I am testing is a NAS drive with a web interface on port 9015, I can access it within the local network fine).
I need a fresh set of eyes here I think. Any assistance would be appreciated.
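When a set of static port forwards behaves inconsistently, the first thing to rule out is a mismatch between the NAT statements and the ACL applied inbound on the outside interface: every translated global port needs a matching permit, and every permit without a translation is a port open to the router itself. The script below is an added example, not part of the original post or of Cisco's tooling; it parses the three pieces of the config shown above (the `ip nat inside source static` lines, the `ip access-list extended` blocks and the `ip access-group ... in` on the `ip nat outside` interface) and cross-checks them. SAMPLE_CONFIG is a constructed cut-down config that follows the one in the post, with 203.0.113.10 standing in for `<Static Internet IP>`, plus a deliberately unpermitted forward (9016) and a duplicated global port (9015) so the checks have something to report. It assumes the one-space sub-command indentation that `show running-config` produces.

```python
"""Cross-check IOS static NAT port forwards against the inbound ACL on the outside interface.

Added example, not code from the forum thread. SAMPLE_CONFIG is constructed for the
demo: 203.0.113.10 is a documentation address used as a placeholder for the real
public IP, and the 9016/duplicate-9015 entries are planted findings.
"""
import re
from collections import Counter, namedtuple

SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip access-group IPFW-ACL-IN in
 ip nat outside
!
ip nat inside source list NAT-ACL interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 3389 203.0.113.10 3389 extendable
ip nat inside source static tcp 192.168.2.125 9015 203.0.113.10 9015 extendable
ip nat inside source static tcp 192.168.2.126 9016 interface Dialer0 9016
ip nat inside source static tcp 192.168.2.127 9015 203.0.113.10 9015 extendable
!
ip access-list extended IPFW-ACL-IN
 permit tcp any host 203.0.113.10 eq 22
 permit tcp any host 203.0.113.10 eq 3389
 permit tcp any host 203.0.113.10 eq 9015
 permit icmp any any echo-reply
 deny ip any any
ip access-list extended NAT-ACL
 permit ip 192.168.2.0 0.0.0.255 any
"""

StaticNat = namedtuple("StaticNat", "proto local_ip local_port global_port")

# Global side is either "<ip> <port>" or "interface <name> <port>"; both forms appear in the post.
STATIC_NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<lip>\S+) (?P<lport>\d+) "
    r"(?:interface \S+|\S+) (?P<gport>\d+)\b"
)
ACL_HEADER_RE = re.compile(r"^ip access-list extended (\S+)$")
ACL_ENTRY_RE = re.compile(r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*)$")
DEST_PORT_RE = re.compile(r"eq (\d+)(?:\s+log)?\s*$")  # trailing 'eq N' = destination port


def parse_static_nat(config):
    """All static tcp/udp port forwards as StaticNat tuples."""
    out = []
    for line in config.splitlines():
        m = STATIC_NAT_RE.match(line.strip())
        if m:
            out.append(StaticNat(m["proto"], m["lip"], int(m["lport"]), int(m["gport"])))
    return out


def parse_extended_acls(config):
    """{acl_name: [(action, proto, dest_port_or_None), ...]} for each extended ACL."""
    acls, current = {}, None
    for line in config.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None or line.strip().startswith("remark"):
            continue
        entry = ACL_ENTRY_RE.match(line)
        if not entry:
            current = None  # '!' or any other non-entry line closes the ACL block
            continue
        port = DEST_PORT_RE.search(entry["rest"])
        acls[current].append((entry["action"], entry["proto"], int(port.group(1)) if port else None))
    return acls


def outside_inbound_acl(config):
    """Name of the ACL applied inbound on the 'ip nat outside' interface, or None."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif current and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None
    for lines in blocks.values():
        if "ip nat outside" in lines:
            for sub in lines:
                m = re.match(r"ip access-group (\S+) in$", sub)
                if m:
                    return m.group(1)
    return None


def audit(config):
    """Forwards blocked by the ACL, permits with no forward (hit the router), and duplicate global ports."""
    nat = parse_static_nat(config)
    acl_name = outside_inbound_acl(config)
    permitted = None  # None = no inbound ACL on the outside interface, so nothing is filtered
    if acl_name is not None:
        permitted = {(proto, port) for action, proto, port in parse_extended_acls(config).get(acl_name, [])
                     if action == "permit" and proto in ("tcp", "udp") and port is not None}
    mapped = Counter((e.proto, e.global_port) for e in nat)
    return {
        "inbound_acl": acl_name,
        "unpermitted": [] if permitted is None else [e for e in nat if (e.proto, e.global_port) not in permitted],
        "unmapped_permits": [] if permitted is None else sorted(permitted - set(mapped)),
        "conflicting_global_ports": sorted(k for k, n in mapped.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the full config from the post (after replacing the `<...>` placeholders with real tokens), every 9000-9015 forward pairs with a permit, so this check comes back clean apart from port 22, which is the intended SSH management access; that is consistent with the thread's eventual finding that the fault was not in the router config. On a config that does produce findings, `unpermitted` is the list to fix first and `unmapped_permits` is the list to confirm is deliberate.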
05-23-2011 11:32 PM
Hi,
Can you add this command to your config: ip inspect log drop-pkt and see if you have any message when trying to communicate with your NAS.
Regards.
Alain.
05-23-2011 11:51 PM
I added the ip inspect log drop-pkt command, cleared the logging buffer, and then tried a couple of times to access the NAS. There was nothing logged in relation to my connection attempts.
05-24-2011 04:18 PM
Here is some more information when I try to access the NAS:
AIR877-R1#clear log
Clear logging buffer [confirm]
AIR877-R1#debug ip nat detailed
IP NAT detailed debugging is on
AIR877-R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
AIR877-R1#
AIR877-R1#show log
Log Buffer (4096 bytes):
NAT*: o: tcp (
NAT*: o: tcp (
NAT*: s=
NAT*: o: tcp (
NAT*: s=
NAT*: o: tcp (
NAT*: s=
AIR877-R1#
06-14-2011 12:24 AM
Resolution Summary
Issue on 3rd Party switch.