NAT weirdness

Discussion in 'Cisco' started by Mikhael47, Apr 25, 2006.

  1. Mikhael47

    Mikhael47 Guest

    I have a 1811 using NAT to get our internal services out to the
    internet. I have 2 dns servers on the inside of our network that serve
    public queries.

    I have a class c (provided by my ISP) for my outside interface. I have
    the last 11 addresses setup in a pool to allow my workstations to surf
    the net. I have setup static (one to one) mappings for several
    services inside (e-mail, www, DNS).

    My DNS servers are on different class-c networks inside.

                           - Secondary DNS xxx.xxx.216.107
                          /
                     - classC1 xxx.xxx.216.0
                    /
    Internet --1811
                    \
                     - classC2 xxx.xxx.217.0
                      \
                       - Primary DNS xxx.xxx.217.183

    On classC1, I have an external address natted to xxx.xxx.216.107
    (secondary DNS)
    On classC2 I have an external address natted to xxx.xxx.217.183
    (primary DNS)

    As long as I have the NAT statement on classC1 working, DNS works
    properly. If I remove the classC1 static NAT, I can no longer reach the
    primary DNS server. If I try to create an extended NAT translation,
    it fails: I cannot reach the primary or the secondary server.

    If I run debugs on the NAT, I can see that incoming DNS queries are
    going to xxx.xxx.217.183.

    I've pasted a copy of my config (less the un-interesting bits).

    show run
    Building configuration...

