Some static NATs work, others do not.

Unanswered Question
Aug 6th, 2007

I have a router with some static NAT statements that point to our web sites. However, some websites work perfectly and some do not. They are NATted the same and have worked before. One of our server admins updated the NIC driver and after reboot the server isn't reachable from the web; he rolled back the change.

I can see the traffic hitting the ACL and I can see it getting NATted.

This one works: ip nat inside source static tcp 10.10.11.21 80 65.x.x.21 80 extendable

This one doesn't work: ip nat inside source static tcp 10.10.11.13 80 65.x.x.227 80 extendable

Output from sh acl: permit tcp any host 65.x.x.x eq www (48 matches)

Any ideas? I'm stumped.

Jon Marshall Mon, 08/06/2007 - 11:16

Hi Jerry

Without wishing to state the obvious, can you ping the server's 10.x.x.x address from the router?

You could try clearing the ARP cache and the NAT translation for that server, but if it all worked before the update I would be going back to the server guys.

Jon

jerry.mcrae Mon, 08/06/2007 - 11:22

Yeah, I can ping 10.10.11.13.

Output from sh ip nat trans:

Pro  Inside global     Inside local      Outside local        Outside global
tcp  65.x.x.227:80     10.10.11.13:80    65.x.129.214:1326    65.x.129.214:1326

If I try to telnet from a command prompt to 65.x.x.227 80 I can see the ACL hits and the NAT translation, but I can't connect.

jerry.mcrae Tue, 08/07/2007 - 11:37

We added a totally new server and NATted that box and it doesn't work either; however, one web server behind the same Ethernet interface works fine.

I'll attach the running config.

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname NOC-NAT-3600
!
boot system flash c3620-io3-mz.122-31.bin
logging buffered 5000 debugging
logging monitor alerts
!
username privilege 15 password xxx
username privilege 15 password xxx
username privilege 15 password xxx
username k privilege 15 password xxx
ip subnet-zero
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
interface Ethernet0/0
 description connected to Internet
 ip address 65.x.x.2 255.255.255.0
 ip access-group VailNet in
 ip nat outside
 full-duplex
!
interface Ethernet0/1
 description connected to Private
 ip address 10.10.11.2 255.255.255.0
 ip nat inside
 full-duplex
!
router eigrp 100
 network 10.10.11.0 0.0.0.255
 auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static tcp 10.10.11.13 80 65.x.x.145 80 extendable
ip nat inside source static tcp 10.10.11.13 80 65.x.x.153 80 extendable
ip nat inside source static tcp 10.10.11.13 80 65.x.x.231 80 extendable
ip nat inside source static tcp 10.10.11.21 80 65.x.x.21 80 extendable   -works
ip nat inside source static tcp 10.10.11.21 21 65.x.x.21 21 extendable   -works
ip nat inside source static tcp 10.10.11.21 20 65.x.x.21 20 extendable   -works
ip nat inside source static tcp 10.10.11.13 80 65.x.x.227 80 extendable
ip nat inside source static tcp 10.10.11.33 8080 65.x.x.241 8080 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
ip route 192.168.10.0 255.255.255.0 172.16.1.5
ip route 192.168.11.0 255.255.255.0 172.16.1.5
ip route 192.168.12.0 255.255.255.0 172.16.1.5
ip route 192.168.13.0 255.255.255.0 172.16.1.5
ip route 192.168.14.0 255.255.255.0 172.16.1.5
ip route 192.168.15.0 255.255.255.0 172.16.1.5
ip route 192.168.16.0 255.255.255.0 172.16.1.5
no ip http server
!
ip access-list standard TELNET
 remark ACL for TELNET
 permit 172.16.0.0 0.0.255.255 log
 permit 172.17.0.0 0.0.255.255
 permit 172.19.0.0 0.0.255.255
 permit 172.21.0.0 0.0.255.255
 permit 10.10.0.0 0.0.255.255
 deny any
!
ip access-list extended VailNet
 remark Traffic From Vailnet
 permit tcp any host 65.xx.21 eq www
 permit tcp any host 65.xx.21 eq ftp-data
 permit tcp any host 65.xx.21 eq ftp
 permit tcp any host 65.xx.241 eq 8080
 permit tcp any host 65.xx.227 eq www
 permit tcp any host 65.xx.227 eq telnet
 permit tcp any host 65.xx.153 eq www
 permit tcp any host 65.xx.241 eq www
 permit tcp any host 65.xx.231 eq www
logging 172.16.1.31
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.10.0.0 0.0.255.255
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 1 permit 172.18.0.0 0.0.255.255
access-list 1 permit 172.19.0.0 0.0.255.255
access-list 1 permit 172.20.0.0 0.0.255.255
access-list 1 permit 172.21.0.0 0.0.255.255
access-list 1 permit 172.24.0.0 0.0.255.255
access-list 1 permit 172.26.0.0 0.0.255.255
snmp-server x
snmp-server x
snmp-server host 172.16.1.15 x
banner motd ^C Web Farm NAT Router ^C
!
line con 0
 exec-timeout 60 0
 login local
line aux 0
line vty 0 4
 access-class TELNET in
 exec-timeout 60 0
 login local
!
end
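A config cross-check written for this thread as an added example (it is not from the original post or the router): it parses the posted static NAT statements and the VailNet ACL, and reports port-forwards that no inbound permit covers and permits with no translation behind them. It assumes the masked 65.x.x.N and 65.xx.N addresses in the two sections refer to the same public block, so the sample below writes them the same way.

```python
import re

# Constructed sample: the NAT statics and the VailNet ACL from the running
# config posted above, with the masked 65.x.x.N / 65.xx.N addresses written
# the same way (assumption: both spellings hide the same public block).
SAMPLE_CONFIG = """
ip nat inside source static tcp 10.10.11.13 80 65.x.x.145 80 extendable
ip nat inside source static tcp 10.10.11.13 80 65.x.x.153 80 extendable
ip nat inside source static tcp 10.10.11.13 80 65.x.x.231 80 extendable
ip nat inside source static tcp 10.10.11.21 80 65.x.x.21 80 extendable
ip nat inside source static tcp 10.10.11.21 21 65.x.x.21 21 extendable
ip nat inside source static tcp 10.10.11.21 20 65.x.x.21 20 extendable
ip nat inside source static tcp 10.10.11.13 80 65.x.x.227 80 extendable
ip nat inside source static tcp 10.10.11.33 8080 65.x.x.241 8080 extendable
ip access-list extended VailNet
 permit tcp any host 65.x.x.21 eq www
 permit tcp any host 65.x.x.21 eq ftp-data
 permit tcp any host 65.x.x.21 eq ftp
 permit tcp any host 65.x.x.241 eq 8080
 permit tcp any host 65.x.x.227 eq www
 permit tcp any host 65.x.x.227 eq telnet
 permit tcp any host 65.x.x.153 eq www
 permit tcp any host 65.x.x.241 eq www
 permit tcp any host 65.x.x.231 eq www
"""

# IOS shows well-known ports by name in ACLs; these are the names this config uses.
PORT_NAMES = {"www": 80, "ftp": 21, "ftp-data": 20, "telnet": 23}
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(r"^\s*permit tcp any host (\S+) eq (\S+)$")


def audit(config):
    """Return (statics, nat_only, acl_only): parsed port-forwards keyed by
    (global_ip, global_port); forwards no ACL line permits (packets are
    dropped before NAT runs); permits with no translation behind them."""
    statics, permitted = {}, set()
    for line in config.splitlines():
        if m := NAT_RE.match(line):
            lip, lport, gip, gport = m.groups()
            statics[(gip, int(gport))] = (lip, int(lport))
        elif m := ACL_RE.match(line):
            gip, port = m.groups()
            permitted.add((gip, PORT_NAMES.get(port) or int(port)))
    nat_only = sorted(set(statics) - permitted)
    acl_only = sorted(permitted - set(statics))
    return statics, nat_only, acl_only
```

For 65.x.x.227 port 80 both the translation and the permit are present, which agrees with the thread's resolution that the router was not at fault; the unpaired forward for 65.x.x.145 and the unpaired permits for 65.x.x.227 telnet and 65.x.x.241 www are the kind of drift worth cleaning up.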

jerry.mcrae Wed, 08/08/2007 - 15:23

There was nothing wrong with the router or the NAT: the default gateway was pointed to the wrong router, not the NAT router.

deveshkumar Sun, 08/12/2007 - 19:58

Hi,

Clear the MAC/ARP entries in the router as well as the switch it is connected to ...

If the switch is not manageable, reboot it.

This will get things working, I hope.

Paolo Bevilacqua Sun, 08/12/2007 - 20:18

Hi Devesh,

I see that you are a new member to this forum and I welcome you here.

At the same time I suggest that you use the most care in reading the full thread before answering, as in this case the issue had already been solved, as the original poster indicated.

This is to maintain the highest possible level in the NetPro forums. Thanks again!
