sr520 nat issue

Answered Question
Feb 19th, 2010

Hi, I have configured the SR520 using CCA.

Basically I have a device connected to the SR520 via wireless with the IP address 192.168.200.160.

The SR connects to the internet using ADSL and PPPoE.

I configured NAT to the device for a number of ports, however it doesn't work.

I have attached an extract from the config, any ideas what I am doing wrong?

Steven Smith Fri, 02/19/2010 - 11:58

What version of CCA are you using to do this?

Steven Smith Fri, 02/19/2010 - 14:11

Also could you tell what version of IOS you are running?


Can you also provide the following?

config t
term len 0
exit
show policy-map type inspect zone-pair sdm-zp-out-in

(will be a long output)
Steven Smith Mon, 02/22/2010 - 12:47

Could you run that same show command right after you try to connect to the web server for instance?  Also, you could run a sniffer on the web server to see if the traffic is getting to you, but not getting back out.  I have a few theories about why this isn't working, but would like some confirmation to what you are running into.

Correct Answer
Steven Smith Tue, 02/23/2010 - 14:50


Instead of...
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
   pass
Could you do
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
   inspect
I think that will fix the issue.


johnroche_2 Wed, 02/24/2010 - 08:54

see below



LOUGH-520-R1(config-pmap)#class type SDM-inspect-staticnat-in

LOUGH-520-R1(config-pmap-c)#inspect

%Pass action is already configured. Please remove pass action to configure inspect action

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#no pass

LOUGH-520-R1(config-pmap-c)#in

LOUGH-520-R1(config-pmap-c)#inspect

%No specific protocol configured in class SDM-inspect-staticnat-in for inspection. All protocols will be inspected


LOUGH-520-R1(config-pmap-c)#


Steven Smith Wed, 02/24/2010 - 08:56

Could you post a show run for this section?  Also, could you try passing the traffic?

alissitz Fri, 02/26/2010 - 07:05

Coming into this late ...


Is outgoing fine, just incoming to the specific device on the required ports is not working?

Steven Smith Fri, 02/26/2010 - 07:10

The config looks correct now.  Is it still not passing traffic?

johnroche_2 Fri, 02/26/2010 - 07:36

The issue is NAT from the internet to the inside.

If I VPN to the router and test www to the inside IP (192.168.200.160) I get a webpage, so I know the host is running port 80.


From the internet I get nothing.


John

alissitz Fri, 02/26/2010 - 11:15

Not sure if I am chasing a wild goose here ... but should this be changed?


class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat


Change to a match-any:


class-map type inspect match-any SDM-inspect-staticnat-in
match access-group name staticnat


If you do make this change, then you would want to modify the policy map back to pass instead of inspect. You modified this earlier ...


Have you considered calling TAC as well?  The FE and ADSL model is supported by Cisco TAC.  I would be interested to hear what they have to say  ...


Do please provide an update when you can.  Kindest regards


Andrew Lissitz

Steven Smith Fri, 02/26/2010 - 11:34

I don't believe the match-any will change anything.  Match-all means match every line below; see the areas where it says match X ACL and match protocol http.  In this case, it must pass the ACL and must be HTTP traffic.  With match-all and one line, it is essentially the same thing as match-any.  Traffic should be matching that ACL.



Can you provide a terminal output when you try to access the web server?

johnroche_2 Mon, 03/15/2010 - 15:34

Hi

My issue is resolved.

I noticed some funnies!!

I had to clear the PPPoE session for it to work.

I also noticed every time you add another NAT I need to remove "pass" and put in "inspect".

Also, one of the reasons I took so long getting back to you is CCA doesn't play nice with DDNS.

Sometimes it seems to create a new dialer; it looks like it only partially configures DDNS. "ip ddns update hostname" was missing.
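Added example, not from the thread, Cisco or CCA: a small Python checker for the two points above, Steven's answer that the static-NAT inbound class must use inspect rather than pass (pass forwards the packet without creating a session, so the server's reply has no state to match), and John's note that every NAT added through CCA resets the class to pass. It parses a show-run extract in the layout CCA writes, flags any "staticnat" class not set to inspect, and emits the fix with "no pass" first, since IOS rejects inspect while pass is configured (the error John hit). The sample config and the "staticnat" name marker are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape CCA writes for the SR520 (names from the
# thread, contents made up): the static-NAT class is still set to 'pass'.
SAMPLE_CONFIG = """\
policy-map type  inspect sdm-inspect-voip-in
 class type inspect SDM-inspect-staticnat-in
  pass
policy-map type inspect sdm-permit
 class type inspect sdm-cls-insp-traffic
  inspect
"""

def parse_policy_maps(config: str) -> Dict[str, Dict[str, Optional[str]]]:
    """{policy_map: {class: action}} from show-run text; only the ZBF actions
    pass/inspect/drop are read and CCA's doubled spaces are tolerated."""
    maps: Dict[str, Dict[str, Optional[str]]] = {}
    pmap = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map\s+type\s+inspect\s+(\S+)$", line):
            pmap, cls = m.group(1), None
            maps[pmap] = {}
        elif pmap and (m := re.match(r"class\s+(?:type\s+inspect\s+)?(\S+)$", line)):
            cls = m.group(1)
            maps[pmap].setdefault(cls, None)
        elif pmap and cls and line in ("pass", "inspect", "drop"):
            maps[pmap][cls] = line
    return maps

def find_stateless_nat_classes(config: str, marker: str = "staticnat") -> List[Tuple[str, str, Optional[str]]]:
    """Flag inbound static-NAT classes not set to 'inspect': 'pass' forwards
    the packet without creating a session, so the reply has no state to match."""
    return [(pmap, cls, action)
            for pmap, classes in parse_policy_maps(config).items()
            for cls, action in classes.items()
            if marker in cls.lower() and action != "inspect"]

def remediation_commands(hits: List[Tuple[str, str, Optional[str]]]) -> List[str]:
    """IOS lines to switch each flagged class to 'inspect'; 'no pass' goes first
    because IOS rejects 'inspect' while 'pass' is configured (error in thread)."""
    cmds: List[str] = []
    for pmap, cls, action in hits:
        cmds += [f"policy-map type inspect {pmap}", f" class type inspect {cls}"]
        if action == "pass":
            cmds.append("  no pass")
        cmds.append("  inspect")
    return cmds
```

Run it against a fresh show-run extract after each CCA change to catch the class drifting back to pass.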

lukeperkins Fri, 08/05/2011 - 11:05

I found this out too. I used the dynamicDNS UC520 document to help me figure this out.


I wish the CCA would have a more complete GUI to set up and test the DDNS system on the SR520.
