Unable to access public ip, from inside private network.

Jan 11th, 2006

We are currently unable to access our public IP address from inside our private LAN, and when I do a traceroute to see what is happening, it goes into a loop. Right now we have two interfaces on the router and only two routes configured on the Cisco 2811: one is the default route to send all outgoing traffic through the external interface, and the other sends all internal traffic through the internal interface. We have one NAT rule to dynamically assign outgoing traffic to a pool of public IPs not used by our servers.

Has anyone ever encountered this, and can you tell me what I am doing wrong?

Thanks,

Will.

pkhatri Wed, 01/11/2006 - 19:13

Hi Will,


If you could post your config, it would be easier to troubleshoot your problem.


Cheers,

Paresh.

williamreed Wed, 01/11/2006 - 19:49

Here's the config. Thanks Paresh!


no aaa new-model
!
resource policy
!
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool default
 import all
 network 10.10.10.0 255.255.255.0
 dns-server 216.182.14.76 216.182.13.76
 default-router 10.10.10.1
!
ip dhcp pool test
 host 10.10.10.129 255.255.255.0
 hardware-address 000d.939d.b445
!
ip dhcp pool Business-Printer
 host 10.10.10.194 255.255.255.0
 hardware-address 0014.3864.d1e7
!
no ip bootp server
ip domain name it.com
ip name-server 216.182.14.76
ip name-server 216.182.13.76
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled

interface Serial0/0/0
 ip address 74.159.148.157 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 74.159.148.156 permanent
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0 permanent
!
ip http server
ip http access-class 3
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat pool DynamicExt 74.248.40.235 74.248.40.240 netmask 255.255.255.240
ip nat inside source list 1 pool DynamicExt
ip nat inside source static tcp 10.10.10.129 22 74.248.40.241 22 extendable
ip nat inside source static tcp 10.10.10.129 443 74.248.40.241 443 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq telnet
access-list 100 deny tcp any host 10.10.10.1 eq 22
access-list 100 deny tcp any host 10.10.10.1 eq www
access-list 100 deny tcp any host 10.10.10.1 eq 443
access-list 100 deny tcp any host 10.10.10.1 eq cmd
access-list 100 deny udp any host 10.10.10.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
control-plane
!
banner login ^CThis device is property of
All activity is logged, and unauthorized users will be prosecuted.^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class 101 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 102 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!


pkhatri Wed, 01/11/2006 - 20:22

Will,


Just to clarify your issues:


- You cannot ping 74.159.148.157 from any of your PCs sitting on the 10.10.10.x network. Is that correct?


- Are your PCs able to go out to the Internet, or is it the case that they cannot access anything? If they cannot access anything, would you be able to paste the output of 'ipconfig /all' from the PC where you are trying this?


Thanks,

Paresh.

pkhatri Wed, 01/11/2006 - 20:45

Hi Will,


One obvious problem I can see is your NAT pool:


ip nat pool DynamicExt 74.248.40.235 74.248.40.240 netmask 255.255.255.240


The start and end addresses of the pool are in different subnets. In fact, I'm not sure how the router let you configure it. Here's what I get when I paste it into my router:


router(config)#$t 74.248.40.235 74.248.40.240 netmask 255.255.255.240

%Pool DynamicExt mask 255.255.255.240 too small; should be at least 255.255.255.224

%Start and end addresses on different subnets


The range of addresses from 74.248.40.235 to 74.248.40.239 is part of 74.248.40.224/28, whereas 74.248.40.240 is part of 74.248.40.240/28 (if you choose to use a /28 mask). However, a mask of 255.255.255.224 should cover both sets of addresses.


Hope that helps,

Paresh.
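Paresh's subnet argument as an added check (example code written for this page, not from the thread or from IOS): it derives the smallest mask that covers both ends of the pool and reports the same two conditions the router printed, using only the addresses quoted above.

```python
import ipaddress

# Constructed from the thread: the pool statement that IOS rejected.
POOL_START, POOL_END, POOL_MASK = "74.248.40.235", "74.248.40.240", "255.255.255.240"

def prefixlen(mask: str) -> int:
    """Dotted netmask -> prefix length (255.255.255.240 -> 28)."""
    return ipaddress.IPv4Network((0, mask)).prefixlen

def smallest_common_mask(start: str, end: str) -> str:
    """Longest netmask whose single subnet holds both addresses; this is the
    value IOS prints after 'should be at least'."""
    a, b = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    for plen in range(32, -1, -1):               # shrink the prefix until b fits
        net = ipaddress.IPv4Network((int(a), plen), strict=False)
        if b in net:
            return str(net.netmask)
    return "0.0.0.0"

def check_nat_pool(start: str, end: str, mask: str) -> list:
    """Reproduce the two sanity checks IOS runs on 'ip nat pool ... netmask'."""
    errors = []
    required = smallest_common_mask(start, end)
    if prefixlen(mask) > prefixlen(required):    # mask longer than the range needs
        errors.append(f"mask {mask} too small; should be at least {required}")
    def subnet_of(addr):
        return ipaddress.IPv4Network((addr, mask), strict=False).network_address
    if subnet_of(start) != subnet_of(end):       # ends fall into different subnets
        errors.append("Start and end addresses on different subnets")
    return errors

if __name__ == "__main__":
    for mask in (POOL_MASK, smallest_common_mask(POOL_START, POOL_END)):
        print(f"netmask {mask}:", check_nat_pool(POOL_START, POOL_END, mask) or "ok")
```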

williamreed Thu, 01/12/2006 - 04:45

We can all access the internet, but when we try to get to one of our own websites hosted on a server behind our Cisco router using an external IP from the address pool given to us by our ISP, we get caught in some kind of loop.

For example, we are all on the 10.10.10.0 network. One of the external IPs provided to us by our ISP is 74.248.40.241. When we try to access the 74.248.40.241 IP in our browsers, it times out. When I perform a traceroute from inside the system, it shows a loop going out of the 10.10.10.1 interface and getting caught between 74.159.148.157 and 74.159.148.156.

I'm thinking it is a routing issue, not any kind of NAT issue.

olorunloba Thu, 01/12/2006 - 09:42

It times out because you do not have a route for the address 74.248.40.241 in your routing table. The router therefore uses the default route, which is towards your ISP. Your ISP will have a route for the address pointing to you, and therefore route it back to you. And you back to the ISP, hence the loop.


If the system is on the LAN (maybe FastEthernet0/0), configure a route for the host pointing towards the LAN, i.e.

ip route 74.248.40.241 255.255.255.255 f0/0

tekha Thu, 01/12/2006 - 10:30

You can't access the server via the public address because the IP doesn't get NAT'ted; you can't perform NAT from an inside interface to an inside interface, it has to be from inside to outside or vice versa.

You should connect to the server on the private IP instead.

Alternatively you could do NAT on a stick.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

But I wouldn't recommend it unless really necessary.


pkhatri Thu, 01/12/2006 - 15:26

Hi Will,


Let's say the IP address of the PC that is running the browser is 10.10.10.10. This is what is happening then:

- the PC is sending a packet with a SA of 10.10.10.10 and a DA of 74.248.40.241

- the packet hits the router's Fast0/0

- the router does a route lookup for the DA of 74.248.40.241. The only route that matches is the default so it selects serial0/0/0 as the outgoing interface

- since the incoming interface is an inside NAT interface and the output interface is an outside NAT interface, the router knows that it has to perform NAT on the packet.

- it therefore assigns an address to the packet from the DynamicExt pool, say 74.248.40.235

- the packet now has a SA of 74.248.40.235 and a DA of 74.248.40.241

- the router now sends it out its serial0/0/0 interface which goes to your ISP

- the ISP router receives the packet and performs a route lookup for the DA of 74.248.40.241. That route points back to your link so it sends it back over the link to your serial0/0/0 interface

- your router receives the packet with a SA of 74.248.40.235 and a DA of 74.248.40.241. No NAT is performed at this point since there are no translations in the NAT table for this combination of addresses and ports.

- it once again does a route lookup for 74.248.40.241 and the only route that matches is the default so it selects serial0/0/0 as the outgoing interface

- the ISP once again gets the packet and repeats the process

- this repeats until the TTL on the packet reaches 0 at which point it is discarded.


The moral of the story is that you cannot do this with your current setup.


However, if you make the NAT entry for your server a static IP NAT entry, this should work, i.e. just add the following command:

ip nat inside source static 10.10.10.129 74.248.40.241


Hope that helps.. pls rate the post if it does.


Regards,

Paresh.
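The hop-by-hop walk above as an added, runnable model (written for this page, not from the thread or from Cisco): it encodes the two routes, the order in which IOS applies NAT relative to the route lookup, and an ISP that hands anything for 74.248.40.x straight back over the serial link, then traces the packet with and without the static entry suggested above. The PC address 10.10.10.10 and pool address 74.248.40.235 are the ones used in the explanation.

```python
import ipaddress

# Constructed model of the setup in the thread: two static routes, NAT inside
# on the LAN interface, NAT outside on the serial link, and an ISP that routes
# the whole 74.248.40.x block straight back over that link.
LAN_IF, WAN_IF = "FastEthernet0/0", "Serial0/0/0"
ROUTES = {"10.10.10.0/24": LAN_IF, "0.0.0.0/0": WAN_IF}
POOL_ADDR = "74.248.40.235"                      # address handed out from pool DynamicExt
PC, SERVER_IN, SERVER_OUT = "10.10.10.10", "10.10.10.129", "74.248.40.241"

def route(dst: str) -> str:
    """Longest-prefix match over the router's two routes."""
    addr = ipaddress.ip_address(dst)
    matches = [n for n in ROUTES if addr in ipaddress.ip_network(n)]
    return ROUTES[max(matches, key=lambda n: ipaddress.ip_network(n).prefixlen)]

def router(src, dst, in_if, static_nat, dyn_table):
    """One pass through the 2811. On outside->inside IOS translates the
    destination before the route lookup; on inside->outside it routes first
    and then translates the source. Returns (src, dst, out_if)."""
    if in_if == WAN_IF:
        dst = static_nat.get(dst, dyn_table.get(dst, dst))   # inside-global -> inside-local
    out_if = route(dst)
    if in_if == LAN_IF and out_if == WAN_IF:
        dyn_table[POOL_ADDR] = src                           # create the dynamic translation
        src = POOL_ADDR
    return src, dst, out_if

def trace(static_nat: dict, hop_budget: int = 6) -> list:
    """Follow the PC's packet to SERVER_OUT hop by hop. The ISP hop needs no
    logic of its own: anything for 74.248.40.x comes straight back to Serial0/0/0."""
    dyn_table, hops = {}, []
    src, dst, in_if = PC, SERVER_OUT, LAN_IF
    for _ in range(hop_budget):
        src, dst, out_if = router(src, dst, in_if, static_nat, dyn_table)
        hops.append((src, dst, out_if))
        if out_if == LAN_IF:
            return hops + [f"delivered to {dst} via {LAN_IF}"]
        in_if = WAN_IF                                       # ISP returns it to our serial link
    return hops + ["TTL expired: packet looped between router and ISP"]

if __name__ == "__main__":
    for label, nat in (("current config", {}), ("with static NAT", {SERVER_OUT: SERVER_IN})):
        print(label)
        for hop in trace(nat):
            print("  ", hop)
```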


pkhatri Thu, 01/12/2006 - 15:36

Hi again,


One gotcha with using a static IP NAT translation for the server is that it is now open on all ports to all hosts on the Internet.. not a good thing.


If you are going to go ahead with this, I suggest you place an inbound access-list on your Serial0/0/0 interface that allows full access to all hosts within your public IP range but limits it to designated ports from all other hosts.


Hope that helps.. pls rate the post if it does.


Regards,

Paresh.
