Static NAT :- Problem accessing server from Inside (TCP reset)

Unanswered Question
Jan 19th, 2007

Hi,

I have a 2811, with a DSL WIC.

Fa0/1 is setup as NAT inside (10.1.1.x)

Dialer0 is NAT outside (81.x.x.1 overload)

I also have a static NAT setting for one web server (10.1.1.200), which is mapped to one of my public IP address 81.x.x.10

The following works just fine :-

Inside PCs 10.1.1.x get NATed outside to 81.x.x.1

Hosts on the internet can reach my Web Server 81.x.x.10

However, if I try to access 81.x.x.10 from inside my network, I get a TCP reply from 81.x.x.10 with RST,ACK bits set !!

I can, however, access the web interface on 81.x.x.1, which is the Cisco router itself, from INSIDE.

I have logged all access lists, but it does not seem to be an ACL problem.

Any idea what may be going wrong ?

Jon Marshall Fri, 01/19/2007 - 08:21

Hi

I suspect this is because you are going in the wrong direction through your router, i.e.

when a packet comes in to your router on the outside interface with a destination address of 81.x.x.10 it is NATed to 10.1.1.200.

But you are not coming in on the outside interface, so that NAT does not take place.

Is there a reason why you need to do this? When you are on the internal LAN, can you not just contact the web server on its 10.1.1.200 address?

Jon

tjeanne Fri, 01/19/2007 - 09:08

Hi,

In fact, NAT only works when packets pass through both "nat inside" and "nat outside" configured interfaces.

When you try to access 81.x.x.10 from inside your network, packets never pass through the outside interface and no address translation occurs.

dgahm Fri, 01/19/2007 - 11:31

Here is what is likely happening:

1. PC 10.1.1.100 sends SYN packet to 81.X.X.10.

2. Router default routes packet to ISP and NATs source 10.1.1.100 to 81.X.X.1.

3. ISP routes packet back and NAT translates 81.X.X.10 to 10.1.1.200.

4. 10.1.1.200 sends SYN ACK to 81.X.X.1. The NAT correctly translates 81.X.X.1 to 10.1.1.100, but fails to translate 10.1.1.200 to 81.X.X.10.

5. PC 10.1.1.100 receives SYN ACK, but from 10.1.1.200. Since the PC never sent a SYN to that address the response is a RST.

6. Server responds with a RST ACK.

You could confirm this with a debug ip nat.

Just using the private server address internally is the easy way out of this. You could also change your NAT pool address to a new public address other than the interface subnet, thereby routing packets in both directions through your ISP and meeting the requirement of traversing the inside and outside NAT interfaces.

Dave

Please rate helpful posts.

shahedvoicerite Sat, 01/20/2007 - 05:17

Hi Dave,

I think your explanation is spot on.

I did do a debug nat, and did see some translations going on.

Are you suggesting that a way out (other than using the internal address, which I am doing anyway) is to give it a public IP address like 82.x.x.10?

Unfortunately, my ISP won't give me more than one block of 16 IP addresses in one subnet.

dgahm Sat, 01/20/2007 - 09:55

What is the subnet mask on Dialer0?

Something like this would work:

Dialer0 81.X.X.1 255.255.255.252

Server NAT public 81.X.X.10

inside NAT Overload 81.X.X.11

By not using the interface address for your NAT overload the server responses would default route to the ISP and come back, allowing NAT to work normally.

Dave

shahedvoicerite Sat, 01/20/2007 - 11:03

Thanks Dave,

The address for Dialer0 is 81.x.x.114 255.255.255.240

My range of 16 IP addresses is 81.x.x.112/28

PCs get NATed using Dialer0's IP (.114).

If I understand your reply correctly, I'll change the inside PCs to use the NAT address .116, and the web server to use .115, and see if that works.

Thanks

Shahed

dgahm Sat, 01/20/2007 - 11:23

Shahed,

Yes, that should work.

Does your default route point to the next-hop address .113, or to Dialer0? If it uses Dialer0 you may need to change it to the ISP's router address, .113.

Dave

shahedvoicerite Sun, 01/21/2007 - 01:23

My default route is to Dialer0.

My router itself is .114, and I don't have anything on .113.

Are you saying I should do something like:

isp.def.gw.xx 0.0.0.0 Dialer0

0.0.0.0 0.0.0.0 isp.def.gw.xx

where isp.def.gw.xx is the IP address of the ISP's default gateway?

Thanks

Shahed

dgahm Sun, 01/21/2007 - 18:21

Shahed,

You can reconfigure your NAT and try it without changing the default route, but sometimes there is an issue with proxy ARP if your default route is like this:

ip route 0.0.0.0 0.0.0.0 dialer0

This is better:

ip route 0.0.0.0 0.0.0.0 81.X.X.113

Since the network address is .112, the first usable address is .113, which is almost surely the address of the interface on the ISP router since they assigned you .114. You could try pinging .113, contact your ISP to be sure, or just change it after hours and see if it works.

Dave

shahedvoicerite Mon, 01/22/2007 - 06:25

Hi Dave,

I tried various things, but still can't seem to get NAT to work both ways.

What I have not done yet is to further subnet my assigned range of 16 IP addresses.

I am attaching an extract of my config, in the hope that maybe you can spot what is wrong.

I also did an Ethereal trace, and when I make a request to the web server's external IP from an internal PC, I see a return from the web server's external address to my internal address with a TCP RST.

The config uses route-maps + ACLs for NAT, because I also have VPN clients, for which I don't want internal servers to be NATed.

All internal PCs are 10.1.1.x

ISP assigned address range is 81.x.x.112/28,

and I chose .14 as the IP address of the router, instead of .13, as earlier I had an external ADSL modem with an IP address of .13.

The web server public address is 81.x.x.115, which is statically NATed to 10.1.10.10

Thanks for any help !!

shahedvoicerite Mon, 01/22/2007 - 07:12

Below is the output of a debug ip nat detail.

I open a browser session from 10.1.1.216 to 81.x.x.115, which is the web server.

Jan 22 15:11:47.701: NAT: map match SDM_RMAP_1
Jan 22 15:11:47.701: NAT: Allocated Port for 10.1.1.216 -> 81.xx.xx.114: wanted 3296 got 3296
Jan 22 15:11:47.701: NAT: i: tcp (10.1.1.216, 3296) -> (81.xx.xx.115, 80) [19883]
Jan 22 15:11:47.701: NAT: s=10.1.1.216->81.xx.xx.114, d=81.xx.xx.115 [19883]
Jan 22 15:11:47.701: NAT: o: tcp (81.xx.xx.115, 80) -> (81.xx.xx.114, 3296) [47308]
Jan 22 15:11:47.701: NAT: s=81.xx.xx.115, d=81.xx.xx.114->10.1.1.216 [47308]

dgahm Mon, 01/22/2007 - 09:05

The config shows you are still using Dialer0 for your inside source dynamic NAT. You need to create a NAT pool with the new address and use that in the NAT statement.

You also need to change your default route to use the next-hop router address. Since the DSL modem is using .113, you will need to determine what this address is. Perhaps .126, which would be the last usable address in the subnet. ISPs usually use the first or last. You may need to contact them.

Dave
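Dave's two suggestions in this post and in his earlier one (overload from a pool address that is not the Dialer0 address, and a default route to the ISP's next hop rather than the dialer interface) written out as an IOS configuration. This is an added example, not the poster's attached config or anything Cisco publishes: it keeps the thread's 81.x.x masking, and the Fa0/1 address 10.1.1.1, the VPN client pool 10.1.2.0/24 and the ISP next hop 81.x.x.113 are assumptions (the thread never confirms the next hop; Dave later suggests it may be .126).

```ios
! Added example based on the thread's addressing; not the poster's own config.
! ASSUMPTIONS: Fa0/1 = 10.1.1.1/24, VPN client pool = 10.1.2.0/24, ISP next hop = 81.x.x.113
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! The web server's 10.1.10.x segment must also be an "ip nat inside" interface
! (its interface is not shown in the thread, so it is not invented here).
!
interface Dialer0
 ip address 81.x.x.114 255.255.255.240
 ip nat outside
!
! One-to-one static mapping for the web server (thread: 81.x.x.115 -> 10.1.10.10)
ip nat inside source static 10.1.10.10 81.x.x.115
!
! Overload from .116, NOT from the Dialer0 address .114. Dave's point: replies the server
! sends to .116 are then default-routed to the ISP and come back in through Dialer0,
! so both the inside and the outside NAT interface are traversed.
ip nat pool OVERLOAD 81.x.x.116 81.x.x.116 netmask 255.255.255.240
ip nat inside source route-map NAT_RMAP pool OVERLOAD overload
!
! Route-map + ACL so traffic to VPN clients is not translated (the design the poster describes)
ip access-list extended NAT_ACL
 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 any
route-map NAT_RMAP permit 10
 match ip address NAT_ACL
!
! Default route to the ISP's next-hop address, not to the dialer interface (avoids the
! proxy-ARP behaviour Dave mentions)
ip route 0.0.0.0 0.0.0.0 81.x.x.113
```

To check the result, open a connection from an inside PC to 81.x.x.115 and look at `show ip nat translations` (there should be one entry for the PC's source port mapped to .116 and the static .115 entry) and at `debug ip nat detailed`, where a reply arriving on the outside interface should now show both its source (.115) and its destination (.116 back to the PC) translated. Note that the thread does not confirm this worked for the original poster, who reports below that it still failed for him; the approach that avoids hairpinning altogether is Scott's split DNS or hosts-file entry, so inside clients never send to the public address.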

shahedvoicerite Tue, 01/23/2007 - 09:36

Unfortunately, I tried all the suggestions above, and still can't seem to get it to work :-(

It seems that the root cause of the problem is that packets from inside are not traversing the "outside" interface, thus causing NAT to behave strangely.

I tried using route-maps, but that also did not help.

If I do manage to get this to work somehow, I'll post my config here :-)

scottmac Sat, 01/20/2007 - 11:03

The "easy" way to fix this can happen two ways:

You can bring up or change your internal (inside) DNS to point to 10.1.1.200 ... and make sure your internal clients use the internal DNS as primary (the internal DNS can also serve addresses on the outside).

If you only have a couple of PCs on the inside, you can add the web server's internal address to the "hosts" file (on WinXP it's located in C:\WINDOWS\SYSTEM32\DRIVERS\ETC).

Either way, systems on the outside can use either the outside address or external DNS name, and inside PCs, using the NAME of the webserver can access without jumping through hoops.

If the DNS names are the same (inside and outside DNS) then there'd be no change in operation ... the same "Favorites" or "Bookmarks" would work from inside or outside.

Good Luck

Scott
