IOS NAT issue

Answered Question
May 21st, 2010

I am trying to create a NAT statement to allow an Internet address to translate to an inside address with all ports open between them. Can somebody help with some code examples or suggestions?

For example 208.7.xx.xx ---> 10.0.107.xx

Thank you

Federico Coto F... Fri, 05/21/2010 - 11:41

Peter,

What you're looking at is just the static NAT statement to allow outside access to a server.

When you're talking about permissions, that's handled by ACLs.

If the router has no ACLs, then by default all IP (TCP/UDP) traffic is permitted.

If the router has an ACL applied to its outside interface, then you need to make sure that the desired ports are allowed through.

Federico.

peter.williams@... Fri, 05/21/2010 - 12:21

Thank you for the post.

As soon as I add "ip nat inside source static 10.0.107.11 208.7.xx.xx" I lose outside connectivity to the outside interface. 10.0.107.11 is not the inside interface IP; it is 10.0.107.15.

Also I have an "access-list 1 permit 10.0.107.0 0.0.0.255" but it is not assigned to any interfaces; I believe it is for the NAT overload.

Please let me know how to put the NAT statement in so I do not lose connectivity.

Thank you

Federico Coto F... Fri, 05/21/2010 - 12:30

Peter,

If you lost connectivity to the outside interface when adding the static command, is it because 208.7.xx.xx is the same IP as the outside interface IP?

If you want to redirect traffic to an inside server based on ports, you can use the same static command with PAT. i.e.

Instead of:

"ip nat inside source static 10.0.107.11 208.7.xx.xx"

Use:

"ip nat inside source static tcp 10.0.107.11 80 208.7.xx.xx 80"   --> using port 80 (you can use this rule for any TCP/UDP port)

Another option is to create a static NAT like the first one:

"ip nat inside source static 10.0.107.11 208.7.xx.xx"

But where 208.7.xx.xx is an unused (available) IP.

To allow access from the outside, you need an ACL like this:

access-list 101 permit tcp any host 208.7.xx.xx eq 80

Or whatever ports you need...

Federico.

peter.williams@... Fri, 05/21/2010 - 12:42

Federico,

I have added "ip nat inside source static 10.0.107.11 208.7.xx.xx" (available). I also added "access-list 101 permit ip host 208.7.xx.xx (available) host 10.0.107.11".

However I am unable to ping the available outside ip address.  Is there something I still need to add?

Since my access-list 1 is what I am using for the overload, should I change the access-list 101 to 1?

Thank you

stonnet72 Fri, 05/21/2010 - 13:27

Can you post the config so we can get a look at how you are configuring the router.

Thank you very much

peter.williams@... Fri, 05/21/2010 - 13:33

Here is the config.

Thank you

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname test

!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip domain name wai.com
!
!
!
crypto pki trustpoint TP-self-signed-2350298788
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2350298788
revocation-check none
rsakeypair TP-self-signed-2350298788
!
!
crypto pki certificate chain TP-self-signed-2350298788
certificate self-signed 01
  30820245 308201AE A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333530 32393837 3838301E 170D3130 30353231 31393231
  30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33353032
  39383738 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BFA2 94494468 EBAFC19F C2A9DB96 E7197D94 6A5DF3A5 82C7A172 B430BAD3
  6012929C 04206572 63593CAB E0204F0F 7C0CDCC0 17E5DABB FADC7986 3056663D
  230B5EA9 25927634 C5B3ED1B ABFF945C D1BB1C33 D75E6E2E E3F0CD40 A13A346D
  4E157253 6DC8C67D 65C17635 04765F3F 93F3751A 72D61C43 3BBF2F61 4BE68D1D
  DD0D0203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
  551D1104 11300F82 0D6D6F76 69312E77 61692E63 6F6D301F 0603551D 23041830
  1680146C 18C110EE 5EA1DC0C D4CC53C2 9C30AE89 47350530 1D060355 1D0E0416
  04146C18 C110EE5E A1DC0CD4 CC53C29C 30AE8947 3505300D 06092A86 4886F70D
  01010405 00038181 00337DDE 5BD12C0A 45500309 12468CB4 7E1E4AC3 7ED256D3
  4003AB3C ED66C699 032589A4 AA84ED58 C7436732 379A425E 531AE143 AA7F22CA
  FBD36B23 13FE77B7 5D628CB4 33734558 8A1783ED E801C49E 9CC5FF9B 460F203B
  90F22D4E C1D34319 7FDB8229 0EE5F826 40ACAEB7 08E29A66 FDC270D3 EF97B2F9
  C324AF62 64AE65C8 5D
  quit
!
!
!
!
!
interface FastEthernet0/0
ip address 208.7.xx.xx 255.255.255.xxx
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.0.107.15 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router ospf 10
log-adjacency-changes
network 10.0.107.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.7.xx.xx
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.0.107.11 208.7.xxx.xxx
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.107.0 0.0.0.255
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
!
end

Laurent Aubert Fri, 05/21/2010 - 14:02

Just to clarify something, the outside IP address you want to use is different from the one configured on FastEthernet0/0, right? I'm confused with all those xxx ;-)

Also from where do you try to ping the outside IP address ?

Thanks

Laurent.

peter.williams@... Fri, 05/21/2010 - 18:36

Sorry for the confusion - this is what I need -

int fa0/0 - ip address 208.7.567.123

int fa0/1 - ip address 10.0.107.15

I need a ip address 208.7.567.124 (free ip address) to translate to 10.0.107.11.  I need all the ports open (TCP and UDP)

I am pinging the ip address from the internet

Thank you for your help

Federico Coto F... Fri, 05/21/2010 - 19:12

Peter,

Correct me if I'm wrong:

You need to access the IP 10.0.107.11 from the Internet but using the IP 208.7.567.123  --> nice IP (you cannot have an octet above 255) ;p

To do this:

ip nat inside source static 10.0.107.11 208.7.567.123

If the above .208 is a free IP address, I don't see why adding the above rule blocks the communication with your fas0/1 interface.

If you have an ACL applied, you add the following:

access-list ACL_NAME permit ip any host 208.7.567.123

Please let me know if this is not what you need.

Federico.

peter.williams@... Mon, 05/24/2010 - 05:46

I was just making up a number.

I put in the following -

ip nat inside source static 10.0.107.11 208.9.113.111 (sorry making up another number)

access-list 1 permit 208.9.113.111 (sorry making up another number)

I am still not able to ping 208.9.113.111, but I am able to ping the interface ip which is (208.9.113.110)

I really don't understand why this does not work.

Thank you for your help

Jennifer Halim Mon, 05/24/2010 - 05:55

Don't configure "access-list 1 permit 208.9.113.111".

After creating the static NAT translation, you would need to "clear ip nat trans *" on the router, just to make sure that the previously PAT'd inside host is cleared from the NAT table.

Then, you would need to make sure that proxy ARP is enabled on fa0/0.

Lastly, perform a "clear arp" on the next-hop router/ISP router, OR reload the ISP router if you don't have access to it. This is to make sure that the correct ARP entry is created on the ISP router for the NATed IP address of 208.9.113.111. On the ISP router, 208.9.113.111 should have an ARP entry with the MAC address of your router's fa0/0 interface.

Hope that helps.
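As an added example (not from the original thread or any of its posters), here is what Federico's two options above (one-to-one static NAT, or per-port static PAT, plus an ACL) and Jennifer's follow-up steps add up to as one IOS configuration and verification sequence. It uses the addresses Peter gives in the thread (fa0/0 208.9.113.110, free address 208.9.113.111, server 10.0.107.11, inside interface 10.0.107.15); the ACL name OUTSIDE_IN, the inspection name FW and the service ports 80 and 443 are assumptions for illustration. The caveat a practitioner wants, which the thread only touches on: a one-to-one static NAT exposes every port of 10.0.107.11 to the Internet, so the "all ports open" request should be narrowed by an inbound ACL on the outside interface. That ACL is evaluated before outside-to-inside NAT, so it must match the public (inside global) address, and it will also drop replies to the overload-NAT'd inside hosts unless stateful inspection (CBAC, shown) or at least a "permit tcp any any established" line lets them back in.

```cisco
! ---------------- configuration (assumed names marked) ----------------
! Existing overload NAT stays as it is. access-list 1 is only the match
! list for the overload; it is not applied to an interface and must NOT
! be extended with the public address (see Jennifer's note above).
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.107.0 0.0.0.255
!
! Option A: one-to-one static NAT, all TCP/UDP ports, to the free address.
! The router answers ARP for 208.9.113.111 on fa0/0 (proxy ARP must stay on).
ip nat inside source static 10.0.107.11 208.9.113.111
!
! Option B (use instead of A when only a few services are published):
! static PAT for individual ports; ports 80/443 are assumed here.
! ip nat inside source static tcp 10.0.107.11 80  208.9.113.111 80
! ip nat inside source static tcp 10.0.107.11 443 208.9.113.111 443
!
! Stateful inspection (CBAC) of sessions leaving the inside network, so
! their return traffic is admitted through the inbound ACL on fa0/0
! without a blanket "established" rule. "FW" is an assumed name.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inbound ACL on the OUTSIDE interface. It is checked before NAT, so it
! matches the public address 208.9.113.111, not 10.0.107.11.
! "OUTSIDE_IN" is an assumed name; the permitted ports are assumed.
ip access-list extended OUTSIDE_IN
 remark replies to pings sent from inside (CBAC above covers tcp/udp)
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark published services on the static NAT address only
 permit tcp any host 208.9.113.111 eq 80
 permit tcp any host 208.9.113.111 eq 443
 permit icmp any host 208.9.113.111 echo
 remark everything else to either public address is dropped and logged
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 208.9.113.110 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
 ip address 10.0.107.15 255.255.255.0
 ip nat inside
 ip inspect FW in
!
! ---------------- exec verification, after the change ----------------
! 1. Drop the old PAT entries so 10.0.107.11 is rebound to the static entry.
clear ip nat translation *
! 2. Proxy ARP on fa0/0 must report "Proxy ARP is enabled".
show ip interface FastEthernet0/0 | include Proxy ARP
! 3. The static entry should be listed with no outside addresses:
!    ---  208.9.113.111  10.0.107.11  ---  ---
show ip nat translations
! 4. The server must route back through this router.
ping 10.0.107.11 source 10.0.107.15
! 5. While a test ping arrives from the Internet, watch the translation
!    (turn off with "undebug all" afterwards; debug output is chatty).
debug ip nat
! 6. Confirm the ACL is counting hits on the intended lines, not the deny.
show ip access-lists OUTSIDE_IN
```

If the upstream router still holds a stale ARP entry for 208.9.113.111 after the change, that entry has to be cleared on the ISP side as Jennifer describes; nothing on this router can force it. Keep the "deny ip any any log" line: its hit count and log messages are the quickest way to see which port a failing client is actually trying to reach.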

peter.williams@... Mon, 05/24/2010 - 07:36

The only way I was able to get the ip address to ping is to do this -

ip nat inside source static 10.0.107.11 208.9.113.111
ip nat outside source static 208.9.113.111 10.0.107.11

Now I can't get the application to work.  Is the statements above correct?

peter.williams@... Mon, 05/24/2010 - 08:03

Now it does not seem that the translation is working from 208.9.113.111 to 10.0.107.11.

Please let me know if I need some kind of ACL in this to work.

Thank you for your help

Federico Coto F... Mon, 05/24/2010 - 08:29

Peter,

To answer some questions:
To check that proxy ARP is enabled on the interface, do "sh ip interface fas 0/0".
From the two statements that you post:
ip nat inside source static 10.0.107.11 208.9.113.111
ip nat outside source static 208.9.113.111 10.0.107.11
Only the first one is correct please remove the second one:
no ip nat outside source static 208.9.113.111 10.0.107.11
Do a "clear ip nat trans *".
Try again...
Note: No need for ACLs to create translations.

Federico.

peter.williams@... Mon, 05/24/2010 - 08:37

I checked the proxy ARP and it is enabled.

I removed the statement that you requested and also cleared the NAT translations, and now the IP address does not ping. When I do a sh ip nat translation I get:

Pro Inside global      Inside local       Outside local      Outside global
icmp 208.9.113.111:40360 10.0.107.11:40360 208.9.113.110:40360 208.9.113.110:40360
--- 208.9.113.111      10.0.107.11        ---                ---

Please let me know if that is correct

Thank you for your help!

Federico Coto F... Mon, 05/24/2010 - 08:48

Peter,

The translation is taking place fine, as the output you posted shows.
If you cannot PING, let's do the following:

You're trying to PING from which IP to which IP (source and destination IP addresses)

Please post the current output of the following:
sh run | i ip nat
sh run | i ip access-list
sh ip int brief | ex una

Federico.

peter.williams@... Mon, 05/24/2010 - 08:59

I am trying to ping from another location 12.21.171.109

sh run | i ip nat
ip nat outside
ip nat inside
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static 10.0.107.11 208.9.113.111


sh run | i ip access-list
There are no access-lists

sh ip int brief | ex una
FastEthernet0/0            208.9.113.111   YES manual up                    up
FastEthernet0/1            10.0.107.15     YES manual up                    up

Thank you

Correct Answer
Federico Coto F... Mon, 05/24/2010 - 09:07

Peter,


You are trying to PING 208.9.113.111 from 12.21.171.109 correct?
If this is so, then traffic will come to the router on its Fas0/0 interface.
Since there are no ACLs the traffic will be permitted.

If the PING fails, try this:
Do a traceroute to that IP and see if the path reaches your router.
i.e
From a Windows machine you can do "tracert 208.9.113.111" and check the path and the last hops.

Also,
Can you PING 10.0.107.11 from the router itself?
Please check that the default gateway for 10.0.107.11 is 10.0.107.15

Federico.

peter.williams@... Mon, 05/24/2010 - 10:02

I was told by my security engineer that the ASA is blocking the pings from the router that I am trying to set up. Since we cannot translate the router over the ASA, I am going to configure the ASA to do the translation instead of the router. I was trying to bypass the ASA altogether but it did not work.

Thank you everybody for your support!
