Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT, ACLs

We are running NAT overloaded on a 2610, IOS 12.0(7). The external interface is m.n.o.21. 1 global IP (m.n.o.25) is static natted to our mail server on port 25. Our default route =Ser 0/0, network m.n.o.0, next hop = m.n.o.22. This has worked well to date, allowing inbound and outbound mail, but not allowing connections to originate inbound.

Today, we are trying to open an inbound hole using the following ACL on ser 0/0 in:

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any packet-too-big

permit icmp any any traceroute

permit icmp any any unreachable

deny icmp any any

permit tcp any any established

permit udp any any

The problem arises when I try to ping my mail server. I can see the echo requests at my 2620, but the ping dies by TTL expiration. When I run a traceroute from an external location I see the echo request hitting my router interface, then being routed back to the ISP, then back to my router, etc. until TTL expires.

As near as I can figure, my router cannot route to network m.n.o.0, because that net is not connected, so it forwards the packet to the ISP's router... Is there a way to force the router to pass these packets to NAT? Am I trying to accomplish something that can't be done?

Thanks for any help / insight

Chris Byrnes

Net. Admin.

4 REPLIES
Bronze

Re: NAT, ACLs

Can you post your icmp debugs (just edit the IP’s to your m.n.o.x style)? The show version would be helpful also. I was searching for bugs and found a few but don’t have enough version info to go on.

New Member

Re: NAT, ACLs

Beth, as mentioned below, I think the 'helper' route fixed the prob. I havn't run any ICMP debugs ( tried to debug ip packets & hung the router ) I'm relatively new to routing config and my knowlege of debug is scary. The IOS is 12.0(7)XK1, early deployment release.

Thanks

Chris

New Member

Re: NAT, ACLs

If you have a static NAT translation from the single public IP address to your mail servers internal IP address then you should be able to ping the mail server from outside assuming you own the address space that your using for the public address. Take a look at your routing tables and see were your router thinks this network is. You may be able to define a more granular static route or find there is no nat happening between the addresses. You have just explained the dreaded routing loop. Now we just need to find out what is causing it. Make sure your subnetting and the ISP's is correct for your address space. Also look at the NAT translations " sho ip nat stat, sho ip nat trans." to see if the issue is not there.

Hope this helps.

Alan

New Member

Re: NAT, ACLs

I recognized the loop, but didn't know how to fix it. I added a static 'helper' route to the table: m.p.q.128 255.255.255.248 FA0/0. This did the trick.

I also deleted all my ACLs. Am now in the process of trying to set them up again, but at this point, pings from an outside source die at my inbound ser interface. ( is this a function of NAT ? )

My NAT config is listed below:

ip nat pool xlate m.n.o.110 m.n.o.110 netmask 255.255.255.252

ip nat inside source list 1 interface Serial0/0.1 overload

ip nat inside source static tcp a.b.c.11 80 m.p.q.130 80 extendable

ip nat inside source static tcp a.b.c.15 110 m.p.q.129 110 extendable

ip nat inside source static tcp a.b.c.15 25 m.p.q.129 25 extendable

The following is the access-list I hope will allow SMTP (mail server m.p.q.129) in and out, kill unwanted icmp, allow DNS, and let 1 specific host to connect to my web server (m.p.q.130) on port 80.

access-list 105 permit tcp any any established

access-list 105 permit tcp 'outside host ip' m.p.q.130 255.255.255.248 eq 80

access-list 105 permit smtp any m.p.q.129 25

access-list 105 permit udp any any

access-list 105 permit icmp any any echo

access-list 105 permit icmp any any echo-reply

access-list 105 permit icmp any any time-exceeded

access-list 105 permit icmp any any packet-too-big

access-list 105 permit icmp any any traceroute

access-list 105 permit icmp any any unreachable

access-list 105 deny icmp any any log

access-list 105 deny tcp any any log

Line 2 does not work, am researching itnow. If you see holes or other probs., help is always appreciated.

Thanks

Chris

103
Views
0
Helpful
4
Replies