NAT Loopback

Unanswered Question

Hello,

I have a 877w router with very common NAT rules in it (http and ftp ports forwarded to the adequate private IP).

I need to be able to be forwarded when, from inside the LAN, I try to reach my server using the public IP.

Is it possible ? I believe "NAT on a stick" could help me somehow, but I'm not sure.

Thank you

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Nagaraja Thanthry Wed, 09/01/2010 - 06:47

Hello,

Please try NVI configuration.

interface "outside interface"

no ip nat outside

ip nat enable

Exit

interface "inside interface"

no ip nat inside

ip nat enable

Exit

After the above configuration, remove and reissue all the NAT commands.

Hope this helps.

Regards,

NT

Here is my running config as when I try NVI then do the commands you stated in your first reply  :

Building configuration...

Current configuration : 18782 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname OSMOSE
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$iXNV$r6tB1ml/1Hp4USLbfLIdT1
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone Paris 1
clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3739588933
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3739588933
revocation-check none
rsakeypair TP-self-signed-3739588933
!
!
crypto pki certificate chain TP-self-signed-3739588933
certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373339 35383839 3333301E 170D3032 30333031 30303038
  30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37333935
  38383933 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009495 64AF4380 02219ECA 7BB37BD7 D57B933C 24F588DB 39115720 973B0729
  49D36C52 2E610935 31F88D4F B6BE49CE 64EF28E2 ED5823EE 265C78F3 35FE49AE
  8D977709 949B7BA0 17ED7C0F C90DF0BF 0DDAE815 6696605A 6F21CC75 58416127
  9307DFE4 309C2FFE 32BEB52E 4163D164 2F00FC6E 387305B5 B7020AB9 BDD8E220
  B3AD0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 134F534D 4F53452E 6F736D6F 73653036 2E636F6D 301F0603
  551D2304 18301680 1485473E 82F1FA50 80471702 7E824597 83B138FB 4D301D06
  03551D0E 04160414 85473E82 F1FA5080 4717027E 82459783 B138FB4D 300D0609
  2A864886 F70D0101 04050003 8181003A 72D5FBB6 B80347C5 234FCDB1 D5966D7A
  13B0B7EE DEE86589 E72E1CF5 68181806 8B0845A1 B00BAD5C C790D154 D1EFDD67
  120AF6C5 09293BE1 8E91B499 31B054F6 A8F72076 1DD1AA91 C5328993 BBFD401D
  0E66C852 2EA130CA 36E40AD3 E432257A 990121F9 32DAA63D 09F7E62D 344E50BF
  059ABEC8 74132687 1D5C962C 68D789
      quit
dot11 association mac-list 700
dot11 syslog
dot11 vlan-name WIFIOSMOSE vlan 1
!
dot11 ssid OSMOSE
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 0454180B003249411A140A0417
!
dot11 ssid WOSMOSE
   authentication open
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 0454180B003249411A140A0417
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.69
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 81.253.14.9 80.10.246.132
!
!
ip port-map user-protocol--8 port tcp 28020
ip port-map user-protocol--9 port tcp 28021
ip port-map user-protocol--2 port tcp 1024
ip port-map user-protocol--3 port tcp 502
ip port-map user-protocol--1 port tcp 81
ip port-map user-protocol--6 port tcp 3389
ip port-map user-protocol--7 port tcp 20
ip port-map user-protocol--4 port tcp 5900
ip port-map user-protocol--5 port tcp 5901
ip port-map user-protocol--13 port tcp 28025
ip port-map user-protocol--12 port tcp 28024
ip port-map user-protocol--11 port tcp 28023
ip port-map user-protocol--10 port tcp 28022
ip port-map user-protocol--17 port tcp 28029
ip port-map user-protocol--16 port tcp 28028
ip port-map user-protocol--15 port tcp 28027
ip port-map user-protocol--14 port tcp 28026
no ip bootp server
ip domain name osmose06.com
ip name-server 81.253.14.9
ip name-server 80.10.246.132
!
!
!
