We are running NAT overloaded on a 2610, IOS 12.0(7). The external interface is m.n.o.21. 1 global IP (m.n.o.25) is static natted to our mail server on port 25. Our default route =Ser 0/0, network m.n.o.0, next hop = m.n.o.22. This has worked well to date, allowing inbound and outbound mail, but not allowing connections to originate inbound.
Today, we are trying to open an inbound hole using the following ACL on ser 0/0 in:
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit icmp any any traceroute
permit icmp any any unreachable
deny icmp any any
permit tcp any any established
permit udp any any
The problem arises when I try to ping my mail server. I can see the echo requests at my 2620, but the ping dies by TTL expiration. When I run a traceroute from an external location I see the echo request hitting my router interface, then being routed back to the ISP, then back to my router, etc. until TTL expires.
As near as I can figure, my router cannot route to network m.n.o.0, because that net is not connected, so it forwards the packet to the ISP's router... Is there a way to force the router to pass these packets to NAT? Am I trying to accomplish something that can't be done?
Beth, as mentioned below, I think the 'helper' route fixed the prob. I haven't run any ICMP debugs (tried to debug ip packets & hung the router). I'm relatively new to routing config and my knowledge of debug is scary. The IOS is 12.0(7)XK1, early deployment release.
If you have a static NAT translation from the single public IP address to your mail server's internal IP address, then you should be able to ping the mail server from outside, assuming you own the address space that you're using for the public address. Take a look at your routing tables and see where your router thinks this network is. You may be able to define a more granular static route, or find there is no NAT happening between the addresses. You have just explained the dreaded routing loop. Now we just need to find out what is causing it. Make sure your subnetting and the ISP's is correct for your address space. Also look at the NAT translations ("sho ip nat stat", "sho ip nat trans") to see if the issue is not there.