785 Views, 0 Helpful, 6 Replies

Cisco router 831 NAT issue

chicagotech, Level 1

I am trying to configure a Cisco 831 router to open port 3389 for TS. The TS in the LAN is 172.16.5.2 and the WAN port IP is 192.168.10.70. I added "ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable", but can't access the TS from 192.168.10.100. This is the result of "show ip nat translation":

Pro Inside global       Inside local       Outside local        Outside global
tcp 192.168.10.70:3389  172.16.5.2:3389    ---                  ---
tcp 192.168.10.70:3389  172.16.5.2:3389    192.168.10.100:2175  192.168.10.100:2175

This is the configuration:

version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 831
!
logging buffered 52000 debugging
!
clock timezone America/Chicago -6
clock summer-time America/Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip domain name cisco.com
ip name-server 4.2.2.1
ip dhcp excluded-address 172.16.5.1 172.16.5.9
ip dhcp excluded-address 172.16.5.51 172.16.5.254
!
ip dhcp pool sdm-pool1
 network 172.16.5.0 255.255.255.0
 default-router 172.16.5.1
 dns-server 4.2.2.1
!
!
no ip bootp server
ip inspect name sdm_ins_in_100 cuseeme
ip inspect name sdm_ins_in_100 ftp
ip inspect name sdm_ins_in_100 h323
ip inspect name sdm_ins_in_100 netshow
ip inspect name sdm_ins_in_100 rcmd
ip inspect name sdm_ins_in_100 realaudio
ip inspect name sdm_ins_in_100 rtsp
ip inspect name sdm_ins_in_100 smtp
ip inspect name sdm_ins_in_100 sqlnet
ip inspect name sdm_ins_in_100 streamworks
ip inspect name sdm_ins_in_100 tftp
ip inspect name sdm_ins_in_100 tcp
ip inspect name sdm_ins_in_100 udp
ip inspect name sdm_ins_in_100 vdolive
ip inspect name sdm_ins_in_100 icmp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 172.16.5.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
interface Ethernet1
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 192.168.10.70 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect sdm_ins_in_100 in
 duplex auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.1 permanent
ip http server
ip http authentication local
ip http secure-server
!
access-list 1 permit 172.0.0.0 0.255.255.255
no cdp run
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
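The translation table in the post already tells a story: the first row is the static mapping itself (no outside endpoints), and the second row is a session the router built for 192.168.10.100, which proves the inbound SYN was translated and forwarded. Reading that by eye gets tedious on a router with many mappings, and every static port-forward is also an exposed service worth inventorying. The script below is an added example, not code from the original thread: it parses `show ip nat translations` output, groups rows by mapping, lists the outside peers hitting each static port-forward, and flags well-known remote-access ports. The sample text is the table the poster pasted; the function names and the RISKY_PORTS table are assumptions for illustration.

```python
"""Parse Cisco IOS 'show ip nat translations' output and summarize each
static port-forward with the outside peers currently hitting it.

Added example; not from the original thread. SAMPLE is the poster's table;
the helper names and RISKY_PORTS are assumed.
"""
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input, copied from the poster's 'show ip nat translation' output.
SAMPLE = """\
831#sh ip nat trans
Pro Inside global      Inside local       Outside local       Outside global
tcp 192.168.10.70:3389 172.16.5.2:3389    ---                 ---
tcp 192.168.10.70:3389 172.16.5.2:3389    192.168.10.100:2175 192.168.10.100:2175
"""

# Inside-global ports that deserve a second look when statically exposed
# (assumed list for illustration; tune it to your own policy).
RISKY_PORTS = {3389: "RDP", 23: "telnet", 445: "SMB", 22: "SSH"}


@dataclass
class Translation:
    proto: str
    inside_global: str
    inside_local: str
    outside_local: Optional[str]   # None when IOS prints '---'
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        # The static mapping itself is listed without outside endpoints; rows
        # that carry outside endpoints are sessions created through it.
        return self.outside_local is None and self.outside_global is None


@dataclass
class PortForward:
    proto: str
    inside_global: str
    inside_local: str
    static: bool = False
    peers: List[str] = field(default_factory=list)   # outside-global endpoints seen


def _endpoint(tok: str) -> Optional[str]:
    return None if tok == "---" else tok


def parse_nat_translations(text: str) -> List[Translation]:
    """Return one Translation per table row; prompt and header lines are skipped."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        # A plain (non-port) static entry prints '---' in the Pro column.
        if len(parts) != 5 or parts[0].lower() not in ("tcp", "udp", "icmp", "---"):
            continue
        proto, ig, il, ol, og = parts
        rows.append(Translation(proto.lower(), ig, il, _endpoint(ol), _endpoint(og)))
    return rows


def summarize(rows: List[Translation]) -> Dict[Tuple[str, str, str], PortForward]:
    """Group rows by (proto, inside global, inside local), keeping table order."""
    out: Dict[Tuple[str, str, str], PortForward] = OrderedDict()
    for r in rows:
        key = (r.proto, r.inside_global, r.inside_local)
        pf = out.setdefault(key, PortForward(r.proto, r.inside_global, r.inside_local))
        if r.is_static:
            pf.static = True
        elif r.outside_global:
            pf.peers.append(r.outside_global)
    return out


def port_of(endpoint: str) -> Optional[int]:
    """'A.B.C.D:port' -> port; a bare address has no port."""
    _host, sep, port = endpoint.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def report(text: str) -> List[str]:
    lines = []
    for pf in summarize(parse_nat_translations(text)).values():
        kind = "static port-forward" if pf.static else "dynamic"
        line = f"{pf.proto} {pf.inside_global} -> {pf.inside_local} ({kind})"
        svc = RISKY_PORTS.get(port_of(pf.inside_global))
        if svc:
            line += f", exposes {svc}"
        if pf.peers:
            # The router built sessions for these peers, so their packets were
            # translated and forwarded; a connection that still fails points at
            # the inside host (its firewall or reply path), not at the NAT rule.
            line += f"; inbound peers: {', '.join(pf.peers)}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE):
        print(line)
```

Run it against the pasted output and the one mapping is reported as a static port-forward exposing RDP with 192.168.10.100:2175 as an inbound peer, which is exactly the state the thread is debugging: the NAT rule is doing its job and the missing piece is on the host side.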


6 Replies

Can you modify the static NAT as follows to point to the interface (e1) instead of the IP address. I have seen issues when the NAT is configured to use the IP address that's already configured on an interface.

no ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable

ip nat inside source static tcp 172.16.5.2 3389 ethernet1 3389 extendable

HTH

Sundar

Thank you for the reply. We have some issues here.

1. When trying to do "no ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable", I receive the message "Entry in use, cannot delete". I tried to use the command "clear ip nat translation *" to clear the translation, but still cannot delete it. What I did to delete it was use SDM.

2. When trying "ip nat inside source static tcp 172.16.5.2 3389 ethernet1 3389 extendable", I receive this message:

ip nat inside source static tcp 172.16.5.2 3389 ethernet1 3389 extendable
^ (pointing to Ethernet)
% Invalid input detected at '^' marker.

3. If I try "ip nat inside source static tcp 172.16.5.2 3389 interface ethernet1 extendable", I receive this message:

ip nat inside source static tcp 172.16.5.2 3389 interface ethernet1 3389 extendable
^ (pointing to extendable)

4. Finally, it takes "ip nat inside source static tcp 172.16.5.2 3389 interface ethernet1 3389". However, I still can't access 172.16.5.2 using port 3389. Here is the ip nat translation:

831#sh ip nat trans
Pro Inside global       Inside local       Outside local        Outside global
tcp 192.168.10.70:3389  172.16.5.2:3389    ---                  ---
tcp 192.168.10.70:3389  172.16.5.2:3389    192.168.10.100:3482  192.168.10.100:348

Any suggestions for the above issues?

Hi

A couple of simple things to test:

Can you ping 172.16.5.2 from the router?

Is 172.16.5.2 a Windows XP SP2 machine? If yes, make sure its firewall is allowing inbound 3389, or you can turn it off and try to see if that resolves the issue.

Muhammad

1. Yes, I can ping 172.16.5.2 from the router. This is the result:

831#ping 172.16.5.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.5.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

2. I have two Windows 2003 servers (172.16.5.2 and 172.16.5.10) without any firewall/RRAS/NAT enabled. They can access each other using TS without any issues.

3. I also tried to configure NAT using the IP 172.16.5.10 (ip nat inside source static tcp 172.16.5.10 3389 interface ethernet1 3389). Same result.

Any other suggestions?

Hi

ip nat inside source list 1 interface Ethernet1 overload

ip nat inside source static tcp 172.16.5.2 3389 192.168.10.70 3389 extendable

Your problem is that dynamic NATting is taking over the static NAT translation.

Try to define your pool to exclude those two servers from dynamic NATting; then it should work.

Check this link:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_q_and_a_item09186a00800e523b.shtml#qa17

Hope this helps

Thanks

Raj
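The overlap Raj is pointing at is visible in the posted config: access-list 1 permits 172.0.0.0 0.255.255.255, so the statically mapped servers are also eligible for the dynamic overload rule. Whether that overlap matters on a given IOS release is a separate question, but checking which hosts a NAT ACL actually covers is something worth automating, because wildcard masks are easy to misread. The script below is an added example, not code from the thread or from Cisco: it evaluates an IOS standard access list (first match wins, implicit deny at the end, `host` and `any` keywords) and reports which statically mapped hosts the dynamic NAT list still permits. POSTED_ACL reproduces the poster's access-list 1; NARROWED_ACL is an assumed alternative that carves the two servers out with `deny` entries placed ahead of the `permit`, and the function names are assumptions.

```python
"""Evaluate an IOS standard access list (address + wildcard mask, first match
wins, implicit deny) to see which inside hosts a dynamic NAT rule will take.

Added example; not from the original thread. POSTED_ACL is the poster's
access-list 1; NARROWED_ACL and the helper names are assumed.
"""
import ipaddress
from typing import List, Tuple

# access-list 1 as posted: every 172.x.x.x host is eligible for dynamic PAT.
POSTED_ACL = """\
access-list 1 permit 172.0.0.0 0.255.255.255
"""

# Assumed alternative that excludes the two statically mapped servers from the
# dynamic rule. IOS evaluates entries in order, so the deny lines must come
# before the permit; the permit is also tightened to the actual LAN subnet.
NARROWED_ACL = """\
access-list 1 deny host 172.16.5.2
access-list 1 deny host 172.16.5.10
access-list 1 permit 172.16.5.0 0.0.0.255
"""

Entry = Tuple[str, int, int]   # (action, network as int, wildcard mask as int)


def parse_standard_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny <addr> [wildcard] | host <addr> | any' lines."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[2] not in ("permit", "deny"):
            continue
        action, rest = parts[2], parts[3:]
        if rest[0] == "host":                       # 'host A.B.C.D' == wildcard 0.0.0.0
            addr, wild = rest[1], "0.0.0.0"
        elif rest[0] == "any":                      # 'any' == 0.0.0.0 255.255.255.255
            addr, wild = "0.0.0.0", "255.255.255.255"
        else:
            addr = rest[0]
            wild = rest[1] if len(rest) > 1 else "0.0.0.0"   # bare address == host
        entries.append((action,
                        int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild))))
    return entries


def acl_action(entries: List[Entry], ip: str) -> str:
    """First matching entry wins; no match is an implicit deny."""
    target = int(ipaddress.IPv4Address(ip))
    for action, net, wild in entries:
        # A wildcard bit of 1 means 'don't care'; only the 0 bits are compared.
        care = ~wild & 0xFFFFFFFF
        if target & care == net & care:
            return action
    return "deny"


def dynamic_nat_covers(acl_text: str, static_hosts: List[str]) -> List[str]:
    """Return the statically mapped hosts that the dynamic NAT ACL also permits."""
    entries = parse_standard_acl(acl_text)
    return [h for h in static_hosts if acl_action(entries, h) == "permit"]


if __name__ == "__main__":
    servers = ["172.16.5.2", "172.16.5.10"]
    print("posted ACL covers:  ", dynamic_nat_covers(POSTED_ACL, servers))
    print("narrowed ACL covers:", dynamic_nat_covers(NARROWED_ACL, servers))
```

With the posted list both servers come back as covered; with the narrowed list neither does, while an ordinary LAN client such as 172.16.5.20 is still permitted and anything outside 172.16.5.0/24 falls through to the implicit deny.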

OK, finally fixed it. There is nothing wrong with the Cisco configuration. It is because the TS is a multihomed computer. Disabling one NIC and keeping the 172 subnet only works. Thank you very much.
