Trying to configure NAT/PAT after reading several articles - WHAT am I missing?

Discussion in 'Cisco' started by war_wheelan, Dec 15, 2005.

  1. war_wheelan Guest

    I have read several articles/postings on the use of NAT/PAT, but
    haven't been able to get it to work. I want to set up static NATs and
    use PAT to connect to specific services' IP/port number pairs. I
    need to be able to connect to individual IP/port number pairs and
    IP/multiple port number pairs, i.e. the same IP running multiple
    services.

    Here are the relevant configuration settings:

    interface FastEthernet0/0
    description INTERNET FACING INTERFACE
    ip address 71.125.C.D 255.255.255.0
    ip access-group 151 in
    no ip directed-broadcast
    full-duplex
    no cdp enable
    !
    interface FastEthernet0/1
    description INTERNAL INTERFACE VLAN 10
    ip address 192.168.1.5 255.255.255.0
    ip access-group 111 in
    no ip redirects
    no ip directed-broadcast
    ip nat inside
    no cdp enable
    !
    !
    ip nat inside source list 1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80
    extendable
    !
    ip access-list standard NAT
    permit 192.168.1.0 0.0.0.255
     
    war_wheelan, Dec 15, 2005
    #1

  2. Martin Kayes Guest

    Hi,

    You need to change two parts of this line:
    ip nat inside source list 1 interface FastEthernet0/1 overload
    to be as follows:
    ip nat inside source list NAT interface FastEthernet0/0 overload

    and add the following to int E0/0:
    interface FastEthernet0/0
    ip nat outside


    Regards,

    Martin
     
    Martin Kayes, Dec 15, 2005
    #2

  3. war_wheelan Guest

    Martin,

    I made the changes that you suggested, but I still can't form a socket
    connection to port 80. I am attempting the connection as the PETER_HOME
    entry in access-list 151. Also I can telnet to port 80 from an
    internal box.

    Attached is my router's current configuration.

    CT_Router1#s config
    Using 2052 out of 29688 bytes, uncompressed size = 3851 bytes
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service compress-config
    !
    hostname CT_Router1
    !
    logging buffered 8192 debugging
    aaa new-model
    aaa authentication login default local
    aaa authentication login AUTHEN_CON local
    aaa authentication login AUTHEN_VTY local
    enable secret 5 $1$bTzM$WNJgYiKLjclWl4NHuPbKc1
    !
    username ??? privilege 7 password 7 012726331A3C453B3B151D5940
    username ??? password 7 14463C0F5D55
    clock timezone EDT -5
    clock summer-time EDT recurring
    ip subnet-zero
    no ip source-route
    no ip finger
    no ip domain-lookup
    ip domain-name indii.net
    ip name-server 151.202.0.84
    ip name-server 151.198.0.38
    !
    no ip bootp server
    !
    !
    !
    !
    interface FastEthernet0/0
    description INTERNET FACING INTERFACE
    ip address 71.125.C.D 255.255.255.0
    ip access-group 151 in
    no ip directed-broadcast
    ip nat outside
    full-duplex
    no cdp enable
    !
    interface FastEthernet0/1
    description INTERNAL INTERFACE VLAN 10
    ip address 192.168.1.5 255.255.255.0
    no ip redirects
    no ip directed-broadcast
    ip nat inside
    no cdp enable
    !
    interface Ethernet1/0
    description INDSIDE INTERFACE
    ip address 192.168.30.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip directed-broadcast
    no ip proxy-arp
    ntp disable
    no cdp enable
    !
    ip nat inside source list nat interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80
    extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 71.125.24.D
    no ip http server
    ip http authentication local
    !
    !
    ip access-list standard NAT
    permit 192.168.1.0 0.0.0.255
    access-list 131 permit ip any any
    access-list 131 remark * ICMP rules
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo-reply
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0
    administratively-prohibited
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0 packet-too-big
    access-list 131 permit icmp any 63.251.25.64 0.0.0.31 traceroute
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0 unreachable
    access-list 131 permit icmp any 0.0.0.66 255.255.255.0 time-exceeded
    access-list 131 deny ip any any log-input
    access-list 151 remark * Peter Home
    access-list 151 permit ip host 66.114.C.D any
    access-list 151 remark * GLOBAL INBOUND RULES
    access-list 151 remark * ANTI-SPOOFING RULES
    access-list 151 deny ip host 0.0.0.0 any log-input
    access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 151 deny ip host 255.255.255.255 any log-input
    access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
    access-list 151 remark * ICMP rules
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo-reply
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28
    administratively-prohibited
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 packet-too-big
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 traceroute
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 unreachable
    access-list 151 permit icmp any 71.125.24.66 0.0.0.28 time-exceeded
    access-list 151 remark * Desktop Applet Settings
    access-list 151 permit tcp any host 71.125.24.85 eq www
    access-list 151 permit tcp any host 71.125.24.85 eq 4202
    access-list 151 permit tcp any host 71.125.24.85 eq 6501
    access-list 151 deny ip any any log-input
    no cdp run
    !
    line con 0
    exec-timeout 60 0
    login authentication AUTHEN_CON
    transport input none
    stopbits 1
    line aux 0
    line vty 0 4
    exec-timeout 30 0
    login authentication AUTHEN_VTY
    transport input telnet
    !
    no scheduler allocate
    end
     
    war_wheelan, Dec 15, 2005
    #3
  4. Martin Kayes Guest

    At first glance it looks okay, however in your static statement you have the
    word NAT in lower case rather than upper case; it should be upper case to
    match the name of the access-list. Try this and let me know:

    ip nat inside source list NAT interface FastEthernet0/0 overload

    Regards,

    Martin
     
    Martin Kayes, Dec 15, 2005
    #4
  5. war_wheelan Guest

    I capitalized the word NAT on the 'ip nat inside' command, but still no
    luck. I will try removing access-list 151, but I don't feel that this
    is going to help.

    I will get back to you later.
     
    war_wheelan, Dec 15, 2005
    #5
  6. war_wheelan Guest

    I also removed all access-lists from all interfaces and still couldn't
    connect.

    Does anyone have any ideas?
     
    war_wheelan, Dec 16, 2005
    #6
  7. Martin Kayes Guest

    To do NAT is as simple as setting 'ip nat outside', 'ip nat inside',
    access-list... and the static statement.

    I have never tried using a standard access-list for the NAT rules, I always
    use advanced - maybe that is the last remaining problem, try changing it to
    this instead:

    ip access-list extended NAT
    permit ip 192.168.1.0 0.0.0.255 any

    If that fails to work then go to the conventional access-list format:
    'access-list 100 permit.....'


    Regards,

    Martin
     
    Martin Kayes, Dec 16, 2005
    #7
  8. war_wheelan Guest

    I tried both forms of the access-list (extended and 'access-list 100
    permit') with no luck. I believe that the format of my configuration is
    correct (ip nat inside, ip nat outside, ip nat inside source list 185
    interface FastEthernet0/0 overload, ip nat inside source static tcp
    192.168.1.200 80 71.125.24.D 80 extendable and ip access-list 185
    permit ip 192.168.1.0 0.0.0.255 any) yet it isn't working.

    I don't know where to go from here.
     
    war_wheelan, Dec 16, 2005
    #8
  9. Martin Kayes Guest

    Can you give me the name of your IOS image from the show version output
    please. I will check it for functionality and known bugs.

    Regards,

    Martin
     
    Martin Kayes, Dec 16, 2005
    #9
  10. war_wheelan Guest

    The System image file name is "flash:c2600-i-mz.120-3.T3".

    I really appreciate your efforts. With my limited experience with
    Cisco I probably couldn't resolve this on my own.
     
    war_wheelan, Dec 16, 2005
    #10
  11. war_wheelan Guest

    Martin,

    I set up an access-list on interface fastethernet 0/1 (192.168.1.5)
    allowing port 80 to be forwarded to 192.168.1.200, which is the
    destination of the static NAT. Each time I telnet to the NATed IP the
    number of matches for the access-list increases.

    Any thoughts?
     
    war_wheelan, Dec 18, 2005
    #11
  12. war_wheelan Guest

    Martin,

    I enabled NAT debugging and noticed the following. It looks like I try
    to connect to the proper IP address (71.125.24.85) on port 80, but I
    receive a response from 71.125.24.66.

    Is this the reason why I am unable to connect?

    3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53023]
    3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
    3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
    3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53033]
    3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
    3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
    3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53043]
    3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]
    3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]
     
    war_wheelan, Dec 19, 2005
    #12
  13. Possibly, but probably not in this case.
    Notice that when you create the connection to 71.125.24.85
    port 80, from port 4226, that you get an ICMP back from the other host
    with respect to that outgoing port 4226. This suggests that the other
    end is sending either an ICMP Redirect or an ICMP Network Unavailable;
    ICMP port unavailable is not out of the question but is less unlikely.

    71.125.24.66 and 71.125.24.85 are both within the same network block.

    When I traceroute to 71.125.24.85 I see it looping at 71.125.24.66
    so it seems likely that 71.125.24.66 is a router or firewall.


    Ah, I just dug out some older messages from you. Your problem is that
    you are using the wrong netmask in some of your statements.
    For example, you have

    access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input

    but you don't want 0.0.0.28 as your netmask, because it is a bitmask,
    not a number of IP addresses. Your assigned block goes up to .95 so
    you want 0.0.0.31 as your mask; if you don't want a couple of hosts
    accessed, then either deny traffic to them before the permit, or else
    use netmasks that are based upon powers of 2, such as,

    access-list 151 permit ip 71.125.24.66 0.0.0.1 whatever
    access-list 151 permit ip 71.125.24.68 0.0.0.3 whatever
    access-list 151 permit ip 71.125.24.72 0.0.0.7 whatever
    access-list 151 permit ip 71.125.24.80 0.0.0.15 whatever
     
    Walter Roberson, Dec 19, 2005
    #13
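    Walter's point about wildcard masks, worked through in Python as an added example (not code from anyone in the thread): it checks which addresses a Cisco wildcard entry actually matches, using the thread's own 71.125.24.66 0.0.0.28 entry, and reproduces the power-of-two split of .66 through .95 that he lists.

```python
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matches(base: str, wildcard: str, candidate: str) -> bool:
    """Cisco ACL semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means the candidate must equal the base in that position."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(base) & care) == (_to_int(candidate) & care)


def wildcard_members(base: str, wildcard: str) -> list:
    """Enumerate every address an ACE matches by walking all combinations
    of the don't-care bits (intended for small, host-sized wildcards)."""
    w = _to_int(wildcard)
    fixed = _to_int(base) & ~w & 0xFFFFFFFF
    free_bits = [1 << i for i in range(32) if (w >> i) & 1]
    members = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for i, bit in enumerate(free_bits):
            if (combo >> i) & 1:
                value |= bit
        members.append(str(ipaddress.IPv4Address(value)))
    return sorted(members, key=_to_int)


def range_to_wildcards(first: str, last: str) -> list:
    """Greedy split of an inclusive address range into aligned
    power-of-two blocks, each expressed as (base, wildcard)."""
    lo, hi = _to_int(first), _to_int(last)
    entries = []
    while lo <= hi:
        size = 1
        # grow the block while its start stays aligned and it still fits
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((str(ipaddress.IPv4Address(lo)),
                        str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return entries


if __name__ == "__main__":
    # 0.0.0.28 is a bitmask, not "28 addresses": the ACE only matches
    # eight scattered hosts and never 71.125.24.85.
    print(wildcard_members("71.125.24.66", "0.0.0.28"))
    print(wildcard_matches("71.125.24.66", "0.0.0.28", "71.125.24.85"))
    print(range_to_wildcards("71.125.24.66", "71.125.24.95"))
```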
  14. war_wheelan Guest

    I corrected the routing and netmask problem with my access-list, but I
    still can't connect to IP address 71.125.24.85 on port 80. I have
    three access-lists configured on the router, one for each of the
    interfaces - fa0/0 151 Internet facing, fa0/1 192 internal and NAT 101.
    When I attempt to connect to port 80 on .85 it matches an entry in
    access-list 151, but it doesn't connect.

    Previously I said that a connection attempt to port 80 on .85 matched
    an entry on ACL 192, but I am not able to recreate this behavior.

    HERE IS MY CURRENT INTERFACES AND ACLs FOR REFERENCE
    CT_Router1#s config
    !
    version 12.0
    !
    interface FastEthernet0/0
    description INTERNET FACING INTERFACE
    ip address 71.125.24.66 255.255.255.0
    ip access-group 151 in
    no ip directed-broadcast
    ip nat outside
    full-duplex
    no cdp enable
    !
    interface FastEthernet0/1
    description INTERNAL INTERFACE VLAN 10
    ip address 192.168.1.5 255.255.255.0
    ip access-group 192 in
    no ip redirects
    no ip directed-broadcast
    ip nat inside
    no cdp enable
    !
    !
    ip nat inside source list 101 interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80
    extendable
    ip route 0.0.0.0 0.0.0.0 71.125.24.6
    !
    access-list 101 remark ** DEFINES THE PRIVATE NETWORK FOR NATing **
    access-list 101 permit tcp 192.168.1.0 0.0.0.255 any
    access-list 151 remark ***** FastEthernet 0/0 INBOUND Access-List *****
    access-list 151 remark ** PETER HOME **
    access-list 151 permit ip host 66.114.71.62 any
    access-list 151 remark ** GLOBAL INBOUND RULES **
    access-list 151 remark ** ANTI-SPOOFING RULES **
    access-list 151 deny ip host 0.0.0.0 any log-input
    access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 151 deny ip host 255.255.255.255 any log-input
    access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
    access-list 151 remark ** ICMP RULES **
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo-reply
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31
    administratively-prohibited
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 packet-too-big
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 traceroute
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 unreachable
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 time-exceeded
    access-list 151 remark ** DESKTOP APPLET SETTINGS **
    access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq www
    access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 4202
    access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 6501
    access-list 151 remark ** NETWORK TIME PROTOCOL (NTP) SETTINGS **
    access-list 151 permit udp host 204.34.198.40 eq ntp host 71.125.24.66
    eq ntp
    access-list 151 permit udp host 204.34.198.41 eq ntp host 71.125.24.66
    eq ntp
    access-list 151 deny ip any any log-input
    access-list 192 remark ***** FastEthernet 0/1 OUTBOUND Access-List
    *****
    access-list 192 permit tcp host 192.168.1.200 any eq www
    access-list 192 permit tcp 192.168.1.0 0.0.0.255 any
     
    war_wheelan, Dec 19, 2005
    #14
  15. Not on that line. But that's just anti-spoofing.

    You aren't permitting any icmp there, so ping packets would not be
    allowed out.
     
    Walter Roberson, Dec 19, 2005
    #15
  16. war_wheelan Guest

    Three points -

    One - I documented the current behavior when attempting to connect to
    port 80 on NATed IP .85. I pointed out where the hits were on the ACLs
    so that we might be able to figure out why I haven't been able to
    connect to port 80 on NATed IP .85.

    Two - When you wrote "Not on that line. But that's just anti-spoofing",
    I didn't make any changes that I know of to anti-spoofing??

    Three - The ICMP reference - are you talking about ACL 192?? If so,
    would that affect my primary objective of forming a connection on port
    80 on NATed IP .85 or would it prevent pinging the internal subnet?
    When I ping .85 from the Internet, I do receive ICMP replies, but I do
    acknowledge that I can't ping the router from the internal network or
    the internal network from the router. I will modify the ACL so that I
    do receive replies.
     
    war_wheelan, Dec 20, 2005
    #16
  17. Martin Kayes Guest

    Sorry for the quiet patch from myself. I have been away for a few days.

    I did a bug lookup on your IOS version and it does have some NAT related
    problems including: 'NAT fails if CEF is enabled on the router' - try
    disabling CEF if you don't need it

    Looking at the number of NAT bugs known in IP IOS image 120-3.T3 I would
    give serious thought to upgrading to a newer image.

    Regards,

    Martin
     
    Martin Kayes, Dec 20, 2005
    #17
  18. war_wheelan Guest

    I checked the router and I don't believe that cef is enabled. When in
    'config t' mode, I typed 'no cef' and it didn't exist.

    Also I will upgrade the IOS image in a day or so. I will let you know
    what happens.

    Thanks,
    Peter
     
    war_wheelan, Dec 20, 2005
    #18
  19. When you have an access list applied to an outside interface, and that
    access list blocks [outside] packets whose -source- IP is one of your
    internal addresses, then that is "anti-spoofing". You fixed the netmask
    on all of your anti-spoofing lines except the one I pointed out.
     
    Walter Roberson, Dec 21, 2005
    #19
  20. war_wheelan Guest

    Walter,

    I didn't know what you were talking about until I realized that I
    couldn't ping the router interfaces from the router. I modified the
    external ACL and now I can ping. This modification also helped the NAT
    stuff get further, but it is still not working.

    The reason that I didn't understand your comments was because I was
    focusing on the ACLs for the internal interface and not the external.
    I guess that I got myself confused.

    As for the NAT problem, I have enabled debugging on the ACL and will
    also install a sniffer on the server. With ACL debugging turned on I
    have made some progress or at least understand the problem better.

    Currently, I am trying to upgrade the IOS image to a newer revision. I
    have TFTP working, but when I download the image its size is 64K while
    the original is 3MB.

    More to come.
     
    war_wheelan, Dec 22, 2005
    #20