12-30-2005 07:52 AM - edited 03-03-2019 11:20 AM
I need to connect to IP 148.244.156.x from a private IP, but the router detects that the packet is from the LAN and does not forward the packet to IP 10.0.0.11, because origin and destination are in the same segment and the router detects this.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.0.14 8080 148.244.156.x 8080 extendable
ip nat inside source static tcp 10.0.0.11 23 148.244.156.x 21 extendable
ip nat inside source static tcp 10.0.0.11 80 148.244.156.x 80 extendable
ip nat inside source static tcp 10.0.0.11 8085 148.244.156.x 8085 extendable
route-map SDM_RMAP_1, permit, sequence 1
Match clauses:
ip address (access-lists): 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 100
10 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 (92932 matches)
20 permit ip 10.0.0.0 0.0.0.255 any (3156 matches)
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 148.244.156.x 255.255.255.224
ip nat outside
ip inspect interno in
ip ips sdm_ips_rule_199 in
ip ips sdm_ips_rule_199 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map servicios
interface FastEthernet0/1.20
encapsulation dot1Q 20 native
ip address 10.0.0.18 255.255.255.0
ip nat inside
ip inspect interno in
ip ips sdm_ips_rule_199 in
ip virtual-reassembly
no snmp trap link-status
12-30-2005 08:05 AM
Can you please give a network diagram with all relevant IP addresses and active devices to allow us to understand your problem?
Thanks
Martin
12-30-2005 09:22 AM
12-30-2005 09:38 AM
Hello,
In your route map, you deny destination addresses of 10.1.1.0/24, while your web server has IP address 10.0.0.11. I am not sure if this is the problem, but where is 10.1.1.0/24 in your drawing?
Try and change the route map so that it denies 10.0.0.11, which is the private IP address of your webserver:
deny ip 10.0.0.0 0.0.0.255 host 10.0.0.11
Regards,
GP
12-30-2005 09:48 AM
10.1.1.0/24 is a VPN segment; it is in the "crypto map servicios".
I tried with this ACL, but nothing changes:
Extended IP access list 101
10 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255 (199 matches)
20 deny ip host 10.0.0.24 host 148.244.156.20 (21 matches)
30 permit ip 10.0.0.0 0.0.0.255 any (9 matches)
Denying IP 10.0.0.11 in the ACL does not work, because the ACL is for NAT rules, so only packets to public networks use that route-map.
12-30-2005 12:46 PM
Hello Juan Carlos,
you somehow have to make sure that the traffic from 10.0.0.24 to 10.0.0.11 does not get translated, that would normally be accomplished by denying it in the access list. Can you try:
deny ip host 10.0.0.24 host 10.0.0.11
?
Regards,
GP
01-02-2006 06:28 AM
Really, the router does translate the packet; the problem is that it does not establish the session with the local segment.
example:
2801#sh ip nat trans | i 148.244.156.19
tcp 148.244.156.19:8080 10.0.0.14:8080 --- ---
tcp 148.244.156.2:2019 10.0.0.24:2019 148.244.156.19:8080 148.244.156.19:8080
2801#
The router does work, but it detects the packet from the local segment equal to the destination, and does not forward the session.
I tried your recommendation but it does not work.
Greetings
01-02-2006 06:42 AM
Hi,
you could just use a DNS entry in the hosts file of 10.0.0.24 to resolve your WEB server DNS address as 10.0.0.11 and contact it directly through the LAN without involving the router at all.
Is there a particular reason why the router should be involved?
Hope this helps
Martin
01-02-2006 07:44 AM
The request is made directly to the IP, not by DNS; we use public DNS, not private.
01-03-2006 01:24 AM
Hi, so why is it not possible to use 10.0.0.11 for the server instead of your public IP?
Why do you have to involve NAT and get things complicated? It looks from your drawing that you could just give client and server direct connectivity?
Am I missing something?
Martin
01-02-2006 03:03 PM
this is the result for debug ip packet and debug ip nat:
Jan 2 16:54:49.087: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:54:49.499: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:54:50.003: IP: s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19, len 48, rcvd 2
Jan 2 16:55:23.783: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:23.783: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3912]
Jan 2 16:55:23.787: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2454]
Jan 2 16:55:24.199: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:24.199: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3913]
Jan 2 16:55:24.203: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2455]
Jan 2 16:55:24.703: IP: tableid=0, s=10.0.0.24 (FastEthernet0/1.20), d=148.244.156.19 (FastEthernet0/0), routed via RIB
Jan 2 16:55:24.703: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3914]
Jan 2 16:55:24.703: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2458]
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 148.244.156.x 255.255.255.224 <-------- maybe this is the problem
01-03-2006 01:04 AM
Hi
From the debug O/P it's very much visible that your FastEthernet IP address is 148.244.156.2 and the public IP of the server is 148.244.156.19.
Can you try pinging the public IP of the server 148.244.156.19 using an extended ping with the source as your 148.244.156.2 FastEthernet's IP?
Also from the server back to the fastethernet ip which is 148.244.156.2...
Regards
01-03-2006 11:27 AM
This is the result:
2801#telnet 148.244.156.19 8080 /source-interface fastEthernet 0/0
Trying 148.244.156.19, 8080 ...
% Connection timed out; remote host not responding
Jan 3 13:10:49.286: NAT: s=148.244.156.2, d=148.244.156.19->10.0.0.14 [0]
Jan 3 13:10:49.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 44, sending
Jan 3 13:10:49.326: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2 (FastEthernet0/0), routed via RIB
Jan 3 13:10:49.330: IP: s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2, len 44, rcvd 4
Jan 3 13:10:49.330: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.330: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 40, sending
Jan 3 13:10:49.386: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.255 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.386: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.255 (FastEthernet0/1.20), len 78, rcvd 3
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.830: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 160, rcvd 3
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:49.830: IP: s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), len 56, sending
Jan 3 13:10:49.830: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:49.830: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 161, rcvd 3
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:50.330: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 160, rcvd 3
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:50.330: IP: s=10.0.0.18 (local), d=10.0.0.14 (FastEthernet0/1.20), len 56, sending
Jan 3 13:10:50.330: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), routed via RIB
Jan 3 13:10:50.334: IP: s=10.0.0.14 (FastEthernet0/1.20), d=10.0.0.18 (FastEthernet0/1.20), len 161, rcvd 3
Jan 3 13:10:51.286: NAT: s=148.244.156.2, d=148.244.156.19->10.0.0.14 [0]
Jan 3 13:10:51.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:51.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 44, sending
Jan 3 13:10:51.286: IP: tableid=0, s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2 (FastEthernet0/0), routed via RIB
Jan 3 13:10:51.286: IP: s=10.0.0.14 (FastEthernet0/1.20), d=148.244.156.2, len 44, rcvd 4
Jan 3 13:10:51.286: IP: tableid=0, s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), routed via FIB
Jan 3 13:10:51.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 40, sending
At the same time, I applied one ACL on the LAN:
2801#sh access-lists 190
Extended IP access list 190
10 permit ip any host 148.244.156.19
20 permit ip any host 10.0.0.14 <--- no matches
30 permit ip any any (13 matches)
LAN interface:
interface FastEthernet0/1.20
encapsulation dot1Q 20 native
ip address 10.0.0.18 255.255.255.0
ip access-group 190 out
ip nat inside
ip inspect interno in
ip ips sdm_ips_rule_199 in
ip virtual-reassembly
no snmp trap link-status
WAN interface:
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 148.244.156.2 255.255.255.224
ip directed-broadcast
ip nat outside
ip inspect interno in
ip ips sdm_ips_rule_199 in
ip ips sdm_ips_rule_199 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
crypto map servicios
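
An added example, not part of any post in this thread: a short Python parser for the `debug ip nat` lines quoted above. It reports which address field the router rewrote in each packet and lists packets sent to the statically mapped address 148.244.156.19 whose destination was left unchanged. The function names and the IP-only static map are assumptions of this example; the log lines and the mapping are copied from the posts.

```python
import re

# Lines copied from the two debug captures posted in this thread.
DEBUG_LINES = [
    "Jan 2 16:55:23.783: NAT: s=10.0.0.24->148.244.156.2, d=148.244.156.19 [3912]",
    "Jan 2 16:55:23.787: NAT: s=148.244.156.19, d=148.244.156.2->10.0.0.24 [2454]",
    "Jan 3 13:10:49.286: NAT: s=148.244.156.2, d=148.244.156.19->10.0.0.14 [0]",
    "Jan 3 13:10:49.286: IP: s=148.244.156.2 (local), d=10.0.0.14 (FastEthernet0/1.20), len 44, sending",
]

# Static entry from the "sh ip nat trans" output: inside global -> inside local.
# Keyed by IP only (assumption), because the debug lines carry no port numbers.
STATIC_MAP = {"148.244.156.19": "10.0.0.14"}

NAT_RE = re.compile(
    r"NAT: s=(?P<src>[\d.]+)(?:->(?P<src_new>[\d.]+))?, "
    r"d=(?P<dst>[\d.]+)(?:->(?P<dst_new>[\d.]+))? \[(?P<ip_id>\d+)\]"
)

def parse_nat_line(line):
    """Return the fields of one 'debug ip nat' line, or None for other lines."""
    m = NAT_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["ip_id"] = int(entry["ip_id"])
    return entry

def rewritten(entry):
    """Names of the address fields the router rewrote in this packet."""
    return {f for f in ("src", "dst") if entry[f + "_new"] is not None}

def missed_static_hits(lines, static_map):
    """Packets sent to a statically mapped global address whose destination
    was logged without a rewrite to the inside host."""
    missed = []
    for line in lines:
        entry = parse_nat_line(line)
        if entry and entry["dst"] in static_map and "dst" not in rewritten(entry):
            missed.append((entry["ip_id"], entry["src"], entry["dst"]))
    return missed

if __name__ == "__main__":
    for line in DEBUG_LINES:
        entry = parse_nat_line(line)
        if entry:
            print(entry["ip_id"], sorted(rewritten(entry)))
    print("destination not rewritten:", missed_static_hits(DEBUG_LINES, STATIC_MAP))
```

On these lines, the packet from 10.0.0.24 has only its source rewritten, while the router-originated telnet has its destination rewritten to 10.0.0.14.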