static NAT not working

Unanswered Question
Jul 5th, 2007

Hi,

I'm configuring a 1841 router with 4-port FE WIC card.

Interface FE0/1 is outside and FE0/0/0 (WIC) is used for LAN connection.

I'm using dynamic NAT for LAN users' access to the Internet and static NAT to connect to internal servers from the external network.

In my test configuration, I cannot connect to the LAN (192.168.0.0/24) from the external network. Dynamic NAT, though, is working fine.

My config follows. Am I missing something? Hope someone can help me.

Thanks in advance.

!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 192.168.0.6 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.1 23 interface FastEthernet0/1 23
ip nat inside source static tcp 192.168.0.5 5900 interface FastEthernet0/1 5900
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.18 0.0.0.128
!

dradhika Thu, 07/05/2007 - 08:22

I guess "ip nat inside source.." needs to be replaced with "ip nat outside source.." since you want to check the packets that are entering inside the network and replace the source ip from 192.168.0.1 with f0/1 interface's ip.

Reason:-

With the inside source CLI the packets are checked when they are going from inside to outside and the source IP is changed, and when a packet is going from outside to inside the destination is changed.

Now the packets destination address is checked which can never be 0.1.

HTH,

Radhika

royalblues Thu, 07/05/2007 - 09:41

Can you use a separate IP for the static NATs instead of the FastEthernet address and check?

Narayan

Amit Singh Thu, 07/05/2007 - 10:12

This will not work. You cannot have the same IP for dynamic NAT and static NAT. You cannot use dynamic NAT and static NAT on the same interface IP. You need some free IPs from the 192.168.2.x range to static NAT your servers to the free addresses and be accessed from outside.

Do the following with free IPs.

ip nat inside source static 192.168.0.1 192.168.2.10
ip nat inside source static 192.168.0.5 5900 192.168.2.11 5900

This should work for you ..

HTH, please rate if it does.

-amit singh

Jon Marshall Fri, 07/06/2007 - 00:47

Hi

I can't see anything wrong with this config. Sorry to ask the obvious, but when you try and connect to the internal LAN server, i.e. 192.168.0.1, you are telnetting to 192.168.2.2, aren't you?

I set this up in our lab as I wasn't sure whether the static NAT commands would work with an interface rather than the explicit IP, but it all works fine.

Could you go from inside to out and then try connecting to one of your internal servers and post the output of a "sh ip nat translations".

Edit - I used a 2621 router with 12.3(4)T4.

Amit, the attached doc suggests that you can use the same IP address for both dynamic and static translations ( see last example at bottom ).

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Are you saying it is not supported on later versions ?

HTH

Jon

piotrlit07 Fri, 07/06/2007 - 02:03

Hi,

Thanks for your fast responses.

Amit, I tried natting to free IP from 192.168.2.x range with no result.

Jon, when I try to connect to an internal server from network 192.168.2.x, this is the output of sh ip nat translations.

TR13#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 192.168.2.2:23     192.168.0.1:23     192.168.2.65:2695  192.168.2.65:2695
tcp 192.168.2.2:23     192.168.0.1:23     ---                ---
tcp 192.168.2.2:5900   192.168.0.5:5900   ---                ---

Also, checking debug logs with SDM, I found entries apparently doing the static translations, but no response from the internal servers. After a while, they appear as expired translations:

11:30:50.281 expiring 192.168.2.2 (192.168.0.1) tcp 23 (23)
11:29:50.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20447]
11:29:44.089 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20413]
11:29:41.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20401]

-Albert
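The debug output above shows inbound packets being translated (d=192.168.2.2->192.168.0.1) three times and then the entry expiring, with nothing ever coming back. The following script is an added example, not part of the thread, that turns that reading into a check: it parses SDM-style "debug ip nat" lines, counts inbound translations and reply translations per (client, server) pair, and reports pairs that were translated inbound but never answered. The inbound and "expiring" lines are modelled on the ones posted here; the reply-direction line format (s=inside local->inside global, d=client) is an assumption added for the healthy flow to 192.168.0.5, which is constructed and not from the thread.

```python
import re
from collections import defaultdict

# Constructed sample. The three inbound lines and the "expiring" line follow the
# SDM debug output posted in this thread; the 192.168.0.5 flow and its reply
# line are an ASSUMED example of a server that does answer.
SAMPLE_DEBUG = """\
11:29:41.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20401]
11:29:44.089 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20413]
11:29:50.105 s=192.168.2.65,d=192.168.2.2->192.168.0.1 [20447]
11:29:52.300 s=192.168.2.65,d=192.168.2.2->192.168.0.5 [20500]
11:29:52.301 s=192.168.0.5->192.168.2.2, d=192.168.2.65 [1201]
11:30:50.281 expiring 192.168.2.2 (192.168.0.1) tcp 23 (23)
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Inbound packet: destination (inside global) rewritten to the inside local address
INBOUND = re.compile(rf"s=({IP}),\s*d=({IP})->({IP})")
# Reply packet: source (inside local) rewritten back to the inside global address
REPLY = re.compile(rf"s=({IP})->({IP}),\s*d=({IP})")
# Entry timing out: "expiring <inside global> (<inside local>) ..."
EXPIRING = re.compile(rf"expiring ({IP}) \(({IP})\)")


def summarize_nat_debug(text):
    """Count inbound translations, replies and expiries per (client, server) pair."""
    flows = defaultdict(lambda: {"inbound": 0, "replies": 0, "expired": 0})
    for line in text.splitlines():
        m = INBOUND.search(line)
        if m:
            client, _inside_global, server = m.groups()
            flows[(client, server)]["inbound"] += 1
            continue
        m = REPLY.search(line)
        if m:
            server, _inside_global, client = m.groups()
            flows[(client, server)]["replies"] += 1
            continue
        m = EXPIRING.search(line)
        if m:
            _inside_global, server = m.groups()
            # The expiry line names only the server, so attribute it to every
            # client whose packets were translated to that server.
            for key in flows:
                if key[1] == server:
                    flows[key]["expired"] += 1
    return dict(flows)


def one_way_flows(text):
    """(client, server) pairs that were translated inbound but never answered."""
    stats = summarize_nat_debug(text)
    return sorted(k for k, v in stats.items() if v["inbound"] and v["replies"] == 0)


if __name__ == "__main__":
    for pair, counts in summarize_nat_debug(SAMPLE_DEBUG).items():
        print(pair, counts)
    print("no reply from:", one_way_flows(SAMPLE_DEBUG))
```

A pair that shows up in one_way_flows means the router did its job and the problem is on the server side (no route back to the router, a host firewall, or a service not listening), which is exactly the situation the thread ends up diagnosing.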

Jon Marshall Fri, 07/06/2007 - 02:59

Albert

It looks to me like your NAT is working. I get similar results in my NAT table.

2600_connect#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
1) icmp 172.16.1.9:4388   10.15.1.2:4388     10.5.1.1:4388      10.5.1.1:4388
2) tcp 172.16.1.9:23      10.15.1.3:23       172.16.1.10:62274  172.16.1.10:62274
3) tcp 172.16.1.9:23      10.15.1.3:23       ---                ---

Line 1) is a dynamic translation from inside to outside for ping.

Line 2) is the dynamic entry built when I telnet from outside (172.16.1.10) to 172.16.1.9 (which gets NATted to 10.15.1.3)

Line 3) is the permanent static translation that gets entered from the config line "ip nat source static tcp 10.15.1.3 23 interface fa0/1 23"

Relevant Router config
======================
interface FastEthernet0/0
 description Connection to CR02
 ip address 10.15.1.1 255.255.255.240
 ip nat inside
 ip pim dense-mode
 no ip route-cache
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description Connection to P1
 ip address 172.16.1.9 255.255.255.248
 ip nat outside
 ip pim dense-mode
 no ip route-cache
 speed 100
 full-duplex
!
router eigrp 20
 redistribute connected
 redistribute static
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.15.1.3 23 interface FastEthernet0/1 23
ip classless
access-list 1 permit 10.15.1.0 0.0.0.15
=====================

Are you sure it is a natting problem ?

Jon
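Jon's reading of the three table rows (a dynamic entry carries an outside pair, a static port mapping sits there with "--- ---" until a session uses it) generalises to any "sh ip nat translations" output. The parser below is an added example, not code from the thread or from Cisco: it splits the table into entries, marks which ones have a live session, and reports for each static port mapping how many sessions are currently using it. The sample table is constructed from Jon's three rows plus one made-up 5900 mapping (10.15.1.5); a mapping with zero sessions either has never been hit or has had its entries time out.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the "sh ip nat translations" output above.
# The 5900 row for 10.15.1.5 is invented to show an unused static mapping.
SAMPLE_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 172.16.1.9:4388   10.15.1.2:4388     10.5.1.1:4388      10.5.1.1:4388
tcp 172.16.1.9:23      10.15.1.3:23       172.16.1.10:62274  172.16.1.10:62274
tcp 172.16.1.9:23      10.15.1.3:23       ---                ---
tcp 172.16.1.9:5900    10.15.1.5:5900     ---                ---
"""


@dataclass(frozen=True)
class Translation:
    proto: str                    # "tcp", "udp", "icmp", or "---" for a plain static
    inside_global: str            # address[:port] seen on the outside
    inside_local: str             # address[:port] of the real server
    outside_local: Optional[str]  # None when the table shows "---"
    outside_global: Optional[str]

    @property
    def has_session(self) -> bool:
        """A populated outside pair means a packet has actually used this entry."""
        return self.outside_local is not None


def parse_nat_table(text):
    """Parse the five-column table; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        proto, ig, il, ol, og = parts
        entries.append(Translation(proto, ig, il,
                                   None if ol == "---" else ol,
                                   None if og == "---" else og))
    return entries


def static_mapping_usage(entries):
    """For each session-less entry (the configured mapping itself), count the
    live sessions that share its protocol, inside global and inside local."""
    usage = {}
    for s in (e for e in entries if not e.has_session):
        key = (s.proto, s.inside_global, s.inside_local)
        usage[key] = sum(
            1 for e in entries
            if e.has_session and (e.proto, e.inside_global, e.inside_local) == key
        )
    return usage


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE_TABLE)
    for key, sessions in static_mapping_usage(table).items():
        print(key, "sessions:", sessions)
```

Note that a session here only proves the router created a translation for an inbound packet; as Albert's table shows, you can have a session entry and still get no reply from the server, so this check tells you which half of the path to look at next.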

piotrlit07 Fri, 07/06/2007 - 05:40

I think so. Telnet and other services are working OK when accessed from local network.

I checked the proposed configurations with different IPs for static NAT. I also tried it using only FE interfaces 0/0 and 0/1, just in case it was a problem with the added switch card. Nothing works.

Any other idea?

dradhika Sat, 07/07/2007 - 09:28

Sorry I did not check the source ip addresses in the nat cli previously. I thought you were using some outside address which needs to be converted into inside address.

Can you turn on the debug commands and check if everything is working fine?

Maybe try adding

ip nat inside source static 192.168.0.1 int fastethernet.. overload

and turn on debug ip icmp , debug ip nat commands, then ping to the internal network and see how the packets are sent.

Also, can you check if there is an internal router with IP 192.168.0.1?

[When I was configuring on my internal device with a different ip by mistake and then I was not able to telnet to the device]

Thanks,

Radhika

piotrlit07 Thu, 07/19/2007 - 04:29

Hi,

Finally, the problem was not in the router, but in the internal servers I was using for tests. They did not have the internal router IP configured as their default gateway, so there was no response to the router. With the correct gateway configuration, NAT is working OK.

Thanks Radhika, Jon and the others for your advice and suggestions.

Albert

Jon Marshall Sat, 07/07/2007 - 10:19

Hi Albert

In addition to Radhika's suggestions, what OS does the server run? If Windows you could use Ethereal/Wireshark or the Windows Netmon tool. If Linux, tcpdump; Solaris, snoop, etc.

All of the above are packet capture tools. If you could start one up on the server you might be able to see if packets are actually coming from the router after being natted.

Jon
