Trying to configure NAT/PAT after reading several articles - WHAT am I missing?

I have read several articles/postings on the use of NAT/PAT, but
haven't been able to get it to work. I want to setup static NATs and
use PAT to connect to specific services port IP/port number pairs. I
need to be able to connect to individual IP/port number pairs and
IP/Multiple port number pairs i.e. The same IP running muliple
services..

Here are the revelant configuration settings:

interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
ip access-group 111 in
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80
extendable
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255

 

Hi,

You need to change two parts of this line:
ip nat inside source list 1 interface FastEthernet0/1 overload
to be as follows:
ip nat inside source list NAT interface FastEthernet0/0 overload

and add the following to int E0/0:
interface FastEthernet0/0
ip nat outside


Regards,

Martin

 

Martin,

I made the changes that you suggested, but I still can't form a socket
connetion to port 80. I am attempting the connection as the PETER_HOME
entry in access-list 151. Also I can telnet to port 80 from an
internal box.

Attached is my routers current configuration.

CT_Router1#s config
Using 2052 out of 29688 bytes, uncompressed size = 3851 bytes
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname CT_Router1
!
logging buffered 8192 debugging
aaa new-model
aaa authentication login default local
aaa authentication login AUTHEN_CON local
aaa authentication login AUTHEN_VTY local
enable secret 5 $1$bTzM$WNJgYiKLjclWl4NHuPbKc1
!
username ??? privilege 7 password 7 012726331A3C453B3B151D5940
username ??? password 7 14463C0F5D55
clock timezone EDT -5
clock summer-time EDT recurring
ip subnet-zero
no ip source-route
no ip finger
no ip domain-lookup
ip domain-name indii.net
ip name-server 151.202.0.84
ip name-server 151.198.0.38
!
no ip bootp server
!
!
!
!
interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.C.D 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Ethernet1/0
description INDSIDE INTERFACE
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
ntp disable
no cdp enable
!
ip nat inside source list nat interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.D 80
extendable
ip classless
ip route 0.0.0.0 0.0.0.0 71.125.24.D
no ip http server
ip http authentication local
!
!
ip access-list standard NAT
permit 192.168.1.0 0.0.0.255
access-list 131 permit ip any any
access-list 131 remark * ICMP rules
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 echo-reply
access-list 131 permit icmp any 0.0.0.66 255.255.255.0
administratively-prohibited
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 packet-too-big
access-list 131 permit icmp any 63.251.25.64 0.0.0.31 traceroute
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 unreachable
access-list 131 permit icmp any 0.0.0.66 255.255.255.0 time-exceeded
access-list 131 deny ip any any log-input
access-list 151 remark * Peter Home
access-list 151 permit ip host 66.114.C.D any
access-list 151 remark * GLOBAL INBOUND RULES
access-list 151 remark * ANTI-SPOOFING RULES
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark * ICMP rules
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 echo-reply
access-list 151 permit icmp any 71.125.24.66 0.0.0.28
administratively-prohibited
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 packet-too-big
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 traceroute
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 unreachable
access-list 151 permit icmp any 71.125.24.66 0.0.0.28 time-exceeded
access-list 151 remark * Desktop Applet Settings
access-list 151 permit tcp any host 71.125.24.85 eq www
access-list 151 permit tcp any host 71.125.24.85 eq 4202
access-list 151 permit tcp any host 71.125.24.85 eq 6501
access-list 151 deny ip any any log-input
no cdp run
!
line con 0
exec-timeout 60 0
login authentication AUTHEN_CON
transport input none
stopbits 1
line aux 0
line vty 0 4
exec-timeout 30 0
login authentication AUTHEN_VTY
transport input telnet
!
no scheduler allocate
end

 

At first glance it looks okay, however in your static statement you have the
word NAT in lower case rather than upper case; it should be upper case to
match the name of the access-list. Try this and let me know:

ip nat inside source list NAT interface FastEthernet0/0 overload

Regards,

Martin

 

I capitilized the word NAT on the 'ip nat inside' command, but still no
luck. I will try removing access-list 151, but I don't feel that this
is going to help.

I will get back to you later.

 

I also removed all access-list from all interfaces and still couldn't
connect.

Does anyone have any ideas?