username admin privilege 15 secret 5 $1$kF0d$.p8/j47E6heOOkLOdf85P0
!
!
crypto isakmp policy 1
encr 3des
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 109
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 108
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 107
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 106
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 105
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 104
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 109
match protocol user-protocol--9
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 109
match protocol user-protocol--8
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 112
match protocol pptp
class-map type inspect match-any sdm-service-sdm-pol-NATOutsideToInside-1
match protocol http
match protocol ssh
class-map type inspect match-any defaultany
match class-map SDM_GRE
class-map type inspect match-all sdm-nat-user-protocol--16-1
match access-group 109
match protocol user-protocol--16
class-map type inspect match-any sdm-service-ccp-inspect-1
match protocol http
match protocol ssh
class-map type inspect match-all sdm-nat-user-protocol--17-1
match access-group 109
match protocol user-protocol--17
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--14-1
match access-group 109
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--15-1
match access-group 109
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--12-1
match access-group 109
match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 109
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 109
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 109
match protocol user-protocol--11
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match class-map defaultany
match access-group name default
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 109
match protocol https
class-map type inspect match-all ccp-protocol-http
match class-map sdm-service-ccp-inspect-1
class-map type inspect match-all sdm-nat-ftp-1
match access-group 102
match protocol ftp
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-ftp-1
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-user-protocol--3-1
  inspect
class type inspect sdm-nat-user-protocol--4-1
  inspect
class type inspect sdm-nat-user-protocol--5-1
  inspect
class type inspect sdm-nat-user-protocol--6-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-user-protocol--7-1
  inspect
class type inspect sdm-nat-user-protocol--8-1
  inspect
class type inspect sdm-nat-user-protocol--9-1
  inspect
class type inspect sdm-nat-user-protocol--10-1
  inspect
class type inspect sdm-nat-user-protocol--11-1
  inspect
class type inspect sdm-nat-user-protocol--12-1
  inspect
class type inspect sdm-nat-user-protocol--13-1
  inspect
class type inspect sdm-nat-user-protocol--14-1
  inspect
class type inspect sdm-nat-user-protocol--15-1
  inspect
class type inspect sdm-nat-user-protocol--16-1
  inspect
class type inspect sdm-nat-user-protocol--17-1
  inspect
class type inspect sdm-nat-pptp-1
  inspect
class type inspect CCP_PPTP
  pass
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-1
  pass
class type inspect ccp-invalid-src
  pass
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class class-default
policy-map type inspect ccp-permit
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
!
bridge irb
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
ip address 192.168.2.1 255.255.255.0
!
encryption key 1 size 128bit 7 D96DC1D9E5F0B76CE15FA368B74E transmit-key
encryption mode wep mandatory
!
ssid WOSMOSE
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
l2-filter bridge-group-acl
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address 80.13.27.192 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat enable
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname fti/7zddbxu
