Problem when connecting from a private IP to a public IP, doing NAT/PAT to t

Dec 30th, 2005

I need to connect to IP 148.244.156.x from a private IP, but the router detects that the packet is from the LAN and does not forward the packet to IP 10.0.0.11, because origin and destination are in the same segment and the router detects this.

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.14 8080 148.244.156.x 8080 extendable
ip nat inside source static tcp 10.0.0.11 23 148.244.156.x 21 extendable
ip nat inside source static tcp 10.0.0.11 80 148.244.156.x 80 extendable
ip nat inside source static tcp 10.0.0.11 8085 148.244.156.x 8085 extendable

route-map SDM_RMAP_1, permit, sequence 1
  Match clauses:
    ip address (access-lists): 100
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 100
    10 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 (92932 matches)
    20 permit ip 10.0.0.0 0.0.0.255 any (3156 matches)

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 148.244.156.x 255.255.255.224
 ip nat outside
 ip inspect interno in
 ip ips sdm_ips_rule_199 in
 ip ips sdm_ips_rule_199 out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map servicios

interface FastEthernet0/1.20
 encapsulation dot1Q 20 native
 ip address 10.0.0.18 255.255.255.0
 ip nat inside
 ip inspect interno in
 ip ips sdm_ips_rule_199 in
 ip virtual-reassembly
 no snmp trap link-status

mheusinger Fri, 12/30/2005 - 08:05

Can you please give a network diagram with all relevant IP addresses and active devices to allow us to understand your problem?

Thanks

Martin

gpauwen Fri, 12/30/2005 - 09:38

Hello,

in your route map, you deny destination addresses of 10.1.1.0/24, while your web server has IP address 10.0.0.11. I am not sure if this is the problem, but where is 10.1.1.0/24 in your drawing?

Try and change the route map so that it denies 10.0.0.11, which is the private IP address of your webserver:

deny ip 10.0.0.0 0.0.0.255 host 10.0.0.11

Regards,

GP

davila_c Fri, 12/30/2005 - 09:48

10.1.1.0/24 is a VPN segment; this is in the "crypto map servicios".

I tried with this ACL, but nothing changes:

Extended IP access list 101
    10 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 (199 matches)
    20 deny ip host 10.0.0.24 host 148.244.156.20 (21 matches)
    30 permit ip 10.0.0.0 0.0.0.255 any (9 matches)

Denying IP 10.0.0.11 in the ACL does not work, because the ACL is for the NAT rules, so only packets to public networks use that route-map.

gpauwen Fri, 12/30/2005 - 12:46

Hola Juan Carlos,

you somehow have to make sure that the traffic from 10.0.0.24 to 10.0.0.11 does not get translated, that would normally be accomplished by denying it in the access list. Can you try:

deny ip host 10.0.0.24 host 10.0.0.11

?

Saludos,

GP

davila_c Mon, 01/02/2006 - 06:28

Really, the router does translate the packet; the problem is that it does not establish the session with the local segment.

Example:

2801#sh ip nat trans | i 148.244.156.19
tcp 148.244.156.19:8080 10.0.0.14:8080 --- ---
tcp 148.244.156.2:2019 10.0.0.24:2019 148.244.156.19:8080 148.244.156.19:8080
2801#

The router does work, but it detects that the packet comes from the same local segment as the destination, and does not forward the session.

I tried your recommendation but it does not work.

Greetings

mheusinger Mon, 01/02/2006 - 06:42

Hi,

you could just use a DNS entry in the hosts file of 10.0.0.24 to resolve your WEB server DNS address as 10.0.0.11 and contact it directly through the LAN without involving the router at all.

Is there a particular reason why the router should be involved?

Hope this helps

Martin

davila_c Mon, 01/02/2006 - 07:44

The request to the IP is made directly, not by DNS; we use public DNS, not private.

mheusinger Tue, 01/03/2006 - 01:24

Hi, so why is it not possible to use 10.0.0.11 for the server instead of your public IP?

Why do you have to involve NAT and get things complicated? It looks from your drawing that you could just give client and server direct connectivity?

Am I missing something?

Martin

davila_c Mon, 01/02/2006 - 15:03

This is the result for debug ip packet and debug ip nat:

Jan 2 16:54:49.087: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:54:49.499: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:54:50.003: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:55:23.783: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:23.783: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3912]
Jan 2 16:55:23.787: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2454]
Jan 2 16:55:24.199: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:24.199: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3913]
Jan 2 16:55:24.203: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2455]
Jan 2 16:55:24.703: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:24.703: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3914]
Jan 2 16:55:24.703: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2458]

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 148.244.156.x 255.255.255.224 <-------- maybe this is the problem

spremkumar Tue, 01/03/2006 - 01:04

Hi

From the debug output it's very much visible that your FastEthernet IP address is 148.244.156.2 and the public IP of the server is 148.244.156.19.

Can you try pinging the public IP of the server 148.244.156.19 using an extended ping with the source as your 148.244.156.2 FastEthernet IP?

Also from the server back to the FastEthernet IP, which is 148.244.156.2...

regds

davila_c Tue, 01/03/2006 - 11:27

This is the result:

2801#telnet 148.244.156.19 8080 /source-interface fastEthernet 0/0
Trying 148.244.156.19, 8080 ...
% Connection timed out; remote host not responding

Jan 3 13:10:49.286: NAT: s=148.244.156.2, d=148.244.156.19->10.0.0.14 [0]
Jan 3 13:10:49.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 44, sending
Jan 3 13:10:49.326: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2 (FastEthernet0/0), routed via RIB
Jan 3 13:10:49.330: IP: s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2, len 44, rcvd 4
Jan 3 13:10:49.330: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.330: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 40, sending
Jan 3 13:10:49.386: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.255 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.386: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.255 (FastEthernet0/1.20), len 78, rcvd 3
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.830: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 160, rcvd 3
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.830: IP: s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), len 56, sending
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.830: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 161, rcvd 3
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:50.330: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 160, rcvd 3
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:50.330: IP: s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), len 56, sending
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:50.334: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 161, rcvd 3
Jan 3 13:10:51.286: NAT: s=148.244.156.2, d=148.244.156.19->10.0.0.14 [0]
Jan 3 13:10:51.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:51.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 44, sending
Jan 3 13:10:51.286: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2 (FastEthernet0/0), routed via RIB
Jan 3 13:10:51.286: IP: s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2, len 44, rcvd 4
Jan 3 13:10:51.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:51.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 40, sending

At the same time, I applied an ACL on the LAN:

2801#sh access-lists 190
Extended IP access list 190
    10 permit ip any host 148.244.156.19
    20 permit ip any host 10.0.0.14 <--- no matches
    30 permit ip any any (13 matches)

LAN interface:

interface FastEthernet0/1.20
 encapsulation dot1Q 20 native
 ip address 10.0.0.18 255.255.255.0
 ip access-group 190 out
 ip nat inside
 ip inspect interno in
 ip ips sdm_ips_rule_199 in
 ip virtual-reassembly
 no snmp trap link-status

WAN interface:

interface FastEthernet0/0
 description $FW_OUTSIDE$
 ip address 148.244.156.2 255.255.255.224
 ip directed-broadcast
 ip nat outside
 ip inspect interno in
 ip ips sdm_ips_rule_199 in
 ip ips sdm_ips_rule_199 out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 crypto map servicios
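A small Python model of the two NAT behaviours the debugs in this thread show, added here and not part of the thread: with the classic `ip nat inside`/`ip nat outside` configuration, a packet entering an inside interface gets only its source translated after routing, and a packet entering from outside gets only its destination translated, so 10.0.0.24's SYN leaves with destination 148.244.156.19 still untranslated and the server's reply to the router's own telnet test comes back untranslated. The `nvi_nat` function models the NAT Virtual Interface alternative (`ip nat enable` on both interfaces with `ip nat source static`) as the usual fix for this hairpin case; that fix is my assumption, not something the thread proposes, and the model is deliberately simplified (one static entry, ports ignored).

```python
from dataclasses import dataclass, replace

# Thread's addresses. Only the 10.0.0.14:8080 static entry is modelled; ports are dropped.
STATIC = {"10.0.0.14": "148.244.156.19"}          # inside local -> inside global
STATIC_INV = {g: l for l, g in STATIC.items()}
OVERLOAD_GLOBAL = "148.244.156.2"                 # Fa0/0 address used by the overload rule
ROUTER_ADDRS = {"148.244.156.2", "10.0.0.18"}     # the router's own interface addresses
INSIDE_PREFIX = "10.0.0."                         # 10.0.0.0/24 on Fa0/1.20 (ip nat inside)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "inside", "outside", or "local_outside" (router-generated, sourced on Fa0/0)

def route(dst):
    """Egress domain chosen by the RIB; packets addressed to the router itself are 'local'."""
    if dst in ROUTER_ADDRS:
        return "local"
    return "inside" if dst.startswith(INSIDE_PREFIX) else "outside"

def classic_nat(pkt):
    """Simplified model of 'ip nat inside' / 'ip nat outside' domain NAT:
    inside -> outside: route first, then translate only the source on the way out;
    outside -> inside: translate only the destination, then route.
    Inside-to-inside and inside-to-router packets are never translated."""
    if pkt.ingress == "inside":
        if route(pkt.dst) != "outside":
            return pkt
        return replace(pkt, src=STATIC.get(pkt.src, OVERLOAD_GLOBAL))
    return replace(pkt, dst=STATIC_INV.get(pkt.dst, pkt.dst))

def nvi_nat(pkt):
    """Simplified model of domainless NAT ('ip nat enable' + 'ip nat source static'):
    source and destination are both matched against the table, whatever the ingress."""
    src = STATIC.get(pkt.src, OVERLOAD_GLOBAL) if pkt.src.startswith(INSIDE_PREFIX) else pkt.src
    return replace(pkt, src=src, dst=STATIC_INV.get(pkt.dst, pkt.dst))

def reaches_server(nat, pkt):
    """True if, after translation, the packet is delivered to the inside server."""
    out = nat(pkt)
    return route(out.dst) == "inside" and out.dst in STATIC

# Case 1 (first debug): LAN host 10.0.0.24 opens 148.244.156.19:8080 from Fa0/1.20.
LAN_TO_PUBLIC = Packet("10.0.0.24", "148.244.156.19", "inside")
# Case 2 (second debug): the router's own telnet sourced from Fa0/0, and the server's reply.
ROUTER_TEST = Packet("148.244.156.2", "148.244.156.19", "local_outside")
SERVER_REPLY = Packet("10.0.0.14", "148.244.156.2", "inside")
```

With `classic_nat`, `LAN_TO_PUBLIC` comes out exactly as the first debug's `NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19` line and `SERVER_REPLY` is left untouched, which is why the router's telnet never sees a SYN-ACK from 148.244.156.19; `nvi_nat` delivers the same SYN to 10.0.0.14.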

Posted December 30, 2005 at 7:52 AM