problems with NAT?!

jurinho123456
Level 1

Hi!

I have a VPN problem with NAT.

Some servers in our network have an external IP address, and they are NATed like:

"ip nat inside source static 172.17.0.66 outside_address_A"

The VPN tunnel is working OK for the stations that don't have an external address,

but from the servers that have an external IP, I can't ping the other side.

From the other side, I can ping our router GW, but there is no reply if I try to ping one of the servers.

I created an access list as follows (which should keep VPN traffic from being NATed):

ip access-list extended NO-NAT
  deny   ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
  permit ip 172.17.0.0 0.0.127.255 any

and still, there is no ping reply.

What's wrong?

Please help....

Here is the router config...

crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
lifetime 8000
crypto isakmp key 6 KEY address PARTNER_GW no-xauth
!
!
crypto ipsec transform-set myset esp-aes esp-md5-hmac
!
crypto ipsec profile vpn
description vpn
set security-association lifetime seconds 2000
set security-association idle-time 2000
set transform-set myset
set pfs group2
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to PARTNER_GW
set peer PARTNER_GW
set security-association lifetime seconds 2000
set transform-set myset
set pfs group2
match address 104


interface FastEthernet0
ip address OUR_GW 255.255.255.240
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
ip address 172.17.0.1 255.255.128.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip nat inside source route-map NO-NAT interface FastEthernet 0 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
ip nat inside source static 172.17.0.66 address_A
ip nat inside source static 172.17.0.55 address_B
ip nat inside source static 172.17.0.65 address_C
ip nat inside source static 172.17.0.67 address_D
ip nat inside source static 172.17.0.69 address_E
ip nat inside source static 172.17.0.60 address_F
ip nat inside source static 172.17.0.10 address_G
ip nat inside source static 172.17.0.56 address_H
!
ip access-list extended NO-NAT
deny   ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
permit ip 172.17.0.0 0.0.127.255 any

access-list 104 remark vpn
access-list 104 remark SDM_ACL Category=4
access-list 104 remark vpn
access-list 104 permit ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
access-list 104 remark vpn
access-list 104 permit ip 172.19.237.0 0.0.0.15 172.17.0.0 0.0.127.255 log
access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip host 172.17.0.10 any
access-list 105 remark vpn
access-list 105 deny   ip 172.19.237.0 0.0.0.15 172.17.0.0 0.0.127.255 log
access-list 105 remark vpn
access-list 105 deny   ip 172.17.0.0 0.0.127.255 172.19.237.0 0.0.0.15 log
access-list 105 permit ip 172.17.0.0 0.0.127.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 105
!
route-map NO-NAT permit 10
match ip address NO-NAT

Thanks for the help!

3 Replies

cadet alain
VIP Alumni

Hi,

ip nat inside source route-map NO-NAT interface FastEthernet 0 overload

It is for hosts in your LAN initiating a connection, not for outside hosts trying to connect to your servers.

ip nat inside source static 172.17.0.66 address_A

You should change these to static PAT, e.g. "ip nat inside source static tcp 172.17.0.66 80 address_A 80" if you want to port-forward HTTP.

Tell us if it works.

Regards.

Alain.

Don't forget to rate helpful posts.

Hello!

If I apply the changes as you said:

"ip nat inside source static 172.17.0.66 address_A"

to

"ip nat inside source static tcp 172.17.0.66 80 address_A 80"

that would be OK if that computer were only a web server... what if it is a web server, a mail server, and a PC (all in one)?

From that computer I need to be able to surf the Internet, to connect to it remotely from home, and also to connect to other computers...

I need full functionality on that station...

Is there a way to include all ports in one step?

Something like "ip nat inside source static tcp 172.17.0.66 21,23,80,22,1053 address_A 21,23,80,22,1053"

or

"ip nat inside source static tcp 172.17.0.66 all address_A all" ?

172.17.0.66 is a development PC, while the other addresses are routed to IBM AS/400 machines (on them I need only a few protocols).

Thanks for the help!

Hi,

is there a way to include all ports in one step?

No you have to do multiple statements, one for each service.

Regards.

Alain.

Don't forget to rate helpful posts.
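The two questions in this thread (why the original poster's NO-NAT route-map does not help the hosts with a static translation, and what a per-service static PAT entry covers) come down to the order in which IOS applies inside-source NAT and the crypto map. The following Python model is an added example and not configuration or code from the thread or from Cisco; it encodes the assumptions that, for an inside-to-outside packet, NAT runs before the crypto ACL is consulted (so ACL 104 sees the translated source), that a static translation is unconditional unless it carries a route-map clause, and that the first matching static entry wins before the dynamic route-map entry is tried. The ACLs are the thread's NO-NAT and 104; the addresses standing in for OUR_GW and address_A and the Internet destination are constructed placeholders, and the SDM_RMAP_1/ACL 105 dynamic entry is left out to keep the model short.

```python
"""Toy model of Cisco IOS ordering inside-source NAT before the crypto map.

Added example, not the thread's configuration. Assumptions modelled:
  * for an inside-to-outside packet, NAT runs first and the crypto ACL then
    sees the translated source address;
  * a static translation is unconditional unless it carries a route-map;
  * the first matching static entry wins, then the dynamic route-map entry.
Addresses standing in for OUR_GW and address_A are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OUR_GW = "198.51.100.1"        # placeholder for the FastEthernet0 address
ADDRESS_A = "198.51.100.2"     # placeholder for address_A
INTERNET_HOST = "203.0.113.9"  # constructed: an ordinary Internet destination


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # IOS wildcard mask: 0 bits must match
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """First matching entry decides; implicit deny at the end, as on IOS."""
    for e in acl:
        if wildcard_match(pkt.src, e.src, e.src_wc) and wildcard_match(pkt.dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    local: str
    glob: str
    proto: Optional[str] = None    # "tcp"/"udp" for static PAT, None = all traffic
    port: Optional[int] = None     # static PAT port
    route_map: Optional[Tuple[AclEntry, ...]] = None  # translate only if this ACL permits


# The thread's NO-NAT ACL: VPN-bound traffic is denied (exempt), everything else NATed.
LAN = ("172.17.0.0", "0.0.127.255")
VPN_NET = ("172.19.237.0", "0.0.0.15")
NO_NAT = [AclEntry("deny", *LAN, *VPN_NET), AclEntry("permit", *LAN, *ANY)]
# The thread's crypto ACL 104, outbound direction only.
ACL_104 = [AclEntry("permit", *LAN, *VPN_NET)]


def translate(pkt: Packet, statics: List[StaticNat], dyn_acl: List[AclEntry]) -> str:
    """Source address the packet carries when it reaches the crypto map."""
    for s in statics:
        if s.local != pkt.src:
            continue
        if s.proto is not None and (s.proto != pkt.proto or s.port != pkt.dport):
            continue  # static PAT entry covers one service only
        if s.route_map is not None and not acl_permits(list(s.route_map), pkt):
            continue  # route-map on the static entry exempts this flow
        return s.glob
    # Dynamic entry: "ip nat inside source route-map NO-NAT interface Fa0 overload"
    return OUR_GW if acl_permits(dyn_acl, pkt) else pkt.src


def egress(pkt: Packet, statics: List[StaticNat]) -> Tuple[str, bool]:
    """Return (source seen by the crypto map, whether ACL 104 selects the tunnel)."""
    new_src = translate(pkt, statics, NO_NAT)
    return new_src, acl_permits(ACL_104, Packet(new_src, pkt.dst, pkt.proto, pkt.dport))


if __name__ == "__main__":
    to_peer = Packet("172.17.0.66", "172.19.237.5")
    plain = [StaticNat("172.17.0.66", ADDRESS_A)]
    print("plain static NAT, ping to peer    :", egress(to_peer, plain))
    exempt = [StaticNat("172.17.0.66", ADDRESS_A, route_map=tuple(NO_NAT))]
    print("static NAT + route-map, to peer   :", egress(to_peer, exempt))
    print("static NAT + route-map, to Internet:", egress(Packet("172.17.0.66", INTERNET_HOST), exempt))
    pat80 = [StaticNat("172.17.0.66", ADDRESS_A, "tcp", 80)]
    print("static PAT tcp/80, ping to peer   :", egress(to_peer, pat80))
```

Run as a script, the first case reproduces the symptom from the original post: the static entry rewrites 172.17.0.66 to address_A before ACL 104 is checked, so the packet no longer matches the crypto ACL and leaves in the clear. A station without a static entry falls through to the NO-NAT route-map, whose deny line leaves the source untranslated and the tunnel is selected. The third and fourth cases show the two ways the model gives the development PC both its public address and the tunnel: a static entry conditioned on the same NO-NAT ACL, or a static PAT entry that only claims TCP/80 so that every other flow (the ping included) falls through to the dynamic entry.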