Problems with NAT

Unanswered Question
Apr 23rd, 2007

I configured a router to perform NAT to allow outside traffic into an internal web server that only accepts connections on port 443. Here are my configs (ip addresses have obviously been changed):



interface FastEthernet0/0
 ip address 10.32.15.102 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 12.x.x.x.255.255.248
 ip nat outside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.32.15.88 443 12.10.206.206 443 extendable
ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 12.10.206.206
!
!
access-list 1 permit 10.32.15.0 0.0.0.255



When I debug while trying to connect to https://12.10.206.206, this is what I get:



Router#term mon
Router#
*Jun 6 23:13:46.780: NAT: o: tcp (67.127.21.179, 21421) -> (12.10.206.206, 443) [3029]
*Jun 6 23:13:46.780: NAT: s=67.127.21.179, d=12.10.206.206->10.32.15.88 [3029]
*Jun 6 23:13:52.796: NAT: o: tcp (67.127.21.179, 21421) -> (12.10.206.206, 443) [3038]
*Jun 6 23:13:52.796: NAT: s=67.127.21.179, d=12.10.206.206->10.32.15.88 [3038]

Router#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
tcp 12.10.206.206:1034    10.32.15.110:1034     207.46.107.63:1863    207.46.107.63:1863
tcp 12.10.206.206:443     10.32.15.88:443       67.127.21.179:21421   67.127.21.179:21421
tcp 12.10.206.206:1439    10.32.15.110:1439     63.236.56.237:80      63.236.56.237:80
tcp 12.10.206.206:443     10.32.15.88:443       67.127.21.177:1241    67.127.21.177:1241
tcp 12.10.206.206:2491    10.32.15.110:2491     209.62.180.190:80     209.62.180.190:80
tcp 12.10.206.206:50676   10.32.15.202:50676    66.150.208.55:80      66.150.208.55:80
tcp 12.10.206.206:2529    10.32.15.110:2529     69.22.138.49:80       69.22.138.49:80
tcp 12.10.206.206:443     10.32.15.88:443       ---                   ---
tcp 12.10.206.206:2062    10.32.15.110:2062     207.46.107.63:1863    207.46.107.63:1863
tcp 12.10.206.206:2115    10.32.15.110:2115     67.29.128.42:80       67.29.128.42:80
tcp 12.10.206.206:2118    10.32.15.110:2118     67.29.128.42:80       67.29.128.42:80
tcp 12.10.206.206:2743    10.32.15.109:2743     207.46.107.63:1863    207.46.107.63:1863
udp 12.10.206.206:123     10.32.15.240:123      192.43.244.18:123     192.43.244.18:123
Router#




Does NAT look like it's doing what it's supposed to do? The web server is not managed by my company, so I don't know what kind of security is on it.
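As an added check (not part of the original thread), this Python snippet parses the debug and translation-table output quoted above: the "d=12.10.206.206->10.32.15.88" lines are the router rewriting inbound destinations, and the "---" row is the standing static entry, so the script confirms that the inside static mapping is installed and which outside peers are currently using it. The sample lines are constructed from the post, with the line-wrapped fragments ("[3029]", "2142" / "1") rejoined onto their rows.

```python
import re

# Constructed sample, copied from the post above with wrapped fragments rejoined.
DEBUG_LINES = """\
*Jun 6 23:13:46.780: NAT: o: tcp (67.127.21.179, 21421) -> (12.10.206.206, 443) [3029]
*Jun 6 23:13:46.780: NAT: s=67.127.21.179, d=12.10.206.206->10.32.15.88 [3029]
*Jun 6 23:13:52.796: NAT: s=67.127.21.179, d=12.10.206.206->10.32.15.88 [3038]
""".splitlines()

TRANS_LINES = """\
tcp 12.10.206.206:443 10.32.15.88:443 67.127.21.179:21421 67.127.21.179:21421
tcp 12.10.206.206:1439 10.32.15.110:1439 63.236.56.237:80 63.236.56.237:80
tcp 12.10.206.206:443 10.32.15.88:443 67.127.21.177:1241 67.127.21.177:1241
tcp 12.10.206.206:443 10.32.15.88:443 --- ---
""".splitlines()

# 'd=global->local' lines are packets that arrived on the outside interface and
# had their destination rewritten: the inbound leg of the static mapping.
INBOUND_RE = re.compile(
    r"NAT: s=(?P<src>[\d.]+), d=(?P<glob>[\d.]+)->(?P<local>[\d.]+) \[(?P<id>\d+)\]")


def inbound_translations(lines):
    """Return (outside src, inside global, inside local, packet id) per inbound hit."""
    hits = []
    for line in lines:
        m = INBOUND_RE.search(line)
        if m:
            hits.append((m["src"], m["glob"], m["local"], int(m["id"])))
    return hits


def parse_translations(lines):
    """Parse 'show ip nat translations' rows; '---' marks the standing static
    entry, every other row is an active session through the router."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # header, prompt or wrapped fragment
        proto, ig, il, ol, og = parts
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og, "static": ol == "---"})
    return rows


def check_static_map(rows, inside_global, inside_local):
    """(static entry installed?, sorted outside peers currently using it)."""
    installed = any(r["static"] and r["inside_global"] == inside_global
                    and r["inside_local"] == inside_local for r in rows)
    peers = sorted({r["outside_global"] for r in rows
                    if not r["static"] and r["inside_global"] == inside_global})
    return installed, peers
```

If the inbound hits and the installed static entry both show up, the router side of the translation is working and the next place to look is the ISP router or the server itself.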



mahmoodmkl Mon, 04/23/2007 - 10:53

Hi


Can you point your default route to the next hop of your ISP rather than pointing it to your FastEthernet interface?


Thanks

Mahmood

stanleyjhan Mon, 04/23/2007 - 12:37

Sorry, I changed that IP address by accident. The original default should point to the next hop.


Does the configuration look correct?

leighharrison Tue, 04/24/2007 - 12:19

Hey there!


The command:-

ip nat inside source static tcp 10.32.15.88 443 12.10.206.206 443 extendable


Reads: On the interface labelled "inside" when a packet from 10.32.15.88 on port 443, translate it to 12.10.206.206 on port 443.


To get the web server 12.10.206.206 viewable from the outside you need to have a translation telling the router what to do when a packet arrives on the outside interface (which will be someone trying to find the server)


To that end, put in the command:-

ip nat outside source static tcp 12.10.206.206 443 10.32.15.88 443 ext


This will tell the router how to translate packets hitting the "outside" interface on port 443.


Hope that makes some sense! Your syntax was pretty good, it was just the wrong way round!


Best Regards

LH


** Please rate all posts **

stanleyjhan Tue, 04/24/2007 - 13:52

I'm not sure I understand.


This is where I got my syntax from: http://www.cisco.com/warp/public/794/827spat.html


It shows an example of mapping an outside address to an internal webserver.


Perhaps there is something in my ISP router configuration that is prohibiting this? I have my ISP router, which connects to the fa0/1 interface. The fa0/0 interface connects directly to a switch where our webserver resides.


I need users to connect to https://12.10.206.206 (fa0/1 interface), and have this translated to 10.32.15.88 (webserver).


Please help!!!

leighharrison Wed, 04/25/2007 - 00:58

Hi there,


Paste in this command and see what happens:-

ip nat outside source static tcp 12.10.206.206 443 10.32.15.88 443 ext

(change the 12.10.206.206 to your real address)


LH


** Please rate all posts **

stanleyjhan Wed, 04/25/2007 - 10:38

When I pasted this command in, it actually halted activity. The 10.32.15.x switch started blinking rapidly, and users were not able to reach the internet.


What I found puzzling was that when I physically disconnected the fa0/0 port (router to 10.32.15.x switch), I was still able to ping 10.32.15.88.


It seems like this command was doing some sort of translation to a 10.32.15.88 that wasn't even connected!


I'm more lost than ever...

leighharrison Thu, 04/26/2007 - 00:28

Hi there,


I think I get what you're trying to do.


You want to make the webserver on the f0/0 side of the router accessible to the world out of the f0/1 interface.


If that's the case, then the nat statements that you had in there should do the trick, without having to put anything on for the outside nat.


The default gateway that you've got is wrong as it points to your own interface! That needs to be changed to the next hop address.


Regards,

LH


** Please rate all posts **

stanleyjhan Thu, 04/26/2007 - 08:06

Thanks for the help. I accidentally changed the default gateway when I edited the post to secure my IP addresses. I originally had it pointing to the next hop.


I guess my configurations are correct. Could there be a problem with the ISP router? Some sort of firewall or security? Or could the problem be on the webserver end?

leighharrison Fri, 04/27/2007 - 00:09

Hi there,


Looking at the debug that you posted, there are references to port 443, so it should be ok.


If you use a sniffer on the web server then you should be able to see if the packet is coming in to the router or not. Check out wireshark (it's open source) http://www.wireshark.org


Have a go, and let me know how it goes.


Regards,

LH


** Please rate all posts **
