11-23-2007 02:49 AM - edited 03-05-2019 07:35 PM
Hello,
I have a problem with bidirectional NAT on Cisco IOS routers.
I need to translate the following telnet session via NAT:
The client is on the outside interface:
Client 172.16.186.100 => Telnet 172.16.186.11 (2501) => Cisco 1721 (fasteth0.1) => Static translate to 172.16.187.12 (23)=> Dynamic translate Source ip (192.168.253.201 - 1st) => on inside nat side (192.168.253.201 - 172.16.187.12 (23) => to system.
The NAT translation seems to work, but my session is not working:
*Mar 1 01:38:08.937: NAT: TCP s=58560, d=2501->23
*Mar 1 01:38:08.937: NAT: s=172.16.186.100->192.168.253.201, d=172.16.186.11 [4888]
*Mar 1 01:38:08.937: NAT: s=192.168.253.201, d=172.16.186.11->172.16.187.12 [4888]
*Mar 1 01:38:08.937: NAT: installing alias for address 192.168.253.201
*Mar 1 01:38:11.922: NAT: o: tcp (172.16.186.100, 58560) -> (172.16.186.11, 2501) [4889]
The following packets are seen on the NAT router:
Mar 1 01:40:18.501: NAT: o: tcp (172.16.186.100, 58581) -> (172.16.186.11, 2501) [4951]
*Mar 1 01:40:18.501: NAT: TCP s=58581, d=2501->23
*Mar 1 01:40:18.501: NAT: s=172.16.186.100->192.168.253.201, d=172.16.186.11 [4951]
*Mar 1 01:40:18.501: NAT: s=192.168.253.201, d=172.16.186.11->172.16.187.12 [4951]
*Mar 1 01:40:18.505: IP: tableid=0, s=192.168.253.201 (Ethernet0/1), d=172.16.187.12 (Ethernet0/0), routed via FIB
*Mar 1 01:40:18.505: IP: s=192.168.253.201 (Ethernet0/1), d=172.16.187.12 (Ethernet0/0), g=192.168.253.254, len 48, forward
*Mar 1 01:40:18.505: TCP src=58581, dst=23, seq=1575932375, ack=0, win=8192 SYNall
Translating "unall"...domain server (255.255.255.255)
*Mar 1 01:40:18.513: IP: tableid=0, s=172.16.187.12 (Ethernet0/0), d=192.168.253.201 (Ethernet0/0), routed via RIB
*Mar 1 01:40:18.517: IP: s=172.16.187.12 (Ethernet0/0), d=192.168.253.201 (Ethernet0/0), len 44, rcvd 3
*Mar 1 01:40:18.517: TCP src=23, dst=58581, seq=42810732, ack=1575932376, win=4128 ACK SYN
*Mar 1 01:40:18.517: IP: tableid=0, s=192.168.253.201 (local), d=172.16.187.12 (Ethernet0/0), routed via FIB
*Mar 1 01:40:18.517: IP: s=192.168.253.201 (local), d=172.16.187.12 (Ethernet0/0), len 40, sending
*Mar 1 01:40:18.521: TCP src=58581, dst=23, seq=1575932376, ack=0, win=0 RST
When I remove the line:
ip nat outside source list 100 pool Inside-Nat
everything is working ok. I need the source address translation on the inside interface.
Does anybody have an idea what's going wrong?
Thx.
Janwillem Varossieau
The following configuration was tested:
interface Ethernet0/1
 ip address 172.16.186.10 255.255.255.0
 ip nat outside
!
interface Ethernet0/0
 ip address 192.168.253.200 255.255.255.0
 ip nat inside
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.186.3
ip route 172.16.187.0 255.255.255.0 192.168.253.254
ip nat pool Inside-Nat 192.168.253.201 192.168.253.250 netmask 255.255.255.0
ip nat inside source static tcp 172.16.187.12 23 172.16.186.11 2501 extendable
ip nat outside source list 100 pool Inside-Nat
!
!
access-list 4 permit 172.16.187.0 0.0.0.255
access-list 100 permit ip 172.16.186.0 0.0.0.255 host 172.16.187.12
access-list 100 permit ip 172.16.186.0 0.0.0.255 host 172.16.186.11
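A way to read the second debug capture in the post above mechanically, as an added example that is not part of the original post: it pairs each `IP:` line with the `TCP` line that follows and reports any SYN-ACK marked `rcvd` that is then reset from `(local)`. It assumes the usual reading of `debug ip packet` output, where `rcvd` marks a packet the router accepted for itself and `(local)` a packet it originated; the function names are hypothetical.

```python
import re

# Sample taken from the debug output in the post, with timestamps, the
# "tableid" lines and the interleaved console text after "SYN" trimmed.
SAMPLE = """\
IP: s=192.168.253.201 (Ethernet0/1), d=172.16.187.12 (Ethernet0/0), g=192.168.253.254, len 48, forward
TCP src=58581, dst=23, seq=1575932375, ack=0, win=8192 SYN
IP: s=172.16.187.12 (Ethernet0/0), d=192.168.253.201 (Ethernet0/0), len 44, rcvd 3
TCP src=23, dst=58581, seq=42810732, ack=1575932376, win=4128 ACK SYN
IP: s=192.168.253.201 (local), d=172.16.187.12 (Ethernet0/0), len 40, sending
TCP src=58581, dst=23, seq=1575932376, ack=0, win=0 RST
"""

IP_RE = re.compile(r"IP: s=(\S+) \(([^)]+)\), d=(\S+) \(([^)]+)\), "
                   r".*?(forward|sending|rcvd \d+)\s*$")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), .*win=\d+ ([A-Z ]+?)\s*$")

def parse_packets(text):
    """Pair each 'IP:' disposition line with the 'TCP' detail line after it."""
    packets, pending = [], None
    for line in text.splitlines():
        ip, tcp = IP_RE.search(line), TCP_RE.search(line)
        if ip:
            keys = ("src", "src_if", "dst", "dst_if", "action")
            pending = dict(zip(keys, ip.groups()))
        elif tcp and pending:
            pending.update(sport=int(tcp.group(1)), dport=int(tcp.group(2)),
                           flags=set(tcp.group(3).split()))
            packets.append(pending)
            pending = None
    return packets

def find_local_resets(packets):
    """Return (address, port, peer) for each SYN-ACK the router took for
    itself (rcvd) and then answered with a locally generated RST."""
    hits = []
    for i, p in enumerate(packets):
        if p["action"].startswith("rcvd") and {"SYN", "ACK"} <= p["flags"]:
            for q in packets[i + 1:]:
                if (q["src_if"] == "local" and "RST" in q["flags"]
                        and (q["src"], q["sport"], q["dst"])
                        == (p["dst"], p["dport"], p["src"])):
                    hits.append((p["dst"], p["dport"], p["src"]))
                    break
    return hits

if __name__ == "__main__":
    for addr, port, peer in find_local_resets(parse_packets(SAMPLE)):
        print(f"router accepted the SYN-ACK for {addr}:{port} itself and reset {peer}")
```

On the sample it reports 192.168.253.201:58581, the pool address for which the first capture logs "installing alias".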
11-29-2007 09:11 AM
It's not possible to have 2 ISPs terminate on the firewall.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/tsd_products_support_series_home.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800b6e1a.shtml