ppp chap password 7 001E45010F410C01
ppp pap sent-username fti/7zddbxu password 7 04415D01043B4B49
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat enable
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool NAT 80.13.27.192 80.13.27.192 netmask 255.255.255.255
ip nat source list 1 pool NAT overload
ip nat inside source static tcp 192.168.1.122 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.124 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.124 1024 interface Dialer0 1024
ip nat inside source static tcp 192.168.1.122 502 interface Dialer0 502
ip nat inside source static tcp 192.168.1.124 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.1.124 5901 interface Dialer0 5901
ip nat inside source static tcp 192.168.1.122 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.122 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.122 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.122 20 interface Dialer0 20
ip nat inside source static tcp 192.168.1.122 28020 interface Dialer0 28020
ip nat inside source static tcp 192.168.1.122 28021 interface Dialer0 28021
ip nat inside source static tcp 192.168.1.122 28022 interface Dialer0 28022
ip nat inside source static tcp 192.168.1.122 28023 interface Dialer0 28023
ip nat inside source static tcp 192.168.1.122 28024 interface Dialer0 28024
ip nat inside source static tcp 192.168.1.122 28025 interface Dialer0 28025
ip nat inside source static tcp 192.168.1.122 28026 interface Dialer0 28026
ip nat inside source static tcp 192.168.1.122 28027 interface Dialer0 28027
ip nat inside source static tcp 192.168.1.122 28028 interface Dialer0 28028
ip nat inside source static tcp 192.168.1.122 28029 interface Dialer0 28029
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended default
remark CCP_ACL Category=128
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.122
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.122
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.124
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.124
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.122
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.124
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.1.124
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.1.122
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.1.122
access-list 110 remark CCP_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 remark CCP_ACL Category=2
access-list 111 remark IPSec Rule
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.27.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip any any
access-list 700 permit 64b9.e8a4.8867   0000.0000.0000
access-list 700 permit 7c6d.6275.da12   0000.0000.0000
access-list 700 permit 0026.4ae9.edc5   0000.0000.0000
access-list 700 permit 0022.fa8c.1934   0000.0000.0000
access-list 700 permit e806.885b.e5a5   0000.0000.0000
access-list 700 permit 0024.2c5a.1f50   0000.0000.0000
access-list 700 permit 40d3.2db6.57c4   0000.0000.0000
access-list 700 permit 0013.e8e9.abcd   0000.0000.0000
access-list 700 permit 001b.77f2.7574   0000.0000.0000
access-list 700 permit 0025.d33a.da06   0000.0000.0000
access-list 700 permit 0026.4aeb.4a94   0000.0000.0000
access-list 700 permit d830.6282.6739   0000.0000.0000
access-list 700 permit 0016.ea55.ad8e   0000.0000.0000
access-list 700 permit 0026.b0f6.22da   0000.0000.0000
access-list 700 permit 2c81.58e1.bf02   0000.0000.0000
access-list 700 permit 0013.021f.15cb   0000.0000.0000
access-list 700 permit 001e.5215.eb4e   0000.0000.0000
access-list 700 permit 0023.4d38.4498   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
dialer-list 1 protocol ip permit
!
!
route-map SDM_RMAP_1 permit 1
match ip address 111
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Nagaraja Thanthry Fri, 09/03/2010 - 07:36

