NAT

Answered Question
Apr 16th, 2010

Hi all,

I have a problem and I don't know how to solve it. I need all requests arriving on the WAN interface of R2 on ports 22, 80, 800 and 843 to be redirected to the address 192.168.0.91. Here is my configuration and topology:

access-list 110 permit tcp any host 213.190.2.182 eq 22
access-list 110 permit tcp any host 213.190.2.182 eq www
access-list 110 permit tcp any host 213.190.2.182 eq 800
access-list 110 permit tcp any host 213.190.2.182 eq 843

ip nat outside source static 213.190.2.182 192.168.0.91

interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.128 secondary
ip address 192.168.1.30 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto

!

!

interface GigabitEthernet1/0
ip address 213.190.2.182 255.255.255.0
ip nat outside
ip virtual-reassembly
negotiation auto

When I type the command "sh ip nat translations", this is the result:

Pro Inside global      Inside local       Outside local      Outside global
--- ---                ---                192.168.0.91       213.190.2.182

Anyone know what I'm doing wrong?

Thanks

Jennifer Halim Fri, 04/16/2010 - 05:31

You should remove this:

ip nat outside source static 213.190.2.182 192.168.0.91

It should be as follows:

ip nat inside source static tcp 192.168.0.91 22 interface GigabitEthernet1/0 22
ip nat inside source static tcp 192.168.0.91 80 interface GigabitEthernet1/0 80
ip nat inside source static tcp 192.168.0.91 800 interface GigabitEthernet1/0 800
ip nat inside source static tcp 192.168.0.91 843 interface GigabitEthernet1/0 843

Then issue clear ip nat trans *

emilio1973 Fri, 04/16/2010 - 05:45

Thanks for your reply,

I tried it and this is the result:

sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 213.190.2.182:22   192.168.0.91:22    ---                ---
tcp 213.190.2.182:80   192.168.0.91:80    ---                ---
tcp 213.190.2.182:800  192.168.0.91:800   ---                ---
tcp 213.190.2.182:843  192.168.0.91:843   ---                ---
GW1-IPSA#

I can't access the address 192.168.0.91 by SSH. Can you help me?

Thanks

Jennifer Halim Fri, 04/16/2010 - 05:49

Are you seeing the connections coming in?

I assume that you are trying to SSH to the WAN IP address (213.190.2.182) from the Internet?

Do you have access-list configured on the WAN interface? and are you seeing a hit count?

emilio1973 Fri, 04/16/2010 - 05:59

Hi,

sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.30    YES manual up                    up 
FastEthernet0/1            unassigned      YES unset  administratively down down
GigabitEthernet1/0         213.190.2.182   YES manual up                    up 
GigabitEthernet2/0         unassigned      YES unset  administratively down down
NVI0                       unassigned      NO  unset  up                    up

I have an access-list configured and applied on the WAN interface. I try to access the address 192.168.0.91 by SSH from R3 (the internet in this case) and this is the result:

R3#ssh -l abcd 192.168.0.91
% Destination unreachable; gateway or host down

R2#sh ip nat statistics
Total active translations: 4 (0 static, 4 dynamic; 4 extended)
Outside interfaces:
  GigabitEthernet1/0
Inside interfaces:
  FastEthernet0/0
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
Queued Packets: 0
GW1-IPSA#

Correct Answer
Jennifer Halim Fri, 04/16/2010 - 06:03

Well, you don't SSH to the private ip address. That is the whole point of NATing it to a public ip address. If you are just going to SSH to the private ip address, then you don't need to configure NATing at all. If you try to SSH from the internet, then you need to NAT as only public ip address is accessible from the internet.

So from R3, you should be doing the following:

ssh -l abcd 213.190.2.182

Please also share the output of "show access-list"

emilio1973 Fri, 04/16/2010 - 06:09

This is the result:

R3#ssh -l abcd 213.190.2.182
% Destination unreachable; gateway or host down

R2#sh access-lists
Extended IP access list 110
    10 permit icmp any host 192.168.0.91 (for test)
    20 permit tcp any host 192.168.0.91 eq 22
    30 permit tcp any host 192.168.0.91 eq www
    40 permit tcp any host 192.168.0.91 eq 800
    50 permit tcp any host 192.168.0.91 eq 843

Thanks for your help

Jennifer Halim Fri, 04/16/2010 - 06:15

Access-list is incorrect. You should be matching on the public ip address as follows:

access-list 110 permit icmp any host 213.190.2.182
access-list 110 permit tcp any host 213.190.2.182 eq 22
access-list 110 permit tcp any host 213.190.2.182 eq 80
access-list 110 permit tcp any host 213.190.2.182 eq 800
access-list 110 permit tcp any host 213.190.2.182 eq 843
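The two corrections in this thread (use `ip nat inside source static tcp` port forwards instead of an `ip nat outside source static` entry, and write the WAN access-list against the public address) both follow from the order in which IOS handles a packet entering an `ip nat outside` interface: the inbound ACL is evaluated first, and only then is the destination rewritten from the inside global to the inside local address. The following Python model is an added example, not code from the thread or from Cisco; the class and function names and the 203.0.113.10 client address are constructed for the illustration. It runs the same SSH SYN from R3 through the three configurations discussed above and reports where the packet ends up.

```python
"""Toy model (not IOS code) of how a Cisco router handles a packet arriving on
an 'ip nat outside' interface.  The inbound access-list is evaluated before the
outside-to-inside NAT rewrite, so the ACL must match the public (inside
global) address; only afterwards does an 'ip nat inside source static tcp'
entry rewrite the destination to the private (inside local) host.  All names
and the 203.0.113.10 client address are constructed for this example."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list 110 permit <proto> any host <dst> [eq <port>]' line."""
    proto: str
    dst: str
    port: Optional[int] = None   # None = no port match (e.g. the icmp entry)


@dataclass(frozen=True)
class PortForward:
    """'ip nat inside source static tcp <local> <lport> interface <wan> <gport>',
    with the WAN interface address already resolved to a literal."""
    local: str
    lport: int
    glob: str
    gport: int


def acl_permits(acl: List[AclEntry], pkt: Packet) -> bool:
    """Top-down evaluation with IOS's implicit 'deny any' at the end."""
    for e in acl:
        if e.proto != pkt.proto or e.dst != pkt.dst:
            continue
        if e.port is not None and e.port != pkt.dport:
            continue
        return True
    return False


def nat_outside_to_inside(fwds: List[PortForward], pkt: Packet) -> Packet:
    """Rewrite destination global->local when a static entry matches.
    An 'ip nat outside source static' entry only rewrites the *source* of
    packets that come from that outside host, so it never does this."""
    for f in fwds:
        if pkt.proto == "tcp" and pkt.dst == f.glob and pkt.dport == f.gport:
            return Packet(pkt.proto, pkt.src, f.local, f.lport)
    return pkt


def process_inbound(acl, fwds, pkt, router_wan_ip):
    """Fate of a packet entering the WAN interface: ACL first, then NAT."""
    if not acl_permits(acl, pkt):
        return "dropped by inbound ACL"
    out = nat_outside_to_inside(fwds, pkt)
    if out.dst == router_wan_ip:
        return "not translated: terminates on the router itself"
    return f"forwarded to {out.dst}:{out.dport}"


WAN = "213.190.2.182"
SERVER = "192.168.0.91"
PORTS = (22, 80, 800, 843)
# Constructed SSH SYN from the 'internet' side (R3) to the public address.
SSH_FROM_R3 = Packet("tcp", "203.0.113.10", WAN, 22)


def acl_on_private_host():
    return [AclEntry("tcp", SERVER, p) for p in PORTS]


def acl_on_public_host():
    return [AclEntry("icmp", WAN)] + [AclEntry("tcp", WAN, p) for p in PORTS]


def port_forwards():
    return [PortForward(SERVER, p, WAN, p) for p in PORTS]


def scenario_acl_written_for_private_ip():
    # ACL lines match 192.168.0.91; the packet still carries 213.190.2.182
    # when the ACL runs, so nothing matches and the hit counters stay at 0.
    return process_inbound(acl_on_private_host(), port_forwards(), SSH_FROM_R3, WAN)


def scenario_no_inside_source_entries():
    # ACL fixed, but only 'ip nat outside source static' configured: the
    # destination is never rewritten, so the SYN targets the router itself.
    return process_inbound(acl_on_public_host(), [], SSH_FROM_R3, WAN)


def scenario_corrected():
    return process_inbound(acl_on_public_host(), port_forwards(), SSH_FROM_R3, WAN)


if __name__ == "__main__":
    for fn in (scenario_acl_written_for_private_ip,
               scenario_no_inside_source_entries, scenario_corrected):
        print(f"{fn.__name__}: {fn()}")
```

The model also explains the zero hit counts seen on the private-address ACL: an inbound ACL on the outside interface only ever sees the public destination, so a line written for 192.168.0.91 can never match there, and the implicit deny drops the session before NAT gets a chance to forward it.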

emilio1973 Fri, 04/16/2010 - 06:32

Ok, this is the output of the "show access-list" command on R2:

R2#sh access-lists
Extended IP access list 110
    10 permit icmp any host 213.190.2.182 (30 matches)
    20 permit tcp any host 213.190.2.182 eq 22 (16 matches)
    30 permit tcp any host 213.190.2.182 eq www
    40 permit tcp any host 213.190.2.182 eq 800
    50 permit tcp any host 213.190.2.182 eq 843

However, I still cannot access the address 192.168.0.91:

R3#ssh -l emilio 213.190.2.182

(takes a few seconds but this is the result)

R3#

or

R3#ssh -l abcd192.168.0.91
% Destination unreachable; gateway or host down

R3#

Thanks for your time

Jennifer Halim Fri, 04/16/2010 - 06:41

Is the host itself listening on port 22, 80, 800 and 843?

Are you able to access it from internally within the same subnet?

From R2, can you try to telnet on the port:

Test the following:

telnet 192.168.0.91 22

telnet 192.168.0.91 80

telnet 192.168.0.91 800

telnet 192.168.0.91 843

emilio1973 Fri, 04/16/2010 - 06:50

Ok, I'm not sure about that. This is the result:

R2# telnet 192.168.0.91 22
Trying 192.168.0.91, 22 ...
% Connection timed out; remote host not responding

R2#telnet 192.168.0.91 80
Trying 192.168.0.91, 80 ...
% Connection timed out; remote host not responding

R2#

Here is the configuration of R1:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!
aaa session-id common
!
!
ip cef
ip domain name cisco.rtp.com
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username abcd privilege 15 password 0 abcd
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.0.91 255.255.255.0
duplex half
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
!
end

Jennifer Halim Fri, 04/16/2010 - 06:58

Well, first of all, HTTP server has not been enabled.

For SSH on a router, you would need to generate an RSA keypair and also configure "line vty 0 4" to allow SSH. I don't know how you are going to be able to connect on the remainder of the ports, 800 and 843, because you haven't configured anything on this router.

What are you actually trying to achieve here?

The only thing which will work is ping.

emilio1973 Fri, 04/16/2010 - 07:26

Well, I'm working on a lab test with GNS3. In the real case R1 will be a server. I'll now just generate an RSA keypair and also configure "line vty 0 4" to allow SSH.

I need to access R1 by SSH from anywhere (icmp is only for test)

This is the output of ping:

R3#ping 213.190.2.182

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 213.190.2.182, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/91/196 ms

But if I ping the address 192.168.0.91, this is the result:

R3#ping 192.168.0.91

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.91, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R3#

If ping works right, the rest should work right too, but that does not happen. Why?

Jennifer Halim Fri, 04/16/2010 - 07:49

It looks like your GNS3 is not working correctly.

It works fine in an IOS router.

Are you testing the secondary ip address theory?

emilio1973 Fri, 04/16/2010 - 09:14

Ok, tomorrow I'll try it in a real router. I'll keep you updated.

Thanks for your time

emilio1973 Fri, 04/16/2010 - 15:04

The R2 config now:

interface FastEthernet0/0
ip address 192.168.0.2 255.255.255.128 secondary
ip address 192.168.1.30 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex half
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet1/0
ip address 213.190.2.182 255.255.255.0
ip access-group 110 in
ip nat outside
ip virtual-reassembly
negotiation auto
!
interface GigabitEthernet2/0
no ip address
shutdown
negotiation auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source static tcp 192.168.0.91 843 interface GigabitEthernet1/0 843
ip nat inside source static tcp 192.168.0.91 800 interface GigabitEthernet1/0 800
ip nat inside source static tcp 192.168.0.91 80 interface GigabitEthernet1/0 80
ip nat inside source static tcp 192.168.0.91 22 interface GigabitEthernet1/0 22
!
access-list 110 permit icmp any host 213.190.2.182
access-list 110 permit tcp any host 213.190.2.182 eq 22
access-list 110 permit tcp any host 213.190.2.182 eq www
access-list 110 permit tcp any host 213.190.2.182 eq 800
access-list 110 permit tcp any host 213.190.2.182 eq 843
!

emilio1973 Tue, 04/20/2010 - 00:51

Hi Halijenn,

I'm so sorry but I was wrong with my topology and I could not explain what I needed. First, I had not understood the secondary ip feature well. Second, I only needed a NAT from the LAN IP to the WAN IP, mapping the ports 22, 80, 800 and 843 to the ip 192.168.0.91, whose gateway is the 192.168.0.2 secondary ip. Third, I did not need the access list. Sorry to waste your time; I appreciate your help, and as you can see I was wrong. I'm adding the right topology and config.

Thanks

Jennifer Halim Tue, 04/20/2010 - 03:49

I don't think you can connect 2 routers with one router using its primary ip address to connect to another router that uses its secondary ip address in the same subnet.

Currently on R1 (fa0/0) primary address is 192.168.0.91, and R2 (fa0/0) primary address is 192.168.1.30 - they are not in the same subnet. Both primary addresses need to be in the same subnet, then you can configure secondary addresses as follows:

On R1:

interface fa0/0
 ip address 192.168.0.91 255.255.255.0
 ip address 192.168.1.31 255.255.255.0 secondary

On R2:

interface fa0/0
 ip address 192.168.0.2 255.255.255.0
 ip address 192.168.1.30 255.255.255.0 secondary

emilio1973 Tue, 04/20/2010 - 04:39

Hi,

Ok, I think that I have not explained it well. R1 is a server that must be accessible only through the ports 22, 80, 800 and 843. The configuration is as follows:


interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.128 secondary
 ip address 192.168.1.30 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0:0
 bandwidth 2048
 ip address 213.190.2.182 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 load-interval 30
 no fair-queue
 serial restart-delay 0
 no cdp enable
!
ip nat inside source static tcp 192.168.0.91 843 interface Serial0/0:0 843
ip nat inside source static tcp 192.168.0.91 800 interface Serial0/0:0 800
ip nat inside source static tcp 192.168.0.91 80 interface Serial0/0:0 80

Do you think this is the most appropriate way to do it, or is there another?

Thanks

Jennifer Halim Tue, 04/20/2010 - 04:49

The static nat statements are correct, but as advised earlier, the ip addressing configured on the router is not correct.

Both R1 and R2 need to have their primary ip address in the same subnet.
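The addressing rule stated in the replies above (both routers' primary addresses on the shared link must be in one subnet, with secondaries paired the same way) is easy to check mechanically before a change window. The script below is an added example, not code from the thread or from Cisco: it parses the `ip address` lines of two IOS interface stanzas with Python's standard `ipaddress` module and compares the networks. The stanza texts are copied from the configurations posted in this thread; the function names are constructed for the example.

```python
"""Added check (not from the thread): parse the 'ip address' lines of two IOS
interface stanzas and test the rule that both routers' primary addresses must
sit in one subnet, with secondary subnets paired on both sides."""
import re
from ipaddress import ip_interface

ADDR_LINE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$")


def parse_addresses(stanza):
    """Return (primary, [secondaries]) as ip_interface objects."""
    primary, secondaries = None, []
    for line in stanza.splitlines():
        m = ADDR_LINE.match(line)
        if not m:
            continue
        ip, mask, secondary = m.groups()
        iface = ip_interface(f"{ip}/{mask}")   # dotted mask is accepted by ipaddress
        if secondary:
            secondaries.append(iface)
        else:
            primary = iface
    return primary, secondaries


def primaries_share_subnet(stanza_a, stanza_b):
    """The rule from the reply: primary addresses must be in one subnet."""
    pa, _ = parse_addresses(stanza_a)
    pb, _ = parse_addresses(stanza_b)
    return pa is not None and pb is not None and pa.network == pb.network


def secondaries_pair_up(stanza_a, stanza_b):
    """Every secondary subnet on one side has a matching secondary on the other."""
    _, sa = parse_addresses(stanza_a)
    _, sb = parse_addresses(stanza_b)
    return {i.network for i in sa} == {i.network for i in sb}


# Interface stanzas as posted earlier in the thread.
R1_POSTED = """interface FastEthernet0/0
 ip address 192.168.0.91 255.255.255.0
"""
R2_POSTED = """interface FastEthernet0/0
 ip address 192.168.0.2 255.255.255.128 secondary
 ip address 192.168.1.30 255.255.255.0
"""
# Addressing suggested in the reply above.
R1_FIXED = """interface fa0/0
 ip address 192.168.0.91 255.255.255.0
 ip address 192.168.1.31 255.255.255.0 secondary
"""
R2_FIXED = """interface fa0/0
 ip address 192.168.0.2 255.255.255.0
 ip address 192.168.1.30 255.255.255.0 secondary
"""

if __name__ == "__main__":
    for label, a, b in (("posted", R1_POSTED, R2_POSTED), ("fixed", R1_FIXED, R2_FIXED)):
        print(f"{label}: primaries share subnet = {primaries_share_subnet(a, b)}, "
              f"secondaries pair up = {secondaries_pair_up(a, b)}")
```

Run against the posted configuration the check fails on both counts (primaries 192.168.0.0/24 versus 192.168.1.0/24, and a /25 secondary on R2 with no counterpart on R1); against the suggested addressing both checks pass.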

emilio1973 Wed, 04/28/2010 - 00:47

Hi,

We are experiencing low speed problems in this router and are starting to think that it may be due to the secondary ip feature not being properly implemented.

I'm adding our topology; apparently it is working correctly and our client receives no delays or packet loss. Do you think it may be due to the design of the network? Does anyone believe they could improve it?
