831 NAT Access System via Internet

Unanswered Question
Apr 14th, 2007

Hello all,

I'm having some difficulty trying to set up our 831 to allow access to one of our systems via the Internet.

I have attempted this with setting up NAT.

I tried the following:

ip nat source static tcp 172.16.1.16 2000 interface ethernet 0 2000

Just to note we only have one IP address which is dynamic.

I'm not sure as of why I can't access the system. I have checked to make sure that the port number 2000 is accessible through our provider, which it is.

Attached is our configuration.

In advance I greatly appreciate the time taken to look at this post and reply,

WindigoSSC

stephen.stack Sun, 04/15/2007 - 05:21

Hi,

Your config is quite elaborate. I can't really see anything that could be causing your internet clients to not connect to port 2000 on 172.16.1.16.

However, let's try a few things to troubleshoot the issue. And i won't assume anything.

1. Can you connect to this port from within your local subnet?

2. Can you telnet to this port from within your local subnet? i.e. (Windows command prompt) telnet 172.16.1.16 2000

(if the response is a black screen on the command prompt - you have a successful connection)

3. Remove the access list on interface ethernet 1, and then try a connection from the internet, i.e. (config-if)#no ip access-group 101 in (use telnet as above to test)

4. With the ACL on E1 removed try a static NAT to another port on a different host, i.e. ip nat inside source static tcp 172.16.1.15 80 interface Ethernet1 80 (connect to port 80 using telnet as above to test).

Let me know the results and we will take it from there. I'm sure the problem is easily resolved.

Regards

Stephen

windigossc Sun, 04/15/2007 - 10:37

Hi Stephen,

1.) Yes

2.) Telnet is disabled on this system, but on the host machine I enabled it through the OS and I was able to telnet.

3.) Removed the ACL, unable to connect via telnet.

4.) Created a Static NAT on E1 to another host and was unable to connect.

I can access 172.16.1.16:2000 within our Intranet but not from the internet.

stephen.stack Sun, 04/15/2007 - 10:57

Hi,

This is good from a troubleshooting point of view. You can access the port from inside the LAN. And when you take the ACL away you cannot access the Port/2000. This means something else is wrong. A few more questions for you. (I promise we will nail this :) )

Why are your ACLs so large... do you know why the

...

access-list 101 permit ip host 172.16.2.238 172.0.0.0 0.255.255.255

access-list 101 permit ip host 172.16.2.239 172.0.0.0 0.255.255.255

...

and

...

access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.215

access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.216

...

are present? They seem long and cumbersome. Probably irrelevant anyway!!!

One thing I did notice is that you have not got a default route. Is this router used to connect to the internet? (may seem like a dumb Q... but I have to ask :) )

You need the following in your config... otherwise hosts do not know how to respond to internet requests.

router(config)#ip route 0.0.0.0 0.0.0.0 eth1

I think that may be the answer. You should disable the ACL on E1 just while you are testing the connection to port 2000 after entering the above command.

Also, are you using an ADSL modem for connectivity here? If so then also add the following commands.

interface e0
 ip tcp adjust-mss 1452
!
interface e1
 ip mtu 1492

The above commands fix a known issue with NAT, MTUs and ADSL on Cisco boxes.

Let me know how this goes.

Regards

Stephen
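For reference, here is a minimal end state that ties the thread's pieces together (inside/outside designation, the static TCP port forward bound to the dynamic outside interface, the default route, and a restrictive inbound ACL instead of leaving E1 unfiltered after testing). This is an added example, not the poster's configuration or the SDM-generated ACL 101/104 on the page; it assumes Ethernet0 is the LAN side with 172.16.1.1/24, Ethernet1 is the cable-modem side getting its address by DHCP, and uses ACL number 110 so it does not collide with the existing lists.

```cisco
! Added example (not the poster's config). Assumptions: Ethernet0 = LAN,
! Ethernet1 = Internet (dynamic address), only TCP/2000 on 172.16.1.16 is exposed.
interface Ethernet0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 ip address dhcp
 ip nat outside
 ip access-group 110 in
!
! Static port forward: "inside" and "tcp" are required keywords; the mapping is
! bound to the outside interface because the public address changes.
ip nat inside source static tcp 172.16.1.16 2000 interface Ethernet1 2000
!
! Default route as suggested in the thread. With "ip address dhcp" the router
! normally installs one from the DHCP lease already; check "show ip route" first.
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
! The inbound ACL on the outside interface is evaluated before NAT, so at that
! point the destination is the (dynamic) public address: match on the port only.
access-list 110 remark Only the forwarded port is reachable from the Internet
access-list 110 permit tcp any any eq 2000
access-list 110 permit tcp any any established
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit icmp any any echo-reply
access-list 110 deny ip any any log
```

After a test connection from outside, `show ip nat translations` should list the 172.16.1.16:2000 entry and `show access-list 110` should show the hit counter on the `eq 2000` line incrementing; hits on the final `deny ... log` line give a record of anything else knocking on the public address.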

windigossc Sun, 04/15/2007 - 11:26

I removed the ACL from E1.

Added ip route 0.0.0.0 0.0.0.0 eth1.

The following lines were created by SDM when I set up the EasyVPN Server and IP Pool.

...

access-list 101 permit ip host 172.16.2.238 172.0.0.0 0.255.255.255

access-list 101 permit ip host 172.16.2.239 172.0.0.0 0.255.255.255

...

and

...

access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.215

access-list 104 deny ip 172.0.0.0 0.255.255.255 host 172.16.2.216

...

We're using cable from our ISP.
