New Member

Cisco 877 NAT, what am I missing?

Hello,

I'm trying to configure a simple static NAT rule for a webserver on my 877 router but it's not working and I'm not sure why.

I have a nat overload rule based on a route-map for internet access that works fine, so the internet (at least outbound) appears to work.

The router can also ping/telnet to the port on the webserver that I need, so the path is in place.

Essentially the nat rules are:

ip nat inside source static tcp 172.31.33.3 80 dialer0 80

ip nat inside source static tcp 172.31.33.3 443 dialer0 443

I have also tried using the actual external IP address in place of 'dialer0' but to no avail.

I can see the actual NAT translations appear in 'show ip nat translations'.

The default gateway for 172.31.33.3 is actually the router, 172.31.33.2, so it's only 1 hop. I have an allow any rule on the dialer interface at the moment for testing, there is no ACL on the vlan interface (with ip 172.31.33.2).

Is there something I am missing? How best to debug this? Are there NAT debug commands (I couldn't see any)?

24 REPLIES
Purple

Hi,

You should do this:

ip nat inside source static tcp 172.31.33.3 80 dialer0 80

ip nat inside source static tcp 172.31.33.3 443 dialer0 443

Concerning the debug: debug ip nat

Regards.

Alain

Don't forget to rate helpful posts.
New Member

My apologies, that's actually a typo as I re-wrote the command rather than copying them.

I've updated the original post. I'll investigate the nat debugging and post some results.

New Member

Well, upon using the debug command it seemed the NAT rule is working; it's just not communicating properly with its intended destination.

I tested out connecting up a device onto the router with a subnet/vlan unique to that device and the nat rule worked fine to that, I could access it externally.

So now I'm left with working out why it's not connecting. The 172.31.33.3 address is routed to a different router first. I can access both the other router and the destination IP/ports from the NATing router. My only ACL on the NATing router that is in place currently is a permit ip any any rule on the external interface and a NAT overload route-map group for internet access.

Could it be ACLs on the original router? (There are a few on there: NAT overload rules and outbound/inbound restrictions on the dialer interface. I'm moving it over to the new router.) Do I need to add an ACL somewhere, something like a 'permit tcp any host 172.31.33.3 80' on the old router?

How do I best debug this?

Thank you.

Bronze

Do the other routers involved in this have a route to your subnet?

Eugen

New Member

Yeah, I can ping from the webserver to both routers, and other subnets on both routers. I also tried setting up a NAT rule to another subnet on the 2nd router but the same thing happened (and there is proper connectivity there).

It's something to do with NATing to that other router it seems. Any debugging tips?

Bronze

If I understand correctly, your setup is like this:

WebServer(your local LAN) -->router-->router-->router-->PC(destination LAN). Is this assumption correct?

New Member

Not quite, it's like this (where the dot is the interface it comes in/goes out on and the @ is the nat rule):

WebServer-->Subint.Router.Subint-->VlanIP.Router@.ADSL(Static IP)--->Internet--->RemoteClient

So it should go, for example:

Client types in http://1.2.3.4

1.2.3.4-->External ADSL Interface (Rtr1)-->NAT 172.31.33.3--->Route to 172.31.14.1 (int on Rtr2)--->Route to 172.31.33.1 (subint on Rtr2)--->Send to webserver

Bronze

You have only 2 routers between server and Internet, is that correct?

I assume that all subnets have /24 mask, is that correct?

Your server has an ip in 172.31.33.0 subnet with default gateway of 172.31.33.1, is that correct?

New Member

Yes, all subnets are /24.

And yes, that's the IP and gateway setup I'm using.

2 Routers total

Bronze

Does this look like your setup?

New Member

Almost. The 172.31.33.3 address isn't actually on the interface on the ADSL router; that's the webserver IP address (instead of 172.31.33.10). I may have misled you above, as I stated that it NATs to that in the diagram, but I meant more that's where the NAT rule is. The inside interface of the ADSL router is 172.31.14.248 (the vlan 1 IP address), which is how it talks to the 2nd router.

So in that diagram if you replace 172.31.33.3 with 172.31.14.248 and replace 172.31.33.10 with 172.31.33.3 then that's the setup, with the NAT rule on the ADSL router.

I am able to NAT across an intermediary router right?

Bronze

Ok.

Try this on ADSL

ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)

ip route 172.31.33.0 255.255.255.0 172.31.14.1

ip nat inside source static 172.31.33.3 x.x.x.x (public ip on outside int)

On LAN router

ip route 0.0.0.0 0.0.0.0 172.31.14.248

New Member

Yes the outside interface is the dialer interface and the inside interfaces are the VLANs on the router

eugen barticel wrote:

Ok.

Try this on ADSL

ip route 0.0.0.0 0.0.0.0 dialer0 (or outside int)

ip route 172.31.33.0 255.255.255.0 172.31.14.1

ip nat inside source static 172.31.33.3 x.x.x.x (public ip on outside int)

On LAN router

ip route 0.0.0.0 0.0.0.0 172.31.14.248

Ah, I see what you did there...

Yes this actually makes it work, once I add the default route on the other router (everything else was always in place). It would seem the packets are not going in the same path as they are going out.

However, the whole reason we got this new router is so that we could set the default route on the other router to be our production ASA (this 2nd router is a redundancy link and will be used for VPN), so this doesn't suit my needs.

However, as we now know the problem, how can I get around it?

Could I, for example, change the NAT rule to be something like 172.31.34.3, make a subinterface on the 2nd router with that IP, mark it as 'ip nat outside', then NAT from 172.31.34.3 to 172.31.33.3 on the 2nd router? So you basically nat to hop to the first router, then nat to hop to the webserver. Is my logic off here?

Bronze

Which router are you going to use for VPN? ADSL or LAN?

If you don't want a default route on the LAN router you can create a more specific static route:

ip route 172.31.33.3 255.255.255.255 172.31.14.248 and then use acl to permit or block other ip addresses

New Member

The VPN will go on the ADSL router (the one with the NAT rule).

We do want a default route on the LAN router, but we want it to be to our production ASA (which has our links to other sites and our main internet feed). That's why I was saying you have a NAT rule on a dummy IP on the LAN router, so that you can follow the same path out as it comes in (is that possible?).

Can you please explain how that route would work (you put it on the LAN router, I assume)? Wouldn't that just cause a routing problem, as it would send packets destined for 172.31.33.3 to the wrong router?

Bronze

Yes. For both static and default routes on the LAN router, change 172.31.14.248 to match the IP of the ASA, and then the ASA will forward it.

New Member

Sorry I'm not exactly sure what you mean. Are you saying set the default route of the LAN router to be to the ASA, and then put a route in the ASA like this:

172.31.33.3 255.255.255.255 172.31.14.248.

So this would mean the full path would be:

Client-->Internet-->ADSL Router-->Lan Router-->Web Server-->Lan Router-->ASA-->Lan Router-->ADSL Router-->Internet-->Client

Or do you mean something completely different?

Bronze

There are 2 options for going from client to server:

1. client -->internet-->adsl-->lan-->webserver  -this is like my topology

2. client -->internet-->adsl-->asa-->lan-->webserver  -if you need to use the ASA and it is between LAN and ADSL, you need to configure it accordingly.

New Member

Hmmm. I can see how they are both done, but I was hoping more along the lines of having the default route for the LAN router be to the ASA, but with traffic coming in via the ADSL NATing to the webserver and then going back out via the ADSL, not going to the ASA.

Would my double NAT idea work do you think?

Bronze

Only for server access you can use:

client -->internet -->adsl -->lan -->webserver

For all other traffic:

clients -->internet -->adsl -->asa -->lan --pc

New Member

I'm not entirely sure what you mean by that...

Just to clarify: I don't want the traffic coming in via the ADSL to go to the ASA; I just want the default route to go there.

Traffic going to the webserver from the ADSL I want to route back out the way it came in.

Bronze

That's what I meant. Your traffic for the default route goes to the ASA, and all traffic coming to the webserver goes directly to it without the ASA.

On the LAN router you will have:

ip route 0.0.0.0 0.0.0.0 ASA ip

ip route 172.31.33.3 255.255.255.255 ADSL ip

On the ADSL router you will have:

an ACL to permit traffic for the webserver going out the interface connected to the LAN router,

and another ACL to direct all other traffic to the ASA.

New Member

I added the route on the LAN router as follows:

ip route 172.31.33.3 255.255.255.255

But it had no effect. The 172.31.33.3/24 subnet is locally connected to the LAN router so wouldn't that take precedence?

Besides, correct me if I'm wrong, but the problem is outbound: I think it reaches the webserver fine, but then when the packet goes back out it goes back out the wrong way. As such I need to change the outbound packet's destination.

Can I write an outside NAT rule somehow to modify the source IP on the inbound packet to be the outside local address (i.e. the ADSL IP) rather than the outside global address? Then a simple 255.255.255.255 route would fix that.
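Added illustration, not from anyone in this thread: a longest-prefix-match lookup over constructed routing tables modelled on the two-router topology above, showing why the /32 host route for the webserver on the LAN router leaves the reply path unchanged. The public IP 1.2.3.4 is the thread's example; the client address 203.0.113.5 and the table contents are assumed.

```python
import ipaddress

# Constructed model of the thread's topology: the webserver sits behind the LAN
# router, which reaches the ADSL (NAT) router at 172.31.14.248. The public IP
# 1.2.3.4 is the thread's example; the client address 203.0.113.5 is assumed.
CLIENT = "203.0.113.5"
PUBLIC_IP = "1.2.3.4"
WEBSERVER = "172.31.33.3"

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# LAN router as the working suggestion leaves it: default route to the ADSL router.
LAN_DEFAULT_TO_ADSL = [
    ("0.0.0.0/0", "ADSL"),
    ("172.31.33.0/24", "connected"),
    ("172.31.14.0/24", "connected"),
]
# LAN router as the poster wants it: default route to the ASA plus the /32
# host route for the webserver that was tried in the thread.
LAN_DEFAULT_TO_ASA = [
    ("0.0.0.0/0", "ASA"),
    ("172.31.33.0/24", "connected"),
    ("172.31.14.0/24", "connected"),
    ("172.31.33.3/32", "ADSL"),
]

def reply_path(lan_table):
    """Trace the webserver's reply to the client through the LAN router.

    Returns (hops, symmetric). The reply is only translated back to 1.2.3.4
    if it reaches the ADSL router, which holds the NAT state for the flow.
    """
    hops = ["webserver", "LAN"]
    next_hop = lookup(lan_table, CLIENT)  # keyed on the client, not the server
    if next_hop == "ADSL":
        hops += ["ADSL(src %s -> %s)" % (WEBSERVER, PUBLIC_IP), "internet", "client"]
        return hops, True
    hops.append(next_hop)  # the ASA has no NAT state for this flow; reply is lost
    return hops, False
```

The reply lookup is keyed on the client's address, so a route for the webserver's own address only affects inbound packets, which were already arriving correctly.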

New Member

This might be a stupid question, but you have 'ip nat inside' and 'ip nat outside' on your interfaces, right?
