Port Forwarding (static PAT) not working

Unanswered Question
Nov 14th, 2008

Hi,

Hopefully someone will be able to help me with this one.

I'm trying to set up some static PAT rules so that certain external traffic, such as SMTP, gets forwarded to a particular internal server.

A bit of background on my setup.

I have 4 ADSL lines which are not bonded and therefore each have their own public IP address.

CEF and NAT are set up and outgoing traffic is being load balanced over the 4 lines on a stream-by-stream basis.

The problem is I have tried a couple of variants of setting up PAT but can't get anything to work.

Here's what I have tried

assuming my internal server's IP address is 192.168.1.10

and my public IP addresses are 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4.

Focusing on getting it to work for any line

interface FastEthernet0/0
 ip address 192.168.1.6 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 4
 !
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
 !
!
interface ATM0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 4
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer2
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ip access-group 6 out
 ip access-group 160 in
 encapsulation ppp
 dialer pool 3
 dialer-group 1
 no cdp enable
 .................
!
!
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
ip nat inside source route-map rmd0 interface Dialer0 overload
ip nat inside source route-map rmd1 interface Dialer1 overload
ip nat inside source route-map rmd2 interface Dialer2 overload
ip nat inside source route-map rmd3 interface Dialer3 overload
!
access-list 6 permit 192.168.1.0 0.0.0.255
! Block spoofing of our IP address
access-list 160 deny ip 192.168.1.0 0.0.0.255 any
! Allow incoming SMTP access to our server
access-list 160 permit tcp any host 10.10.10.1 eq 25
!
route-map rmd3 permit 10
 match ip address 6
 match interface Dialer3
!
route-map rmd2 permit 10
 match ip address 6
 match interface Dialer2
!
route-map rmd1 permit 10
 match ip address 6
 match interface Dialer1
!
route-map rmd0 permit 10
 match ip address 6
 match interface Dialer0

where the line

ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25

I have also tried

ip nat inside source static tcp 192.168.1.10 25 10.10.10.1 25 extendable

but that didn't work either.

Anyone got any bright ideas where I'm going wrong?

TIA.

Lee

Giuseppe Larosa Sat, 11/15/2008 - 02:02

Hello Lee,

dialer3 is a NAT outside interface. I don't think that access-list 6 out is matching: if packets are already NATted you will not see any source in range 192.168.1.0/24.

I would change:

int dialer3

no ip access-group 6 out

access-list 6 is also used inside the route-maps.

I would change access-list 6 so that the server never matches in the route-maps:

access-list 6 deny host 192.168.1.10

access-list 6 permit 192.168.1.0 0.0.0.255

Try with these changes.

Hope to help

Giuseppe

l33h3lluk Mon, 11/17/2008 - 03:12

Hi Giuseppe,

If I do this, wouldn't this stop the server from connecting to the internet?

I think I did try something similar (without the deny line on the server's address) and it was causing clients not to be able to connect to the internet when they used this line.

I assume you would leave the line

interface Dialer3

ip access-group 160 in

Do I also need to apply any ACLs on the FastEthernet0/0 interface to allow traffic in for the SMTP server?

TIA,

Lee

Giuseppe Larosa Mon, 11/17/2008 - 05:29

Hello Lee,

my concerns were the following:

a) avoid having an ACL that shouldn't match in the outbound direction on the dialer3 logical interface.

b) be sure that the IP address of the server has no chance of getting translated by the other NAT commands using the different route-maps, because you need consistency in the server translation to be reached from outside.

There are several examples of ACLs or extended ACLs used for NAT with the logic suggested for ACL 6 in the previous post.

In my opinion I would remove ACL 160 too, at least during testing.

Hope to help

Giuseppe

l33h3lluk Mon, 11/17/2008 - 06:50

Hi Giuseppe,

Sorry, I don't quite follow what you mean.

Ultimately I want to replicate the PAT on all 4 lines so the server could be accessed using any one of the 4 lines.

Could you give any examples please?

TIA,

Lee

l33h3lluk Tue, 11/18/2008 - 08:33

Hi,

Previously I have tried without any ACL set on the Dialer interface; this just results in the incoming traffic being blocked.

If I configure just an ACL such as 160 mentioned previously and set this on the Dialer's in direction like so

interface Dialer3

ip access-group 160 in

this results in other traffic being blocked: when users get put on this line through load balancing they cannot connect to the internet.

Am I correct in thinking that this is because when no ACLs are specified on an interface then traffic is being permitted because of my route-map rules, however when you specify an ACL on an interface this overrides the route-map ACL and does an implicit deny on all traffic except that which matches the interface's ACL? Hope that makes sense.

So how do I fix this? It must be a common thing to set up PAT.

Thanks,

Lee
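The behaviour described in the post above (applying ACL 160 inbound on Dialer3 cuts off everyone load-balanced onto that line) is what an inbound ACL with only a single permit and the implicit deny does: replies to sessions the LAN opened out of Dialer3 are dropped. The following is an added example, not from anyone in this thread and not Cisco's own documentation, showing the ACL as posted beside a corrected form. Addresses and interface names are the thread's; the DNS and ICMP permits and the availability of CBAC (`ip inspect`) on this IOS image are assumptions.

```cisco
! --- As posted: inbound ACL on Dialer3 admits only new SMTP sessions.
! Everything else, including replies to sessions the LAN opened out of
! Dialer3, falls to the implicit deny at the end of the list.
access-list 160 deny   ip 192.168.1.0 0.0.0.255 any
access-list 160 permit tcp any host 10.10.10.1 eq 25
!
! --- Corrected (added example): keep the anti-spoof line, admit SMTP to
! whatever address is negotiated on Dialer3 (the inbound ACL is evaluated
! before NAT, so it sees the public destination, not 192.168.1.10), and
! let return traffic through. 'established' only tests the ACK/RST bits
! and is a stateless check; the CBAC block further down is the stateful
! alternative and is the one to prefer when the image supports it.
! A final explicit deny with 'log' makes drops visible in the syslog.
no access-list 160
access-list 160 deny   ip 192.168.1.0 0.0.0.255 any
access-list 160 permit tcp any any eq 25
access-list 160 permit tcp any any established
! DNS replies to LAN resolvers (assumption about what the LAN needs)
access-list 160 permit udp any eq 53 any
! ping replies (assumption)
access-list 160 permit icmp any any echo-reply
access-list 160 deny   ip any any log
!
! Static PAT stays as in the original post; it follows the negotiated
! address on Dialer3, so no fixed public IP has to appear in the ACL.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
!
interface Dialer3
 ip access-group 160 in
 no ip access-group 6 out
!
! --- Stateful alternative (CBAC), assumed available on this image:
! sessions leaving Dialer3 are inspected and their replies admitted
! automatically, so the 'established' and UDP lines above become
! unnecessary and the inbound list can shrink to anti-spoof + SMTP.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
interface Dialer3
 ip inspect LAN-OUT out
```

With the corrected list in place, `show access-lists 160` shows the match counters climbing on the `permit tcp any any eq 25` line when an outside host connects to port 25, and `show ip nat translations | include :25` shows the static entry for 192.168.1.10:25 alongside the dynamic ones; a rising counter on the final `deny ip any any log` line, together with the logged source addresses, is where to look if something legitimate is still being dropped.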

Giuseppe Larosa Thu, 11/20/2008 - 05:52

Hello Lee,

>> PAT on all 4 lines so the server could be accessed using any one of the 4 lines.

I don't think you can achieve this: you can map the server socket (IP address + TCP port) to one line's public address but not to all of them at the same time.

This is why having 4 lines of 2 Mbps is not the same as having 1 line of 8 Mbps.

Best Regards

Giuseppe

l33h3lluk Thu, 11/20/2008 - 06:08

I would have thought it would be, given that each line would use a different public IP + port number combination.

i.e.

10.10.10.1:25

10.10.10.2:25

10.10.10.3:25

10.10.10.4:25

then given this I could connect to any one of these public IP addresses.

At the end of the day this is what I'm trying to achieve, however for now it would be good to just get it working on one line, then think about whether I can or can't do multiple lines, but even this is proving not straightforward.

I'm not sure where I'm going wrong.

TIA,

Lee
