07-05-2007 07:04 AM - edited 03-05-2019 05:09 PM
Hi,
I'm configuring a 1841 router with 4-port FE WIC card.
Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.
I'm using dynamic NAT for LAN users' access to the Internet and static NAT to connect to internal servers from the external network.
In my test configuration, I cannot connect to the LAN (192.168.0.0/24) from the external network. Dynamic NAT, though, is working fine.
My config follows. Am I missing something? Hope someone can help me.
Thanks in advance.
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
ip address 192.168.0.6 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.18 0.0.0.128
!
07-05-2007 08:22 AM
I guess "ip nat inside source.." needs to be replaced with "ip nat outside source.." since you want to check the packets that are entering inside the network and replace the source ip from 192.168.0.1 with f0/1 interface's ip.
Reason:-
With the inside source CLI the packets are checked when they are going from inside to outside and the source IP is changed, and when a packet is going from outside to inside the destination is changed.
Now the packet's destination address is checked, which can never be 0.1.
HTH,
Radhika
07-05-2007 09:41 AM
Can you use a separate IP for the static NATs instead of the FastEthernet interface and check?
Narayan
07-05-2007 10:12 AM
This will not work. You cannot have the same IP for dynamic NAT and static NAT. You cannot use dynamic NAT and static NAT on the same interface IP. You need some free IPs from the 192.168.2.x range to static NAT your servers to the free addresses so they can be accessed from outside.
Do the following with free IPs.
ip nat inside source static 192.168.0.1 192.168.2.10
ip nat inside source static 192.168.0.5 5900 192.168.2.11 5900
This should work for you ..
HTH, please rate if it does.
-amit singh
07-06-2007 12:47 AM
Hi
I can't see anything wrong with this config. Sorry to ask the obvious, but when you try to connect to the internal LAN server, i.e. 192.168.0.1, you are telnetting to 192.168.2.2, aren't you?
I set this up in our lab as I wasn't sure whether the static NAT commands would work with the interface rather than the explicit IP, but it all works fine.
Could you go from inside to out and then try connecting to one of your internal servers and post the output of a "sh ip nat translations".
Edit - I used a 2621 router with 12.3(4)T4.
Amit, the attached doc suggests that you can use the same IP address for both dynamic and static translations ( see last example at bottom ).
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
Are you saying it is not supported on later versions ?
HTH
Jon
07-06-2007 02:03 AM
Hi,
Thanks for your fast responses.
Amit, I tried natting to free IP from 192.168.2.x range with no result.
Jon, when I try to connect to an internal server from network 192.168.2.x, this is the output of sh ip nat translations.
TR13#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 192.168.2.2:23 192.168.0.1:23 192.168.2.65:2695 192.168.2.65:2695
tcp 192.168.2.2:23 192.168.0.1:23 --- ---
tcp 192.168.2.2:5900 192.168.0.5:5900 --- ---
Also, checking debug logs with SDM, I found entries apparently doing the static translations, but no response from the internal servers. After a while, they appear as expired translations:
11:30:50.281 expiring 192.168.2.2 (192.168.0.1) tcp 23 (23)
11:29:50.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20447]
11:29:44.089 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20413]
11:29:41.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20401]
-Albert
07-06-2007 02:59 AM
Albert
It looks to me like your NAT is working. I get similar results in my NAT table.
2600_connect#sh ip nat trans
Pro Inside global Inside local Outside local Outside global
1) icmp 172.16.1.9:4388 10.15.1.2:4388 10.5.1.1:4388 10.5.1.1:4388
2) tcp 172.16.1.9:23 10.15.1.3:23 172.16.1.10:62274 172.16.1.10:62274
3) tcp 172.16.1.9:23 10.15.1.3:23 --- ---
Line 1) is a dynamic translation from inside to outside for ping.
Line 2) is the dynamic entry built when I telnet from outside (172.16.1.10)
to 172.16.1.9 (which gets NATted to 10.15.1.3).
Line 3) is the permanent static translation that gets entered from the
config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23".
Relevant Router config
======================
interface FastEthernet0/0
description Connection to CR02
ip address 10.15.1.1 255.255.255.240
ip nat inside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
!
interface FastEthernet0/1
description Connection to P1
ip address 172.16.1.9 255.255.255.248
ip nat outside
ip pim dense-mode
no ip route-cache
speed 100
full-duplex
!
router eigrp 20
redistribute connected
redistribute static
network 10.0.0.0
network 172.16.0.0
no auto-summary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
ip classless
access-list 1 permit 10.15.1.0 0.0.0.15
=====================
Are you sure it is a natting problem ?
Jon
07-06-2007 05:40 AM
I think so. Telnet and other services are working OK when accessed from local network.
I checked the proposed configurations with different IPs for static NAT. I also tried it using only FE interfaces 0/0 and 0/1, just in case it was a problem of the added switch card. Nothing works.
Any other idea?
07-07-2007 09:28 AM
Sorry, I did not check the source IP addresses in the NAT CLI previously. I thought you were using some outside address which needs to be converted into an inside address.
Can you turn on the debug commands and check if everything is working fine?
Maybe try adding
ip nat inside source static 192.168.0.1 int fastethernet.. overload
and turn on the debug ip icmp and debug ip nat commands, then ping the internal network and see how the packets are sent.
Also, can you check if there is an internal router with IP 192.168.0.1?
[When I was configuring my internal device with a different IP by mistake, I was not able to telnet to the device.]
Thanks,
Radhika
07-19-2007 04:29 AM
Hi,
Finally, the problem was not in the router, but in the internal servers I was using for tests. They did not have the internal router IP configured as their default gateway, so there was no response to the router. With the correct gateway configuration, NAT is working OK.
Thanks Radhika, Jon and the others for your advice and suggestions.
Albert
07-07-2007 10:19 AM
Hi Albert
In addition to Radhika's suggestions, what OS does the server run? If Windows, you could use Ethereal/Wireshark or the Windows Netmon too. If Linux, tcpdump; Solaris, snoop; etc.
All of the above are packet capture tools. If you could start one up on the server you might be able to see if packets are actually coming from the router after being natted.
Jon
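The pattern that finally explained this thread (inbound translations created, no return traffic, translations expiring) can be spotted directly in "debug ip nat" output. This added example is not from any participant; it parses Albert's posted debug lines plus constructed lines for a healthy flow, and flags flows where the router rewrites inbound destinations but never sees the inside host answer, which points at the host (default gateway, firewall, service down) rather than at the NAT rules.

```python
"""Flag one-way NAT flows in 'debug ip nat' output (added example)."""
import re
from collections import defaultdict

# Inbound line: 'NAT: s=A,d=B->C [id]'  (destination rewritten to inside local)
# Return line:  'NAT*: s=C->B, d=A [id]' (source rewritten back to inside global)
NAT_RE = re.compile(
    r"s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?,\s*"
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))?\s*\[(?P<id>\d+)\]"
)

# Constructed sample: the three lines Albert posted (inbound to 192.168.0.1,
# never answered) and a constructed healthy VNC flow to 192.168.0.5.
SAMPLE = [
    "11:29:41.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20401]",
    "11:29:44.089 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20413]",
    "11:29:50.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20447]",
    "11:31:02.010 NAT: s=192.168.2.65, d=192.168.2.2->192.168.0.5 [31001]",
    "11:31:02.014 NAT*: s=192.168.0.5->192.168.2.2, d=192.168.2.65 [7733]",
]


def parse_nat_debug(lines):
    """Count translations per (outside host, inside host) in each direction."""
    flows = defaultdict(lambda: {"in": 0, "out": 0})
    for line in lines:
        m = NAT_RE.search(line)
        if not m:
            continue  # not a NAT debug line (timestamps, expiry notices, ...)
        if m["d_new"]:
            # Outside -> inside: destination rewritten to the inside local address.
            flows[(m["s"], m["d_new"])]["in"] += 1
        elif m["s_new"]:
            # Inside -> outside: source rewritten to the inside global address.
            flows[(m["d"], m["s"])]["out"] += 1
    return dict(flows)


def one_way_flows(lines):
    """Flows with inbound translations but no reply through the router.

    The router is doing its part; the inside host is not sending anything back
    via the NAT router (missing default gateway in this thread's case)."""
    return sorted(k for k, c in parse_nat_debug(lines).items()
                  if c["in"] > 0 and c["out"] == 0)


if __name__ == "__main__":
    for outside, inside in one_way_flows(SAMPLE):
        print(f"no reply from {inside} to {outside}: check host gateway/firewall")
```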