02-14-2012 08:39 PM - edited 03-07-2019 04:56 AM
Hello,
I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.
I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.
The router can also ping/telnet to the port on the webserver that I need, so the path is in place.
Essentially the nat rules are:
ip nat inside source static tcp 172.31.33.3 80 dialer0 80
ip nat inside source static tcp 172.31.33.3 443 dialer0 443
I have also tried using the actual external Ip address in place of 'dialer0' but to no avail.
I can see the actual NAT translations appear in 'show ip nat translations'.
The default gateway for 172.31.33.3 is actually the router, 172.31.33.2, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip 172.31.33.2).
Is there something I am missing? How best to debug this? Are there NAT debug commands (I couldn't see any)?
02-15-2012 12:38 AM
Hi,
You should do this:
ip nat inside source static tcp 172.31.33.3 80 dialer0 80
ip nat inside source static tcp 172.31.33.3 443 dialer0 443
Concerning the debug: debug ip nat
Regards.
Alain
02-15-2012 02:39 PM
My apologies, that's actually a typo as I re-wrote the command rather than copying them.
I've updated the original post. I'll investigate the nat debugging and post some results.
02-15-2012 04:12 PM
Well, upon using the debug command it seemed the NAT rule is working; it's just not communicating properly with its intended destination.
I tested out connecting up a device onto the router with a subnet/vlan unique to that device and the nat rule worked fine to that, I could access it externally.
So now I'm left with working out why it's not connecting. The 172.31.33.3 address is routed to a different router first. I can access both the other router and the destination IP/ports from the NATing router. My only ACL on the NATing router that is in place currently is a permit ip any any rule on the external interface and a NAT overload route-map group for internet access.
Could it be ACLs on the original router? (There are a few on there: NAT overload rules and outbound/inbound restrictions on the dialer interface. I'm moving it over to the new router.) Do I need to add an ACL somewhere, something like a 'permit tcp any host 172.31.33.3 80', on the old router?
How do I best debug this?
Thank you.
02-15-2012 04:39 PM
Do the other routers involved in this have a route to your subnet?
Eugen
02-15-2012 04:54 PM
Yeah, I can ping from the webserver to both routers, and other subnets on both routers. I also tried setting up a NAT rule to another subnet on the 2nd router but the same thing happened (and there is proper connectivity there).
It's something to do with NATing to that other router it seems. Any debugging tips?
02-15-2012 07:58 PM
If I understand correctly, your setup is like this:
WebServer(your local LAN) -->router-->router-->router-->PC(destination LAN). Is this assumption correct?
02-15-2012 08:04 PM
Not quite, it's like this (where the dot is the interface it comes in/goes out on and the @ is the nat rule):
WebServer-->Subint.Router.Subint-->VlanIP.Router@.ADSL(Static IP)--->Internet--->RemoteClient
So it should go, for example:
Client types in http://1.2.3.4
1.2.3.4-->External ADSL Interface (Rtr1)-->NAT 172.31.33.3--->Route to 172.31.14.1 (int on Rtr2)--->Route to 172.31.33.1 (subint on Rtr2)--->Send to webserver
02-15-2012 08:19 PM
You have only 2 routers between server and Internet, is that correct?
I assume that all subnets have /24 mask, is that correct?
Your server has an ip in 172.31.33.0 subnet with default gateway of 172.31.33.1, is that correct?
02-15-2012 09:24 PM
Yes, all subnets are /24.
And yes, that's the IP and gateway setup I'm using.
2 Routers total
02-15-2012 09:45 PM
Does this look like your set up?
02-15-2012 09:59 PM
Almost. The 172.31.33.3 address isn't actually on the interface on the ADSL router; that's the webserver IP address (instead of 172.31.33.10). I may have misled you above, as I stated that it NATs to that in the diagram, but I meant more that that's where the NAT rule is. The inside interface of the ADSL router is 172.31.14.248 (the VLAN 1 IP address), which is how it talks to the 2nd router.
So in that diagram if you replace 172.31.33.3 with 172.31.14.248 and replace 172.31.33.10 with 172.31.33.3 then that's the setup, with the NAT rule on the ADSL router.
I am able to NAT across an intermediary router right?
02-15-2012 10:19 PM
Ok.
Try this on ADSL
ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)
ip route 172.31.33.0 255.255.255.0 172.31.14.1
ip nat source static 172.31.33.3 x.x.x.x (public ip on outside int)
On LAN router
ip route 0.0.0.0 0.0.0.0 172.31.14.248
02-16-2012 07:28 PM
Yes the outside interface is the dialer interface and the inside interfaces are the VLANs on the router
eugen barticel wrote:
Ok.
Try this on ADSL
ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)
ip route 172.31.33.0 255.255.255.0 172.31.14.1
ip nat source static 172.31.33.3 x.x.x.x (public ip on outside int)
On LAN router
ip route 0.0.0.0 0.0.0.0 172.31.14.248
Ah, I see what you did there...
Yes this actually makes it work, once I add the default route on the other router (everything else was always in place). It would seem the packets are not going in the same path as they are going out.
However, the whole reason we got this new router is so that we could set the default route on the other router to be our production ASA (this 2nd router is a redundancy link and will be used for VPN), so this doesn't suit my needs.
However, as we now know the problem, how can I get around it?
Could I, for example, change the NAT rule to be something like 172.31.34.3, make a subinterface on the 2nd router with that IP, mark it as 'ip nat outside', then NAT from 172.31.34.3 to 172.31.33.3 on the 2nd router? So you basically nat to hop to the first router, then nat to hop to the webserver. Is my logic off here?
02-16-2012 08:24 PM
Which router are you going to use for VPN? ADSL or LAN?
If you don't want a default route on LAN router you can create a more specific static route
ip route 172.31.33.3 255.255.255.255 172.31.14.248 and then use acl to permit or block other ip addresses
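As an added worked example (not configuration posted by anyone in this thread), the following shows the relevant pieces of both routers for the problem the debugging above uncovered: the inbound connection is translated on the ADSL router and reaches the server via the LAN router, but the server's replies follow the LAN router's default route to the ASA instead of returning through the router that holds the NAT state. A static route selects a path by destination address, so it cannot steer the server's replies by their source; the example therefore uses policy-based routing on the LAN router, which the thread does not mention, to send traffic sourced from 172.31.33.3 on ports 80 and 443 back to the ADSL router. Assumptions, none of which come from the page: the LAN router's sub-interface toward the server is FastEthernet0/0.33, the ASA inside address is 172.31.14.254, the internal address space is 172.31.0.0/16, and the public address is the 1.2.3.4 placeholder used earlier in the thread.

```cisco
! ===== ADSL router (877): holds the NAT rules; 172.31.14.248 on Vlan1 =====
interface Vlan1
 ip address 172.31.14.248 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
!
! Internet via the dialer; the server's subnet is one hop away behind the LAN router
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 172.31.33.0 255.255.255.0 172.31.14.1
!
ip nat inside source static tcp 172.31.33.3 80 interface Dialer0 80
ip nat inside source static tcp 172.31.33.3 443 interface Dialer0 443

! ===== LAN router: default route stays on the ASA; only the server's web replies go back via the ADSL router =====
! (ASA address 172.31.14.254 and sub-interface name are assumptions for this example)
ip route 0.0.0.0 0.0.0.0 172.31.14.254
!
! Match only replies from the published services; a deny here means "route normally",
! so replies to internal clients (assumed 172.31.0.0/16) keep using the ordinary routing table.
ip access-list extended WEB-RETURN
 deny   tcp host 172.31.33.3 eq 80  172.31.0.0 0.0.255.255
 deny   tcp host 172.31.33.3 eq 443 172.31.0.0 0.0.255.255
 permit tcp host 172.31.33.3 eq 80  any
 permit tcp host 172.31.33.3 eq 443 any
!
route-map VIA-ADSL permit 10
 match ip address WEB-RETURN
 set ip next-hop 172.31.14.248
!
interface FastEthernet0/0.33
 ip address 172.31.33.1 255.255.255.0
 ip policy route-map VIA-ADSL
```

Verify from the ADSL router with 'debug ip nat' and 'show ip nat translations' as above, and on the LAN router with 'show route-map VIA-ADSL' (the policy-routing match counters increase as replies leave). One caveat before this goes into production: the 'permit ip any any' left on the dialer interface for testing should be replaced with an ACL that admits only TCP 80 and 443 to the public address (plus whatever the overload translation needs for return traffic), and on IOS an inbound ACL on the outside interface is evaluated before the translation, so it must reference the public address (1.2.3.4 in the thread's example), not 172.31.33.3.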