 

To do NAT is as simple as setting 'ip nat outside', 'ip nat inside',
access-list... and the static statement.

I have never tried using an Standard access-list for the NAT rules, I always
use advanced - maybe that is the last remaining problem, try changing it to
this instead:

ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any

If that fails to work then go to the conventional access-list format:
'access-list 100 permit.....'


Regards,

Martin

 

I tried both forms of the access-list (extended and access-list 100
permit' with no luck. I believe that the format of my configuraiton is
correct (ip nat inside, ip nat outside, ip nat inside source list 185
interface FastEthernet0/0 overload, ip nat inside source static tcp
192.168.1.200 80 71.125.24.D 80 extendable and ip access-list 185
permit ip 192.168.1.0 0.0.0.255 any) yet it isn't working.

I don't know where to go from here.

 

Can you give me the name of your IOS image from the show version output
please. I will check it for functionality and known bugs.

Regards,

Martin

 

The System image file name is "flash:c2600-i-mz.120-3.T3".

I really appreciate your efforts. With my limited experience with
Cisco I probably couldn't resolve this on my own.

 

Martin,

I setup an access-list on interface fastethernet 0/1 (192.168.1.5)
allowing port 80 to be forwarded to 192.168.1.200 which is the
destination of the static NAT. Each time I telnet to the NATed ip the
number of matches for the access-list increases.

Any thoughts?

 

Martin,

I enabled NAT debugging and noticed the following. I looks like I try
to connect to the proper IP address (71.125.24.85) on port 80, but I
receive a response from 71.125.24.66.

Is this the reason why I am unable to connect?

3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53023]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6679]
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53033]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6680]
3d17h: NAT: o: tcp (66.114.71.62, 4226) -> (71.125.24.85, 80) [53043]
3d17h: NAT: o: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]
3d17h: NAT: i: icmp (71.125.24.66, 80) -> (66.114.71.62, 4226) [6681]

 

Possibly, but probably not in this case.

Notice that when you create the connection to 71.125.24.85
port 80, from port 4226, that you get an ICMP back from the other host
with respect to that outgoing port 4226. This suggests that the other
end is sending either an ICMP Redirect or an ICMP Network Unavailable;
ICMP port unavailable is not out of the question but is less unlikely.

71.125.24.66 and 71.125.24.85 are both within the same network block.

When I traceroute to 71.125.24.85 I see it looping at 71.125.24.66
so it seems likely that 71.125.24.66 is a router or firewall.


Ah, I just dug out some older messages from you. Your problem is that
you are using the wrong netmask in some of your statements.
For example, you have

access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input

but you don't want 0.0.0.28 as your netmask, because it is a bitmask,
not a number of IP addresses. Your assigned block goes up to .95 so
you want 0.0.0.31 as your mask; if you don't want a couple of hosts
accessed, then either deny traffic to them before the permit, or else
use netmasks that are based upon powers of 2, such as,

access-list 151 permit ip 71.125.24.66 0.0.0.1 whatever
access-list 151 permit ip 71.125.24.68 0.0.0.3 whatever
access-list 151 permit ip 71.125.24.72 0.0.0.7 whatever
access-list 151 permit ip 71.125.24.80 0.0.0.15 whatever

 

I corrected the routing and netmask problem with my access-list, but I
still can't connect to IP address 71.125.24.85 on port 80. I have
three access-list configured on the router one for each of the
interfaces - fa0/0 151 Internet facing, fa0/1 192 internal and NAT 101.
When I attempt to connect to port 80 on .85 I matches an entry in
access-list 151, but it doesn't connect.

Previously I said that a connection attempt to port 80 on .85 matched
an entry on ACL 192, but I am not able to recreate this behavior.

