Port Forwarding (static PAT) not working

Unanswered Question
Nov 14th, 2008

Hi,

Hopefully someone will be able to help me with this one.


I'm trying to set up some static PAT rules so that certain external traffic such as SMTP gets forwarded to a particular internal server.


Bit of background on my setup.


I have 4 ADSL lines which are not bonded and therefore each have their own public IP address.


CEF and NAT are set up and outgoing traffic is being load balanced over the 4 lines on a stream-by-stream basis.


The problem is I have tried a couple of variants of setting up PAT but can't get anything to work.


Here's what I have tried


assuming my internal server's IP address is 192.168.1.10

and my public IP addresses are 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4


Focusing on getting it to work for any line


interface FastEthernet0/0
 ip address 192.168.1.6 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 4
!
interface ATM0/1/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface ATM0/2/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 2
!
interface ATM0/3/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 4
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer2
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 2
 dialer-group 1
 no cdp enable
 .................
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ip access-group 6 out
 ip access-group 160 in
 encapsulation ppp
 dialer pool 3
 dialer-group 1
 no cdp enable
 .................
!
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
ip nat inside source route-map rmd0 interface Dialer0 overload
ip nat inside source route-map rmd1 interface Dialer1 overload
ip nat inside source route-map rmd2 interface Dialer2 overload
ip nat inside source route-map rmd3 interface Dialer3 overload
!
access-list 6 permit 192.168.1.0 0.0.0.255
!
! Block spoofing of our IP address
access-list 160 deny ip 192.168.1.0 0.0.0.255 any
! Allow incoming SMTP access to our server
access-list 160 permit tcp any host 10.10.10.1 eq 25
!
route-map rmd3 permit 10
 match ip address 6
 match interface Dialer3
!
route-map rmd2 permit 10
 match ip address 6
 match interface Dialer2
!
route-map rmd1 permit 10
 match ip address 6
 match interface Dialer1
!
route-map rmd0 permit 10
 match ip address 6
 match interface Dialer0




where, for the line

ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25

I have also tried

ip nat inside source static tcp 192.168.1.10 25 10.10.10.1 25 extendable

but that didn't work either.


Anyone got any bright ideas where I'm going wrong?


TIA.


Lee

Giuseppe Larosa Sat, 11/15/2008 - 02:02
User Badges: Super Silver (17500 points or more), Hall of Fame, Founding Member

Hello Lee,

Dialer3 is a NAT outside interface. I don't think that access-list 6 out is matching: if packets are already NATted you will not see any source in the range 192.168.1.0/24.

I would change:

int dialer3
 no ip access-group 6 out


access-list 6 is also used inside the route-maps.

I would change access-list 6 so that the server never matches in the route-maps:


access-list 6 deny host 192.168.1.10
access-list 6 permit 192.168.1.0 0.0.0.255


Try with these changes.


Hope to help

Giuseppe

l33h3lluk Mon, 11/17/2008 - 03:12

Hi Giuseppe,


If I do this wouldn't this stop the server from connecting to the internet?

I think I did try something similar (without the deny line on the server's address) and it was causing clients to be unable to connect to the internet when they used this line.


I assume you would leave the line

interface Dialer3
 ip access-group 160 in


Do I also need to apply any ACLs on the FastEthernet0/0 interface to allow traffic in for the SMTP server?


TIA,


Lee

Giuseppe Larosa Mon, 11/17/2008 - 05:29
User Badges: Super Silver (17500 points or more), Hall of Fame, Founding Member

Hello Lee,

My concerns were the following:


a) avoid having an ACL that shouldn't match, applied outbound on the Dialer3 logical interface.


b) be sure that the IP address of the server has no chance of getting translated by the other NAT commands using the different route-maps, because you need consistency in the server translation for it to be reached from outside.


There are several examples of ACLs or extended ACLs used for NAT with the logic suggested for ACL 6 in the previous post.


In my opinion I would remove ACL 160 too, at least during testing.


Hope to help

Giuseppe


l33h3lluk Mon, 11/17/2008 - 06:50

Hi Giuseppe,

Sorry I don't quite follow what you mean.


Ultimately I want to replicate the PAT on all 4 lines so the server could be accessed using any one of the 4 lines.


Could you give any examples please?


TIA,


Lee

l33h3lluk Tue, 11/18/2008 - 08:33

Hi,


Previously I have tried without any ACL set on the Dialer interface; this just results in the incoming traffic being blocked.


If I configure just an ACL such as 160 mentioned previously and apply it inbound on the Dialer interface like so


interface Dialer3
 ip access-group 160 in


this results in other traffic being blocked: when users get put on this line through load balancing they cannot connect to the internet.


Am I correct in thinking that this is because when no ACLs are specified on an interface then traffic is being permitted because of my route-map rules, however when you specify an ACL on an interface this overrides the route-map ACL and does an implicit deny on all traffic except that which matches the interface's ACL? Hope that makes sense.


So how do I fix this? It must be a common thing to set up PAT.


Thanks,


Lee
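The two problems discussed so far, the server being swept into the overload route-maps and the implicit deny at the end of ACL 160 cutting off return traffic for load-balanced clients, can be dealt with together. The configuration below is an added example written for this page; it is not a configuration from the thread or from Cisco. It assumes the addresses used above (server 192.168.1.10, inbound SMTP published on Dialer3), that the IOS image supports the `remark` and `established` keywords on extended ACLs, and that `10.10.10.1` is Dialer3's public address if that address is fixed rather than negotiated.

```cisco
! Added example (editor's, not from the thread). Addresses follow the
! thread: server 192.168.1.10, inbound SMTP published on Dialer3.
!
! 1. Keep the server out of the overload (PAT) route-maps so that its only
!    translation is the static one. Numbered ACLs cannot be reordered, so
!    the list is rebuilt.
no access-list 6
access-list 6 remark Inside hosts eligible for dynamic PAT; the SMTP server is excluded
access-list 6 deny   host 192.168.1.10
access-list 6 permit 192.168.1.0 0.0.0.255
!
! 2. Static port forward: TCP/25 on Dialer3's public address -> the server.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
!
! 3. Inbound filter on Dialer3. An interface ACL ends with an implicit deny,
!    so replies to sessions that inside clients opened through this line must
!    be permitted explicitly; 'established' matches TCP segments with the
!    ACK or RST bit set, which a reply to an outbound connection carries.
!    Inbound ACLs on a NAT outside interface are evaluated BEFORE the
!    outside->inside translation, so they see the public address, not
!    192.168.1.10. With a fixed public address, narrow the SMTP line to
!    'permit tcp any host 10.10.10.1 eq 25' (10.10.10.1 is the thread's
!    placeholder for the line's public address).
no access-list 160
access-list 160 remark Anti-spoofing: our inside range must never arrive from the internet
access-list 160 deny   ip 192.168.1.0 0.0.0.255 any log
access-list 160 remark Published service: SMTP to the server
access-list 160 permit tcp any any eq 25
access-list 160 remark Return traffic for TCP sessions opened from inside
access-list 160 permit tcp any any established
access-list 160 remark Return traffic for DNS and ICMP diagnostics (stateless)
access-list 160 permit udp any eq 53 any
access-list 160 permit icmp any any echo-reply
access-list 160 permit icmp any any unreachable
access-list 160 permit icmp any any time-exceeded
!
! 4. Apply: no outbound ACL 6 (post-NAT packets never carry 192.168.1.x),
!    ACL 160 inbound.
interface Dialer3
 no ip access-group 6 out
 ip access-group 160 in
!
! 5. Verification after a test connection from an outside host:
!    show ip nat translations | include :25
!    show access-lists 160
!    The static entry should appear with Dialer3's address as inside global,
!    and the hit counters on ACL 160 show which line each packet matched.
```

`established` is a stateless check on the TCP flag bits and does not track sessions; it is enough for the load-balancing problem described above but it is not a firewall. On images with the firewall feature set, `ip inspect` (CBAC) applied outbound on the dialer interface is the stateful alternative and can replace the `established` and UDP/ICMP lines. Run `show access-lists 160` before and after a failing test so the deny counter on the anti-spoofing line and the implicit deny (visible only through the absence of hits elsewhere) tell you which packets were dropped.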

Giuseppe Larosa Thu, 11/20/2008 - 05:52
User Badges: Super Silver (17500 points or more), Hall of Fame, Founding Member

Hello Lee,


>> PAT on all 4 lines so the server could be accessed using any one of the 4 lines.


I don't think you can achieve this: you can map the server socket (ip address + TCP port) to one line public address but not to all of them at the same time.


This is why having 4 lines of 2 Mbps is not the same as having 1 line of 8 Mbps.


Best Regards

Giuseppe



l33h3lluk Thu, 11/20/2008 - 06:08

I would have thought it would be, given that each line would use a different public IP + port number combination.


i.e.


10.10.10.1:25

10.10.10.2:25

10.10.10.3:25

10.10.10.4:25


Then, given this, I could connect to any one of these public IP addresses.


At the end of the day this is what I'm trying to achieve; however, for now it would be good to just get it working on one line, then think about whether I can or can't do multiple lines, but even this is proving not straightforward.


I'm not sure where I'm going wrong.


TIA,

Lee
