Cannot access internal server from the outside

Answered Question
Sep 20th, 2010
Hi, I'm trying to NAT connections coming from the Serial1/0 interface to the GigabitEthernet0/1 and it's not working. Maybe there's something wrong with my config?



Cisco 3825 Router IOS Version 12.4(13r)T11


here's my current config:


ip nat pool PORTFWD 172.16.10.1 172.16.10.1 netmask 255.255.255.0 type rotary
ip nat inside source list 10 interface Serial1/0 overload
ip nat inside destination list 100 pool PORTFWD
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
access-list 100 permit ip 172.16.10.0 0.0.0.255 any
access-list 100 permit tcp any any range uucp 550


172.16.10.1 is GigabitEthernet0/1's IP address. I already tried mapping it to 172.16.10.5, which is the actual server I'm trying to reach. When I telnet from the Cisco router to 172.16.10.5 on the port I want to get into (i.e. ftp/AFP) it goes in, so it is reachable.


Serial1/0 has ip nat outside

GigabitEthernet0/1 has ip nat inside


am I doing something wrong? (d'oh)


Thanks in advance.


Ron

Jennifer Halim Mon, 09/20/2010 - 18:20

If I understand you correctly, you would like to configure port address redirection NAT for traffic coming towards the Serial1/0 interface ip address towards a server with ip address of 172.16.10.5.


If the above statement is correct, your current configuration is incorrect as you can't port forward from serial1/0 to gig0/1 then to the actual server. This is not a supported configuration.


Here is an example of what you can configure:


ip nat inside source static tcp 172.16.10.5 550 interface serial1/0 550


Hope that helps.

n0idnixny Mon, 09/20/2010 - 18:33

Yes you understand correctly.


Just that one line?

I don't need any nat pools or anything like that?


I will try the configuration when I get my hands on the router. Thanks for taking the time to reply, and for the fast reply.


Will let you know as soon as I try it!


Thanks again!

Jennifer Halim Mon, 09/20/2010 - 18:57

Yes, just that one line, and the example I provided is to redirect TCP port 550. You can add or change the port accordingly. Let us know how it goes.

Thanks.

n0idnixny Tue, 09/21/2010 - 07:25

I still get connection refused.


Here's what I currently have. Do I need to have an acl for everyone that comes from the outside?


!

ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 10 interface Serial1/0 overload
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 0.0.0.0 0.0.0.255
no cdp run

!


Do you need me to post interface configs?


Thanks in advance.


Ron

Jennifer Halim Tue, 09/21/2010 - 15:39

Can you also remove the following: access-list 10 permit 0.0.0.0 0.0.0.255


Also, if you have ACL applied to the serial1/0 interface, you would need to allow everyone to access that interface on port 548.

n0idnixny Wed, 09/22/2010 - 09:22

I removed the access-list 10 permit 0.0.0.0 0.0.0.255 as requested.


I tried applying this acl and it wouldn't let me?


access-list 10 permit tcp any host IP.of-serial1 eq 548
Translating "tcp"...domain server (198.6.1.4) [OK]
                                              ^

% Invalid input detected at '^' marker.


should I just apply an access group? I applied this but I still get connection refused.


interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address WAN-IP-Address 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 WAN's-gateway-IP
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548
no cdp run
!
!
control-plane
!


Edit: Thanks again for helping.

Richard Burts Wed, 09/22/2010 - 12:16

Ron


I am not so clear about the bigger problem with address translation, but it is clear what the problem is with the access list that you attempted. Access list 10 is a standard access list, which only allows you to define a single (source) address. To define a source and destination address and to define TCP ports you need to use an extended access list.


HTH


Rick

n0idnixny Wed, 09/22/2010 - 12:58

Hi Richard.


What are the steps to do an extended list for source and destination for what I want to do?


Thanks in advance.


Ron

Richard Burts Wed, 09/22/2010 - 13:10

Ron


I am very puzzled by this question, since you have an extended access list configured in your previous post:

access-list 101 permit ip any any
access-list 101 permit tcp any host Serial.int.IP.# eq 548

I would also point out that, with the permit ip any any as the first line, the second line is redundant and never used.


HTH


Rick

n0idnixny Wed, 09/22/2010 - 13:18

Richard.


If I take the access-list 101 permit ip any any everyone loses internet connectivity.


Edit: everyone inside the LAN loses internet connectivity.


Ron

Jon Marshall Wed, 09/22/2010 - 13:26

n0idnixny wrote:


Richard.


If I take the access-list 101 permit ip any any everyone loses internet connectivity.


Edit: everyone inside the LAN loses internet connectivity.


Ron


Ron


Perhaps a recap is in order.


What do you mean by "if I take the access-list ..." in the sentence above? Take it off the interface, maybe?


It would be helpful if you could post your current working config again as well.


Jon

n0idnixny Wed, 09/22/2010 - 13:36

Hi Jon.


The subnet 172.16.10.0 uses the internet from the Serial interface, and last time I took out access-list 101 permit ip any any, I lost internet connectivity and so did everyone here. All I'm trying to do is forward incoming connections from the outside through port 548 (afp) to the server on 172.16.10.5. Is there anything wrong in the config? (Obviously there is.)


Here's what I have currently running:


Current configuration : 3608 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname droga5fibre
!
boot-start-marker
boot-end-marker
!
!card type command needed for slot 1
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 198.6.1.4
ip name-server 198.6.1.122
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
!
!
controller T3 1/0
!
!
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.248
ip virtual-reassembly
duplex full
speed 100
media-type rj45
no cdp enable
!
interface GigabitEthernet0/1
ip address 172.16.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 1000
media-type rj45
no cdp enable
!
interface Serial1/0
ip address Serial-IP 255.255.255.252
ip access-group 101 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
load-interval 30
dsu bandwidth 44210
no cdp enable
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial-Route
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 23 permit 172.16.10.0 0.0.0.7
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
access-list 101 permit tcp any host Serial-IP eq 548
no cdp run
!
!
control-plane
!

line con 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end



Thanks in advance.



Ron

Jon Marshall Wed, 09/22/2010 - 13:43

Ron


I agree with Rick, remove the acl 101 as "permit ip any any" allows all traffic to come in anyway. You may want to add one later to restrict traffic but you don't need it now.


As for the rest of the config, how are you connecting to the server from outside? You need to connect using the serial IP and not the real address.


Jon

n0idnixny Wed, 09/22/2010 - 13:54

Jon


I am using the Serial's IP Address to connect from the outside.



Richard.


BTW you are right, I didn't have an access-group on the serial interface, but I did have an access-list to forward internet for the rest of the subnet, as I said before.

Richard Burts Wed, 09/22/2010 - 13:35

Ron


Given what you have posted, it is expected behavior that if you remove the permit ip any any from the access list and leave the other entry, everyone on the LAN would lose Internet connectivity.


I suggest that we take a step back and look at this question from a slightly different perspective. The original question was about the need to do a static translation in addition to dynamic translations. And then the observation was made that if you have an access list filtering traffic on the serial interface that it should permit this traffic. And everyone started assuming that you had an access list (and access group on the interface). Based on what has been in this thread I am guessing that you did not have an access list until we suggested it. And based on what is posted to be in the access list I am going to suggest that you do not need an access list filtering traffic on the serial interface.


The real question of whether you should have an access list (and access group on the interface) requires knowledge of your environment and of your requirements that goes far beyond what is included in this thread. But based on what is in this thread I suggest that you remove the access list, remove the access group from the serial interface and focus on whether the translation is working. If the translation works then it is great. If the translation does not work then you will know that the problem is not the access list.


HTH


Rick

n0idnixny Wed, 09/22/2010 - 13:46

Richard


so is this line necessary?


ip nat inside source list 101 interface Serial1/0 overload


because I added that line with the access-list 101 permit ip any any in order to provide everyone with internet access, because Verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online) to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me from getting this working?


Thanks in advance.



Ron

Correct Answer
Jon Marshall Wed, 09/22/2010 - 14:02

n0idnixny wrote:


Richard


so is this line necessary?


ip nat inside source list 101 interface Serial1/0 overload


because I added that line with the access-list 101 permit ip any any in order to provide everyone with internet access, because Verizon just sent me a config to get the router's IP up and no information on how to allow people in the subnet to connect through it. So I added those lines (from what I read online) to have everyone access the internet. Is that a wrong entry? Is there a better way to configure this? Maybe that's what's keeping me from getting this working?


Thanks in advance.



Ron


Ron


No, you need acl 101 for your NAT in the above statement, but you only need a "permit ip any any". You do not need to apply acl 101 to an interface for it to work with NAT.


You do need this line so all your internal clients can access the internet -


ip nat inside source list 101 interface Serial1/0 overload



Can you -


1) make sure you remove the acl from the serial interface but leave acl 101 for your nat overload


2) try and make a connection from the outside to the server and then look at your NAT translation table to see if there is a NAT translation, i.e.


router# sh ip nat translations | include 172.16.10.5


and post the result.


I'm assuming you are connecting from a device on the outside of the router?


Jon

n0idnixny Wed, 09/22/2010 - 14:56

Wow, I feel a little retarded; as I was trying to telnet to the port from the same line, no wonder I was getting connection refused.


sorry


I tried from a different line we have here @ the office and it works!!!


Thanks guys for your help! Jon, Richard, Halijenn for the fast replies.


I will take care of those ACL's and remove the access-group from the interface as well.



Thanks again for your kind help guys. I really appreciate it.



Ron

n0idnixny Wed, 09/22/2010 - 13:58

In other words, the 172.16.10.0 subnet (GigabitEthernet0/1) needs internet connectivity from the Serial interface, and TCP port 548 needs to be forwarded to address 172.16.10.5.


Maybe there is a better way to configure this scenario from what I already have?


I appreciate the help and time.


Thanks in advance.

Richard Burts Wed, 09/22/2010 - 14:25

Ron


I am glad to know that my understanding was correct that you did not originally have an access list applied to the serial interface. And part of the solution is to remove the access-group from the serial interface but not necessarily to remove access list 101.


When I had been talking about access list 101 I was thinking of it in terms of how you had applied it to the serial interface (using access-group) and I missed the fact that you also use that access list in your nat statement. You still need some access list in your nat statement and do not need an access list (or access-group) on the serial interface.


While I believe that you need an access list for NAT, I am not sure that this version of access list 101 is the optimum choice. I do not remember the details, but I think that I remember reading that using permit any any in NAT could cause some problems. I would suggest that you configure an access list like this:

access-list 10 permit 172.16.10.0 0.0.0.255

and use access list 10 in your nat statement rather than using access list 101.


HTH


Rick
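An added example (my own code, not from anyone in this thread): a small Python audit that applies the points raised above to the fragments Ron posted. It flags protocol/port keywords in a standard ACL (Rick's point about access-list 10), entries shadowed by an earlier permit ip any any (Rick's redundancy remark), the 0.0.0.0 0.0.0.255 entry Jennifer asked to remove, an access-group whose first entry permits all traffic (Jon's point), and a NAT source list that matches any source (Rick's suggestion to use access list 10 instead). The sample config is constructed from the thread, and 192.0.2.1 is a placeholder for the redacted Serial1/0 address.

```python
"""Audit an IOS NAT/ACL fragment for the mistakes discussed in this thread (added example)."""
import re
from collections import defaultdict

# Constructed sample assembled from Ron's posts. 192.0.2.1 is a placeholder for the redacted
# Serial1/0 address; the third 'access-list 10' line is the one IOS rejected, kept here so the
# standard-ACL check has something to catch.
SAMPLE_CONFIG = """\
interface Serial1/0
 ip access-group 101 in
 ip nat outside
!
ip nat inside source static tcp 172.16.10.5 548 interface Serial1/0 548
ip nat inside source list 101 interface Serial1/0 overload
!
access-list 10 permit 172.16.10.0 0.0.0.7
access-list 10 permit 0.0.0.0 0.0.0.255
access-list 10 permit tcp any host 192.0.2.1 eq 548
access-list 101 permit ip any any
access-list 101 permit tcp any host 192.0.2.1 eq 548
"""

def parse(config):
    """Return (acl number -> ACE list, ACL numbers used by NAT, ACL numbers applied to interfaces)."""
    acls, nat_lists, applied = defaultdict(list), set(), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"access-list (\d+) (.+)", line):
            acls[int(m[1])].append(m[2])
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_lists.add(int(m[1]))
        elif m := re.match(r"ip access-group (\d+) (in|out)", line):
            applied.add(int(m[1]))
    return acls, nat_lists, applied

def audit(config):
    """Return (acl, entry, message) findings; entry 0 means the finding is about the whole ACL."""
    acls, nat_lists, applied = parse(config)
    findings = []
    for num, aces in sorted(acls.items()):
        standard = 1 <= num <= 99 or 1300 <= num <= 1999   # IOS numbered standard-ACL ranges
        for i, ace in enumerate(aces, start=1):
            # Standard ACLs match a source address only; protocol/port keywords are rejected there
            if standard and re.search(r"\b(tcp|udp|icmp|eq|range|gt|lt)\b", ace):
                findings.append((num, i, "protocol/port keywords need an extended ACL (100-199)"))
            # 0.0.0.0 with wildcard 0.0.0.255 covers 0.0.0.0-0.0.0.255, a range no client sources
            if re.search(r"permit 0\.0\.0\.0 0\.0\.0\.255", ace):
                findings.append((num, i, "matches the unusable source range 0.0.0.0/24"))
            # ACLs are evaluated first-match, so nothing after 'permit ip any any' is reached
            if "permit ip any any" in aces[:i - 1]:
                findings.append((num, i, "shadowed by an earlier 'permit ip any any'"))
        if num in nat_lists and "permit ip any any" in aces:
            findings.append((num, 0, "NAT source list matches any source; limit it to the inside subnet"))
        if num in applied and aces[0] == "permit ip any any":
            findings.append((num, 0, "applied to an interface but its first entry permits all traffic"))
    return findings
```

Running audit(SAMPLE_CONFIG) returns five findings; with the thread's final shape (access list 10 for the inside subnet in the NAT statement and no access-group on Serial1/0) it returns none.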

n0idnixny Wed, 09/22/2010 - 15:26

Thanks again Richard for your help!


Next time, instead of hitting myself in the head for 2 days, I'll come here for Q&A.


Thanks!!



Regards,


Ron
