Cisco NAT issue

matta_ralph
Level 1

Hi,

I am setting up a simple NAT router between a private network (172.16.0.0) and a public network (10.2.0.0).

The Nat part works, except that the router is blocking UDP from coming from WAN (10.2.0.0) to LAN (172.16.0.0). Only TCP is allowed to come inside. I would like to allow udp ports 8000 9000 to enter from wan to lan.

I tried using these commands without any success:

access-list 102 permit udp any range 8000 9000 any range 8000 9000

ip nat inside source list 102 interface fa0/1

Here is my current configuration:

NAT_TEMP#sh run
NAT_TEMP#sh running-config
Building configuration...

Current configuration : 969 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname NAT_TEMP
!
enable password cisco
!
ip subnet-zero
!
!
ip dhcp excluded-address 172.16.0.0 172.16.1.99
ip dhcp ping packets 5
!
ip dhcp pool dhcp
 network 172.16.0.0 255.255.0.0
 domain-name NAT_TEMP
 default-router 172.16.1.1
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.0.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.2.240.2 255.255.0.0
 ip nat outside
 duplex auto
 speed auto
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
ip http server
no ip pim bidir-enable
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
dial-peer cor custom
!
!
!
!
line con 0
 password cisco
line aux 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
end

Thanks for your help

Ralph

9 Replies

gpulos
Level 8

First off, 10.2.0.0 is technically considered a private address, as this falls within the Class A private address range as defined in RFC 1918.

IP scheme design wise, no NATting should be required between these two networks, 172.16.0.0 & 10.2.0.0.

see this link for more info:

http://www.rfc-archive.org/getrfc.php?rfc=1918

You seem to have NAT set up, but I see no ACL to allow/deny traffic between the interfaces. It seems you may be missing some configuration. You may want to try something such as the following:

access-list 101 permit tcp 172.16.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 101 permit tcp 10.2.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 101 permit udp 172.16.0.0 0.0.255.255 range 8000 9000 10.2.0.0 0.0.255.255
access-list 101 permit udp 10.2.0.0 0.0.255.255 172.16.0.0 0.0.255.255 range 8000 9000

ip access-group 101 in (set on appropriate interface(s))

5d-swan
Level 1

Ralph

It looks like you have not given the traffic anywhere to go. If you want the UDP traffic to come into your network (initiated from the outside, not a response to something on the inside), you need to have a static NAT entry saying which IP address on the 172.16.0.0 network you want it to be NATed to.

If you enter something like:

ip nat inside source static udp 172.16.1.10 8000 int f0/1 8000

Anything going to the IP address of interface f0/1 udp port 8000 will be NATed to 172.16.1.10 udp port 8000

Good luck :-)

Thank you for your reply,

If I use this command, I have to do it for each port (8000 to 9000). So I used the following which still did not work:

access-list 102 permit udp any range 8000 9000 any range 8000 9000

ip nat inside source list 102 interface fa0/1

Thanks

I found out the origin of the problem.

It is this command that was blocking UDP:

ip nat inside source list 1 interface FastEthernet0/1 overload

With:

access-list 1 permit 192.168.1.0 0.0.0.255

To my surprise, removing it caused UDP to pass from WAN to LAN (response to something on the inside).

The question is WHY?

This is the PAT behavior. In order to allow access from outside to inside you have to add another static NAT entry.

Let me know if you need further explanation,

Thank you

Yes please, I need clarifications. You say it is a PAT issue. In the command, I tell the router to forward packets from the outside to the inside using the allowed private address range of addresses.

Is the PAT caused by the "overload", if so why is it blocking UDP from WAN to LAN?

Thank you

Ralph

Well, in order to allow access from outside to inside while enabling NAT with overload on the router, you need a static NAT entry for the internal host or hosts. Below you can find a sample:

ip nat inside source static InternalIP publicIP

no need for ACL

This would allow the access from outside to inside,

Try it and let me know if works,

Sorry this was a quick reply coz I got to jump into a meeting,

Regards,
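The behaviour the two replies above describe (dynamic PAT only translates outside-to-inside packets that belong to a flow an inside host started; a static entry also admits unsolicited ones) can be checked with a small model of the router's translation lookup. This is an added example, not code from the thread and not Cisco's implementation: the router address 10.2.240.2 and ACL 172.16.1.0/24 are taken from the posted config, while the peer 10.2.5.5, the inside hosts 172.16.1.10/.11/.20, the second global address 10.2.240.3, the port-preserving allocation policy and the absence of translation timeouts are constructed assumptions.

```python
"""Toy model of a Cisco-style NAT/PAT translation lookup (added example).

Assumptions (not from the thread): one 'ip nat outside' address, the inside
ACL given as a single prefix, PAT that keeps the inside source port when it is
free and otherwise takes the next free port from 1024 up, and no entry ageing.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Translation lookup of a router with one 'ip nat outside' interface."""

    def __init__(self, outside_ip: str, inside_net: str) -> None:
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)   # 'access-list 1 permit ...'
        self.static_hosts: dict = {}    # 'ip nat inside source static L G': G -> L
        self.static_ports: dict = {}    # (proto, global_port) -> (local_ip, local_port)
        # Dynamic PAT table, filled ONLY by inside-initiated flows:
        # (proto, global_port, remote_ip, remote_port) -> (local_ip, local_port)
        self.dynamic: dict = {}

    def add_static_host(self, local_ip: str, global_ip: str) -> None:
        self.static_hosts[global_ip] = local_ip

    def add_static_port(self, proto: str, local_ip: str, local_port: int,
                        global_port: int) -> None:
        # 'ip nat inside source static udp LOCAL LPORT interface <outside> GPORT'
        self.static_ports[(proto, global_port)] = (local_ip, local_port)

    def _free_port(self, proto: str, wanted: int) -> int:
        used = {gp for (pr, gp, *_rest) in self.dynamic if pr == proto}
        used |= {gp for (pr, gp) in self.static_ports if pr == proto}
        if wanted not in used:
            return wanted
        gport = 1024
        while gport in used:
            gport += 1
        return gport

    def inside_to_outside(self, pkt: Packet) -> Optional[Packet]:
        """Outbound packet after translation; None = sent untranslated (ACL miss)."""
        for gip, lip in self.static_hosts.items():          # static entries first
            if pkt.src_ip == lip:
                return replace(pkt, src_ip=gip)
        for (proto, gport), (lip, lport) in self.static_ports.items():
            if (proto, lip, lport) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.outside_ip, src_port=gport)
        if ipaddress.ip_address(pkt.src_ip) not in self.inside_net:
            return None                                      # 'access-list 1' does not match
        for (proto, gport, rip, rport), (lip, lport) in self.dynamic.items():
            if (proto, rip, rport, lip, lport) == (pkt.proto, pkt.dst_ip, pkt.dst_port,
                                                   pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.outside_ip, src_port=gport)
        gport = self._free_port(pkt.proto, pkt.src_port)    # create the PAT entry
        self.dynamic[(pkt.proto, gport, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.outside_ip, src_port=gport)

    def outside_to_inside(self, pkt: Packet) -> Optional[Packet]:
        """Inbound packet after translation; None = no entry, not forwarded to the LAN."""
        if pkt.dst_ip == self.outside_ip:
            hit = self.static_ports.get((pkt.proto, pkt.dst_port))
            if hit is None:   # dynamic entries are keyed on the full remote endpoint
                hit = self.dynamic.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
            return None if hit is None else replace(pkt, dst_ip=hit[0], dst_port=hit[1])
        if pkt.dst_ip in self.static_hosts:
            return replace(pkt, dst_ip=self.static_hosts[pkt.dst_ip])
        return None


def demo() -> dict:
    """Replay the thread's two configurations; peer and host addresses are constructed."""
    wan_host, results = "10.2.5.5", {}
    r = NatRouter(outside_ip="10.2.240.2", inside_net="172.16.1.0/24")
    # 1. Overload (PAT) only, nothing inside has spoken: unsolicited UDP 8000 has no entry.
    results["pat_unsolicited"] = r.outside_to_inside(Packet("udp", wan_host, 8000, "10.2.240.2", 8000))
    # 2. An inside host initiates; the PAT entry for that flow is created on the way out.
    out = r.inside_to_outside(Packet("udp", "172.16.1.10", 8000, wan_host, 8000))
    results["pat_outbound"] = out
    # 3. The reply to that flow matches the entry and is translated back to the host.
    results["pat_reply"] = r.outside_to_inside(Packet("udp", wan_host, 8000, "10.2.240.2", out.src_port))
    # 4. A second host using the same source port gets a different global port.
    results["pat_second_host_port"] = r.inside_to_outside(
        Packet("udp", "172.16.1.11", 8000, wan_host, 8000)).src_port
    # 5. A host outside 'access-list 1' (the DHCP pool is /16, the ACL /24) is not translated.
    results["acl_miss"] = r.inside_to_outside(Packet("udp", "172.16.2.5", 5000, wan_host, 53))
    # 6. Static port entry: unsolicited UDP 9000 is now forwarded to 172.16.1.10.
    r.add_static_port("udp", "172.16.1.10", 9000, 9000)
    results["static_port"] = r.outside_to_inside(Packet("udp", wan_host, 8000, "10.2.240.2", 9000))
    # 7. Static host entry on a second global address: any port reaches 172.16.1.20.
    r.add_static_host("172.16.1.20", "10.2.240.3")
    hit = r.outside_to_inside(Packet("udp", wan_host, 40000, "10.2.240.3", 8500))
    results["static_host"] = (hit.dst_ip, hit.dst_port)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Case 5 is worth noting against the posted config: access-list 1 only permits 172.16.1.0/24, while the DHCP pool hands out the whole 172.16.0.0/16, so a client that lands outside the first /24 would leave the router untranslated.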

Any news?

Hello,

It is not working.

All I configured on the router is:

Interfaces:

ip nat inside

ip nat outside

ip nat inside source static 192.168.1.103 10.2.240.1 (outside router interface).

This way, nothing is coming in or going out.

The only working configuration is the following, but in this case it is not letting UDP go in from WAN to LAN:

ip nat inside source list 1 interface fa0/1 overload

where list 1 is:

access-list 1 permit 192.168.1.0 0.0.0.255

Thank you for your reply.

RM
