cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2918
Views
0
Helpful
24
Replies
Highlighted
Beginner

Cisco 877 NAT, what am I missing?

Hello,

I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.

I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.

The router can also ping/telnet to the port on the webserver that I need, so the path is in place.

Essentially the nat rules are:

ip nat inside source static tcp 172.31.33.3 80 dialer0 80

ip nat inside source static tcp 172.31.33.3 443 dialer0 443

I have also tried using the actual external Ip address in place of 'dialer0' but to no avail.

I can see the actual nat translations appear in 'show ipnat translations.'

The default gateway for 172.31.33.3 is actually the router, 172.31.33.2, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip 172.31.33.2).

Is there something I am missing? How best to debug this, are there NAT debug command (I couldn't see any).

24 REPLIES 24
Highlighted

The VPN will go on the ADSL router (the one with the NAT rule).

We do want a default route on the LAN router, but we want it to be to our production ASA (which has our links to other sites and our main internet feed). That's why I was saying you have a NAT rule on a dummy IP on the LAN router, so that you can follow the same path out as it comes in (is that possible).

Can you please explain how that route would work (you put it on the LAN router I assume?) Wouldn't that just cause a routing problem as it would send packets destined to for 172.31.33.3 to the wrong router?

Highlighted

Yes for both static and default routes on LAN change 172.31.14.248 to match the ip of ASA and then ASA will forward it.

Highlighted

Sorry I'm not exactly sure what you mean. Are you saying set the default route of the LAN router to be to the ASA, and then put a route in the ASA like this:

172.31.33.3 255.255.255.255 172.31.14.248.

So this would mean the full path would be:

Client-->Internet-->ADSL Router-->Lan Router-->Web Server-->Lan Router-->ASA-->Lan Router-->ADSL Router-->Internet-->Client

Or do you mean something completely different?

Highlighted

There are 2 options you can go from client to server

1. client -->internet-->adsl-->lan-->webserver  -this is like my topology

2. client -->internet-->adsl-->asa-->lan-->webserver  -if you need to use the ASA and is between lan and adsl you need to configure it accordingly.

Highlighted

Hmmm. I can see how they are both done, but I was hoping more along the lines of having the default route for the LAN be to the ASA, but traffic coming in via the ADSL natting to the webserver then going back out via the ADSL and not going to the ASA.

Would my double NAT idea work do you think?

Highlighted

Only for server access you can use

client -->internet -->adsl -->lan -->webserver

for all other traffic

clients -->internet -->adsl -->asa -->lan --pc

Highlighted

I'm not entirely sure what you mean by that...

Just to clarify I don't want the traffic coming in the ADSL to go to the ASA, I just want the default route to that.

Traffic going to the webserver from the ADSL I want to path out the way it came in.

Highlighted

Thats what I meant. Your traffic for default route goes to ASA, and all traffic coming to webserver goes directly to it without asa.

on LAN router you will have

ip route 0.0.0.0 0.0.0.0 ASA ip

ip route 172.13.33.3 255.255.255.0 ADSL ip

on ADSL you will have

you have acl to permit traffic for webserver going out the interface connected to LAN router.

and other acl to direct all other traffic to ASA.

Highlighted

I added the route on the lan router as follows:

ip route 172.31.33.3 255.255.255.255

But it had no effect. The 172.31.33.3/24 subnet is locally connected to the LAN router so wouldn't that take precedence?

Besides, correct me if I'm wrong, but the problem is outbound, I think it reaches the webserver fine but then when the packet goes back out it goes back out the wrong way. As such I need to change the outbound destination packet.

Can I write an outside NAT rule somehow to modify the source IP on the inbound packet to be the outside local address (ie the ADSL IP) rather than the outside global address? Then a simple route of 255.255.255.255 would fix that.

Highlighted
Beginner

This might be stupid question but you have 'ip nat inside' and 'ip nat outside' on your interface right?

Content for Community-Ad