Hello,

I guess the issue is with the way you have configured the NAT. Do you have a

static IP assigned to your dialer interface? If yes, instead of using the

"interface dialer" in the NAT configuration, can you use the IP address?

no ip nat inside source static tcp 192.168.1.122 80 interface Dialer0 80

no ip nat inside source static tcp 192.168.1.124 81 interface Dialer0 81

no ip nat inside source static tcp 192.168.1.124 1024 interface Dialer0 1024

no ip nat inside source static tcp 192.168.1.122 502 interface Dialer0 502

no ip nat inside source static tcp 192.168.1.124 5900 interface Dialer0 5900

no ip nat inside source static tcp 192.168.1.124 5901 interface Dialer0 5901

no ip nat inside source static tcp 192.168.1.122 3389 interface Dialer0 3389

no ip nat inside source static tcp 192.168.1.122 443 interface Dialer0 443

no ip nat inside source static tcp 192.168.1.122 21 interface Dialer0 21

no ip nat inside source static tcp 192.168.1.122 20 interface Dialer0 20

no ip nat inside source static tcp 192.168.1.122 28020 interface Dialer0

28020

no ip nat inside source static tcp 192.168.1.122 28021 interface Dialer0

28021

no ip nat inside source static tcp 192.168.1.122 28022 interface Dialer0

28022

no ip nat inside source static tcp 192.168.1.122 28023 interface Dialer0

28023

no ip nat inside source static tcp 192.168.1.122 28024 interface Dialer0

28024

no ip nat inside source static tcp 192.168.1.122 28025 interface Dialer0

28025

no ip nat inside source static tcp 192.168.1.122 28026 interface Dialer0

28026

no ip nat inside source static tcp 192.168.1.122 28027 interface Dialer0

28027

no ip nat inside source static tcp 192.168.1.122 28028 interface Dialer0

28028

no ip nat inside source static tcp 192.168.1.122 28029 interface Dialer0

28029

ip nat inside source static tcp 192.168.1.122 80 80.13.27.192 80

ip nat inside source static tcp 192.168.1.124 81 80.13.27.192 81

ip nat inside source static tcp 192.168.1.124 1024 80.13.27.192 1024

ip nat inside source static tcp 192.168.1.122 502 80.13.27.192 502

ip nat inside source static tcp 192.168.1.124 5900 80.13.27.192 5900

ip nat inside source static tcp 192.168.1.124 5901 80.13.27.192 5901

ip nat inside source static tcp 192.168.1.122 3389 80.13.27.192 3389

ip nat inside source static tcp 192.168.1.122 443 80.13.27.192 443

ip nat inside source static tcp 192.168.1.122 21 80.13.27.192 21

ip nat inside source static tcp 192.168.1.122 20 80.13.27.192 20

ip nat inside source static tcp 192.168.1.122 28020 80.13.27.192 28020

ip nat inside source static tcp 192.168.1.122 28021 80.13.27.192 28021

ip nat inside source static tcp 192.168.1.122 28022 80.13.27.192 28022

ip nat inside source static tcp 192.168.1.122 28023 80.13.27.192 28023

ip nat inside source static tcp 192.168.1.122 28024 80.13.27.192 28024

ip nat inside source static tcp 192.168.1.122 28025 80.13.27.192 28025

ip nat inside source static tcp 192.168.1.122 28026 80.13.27.192 28026

ip nat inside source static tcp 192.168.1.122 28027 80.13.27.192 28027

ip nat inside source static tcp 192.168.1.122 28028 80.13.27.192 28028

ip nat inside source static tcp 192.168.1.122 28029 80.13.27.192 28029

Hope this helps.

Regards,

NT

Nagaraja Thanthry Fri, 09/03/2010 - 09:45

Hello,

OK, I tested this in my lab and here is a working config. You should not be

using the "inside" keyword in the NAT when using NVI.

no ip nat inside source static tcp 192.168.1.122 80 interface Dialer0 80

no ip nat inside source static tcp 192.168.1.124 81 interface Dialer0 81

no ip nat inside source static tcp 192.168.1.124 1024 interface Dialer0 1024

no ip nat inside source static tcp 192.168.1.122 502 interface Dialer0 502

no ip nat inside source static tcp 192.168.1.124 5900 interface Dialer0 5900

no ip nat inside source static tcp 192.168.1.124 5901 interface Dialer0 5901

no ip nat inside source static tcp 192.168.1.122 3389 interface Dialer0 3389

no ip nat inside source static tcp 192.168.1.122 443 interface Dialer0 443

no ip nat inside source static tcp 192.168.1.122 21 interface Dialer0 21

no ip nat inside source static tcp 192.168.1.122 20 interface Dialer0 20

no ip nat inside source static tcp 192.168.1.122 28020 interface Dialer0

28020

no ip nat inside source static tcp 192.168.1.122 28021 interface Dialer0

28021

no ip nat inside source static tcp 192.168.1.122 28022 interface Dialer0

28022

no ip nat inside source static tcp 192.168.1.122 28023 interface Dialer0

28023

no ip nat inside source static tcp 192.168.1.122 28024 interface Dialer0

28024

no ip nat inside source static tcp 192.168.1.122 28025 interface Dialer0

28025

no ip nat inside source static tcp 192.168.1.122 28026 interface Dialer0

28026

no ip nat inside source static tcp 192.168.1.122 28027 interface Dialer0

28027

no ip nat inside source static tcp 192.168.1.122 28028 interface Dialer0

28028

no ip nat inside source static tcp 192.168.1.122 28029 interface Dialer0

28029

no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip nat source static tcp 192.168.1.122 80 interface Dialer0 80