HERE IS MY CURRENT INTERFACES AND ACLs FOR REFERENCE
CT_Router1#s config
!
version 12.0
!
interface FastEthernet0/0
description INTERNET FACING INTERFACE
ip address 71.125.24.66 255.255.255.0
ip access-group 151 in
no ip directed-broadcast
ip nat outside
full-duplex
no cdp enable
!
interface FastEthernet0/1
description INTERNAL INTERFACE VLAN 10
ip address 192.168.1.5 255.255.255.0
ip access-group 192 in
no ip redirects
no ip directed-broadcast
ip nat inside
no cdp enable
!
!
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.200 80 71.125.24.85 80
extendable
ip route 0.0.0.0 0.0.0.0 71.125.24.6
!
access-list 101 remark ** DEFINES THE PRIVATE NETWORK FOR NATing **
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any
access-list 151 remark ***** FastEthernet 0/0 INBOUND Access-List *****
access-list 151 remark ** PETER HOME **
access-list 151 permit ip host 66.114.71.62 any
access-list 151 remark ** GLOBAL INBOUND RULES **
access-list 151 remark ** ANTI-SPOOFING RULES **
access-list 151 deny ip host 0.0.0.0 any log-input
access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 151 deny ip host 255.255.255.255 any log-input
access-list 151 deny ip 71.125.24.66 0.0.0.28 any log-input
access-list 151 remark ** ICMP RULES **
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo-reply
access-list 151 permit icmp any 71.125.24.64 0.0.0.31
administratively-prohibited
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 packet-too-big
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 traceroute
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 unreachable
access-list 151 permit icmp any 71.125.24.64 0.0.0.31 time-exceeded
access-list 151 remark ** DESKTOP APPLET SETTINGS **
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq www
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 4202
access-list 151 permit tcp any 71.125.24.64 0.0.0.31 eq 6501
access-list 151 remark ** NETWORK TIME PROTOCOL (NTP) SETTINGS **
access-list 151 permit udp host 204.34.198.40 eq ntp host 71.125.24.66
eq ntp
access-list 151 permit udp host 204.34.198.41 eq ntp host 71.125.24.66
eq ntp
access-list 151 deny ip any any log-input
access-list 192 remark ***** FastEthernet 0/1 OUTBOUND Access-List
*****
access-list 192 permit tcp host 192.168.1.200 any eq www
access-list 192 permit tcp 192.168.1.0 0.0.0.255 any

 

Not on that line. But that's just anti-spoofing.

You aren't permitting any icmp there, so ping packets would not be
allowed out.

 

Three points -

One - I documented the current behavior when attempting to connect to
port 80 on NATed IP .85. I pointed out where the hits were on the ACLs
so that we might be able to figure out why I haven't been able to
connect to port 80 on NATed IP .85.

Two - When you wrote "Not on that line. But that's just anti-spoofing",
I didn't make any changses that I know of to anti-spoofing??

Three - The ICMP reference - are you talking about ACL 192?? If so,
would that affect my primary objective of forming a connection on port
80 on NATed IP .85 or would it prevent pinging the internal subnet?
When I ping .85 from the Internet, I do recevie ICMP replies, but I do
acknowledge that I can't ping the router from the internal network or
the internal network from the router. I will modify the ACL so that I
do receive replies.

 

Sorry for the quiet patch form myself. I have been away for a few days.

I did a bug lookup on your IOS version and it does have some NAT related
problems including: 'NAT fails if CEF is enabled on the router' - try
disabling CEF if you don't need it

Looking at the number of NAT bugs known is IP IOS image 120-3.T3 I would
give serious thought to upgrading to a newer image.

Regards,

Martin

 

I checked the router and I don't believe that cef is enabled. When in
'config t' mode, I typed 'no cef' and it didn't exist.

Also I will upgrade the IOS image in a day or so. I will let you know
what happens.

Thanks,
Peter

 

When you have an access list applied to an outside interface, and that
access list blocks [outside] packets whose -source- IP is one of your
internal addresses, then that is "anti-spoofing". You fixed the netmask
on all of your anti-spoofing lines except the one I pointed out.

 

Walter,

I didn't know what you were talking about until I realized that I
couldn't ping the router interfaces from the router. I modified the
external ACL and now I can ping. This modification also helped the NAT
stuff get further, but it is still not working.

The reason that I didn't understand your comments was because I was
focusing on the ACLs for the internal interface and not the external.
I guess that I got myself confused.

As for the NAT problem, I have enabled dubugging on the ACL and will
also install a sniffer on the server. With ACL debugging turned on I
have made some progress or at lease understand the problem better.

Currently, I am trying to upgrade the IOS image to a newer revision. I
have TFTP working, but when I download the image it's size is 64K while
the original is 3MB.

More to come.