NAT to internet works - to DMZ fails - WHY?

jerry.roy
Level 1

Can anyone tell me why NAT to my DMZ fails?

interface FastEthernet0
 ip address xx.100.97.194 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface Vlan2
 ip address xx.145.181.66 255.255.255.224
 ip nat outside
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 description $ETH-SW-LAUNCH$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 xx.100.97.193
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source list 2 interface Vlan2 overload
ip nat inside source static tcp 192.168.1.3 1220 xx.145.181.66 1220 extendable
ip nat inside source static tcp 192.168.1.7 4599 xx.145.181.66 4599 extendable
ip nat inside source static tcp 192.168.1.3 6401 xx.145.181.66 6401 extendable
ip nat inside source static tcp 192.168.1.3 10000 xx.45.181.66 10000 extendable
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255

Thanks,

Jerry

5 Replies

lgijssel
Level 9

Hello Jerry,

The question WHY it does not work should probably be answered by someone who is deeply involved in IOS programming. It is obvious what you want to achieve, but your setup will not work.

Instead, this issue should be solved using route-maps. I found the following URL on the forum searching for the keywords "nat" and "conditional":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml

You might need to make your own adjustments but this is how it should be done.

Regards,

Leo

dnewell24
Level 1

Network 192.168.1.0 is going with the first NAT inside statement, which is...

ip nat inside source list 1 interface FastEthernet0 overload

Access list 1 permits network 192.168.1.0, so the second NAT inside statement would never be used.

If you were to switch these statements around you would get the reverse effect.

I'm unable to try this in a lab environment, but you could try using an extended access-list with this.

Example

ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source list 102 interface Vlan2 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 xx.145.181.66 0.0.0.31
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 xx.145.181.66 0.0.0.31

Let us know if it works!!
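Editor's added example for the two replies above (Leo's route-map suggestion and the ordering problem with overlapping access lists): the conditional-NAT pattern from the linked Cisco tech note applied to Jerry's topology. This is not code from either reply; the ACL and route-map names NAT-LAN, RM-TO-INTERNET and RM-TO-DMZ are assumed, and it assumes FastEthernet0 should keep carrying Internet traffic while LAN hosts appear to the DMZ as the Vlan2 address.

```cisco
! Added example (not from the thread): conditional NAT with route maps.
! The translation is picked by the egress interface the routing table
! chooses ("match interface"), so one inside ACL can feed two outside
! addresses without the first-match problem of list 1 / list 2.
! Names NAT-LAN, RM-TO-INTERNET and RM-TO-DMZ are assumed.
!
! Interface roles stay as in the original config.
interface FastEthernet0
 ip nat outside
!
interface Vlan2
 ip nat outside
!
interface Vlan3
 ip nat inside
!
! One ACL describes the inside hosts; the route maps decide which
! outside address they are translated to.
ip access-list extended NAT-LAN
 permit ip 192.168.1.0 0.0.0.255 any
!
! Packets the routing table sends out FastEthernet0 (the default route)
! are overloaded onto the FastEthernet0 address.
route-map RM-TO-INTERNET permit 10
 match ip address NAT-LAN
 match interface FastEthernet0
!
! Packets routed out Vlan2 (the directly connected DMZ subnet) are
! overloaded onto the Vlan2 address instead.
route-map RM-TO-DMZ permit 10
 match ip address NAT-LAN
 match interface Vlan2
!
! Replace the two overlapping "source list" statements with the
! route-map versions.
no ip nat inside source list 1 interface FastEthernet0 overload
no ip nat inside source list 2 interface Vlan2 overload
ip nat inside source route-map RM-TO-INTERNET interface FastEthernet0 overload
ip nat inside source route-map RM-TO-DMZ interface Vlan2 overload
```

IOS refuses to remove a dynamic mapping while translations are active, so run "clear ip nat translation *" before the "no ip nat inside source list" lines, and check the result afterwards with "show ip nat translations" while a LAN host talks to a DMZ host and to the Internet.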

Nope, doesn't work. Users on the LAN can get to the DMZ only after I have pinged a host on the DMZ and populated the ARP cache on the Cisco. I tested with an end user today and they could not ping anything, and I proceeded to ping each host on the DMZ one by one; after I did this they were able to reach the hosts. I expect as soon as the ARP cache times out or a reboot happens, it would fail.

Can anyone make this work in my environment? I am totally confused on local and global definitions for NAT. Do I have to assign additional space to make this work?

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml#routemap

Where did you ping from?

What configuration does this work with?

I pinged from the router itself to populate the ARP cache. An end user on the LAN (192.168.1.0/24) was only able to reach hosts after I pinged the host first from the 1711 router. I have decided to change my direction and NAT to the internet and route to the DMZ, and now THIS doesn't even work. Can you see a problem with this config?

version 12.3
no parser cache
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname LFL-1711-LAN
!
boot-start-marker
boot system flash c1700-k9o3sy7-mz.123-7.T.bin
boot-end-marker
!
logging buffered 51200 warnings
!
username admin password 1234
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login ssh local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name forless.com
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool 192.168.1.0/24
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name forless.com
 dns-server 63.147.112.162 204.8.143.122 63.145.181.67 63.145.181.77
!
!
ip cef
ip audit po max-events 100
no vlan accounting
no ftp-server write-enable
!
!
!
!
!
no crypto isakmp enable
!
!
!
interface FastEthernet0
 ip address 67.100.97.194 255.255.255.248
 ip access-group Wan_2_Local in
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet2
 switchport access vlan 2
 no ip address
 no cdp enable
!
interface FastEthernet3
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface FastEthernet4
 switchport access vlan 3
 no ip address
 no cdp enable
!
interface Vlan2
 ip address 63.145.181.66 255.255.255.224
!
interface Vlan3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 description $ETH-SW-LAUNCH$
 no ip address
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.100.97.193
ip route 10.10.0.64 255.255.255.224 63.145.181.65
ip route 10.10.10.64 255.255.255.224 63.145.181.65
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0 overload
!
!
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