    Current configuration : 13392 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname xxxxxxxx
    !
    boot-start-marker
    boot system flash c181x-advipservicesk9-mz.124-4.T1.bin
    boot-end-marker
    !
    logging buffered 8192 debugging
    logging console critical
    enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    no ip source-route
    !
    !
    no ip cef
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name xxxxxxxxxx.com
    ip name-server 198.235.216.131
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    !
    !
    crypto pki trustpoint TP-self-signed-6512184
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-6512184
    revocation-check none
    rsakeypair TP-self-signed-6512184
    !
    !
    crypto pki certificate chain TP-self-signed-6512184
    certificate self-signed 01
    xxxxxxxxxxxxxxxxxxxxxxxxxxx
    quit
    username xxxxxxx privilege 15 secret 5 xxxxxxxx
    username xxxxxxx privilege 15 secret 5 xxxxxxxx
    username xxxxxxx privilege 15 password 7 xxxxxxxx
    !
    !
    !
    crypto isakmp policy 1
    hash md5
    authentication pre-share
    lifetime 14400
    crypto isakmp key xxxxx address xx.xx..xx no-xauth
    crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
    crypto isakmp client configuration address-pool local ourpool
    !
    crypto ipsec security-association lifetime seconds 14400
    !
    crypto ipsec transform-set trans1 esp-des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set trans1
    !
    !
    crypto map intmap client configuration address initiate
    crypto map intmap client configuration address respond
    crypto map intmap 5 ipsec-isakmp
    set peer xx.xx.xx.xx
    set transform-set trans1
    match address 130
    crypto map intmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface FastEthernet0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet1
    description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
    ip address xx.xx.xx.xx 255.255.255.0
    ip access-group 103 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    speed 100
    full-duplex
    no cdp enable
    crypto map intmap
    !
    interface FastEthernet2
    no cdp enable
    !
    interface FastEthernet3
    no cdp enable
    !
    interface FastEthernet4
    no cdp enable
    !
    interface FastEthernet5
    no cdp enable
    !
    interface FastEthernet6
    no cdp enable
    !
    interface FastEthernet7
    no cdp enable
    !
    interface FastEthernet8
    no cdp enable
    !
    interface FastEthernet9
    no cdp enable
    !
    interface Dot11Radio0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    !
    interface Dot11Radio1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
    ip address xx.xx.xx.xx7.185 255.255.255.0 secondary
    ip address xx.xx.xx.xx6.185 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    !
    ip local pool ourpool 10.2.5.1 10.2.5.254
    ip classless
    ip forward-protocol spanning-tree
    ip forward-protocol udp netbios-ss
    ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx.1
    ip route 10.2.3.0 255.255.255.0 xx.xx.xx.xx6.46
    ip route 10.2.4.0 255.255.255.0 xx.xx.xx.xx6.165
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat translation timeout 1440
    ip nat pool ott-tcom-pool xx.xx.xx.xx.244 xx.xx.xx.xx.254 netmask 255.255.255.0
    ip nat inside source route-map nonat pool ott-tcom-pool overload
    ip nat inside source static xx.xx.xx.xx7.183 xx.xx.xx.xx.5
    ip nat inside source static xx.xx.xx.xx6.179 xx.xx.xx.xx.6
    ip nat inside source static xx.xx.xx.xx6.26 xx.xx.xx.xx.7
    ip nat inside source static xx.xx.xx.xx6.17 xx.xx.xx.xx.8
    ip nat inside source static xx.xx.xx.xx6.38 xx.xx.xx.xx.9
    ip nat inside source static xx.xx.xx.xx6.10 xx.xx.xx.xx.10
    ip nat inside source static tcp xx.xx.xx.xx6.43 25 xx.xx.xx.xx.43 25 extendable
    ip nat inside source static tcp xx.xx.xx.xx6.43 53 xx.xx.xx.xx.43 53 extendable
    ip nat inside source static tcp xx.xx.xx.xx6.43 25 xx.xx.xx.xx.43 1525 extendable
    ip nat inside source static xx.xx.xx.xx6.43 xx.xx.xx.xx.43
    ip nat inside source static xx.xx.xx.xx6.64 xx.xx.xx.xx.64
    ip nat inside source static xx.xx.xx.xx6.107 xx.xx.xx.xx.183
    !
    logging trap debugging
    logging xx.xx.xx.xx6.162
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 permit udp host 198.235.216.131 eq domain host xx.xx.xx.xx.4
    access-list 103 permit udp host 67.69.164.98 eq 4000 any
    access-list 103 permit udp host 204.225.163.189 eq non500-isakmp any
    access-list 103 permit udp host 207.236.49.181 eq 10001 any
    access-list 103 permit udp host 209.121.207.198 eq non500-isakmp any
    access-list 103 permit udp host 209.121.207.198 any eq 1031
    access-list 103 permit udp host 209.121.207.198 any eq 1030
    access-list 103 permit udp host 204.225.163.189 any eq 1030
    access-list 103 permit udp host 162.89.0.37 eq 10000 any
    access-list 103 permit tcp any host xx.xx.xx.xx.9 eq www
    access-list 103 permit udp any eq domain any
    access-list 103 permit udp any any eq domain
    access-list 103 permit tcp any any established
    access-list 103 permit tcp any any eq 1723
    access-list 103 permit gre any any
    access-list 103 permit esp any any
    access-list 103 permit ahp any any
    access-list 103 permit tcp any host xx.xx.xx.xx.10 eq smtp
    access-list 103 permit tcp any host xx.xx.xx.xx.10 eq 1525
    access-list 103 permit tcp any host xx.xx.xx.xx.10 eq 443
    access-list 103 permit tcp any host xx.xx.xx.xx.64 eq smtp
    access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 1525
    access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 443
    access-list 103 permit tcp any host xx.xx.xx.xx.64 eq pop3
    access-list 103 permit tcp any host xx.xx.xx.xx.64 eq 143
    access-list 103 permit tcp any host xx.xx.xx.xx.4 eq 22
    access-list 103 permit tcp any host xx.xx.xx.xx.43 eq smtp
    access-list 103 permit tcp any host xx.xx.xx.xx.183 eq domain
    access-list 103 permit udp any host xx.xx.xx.xx.183 eq domain
    access-list 103 permit udp any host xx.xx.xx.xx.5 eq domain
    access-list 103 permit tcp any host xx.xx.xx.xx.5 eq domain
    access-list 103 permit udp any any eq isakmp
    access-list 103 permit udp any eq isakmp any
    access-list 103 permit udp any any eq non500-isakmp
    access-list 103 permit icmp any any echo-reply
    access-list 103 permit icmp any any time-exceeded
    access-list 103 permit icmp any any unreachable
    access-list 103 permit icmp any any
    access-list 103 deny ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny ip host 255.255.255.255 any
    access-list 103 deny ip host 0.0.0.0 any
    access-list 103 deny ip any any log
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 deny ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny ip xx.xx.xx.xx6.0 0.0.0.255 any
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 103 remark auto generated by SDM firewall configuration
    access-list 103 remark SDM_ACL Category=1
    access-list 110 deny ip xx.xx.xx.xx6.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 110 deny ip xx.xx.xx.xx7.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 110 permit ip xx.xx.xx.xx6.0 0.0.0.255 any
    access-list 110 permit ip xx.xx.xx.xx7.0 0.0.0.255 any
    access-list 130 permit ip xx.xx.xx.xx6.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 130 permit ip xx.xx.xx.xx7.0 0.0.0.255 192.168.3.0 0.0.0.255
    no cdp run
    !
    route-map nonat permit 10
    match ip address 110
    !
    !
    !
    !
    control-plane
    Mikhael47, Apr 25, 2006