11-14-2008 08:56 AM - edited 03-06-2019 02:29 AM
Hi,
Hopefully someone will be able to help me with this one.
I'm trying to set up some static PAT rules so that certain external traffic such as SMTP gets forwarded to a particular internal server.
Bit of background on my setup.
I have 4 ADSL lines which are not bonded and therefore each have their own public IP address.
CEF and NAT are set up and outgoing traffic is being load balanced over the 4 lines on a stream by stream basis.
The problem is I have tried a couple of variants of setting up PAT but can't get anything to work.
Here's what I have tried,
assuming my internal server's IP address is 192.168.1.10
and my public IP addresses are 10.10.10.1, 10.10.10.2, 10.10.10.3, 10.10.10.4.
Focusing on getting it to work for any line:
interface FastEthernet0/0
ip address 192.168.1.6 255.255.255.0
ip nat inside
duplex auto
speed auto
no mop enabled
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 4
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/1/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/2/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/2/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface ATM0/3/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/3/0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 3
!
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 4
dialer-group 1
no cdp enable
.................
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
.................
!
interface Dialer2
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 2
dialer-group 1
no cdp enable
.................
!
interface Dialer3
ip address negotiated
ip nat outside
ip access-group 6 out
ip access-group 160 in
encapsulation ppp
dialer pool 3
dialer-group 1
no cdp enable
.................
!
!
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
ip nat inside source route-map rmd0 interface Dialer0 overload
ip nat inside source route-map rmd1 interface Dialer1 overload
ip nat inside source route-map rmd2 interface Dialer2 overload
ip nat inside source route-map rmd3 interface Dialer3 overload
access-list 6 permit 192.168.1.0 0.0.0.255
! Block spoofing of our IP address
access-list 160 deny ip 192.168.1.0 0.0.0.255 any
! Allow incoming SMTP access to our server
access-list 160 permit tcp any host 10.10.10.1 eq 25
route-map rmd3 permit 10
match ip address 6
match interface Dialer3
!
route-map rmd2 permit 10
match ip address 6
match interface Dialer2
!
route-map rmd1 permit 10
match ip address 6
match interface Dialer1
!
route-map rmd0 permit 10
match ip address 6
match interface Dialer0
Instead of the line
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
I have also tried
ip nat inside source static tcp 192.168.1.10 25 10.10.10.1 25 extendable
but that didn't work either.
Any one got any bright ideas where I'm going wrong?
TIA.
Lee
11-15-2008 02:02 AM
Hello Lee,
Dialer3 is a NAT outside interface. I don't think access-list 6 out is matching: if packets are already NATted you will not see any source in the range 192.168.1.0/24.
I would change:
int dialer3
no ip access-group 6 out
access-list 6 is also used inside the route-maps.
I would change access-list 6 so that the server never matches in the route-maps
access-list 6 deny host 192.168.1.10
access-list 6 permit 192.168.1.0 0.0.0.255
try with these changes
Hope to help
Giuseppe
11-17-2008 03:12 AM
Hi Giuseppe,
If I do this wouldn't this stop the server from connecting to the internet?
I think I did try something similar (without the deny line on the server's address) and it was causing clients not to be able to connect to the internet when they used this line.
I assume you would leave line
interface Dialer3
ip access-group 160 in
Do I also need to apply any ACLs on the FastEthernet0/0 interface to allow traffic in for the SMTP server?
TIA,
Lee
11-17-2008 05:29 AM
Hello Lee,
my concerns were the following:
a) avoid having an ACL that shouldn't match applied outbound on the Dialer3 logical interface.
b) be sure that the IP address of the server has no chance of getting translated by the other NAT commands using the different route-maps, because you need consistency in the server translation to be reachable from outside.
There are several examples of ACLs or extended ACLs used for NAT with the logic suggested for acl 6 in the previous post.
In my opinion I would remove acl 160 too, at least during testing.
Hope to help
Giuseppe
11-17-2008 06:50 AM
Hi Giuseppe,
Sorry I don't quite follow what you mean.
Ultimately I want to replicate the PAT on all 4 lines so the server could be accessed using any one of the 4 lines.
Could you give any examples please?
TIA,
Lee
11-18-2008 08:33 AM
Hi,
Previously I have tried without any ACL set on the Dialer interface, this just results in the incoming traffic being blocked.
If I configure just an ACL such as 160 mentioned previously and set this on the Dialer interface inbound like so
interface Dialer3
ip access-group 160 in
this results in other traffic being blocked: when users get put on this line through load balancing they cannot connect to the internet.
Am I correct in thinking that this is because when no ACLs are specified on an interface then traffic is being permitted because of my route-map rules, however when you specify an ACL on an interface this overrides the route-map ACL and does an implicit deny on all traffic except that which matches the interface's ACL? Hope that makes sense.
So how do I fix this? It must be a common thing to set up PAT.
Thanks,
Lee
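The following is an added example, not configuration posted by Lee or Giuseppe. It puts together, for a single line (Dialer3), the static PAT from Lee's first post, Giuseppe's suggestion to drop the outbound access-group 6 from Dialer3, and a fix for the symptom Lee describes above: an inbound ACL on a Cisco interface ends in an implicit deny, and the NAT route-maps do not permit anything through it, so replies to sessions that LAN clients opened over Dialer3 are dropped unless the ACL (or stateful inspection) lets them back in. Assumptions: 10.10.10.1 is the address PPP negotiates on Dialer3 (the thread does not say which public address belongs to which line), the IOS image includes the Classic Firewall `ip inspect` feature, and the inspect name FW-OUT is chosen here for illustration.

```cisco
! Added example, not from the thread. Single-line static PAT for SMTP on Dialer3.
! Assumes 10.10.10.1 is Dialer3's negotiated address and that the image supports
! ip inspect; FW-OUT is an illustrative name.
!
! Dynamic PAT for the LAN on this line, as in the original post. IOS consults
! static translations before dynamic ones, so the server's TCP/25 socket is
! always presented as Dialer3's address even though 192.168.1.10 also matches
! access-list 6 for its other outbound traffic.
access-list 6 permit 192.168.1.0 0.0.0.255
route-map rmd3 permit 10
 match ip address 6
 match interface Dialer3
ip nat inside source route-map rmd3 interface Dialer3 overload
!
! Static PAT: TCP/25 arriving on Dialer3's negotiated address -> 192.168.1.10:25
ip nat inside source static tcp 192.168.1.10 25 interface Dialer3 25
!
! Stateful inspection of sessions leaving via Dialer3 opens the return path
! through the inbound ACL automatically (TCP, UDP such as DNS, and ICMP), so
! LAN clients balanced onto this line still receive their replies.
ip inspect name FW-OUT tcp
ip inspect name FW-OUT udp
ip inspect name FW-OUT icmp
!
! Inbound filter for Dialer3. On IOS the inbound ACL is checked before
! outside-to-inside NAT, so it must match the public (pre-translation) address.
! Anything not listed here and not opened by inspection hits the implicit deny.
! Anti-spoofing: our own LAN range must never arrive from the outside.
access-list 160 deny ip 192.168.1.0 0.0.0.255 any
! Only inbound service exposed on this line: SMTP to the server's public socket.
access-list 160 permit tcp any host 10.10.10.1 eq 25
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ! access-list 6 matches pre-NAT private sources; outbound on a NAT outside
 ! interface it sees translated packets and never matches, so remove it.
 no ip access-group 6 out
 ip access-group 160 in
 ip inspect FW-OUT out
!
! Verification from exec mode:
!   show ip nat translations | include :25
!   show ip inspect sessions
!   show access-lists 160
```

If the image lacks `ip inspect`, the narrower substitute is `access-list 160 permit tcp any any established`, which readmits TCP replies only; UDP replies such as DNS would still need explicit permits, which is why the stateful form is preferable. The per-line mapping question raised later in the thread is not covered by this example.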
11-20-2008 02:43 AM
Anyone?
11-20-2008 05:52 AM
Hello Lee,
>> PAT on all 4 lines so the server could be accessed using any one of the 4 lines.
I don't think you can achieve this: you can map the server socket (ip address + TCP port) to one line public address but not to all of them at the same time.
This is why having 4 lines of 2 Mbps is not the same as having 1 line of 8 Mbps.
Best Regards
Giuseppe
11-20-2008 06:08 AM
I would have thought it would be, given that each line would use a different public IP + port number combination.
i.e.
10.10.10.1:25
10.10.10.2:25
10.10.10.3:25
10.10.10.4:25
then given this I could connect to any one of these public IP addresses.
At the end of the day this is what I'm trying to achieve; however, for now it would be good just to get it working on one line and then think about whether I can or can't do multiple lines, but even this is proving not straightforward.
I'm not sure where I'm going wrong.
TIA,
Lee