Trying to configure NAT/PAT after reading several articles - WHAT am I missing?

Discussion in 'Cisco' started by war_wheelan, Dec 15, 2005.

  1. war_wheelan

    war_wheelan Guest

    I DON'T KNOW IF ANYONE IS STILL LISTENING, BUT HERE GOES.

    The image upgrade failed because of an exception when loading so I
    reverted back to the original image file.

    Now I am trying to figure out why I haven't been able to connect to
    port 80 on my NATed IP. I modified the external ACL to allow 'any
    any' from my source IP. I also modified the internal ACL to allow 'ip
    and icmp any any' bi-directionally. Lastly, I enabled debugging of
    packets from all interfaces and tried to connect to port 80 on the
    NATed IP.

    Here is the console output for the connection attempt:
    02:54:43: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:54:43: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN
    02:54:46: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:54:46: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN
    02:54:52: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:54:52: TCP src=1823, dst=80, seq=2202593515, ack=0, win=65535 SYN

    It looks like I am sending SYN packets, but not receiving ACK packets.
    Does anyone have any ideas why?
     
    war_wheelan, Dec 23, 2005
    #21

  2. war_wheelan

    war_wheelan Guest

    All,

    The IOS upgrade was successful. It took me a while because I had to
    troubleshoot some hardware related errors. The system is now running
    'boot system flash:c2600-ik9s-mz.122-31'.

    Back tracking - I've configured a static NAT between 192.168.1.200 and
    71.125.24.85. I enabled debugging on the ACL and NAT. I then
    attempted to telnet to the NATed IP and received the following console
    output:

    02:02:01: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31798]
    02:02:01: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31798]
    02:02:01: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
    02:02:01: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:02:01: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
    02:02:04: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31825]
    02:02:04: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31825]
    02:02:04: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
    02:02:04: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:02:04: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
    02:02:10: NAT: o: tcp (66.114.71.62, 3702) -> (71.125.24.85, 80) [31865]
    02:02:10: NAT: s=66.114.71.62, d=71.125.24.85->192.168.1.200 [31865]
    02:02:10: IP: tableid=0, s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), routed via RIB
    02:02:10: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
    02:02:10: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN

    I did some research and it talks about a possible routing loop. My
    internal ACL permits ip and icmp any any while my external ACL only
    permits my home IP.

    DOES ANYONE HAVE ANY SUGGESTIONS?
     
    war_wheelan, Dec 28, 2005
    #22

  3. Martin Kayes

    Martin Kayes Guest

    Are you still running "ip access-group 192 in" on "interface
    FastEthernet0/1"? It may be worth removing the access-group statement from
    the interface as it is pretty redundant anyway.

    The output of your debug implies one of two things, an incorrect gateway on
    192.168.1.200 or an ACL blocking its response.

    Regards,

    Martin
     
    Martin Kayes, Dec 28, 2005
    #23
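    Martin's reading of the debug output, worked through as an added example that is not part of the thread: a small Python script that pairs each forwarded "IP:" debug line with its "TCP" line, groups the packets into flows, and flags a flow whose SYN was forwarded repeatedly with the same sequence number while nothing ever came back through the router, which points at the server's return path (default gateway or an ACL on the reply) rather than at the NAT translation itself. The sample log is constructed in the format of the thread's output; the second, healthy flow to 192.168.1.125 is invented for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the thread's "debug ip packet" output: the thread's
# failing case (same SYN forwarded three times, never answered) plus a made-up healthy handshake.
SAMPLE_LOG = """\
02:02:01: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:01: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:04: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:04: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:02:10: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.200 (FastEthernet0/1), g=192.168.1.200, len 48, forward
02:02:10: TCP src=3702, dst=80, seq=3315073881, ack=0, win=16384 SYN
02:05:30: IP: s=66.114.71.62 (FastEthernet0/0), d=192.168.1.125 (FastEthernet0/1), g=192.168.1.125, len 48, forward
02:05:30: TCP src=3710, dst=80, seq=1000, ack=0, win=16384 SYN
02:05:30: IP: s=192.168.1.125 (FastEthernet0/1), d=66.114.71.62 (FastEthernet0/0), g=71.125.24.1, len 48, forward
02:05:30: TCP src=80, dst=3710, seq=5000, ack=1001, win=16384 ACK SYN
"""
IP_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\),.*\bforward$")
TCP_RE = re.compile(r"TCP src=(\d+), dst=(\d+), seq=(\d+), ack=\d+, win=\d+(.*)$")

def parse_packets(log):
    """Pair each forwarded 'IP:' line with the 'TCP' line that follows it."""
    packets, ip = [], None
    for line in log.splitlines():
        if m := IP_RE.search(line):
            ip = m.groups()                            # (src, in_if, dst, out_if)
        elif (m := TCP_RE.search(line)) and ip:
            sport, dport, seq, flags = m.groups()
            packets.append({"src": ip[0], "sport": int(sport), "dst": ip[2], "dport": int(dport),
                            "seq": int(seq), "flags": set(flags.split()), "out_if": ip[3]})
            ip = None
    return packets

def diagnose(packets):
    """Group packets into flows keyed by the initiator and judge each flow."""
    flows = defaultdict(lambda: {"fwd": [], "rev": []})
    for p in packets:
        key, rkey = (p["src"], p["sport"], p["dst"], p["dport"]), (p["dst"], p["dport"], p["src"], p["sport"])
        (flows[rkey]["rev"] if rkey in flows else flows[key]["fwd"]).append(p)
    verdicts = {}
    for key, f in flows.items():
        fwd, seqs = f["fwd"], {p["seq"] for p in f["fwd"]}
        if f["rev"]:
            verdicts[key] = "ok: reply seen"
        elif len(fwd) > 1 and len(seqs) == 1 and all(p["flags"] == {"SYN"} for p in fwd):
            # Translation and forwarding worked; nothing ever came back through this router.
            verdicts[key] = ("no return traffic: %d copies of one SYN forwarded out %s; check the "
                             "default gateway on %s and any ACL on the return path" % (len(fwd), fwd[0]["out_if"], key[2]))
        else:
            verdicts[key] = "inconclusive"
    return verdicts
```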
  4. war_wheelan

    war_wheelan Guest

    Martin,

    Good to see that you are still listening. Thanks.

    Moving along, it seems that I was confused about the type of NATing
    that I needed to implement. I need to set up a group of static NATs so
    that we can connect to different services running on the same server,
    i.e., 71.125.24.85 running ports 80, 4202 and 6501. I don't need PAT.

    Also I removed ACL 192 from the internal interface and everything is
    working as expected. As for your assumptions, the server(s) are
    connected to two networks and the default route is 192.168.2.1, not
    192.168.1.5 (the router's fa 0/1 internal interface). We have a persistent
    route via 1.5 for network 71.125.24.0 and I verified that it works with
    tracert.
    ACL BLOCKING ITS RESPONSE - I removed all of the 'ip access-group'
    entries from the interface(s) and still couldn't connect to the NATed
    IP, but could telnet to the router from anywhere.

    Now I have a few questions/comments.

    I can telnet from the router to the IP address referenced by the NAT,
    192.168.1.200:80.
    I can ping the router's external interface from the Internet, but not
    the NATed IP .85.
    I can ping the router's NATed IP and the external interface from the
    internal network.

    Lastly, I have attached a subset of my current startup-config file for
    your review.

    version 12.2
    boot system flash:c2600-ik9s-mz.122-31
    interface FastEthernet0/0
     description FISO BUSINESS OUTSIDE
     ip address 71.125.24.66 255.255.255.0
     ip access-group 151 in
     ip nat outside
    interface FastEthernet0/1
     description FISO BUSINESS INSIDE
     ip address 192.168.1.5 255.255.255.0
     ip access-group 193 out
     ip nat inside

    ip nat inside source static 192.168.1.200 71.125.24.85
    ip route 0.0.0.0 0.0.0.0 71.125.24.1

    access-list 151 remark ***** FE 0/0 FIOS BUSINESS EXTERNAL INBOUND CONNECTION *****
    access-list 151 permit ip host 66.114.71.62 any
    access-list 151 remark ** Anti-Spoofing Rules **
    access-list 151 deny ip host 0.0.0.0 any log-input
    access-list 151 deny ip 10.0.0.0 0.255.255.255 any log-input
    access-list 151 deny ip 172.16.0.0 0.15.255.255 any log-input
    access-list 151 deny ip 192.168.0.0 0.0.255.255 any log-input
    access-list 151 deny ip host 255.255.255.255 any log-input
    access-list 151 remark ** ICMP Rules **
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 echo-reply
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 administratively-prohibited
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 packet-too-big
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 traceroute
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 unreachable
    access-list 151 permit icmp any 71.125.24.64 0.0.0.31 time-exceeded
    access-list 151 remark ** Desktop Applet Settings **
    access-list 151 permit tcp any host 71.125.24.85 eq 80
    access-list 151 permit tcp any host 71.125.24.85 eq 4202
    access-list 151 permit tcp any host 71.125.24.85 eq 6501
    access-list 151 deny ip any any log-input
    access-list 193 remark ** FIOS BUSINESS OUTBOUND FROM SERVERS **
    access-list 193 permit icmp any any
    access-list 193 permit ip any any
     
    war_wheelan, Dec 29, 2005
    #24
  5. war_wheelan

    war_wheelan Guest

    Martin,

    I was thinking about your assumption that I had a routing problem and
    realized that I could reconfigure the server for testing.

    In order to test, I reconfigured the default route on one of my servers to
    point to the FIOS Business network (192.168.1.5) and added an 'ip nat
    source static 192.168.1.125 71.125.24.86' to the router. I then tried
    to telnet to the NATed IP .86 and I was able to connect.

    I will test more tomorrow, but if the tests go well I will have to figure
    out how to set the server's routes such that it uses Internet
    connection HOME for outbound traffic and Internet connection BUSINESS
    for inbound traffic. The HOME connection's outbound speed is greater
    than the BUSINESS connection's. The reverse is true for the inbound
    traffic.

    I will let you know how things pan out.
     
    war_wheelan, Dec 29, 2005
    #25
  6. Martin Kayes

    Martin Kayes Guest

    Excellent, sounds like a solution may be on the horizon. Let me know how it
    pans out.

    You may need to use policy based routing to achieve what you want, i.e. if
    the traffic is from a certain subnet or IP then set the next hop as the
    router IP that you want to send it via.

    Regards,

    Martin
     
    Martin Kayes, Dec 29, 2005
    #26
  7. war_wheelan

    war_wheelan Guest

    Again I misunderstood my business objective. The HOME network will be
    used to talk to our production environment and the BUSINESS network
    will be used to talk to our clients.

    Once I fully understood my objectives, I switched the default route to
    the BUSINESS NATed network and added a persistent route to the HOME
    network.

    IT APPEARS THAT THINGS ARE WORKING PROPERLY NOW.

    In summary, I experienced ROUTING and ACL problems and didn't fully
    understand the objective(s).

    Thanks to all especially Martin.
     
    war_wheelan, Dec 29, 2005
    #27