Cisco NAT by port - challenging question

Discussion in 'Cisco' started by nick.milako, Nov 24, 2009.

  1. nick.milako (Joined: Nov 24, 2009; Messages: 1)

    Hey all,

    My goal is to forward all traffic from an inside LAN that requests port 21 to an external (internet) IP address.

    I've been told to look into policy based routing and NAT, and after about 20 hours of researching and testing, I've learned so much.

    Anyway, I'm trying to test the following simple configuration and I CANNOT get NAT to work for the life of me. Any ideas why not?

    Topology:
    hxxp://imgur.com/eooK3.jpg

    Configuration:
    Router#show ip nat statistics
    Total active translations: 0 (0 static, 0 dynamic; 0 extended)
    Outside interfaces:
    FastEthernet1/0, FastEthernet2/0
    Inside interfaces:
    FastEthernet0/0
    Hits: 28 Misses: 5
    Expired translations: 5
    Dynamic mappings:
    -- Inside Destination
    access-list 111 pool hello refcount 0
    pool hello: netmask 255.255.255.0
    start 5.5.5.0 end 5.5.5.50
    type rotary, total addresses 51, allocated 0 (0%), misses 0

    Summary: C0 is 192.168.2.2, F0/0
    C1 is 192.168.3.2, F1/0
    C2 is 192.168.4.2, F2/0


    Access List
    Router#show access-lists
    Extended IP access list 111
    permit tcp any any


    At this point, I initiate a TCP connection from C0 to C1. The NAT should kick in on interface F0/0 (C0's inside interface), and translate the destination IP from C1 (192.168.3.2) to 5.5.5.0 (from the pool, invalid address but I just want to see it translated). However, NAT does NOTHING, even though the access list was MATCHED. Here's the outcome of NAT debug:

    Router#
    03:20:29: NAT: i: tcp (192.168.2.2, 1081) -> (192.168.3.2, 80) [3471]
    03:20:29: NAT: o: tcp (192.168.3.2, 80) -> (192.168.2.2, 1081) [383]
    03:20:29: NAT: o: tcp (192.168.3.2, 80) -> (192.168.2.2, 1081) [385]
    03:20:29: NAT: i: tcp (192.168.2.2, 1081) -> (192.168.3.2, 80) [3476]

    And when I check access list again, I see that the match was indeed made:
    Router#show access-lists
    Extended IP access list 111
    permit tcp any any (2 matches)


    Why isn't NAT kicking in even while the access-list is being matched? I'm so stumped; I've been stuck here for hours.

    Any help would really be appreciated, thanks so much!

    -Nick
    nick.milako, Nov 24, 2009
    #1
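Added illustration, not part of Nick's post or of any Cisco tool: a small Python checker that parses the two outputs quoted above and compares what the operator wants rewritten with what the configured mapping is able to create. In classic IOS NAT a dynamic "Inside Destination" (rotary pool) mapping creates translations only for packets that arrive on an outside interface, rewriting their destination; packets that arrive on an inside interface (the "i:" lines in the debug, which is exactly the connection attempt from C0) can only use entries that already exist, and here there are none ("Total active translations: 0"). The table of mapping kinds summarises that creation rule; the debug-line layout and the sample text are taken from the post and are embedded here as constructed copies so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed copies of the outputs quoted in the post, trimmed to the lines this
# checker reads. Real input would be pasted straight from the router.
NAT_STATS = """\
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Outside interfaces:
FastEthernet1/0, FastEthernet2/0
Inside interfaces:
FastEthernet0/0
Dynamic mappings:
-- Inside Destination
access-list 111 pool hello refcount 0
pool hello: netmask 255.255.255.0
start 5.5.5.0 end 5.5.5.50
type rotary, total addresses 51, allocated 0 (0%), misses 0
"""

DEBUG_LINES = """\
03:20:29: NAT: i: tcp (192.168.2.2, 1081) -> (192.168.3.2, 80) [3471]
03:20:29: NAT: o: tcp (192.168.3.2, 80) -> (192.168.2.2, 1081) [383]
03:20:29: NAT: o: tcp (192.168.3.2, 80) -> (192.168.2.2, 1081) [385]
03:20:29: NAT: i: tcp (192.168.2.2, 1081) -> (192.168.3.2, 80) [3476]
"""

# For each dynamic mapping kind: on which arrival side (i = inside interface,
# o = outside interface) a NEW translation entry is created, and which address
# it rewrites there. Packets arriving on the other side only match entries that
# already exist; they never create one.
MAPPING_CREATES = {
    "Inside Source":      ("i", "src"),
    "Inside Destination": ("o", "dst"),
    "Outside Source":     ("o", "src"),
}

# Matches the 'debug ip nat' line layout shown in the post (assumed format).
DEBUG_RE = re.compile(
    r"NAT: (?P<side>[io]): (?P<proto>\w+) "
    r"\((?P<src>[\d.]+), (?P<sport>\d+)\) -> \((?P<dst>[\d.]+), (?P<dport>\d+)\)"
)


@dataclass
class NatPacket:
    side: str    # 'i' arrived on an inside interface, 'o' on an outside one
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_debug(text):
    """Parse 'debug ip nat' lines into NatPacket records; unrelated lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if m:
            pkts.append(NatPacket(m["side"], m["proto"], m["src"], int(m["sport"]),
                                  m["dst"], int(m["dport"])))
    return pkts


def parse_stats(text):
    """Pull the active-translation count and the dynamic mappings out of
    'show ip nat statistics'. Returns (active_count, [(kind, acl, pool), ...])."""
    active, mappings, kind = 0, [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Total active translations: (\d+)", line)
        if m:
            active = int(m[1])
        elif line.startswith("-- "):
            kind = line[3:]                      # e.g. "Inside Destination"
        elif kind and line.startswith("access-list"):
            m = re.match(r"access-list (\S+) pool (\S+)", line)
            mappings.append((kind, m[1], m[2]))
    return active, mappings


def diagnose(stats_text, debug_text, want_side, want_field):
    """Compare the desired rewrite (arrival side + address field, e.g. 'i','dst'
    for 'rewrite the destination of inside-originated connections') with what
    each configured mapping can create. Returns a list of human-readable findings."""
    active, mappings = parse_stats(stats_text)
    pkts = parse_debug(debug_text)
    findings = [f"{active} active translations; {len(pkts)} debug packets parsed"]
    for kind, acl, pool in mappings:
        side, field = MAPPING_CREATES[kind]
        creators = sum(1 for p in pkts if p.side == side)
        findings.append(f"{kind} (acl {acl}, pool {pool}) creates entries only from "
                        f"'{side}:' packets, rewriting {field}; {creators} such packets seen")
        if (side, field) != (want_side, want_field):
            findings.append(f"MISMATCH: you want '{want_side}:' packets to have their "
                            f"{want_field} rewritten, which this mapping never does; with "
                            f"{active} existing entries those packets pass untranslated")
    return findings


if __name__ == "__main__":
    for line in diagnose(NAT_STATS, DEBUG_LINES, "i", "dst"):
        print(line)
```

Run as-is it reports the mismatch for the post's scenario: the only mapping is Inside Destination, which creates entries from "o:" packets, while the connection attempt from C0 is seen as "i:" packets. The ACL hit counter going up only shows the packet was evaluated against the list, not that a translation was built.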
