877 Router NAT issue

jaredp
Level 1

I'm looking for a bit of inspiration here, gentlemen. I have a Cisco 877 router that refuses to play nice with me with regard to NAT.

Here is the config file; it's a clean config written from scratch in the CLI and then exported.

-------------------------------------------------

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname AIR877-R1
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
no logging console
enable secret 5 <PASSWORD>
!
no aaa new-model
!
dot11 syslog
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.25
ip dhcp excluded-address 192.168.2.110 192.168.2.125
!
ip dhcp pool LAN-DHCP
   network 192.168.2.0 255.255.255.0
   domain-name hotel.local
   default-router 192.168.2.1
   dns-server <ISPDNS1> <ISPDNS2>
   lease 0 2
!
ip dhcp pool SysnetServer
   host 192.168.2.2 255.255.255.0
   hardware-address <MAC>
!
ip dhcp pool IntellexDVR
   host 192.168.2.3 255.255.255.0
   hardware-address <MAC>
!
ip domain name aiporthotel.local
ip inspect name IPFW-OUT tcp timeout 3600
ip inspect name IPFW-OUT udp timeout 15
ip inspect name IPFW-OUT cuseeme
ip inspect name IPFW-OUT ftp
ip inspect name IPFW-OUT tftp
ip inspect name IPFW-OUT rcmd
ip inspect name IPFW-OUT realaudio
ip inspect name IPFW-OUT smtp
ip inspect name IPFW-OUT h323
ip inspect name IPFW-OUT dns
ip inspect name IPFW-OUT https
ip inspect name IPFW-OUT icmp
ip inspect name IPFW-OUT imap
ip inspect name IPFW-OUT pop3
ip inspect name IPFW-OUT netshow
ip inspect name IPFW-OUT sqlnet
ip inspect name IPFW-OUT streamworks
ip inspect name IPFW-OUT vdolive
ip inspect name IPFW-IN smtp max-data 1048576
ip inspect name IPFW-IN pop3
ip inspect name IPFW-IN pop3s
ip inspect name IPFW-IN imap
ip inspect name IPFW-IN imaps
!
multilink bundle-name authenticated
!
username <USERNAME> privilege 15 secret 5 <PASSWORD>
!
archive
 log config
  hidekeys
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 ip address negotiated
 ip access-group IPFW-ACL-IN in
 ip mtu 1492
 ip nat outside
 ip inspect IPFW-IN in
 ip inspect IPFW-OUT out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname <USERNAME>
 ppp chap password 7 <PASSWORD>
 ppp pap sent-username <USERNAME> password 7 <PASSWORD>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface Dialer0 overload
ip nat inside source static tcp 192.168.2.2 3389 <Static Internet IP> 3389 extendable
ip nat inside source static tcp 192.168.2.3 5000 <Static Internet IP> 5000 extendable
ip nat inside source static tcp 192.168.2.3 5001 <Static Internet IP> 5001 extendable
ip nat inside source static tcp 192.168.2.3 5002 <Static Internet IP> 5002 extendable
ip nat inside source static tcp 192.168.2.3 5003 <Static Internet IP> 5003 extendable
ip nat inside source static tcp 192.168.2.2 5631 <Static Internet IP> 5631 extendable
ip nat inside source static tcp 192.168.2.2 5632 <Static Internet IP> 5632 extendable
ip nat inside source static tcp 192.168.2.110 9000 <Static Internet IP> 9000 extendable
ip nat inside source static tcp 192.168.2.111 9001 <Static Internet IP> 9001 extendable
ip nat inside source static tcp 192.168.2.112 9002 <Static Internet IP> 9002 extendable
ip nat inside source static tcp 192.168.2.113 9003 <Static Internet IP> 9003 extendable
ip nat inside source static tcp 192.168.2.114 9004 <Static Internet IP> 9004 extendable
ip nat inside source static tcp 192.168.2.115 9005 <Static Internet IP> 9005 extendable
ip nat inside source static tcp 192.168.2.116 9006 <Static Internet IP> 9006 extendable
ip nat inside source static tcp 192.168.2.117 9007 <Static Internet IP> 9007 extendable
ip nat inside source static tcp 192.168.2.118 9008 <Static Internet IP> 9008 extendable
ip nat inside source static tcp 192.168.2.119 9009 <Static Internet IP> 9009 extendable
ip nat inside source static tcp 192.168.2.120 9010 <Static Internet IP> 9010 extendable
ip nat inside source static tcp 192.168.2.121 9011 <Static Internet IP> 9011 extendable
ip nat inside source static tcp 192.168.2.122 9012 <Static Internet IP> 9012 extendable
ip nat inside source static tcp 192.168.2.123 9013 <Static Internet IP> 9013 extendable
ip nat inside source static tcp 192.168.2.124 9014 <Static Internet IP> 9014 extendable
ip nat inside source static tcp 192.168.2.125 9015 <Static Internet IP> 9015 extendable
!
ip access-list standard VTY-ACL
permit 150.101.253.111
permit 192.168.2.0 0.0.0.255
!
ip access-list extended IPFW-ACL-IN
permit tcp any host <Static Internet IP> eq 22
permit tcp any host <Static Internet IP> eq 3389
permit tcp any host <Static Internet IP> eq 5000
permit tcp any host <Static Internet IP> eq 5001
permit tcp any host <Static Internet IP> eq 5002
permit tcp any host <Static Internet IP> eq 5003
permit tcp any host <Static Internet IP> eq 5631
permit tcp any host <Static Internet IP> eq 5632
permit tcp any host <Static Internet IP> eq 9000
permit tcp any host <Static Internet IP> eq 9001
permit tcp any host <Static Internet IP> eq 9002
permit tcp any host <Static Internet IP> eq 9003
permit tcp any host <Static Internet IP> eq 9004
permit tcp any host <Static Internet IP> eq 9005
permit tcp any host <Static Internet IP> eq 9006
permit tcp any host <Static Internet IP> eq 9007
permit tcp any host <Static Internet IP> eq 9008
permit tcp any host <Static Internet IP> eq 9009
permit tcp any host <Static Internet IP> eq 9010
permit tcp any host <Static Internet IP> eq 9011
permit tcp any host <Static Internet IP> eq 9012
permit tcp any host <Static Internet IP> eq 9013
permit tcp any host <Static Internet IP> eq 9014
permit tcp any host <Static Internet IP> eq 9015
permit icmp any any administratively-prohibited
permit icmp any any echo-reply
permit icmp any any packet-too-big
permit icmp any any time-exceeded
permit icmp any any traceroute
permit gre any any
deny   ip any any
ip access-list extended NAT-ACL
permit ip 192.168.2.0 0.0.0.255 any
!
logging trap debugging
no cdp run
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class VTY-ACL in
 password 7 <PASSWORD>
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

-------------------------------------------------

So everything is working, including NAT from LAN hosts to the internet. The frustrating part is the port translation from the public internet IP to a static host on the LAN. The funny thing is, RDP on port 3389 works perfectly every time; the rest don't work at all. I have tried using the following method to declare a port translation instead of the one in the config and I get the same result:

ip nat inside source static tcp 192.168.2.125 9015 interface Dialer0 9015

When I enable NAT debugging I can see the translations happening correctly, but my browser just times out (the device I am testing is a NAS drive with a web interface on port 9015, I can access it within the local network fine).

I need a fresh set of eyes here I think. Any assistance would be appreciated.
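As an added example that is not part of the original post or of Cisco's tooling: the config above carries one static forward and one inbound `permit` per service, and the two lists have to be kept in step by hand. The Python below audits that pairing on a constructed excerpt of the posted config (the redacted `<Static Internet IP>` is replaced by the documentation address 203.0.113.10, IOS indentation is restored, and one forward to 192.168.2.50:8080 that is not in the original is added so that a failure shows). It reports forwards the inbound ACL would drop, permits with no forward behind them (those land on the router itself, port 22 here), forwarded hosts that sit in a dynamic DHCP range, and every service opened to `any`.

```python
import ipaddress
import re

# Constructed excerpt of the posted AIR877-R1 config: the redacted
# <Static Internet IP> is replaced by 203.0.113.10 (TEST-NET-3), and ONE forward
# that is NOT in the original (192.168.2.50 -> 8080, no matching permit) is added.
CONFIG = """\
ip dhcp excluded-address 192.168.2.1 192.168.2.25
ip dhcp excluded-address 192.168.2.110 192.168.2.125
ip dhcp pool LAN-DHCP
   network 192.168.2.0 255.255.255.0
ip dhcp pool SysnetServer
   host 192.168.2.2 255.255.255.0
   hardware-address <MAC>
interface Dialer0
 ip access-group IPFW-ACL-IN in
 ip nat outside
ip nat inside source static tcp 192.168.2.2 3389 203.0.113.10 3389 extendable
ip nat inside source static tcp 192.168.2.3 5000 203.0.113.10 5000 extendable
ip nat inside source static tcp 192.168.2.125 9015 203.0.113.10 9015 extendable
ip nat inside source static tcp 192.168.2.50 8080 203.0.113.10 8080 extendable
ip access-list extended IPFW-ACL-IN
 permit tcp any host 203.0.113.10 eq 22
 permit tcp any host 203.0.113.10 eq 3389
 permit tcp any host 203.0.113.10 eq 5000
 permit tcp any host 203.0.113.10 eq 9015
 deny   ip any any
"""

STATIC_NAT = re.compile(
    r"ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"(?:interface (?P<out_if>\S+)|(?P<out_ip>\S+)) (?P<out_port>\d+)")
ACE = re.compile(r"permit (?P<proto>tcp|udp) (?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+) eq (?P<port>\d+)")


def parse(config):
    """Pull out static forwards, ACLs, interface NAT roles and DHCP ranges."""
    st = {"nats": [], "acls": {}, "ifs": {}, "excluded": [], "nets": [], "bound": set()}
    kind = section = None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line.startswith(" "):                 # top-level command
            kind = section = None
            if m := re.match(r"interface (\S+)", line):
                kind, section = "if", st["ifs"].setdefault(m[1], {})
            elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
                kind, section = "acl", st["acls"].setdefault(m[1], [])
            elif line.startswith("ip dhcp pool "):
                kind = "pool"
            elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line):
                st["excluded"].append((ipaddress.ip_address(m[1]),
                                       ipaddress.ip_address(m[2] or m[1])))
            elif m := STATIC_NAT.match(line):
                st["nats"].append(m.groupdict())
            continue
        body = line.strip()                           # sub-command of the open block
        if kind == "if":
            if m := re.match(r"ip access-group (\S+) in$", body):
                section["acl_in"] = m[1]
            elif body == "ip nat outside":
                section["outside"] = True
        elif kind == "acl" and (m := ACE.match(body)):
            section.append(m.groupdict())
        elif kind == "pool":
            if m := re.match(r"network (\S+) (\S+)", body):
                st["nets"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
            elif m := re.match(r"host (\S+) ", body):
                st["bound"].add(ipaddress.ip_address(m[1]))
    return st


def audit(config):
    """Findings: forwards the ACL blocks, permits with no forward, DHCP-exposed targets, 'any' exposure."""
    st = parse(config)
    outside = [i for i in st["ifs"].values() if i.get("outside")]
    acl_name = outside[0].get("acl_in") if outside else None
    forwarded = {(n["proto"], int(n["out_port"])): n for n in st["nats"]}
    permitted = {(a["proto"], int(a["port"])): a for a in st["acls"].get(acl_name, [])}
    f = {"acl": acl_name, "nat_without_permit": [], "permit_without_nat": [],
         "dhcp_dynamic_targets": [], "exposed_to_any": []}
    for key, n in forwarded.items():
        if key not in permitted:                     # translated, then dropped by the ACL
            f["nat_without_permit"].append(f"{key[0]}/{key[1]} -> {n['in_ip']}:{n['in_port']}")
    for key, a in permitted.items():
        target = forwarded[key]["in_ip"] if key in forwarded else "router"
        if target == "router":                       # untranslated: lands on the router itself
            f["permit_without_nat"].append(f"{key[0]}/{key[1]}")
        if a["src"] == "any":
            f["exposed_to_any"].append(f"{key[0]}/{key[1]} -> {target}")
    for n in st["nats"]:                             # a lease could take a forwarded address
        ip = ipaddress.ip_address(n["in_ip"])
        reserved = ip in st["bound"] or any(lo <= ip <= hi for lo, hi in st["excluded"])
        if any(ip in net for net in st["nets"]) and not reserved:
            f["dhcp_dynamic_targets"].append(n["in_ip"])
    return f


if __name__ == "__main__":
    print(audit(CONFIG))
```

On the real config every 9000 to 9015 forward pairs with a permit and every target is either in an excluded range or bound by MAC, so this audit would not explain the symptom; what it does make explicit is that RDP, the 5631/5632 remote-control ports and all the NAS web interfaces are reachable from the whole Internet, which is worth a source restriction in IPFW-ACL-IN once the forwarding problem is solved.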

1 Accepted Solution

puagarwa
Level 1

Resolution Summary

Issue on 3rd Party switch.
4 Replies

cadet alain
VIP Alumni

Hi,

Can you add this command to your config: ip inspect log drop-pkt, and see if you have any message when trying to communicate with your NAS.

Regards.

Alain.

Don't forget to rate helpful posts.

I added the ip inspect log drop-pkt command, cleared the logging buffer, and then tried a couple of times to access the NAS. There was nothing logged in relation to my connection attempts.

jaredp
Level 1

Here is some more information when I try to access the NAS:

AIR877-R1#clear log
Clear logging buffer [confirm]

AIR877-R1#debug ip nat detailed

IP NAT detailed debugging is on
AIR877-R1#show ip nat translations

Pro Inside global         Inside local          Outside local         Outside global
tcp :3389      192.168.2.2:3389      ---                   ---
tcp :5631      192.168.2.2:5631      ---                   ---
tcp :5632      192.168.2.2:5632      ---                   ---
tcp :5000      192.168.2.3:5000      ---                   ---
tcp :5001      192.168.2.3:5001      ---                   ---
tcp :5002      192.168.2.3:5002      ---                   ---
tcp :5003      192.168.2.3:5003      ---                   ---
tcp :9000      192.168.2.110:9000    ---                   ---
tcp :9001      192.168.2.111:9001    ---                   ---
tcp :9002      192.168.2.112:9002    ---                   ---
tcp :9003      192.168.2.113:9003    ---                   ---
tcp :9004      192.168.2.114:9004    ---                   ---
tcp :9005      192.168.2.115:9005    ---                   ---
tcp :9006      192.168.2.116:9006    ---                   ---
tcp :9007      192.168.2.117:9007    ---                   ---
tcp :9008      192.168.2.118:9008    ---                   ---
tcp :9009      192.168.2.119:9009    ---                   ---
tcp :9010      192.168.2.120:9010    ---                   ---
tcp :9011      192.168.2.121:9011    ---                   ---
tcp :9012      192.168.2.122:9012    ---                   ---
tcp :9013      192.168.2.123:9013    ---                   ---
tcp :9014      192.168.2.124:9014    ---                   ---
tcp :9015      192.168.2.125:9015    :2924 :2924
tcp :9015      192.168.2.125:9015    ---                   ---
AIR877-R1#

AIR877-R1#show log

Log Buffer (4096 bytes):
NAT*: o: tcp (, 2924) -> (, 9015) [9264]
NAT*: o: tcp (, 2924) -> (, 9015) [9264]
NAT*: s=, d=->192.168.2.125 [9264]
NAT*: o: tcp (, 2924) -> (, 9015) [9279]
NAT*: s=, d=->192.168.2.125 [9279]
NAT*: o: tcp (, 2924) -> (, 9015) [9299]
NAT*: s=, d=->192.168.2.125 [9299]
AIR877-R1#
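The debug output above only ever shows `o:` lines, that is, packets arriving on the outside interface and being translated towards 192.168.2.125; there is no `i:` line for a reply from the NAS, whereas a working forward such as RDP produces both directions. As an added example that is not from the thread, the Python below groups `debug ip nat detailed` lines by remote end and flags flows that were translated inbound but never answered, which places the fault beyond the router (host, default gateway or the switch in between), consistent with the accepted resolution. The log is constructed in the format the thread shows, with the redacted addresses filled in with documentation addresses (203.0.113.5 as the remote client, 203.0.113.10 as the public address); the meaning of the `i:`/`o:` markers and the shared IP identification in brackets are assumptions about that format.

```python
import re

# Constructed sample of `debug ip nat detailed` output in the shape the thread
# shows, with the redacted addresses filled in: 203.0.113.5 is the remote
# client and 203.0.113.10 stands for the router's public address. The RDP flow
# gets a reply from 192.168.2.2; the three attempts on 9015 never do.
DEBUG_LOG = """\
NAT*: o: tcp (203.0.113.5, 51000) -> (203.0.113.10, 3389) [101]
NAT*: s=203.0.113.5, d=203.0.113.10->192.168.2.2 [101]
NAT*: i: tcp (192.168.2.2, 3389) -> (203.0.113.5, 51000) [7]
NAT*: s=192.168.2.2->203.0.113.10, d=203.0.113.5 [7]
NAT*: o: tcp (203.0.113.5, 2924) -> (203.0.113.10, 9015) [9264]
NAT*: s=203.0.113.5, d=203.0.113.10->192.168.2.125 [9264]
NAT*: o: tcp (203.0.113.5, 2924) -> (203.0.113.10, 9015) [9279]
NAT*: s=203.0.113.5, d=203.0.113.10->192.168.2.125 [9279]
NAT*: o: tcp (203.0.113.5, 2924) -> (203.0.113.10, 9015) [9299]
NAT*: s=203.0.113.5, d=203.0.113.10->192.168.2.125 [9299]
"""

# Assumed format: "o:" = packet arrived on the ip nat outside interface, "i:" =
# arrived on the inside interface; the trailing [n] is the IP identification,
# shared with the translation line ("s=..., d=...") that follows the packet.
PKT = re.compile(
    r"NAT\*?: (?P<dir>[io]): (?P<proto>\w+) \((?P<sip>[\d.]+), (?P<sport>\d+)\) -> "
    r"\((?P<dip>[\d.]+), (?P<dport>\d+)\) \[(?P<id>\d+)\]")
XLATE = re.compile(r"NAT\*?: s=(?P<s>[^,]+), d=(?P<d>\S+) \[(?P<id>\d+)\]")


def flows(log):
    """Group packets by the remote end (proto, host, port), count each
    direction, and record the inside host the outside packets were sent to."""
    table, key_by_id = {}, {}
    for line in log.splitlines():
        if m := PKT.match(line):
            if m["dir"] == "o":                 # remote -> public address
                key = (m["proto"], m["sip"], int(m["sport"]))
                rec = table.setdefault(key, {"public_port": int(m["dport"]),
                                             "inside": None, "o": 0, "i": 0})
            else:                               # inside host -> remote (the reply)
                key = (m["proto"], m["dip"], int(m["dport"]))
                rec = table.setdefault(key, {"public_port": None,
                                             "inside": m["sip"], "o": 0, "i": 0})
            rec[m["dir"]] += 1
            key_by_id[m["id"]] = key
        elif (m := XLATE.match(line)) and "->" in m["d"]:
            # d=public->inside: the inbound static mapping that was applied
            key = key_by_id.get(m["id"])
            if key:
                table[key]["inside"] = m["d"].split("->")[1]
    return table


def unanswered(table):
    """Flows translated inbound that the inside host never replied to. NAT did
    its job for these; the fault is past the router (host, gateway, L2 path)."""
    return {k: v for k, v in table.items() if v["o"] and not v["i"]}


if __name__ == "__main__":
    for (proto, host, port), rec in unanswered(flows(DEBUG_LOG)).items():
        print(f"{proto} {host}:{port} -> :{rec['public_port']} -> {rec['inside']}: "
              f"{rec['o']} inbound packets, 0 replies")
```

A flow that shows up here with a populated `inside` host and zero `i:` packets has been translated and forwarded; the next things to check are the target's default gateway (it must be 192.168.2.1 for the reply to reach the router) and the layer-2 path between the router's switch ports and the host.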
