Cisco 837 NAT not working, what am I doing wrong?

Discussion in 'Cisco' started by Arnoud Helmantel, May 26, 2005.

  1. Hi,

    I have been trying to get my 837 onto the Internet and opening a few
    ports so that the webserver can be reached from the outside world, but
    for some reason no traffic will pass the NAT...

    I can get onto the Internet fine, but no machine can reach the webserver
    on the inside...

    Can someone please take a look at my config and tell me what goes wrong
    here?

    Thanks,

    Arnoud

    PS: I know, it will need some more tuning and closing down, but I want
    to get it running first...


    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname cisco837
    !
    enable password XXXXXXXX
    !
    username XXXXXXXX privilege 15 secret 5 XXXXXXXX
    username XXXXXXXX privilege 15 password 0 XXXXXXXX
    clock timezone Eindhvn 1
    no aaa new-model
    ip subnet-zero
    !
    no ip domain lookup
    ip ips po max-events 100
    no ftp-server write-enable
    !
    bridge irb
    !
    interface Ethernet0
    ip address 10.210.6.249 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    no ip route-cache
    no keepalive
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip route-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0 8/48
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip address negotiated
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication pap callin
    ppp pap sent-username XXXXXXXX password 0 XXXXXXXX
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip route 212.206.95.0 255.255.255.0 10.210.6.254
    !
    ip http server
    ip http secure-server
    !
    ip nat inside source list 101 interface Dialer0 overload
    ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable no-alias
    ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable no-alias
    !
    access-list 101 permit ip any any
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    transport preferred all
    transport output all
    stopbits 1
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    exec-timeout 120 0
    login local
    transport preferred all
    transport input telnet ssh
    transport output none
    !
    scheduler max-task-time 5000
    sntp server 17.254.0.28
    end

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 26, 2005
    #1
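
    The poster notes that this configuration still needs closing down. The check below is an added example, not part of the original post and not a Cisco tool: it flags the weak management and NAT settings in that configuration and prints a tighter line for each. The excerpt is constructed from the posted config; `audit`, `RULES` and the inside network default (taken from Ethernet0's address) are assumptions of this example.

```python
import re

# Constructed excerpt: the security-relevant lines of the configuration posted above.
POSTED_CONFIG = """\
no service password-encryption
enable password XXXXXXXX
username XXXXXXXX privilege 15 secret 5 XXXXXXXX
username XXXXXXXX privilege 15 password 0 XXXXXXXX
ip http server
ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip any any
line vty 0 4
 login local
 transport input telnet ssh
"""

# Hypothetical rule set for this example: (pattern, finding, suggested line).
RULES = [
    (r"no service password-encryption$", "passwords kept in clear text in the config",
     "service password-encryption (type 7 only obscures; prefer 'secret')"),
    (r"enable password\b", "enable password is not stored as a hash",
     "enable secret <password>"),
    (r"username \S+ .*\bpassword 0\b", "privileged local user with a clear-text password",
     "username <name> privilege 15 secret <password>"),
    (r"ip http server$", "router web interface reachable over unencrypted HTTP",
     "no ip http server"),
    (r"transport input .*\btelnet\b", "vty lines accept telnet logins",
     "transport input ssh"),
]

def audit(config, inside_net="10.210.6.0 0.0.0.255"):
    """Return (line_number, finding, suggestion) for each weak setting found."""
    lines = [ln.strip() for ln in config.splitlines()]
    # ACL numbers referenced by 'ip nat inside source list N ...'
    nat_acls = set(re.findall(r"^ip nat inside source list (\d+) ", "\n".join(lines), re.M))
    findings = []
    for no, line in enumerate(lines, 1):
        for pattern, finding, fix in RULES:
            if re.match(pattern, line):
                findings.append((no, finding, fix))
        # 'permit ip any any' matters here only when the ACL selects NAT sources
        m = re.match(r"access-list (\d+) permit ip any any$", line)
        if m and m.group(1) in nat_acls:
            findings.append((no, "NAT overload ACL matches every source address",
                             f"access-list {m.group(1)} permit ip {inside_net} any"))
    return findings

if __name__ == "__main__":
    for no, finding, fix in audit(POSTED_CONFIG):
        print(f"line {no}: {finding} -> {fix}")
```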

  2. Could the "ip http server" command be causing this issue? ie is the
    router attempting to intercept the incoming http request?

    Regards,
    Steve
    www.networking-forum.com
     
    www.networking-forum.com, May 26, 2005
    #2

  3. www.networking-forum.com <> wrote:

    > Could the "ip http server" command be causing this issue? ie is the
    > router attempting to intercept the incoming http request?


    Ah, no, I already turned that off, but I tried it with a lot of
    different inbound ports as well; same problem...

    Arnoud

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 26, 2005
    #3
  4. I do not know too much about Dialer interfaces but it looks OK, and also the
    NAT. I wonder if your ISP knows the public IP that you are assigning
    statically to the webserver with the NAT:

    ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable no-alias
    ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable no-alias

    What I mean is whether your ISP has a route to the ext-ip to your
    router.

    -as
     
    arturo.servin, May 26, 2005
    #4
  5. S W Guest

    "Arnoud Helmantel" <> wrote in message
    news:1gx6shp.1q45ioz1nnqt86N%...
    > Hi,
    >
    > I have been trying to get my 837 onto the Internet and opening a few
    > ports so that the webserver can be reached from the outside world, but
    > for some reason no traffic will pass the NAT...
    >
    > I can get onto the Internet fine, but no machine can reach the webserver
    > on the inside...
    >
    > Can someone please take a look at my config and tell me what goes wrong
    > here?
    >
    > Thanks,
    >
    > Arnoud
    >
    > PS: I know, it will need some more tuning and closing down, but I want
    > to get it running first...
    >
    >
    > version 12.3
    > no service pad
    > service timestamps debug uptime
    > service timestamps log uptime
    > no service password-encryption
    > !
    > hostname cisco837
    > !
    > enable password XXXXXXXX
    > !
    > username XXXXXXXX privilege 15 secret 5 XXXXXXXX
    > username XXXXXXXX privilege 15 password 0 XXXXXXXX
    > clock timezone Eindhvn 1
    > no aaa new-model
    > ip subnet-zero
    > !
    > no ip domain lookup
    > ip ips po max-events 100
    > no ftp-server write-enable
    > !
    > bridge irb
    > !
    > interface Ethernet0
    > ip address 10.210.6.249 255.255.255.0
    > ip nat inside
    > ip virtual-reassembly
    > no ip route-cache
    > no keepalive
    > hold-queue 100 out
    > !
    > interface ATM0
    > no ip address
    > no ip route-cache
    > no atm ilmi-keepalive
    > dsl operating-mode auto
    > pvc 0 8/48
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > !
    > interface FastEthernet1
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet2
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet3
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface FastEthernet4
    > no ip address
    > duplex auto
    > speed auto
    > !
    > interface Dialer0
    > ip address negotiated
    > ip nat outside
    > ip virtual-reassembly
    > encapsulation ppp
    > dialer pool 1
    > dialer-group 1
    > ppp authentication pap callin
    > ppp pap sent-username XXXXXXXX password 0 XXXXXXXX
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    > ip route 212.206.95.0 255.255.255.0 10.210.6.254
    > !
    > ip http server
    > ip http secure-server
    > !
    > ip nat inside source list 101 interface Dialer0 overload
    > ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable no-alias
    > ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable no-alias
    > !
    > access-list 101 permit ip any any
    > dialer-list 1 protocol ip permit
    > !
    > !
    > control-plane
    > !
    > !
    > line con 0
    > exec-timeout 120 0
    > no modem enable
    > transport preferred all
    > transport output all
    > stopbits 1
    > line aux 0
    > transport preferred all
    > transport output all
    > line vty 0 4
    > exec-timeout 120 0
    > login local
    > transport preferred all
    > transport input telnet ssh
    > transport output none
    > !
    > scheduler max-task-time 5000
    > sntp server 17.254.0.28
    > end
    >
    > --
    > Please use my first and last name in the address & remove '.invalid'
    > Use my first and last name in the address, without '.invalid'


    What do you think about using the Web set-up interface (CRWS)? What you want
    to do could be sorted out in a couple of minutes using CRWS! Or is that
    'cheating'?!

    Regards
    SW
     
    S W, May 26, 2005
    #5
  6. S W <> wrote:

    > "Arnoud Helmantel" <> wrote in message
    > news:1gx6shp.1q45ioz1nnqt86N%...
    > > Hi,
    > >
    > > I have been trying to get my 837 onto the Internet and opening a few
    > > ports so that the webserver can be reached from the outside world, but
    > > for some reason no traffic will pass the NAT...
    > >
    > > I can get onto the Internet fine, but no machine can reach the webserver
    > > on the inside...
    > >
    > > Can someone please take a look at my config and tell me what goes wrong
    > > here?
    > >
    > > Thanks,
    > >
    > > Arnoud
    > >
    > > PS: I know, it will need some more tuning and closing down, but I want
    > > to get it running first...
    > >
    > >
    > > version 12.3
    > > no service pad
    > > service timestamps debug uptime
    > > service timestamps log uptime
    > > no service password-encryption
    > > !

    >
    > What do you think about using the Web set-up interface (CRWS)? What you want
    > to do could be sorted out in a couple of minutes using CRWS! Or is that
    > 'cheating'?!
    >
    > Regards
    > SW


    Hah, good idea, but... There is no way I have found that it will run in
    a browser under Mac OS X... It might work with Windows, but alas...

    Arnoud

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 26, 2005
    #6
  7. arturo.servin <> wrote:

    > I do not know too much about Dialer interfaces but it looks OK, and also the
    > NAT. I wonder if your ISP knows the public IP that you are assigning
    > statically to the webserver with the NAT:
    >
    > ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable no-alias
    > ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable no-alias
    >
    > What I mean is whether your ISP has a route to the ext-ip to your
    > router.
    >
    > -as


    I checked, and yes, the IP I set is correct. It is the IP assigned to me
    by my ISP, and it is static.

    Arnoud

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 26, 2005
    #7
  8. S W Guest

    "Arnoud Helmantel" <> wrote in message
    news:1gx713c.1ml9hgjcxaw1sN%

    >> What do you think about using the Web set-up interface (CRWS)? What you
    >> want
    >> to do could be sorted out in a couple of minutes using CRWS! Or is that
    >> 'cheating'?!
    >>
    >> Regards
    >> SW

    >
    > Hah, good idea, but... There is no way I have found that it will run in
    > a browser under Mac OS X... It might work with Windows, but alas...
    >
    > Arnoud


    Ahh! So it's not really much use to you then. I was interested in your
    problem, because I have the opposite problem. I need to do stuff on the 837
    that I can't do using the CRWS (set up an Access control list and also set a
    static route). And I don't know how to do this using CLI.
    I don't think Cisco make it easy to learn the CLI. I've looked on their web
    site, registered, but still I can't find a basic how-to list or a reference
    manual of commands. If you know of one, please let me know!

    Regards
    SW
     
    S W, May 26, 2005
    #8
  9. S W <> wrote:

    > "Arnoud Helmantel" <> wrote in message
    > news:1gx713c.1ml9hgjcxaw1sN%
    >
    > >> What do you think about using the Web set-up interface (CRWS)? What you
    > >> want
    > >> to do could be sorted out in a couple of minutes using CRWS! Or is that
    > >> 'cheating'?!
    > >>
    > >> Regards
    > >> SW

    > >
    > > Hah, good idea, but... There is no way I have found that it will run in
    > > a browser under Mac OS X... It might work with Windows, but alas...
    > >
    > > Arnoud

    >
    > Ahh! So it's not really much use to you then. I was interested in your
    > problem, because I have the opposite problem. I need to do stuff on the 837
    > that I can't do using the CRWS (set up an Access control list and also set a
    > static route). And I don't know how to do this using CLI.
    > I don't think Cisco make it easy to learn the CLI. I've looked on their web
    > site, registered, but still I can't find a basic how-to list or a reference
    > manual of commands. If you know of one, please let me know!
    >
    > Regards
    > SW


    I picked up a copy of "Cisco IOS in a Nutshell" by O'Reilly, and it is
    quite a big help. Sadly a lot of books on Cisco equipment focus on the
    higher-end routers, and only casually mention topics like NAT or setting
    up a 'simple' ADSL router...

    Setting up static routes is an easy part: (from my config)

    ip route 212.206.95.0 255.255.255.0 10.210.6.254

    this sets up: the network 212.206.95.xxx can be reached through router
    10.210.6.254.

    Yes, there is a lot of information on Cisco's site, but finding the part
    you need, in normal, understandable English is quite a task...

    Arnoud

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 27, 2005
    #9
  10. * Arnoud Helmantel <> wrote:
    > ip nat inside source static tcp 10.210.6.1 22 [ext-ip] 22 extendable no-alias
    > ip nat inside source static tcp 10.210.6.1 80 [ext-ip] 80 extendable no-alias


    Try

    ip nat inside source static tcp 10.210.6.1 22 interface Dialer 0 22 ext
    ip nat inside source static tcp 10.210.6.1 80 interface Dialer 0 80 ext


    Christian
     
    Christian Zeng, May 27, 2005
    #10
  11. Guest

    It is a struggle to get started for sure.

    Being a smart ass I tried
    "reference manual of commands" in the cisco
    search but did not get much.

    http://www.cisco.com/en/US/products...configuration_guide_book09186a008007c965.html
    May be a good place to start as a sort of canned intro.

    Search for [command reference 12.3 mainline] leads to:

    http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_command_reference_list.html
    http://www.cisco.com/en/US/products...stallation_and_configuration_guides_list.html


    12.3T (Extra features, may be needed for 837)
    This may be only the additional "T" features or it may be a complete
    guide.
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_command_reference_list.html
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/tsd_products_support_configure.html
     
    , May 27, 2005
    #11
  12. Arnoud Helmantel <> wrote:

    > Hi,
    >
    > I have been trying to get my 837 onto the Internet and opening a few
    > ports so that the webserver can be reached from the outside world, but
    > for some reason no traffic will pass the NAT...
    >
    > I can get onto the Internet fine, but no machine can reach the webserver
    > on the inside...
    >
    > Can someone please take a look at my config and tell me what goes wrong
    > here?
    >
    > Thanks,
    >
    > Arnoud
    >
    > PS: I know, it will need some more tuning and closing down, but I want
    > to get it running first...
    >
    >



    Ok, thanks all for thinking along with me, but... ahem... the config I
    posted worked just fine... oops :)

    If only I had remembered to change the router/gateway address on the
    machine I was trying to reach after I installed the new router <<blush>>
    :-D

    That sure helped a lot...

    Arnoud

    --
    Please use my first and last name in the address & remove '.invalid'
    Use my first and last name in the address, without '.invalid'
     
    Arnoud Helmantel, May 27, 2005
    #12
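
    Why a correct router configuration still failed, as an added example that is not part of the original thread: a port forward only completes if the server's reply goes back through the router that translated the request, and the server picks that path by longest-prefix match on its own routing table. The routing tables and the client address 203.0.113.10 are constructed; that the server's old gateway was 10.210.6.254 is an assumption (the thread only shows that address as a next hop on the router).

```python
import ipaddress

NAT_ROUTER = "10.210.6.249"   # Ethernet0 of the 837, from the posted config
CLIENT = "203.0.113.10"       # constructed external client (documentation range)

# Constructed routing tables for the web server 10.210.6.1: (prefix, gateway).
BEFORE_FIX = [("10.210.6.0/24", "on-link"), ("0.0.0.0/0", "10.210.6.254")]
AFTER_FIX = [("10.210.6.0/24", "on-link"), ("0.0.0.0/0", NAT_ROUTER)]
# Constructed edge case: a leftover specific route still bypasses the NAT router.
LEFTOVER = AFTER_FIX + [("212.206.95.0/24", "10.210.6.254")]

def next_hop(routes, dst):
    """Longest-prefix match: the gateway a host would use to reach dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def check_return_path(routes, nat_router, client):
    """Say whether the server's reply to client returns via the NAT router."""
    gw = next_hop(routes, client)
    if gw is None:
        return "no route: reply is dropped on the server"
    if gw == "on-link":
        return "client is on the local subnet: NAT is not involved"
    if gw != nat_router:
        return f"reply leaves via {gw}, not {nat_router}: the forward never completes"
    return f"reply returns via {nat_router}: OK"

if __name__ == "__main__":
    for name, table, client in [("before fix", BEFORE_FIX, CLIENT),
                                ("after fix", AFTER_FIX, CLIENT),
                                ("leftover route", LEFTOVER, "212.206.95.7")]:
        print(f"{name}: {check_return_path(table, NAT_ROUTER, client)}")
```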
  13. S W Guest

    <> wrote in message
    news:...
    > It is a struggle to get started for sure.
    >
    > Being a smart ass I tried
    > "reference manual of commands" in the cisco
    > search but did not get much.
    >
    > http://www.cisco.com/en/US/products...configuration_guide_book09186a008007c965.html
    > May be a good place to start as a sort of canned intro.
    >
    > Search for [command reference 12.3 mainline] leads to:
    >
    > http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_command_reference_list.html
    > http://www.cisco.com/en/US/products...stallation_and_configuration_guides_list.html
    >
    >
    > 12.3T (Extra features, may be needed for 837)
    > This may be only the additional "T" features or it may be a complete
    > guide.
    > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/prod_command_reference_list.html
    > http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/tsd_products_support_configure.html
    >


    Thanks a lot! I don't know how I missed the first one, but that seems to be
    exactly what I need.

    Regards
    SW
     
    S W, May 28, 2005
    #13
