Cisco IOS zone based, Problem with NAT order?

chorl0232
Level 1

Hello,

I'm using a 2811 with one HWIC-2 DSL module as a router-firewall. I want a failover configuration, with Fa0/0 as the primary WAN interface, Dialer0 as backup and one HWIC-4ESW (designated vlan1) as the LAN interface. Fa0/0 has a fixed public IP, Dialer0 has a negotiated IP, and Vlan1 has 10.1.0.1/24.

I'm using SDM 2.4 to configure the firewall, so the firewall created by SDM uses a zone-based design, which is why I can't find much information about my problem. In this configuration I have an in-zone (trusted) and an out-zone (untrusted), with several ACLs set by SDM.

My problem is with NAT order, or so I think. Here is a log of what happened when I start a ping to www.google.es from one host in the LAN segment (10.1.0.232).

000089: *May 24 10:00:21.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000090: *May 24 10:00:21.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000091: *May 24 10:00:22.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=80.58.32.97 (Dialer0), routed via FIB
000092: *May 24 10:00:22.027 UTC: IP: s=83.63.171.52 (Vlan1), d=80.58.32.97 (Dialer0), len 59, dropped by inspect
000093: *May 24 10:00:22.255 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000094: *May 24 10:00:22.255 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000095: *May 24 10:00:22.259 UTC: IP: tableid=0, s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), routed via FIB
000096: *May 24 10:00:22.259 UTC: IP: s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), len 40, sending
000097: *May 24 10:00:23.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000098: *May 24 10:00:23.027 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000099: *May 24 10:00:23.575 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000100: *May 24 10:00:23.575 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000101: *May 24 10:00:23.579 UTC: IP: tableid=0, s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), routed via FIB
000102: *May 24 10:00:23.579 UTC: IP: s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), len 40, sending
000103: *May 24 10:00:25.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000104: *May 24 10:00:25.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect

I'm confused about NAT order; it seems that the outbound packets have a different source address than the destination address of the inbound ones, but I'm not sure about this.

The NAT table seems to be OK:

udp 83.63.171.52:1024 10.1.0.92:1025 80.58.0.33:53 80.58.0.33:53
udp 83.63.171.52:1025 10.1.0.232:1025 66.28.0.45:53 66.28.0.45:53
udp 83.63.171.52:1025 10.1.0.232:1025 80.58.32.97:53 80.58.32.97:53

The result is no ping, no HTTP, etc. from the LAN.

What am I doing wrong?

Thanks in advance,

Ignacio Siles.
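As an added example (not part of the original post, and not a Cisco tool), the following Python script reads the debug output above, pairs each "routed via" line with the verdict line that follows it, and flags packets whose source address changed between the two. That is exactly the pattern in the log: the LAN host 10.1.0.232 has already been translated to 83.63.171.52 by the time inspect drops the packet, while the returning 83.43.71.128 traffic is received normally. It assumes the two-lines-per-packet layout shown in the post; the sample input is a subset of those lines.

```python
import re
from collections import Counter

# Sample input: debug lines copied from the post above (a subset of the log).
DEBUG_LOG = """\
000089: *May 24 10:00:21.031 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=66.28.0.45 (Dialer0), routed via FIB
000090: *May 24 10:00:21.031 UTC: IP: s=83.63.171.52 (Vlan1), d=66.28.0.45 (Dialer0), len 59, dropped by inspect
000091: *May 24 10:00:22.027 UTC: IP: tableid=0, s=10.1.0.232 (Vlan1), d=80.58.32.97 (Dialer0), routed via FIB
000092: *May 24 10:00:22.027 UTC: IP: s=83.63.171.52 (Vlan1), d=80.58.32.97 (Dialer0), len 59, dropped by inspect
000093: *May 24 10:00:22.255 UTC: IP: tableid=0, s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), routed via RIB
000094: *May 24 10:00:22.255 UTC: IP: s=83.43.71.128 (Dialer0), d=83.63.171.52 (Dialer0), len 48, rcvd 3
000095: *May 24 10:00:22.259 UTC: IP: tableid=0, s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), routed via FIB
000096: *May 24 10:00:22.259 UTC: IP: s=83.63.171.52 (local), d=83.43.71.128 (Dialer0), len 40, sending
"""

# One 'debug ip packet detail' line: sequence, source/ingress, destination/egress, verdict.
LINE_RE = re.compile(
    r"^(?P<seq>\d+): .*?IP: (?:tableid=\d+, )?s=(?P<src>[\d.]+) \((?P<in_if>\w+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>\w+)\), (?:len \d+, )?(?P<tail>.+)$"
)

def parse_lines(text):
    """Parse debug lines into dicts keyed by sequence number; unknown lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records[int(m["seq"])] = m.groupdict()
    return records

def pair_packets(records):
    """Join each 'routed via ...' line (source as received, before NAT) with the
    verdict line that follows it (source as the inspect engine saw it)."""
    packets = []
    for seq, r in sorted(records.items()):
        nxt = records.get(seq + 1)
        if not r["tail"].startswith("routed via") or nxt is None \
                or nxt["tail"].startswith("routed via"):
            continue  # not a routing line, or its verdict line is missing
        packets.append({
            "orig_src": r["src"], "seen_src": nxt["src"], "dst": r["dst"],
            "in_if": r["in_if"], "out_if": r["out_if"], "verdict": nxt["tail"],
            "translated": r["src"] != nxt["src"],  # NAT applied before the verdict
        })
    return packets

def summarize(packets):
    """Count (original source, translated?, verdict) so a NAT-then-drop pattern stands out."""
    return Counter((p["orig_src"], p["translated"], p["verdict"]) for p in packets)
```

Run `summarize(pair_packets(parse_lines(DEBUG_LOG)))` on the full log to see every 10.1.0.232 packet counted under (translated, "dropped by inspect") and no untranslated packet from that host at all.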

2 Replies

chorl0232
Level 1

Sorry, forgot to add config file.

One more thing...

DSL line is working properly, ping to www.google.es from inside the router works.

But if I try to ping 66.102.9.147 (www.google.es), or paste the URL in the browser (on host 10.1.0.232), debug ip packet detail shows nothing!

Where are all of these packets? They are displayed properly in the NAT tables, but I can't see what happened to them...