ip nat source static tcp 192.168.1.124 81 interface Dialer0 81

ip nat source static tcp 192.168.1.124 1024 interface Dialer0 1024

ip nat source static tcp 192.168.1.122 502 interface Dialer0 502

ip nat source static tcp 192.168.1.124 5900 interface Dialer0 5900

ip nat source static tcp 192.168.1.124 5901 interface Dialer0 5901

ip nat source static tcp 192.168.1.122 3389 interface Dialer0 3389

ip nat source static tcp 192.168.1.122 443 interface Dialer0 443

ip nat source static tcp 192.168.1.122 21 interface Dialer0 21

ip nat source static tcp 192.168.1.122 20 interface Dialer0 20

ip nat source static tcp 192.168.1.122 28020 interface Dialer0 28020

ip nat source static tcp 192.168.1.122 28021 interface Dialer0 28021

ip nat source static tcp 192.168.1.122 28022 interface Dialer0 28022

ip nat source static tcp 192.168.1.122 28023 interface Dialer0 28023

ip nat source static tcp 192.168.1.122 28024 interface Dialer0 28024

ip nat source static tcp 192.168.1.122 28025 interface Dialer0 28025

ip nat source static tcp 192.168.1.122 28026 interface Dialer0 28026

ip nat source static tcp 192.168.1.122 28027 interface Dialer0 28027

ip nat source static tcp 192.168.1.122 28028 interface Dialer0 28028

ip nat source static tcp 192.168.1.122 28029 interface Dialer0 28029

Hope this helps.

Regards,

NT

Nagaraja Thanthry Fri, 09/03/2010 - 09:48

Hello,

Also, add this line for your VPN access:

no ip nat source list 1 pool NAT overload

ip nat source route-map SDM_RMAP_1 pool NAT overload

Regards,

NT

Hi,

I seem to have troubles applying these modifications since i'm operating remotely and often lose SSH connectivity.

I also forgot to mention that I'm a total newbie at working with cisco routers...

Since I'm not gonna be able to try anymore before Monday, could you please check and confirm/correct what I'm doing in the meanwhile :

Starting from my old config with working "classic" NAT but no Inside to Inside NAT (older than what I pasted earlier)

NVI Configuration :

ip nat pool NAT 80.13.27.192 80.13.27.192 netmask 255.255.255.252 (255 seems invalid)

ip nat source route-map SDM_RMAP_1 pool NAT overload

is there anything else I'm missing there ?

Then I input :

interface Dialer0

no ip nat outside

ip nat enable

Exit

interface BVI1

no ip nat inside

ip nat enable

Exit

And finally :

no ip nat inside source static tcp 192.168.1.122 80 interface Dialer0 80

ip nat source static tcp 192.168.1.122 80 interface Dialer0 80

for each NAT rule I have (except SDM_RMAP_1 that is just removed)

What about all this ?

Thanks for all the efforts you put into this.

Regards

Nagaraja Thanthry Sat, 09/04/2010 - 00:19

Hello,

That procedure seems to be correct. You have covered all the steps required.

Please let me know if you face any issues when configuring the NAT rules.

Regards,

NT

Hello,

This is still not working, I lose internet connectivity as soon as I apply this configuration, I believe the issue resides around the SDM_RMAP_1 thing, when I play with the nat rule route-map, I'm sometimes able to ping servers outside but cannot request them (ie HTTP).

I also tries to mimic the configuration described here : http://community.plus.net/forum/index.php?topic=75490.0

which is in fact almost exactly what you told me to do, but no result either (I wish my configuration was as simple&short as this guy's).

What do you suggest ?

Best regards

Actions

This Discussion