Term Services Problem using 2500 Router and NAT

Discussion in 'Cisco' started by Kevin M. Saucier, Dec 28, 2003.

  1. Hello All,

    I have seen a bunch of posts of people that have problems setting up
    external access to their internal servers behind a NAT'd router. My
    problem is the opposite. Here is the situation:

    I am connecting from my house via DSL with a static IP going through a
    Cisco 2514 Router to my office going through their VPN setup. I have
    got my access list on the router set up to allow me to authenticate to
    the VPN server and all of the authentication process seems to work
    fine. The problem comes when I try to connect to any of the internal
    servers. I can't ping anything until I add a static mapping to my
    router's NAT access list. That line would be:

    ip nat inside source static 10.1.1.30 x.x.96.135

    10.1.1.30 is my desktop's internal IP.
    x.x.96.135 is my router's public IP.

    Once I add that line, everything works fine and I can go about my day.
    The problem is that I don't like having a static mapping directly
    into my desktop at home.

    I'm somewhat new to setting up NAT and ACLs so any advice is
    appreciated. Since I'm already posting, I'm gonna go ahead and stick
    my ACL below. Any constructive criticism is definitely appreciated.

    ACL assigned to "IN" on the external connection.

    ! The following entry allows pings.
    access-list 110 permit icmp any any
    !
    ! The following entries allow established traffic.
    access-list 110 permit udp any host x.x.96.135 gt 1023
    access-list 110 permit tcp any host x.x.96.135 gt 1023
    access-list 110 permit tcp any any established
    access-list 110 permit tcp any host x.x.96.135 gt 1023 established
    !
    ! The following entries allow SMTP traffic to the internal server.
    access-list 110 permit tcp any host x.x.96.135 eq smtp
    !
    ! The following entries are necessary for Web Traffic.
    access-list 110 permit tcp any host x.x.96.135 eq www
    access-list 110 permit tcp any host x.x.96.135 eq 443
    !
    ! The following entry allows DNS queries to the internal server.
    access-list 110 permit udp any host x.x.96.135 eq domain
    !
    ! The following entry provides Telnet access from Outside.
    access-list 110 permit tcp any host x.x.99.135 eq telnet
    !
    ! The following entries are necessary for VPN Access.
    access-list 110 permit udp any host x.x.99.135 eq 500
    access-list 110 permit udp x.x.206.241 0.0.0.0 any
    access-list 110 permit udp x.x.206.4 0.0.0.0 any
    access-list 110 permit ip x.x.0.0 0.0.255.255 any
    !
    ! The following entries deny RFC1518 IP Requests.
    access-list 110 deny ip 192.168.0.0 0.0.255.255 any
    access-list 110 deny ip 172.16.0.0 0.15.255.255 any
    access-list 110 deny ip 10.0.0.0 0.255.255.255 any
    !
    access-list 110 deny tcp any any log

    END ACL

    I am also posting my NAT static mappings. For some reason, my SMTP
    isn't working properly either. Any ideas are appreciated, again.

    ip nat inside source static tcp 10.1.1.40 80 x.x.96.135 80
    ip nat inside source static tcp 10.1.1.12 25 x.x.96.135 25
    ip nat inside source static tcp 10.1.1.40 53 x.x.96.135 53

    10.1.1.12 - EMail Server
    10.1.1.40 - WWW Server/DNS Server

    Here is the access list that is applied to the NAT Interface:

    access-list 10 deny 10.1.1.40 0.0.0.0
    access-list 10 deny 10.1.1.12 0.0.0.0
    access-list 10 permit 10.1.1.0 0.0.0.255
    ip nat inside source list 10 int e0 overload

    That should do it. As I said, everything seems to be working fine
    with NAT except for 2 things: I can't Term Serv into my office
    through the VPN and SMTP is not getting redirected to the EMail
    Server.

    Thanks in advance for anyone's help,

    Kevin M. Saucier
     
    Kevin M. Saucier, Dec 28, 2003
    #1

  2. PES (Guest), in reply to Kevin M. Saucier

    By IP or hostname? It is possible that you are having an issue with your
    internal DNS server not being able to successfully make requests based on
    the configuration.
    The first two entries of access-list 10 are denying everything from those
    hosts from the NAT overload. This means if packets are sourced from
    10.1.1.40 (but not port 80 or 25) or 10.1.1.12 (but not port 25) they will
    fail. In other words, you will likely be able to access DNS/mail/WWW from
    the internet, but may not allow for certain connections in the other direction
    because outbound connections are typically sourced from <=1024. Also, your
    static translations will always override the overload, so you will not
    create any issues by removing the first two lines of access-list 10.
     
    PES, Dec 28, 2003
    #2
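To make PES's point concrete, here is an added example (not from the thread, and not IOS code) that models how the router picks a translation for an outbound packet: static port translations are consulted first, then the overload list. It uses the static entries and access-list 10 exactly as posted; the "x.x.96.135" string is the placeholder from the post, and the PAT port-reuse logic is deliberately simplified.

```python
# Added example: a small model of IOS NAT translation selection, used to show
# why the two "deny" lines in access-list 10 break outbound connections from
# 10.1.1.40 and 10.1.1.12 while the static port maps still work.
import ipaddress
from typing import Optional, Tuple

PUBLIC = "x.x.96.135"  # placeholder kept as written in the post

# ip nat inside source static tcp <inside> <port> <outside> <port>
STATIC_PORT_MAPS = {("10.1.1.40", 80): (PUBLIC, 80),
                    ("10.1.1.12", 25): (PUBLIC, 25),
                    ("10.1.1.40", 53): (PUBLIC, 53)}

# access-list 10 as posted: (action, network, wildcard mask)
ACL10_POSTED = [("deny", "10.1.1.40", "0.0.0.0"),
                ("deny", "10.1.1.12", "0.0.0.0"),
                ("permit", "10.1.1.0", "0.0.0.255")]
# The same list with the first two entries removed, as PES suggests.
ACL10_FIXED = ACL10_POSTED[2:]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl, addr: str) -> bool:
    """Standard ACL: first matching entry wins, implicit deny at the end."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def translate(src_ip: str, src_port: int, acl) -> Optional[Tuple[str, int]]:
    """Return the outside (ip, port) an outbound packet gets, or None if
    no translation applies (the packet is sent untranslated and fails)."""
    # Static translations are matched before the dynamic overload list.
    if (src_ip, src_port) in STATIC_PORT_MAPS:
        return STATIC_PORT_MAPS[(src_ip, src_port)]
    # Overload (PAT): simplified here to keep the original source port.
    if acl_permits(acl, src_ip):
        return (PUBLIC, src_port)
    return None
```

With the posted list, a DNS query the 10.1.1.40 server itself sends from an ephemeral port gets no translation; with the two deny lines removed it does, and the static port maps are unaffected.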

  3. I am accessing the servers via IP address. I cannot ping the IP
    address at all until I set up the static mapping to my desktop. I
    haven't set up a HOSTS file or DNS to reflect my servers at work, I
    just keep track of the IPs.
    I had read somewhere that it was a good idea to put those lines in,
    but if they aren't necessary then that is one less point of failure
    when troubleshooting. Thanks for the advice.
     
    Kevin M. Saucier, Dec 28, 2003
    #3