Are my NAT statements right? Ok.. what did I do wrong?

justinkarl
Level 1

Hi there, all:

I'm a bit rusty on the IOS stuff and I'm setting up a small office of ours to share an internet connection for the client PCs and also forward outside connections to a few servers we have on the inside... (using a 2611 w/ IOS 12.3). I thought I did this right, but apparently, since I haven't used anything since 12.0, I've screwed the pooch. Can you guys and gals have a look at my config and tell me what I've done wrong?

Current configuration : 2075 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname REMAX
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rD#############yh8e/
enable password 7 1#############35
!
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp timestamp
ip tcp path-mtu-discovery
!
!
ip name-server 68.87.64.146
ip name-server 68.87.75.194
ip dhcp excluded-address 10.1.10.150 10.1.10.255
ip dhcp excluded-address 10.1.10.0 10.1.10.50
!
ip dhcp pool 0
   network 10.1.10.0 255.255.255.0
   default-router 10.1.10.1
   dns-server 68.87.64.146
!
no ip bootp server
ip cef
!
!
interface Ethernet0/0
 description LAN
 ip address 10.1.10.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
 no mop enabled
!
interface Ethernet0/1
 description WAN
 ip address 70.91.###.157 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 ip nat outside
 full-duplex
 no cdp enable
!
ip nat inside source list 100 interface Ethernet0/1 overload
ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21
ip nat inside source static tcp 10.1.10.11 22 interface Ethernet0/1 22
ip nat inside source static tcp 10.1.10.11 80 interface Ethernet0/1 80
ip nat inside source static tcp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static udp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static tcp 10.1.10.21 3306 interface Ethernet0/1 3306
no ip http server
ip classless
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
ip route 0.0.0.0 0.0.0.0 70.91.###.158
!
!
access-list 100 permit ip 10.1.10.0 0.0.0.255 any
access-list 101 deny tcp any any range 0 ftp-data
access-list 101 deny tcp any any range telnet 24
access-list 101 deny tcp any any range 26 finger
access-list 101 deny tcp any any range 81 pop2
access-list 101 permit ip any any
no cdp run
!
line con 0
line aux 0
line vty 0 4
 password ############
 login
!
!
end

3 Replies

Richard Burts
Hall of Fame

Justin

I have looked through the configuration, focusing especially on the address translation, and find only one obvious issue: you have this translation:

ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21

which will forward the FTP control port to an inside device. But since your inbound access list is denying FTP data, FTP will not work:

access-list 101 deny tcp any any range 0 ftp-data

Without knowing more about your network we cannot tell if 10.1.10.11 is the right device to get SSH and HTTP etc.

Perhaps you can clarify a bit about what is not working? If we understood the symptoms better we might be able to make better suggestions about a solution.

HTH

Rick

Hi, Rick:

I appreciate your help... and yes, that range in 101 shouldn't include FTP... But that's not the issue. The issue is that there isn't ANY forwarding happening, FTP, SSH, HTTP, or otherwise... All of the inside clients get out to the internet ok, and I can access the router from the inside and outside fine, but outside requests are not getting forwarded through the router. Yes, I've checked my servers to make sure they're awake and accepting requests ;)

Any further ideas?

Thanks!

-Justin K.

Justin

Thanks for the additional explanation. My next suggestion would be to change ACL 100 which currently permits everything to be translated dynamically. How about putting statements into ACL 100 which will deny the ports that you want to statically translate?

HTH

Rick
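A quick way to audit a configuration like the one posted above, added here as an example and not taken from the thread: parse the static translations and the inbound ACL, then report what the ACL actually does to each forwarded port. It assumes the "any any" ACL forms used in this thread and a small constructed subset of the IOS TCP port keyword table.

```python
import re

# Constructed subset of IOS TCP port keywords; only the names in this thread's ACL are needed.
IOS_TCP_PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25,
                      "finger": 79, "www": 80, "pop2": 109, "pop3": 110}

# Constructed copy of the NAT and ACL lines from the posted configuration.
CONFIG = """
ip nat inside source static tcp 10.1.10.11 21 interface Ethernet0/1 21
ip nat inside source static tcp 10.1.10.11 22 interface Ethernet0/1 22
ip nat inside source static tcp 10.1.10.11 80 interface Ethernet0/1 80
ip nat inside source static tcp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static udp 10.1.10.250 3389 interface Ethernet0/1 3389
ip nat inside source static tcp 10.1.10.21 3306 interface Ethernet0/1 3306
access-list 101 deny tcp any any range 0 ftp-data
access-list 101 deny tcp any any range telnet 24
access-list 101 deny tcp any any range 26 finger
access-list 101 deny tcp any any range 81 pop2
access-list 101 permit ip any any
"""

def port(tok):
    """Resolve an IOS port keyword or a numeric port to an integer."""
    return IOS_TCP_PORT_NAMES.get(tok) if tok in IOS_TCP_PORT_NAMES else int(tok)

def parse_acl(lines, number):
    """Ordered (action, proto, lo, hi) entries for one numbered extended ACL ('any any' forms only)."""
    pat = re.compile(rf"^access-list {number} (permit|deny) (\S+) any any"
                     r"(?: (range (\S+) (\S+)|eq (\S+)))?$")
    rules = []
    for m in (pat.match(l.strip()) for l in lines):
        if not m:
            continue
        if m.group(4):
            lo, hi = port(m.group(4)), port(m.group(5))
        elif m.group(6):
            lo = hi = port(m.group(6))
        else:
            lo, hi = 0, 65535          # no port qualifier: whole range
        rules.append((m.group(1), m.group(2), lo, hi))
    return rules

def parse_static_nat(lines):
    """(proto, inside_ip, inside_port, outside_port) for each static port translation."""
    pat = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
    return [(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            for m in (pat.match(l.strip()) for l in lines) if m]

def acl_verdict(rules, proto, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, rproto, lo, hi in rules:
        if rproto in (proto, "ip") and lo <= dport <= hi:
            return action
    return "deny"

def audit(config=CONFIG):
    """Map each forwarded (proto, inside_ip, outside_port) to the inbound ACL's verdict.
    The inbound ACL on the NAT-outside interface sees the packet before translation,
    so it is the outside port, not the inside port, that must be permitted."""
    lines = config.splitlines()
    rules = parse_acl(lines, 101)
    return {(p, ip, out): acl_verdict(rules, p, out) for p, ip, _, out in parse_static_nat(lines)}
```

Running audit() shows every static translation permitted by ACL 101, while acl_verdict(rules, "tcp", 20) returns "deny", which is the FTP data port Rick points out.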