Static NAT - reaching outside address from private LAN (1841 ISR)

Answered Question
Apr 5th, 2010

Dear Experts,


I'm quite new to Cisco and I'm currently working on my CCNA. I recently had the opportunity to take a closer look at the following devices:


- Cisco 1841 ISR

- Cisco Catalyst 2950 24 port

- Cisco Aironet 1231AG


As a start, I wanted to replace my SOHO hardware and upgrade my home network to these devices. My ISP provides Internet connectivity through cable, which is basically Fast Ethernet through the cable modem. FastEthernet 0/1 is connected to the modem and acquires an IP address through DHCP. The internal interface of the 1841 has a static IP address of 192.168.0.1/24. On the router I enabled the onboard DNS server and enabled port address translation. The configuration file looks like the following:



Current configuration : 3253 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Odin
!
boot-start-marker
boot system flash c1841-adventerprisek9-mz.124-24.T1.bin
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$ZgH.$IeANuKYd/rNpxUuqXo6.k/
!
no aaa new-model
dot11 syslog
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.0.20
ip dhcp excluded-address 192.168.0.25
ip dhcp excluded-address 192.168.0.198
ip dhcp excluded-address 192.168.0.188
!
ip dhcp pool test
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 10.0.0.254
   netbios-name-server 192.168.0.198
   domain-name marcinet
!
ip dhcp pool marcinet-dynamic
   network 192.168.0.0 255.255.255.0
   next-server 192.168.0.198
   dns-server 192.168.0.1
   default-router 192.168.0.1
   netbios-name-server 192.168.0.198
!
ip dhcp pool marcinet-static
   origin file flash:marcinet-dhcp.txt
!
!
ip cef
ip inspect name CBAC-OUT tcp
ip inspect name CBAC-OUT udp
ip inspect name CBAC-OUT dns
ip inspect name CBAC-OUT icmp
ip inspect name CBAC-OUT ftp
ip inspect name CBAC-OUT ntp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
username stmarci privilege 15 secret 5 $1$yNWB$d4VthFfBGEE.OF4vnuV6R0
archive
 log config
  hidekeys
!
!
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.50 80 interface FastEthernet0/1 8080
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 permit tcp any any eq 8080
!
!
!
!
!
!
control-plane
!
!
banner motd ^CWARNING! You have entered a private network. Unauthorized access will be severely punished by legal means according to current law. Your activity might be monitored.^C
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login local
!
scheduler allocate 20000 1000
end


Everything works fine (I mean all the internal devices have Internet connectivity and CBAC works as expected, but these are not listed in the config). The problem I'm posting about is that when I add static NAT entries (in SOHO devices this is called port mapping) I can only reach internal services from an outside IP address. The problematic entry:


ip nat inside source static tcp 192.168.0.50 80 interface FastEthernet0/1 8080


This means that I can reach the web server on my internal network from another network on port 8080, but I cannot reach it from 192.168.0.0/24. Let's say that the outside address is 11.111.111.12; then from 192.168.0.50 or 192.168.0.10 I am unable to browse the homepage at 11.111.111.12:8080.


I read lots of forum threads and manuals but I can't see the reason for this happening. I had no such problem with soho devices like D-link or SMC.


I tried to make a "raw" connection with PuTTY to the port and outside IP address, but the router closes the connection ("Connection closed by remote host").


I also experienced an interesting effect with the router:


When I change the outside interface's MAC address to one that is on the inside network, the communication with these devices fails. Again, this is not a problem with most SOHO devices. Is there a way to isolate the inside and outside interfaces?


Any help would be greatly appreciated (the static NAT problem is of much higher importance), thank you in advance!


Márton

droeun141 Mon, 04/05/2010 - 06:39

Why not just use a host file with real IP for internal clients?  Only traffic coming through an interface tagged with 'ip nat outside' triggers the NAT rule.

steierlein.marton Mon, 04/05/2010 - 07:00

Thanks for your answer! But can you be more specific? Are you suggesting that when I enter the outside IP address in the browser it doesn't trigger the static rule? Is it possible to make it persistent?


Best regards,

Márton

droeun141 Mon, 04/05/2010 - 07:09

Not if you're sourcing from the 192.168.0.0/24 network.  You have to connect to 192.168.0.50 on port 80 directly if you're inside.  From outside you would connect to your WAN interface on port 8080.  If it's registered in DNS you can modify your host file to point to the real IP address instead while outside users will resolve the WAN IP.  If the router supports it you can also use DNS doctoring.

steierlein.marton Mon, 04/05/2010 - 08:04

Thank You!


If I understand correctly, then what I seek is not possible. Don't you happen to know why? Actually the inside services are not that important to use DNS; these are just simple port forwards to allow specific applications to work properly.


This is strange, because Linksys and other home routers have no problems accessing the outside IP and port forwards.


Anyway thank you for your help!

Correct Answer
Laszlo Zoltan Wed, 04/21/2010 - 08:16

Dear Marton,

Please try this:

!
interface FastEthernet0/0
 ip nat enable
!
interface FastEthernet0/1
 ip nat enable
!
ip nat source list 1 interface FastEthernet0/1 overload
ip nat source static tcp 192.168.0.50 80 interface FastEthernet0/1 8080
!

This is the "NAT Virtual Interface Support" of the IOS, which is used for Inside-to-Inside NAT.

This feature was introduced in version 12.3(14)T. I hope that your IOS supports it.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html

I hope that this is useful for you.

Best wishes,

Laszlo
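
A small Python model of why the classic inside/outside NAT rejects the hairpin connection from the LAN and why the NVI configuration in the answer above accepts it. This is an added illustration, not Cisco code or anything posted in the thread; 11.111.111.12 stands in for the DHCP-assigned WAN address as in the question, 203.0.113.7 and 198.51.100.5 are constructed outside hosts, and the NVI behaviour (static destination mapping checked first, overload source translation applied when the packet leaves any NAT-enabled interface, including the one it arrived on) is a deliberate simplification assumed here.

```python
# Simplified model of the two IOS NAT modes discussed in the thread.
# Constructed values: WAN_IP stands in for the DHCP address on Fa0/1.
WAN_IP = "11.111.111.12"
LAN_NET = "192.168.0."            # access-list 1 permit 192.168.0.0 0.0.0.255
# ip nat ... source static tcp 192.168.0.50 80 interface FastEthernet0/1 8080
STATIC = {(WAN_IP, 8080): ("192.168.0.50", 80)}


def in_lan(ip):
    """True when the address falls inside the overload ACL (list 1)."""
    return ip.startswith(LAN_NET)


def classic_nat(ingress, src, dst):
    """Domain NAT: 'ip nat inside' on Fa0/0, 'ip nat outside' on Fa0/1.
    src/dst are (ip, port). Returns (src, dst, where the packet ends up)."""
    if ingress == "outside":
        # outside -> inside is the only direction in which the static
        # entry rewrites the destination (global -> local).
        if dst in STATIC:
            return src, STATIC[dst], "192.168.0.50 (forwarded)"
        return src, dst, "router"
    # Arrived on the inside interface: destination is never rewritten, so a
    # LAN client talking to WAN_IP:8080 hits the router itself; nothing
    # listens there, hence the TCP RST the poster saw in PuTTY.
    if dst[0] == WAN_IP:
        return src, dst, "router (RST)"
    # inside -> outside: overload source translation (port kept for brevity)
    if in_lan(src[0]):
        return (WAN_IP, src[1]), dst, "internet (forwarded)"
    return src, dst, "internet (forwarded)"


def nvi_nat(ingress, src, dst):
    """NVI: 'ip nat enable' on both interfaces. Translation no longer depends
    on the ingress domain, so 'ingress' is accepted but ignored on purpose."""
    # 1. static destination mapping is checked for any NAT-enabled ingress
    if dst in STATIC:
        dst = STATIC[dst]
    # 2. overload source rule applies on egress from any NAT-enabled
    #    interface, even the one the packet came in on (hairpin). The server
    #    therefore sees WAN_IP as the client and replies via the router,
    #    which un-translates the reply.
    if in_lan(src[0]):
        src = (WAN_IP, src[1])
    target = ("192.168.0.50 (forwarded)" if dst[0] == "192.168.0.50"
              else "internet (forwarded)")
    return src, dst, target
```

One consequence worth knowing when reading the web server's logs: with NVI hairpinning, LAN clients that connect via the outside address show up as the router's WAN address, not their own.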

steierlein.marton Thu, 04/22/2010 - 05:27

Dear Laszlo,


Thank you very much for your help, your configuration has just solved my problem!


Best regards,

Márton

droeun141 Thu, 04/22/2010 - 06:46

Good find.  What exactly does it do to fix it?
