Velocity Reviews - Computer Hardware Reviews

1801 - PAT + NAT = NAT not working how I thought it should

 
 
Steven Carr
      10-20-2007
OK the gist is:

3 vlans:
- VLAN1 Management
- VLAN2 Public IP space (82.71.110.224/28)
- VLAN3 Private IP space (172.16.0.0/24)

The router obtains its external IP via DHCP from the ISP - the address
it gets is 82.71.110.238 - this is also the same address as the gateway
for VLAN2 (I was informed this is the correct way to configure that
part, and that bit is working). VLAN3 is set as the inside NAT interface
and the outside NAT interface is set as Dialer0.

The clients in VLAN3 cannot "talk" to VLAN2 and vice versa but the IP
helper is working and DHCP is being dished out fine from VLAN2 -> VLAN3.

It's probably something to do with the firewall rules I have in place.
I've included my config below; can anyone see where I'm going wrong? And
if there is anything that I am seriously missing, can you point me in the
right direction?

Also what is the significance of the line:
> permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023

Without this DNS would not work - even though I have a permit statement
for the 2 DNS servers further down in the config.

Thanks in advance

Ste

----------

no service pad
no ip domain-lookup
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname net-gw
!
ip name-server 212.23.3.100
ip name-server 212.23.6.100
ip domain name dunelm.gpf.me.uk
!
ip cef
ip flow-top-talkers
top 10
sort-by bytes
!
clock timezone GMT 0
ntp server 82.71.110.226
!
boot-start-marker
boot-end-marker
!
enable password 0 xxxxxxxx
username admin privilege 15 password 0 xxxxxxxx
!
logging 82.71.110.228
archive
log config
logging enable
logging size 500
notify syslog
hidekeys
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
no ip route-cache
shutdown
!
interface FastEthernet1
spanning-tree portfast
description trunk link to loft-sw01 fa0/24 (vlan 2)
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,2,1002-1005
switchport mode trunk
duplex auto
speed auto
!
interface FastEthernet2
spanning-tree portfast
description trunk link to loft-sw01 fa0/23 (vlan 3)
switchport trunk encapsulation dot1q
switchport trunk native vlan 1
switchport trunk allowed vlan 1,3,1002-1005
switchport mode trunk
duplex auto
speed auto
!
interface FastEthernet3
spanning-tree portfast
shutdown
duplex auto
speed auto
!
interface FastEthernet4
spanning-tree portfast
shutdown
duplex auto
speed auto
!
interface FastEthernet5
spanning-tree portfast
shutdown
duplex auto
speed auto
!
interface FastEthernet6
spanning-tree portfast
shutdown
duplex auto
speed auto
!
interface FastEthernet7
spanning-tree portfast
switchport mode access
switchport access vlan 1
duplex auto
speed auto
!
interface FastEthernet8
spanning-tree portfast
description link to wireless ap
switchport mode access
switchport access vlan 3
duplex auto
speed auto
!
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no ip route-cache
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Vlan1
description Management VLAN
ip address 192.168.255.1 255.255.255.0
!
interface Vlan2
description Public VLAN
ip address 82.71.110.238 255.255.255.240
!
interface Vlan3
description Private VLAN
ip address 172.16.0.1 255.255.255.0
ip helper-address 82.71.110.226
ip helper-address 82.71.110.228
ip nat inside
!
interface Dialer0
description outside world
ip address negotiated
ip nat outside
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip mask-reply
ip access-group inbound_firewall in
ip access-group outbound_firewall out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxx
ppp chap password 0 xxxxxxx
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 Dialer0
dialer-list 1 protocol ip permit
access-list 1 permit 172.16.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
!
no ip access-list extended inbound_firewall
ip access-list extended inbound_firewall
!
! filter out the crud
remark deny own range
deny ip 82.71.110.224 0.0.0.15 any
remark deny spoof addresses
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
remark deny non-routables
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark icmp traffic
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
remark allow established
permit tcp any 82.71.110.224 0.0.0.15 established
permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
!
! hosts
remark cookiemonster.dunelm.gpf.me.uk
remark ssh
permit tcp any host 82.71.110.226 eq 22
remark mail
permit tcp any host 82.71.110.226 eq 25
permit tcp any host 82.71.110.226 eq 465
remark dns
permit tcp any host 82.71.110.226 eq 53
permit udp any host 82.71.110.226 eq 53
remark www
permit tcp any host 82.71.110.226 eq 80
permit tcp any host 82.71.110.226 eq 443
!
remark barkley.dunelm.gpf.me.uk
remark ssh
permit tcp any host 82.71.110.228 eq 22
remark mail
permit tcp any host 82.71.110.228 eq 25
remark dns
permit tcp any host 82.71.110.228 eq 53
permit udp any host 82.71.110.228 eq 53
remark www
permit tcp any host 82.71.110.228 eq 80
permit tcp any host 82.71.110.228 eq 443
!
!
no ip access-list extended outbound_firewall
ip access-list extended outbound_firewall
!
remark allow own range
permit ip 82.71.110.224 0.0.0.15 any
!
remark block any other traffic
deny ip any any
!
!
no ip http server
no ip http secure-server
!
snmp-server community xxxxxxxx RW
snmp-server community xxxxxxxx RO
snmp-server location Loft Cab
snmp-server contact xxxxxxxx
!
banner login ^

Unauthorised access prohibited - all access and commands are logged.

^
!
line con 0
login local
session-timeout 10
line vty 0 4
login local
session-timeout 10
transport input ssh
!
end



--
Steve Carr
http://gpf.me.uk


Steven Carr
      10-20-2007
I don't mean PAT at all - I mean routed - my brain is shot today....

Steven Carr
      10-20-2007
OK, as it turns out it is actually all working (it was actually a number of
ACLs within BIND preventing recursive lookups from the new private VLAN
addresses, and a misconfiguration in the DHCP scope giving out the wrong
gateway address (doh!)).

But anyway, with regards to my inbound and outbound firewall ACLs, is
there anything that is wrong or that I am missing, and also the question
about that "permit udp" line?

Thanks

Ste

----------

no ip access-list extended inbound_firewall
ip access-list extended inbound_firewall
!
! filter out the crud
remark deny own range
deny ip 82.71.110.224 0.0.0.15 any
remark deny spoof addresses
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 224.0.0.0 31.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
remark deny non-routables
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
remark icmp traffic
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
deny icmp any any
remark allow established
permit tcp any 82.71.110.224 0.0.0.15 established
permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
!
! hosts
remark cookiemonster.dunelm.gpf.me.uk
remark ssh
permit tcp any host 82.71.110.226 eq 22
remark mail
permit tcp any host 82.71.110.226 eq 25
permit tcp any host 82.71.110.226 eq 465
remark dns
permit tcp any host 82.71.110.226 eq 53
permit udp any host 82.71.110.226 eq 53
remark www
permit tcp any host 82.71.110.226 eq 80
permit tcp any host 82.71.110.226 eq 443
!
remark barkley.dunelm.gpf.me.uk
remark ssh
permit tcp any host 82.71.110.228 eq 22
remark mail
permit tcp any host 82.71.110.228 eq 25
remark dns
permit tcp any host 82.71.110.228 eq 53
permit udp any host 82.71.110.228 eq 53
remark www
permit tcp any host 82.71.110.228 eq 80
permit tcp any host 82.71.110.228 eq 443
!
!
no ip access-list extended outbound_firewall
ip access-list extended outbound_firewall
!
remark allow own range
permit ip 82.71.110.224 0.0.0.15 any
!
remark block any other traffic
deny ip any any
!
!

Merv
      10-20-2007

For packets from inside, the router should perform routing first then
NAT, so not sure why packets do not make it to VLAN 2.

Do a debug ip icmp and ping from a host on VLAN 3 to a host on VLAN 2
and see what output is displayed.

Also do a traceroute.

Display translations using sh ip nat translations to see if the
traffic between VLANs is being translated.


 
Steven Carr
      10-20-2007
Merv wrote:
> For packets from inside, the router should perform routing first then
> NAT, so not sure why packets do not make it to VLAN 2.
>
> Do a debug ip icmp and ping from a host on VLAN 3 to a host on VLAN 2
> and see what output is displayed.
>
> Also do a traceroute.
>
>
> Display translations using sh ip nat translations to see if the
> traffic between VLANs is being translated.
>
>


Sorted that, it was a cockup elsewhere with the DHCP+DNS config. Can you
see any problems with the actual firewall rules I have in place (just
from a general security point of view)? Are there any others you can
think of to add, or any that shouldn't be there?

Thanks

Ste

Merv
      10-20-2007

ACLs for security look OK

use enable secret instead of enable password
ditto for username priv password - use username priv secret <>

no logging console ! disable console logging

 
Steven Carr
      10-20-2007
Hi Merv,

Really appreciate all of the help you provide on this newsgroup. Can you
explain what this rule is for and why the 2 rules below it don't seem to
work? If I take the "permit udp any range..." rule out, DNS stops working
completely, but shouldn't the 2 rules for DNS allow it to continue to
work? Just from my looking at it, that rule says that any host can send
UDP packets to ports 1-1023 from any port higher than 1023, which to me
seems like a hole for lots of traffic to potentially get through.

> permit udp any range 1 1023 82.71.110.224 0.0.0.15 gt 1023
> remark dns
> permit tcp any host 82.71.110.226 eq 53
> permit udp any host 82.71.110.226 eq 53


Thanks

Ste


Merv
      10-21-2007

see Cisco doc "Transit Access Control Lists: Filtering at Your Edge"


!--- Permit legitimate business traffic.

access-list 110 permit tcp any 192.168.201.0 0.0.0.255 established
access-list 110 permit udp any range 1 1023 192.168.201.0 0.0.0.255 gt 1023

!--- Explicitly permit externally sourced traffic.
!--- These are incoming DNS queries.

access-list 110 permit udp any gt 1023 host <primary DNS server> eq 53

!--- These are zone transfer DNS queries to primary DNS server.

access-list 110 permit tcp host <secondary DNS server> gt 1023 host <primary DNS server> eq 53

!--- Permit older DNS zone transfers.

access-list 110 permit tcp host <secondary DNS server> eq 53 host <primary DNS server> eq 53

!--- Deny all other DNS traffic.

access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53

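To make the behaviour of the questioned "permit udp any range 1 1023 ... gt 1023" line concrete, here is an added Python model (not from the thread, from Cisco, or from the poster's router) of the UDP-relevant inbound_firewall entries: a DNS reply coming back to cookiemonster from an upstream resolver (source port 53, destination an ephemeral high port) matches only that broad entry, which is why the two "eq 53" entries on their own cannot keep DNS working, while the same entry also admits any UDP datagram from any low source port to any high port in the /28. The NARROW list is an assumed tightening that only works if BIND forwards to the two ISP resolvers named in the router's ip name-server lines; the outside addresses and ports in the sample packets are constructed.

```python
import ipaddress

# Constructed model of the UDP-relevant inbound_firewall entries from the thread.
# Entry: (action, proto, src_net, src_ports, dst_net, dst_ports); a port range is an
# inclusive (low, high) tuple and None means "any port".
ANY = ipaddress.ip_network("0.0.0.0/0")
OWN = ipaddress.ip_network("82.71.110.224/28")      # the public VLAN2 range
COOKIE = ipaddress.ip_network("82.71.110.226/32")   # cookiemonster (runs BIND)
ISP_DNS = [ipaddress.ip_network(a) for a in ("212.23.3.100/32", "212.23.6.100/32")]

def rule(action, proto, src, sports, dst, dports):
    return (action, proto, src, sports, dst, dports)

RETURN_UDP = rule("permit", "udp", ANY, (1, 1023), OWN, (1024, 65535))  # questioned line
ACL_WITH = [
    rule("deny", "ip", OWN, None, ANY, None),             # deny own range (anti-spoof)
    RETURN_UDP,
    rule("permit", "udp", ANY, None, COOKIE, (53, 53)),   # inbound DNS queries only
]
ACL_WITHOUT = [r for r in ACL_WITH if r is not RETURN_UDP]
# Hypothetical tightening (assumes BIND forwards to the two ISP resolvers from the
# router's ip name-server lines): replies only from those hosts and only from port 53.
NARROW = [rule("deny", "ip", OWN, None, ANY, None)] + [
    rule("permit", "udp", srv, (53, 53), OWN, (1024, 65535)) for srv in ISP_DNS
] + [rule("permit", "udp", ANY, None, COOKIE, (53, 53))]

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """First matching entry wins; as on IOS, an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, snet, sports, dnet, dports in acl:
        if p in ("ip", proto) and src in snet and dst in dnet \
                and _port_ok(sports, sport) and _port_ok(dports, dport):
            return action
    return "deny"

# Constructed packets: a reply to a recursive query cookiemonster sent upstream, a query
# from an outside client, and an unrelated UDP datagram sent from a low source port.
PACKETS = {
    "dns reply 212.23.3.100:53 -> 82.71.110.226:33000": ("udp", "212.23.3.100", 53, "82.71.110.226", 33000),
    "dns query 203.0.113.9:40000 -> 82.71.110.226:53": ("udp", "203.0.113.9", 40000, "82.71.110.226", 53),
    "other udp 198.51.100.7:500 -> 82.71.110.230:5000": ("udp", "198.51.100.7", 500, "82.71.110.230", 5000),
}

if __name__ == "__main__":
    for name, acl in (("with line", ACL_WITH), ("without", ACL_WITHOUT), ("narrow", NARROW)):
        for label, pkt in PACKETS.items():
            print(f"{name:10} {label}: {evaluate(acl, *pkt)}")
```

IOS can express the same return-traffic intent statefully with reflexive ACLs (reflect/evaluate) or CBAC (ip inspect), which admit a reply only for a session the inside host actually initiated rather than for every low-to-high UDP port pair.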

 